wok-next annotate libwrap/stuff/tcp_wrappers-7.6-shared_lib_plus_plus-1.patch @ rev 4382

Add ht
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Oct 14 11:55:42 2009 +0200 (2009-10-14)
parents
children
rev   line source
erjo@286 1 Submitted By: Tushar Teredesai <tushar@linuxfromscratch.org>
erjo@286 2 Date: 2003-10-04
erjo@286 3 Initial Package Version: 7.6
erjo@286 4 Origin: http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2003-January/001960.html
erjo@286 5 Description: The patch was created from the tcp_wrappers modified package by Mark Heerdink.
erjo@286 6 This patch provides the following improvements:
erjo@286 7 * Install libwrap.so along with libwrap.a.
erjo@286 8 * Create an install target for tcp_wrappers.
erjo@286 9 * Compilation and security fixes.
erjo@286 10 * Documentation fixes.
erjo@286 11 diff -Naur tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.gimli/Makefile
erjo@286 12 --- tcp_wrappers_7.6/Makefile 1997-03-21 12:27:21.000000000 -0600
erjo@286 13 +++ tcp_wrappers_7.6.gimli/Makefile 2002-07-15 16:07:21.000000000 -0500
erjo@286 14 @@ -1,5 +1,10 @@
erjo@286 15 +GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
erjo@286 16 +
erjo@286 17 # @(#) Makefile 1.23 97/03/21 19:27:20
erjo@286 18
erjo@286 19 +# unset the HOSTNAME environment variable
erjo@286 20 +HOSTNAME =
erjo@286 21 +
erjo@286 22 what:
erjo@286 23 @echo
erjo@286 24 @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
erjo@286 25 @@ -19,7 +24,7 @@
erjo@286 26 @echo " generic (most bsd-ish systems with sys5 compatibility)"
erjo@286 27 @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
erjo@286 28 @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
erjo@286 29 - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
erjo@286 30 + @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
erjo@286 31 @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
erjo@286 32 @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
erjo@286 33 @echo " uts215 uxp"
erjo@286 34 @@ -43,8 +48,8 @@
erjo@286 35 # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
erjo@286 36 #REAL_DAEMON_DIR=/usr/etc
erjo@286 37 #
erjo@286 38 -# SysV.4 Solaris 2.x OSF AIX
erjo@286 39 -#REAL_DAEMON_DIR=/usr/sbin
erjo@286 40 +# SysV.4 Solaris 2.x OSF AIX Linux
erjo@286 41 +REAL_DAEMON_DIR=/usr/sbin
erjo@286 42 #
erjo@286 43 # BSD 4.4
erjo@286 44 #REAL_DAEMON_DIR=/usr/libexec
erjo@286 45 @@ -141,10 +146,21 @@
erjo@286 46 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
erjo@286 47 EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
erjo@286 48
erjo@286 49 +ifneq ($(GLIBC),0)
erjo@286 50 +MYLIB=-lnsl
erjo@286 51 +endif
erjo@286 52 +
erjo@286 53 linux:
erjo@286 54 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
erjo@286 55 - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
erjo@286 56 - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
erjo@286 57 + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
erjo@286 58 + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
erjo@286 59 + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"
erjo@286 60 +
erjo@286 61 +gnu:
erjo@286 62 + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
erjo@286 63 + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
erjo@286 64 + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
erjo@286 65 + EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"
erjo@286 66
erjo@286 67 # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
erjo@286 68 hpux hpux8 hpux9 hpux10:
erjo@286 69 @@ -391,7 +407,7 @@
erjo@286 70 # the ones provided with this source distribution. The environ.c module
erjo@286 71 # implements setenv(), getenv(), and putenv().
erjo@286 72
erjo@286 73 -AUX_OBJ= setenv.o
erjo@286 74 +#AUX_OBJ= setenv.o
erjo@286 75 #AUX_OBJ= environ.o
erjo@286 76 #AUX_OBJ= environ.o strcasecmp.o
erjo@286 77
erjo@286 78 @@ -454,7 +470,8 @@
erjo@286 79 # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
erjo@286 80 # around this. The workaround does no harm on other Solaris versions.
erjo@286 81
erjo@286 82 -BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
erjo@286 83 +BUGS =
erjo@286 84 +#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
erjo@286 85 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
erjo@286 86 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
erjo@286 87
erjo@286 88 @@ -464,7 +481,7 @@
erjo@286 89 # If your system supports NIS or YP-style netgroups, enable the following
erjo@286 90 # macro definition. Netgroups are used only for host access control.
erjo@286 91 #
erjo@286 92 -#NETGROUP= -DNETGROUP
erjo@286 93 +NETGROUP= -DNETGROUP
erjo@286 94
erjo@286 95 ###############################################################
erjo@286 96 # System dependencies: whether or not your system has vsyslog()
erjo@286 97 @@ -491,7 +508,7 @@
erjo@286 98 # Uncomment the next definition to turn on the language extensions
erjo@286 99 # (examples: allow, deny, banners, twist and spawn).
erjo@286 100 #
erjo@286 101 -#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
erjo@286 102 +STYLE = -DPROCESS_OPTIONS # Enable language extensions.
erjo@286 103
erjo@286 104 ################################################################
erjo@286 105 # Optional: Changing the default disposition of logfile records
erjo@286 106 @@ -514,7 +531,7 @@
erjo@286 107 #
erjo@286 108 # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
erjo@286 109
erjo@286 110 -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
erjo@286 111 +FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use
erjo@286 112
erjo@286 113 # The syslog priority at which successful connections are logged.
erjo@286 114
erjo@286 115 @@ -610,7 +627,7 @@
erjo@286 116 # Paranoid mode implies hostname lookup. In order to disable hostname
erjo@286 117 # lookups altogether, see the next section.
erjo@286 118
erjo@286 119 -PARANOID= -DPARANOID
erjo@286 120 +#PARANOID= -DPARANOID
erjo@286 121
erjo@286 122 ########################################
erjo@286 123 # Optional: turning off hostname lookups
erjo@286 124 @@ -623,7 +640,7 @@
erjo@286 125 # In order to perform selective hostname lookups, disable paranoid
erjo@286 126 # mode (see previous section) and comment out the following definition.
erjo@286 127
erjo@286 128 -HOSTNAME= -DALWAYS_HOSTNAME
erjo@286 129 +#HOSTNAME= -DALWAYS_HOSTNAME
erjo@286 130
erjo@286 131 #############################################
erjo@286 132 # Optional: Turning on host ADDRESS checking
erjo@286 133 @@ -649,28 +666,46 @@
erjo@286 134 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
erjo@286 135 # Solaris 2.x, and Linux. See your system documentation for details.
erjo@286 136 #
erjo@286 137 -# KILL_OPT= -DKILL_IP_OPTIONS
erjo@286 138 +KILL_OPT= -DKILL_IP_OPTIONS
erjo@286 139
erjo@286 140 ## End configuration options
erjo@286 141 ############################
erjo@286 142
erjo@286 143 # Protection against weird shells or weird make programs.
