[617118d] | 1 | Submitted By: Tushar Teredesai <tushar@linuxfromscratch.org> |
---|
| 2 | Date: 2003-10-04 |
---|
| 3 | Initial Package Version: 7.6 |
---|
| 4 | Origin: http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2003-January/001960.html |
---|
| 5 | Description: This patch was derived from Mark Heerdink's modified tcp_wrappers package. |
---|
| 6 | This patch provides the following improvements: |
---|
| 7 | * Install libwrap.so along with libwrap.a. |
---|
| 8 | * Create an install target for tcp_wrappers. |
---|
| 9 | * Compilation and security fixes. |
---|
| 10 | * Documentation fixes. |
---|
| 11 | |
---|
| 12 | $LastChangedBy: bdubbs $ |
---|
| 13 | $Date: 2004-08-07 18:56:30 -0600 (Sat, 07 Aug 2004) $ |
---|
| 14 | |
---|
| 15 | diff -Naur tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.gimli/Makefile |
---|
| 16 | --- tcp_wrappers_7.6/Makefile 1997-03-21 12:27:21.000000000 -0600 |
---|
| 17 | +++ tcp_wrappers_7.6.gimli/Makefile 2002-07-15 16:07:21.000000000 -0500 |
---|
| 18 | @@ -1,5 +1,10 @@ |
---|
| 19 | +GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h) |
---|
| 20 | + |
---|
| 21 | # @(#) Makefile 1.23 97/03/21 19:27:20 |
---|
| 22 | |
---|
| 23 | +# unset the HOSTNAME environment variable |
---|
| 24 | +HOSTNAME = |
---|
| 25 | + |
---|
| 26 | what: |
---|
| 27 | @echo |
---|
| 28 | @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" |
---|
| 29 | @@ -19,7 +24,7 @@ |
---|
| 30 | @echo " generic (most bsd-ish systems with sys5 compatibility)" |
---|
| 31 | @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543" |
---|
| 32 | @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" |
---|
| 33 | - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" |
---|
| 34 | + @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" |
---|
| 35 | @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" |
---|
| 36 | @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" |
---|
| 37 | @echo " uts215 uxp" |
---|
| 38 | @@ -43,8 +48,8 @@ |
---|
| 39 | # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx |
---|
| 40 | #REAL_DAEMON_DIR=/usr/etc |
---|
| 41 | # |
---|
| 42 | -# SysV.4 Solaris 2.x OSF AIX |
---|
| 43 | -#REAL_DAEMON_DIR=/usr/sbin |
---|
| 44 | +# SysV.4 Solaris 2.x OSF AIX Linux |
---|
| 45 | +REAL_DAEMON_DIR=/usr/sbin |
---|
| 46 | # |
---|
| 47 | # BSD 4.4 |
---|
| 48 | #REAL_DAEMON_DIR=/usr/libexec |
---|
| 49 | @@ -141,10 +146,21 @@ |
---|
| 50 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ |
---|
| 51 | EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all |
---|
| 52 | |
---|
| 53 | +ifneq ($(GLIBC),0) |
---|
| 54 | +MYLIB=-lnsl |
---|
| 55 | +endif |
---|
| 56 | + |
---|
| 57 | linux: |
---|
| 58 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ |
---|
| 59 | - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ |
---|
| 60 | - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all |
---|
| 61 | + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ |
---|
| 62 | + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ |
---|
| 63 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT" |
---|
| 64 | + |
---|
| 65 | +gnu: |
---|
| 66 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ |
---|
| 67 | + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ |
---|
| 68 | + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ |
---|
| 69 | + EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" |
---|
| 70 | |
---|
| 71 | # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. |
---|
| 72 | hpux hpux8 hpux9 hpux10: |
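Review bot: The `ifneq ($(GLIBC),0)` guard at the top of this hunk also fires when GLIBC is empty, which is what `$(shell grep -s -c __GLIBC__ /usr/include/features.h)` (first hunk of this file) yields when features.h is missing, because `grep -s` suppresses the error and prints no count at all; the effect is `-lnsl` being forced onto every non-glibc build. `ifneq ($(filter-out 0,$(GLIBC)),)` is true only for a positive count and false for both `0` and empty. The linux and gnu targets also add `AUX_OBJ=weak_symbols.o` and the dependency list later gains `weak_symbols.o: tcpd.h`, but no weak_symbols.c appears in the patch as shown here; if it is not shipped with the package, `make linux` fails at link time, so please confirm it is part of the same change.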
---|
| 73 | @@ -391,7 +407,7 @@ |
---|
| 74 | # the ones provided with this source distribution. The environ.c module |
---|
| 75 | # implements setenv(), getenv(), and putenv(). |
---|
| 76 | |
---|
| 77 | -AUX_OBJ= setenv.o |
---|
| 78 | +#AUX_OBJ= setenv.o |
---|
| 79 | #AUX_OBJ= environ.o |
---|
| 80 | #AUX_OBJ= environ.o strcasecmp.o |
---|
| 81 | |
---|
| 82 | @@ -454,7 +470,8 @@ |
---|
| 83 | # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work |
---|
| 84 | # around this. The workaround does no harm on other Solaris versions. |
---|
| 85 | |
---|
| 86 | -BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK |
---|
| 87 | +BUGS = |
---|
| 88 | +#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK |
---|
| 89 | #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG |
---|
| 90 | #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG |
---|
| 91 | |
---|
| 92 | @@ -464,7 +481,7 @@ |
---|
| 93 | # If your system supports NIS or YP-style netgroups, enable the following |
---|
| 94 | # macro definition. Netgroups are used only for host access control. |
---|
| 95 | # |
---|
| 96 | -#NETGROUP= -DNETGROUP |
---|
| 97 | +NETGROUP= -DNETGROUP |
---|
| 98 | |
---|
| 99 | ############################################################### |
---|
| 100 | # System dependencies: whether or not your system has vsyslog() |
---|
| 101 | @@ -491,7 +508,7 @@ |
---|
| 102 | # Uncomment the next definition to turn on the language extensions |
---|
| 103 | # (examples: allow, deny, banners, twist and spawn). |
---|
| 104 | # |
---|
| 105 | -#STYLE = -DPROCESS_OPTIONS # Enable language extensions. |
---|
| 106 | +STYLE = -DPROCESS_OPTIONS # Enable language extensions. |
---|
| 107 | |
---|
| 108 | ################################################################ |
---|
| 109 | # Optional: Changing the default disposition of logfile records |
---|
| 110 | @@ -514,7 +531,7 @@ |
---|
| 111 | # |
---|
| 112 | # The LOG_XXX names below are taken from the /usr/include/syslog.h file. |
---|
| 113 | |
---|
| 114 | -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use |
---|
| 115 | +FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use |
---|
| 116 | |
---|
| 117 | # The syslog priority at which successful connections are logged. |
---|
| 118 | |
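Review bot: The trailing comment on the FACILITY line is now stale: the value changed to LOG_DAEMON but the comment still justifies LOG_MAIL, so the line reads as if the change were accidental. Suggest `FACILITY= LOG_DAEMON # was LOG_MAIL (what most sendmail daemons use); LOG_DAEMON keeps access-control records out of the mail log`. Since this moves every tcpd accept/refuse record to a different syslog facility, the patch header's change list should mention it so that syslog routing and log-monitoring rules that select on the mail facility get updated.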
---|
| 119 | @@ -610,7 +627,7 @@ |
---|
| 120 | # Paranoid mode implies hostname lookup. In order to disable hostname |
---|
| 121 | # lookups altogether, see the next section. |
---|
| 122 | |
---|
| 123 | -PARANOID= -DPARANOID |
---|
| 124 | +#PARANOID= -DPARANOID |
---|
| 125 | |
---|
| 126 | ######################################## |
---|
| 127 | # Optional: turning off hostname lookups |
---|
| 128 | @@ -623,7 +640,7 @@ |
---|
| 129 | # In order to perform selective hostname lookups, disable paranoid |
---|
| 130 | # mode (see previous section) and comment out the following definition. |
---|
| 131 | |
---|
| 132 | -HOSTNAME= -DALWAYS_HOSTNAME |
---|
| 133 | +#HOSTNAME= -DALWAYS_HOSTNAME |
---|
| 134 | |
---|
| 135 | ############################################# |
---|
| 136 | # Optional: Turning on host ADDRESS checking |
---|
| 137 | @@ -649,28 +666,46 @@ |
---|
| 138 | # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, |
---|
| 139 | # Solaris 2.x, and Linux. See your system documentation for details. |
---|
| 140 | # |
---|
| 141 | -# KILL_OPT= -DKILL_IP_OPTIONS |
---|
| 142 | +KILL_OPT= -DKILL_IP_OPTIONS |
---|
| 143 | |
---|
| 144 | ## End configuration options |
---|
| 145 | ############################ |
---|
| 146 | |
---|
| 147 | # Protection against weird shells or weird make programs. |
---|
| 148 | |
---|
| 149 | +CC = gcc |
---|
| 150 | SHELL = /bin/sh |
---|
| 151 | -.c.o:; $(CC) $(CFLAGS) -c $*.c |
---|
| 152 | +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c |
---|
| 153 | + |
---|
| 154 | +SOMAJOR = 0 |
---|
| 155 | +SOMINOR = 7.6 |
---|
| 156 | + |
---|
| 157 | +LIB = libwrap.a |
---|
| 158 | +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) |
---|
| 159 | +SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR) |
---|
| 160 | +SHLIBSO = shared/libwrap.so |
---|
| 161 | +SHLIBFLAGS = -Lshared -lwrap |
---|
| 162 | |
---|
| 163 | -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ |
---|
| 164 | +shared/%.o: %.c |
---|
| 165 | + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ |
---|
| 166 | + |
---|
| 167 | +CFLAGS = -O2 -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ |
---|
| 168 | $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ |
---|
| 169 | -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ |
---|
| 170 | -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ |
---|
| 171 | $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ |
---|
| 172 | $(VSYSLOG) $(HOSTNAME) |
---|
| 173 | |
---|
| 174 | +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) |
---|
| 175 | +SHCFLAGS = -fPIC -shared -D_REENTRANT |
---|
| 176 | + |
---|
| 177 | LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ |
---|
| 178 | hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ |
---|
| 179 | $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ |
---|
| 180 | update.o misc.o diag.o percent_m.o myvsyslog.o |
---|
| 181 | |
---|
| 182 | +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); |
---|
| 183 | + |
---|
| 184 | FROM_OBJ= fromhost.o |
---|
| 185 | |
---|
| 186 | KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \ |
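Review bot: `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));` carries a stray `;` that becomes part of the variable's value, so its last word expands to `shared/myvsyslog.o;`. It only works because make reads a `;` after the prerequisites of `$(SHLIB): $(SHLIB_OBJ)` as the start of an empty recipe line and the shell ignores a trailing `;` on the link command; any other use of the variable (a `$(wildcard)`, a clean rule, a dependency list) would break. Drop it: `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ))`. Minor: `SHCFLAGS = -fPIC -shared -D_REENTRANT` passes `-shared` at compile time, where it does nothing, and `-D_REENTRANT` is already in EXTRA_CFLAGS for the linux and gnu targets.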
---|
| 187 | @@ -684,46 +719,80 @@ |
---|
| 188 | refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ |
---|
| 189 | scaffold.h tcpdmatch.8 README.NIS |
---|
| 190 | |
---|
| 191 | -LIB = libwrap.a |
---|
| 192 | - |
---|
| 193 | -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk |
---|
| 194 | +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) |
---|
| 195 | |
---|
| 196 | # Invalidate all object files when the compiler options (CFLAGS) have changed. |
---|
| 197 | |
---|
| 198 | config-check: |
---|
| 199 | @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } |
---|
| 200 | - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ |
---|
| 201 | - if cmp cflags /tmp/cflags.$$$$ ; \ |
---|
| 202 | - then rm /tmp/cflags.$$$$ ; \ |
---|
| 203 | - else mv /tmp/cflags.$$$$ cflags ; \ |
---|
| 204 | + @set +e; echo $(CFLAGS) >cflags.new ; \ |
---|
| 205 | + if cmp cflags cflags.new ; \ |
---|
| 206 | + then rm cflags.new ; \ |
---|
| 207 | + else mv cflags.new cflags ; \ |
---|
| 208 | fi >/dev/null 2>/dev/null |
---|
| 209 | + @if [ ! -d shared ]; then mkdir shared; fi |
---|
| 210 | |
---|
| 211 | $(LIB): $(LIB_OBJ) |
---|
| 212 | rm -f $(LIB) |
---|
| 213 | $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) |
---|
| 214 | -$(RANLIB) $(LIB) |
---|
| 215 | |
---|
| 216 | -tcpd: tcpd.o $(LIB) |
---|
| 217 | - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) |
---|
| 218 | +$(SHLIB): $(SHLIB_OBJ) |
---|
| 219 | + rm -f $(SHLIB) |
---|
| 220 | + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) |
---|
| 221 | + ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ) |
---|
| 222 | + ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) |
---|
| 223 | + |
---|
| 224 | +tcpd: tcpd.o $(SHLIB) |
---|
| 225 | + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) |
---|
| 226 | |
---|
| 227 | -miscd: miscd.o $(LIB) |
---|
| 228 | - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) |
---|
| 229 | +miscd: miscd.o $(SHLIB) |
---|
| 230 | + $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS) |
---|
| 231 | |
---|
| 232 | -safe_finger: safe_finger.o $(LIB) |
---|
| 233 | - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) |
---|
| 234 | +safe_finger: safe_finger.o $(SHLIB) |
---|
| 235 | + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) |
---|
| 236 | |
---|
| 237 | TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o |
---|
| 238 | |
---|
| 239 | -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) |
---|
| 240 | - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) |
---|
| 241 | +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) |
---|
| 242 | + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) |
---|
| 243 | |
---|
| 244 | -try-from: try-from.o fakelog.o $(LIB) |
---|
| 245 | - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) |
---|
| 246 | +try-from: try-from.o fakelog.o $(SHLIB) |
---|
| 247 | + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) |
---|
| 248 | |
---|
| 249 | TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o |
---|
| 250 | |
---|
| 251 | -tcpdchk: $(TCPDCHK_OBJ) $(LIB) |
---|
| 252 | - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) |
---|
| 253 | +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) |
---|
| 254 | + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) |
---|
| 255 | + |
---|
| 256 | +install: install-lib install-bin install-dev |
---|
| 257 | + |
---|
| 258 | +install-lib: |
---|
| 259 | + install -o root -g root -m 0755 $(SHLIB) ${DESTDIR}/usr/lib/ |
---|
| 260 | + ln -sf $(notdir $(SHLIB)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSOMAJ)) |
---|
| 261 | + ln -sf $(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO)) |
---|
| 262 | + |
---|
| 263 | +install-bin: |
---|
| 264 | + install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/ |
---|
| 265 | + install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/ |
---|
| 266 | + install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/ |
---|
| 267 | + install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/ |
---|
| 268 | + install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/ |
---|
| 269 | + install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/ |
---|
| 270 | + install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/ |
---|
| 271 | + install -o root -g root -m 0644 try-from.8 ${DESTDIR}/usr/share/man/man8/ |
---|
| 272 | + install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/ |
---|
| 273 | + install -o root -g root -m 0644 safe_finger.8 ${DESTDIR}/usr/share/man/man8/ |
---|
| 274 | + install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/ |
---|
| 275 | + install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/ |
---|
| 276 | + |
---|
| 277 | +install-dev: |
---|
| 278 | + install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/ |
---|
| 279 | + install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/ |
---|
| 280 | + install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/ |
---|
| 281 | + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3 |
---|
| 282 | + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3 |
---|
| 283 | + ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3 |
---|
| 284 | |
---|
| 285 | shar: $(KIT) |
---|
| 286 | @shar $(KIT) |
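Review bot: In the `$(SHLIB)` rule the libraries precede the objects: `$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)` expands to `... -lc -lnsl shared/*.o`, and a linker that drops libraries no object has yet referenced (`--as-needed`, the default on several distributions) leaves the netgroup symbols from `-lnsl` unresolved. Put the objects first and let the driver add libc: `$(CC) -o $(SHLIB) -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) $(SHLIB_OBJ) $(LIBS)`. The install targets write into `${DESTDIR}/usr/lib`, `${DESTDIR}/usr/sbin` and the man directories without creating them, so a staged install into an empty DESTDIR fails on the first `install`; an `install -d` of the target directories at the top of each install-* rule fixes that. Replacing the predictable `/tmp/cflags.$$$$` with `cflags.new` in the build directory is a genuine fix for a symlink race and deserves a mention in the header as the security fix it is.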
---|
| 287 | @@ -739,7 +808,8 @@ |
---|
| 288 | |
---|
| 289 | clean: |
---|
| 290 | rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ |
---|
| 291 | - cflags |
---|
| 292 | + cflags libwrap*.so* |
---|
| 293 | + rm -rf shared |
---|
| 294 | |
---|
| 295 | tidy: clean |
---|
| 296 | chmod -R a+r . |
---|
| 297 | @@ -885,5 +955,6 @@ |
---|
| 298 | update.o: mystdarg.h |
---|
| 299 | update.o: tcpd.h |
---|
| 300 | vfprintf.o: cflags |
---|
| 301 | +weak_symbols.o: tcpd.h |
---|
| 302 | workarounds.o: cflags |
---|
| 303 | workarounds.o: tcpd.h |
---|
| 304 | diff -Naur tcp_wrappers_7.6/fix_options.c tcp_wrappers_7.6.gimli/fix_options.c |
---|
| 305 | --- tcp_wrappers_7.6/fix_options.c 1997-04-07 19:29:19.000000000 -0500 |
---|
| 306 | +++ tcp_wrappers_7.6.gimli/fix_options.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 307 | @@ -35,7 +35,12 @@ |
---|
| 308 | #ifdef IP_OPTIONS |
---|
| 309 | unsigned char optbuf[BUFFER_SIZE / 3], *cp; |
---|
| 310 | char lbuf[BUFFER_SIZE], *lp; |
---|
| 311 | +#if !defined(__GLIBC__) |
---|
| 312 | int optsize = sizeof(optbuf), ipproto; |
---|
| 313 | +#else /* __GLIBC__ */ |
---|
| 314 | + size_t optsize = sizeof(optbuf); |
---|
| 315 | + int ipproto; |
---|
| 316 | +#endif /* __GLIBC__ */ |
---|
| 317 | struct protoent *ip; |
---|
| 318 | int fd = request->fd; |
---|
| 319 | unsigned int opt; |
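Review bot: `size_t optsize` is not the type glibc's getsockopt() takes for its length argument — since glibc 2.1 that is `socklen_t *`, a 32-bit unsigned — so on LP64 targets `&optsize` (assuming the call below, outside this hunk, passes it there) points at an 8-byte object of which only 4 bytes are written; the high half keeps whatever `sizeof(optbuf)` left there, which happens to be zero on little-endian and is wrong on big-endian. Declaring `socklen_t optsize = sizeof(optbuf);` in the glibc branch matches the prototype on every glibc that has the header. The enclosing fix_options() starts and ends outside the hunk.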
---|
| 320 | diff -Naur tcp_wrappers_7.6/hosts_access.3 tcp_wrappers_7.6.gimli/hosts_access.3 |
---|
| 321 | --- tcp_wrappers_7.6/hosts_access.3 1996-02-11 10:01:27.000000000 -0600 |
---|
| 322 | +++ tcp_wrappers_7.6.gimli/hosts_access.3 2002-01-07 08:50:19.000000000 -0600 |
---|
| 323 | @@ -3,7 +3,7 @@ |
---|
| 324 | hosts_access, hosts_ctl, request_init, request_set \- access control library |
---|
| 325 | .SH SYNOPSIS |
---|
| 326 | .nf |
---|
| 327 | -#include "tcpd.h" |
---|
| 328 | +#include <tcpd.h> |
---|
| 329 | |
---|
| 330 | extern int allow_severity; |
---|
| 331 | extern int deny_severity; |
---|
| 332 | diff -Naur tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.gimli/hosts_access.5 |
---|
| 333 | --- tcp_wrappers_7.6/hosts_access.5 1995-01-30 12:51:47.000000000 -0600 |
---|
| 334 | +++ tcp_wrappers_7.6.gimli/hosts_access.5 2002-01-07 08:50:19.000000000 -0600 |
---|
| 335 | @@ -8,9 +8,9 @@ |
---|
| 336 | impatient reader is encouraged to skip to the EXAMPLES section for a |
---|
| 337 | quick introduction. |
---|
| 338 | .PP |
---|
| 339 | -An extended version of the access control language is described in the |
---|
| 340 | -\fIhosts_options\fR(5) document. The extensions are turned on at |
---|
| 341 | -program build time by building with -DPROCESS_OPTIONS. |
---|
| 342 | +The extended version of the access control language is described in the |
---|
| 343 | +\fIhosts_options\fR(5) document. \fBNote that this language supersedes |
---|
| 344 | +the meaning of \fIshell_command\fB as documented below.\fR |
---|
| 345 | .PP |
---|
| 346 | In the following text, \fIdaemon\fR is the the process name of a |
---|
| 347 | network daemon process, and \fIclient\fR is the name and/or address of |
---|
| 348 | @@ -40,7 +40,7 @@ |
---|
| 349 | character. This permits you to break up long lines so that they are |
---|
| 350 | easier to edit. |
---|
| 351 | .IP \(bu |
---|
| 352 | -Blank lines or lines that begin with a `#\' character are ignored. |
---|
| 353 | +Blank lines or lines that begin with a `#' character are ignored. |
---|
| 354 | This permits you to insert comments and whitespace so that the tables |
---|
| 355 | are easier to read. |
---|
| 356 | .IP \(bu |
---|
| 357 | @@ -69,26 +69,33 @@ |
---|
| 358 | .SH PATTERNS |
---|
| 359 | The access control language implements the following patterns: |
---|
| 360 | .IP \(bu |
---|
| 361 | -A string that begins with a `.\' character. A host name is matched if |
---|
| 362 | +A string that begins with a `.' character. A host name is matched if |
---|
| 363 | the last components of its name match the specified pattern. For |
---|
| 364 | -example, the pattern `.tue.nl\' matches the host name |
---|
| 365 | -`wzv.win.tue.nl\'. |
---|
| 366 | +example, the pattern `.tue.nl' matches the host name |
---|
| 367 | +`wzv.win.tue.nl'. |
---|
| 368 | .IP \(bu |
---|
| 369 | -A string that ends with a `.\' character. A host address is matched if |
---|
| 370 | +A string that ends with a `.' character. A host address is matched if |
---|
| 371 | its first numeric fields match the given string. For example, the |
---|
| 372 | -pattern `131.155.\' matches the address of (almost) every host on the |
---|
| 373 | +pattern `131.155.' matches the address of (almost) every host on the |
---|
| 374 | Eind\%hoven University network (131.155.x.x). |
---|
| 375 | .IP \(bu |
---|
| 376 | -A string that begins with an `@\' character is treated as an NIS |
---|
| 377 | +A string that begins with an `@' character is treated as an NIS |
---|
| 378 | (formerly YP) netgroup name. A host name is matched if it is a host |
---|
| 379 | member of the specified netgroup. Netgroup matches are not supported |
---|
| 380 | for daemon process names or for client user names. |
---|
| 381 | .IP \(bu |
---|
| 382 | -An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a |
---|
| 383 | -`net/mask\' pair. A host address is matched if `net\' is equal to the |
---|
| 384 | -bitwise AND of the address and the `mask\'. For example, the net/mask |
---|
| 385 | -pattern `131.155.72.0/255.255.254.0\' matches every address in the |
---|
| 386 | -range `131.155.72.0\' through `131.155.73.255\'. |
---|
| 387 | +An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a |
---|
| 388 | +`net/mask' pair. A host address is matched if `net' is equal to the |
---|
| 389 | +bitwise AND of the address and the `mask'. For example, the net/mask |
---|
| 390 | +pattern `131.155.72.0/255.255.254.0' matches every address in the |
---|
| 391 | +range `131.155.72.0' through `131.155.73.255'. |
---|
| 392 | +.IP \(bu |
---|
| 393 | +A string that begins with a `/' character is treated as a file |
---|
| 394 | +name. A host name or address is matched if it matches any host name |
---|
| 395 | +or address pattern listed in the named file. The file format is |
---|
| 396 | +zero or more lines with zero or more host name or address patterns |
---|
| 397 | +separated by whitespace. A file name pattern can be used anywhere |
---|
| 398 | +a host name or address pattern can be used. |
---|
| 399 | .SH WILDCARDS |
---|
| 400 | The access control language supports explicit wildcards: |
---|
| 401 | .IP ALL |
---|
| 402 | @@ -115,19 +122,19 @@ |
---|
| 403 | .ne 6 |
---|
| 404 | .SH OPERATORS |
---|
| 405 | .IP EXCEPT |
---|
| 406 | -Intended use is of the form: `list_1 EXCEPT list_2\'; this construct |
---|
| 407 | +Intended use is of the form: `list_1 EXCEPT list_2'; this construct |
---|
| 408 | matches anything that matches \fIlist_1\fR unless it matches |
---|
| 409 | \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in |
---|
| 410 | client_lists. The EXCEPT operator can be nested: if the control |
---|
| 411 | -language would permit the use of parentheses, `a EXCEPT b EXCEPT c\' |
---|
| 412 | -would parse as `(a EXCEPT (b EXCEPT c))\'. |
---|
| 413 | +language would permit the use of parentheses, `a EXCEPT b EXCEPT c' |
---|
| 414 | +would parse as `(a EXCEPT (b EXCEPT c))'. |
---|
| 415 | .br |
---|
| 416 | .ne 6 |
---|
| 417 | .SH SHELL COMMANDS |
---|
| 418 | If the first-matched access control rule contains a shell command, that |
---|
| 419 | command is subjected to %<letter> substitutions (see next section). |
---|
| 420 | The result is executed by a \fI/bin/sh\fR child process with standard |
---|
| 421 | -input, output and error connected to \fI/dev/null\fR. Specify an `&\' |
---|
| 422 | +input, output and error connected to \fI/dev/null\fR. Specify an `&' |
---|
| 423 | at the end of the command if you do not want to wait until it has |
---|
| 424 | completed. |
---|
| 425 | .PP |
---|
| 426 | @@ -159,7 +166,7 @@ |
---|
| 427 | .IP %u |
---|
| 428 | The client user name (or "unknown"). |
---|
| 429 | .IP %% |
---|
| 430 | -Expands to a single `%\' character. |
---|
| 431 | +Expands to a single `%' character. |
---|
| 432 | .PP |
---|
| 433 | Characters in % expansions that may confuse the shell are replaced by |
---|
| 434 | underscores. |
---|
| 435 | @@ -243,9 +250,9 @@ |
---|
| 436 | less trustworthy. It is possible for an intruder to spoof both the |
---|
| 437 | client connection and the IDENT lookup, although doing so is much |
---|
| 438 | harder than spoofing just a client connection. It may also be that |
---|
| 439 | -the client\'s IDENT server is lying. |
---|
| 440 | +the client's IDENT server is lying. |
---|
| 441 | .PP |
---|
| 442 | -Note: IDENT lookups don\'t work with UDP services. |
---|
| 443 | +Note: IDENT lookups don't work with UDP services. |
---|
| 444 | .SH EXAMPLES |
---|
| 445 | The language is flexible enough that different types of access control |
---|
| 446 | policy can be expressed with a minimum of fuss. Although the language |
---|
| 447 | @@ -285,7 +292,7 @@ |
---|
| 448 | .br |
---|
| 449 | ALL: .foobar.edu EXCEPT terminalserver.foobar.edu |
---|
| 450 | .PP |
---|
| 451 | -The first rule permits access from hosts in the local domain (no `.\' |
---|
| 452 | +The first rule permits access from hosts in the local domain (no `.' |
---|
| 453 | in the host name) and from members of the \fIsome_netgroup\fP |
---|
| 454 | netgroup. The second rule permits access from all hosts in the |
---|
| 455 | \fIfoobar.edu\fP domain (notice the leading dot), with the exception of |
---|
| 456 | @@ -322,8 +329,8 @@ |
---|
| 457 | /etc/hosts.deny: |
---|
| 458 | .in +3 |
---|
| 459 | .nf |
---|
| 460 | -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ |
---|
| 461 | - /usr/ucb/mail -s %d-%h root) & |
---|
| 462 | +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ |
---|
| 463 | + /usr/bin/mail -s %d-%h root) & |
---|
| 464 | .fi |
---|
| 465 | .PP |
---|
| 466 | The safe_finger command comes with the tcpd wrapper and should be |
---|
| 467 | @@ -349,7 +356,7 @@ |
---|
| 468 | capacity of an internal buffer; when an access control rule is not |
---|
| 469 | terminated by a newline character; when the result of %<letter> |
---|
| 470 | expansion would overflow an internal buffer; when a system call fails |
---|
| 471 | -that shouldn\'t. All problems are reported via the syslog daemon. |
---|
| 472 | +that shouldn't. All problems are reported via the syslog daemon. |
---|
| 473 | .SH FILES |
---|
| 474 | .na |
---|
| 475 | .nf |
---|
| 476 | diff -Naur tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.gimli/hosts_access.c |
---|
| 477 | --- tcp_wrappers_7.6/hosts_access.c 1997-02-11 19:13:23.000000000 -0600 |
---|
| 478 | +++ tcp_wrappers_7.6.gimli/hosts_access.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 479 | @@ -240,6 +240,26 @@ |
---|
| 480 | } |
---|
| 481 | } |
---|
| 482 | |
---|
| 483 | +/* hostfile_match - look up host patterns from file */ |
---|
| 484 | + |
---|
| 485 | +static int hostfile_match(path, host) |
---|
| 486 | +char *path; |
---|
| 487 | +struct hosts_info *host; |
---|
| 488 | +{ |
---|
| 489 | + char tok[BUFSIZ]; |
---|
| 490 | + int match = NO; |
---|
| 491 | + FILE *fp; |
---|
| 492 | + |
---|
| 493 | + if ((fp = fopen(path, "r")) != 0) { |
---|
| 494 | + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) |
---|
| 495 | + /* void */ ; |
---|
| 496 | + fclose(fp); |
---|
| 497 | + } else if (errno != ENOENT) { |
---|
| 498 | + tcpd_warn("open %s: %m", path); |
---|
| 499 | + } |
---|
| 500 | + return (match); |
---|
| 501 | +} |
---|
| 502 | + |
---|
| 503 | /* host_match - match host name and/or address against pattern */ |
---|
| 504 | |
---|
| 505 | static int host_match(tok, host) |
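Review bot: `fscanf(fp, "%s", tok)` reads an unbounded token into `char tok[BUFSIZ]`, so a single whitespace-free run longer than BUFSIZ-1 bytes in a pattern file overruns the stack buffer; the file is named from hosts.allow/hosts.deny and read by tcpd, typically as root. A pattern file may also contain a `/path` token — host_match() dispatches that straight back into hostfile_match() — so a file that lists itself, or two files that list each other, recurse until the stack is exhausted. The loop below bounds the read with a literal width that matches the buffer and refuses nested file patterns; the open/ENOENT branch and the return are unchanged.
```c
static int hostfile_match(path, host)
char *path;
struct hosts_info *host;
{
    char tok[1024];                     /* width in the fscanf format must stay 1023 */
    int match = NO;
    FILE *fp;

    if ((fp = fopen(path, "r")) != 0) {
        while (!match && fscanf(fp, "%1023s", tok) == 1) {
            if (tok[0] == '/') {        /* no nested pattern files: unbounded recursion */
                tcpd_warn("%s: nested file pattern %s ignored", path, tok);
                continue;
            }
            match = host_match(tok, host);
        }
        fclose(fp);
    /* … unchanged: ENOENT / tcpd_warn branch and return (match) … */
```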
---|
| 506 | @@ -267,6 +287,8 @@ |
---|
| 507 | tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ |
---|
| 508 | return (NO); |
---|
| 509 | #endif |
---|
| 510 | + } else if (tok[0] == '/') { /* /file hack */ |
---|
| 511 | + return (hostfile_match(tok, host)); |
---|
| 512 | } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ |
---|
| 513 | char *name = eval_hostname(host); |
---|
| 514 | return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); |
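Review bot: The `/* /file hack */` comment says nothing about the feature that hosts_access.5 now advertises; a reader of host_match() should get the contract here, e.g. `/* "/path": read host patterns from a file, first match wins; see hosts_access(5) */`. Note also that hostfile_match() treats a missing file as a silent non-match (ENOENT is the one errno it does not warn about), so a deny rule whose pattern file has been removed or mistyped stops matching without any log record — a fail-open for hosts.deny. If that is intended, the comment and the manual page should say so; otherwise warning on ENOENT as well is a one-line change in hostfile_match().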
---|
| 515 | diff -Naur tcp_wrappers_7.6/hosts_options.5 tcp_wrappers_7.6.gimli/hosts_options.5 |
---|
| 516 | --- tcp_wrappers_7.6/hosts_options.5 1994-12-28 10:42:29.000000000 -0600 |
---|
| 517 | +++ tcp_wrappers_7.6.gimli/hosts_options.5 2002-01-07 08:50:19.000000000 -0600 |
---|
| 518 | @@ -58,12 +58,12 @@ |
---|
| 519 | Execute, in a child process, the specified shell command, after |
---|
| 520 | performing the %<letter> expansions described in the hosts_access(5) |
---|
| 521 | manual page. The command is executed with stdin, stdout and stderr |
---|
| 522 | -connected to the null device, so that it won\'t mess up the |
---|
| 523 | +connected to the null device, so that it won't mess up the |
---|
| 524 | conversation with the client host. Example: |
---|
| 525 | .sp |
---|
| 526 | .nf |
---|
| 527 | .ti +3 |
---|
| 528 | -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & |
---|
| 529 | +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & |
---|
| 530 | .fi |
---|