erjo@286 144
erjo@286 145 +CC = gcc
erjo@286 146 SHELL = /bin/sh
erjo@286 147 -.c.o:; $(CC) $(CFLAGS) -c $*.c
erjo@286 148 +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
erjo@286 149 +
erjo@286 150 +SOMAJOR = 0
erjo@286 151 +SOMINOR = 7.6
erjo@286 152 +
erjo@286 153 +LIB = libwrap.a
erjo@286 154 +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
erjo@286 155 +SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)
erjo@286 156 +SHLIBSO = shared/libwrap.so
erjo@286 157 +SHLIBFLAGS = -Lshared -lwrap
erjo@286 158
erjo@286 159 -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
erjo@286 160 +shared/%.o: %.c
erjo@286 161 + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
erjo@286 162 +
erjo@286 163 +CFLAGS = -O2 -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
erjo@286 164 $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
erjo@286 165 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
erjo@286 166 -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
erjo@286 167 $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
erjo@286 168 $(VSYSLOG) $(HOSTNAME)
erjo@286 169
erjo@286 170 +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
erjo@286 171 +SHCFLAGS = -fPIC -shared -D_REENTRANT
erjo@286 172 +
erjo@286 173 LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
erjo@286 174 hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
erjo@286 175 $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
erjo@286 176 update.o misc.o diag.o percent_m.o myvsyslog.o
erjo@286 177
erjo@286 178 +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
erjo@286 179 +
erjo@286 180 FROM_OBJ= fromhost.o
erjo@286 181
erjo@286 182 KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
erjo@286 183 @@ -684,46 +719,80 @@
erjo@286 184 refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
erjo@286 185 scaffold.h tcpdmatch.8 README.NIS
erjo@286 186
erjo@286 187 -LIB = libwrap.a
erjo@286 188 -
erjo@286 189 -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
erjo@286 190 +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
erjo@286 191
erjo@286 192 # Invalidate all object files when the compiler options (CFLAGS) have changed.
erjo@286 193
erjo@286 194 config-check:
erjo@286 195 @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
erjo@286 196 - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
erjo@286 197 - if cmp cflags /tmp/cflags.$$$$ ; \
erjo@286 198 - then rm /tmp/cflags.$$$$ ; \
erjo@286 199 - else mv /tmp/cflags.$$$$ cflags ; \
erjo@286 200 + @set +e; echo $(CFLAGS) >cflags.new ; \
erjo@286 201 + if cmp cflags cflags.new ; \
erjo@286 202 + then rm cflags.new ; \
erjo@286 203 + else mv cflags.new cflags ; \
erjo@286 204 fi >/dev/null 2>/dev/null
erjo@286 205 + @if [ ! -d shared ]; then mkdir shared; fi
erjo@286 206
erjo@286 207 $(LIB): $(LIB_OBJ)
erjo@286 208 rm -f $(LIB)
erjo@286 209 $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
erjo@286 210 -$(RANLIB) $(LIB)
erjo@286 211
erjo@286 212 -tcpd: tcpd.o $(LIB)
erjo@286 213 - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
erjo@286 214 +$(SHLIB): $(SHLIB_OBJ)
erjo@286 215 + rm -f $(SHLIB)
erjo@286 216 + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
erjo@286 217 + ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)
erjo@286 218 + ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
erjo@286 219 +
erjo@286 220 +tcpd: tcpd.o $(SHLIB)
erjo@286 221 + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
erjo@286 222
erjo@286 223 -miscd: miscd.o $(LIB)
erjo@286 224 - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
erjo@286 225 +miscd: miscd.o $(SHLIB)
erjo@286 226 + $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)
erjo@286 227
erjo@286 228 -safe_finger: safe_finger.o $(LIB)
erjo@286 229 - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
erjo@286 230 +safe_finger: safe_finger.o $(SHLIB)
erjo@286 231 + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
erjo@286 232
erjo@286 233 TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
erjo@286 234
erjo@286 235 -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
erjo@286 236 - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
erjo@286 237 +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
erjo@286 238 + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
erjo@286 239
erjo@286 240 -try-from: try-from.o fakelog.o $(LIB)
erjo@286 241 - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
erjo@286 242 +try-from: try-from.o fakelog.o $(SHLIB)
erjo@286 243 + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
erjo@286 244
erjo@286 245 TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
erjo@286 246
erjo@286 247 -tcpdchk: $(TCPDCHK_OBJ) $(LIB)
erjo@286 248 - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
erjo@286 249 +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
erjo@286 250 + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
erjo@286 251 +
erjo@286 252 +install: install-lib install-bin install-dev
erjo@286 253 +
erjo@286 254 +install-lib:
erjo@286 255 + install -o root -g root -m 0755 $(SHLIB) ${DESTDIR}/usr/lib/
erjo@286 256 + ln -sf $(notdir $(SHLIB)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSOMAJ))
erjo@286 257 + ln -sf $(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))
erjo@286 258 +
erjo@286 259 +install-bin:
erjo@286 260 + install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/
erjo@286 261 + install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/
erjo@286 262 + install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/
erjo@286 263 + install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/
erjo@286 264 + install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/
erjo@286 265 + install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/
erjo@286 266 + install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/
erjo@286 267 + install -o root -g root -m 0644 try-from.8 ${DESTDIR}/usr/share/man/man8/
erjo@286 268 + install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/
erjo@286 269 + install -o root -g root -m 0644 safe_finger.8 ${DESTDIR}/usr/share/man/man8/
erjo@286 270 + install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/
erjo@286 271 + install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/
erjo@286 272 +
erjo@286 273 +install-dev:
erjo@286 274 + install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/
erjo@286 275 + install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/
erjo@286 276 + install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/
erjo@286 277 + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3
erjo@286 278 + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3
erjo@286 279 + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3
erjo@286 280
erjo@286 281 shar: $(KIT)
erjo@286 282 @shar $(KIT)
erjo@286 283 @@ -739,7 +808,8 @@
erjo@286 284
erjo@286 285 clean:
erjo@286 286 rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
erjo@286 287 - cflags
erjo@286 288 + cflags libwrap*.so*
erjo@286 289 + rm -rf shared
erjo@286 290
erjo@286 291 tidy: clean
erjo@286 292 chmod -R a+r .
erjo@286 293 @@ -885,5 +955,6 @@
erjo@286 294 update.o: mystdarg.h
erjo@286 295 update.o: tcpd.h
erjo@286 296 vfprintf.o: cflags
erjo@286 297 +weak_symbols.o: tcpd.h
erjo@286 298 workarounds.o: cflags
erjo@286 299 workarounds.o: tcpd.h
erjo@286 300 diff -Naur tcp_wrappers_7.6/fix_options.c tcp_wrappers_7.6.gimli/fix_options.c
erjo@286 301 --- tcp_wrappers_7.6/fix_options.c 1997-04-07 19:29:19.000000000 -0500
erjo@286 302 +++ tcp_wrappers_7.6.gimli/fix_options.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 303 @@ -35,7 +35,12 @@
erjo@286 304 #ifdef IP_OPTIONS
erjo@286 305 unsigned char optbuf[BUFFER_SIZE / 3], *cp;
erjo@286 306 char lbuf[BUFFER_SIZE], *lp;
erjo@286 307 +#if !defined(__GLIBC__)
erjo@286 308 int optsize = sizeof(optbuf), ipproto;
erjo@286 309 +#else /* __GLIBC__ */
erjo@286 310 + size_t optsize = sizeof(optbuf);
erjo@286 311 + int ipproto;
erjo@286 312 +#endif /* __GLIBC__ */
erjo@286 313 struct protoent *ip;
erjo@286 314 int fd = request->fd;
erjo@286 315 unsigned int opt;
erjo@286 316 diff -Naur tcp_wrappers_7.6/hosts_access.3 tcp_wrappers_7.6.gimli/hosts_access.3
erjo@286 317 --- tcp_wrappers_7.6/hosts_access.3 1996-02-11 10:01:27.000000000 -0600
erjo@286 318 +++ tcp_wrappers_7.6.gimli/hosts_access.3 2002-01-07 08:50:19.000000000 -0600
erjo@286 319 @@ -3,7 +3,7 @@
erjo@286 320 hosts_access, hosts_ctl, request_init, request_set \- access control library
erjo@286 321 .SH SYNOPSIS
erjo@286 322 .nf
erjo@286 323 -#include "tcpd.h"
erjo@286 324 +#include <tcpd.h>
erjo@286 325
erjo@286 326 extern int allow_severity;
erjo@286 327 extern int deny_severity;
erjo@286 328 diff -Naur tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.gimli/hosts_access.5
erjo@286 329 --- tcp_wrappers_7.6/hosts_access.5 1995-01-30 12:51:47.000000000 -0600
erjo@286 330 +++ tcp_wrappers_7.6.gimli/hosts_access.5 2002-01-07 08:50:19.000000000 -0600
erjo@286 331 @@ -8,9 +8,9 @@
erjo@286 332 impatient reader is encouraged to skip to the EXAMPLES section for a
erjo@286 333 quick introduction.
erjo@286 334 .PP
erjo@286 335 -An extended version of the access control language is described in the
erjo@286 336 -\fIhosts_options\fR(5) document. The extensions are turned on at
erjo@286 337 -program build time by building with -DPROCESS_OPTIONS.
erjo@286 338 +The extended version of the access control language is described in the
erjo@286 339 +\fIhosts_options\fR(5) document. \fBNote that this language supersedes
erjo@286 340 +the meaning of \fIshell_command\fB as documented below.\fR
erjo@286 341 .PP
erjo@286 342 In the following text, \fIdaemon\fR is the the process name of a
erjo@286 343 network daemon process, and \fIclient\fR is the name and/or address of
erjo@286 344 @@ -40,7 +40,7 @@
erjo@286 345 character. This permits you to break up long lines so that they are
erjo@286 346 easier to edit.
erjo@286 347 .IP \(bu
erjo@286 348 -Blank lines or lines that begin with a `#\' character are ignored.
erjo@286 349 +Blank lines or lines that begin with a `#' character are ignored.
erjo@286 350 This permits you to insert comments and whitespace so that the tables
erjo@286 351 are easier to read.
erjo@286 352 .IP \(bu
erjo@286 353 @@ -69,26 +69,33 @@
erjo@286 354 .SH PATTERNS
erjo@286 355 The access control language implements the following patterns:
erjo@286 356 .IP \(bu
erjo@286 357 -A string that begins with a `.\' character. A host name is matched if
erjo@286 358 +A string that begins with a `.' character. A host name is matched if
erjo@286 359 the last components of its name match the specified pattern. For
erjo@286 360 -example, the pattern `.tue.nl\' matches the host name
erjo@286 361 -`wzv.win.tue.nl\'.
erjo@286 362 +example, the pattern `.tue.nl' matches the host name
erjo@286 363 +`wzv.win.tue.nl'.
erjo@286 364 .IP \(bu
erjo@286 365 -A string that ends with a `.\' character. A host address is matched if
erjo@286 366 +A string that ends with a `.' character. A host address is matched if
erjo@286 367 its first numeric fields match the given string. For example, the
erjo@286 368 -pattern `131.155.\' matches the address of (almost) every host on the
erjo@286 369 +pattern `131.155.' matches the address of (almost) every host on the
erjo@286 370 Eind\%hoven University network (131.155.x.x).
erjo@286 371 .IP \(bu
erjo@286 372 -A string that begins with an `@\' character is treated as an NIS
erjo@286 373 +A string that begins with an `@' character is treated as an NIS
erjo@286 374 (formerly YP) netgroup name. A host name is matched if it is a host
erjo@286 375 member of the specified netgroup. Netgroup matches are not supported
erjo@286 376 for daemon process names or for client user names.
erjo@286 377 .IP \(bu
erjo@286 378 -An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
erjo@286 379 -`net/mask\' pair. A host address is matched if `net\' is equal to the
erjo@286 380 -bitwise AND of the address and the `mask\'. For example, the net/mask
erjo@286 381 -pattern `131.155.72.0/255.255.254.0\' matches every address in the
erjo@286 382 -range `131.155.72.0\' through `131.155.73.255\'.
erjo@286 383 +An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
erjo@286 384 +`net/mask' pair. A host address is matched if `net' is equal to the
erjo@286 385 +bitwise AND of the address and the `mask'. For example, the net/mask
erjo@286 386 +pattern `131.155.72.0/255.255.254.0' matches every address in the
erjo@286 387 +range `131.155.72.0' through `131.155.73.255'.
erjo@286 388 +.IP \(bu
erjo@286 389 +A string that begins with a `/' character is treated as a file
erjo@286 390 +name. A host name or address is matched if it matches any host name
erjo@286 391 +or address pattern listed in the named file. The file format is
erjo@286 392 +zero or more lines with zero or more host name or address patterns
erjo@286 393 +separated by whitespace. A file name pattern can be used anywhere
erjo@286 394 +a host name or address pattern can be used.
erjo@286 395 .SH WILDCARDS
erjo@286 396 The access control language supports explicit wildcards:
erjo@286 397 .IP ALL
erjo@286 398 @@ -115,19 +122,19 @@
erjo@286 399 .ne 6
erjo@286 400 .SH OPERATORS
erjo@286 401 .IP EXCEPT
erjo@286 402 -Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
erjo@286 403 +Intended use is of the form: `list_1 EXCEPT list_2'; this construct
erjo@286 404 matches anything that matches \fIlist_1\fR unless it matches
erjo@286 405 \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in
erjo@286 406 client_lists. The EXCEPT operator can be nested: if the control
erjo@286 407 -language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
erjo@286 408 -would parse as `(a EXCEPT (b EXCEPT c))\'.
erjo@286 409 +language would permit the use of parentheses, `a EXCEPT b EXCEPT c'
erjo@286 410 +would parse as `(a EXCEPT (b EXCEPT c))'.
erjo@286 411 .br
erjo@286 412 .ne 6
erjo@286 413 .SH SHELL COMMANDS
erjo@286 414 If the first-matched access control rule contains a shell command, that
erjo@286 415 command is subjected to %<letter> substitutions (see next section).
erjo@286 416 The result is executed by a \fI/bin/sh\fR child process with standard
erjo@286 417 -input, output and error connected to \fI/dev/null\fR. Specify an `&\'
erjo@286 418 +input, output and error connected to \fI/dev/null\fR. Specify an `&'
erjo@286 419 at the end of the command if you do not want to wait until it has
erjo@286 420 completed.
erjo@286 421 .PP
erjo@286 422 @@ -159,7 +166,7 @@
erjo@286 423 .IP %u
erjo@286 424 The client user name (or "unknown").
erjo@286 425 .IP %%
erjo@286 426 -Expands to a single `%\' character.
erjo@286 427 +Expands to a single `%' character.
erjo@286 428 .PP
erjo@286 429 Characters in % expansions that may confuse the shell are replaced by
erjo@286 430 underscores.
erjo@286 431 @@ -243,9 +250,9 @@
erjo@286 432 less trustworthy. It is possible for an intruder to spoof both the
erjo@286 433 client connection and the IDENT lookup, although doing so is much
erjo@286 434 harder than spoofing just a client connection. It may also be that
erjo@286 435 -the client\'s IDENT server is lying.
erjo@286 436 +the client's IDENT server is lying.
erjo@286 437 .PP
erjo@286 438 -Note: IDENT lookups don\'t work with UDP services.
erjo@286 439 +Note: IDENT lookups don't work with UDP services.
erjo@286 440 .SH EXAMPLES
erjo@286 441 The language is flexible enough that different types of access control
erjo@286 442 policy can be expressed with a minimum of fuss. Although the language
erjo@286 443 @@ -285,7 +292,7 @@
erjo@286 444 .br
erjo@286 445 ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
erjo@286 446 .PP
erjo@286 447 -The first rule permits access from hosts in the local domain (no `.\'
erjo@286 448 +The first rule permits access from hosts in the local domain (no `.'
erjo@286 449 in the host name) and from members of the \fIsome_netgroup\fP
erjo@286 450 netgroup. The second rule permits access from all hosts in the
erjo@286 451 \fIfoobar.edu\fP domain (notice the leading dot), with the exception of
erjo@286 452 @@ -322,8 +329,8 @@
erjo@286 453 /etc/hosts.deny:
erjo@286 454 .in +3
erjo@286 455 .nf
erjo@286 456 -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
erjo@286 457 - /usr/ucb/mail -s %d-%h root) &
erjo@286 458 +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
erjo@286 459 + /usr/bin/mail -s %d-%h root) &
erjo@286 460 .fi
erjo@286 461 .PP
erjo@286 462 The safe_finger command comes with the tcpd wrapper and should be
erjo@286 463 @@ -349,7 +356,7 @@
erjo@286 464 capacity of an internal buffer; when an access control rule is not
erjo@286 465 terminated by a newline character; when the result of %<letter>
erjo@286 466 expansion would overflow an internal buffer; when a system call fails
erjo@286 467 -that shouldn\'t. All problems are reported via the syslog daemon.
erjo@286 468 +that shouldn't. All problems are reported via the syslog daemon.
erjo@286 469 .SH FILES
erjo@286 470 .na
erjo@286 471 .nf
erjo@286 472 diff -Naur tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.gimli/hosts_access.c
erjo@286 473 --- tcp_wrappers_7.6/hosts_access.c 1997-02-11 19:13:23.000000000 -0600
erjo@286 474 +++ tcp_wrappers_7.6.gimli/hosts_access.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 475 @@ -240,6 +240,26 @@
erjo@286 476 }
erjo@286 477 }
erjo@286 478
erjo@286 479 +/* hostfile_match - look up host patterns from file */
erjo@286 480 +
erjo@286 481 +static int hostfile_match(path, host)
erjo@286 482 +char *path;
erjo@286 483 +struct hosts_info *host;
erjo@286 484 +{
erjo@286 485 + char tok[BUFSIZ];
erjo@286 486 + int match = NO;
erjo@286 487 + FILE *fp;
erjo@286 488 +
erjo@286 489 + if ((fp = fopen(path, "r")) != 0) {
erjo@286 490 + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
erjo@286 491 + /* void */ ;
erjo@286 492 + fclose(fp);
erjo@286 493 + } else if (errno != ENOENT) {
erjo@286 494 + tcpd_warn("open %s: %m", path);
erjo@286 495 + }
erjo@286 496 + return (match);
erjo@286 497 +}
erjo@286 498 +
erjo@286 499 /* host_match - match host name and/or address against pattern */
erjo@286 500
erjo@286 501 static int host_match(tok, host)
erjo@286 502 @@ -267,6 +287,8 @@
erjo@286 503 tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
erjo@286 504 return (NO);
erjo@286 505 #endif
erjo@286 506 + } else if (tok[0] == '/') { /* /file hack */
erjo@286 507 + return (hostfile_match(tok, host));
erjo@286 508 } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
erjo@286 509 char *name = eval_hostname(host);
erjo@286 510 return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
erjo@286 511 diff -Naur tcp_wrappers_7.6/hosts_options.5 tcp_wrappers_7.6.gimli/hosts_options.5
erjo@286 512 --- tcp_wrappers_7.6/hosts_options.5 1994-12-28 10:42:29.000000000 -0600
erjo@286 513 +++ tcp_wrappers_7.6.gimli/hosts_options.5 2002-01-07 08:50:19.000000000 -0600
erjo@286 514 @@ -58,12 +58,12 @@
erjo@286 515 Execute, in a child process, the specified shell command, after
erjo@286 516 performing the %<letter> expansions described in the hosts_access(5)
erjo@286 517 manual page. The command is executed with stdin, stdout and stderr
erjo@286 518 -connected to the null device, so that it won\'t mess up the
erjo@286 519 +connected to the null device, so that it won't mess up the
erjo@286 520 conversation with the client host. Example:
erjo@286 521 .sp
erjo@286 522 .nf
erjo@286 523 .ti +3
erjo@286 524 -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
erjo@286 525 +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
erjo@286 526 .fi
erjo@286 527 .sp
erjo@286 528 executes, in a background child process, the shell command "safe_finger
erjo@286 529 diff -Naur tcp_wrappers_7.6/options.c tcp_wrappers_7.6.gimli/options.c
erjo@286 530 --- tcp_wrappers_7.6/options.c 1996-02-11 10:01:32.000000000 -0600
erjo@286 531 +++ tcp_wrappers_7.6.gimli/options.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 532 @@ -473,6 +473,9 @@
erjo@286 533 #ifdef LOG_CRON
erjo@286 534 "cron", LOG_CRON,
erjo@286 535 #endif
erjo@286 536 +#ifdef LOG_FTP
erjo@286 537 + "ftp", LOG_FTP,
erjo@286 538 +#endif
erjo@286 539 #ifdef LOG_LOCAL0
erjo@286 540 "local0", LOG_LOCAL0,
erjo@286 541 #endif
erjo@286 542 diff -Naur tcp_wrappers_7.6/percent_m.c tcp_wrappers_7.6.gimli/percent_m.c
erjo@286 543 --- tcp_wrappers_7.6/percent_m.c 1994-12-28 10:42:37.000000000 -0600
erjo@286 544 +++ tcp_wrappers_7.6.gimli/percent_m.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 545 @@ -13,7 +13,7 @@
erjo@286 546 #include <string.h>
erjo@286 547
erjo@286 548 extern int errno;
erjo@286 549 -#ifndef SYS_ERRLIST_DEFINED
erjo@286 550 +#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
erjo@286 551 extern char *sys_errlist[];
erjo@286 552 extern int sys_nerr;
erjo@286 553 #endif
erjo@286 554 @@ -29,11 +29,15 @@
erjo@286 555
erjo@286 556 while (*bp = *cp)
erjo@286 557 if (*cp == '%' && cp[1] == 'm') {
erjo@286 558 +#ifdef HAVE_STRERROR
erjo@286 559 + strcpy(bp, strerror(errno));
erjo@286 560 +#else
erjo@286 561 if (errno < sys_nerr && errno > 0) {
erjo@286 562 strcpy(bp, sys_errlist[errno]);
erjo@286 563 } else {
erjo@286 564 sprintf(bp, "Unknown error %d", errno);
erjo@286 565 }
erjo@286 566 +#endif
erjo@286 567 bp += strlen(bp);
erjo@286 568 cp += 2;
erjo@286 569 } else {
erjo@286 570 diff -Naur tcp_wrappers_7.6/rfc931.c tcp_wrappers_7.6.gimli/rfc931.c
erjo@286 571 --- tcp_wrappers_7.6/rfc931.c 1995-01-02 09:11:34.000000000 -0600
erjo@286 572 +++ tcp_wrappers_7.6.gimli/rfc931.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 573 @@ -33,7 +33,7 @@
erjo@286 574
erjo@286 575 int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
erjo@286 576
erjo@286 577 -static jmp_buf timebuf;
erjo@286 578 +static sigjmp_buf timebuf;
erjo@286 579
erjo@286 580 /* fsocket - open stdio stream on top of socket */
erjo@286 581
erjo@286 582 @@ -62,7 +62,7 @@
erjo@286 583 static void timeout(sig)
erjo@286 584 int sig;
erjo@286 585 {
erjo@286 586 - longjmp(timebuf, sig);
erjo@286 587 + siglongjmp(timebuf, sig);
erjo@286 588 }
erjo@286 589
erjo@286 590 /* rfc931 - return remote user name, given socket structures */
erjo@286 591 @@ -99,7 +99,7 @@
erjo@286 592 * Set up a timer so we won't get stuck while waiting for the server.
erjo@286 593 */
erjo@286 594
erjo@286 595 - if (setjmp(timebuf) == 0) {
erjo@286 596 + if (sigsetjmp(timebuf,1) == 0) {
erjo@286 597 signal(SIGALRM, timeout);
erjo@286 598 alarm(rfc931_timeout);
erjo@286 599
erjo@286 600 diff -Naur tcp_wrappers_7.6/safe_finger.8 tcp_wrappers_7.6.gimli/safe_finger.8
erjo@286 601 --- tcp_wrappers_7.6/safe_finger.8 1969-12-31 18:00:00.000000000 -0600
erjo@286 602 +++ tcp_wrappers_7.6.gimli/safe_finger.8 2002-01-07 08:50:19.000000000 -0600
erjo@286 603 @@ -0,0 +1,34 @@
erjo@286 604 +.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
erjo@286 605 +.SH NAME
erjo@286 606 +safe_finger \- finger client wrapper that protects against nasty stuff
erjo@286 607 +from finger servers
erjo@286 608 +.SH SYNOPSIS
erjo@286 609 +.B safe_finger [finger_options]
erjo@286 610 +.SH DESCRIPTION
erjo@286 611 +The
erjo@286 612 +.B safe_finger
erjo@286 613 +command protects against nasty stuff from finger servers. Use this
erjo@286 614 +program for automatic reverse finger probes from the
erjo@286 615 +.B tcp_wrapper
erjo@286 616 +.B (tcpd)
erjo@286 617 +, not the raw finger command. The
erjo@286 618 +.B safe_finger
erjo@286 619 +command makes sure that the finger client is not run with root
erjo@286 620 +privileges. It also runs the finger client with a defined PATH
erjo@286 621 +environment.
erjo@286 622 +.B safe_finger
erjo@286 623 +will also protect you from problems caused by the output of some
erjo@286 624 +finger servers. The problem: some programs may react to stuff in
erjo@286 625 +the first column. Other programs may get upset by thrash anywhere
erjo@286 626 +on a line. File systems may fill up as the finger server keeps
erjo@286 627 +sending data. Text editors may bomb out on extremely long lines.
erjo@286 628 +The finger server may take forever because it is somehow wedged.
erjo@286 629 +.B safe_finger
erjo@286 630 +takes care of all this badness.
erjo@286 631 +.SH SEE ALSO
erjo@286 632 +.BR hosts_access (5),
erjo@286 633 +.BR hosts_options (5),
erjo@286 634 +.BR tcpd (8)
erjo@286 635 +.SH AUTHOR
erjo@286 636 +Wietse Venema, Eindhoven University of Technology, The Netherlands.
erjo@286 637 +
erjo@286 638 diff -Naur tcp_wrappers_7.6/safe_finger.c tcp_wrappers_7.6.gimli/safe_finger.c
erjo@286 639 --- tcp_wrappers_7.6/safe_finger.c 1994-12-28 10:42:42.000000000 -0600
erjo@286 640 +++ tcp_wrappers_7.6.gimli/safe_finger.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 641 @@ -26,21 +26,24 @@
erjo@286 642 #include <stdio.h>
erjo@286 643 #include <ctype.h>
erjo@286 644 #include <pwd.h>
erjo@286 645 +#include <syslog.h>
erjo@286 646
erjo@286 647 extern void exit();
erjo@286 648
erjo@286 649 /* Local stuff */
erjo@286 650
erjo@286 651 -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
erjo@286 652 +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
erjo@286 653
erjo@286 654 #define TIME_LIMIT 60 /* Do not keep listinging forever */
erjo@286 655 #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
erjo@286 656 #define LINE_LENGTH 128 /* Editors can choke on long lines */
erjo@286 657 #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
erjo@286 658 #define UNPRIV_NAME "nobody" /* Preferred privilege level */
erjo@286 659 -#define UNPRIV_UGID 32767 /* Default uid and gid */
erjo@286 660 +#define UNPRIV_UGID 65534 /* Default uid and gid */
erjo@286 661
erjo@286 662 int finger_pid;
erjo@286 663 +int allow_severity = SEVERITY;
erjo@286 664 +int deny_severity = LOG_WARNING;
erjo@286 665
erjo@286 666 void cleanup(sig)
erjo@286 667 int sig;
erjo@286 668 diff -Naur tcp_wrappers_7.6/scaffold.c tcp_wrappers_7.6.gimli/scaffold.c
erjo@286 669 --- tcp_wrappers_7.6/scaffold.c 1997-03-21 12:27:24.000000000 -0600
erjo@286 670 +++ tcp_wrappers_7.6.gimli/scaffold.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 671 @@ -180,10 +180,12 @@
erjo@286 672
erjo@286 673 /* ARGSUSED */
erjo@286 674
erjo@286 675 -void rfc931(request)
erjo@286 676 -struct request_info *request;
erjo@286 677 +void rfc931(rmt_sin, our_sin, dest)
erjo@286 678 +struct sockaddr_in *rmt_sin;
erjo@286 679 +struct sockaddr_in *our_sin;
erjo@286 680 +char *dest;
erjo@286 681 {
erjo@286 682 - strcpy(request->user, unknown);
erjo@286 683 + strcpy(dest, unknown);
erjo@286 684 }
erjo@286 685
erjo@286 686 /* check_path - examine accessibility */
erjo@286 687 diff -Naur tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.gimli/socket.c
erjo@286 688 --- tcp_wrappers_7.6/socket.c 1997-03-21 12:27:25.000000000 -0600
erjo@286 689 +++ tcp_wrappers_7.6.gimli/socket.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 690 @@ -76,7 +76,11 @@
erjo@286 691 {
erjo@286 692 static struct sockaddr_in client;
erjo@286 693 static struct sockaddr_in server;
erjo@286 694 +#if !defined (__GLIBC__)
erjo@286 695 int len;
erjo@286 696 +#else /* __GLIBC__ */
erjo@286 697 + size_t len;
erjo@286 698 +#endif /* __GLIBC__ */
erjo@286 699 char buf[BUFSIZ];
erjo@286 700 int fd = request->fd;
erjo@286 701
erjo@286 702 @@ -224,7 +228,11 @@
erjo@286 703 {
erjo@286 704 char buf[BUFSIZ];
erjo@286 705 struct sockaddr_in sin;
erjo@286 706 +#if !defined(__GLIBC__)
erjo@286 707 int size = sizeof(sin);
erjo@286 708 +#else /* __GLIBC__ */
erjo@286 709 + size_t size = sizeof(sin);
erjo@286 710 +#endif /* __GLIBC__ */
erjo@286 711
erjo@286 712 /*
erjo@286 713 * Eat up the not-yet received datagram. Some systems insist on a
erjo@286 714 diff -Naur tcp_wrappers_7.6/tcpd.8 tcp_wrappers_7.6.gimli/tcpd.8
erjo@286 715 --- tcp_wrappers_7.6/tcpd.8 1996-02-21 09:39:16.000000000 -0600
erjo@286 716 +++ tcp_wrappers_7.6.gimli/tcpd.8 2002-01-07 08:50:19.000000000 -0600
erjo@286 717 @@ -94,7 +94,7 @@
erjo@286 718 .PP
erjo@286 719 The example assumes that the network daemons live in /usr/etc. On some
erjo@286 720 systems, network daemons live in /usr/sbin or in /usr/libexec, or have
erjo@286 721 -no `in.\' prefix to their name.
erjo@286 722 +no `in.' prefix to their name.
erjo@286 723 .SH EXAMPLE 2
erjo@286 724 This example applies when \fItcpd\fR expects that the network daemons
erjo@286 725 are left in their original place.
erjo@286 726 @@ -110,26 +110,26 @@
erjo@286 727 becomes:
erjo@286 728 .sp
erjo@286 729 .ti +5
erjo@286 730 -finger stream tcp nowait nobody /some/where/tcpd in.fingerd
erjo@286 731 +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
erjo@286 732 .sp
erjo@286 733 .fi
erjo@286 734 .PP
erjo@286 735 The example assumes that the network daemons live in /usr/etc. On some
erjo@286 736 systems, network daemons live in /usr/sbin or in /usr/libexec, the
erjo@286 737 -daemons have no `in.\' prefix to their name, or there is no userid
erjo@286 738 +daemons have no `in.' prefix to their name, or there is no userid
erjo@286 739 field in the inetd configuration file.
erjo@286 740 .PP
erjo@286 741 Similar changes will be needed for the other services that are to be
erjo@286 742 -covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
erjo@286 743 +covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8)
erjo@286 744 process to make the changes effective. AIX users may also have to
erjo@286 745 -execute the `inetimp\' command.
erjo@286 746 +execute the `inetimp' command.
erjo@286 747 .SH EXAMPLE 3
erjo@286 748 In the case of daemons that do not live in a common directory ("secret"
erjo@286 749 or otherwise), edit the \fIinetd\fR configuration file so that it
erjo@286 750 specifies an absolute path name for the process name field. For example:
erjo@286 751 .nf
erjo@286 752 .sp
erjo@286 753 - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
erjo@286 754 + ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
erjo@286 755 .sp
erjo@286 756 .fi
erjo@286 757 .PP
erjo@286 758 diff -Naur tcp_wrappers_7.6/tcpd.h tcp_wrappers_7.6.gimli/tcpd.h
erjo@286 759 --- tcp_wrappers_7.6/tcpd.h 1996-03-19 09:22:25.000000000 -0600
erjo@286 760 +++ tcp_wrappers_7.6.gimli/tcpd.h 2002-01-07 08:50:19.000000000 -0600
erjo@286 761 @@ -4,6 +4,25 @@
erjo@286 762 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
erjo@286 763 */
erjo@286 764
erjo@286 765 +#ifndef _TCPWRAPPERS_TCPD_H
erjo@286 766 +#define _TCPWRAPPERS_TCPD_H
erjo@286 767 +
erjo@286 768 +/* someone else may have defined this */
erjo@286 769 +#undef __P
erjo@286 770 +
erjo@286 771 +/* use prototypes if we have an ANSI C compiler or are using C++ */
erjo@286 772 +#if defined(__STDC__) || defined(__cplusplus)
erjo@286 773 +#define __P(args) args
erjo@286 774 +#else
erjo@286 775 +#define __P(args) ()
erjo@286 776 +#endif
erjo@286 777 +
erjo@286 778 +/* Need definitions of struct sockaddr_in and FILE. */
erjo@286 779 +#include <netinet/in.h>
erjo@286 780 +#include <stdio.h>
erjo@286 781 +
erjo@286 782 +__BEGIN_DECLS
erjo@286 783 +
erjo@286 784 /* Structure to describe one communications endpoint. */
erjo@286 785
erjo@286 786 #define STRING_LENGTH 128 /* hosts, users, processes */
erjo@286 787 @@ -25,10 +44,10 @@
erjo@286 788 char pid[10]; /* access via eval_pid(request) */
erjo@286 789 struct host_info client[1]; /* client endpoint info */
erjo@286 790 struct host_info server[1]; /* server endpoint info */
erjo@286 791 - void (*sink) (); /* datagram sink function or 0 */
erjo@286 792 - void (*hostname) (); /* address to printable hostname */
erjo@286 793 - void (*hostaddr) (); /* address to printable address */
erjo@286 794 - void (*cleanup) (); /* cleanup function or 0 */
erjo@286 795 + void (*sink) __P((int)); /* datagram sink function or 0 */
erjo@286 796 + void (*hostname) __P((struct host_info *)); /* address to printable hostname */
erjo@286 797 + void (*hostaddr) __P((struct host_info *)); /* address to printable address */
erjo@286 798 + void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
erjo@286 799 struct netconfig *config; /* netdir handle */
erjo@286 800 };
erjo@286 801
erjo@286 802 @@ -61,25 +80,30 @@
erjo@286 803 /* Global functions. */
erjo@286 804
erjo@286 805 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
erjo@286 806 -extern void fromhost(); /* get/validate client host info */
erjo@286 807 +extern void fromhost __P((struct request_info *)); /* get/validate client host info */
erjo@286 808 #else
erjo@286 809 #define fromhost sock_host /* no TLI support needed */
erjo@286 810 #endif
erjo@286 811
erjo@286 812 -extern int hosts_access(); /* access control */
erjo@286 813 -extern void shell_cmd(); /* execute shell command */
erjo@286 814 -extern char *percent_x(); /* do %<char> expansion */
erjo@286 815 -extern void rfc931(); /* client name from RFC 931 daemon */
erjo@286 816 -extern void clean_exit(); /* clean up and exit */
erjo@286 817 -extern void refuse(); /* clean up and exit */
erjo@286 818 -extern char *xgets(); /* fgets() on steroids */
erjo@286 819 -extern char *split_at(); /* strchr() and split */
erjo@286 820 -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
erjo@286 821 +extern void shell_cmd __P((char *)); /* execute shell command */
erjo@286 822 +extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
erjo@286 823 +extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
erjo@286 824 +extern void clean_exit __P((struct request_info *)); /* clean up and exit */
erjo@286 825 +extern void refuse __P((struct request_info *)); /* clean up and exit */
erjo@286 826 +extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */
erjo@286 827 +extern char *split_at __P((char *, int)); /* strchr() and split */
erjo@286 828 +extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
erjo@286 829
erjo@286 830 /* Global variables. */
erjo@286 831
erjo@286 832 +#ifdef HAVE_WEAKSYMS
erjo@286 833 +extern int allow_severity __attribute__ ((weak)); /* for connection logging */
erjo@286 834 +extern int deny_severity __attribute__ ((weak)); /* for connection logging */
erjo@286 835 +#else
erjo@286 836 extern int allow_severity; /* for connection logging */
erjo@286 837 extern int deny_severity; /* for connection logging */
erjo@286 838 +#endif
erjo@286 839 +
erjo@286 840 extern char *hosts_allow_table; /* for verification mode redirection */
erjo@286 841 extern char *hosts_deny_table; /* for verification mode redirection */
erjo@286 842 extern int hosts_access_verbose; /* for verbose matching mode */
erjo@286 843 @@ -92,9 +116,14 @@
erjo@286 844 */
erjo@286 845
erjo@286 846 #ifdef __STDC__
erjo@286 847 +extern int hosts_access(struct request_info *request);
erjo@286 848 +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
erjo@286 849 + char *client_user);
erjo@286 850 extern struct request_info *request_init(struct request_info *,...);
erjo@286 851 extern struct request_info *request_set(struct request_info *,...);
erjo@286 852 #else
erjo@286 853 +extern int hosts_access();
erjo@286 854 +extern int hosts_ctl();
erjo@286 855 extern struct request_info *request_init(); /* initialize request */
erjo@286 856 extern struct request_info *request_set(); /* update request structure */
erjo@286 857 #endif
erjo@286 858 @@ -117,27 +146,31 @@
erjo@286 859 * host_info structures serve as caches for the lookup results.
erjo@286 860 */
erjo@286 861
erjo@286 862 -extern char *eval_user(); /* client user */
erjo@286 863 -extern char *eval_hostname(); /* printable hostname */
erjo@286 864 -extern char *eval_hostaddr(); /* printable host address */
erjo@286 865 -extern char *eval_hostinfo(); /* host name or address */
erjo@286 866 -extern char *eval_client(); /* whatever is available */
erjo@286 867 -extern char *eval_server(); /* whatever is available */
erjo@286 868 +extern char *eval_user __P((struct request_info *)); /* client user */
erjo@286 869 +extern char *eval_hostname __P((struct host_info *)); /* printable hostname */
erjo@286 870 +extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */
erjo@286 871 +extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */
erjo@286 872 +extern char *eval_client __P((struct request_info *)); /* whatever is available */
erjo@286 873 +extern char *eval_server __P((struct request_info *)); /* whatever is available */
erjo@286 874 #define eval_daemon(r) ((r)->daemon) /* daemon process name */
erjo@286 875 #define eval_pid(r) ((r)->pid) /* process id */
erjo@286 876
erjo@286 877 /* Socket-specific methods, including DNS hostname lookups. */
erjo@286 878
erjo@286 879 -extern void sock_host(); /* look up endpoint addresses */
erjo@286 880 -extern void sock_hostname(); /* translate address to hostname */
erjo@286 881 -extern void sock_hostaddr(); /* address to printable address */
erjo@286 882 +/* look up endpoint addresses */
erjo@286 883 +extern void sock_host __P((struct request_info *));
erjo@286 884 +/* translate address to hostname */
erjo@286 885 +extern void sock_hostname __P((struct host_info *));
erjo@286 886 +/* address to printable address */
erjo@286 887 +extern void sock_hostaddr __P((struct host_info *));
erjo@286 888 +
erjo@286 889 #define sock_methods(r) \
erjo@286 890 { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
erjo@286 891
erjo@286 892 /* The System V Transport-Level Interface (TLI) interface. */
erjo@286 893
erjo@286 894 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
erjo@286 895 -extern void tli_host(); /* look up endpoint addresses etc. */
erjo@286 896 +extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */
erjo@286 897 #endif
erjo@286 898
erjo@286 899 /*
erjo@286 900 @@ -178,7 +211,7 @@
erjo@286 901 * behavior.
erjo@286 902 */
erjo@286 903
erjo@286 904 -extern void process_options(); /* execute options */
erjo@286 905 +extern void process_options __P((char *, struct request_info *)); /* execute options */
erjo@286 906 extern int dry_run; /* verification flag */
erjo@286 907
erjo@286 908 /* Bug workarounds. */
erjo@286 909 @@ -217,3 +250,7 @@
erjo@286 910 #define strtok my_strtok
erjo@286 911 extern char *my_strtok();
erjo@286 912 #endif
erjo@286 913 +
erjo@286 914 +__END_DECLS
erjo@286 915 +
erjo@286 916 +#endif /* tcpd.h */
erjo@286 917 diff -Naur tcp_wrappers_7.6/tcpdchk.c tcp_wrappers_7.6.gimli/tcpdchk.c
erjo@286 918 --- tcp_wrappers_7.6/tcpdchk.c 1997-02-11 19:13:25.000000000 -0600
erjo@286 919 +++ tcp_wrappers_7.6.gimli/tcpdchk.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 920 @@ -350,6 +350,8 @@
erjo@286 921 {
erjo@286 922 if (pat[0] == '@') {
erjo@286 923 tcpd_warn("%s: daemon name begins with \"@\"", pat);
erjo@286 924 + } else if (pat[0] == '/') {
erjo@286 925 + tcpd_warn("%s: daemon name begins with \"/\"", pat);
erjo@286 926 } else if (pat[0] == '.') {
erjo@286 927 tcpd_warn("%s: daemon name begins with dot", pat);
erjo@286 928 } else if (pat[strlen(pat) - 1] == '.') {
erjo@286 929 @@ -382,6 +384,8 @@
erjo@286 930 {
erjo@286 931 if (pat[0] == '@') { /* @netgroup */
erjo@286 932 tcpd_warn("%s: user name begins with \"@\"", pat);
erjo@286 933 + } else if (pat[0] == '/') {
erjo@286 934 + tcpd_warn("%s: user name begins with \"/\"", pat);
erjo@286 935 } else if (pat[0] == '.') {
erjo@286 936 tcpd_warn("%s: user name begins with dot", pat);
erjo@286 937 } else if (pat[strlen(pat) - 1] == '.') {
erjo@286 938 @@ -402,8 +406,13 @@
erjo@286 939 static int check_host(pat)
erjo@286 940 char *pat;
erjo@286 941 {
erjo@286 942 + char buf[BUFSIZ];
erjo@286 943 char *mask;
erjo@286 944 int addr_count = 1;
erjo@286 945 + FILE *fp;
erjo@286 946 + struct tcpd_context saved_context;
erjo@286 947 + char *cp;
erjo@286 948 + char *wsp = " \t\r\n";
erjo@286 949
erjo@286 950 if (pat[0] == '@') { /* @netgroup */
erjo@286 951 #ifdef NO_NETGRENT
erjo@286 952 @@ -422,6 +431,21 @@
erjo@286 953 tcpd_warn("netgroup support disabled");
erjo@286 954 #endif
erjo@286 955 #endif
erjo@286 956 + } else if (pat[0] == '/') { /* /path/name */
erjo@286 957 + if ((fp = fopen(pat, "r")) != 0) {
erjo@286 958 + saved_context = tcpd_context;
erjo@286 959 + tcpd_context.file = pat;
erjo@286 960 + tcpd_context.line = 0;
erjo@286 961 + while (fgets(buf, sizeof(buf), fp)) {
erjo@286 962 + tcpd_context.line++;
erjo@286 963 + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
erjo@286 964 + check_host(cp);
erjo@286 965 + }
erjo@286 966 + tcpd_context = saved_context;
erjo@286 967 + fclose(fp);
erjo@286 968 + } else if (errno != ENOENT) {
erjo@286 969 + tcpd_warn("open %s: %m", pat);
erjo@286 970 + }
erjo@286 971 } else if (mask = split_at(pat, '/')) { /* network/netmask */
erjo@286 972 if (dot_quad_addr(pat) == INADDR_NONE
erjo@286 973 || dot_quad_addr(mask) == INADDR_NONE)
erjo@286 974 diff -Naur tcp_wrappers_7.6/try-from.8 tcp_wrappers_7.6.gimli/try-from.8
erjo@286 975 --- tcp_wrappers_7.6/try-from.8 1969-12-31 18:00:00.000000000 -0600
erjo@286 976 +++ tcp_wrappers_7.6.gimli/try-from.8 2002-01-07 08:50:19.000000000 -0600
erjo@286 977 @@ -0,0 +1,28 @@
erjo@286 978 +.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
erjo@286 979 +.SH NAME
erjo@286 980 +try-from \- test program for the tcp_wrapper
erjo@286 981 +.SH SYNOPSIS
erjo@286 982 +.B try-from
erjo@286 983 +.SH DESCRIPTION
erjo@286 984 +The
erjo@286 985 +.B try-from
erjo@286 986 +command can be called via a remote shell command to find out
erjo@286 987 +if the hostname and address are properly recognized
erjo@286 988 +by the
erjo@286 989 +.B tcp_wrapper
erjo@286 990 +library, if username lookup works, and (SysV only) if the TLI
erjo@286 991 +on top of IP heuristics work. Diagnostics are reported through
erjo@286 992 +.BR syslog (3)
erjo@286 993 +and redirected to stderr.
erjo@286 994 +
erjo@286 995 +Example:
erjo@286 996 +
erjo@286 997 +rsh host /some/where/try-from
erjo@286 998 +
erjo@286 999 +.SH SEE ALSO
erjo@286 1000 +.BR hosts_access (5),
erjo@286 1001 +.BR hosts_options (5),
erjo@286 1002 +.BR tcpd (8)
erjo@286 1003 +.SH AUTHOR
erjo@286 1004 +Wietse Venema, Eindhoven University of Technology, The Netherlands.
erjo@286 1005 +
erjo@286 1006 diff -Naur tcp_wrappers_7.6/weak_symbols.c tcp_wrappers_7.6.gimli/weak_symbols.c
erjo@286 1007 --- tcp_wrappers_7.6/weak_symbols.c 1969-12-31 18:00:00.000000000 -0600
erjo@286 1008 +++ tcp_wrappers_7.6.gimli/weak_symbols.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 1009 @@ -0,0 +1,11 @@
erjo@286 1010 + /*
erjo@286 1011 + * @(#) weak_symbols.h 1.5 99/12/29 23:50
erjo@286 1012 + *
erjo@286 1013 + * Author: Anthony Towns <ajt@debian.org>
erjo@286 1014 + */
erjo@286 1015 +
erjo@286 1016 +#ifdef HAVE_WEAKSYMS
erjo@286 1017 +#include <syslog.h>
erjo@286 1018 +int deny_severity = LOG_WARNING;
erjo@286 1019 +int allow_severity = SEVERITY;
erjo@286 1020 +#endif
erjo@286 1021 diff -Naur tcp_wrappers_7.6/workarounds.c tcp_wrappers_7.6.gimli/workarounds.c
erjo@286 1022 --- tcp_wrappers_7.6/workarounds.c 1996-03-19 09:22:26.000000000 -0600
erjo@286 1023 +++ tcp_wrappers_7.6.gimli/workarounds.c 2002-01-07 08:50:19.000000000 -0600
erjo@286 1024 @@ -163,7 +163,11 @@
erjo@286 1025 int fix_getpeername(sock, sa, len)
erjo@286 1026 int sock;
erjo@286 1027 struct sockaddr *sa;
erjo@286 1028 +#if !defined(__GLIBC__)
erjo@286 1029 int *len;
erjo@286 1030 +#else /* __GLIBC__ */
erjo@286 1031 +size_t *len;
erjo@286 1032 +#endif /* __GLIBC__ */
erjo@286 1033 {
erjo@286 1034 int ret;
erjo@286 1035 struct sockaddr_in *sin = (struct sockaddr_in *) sa;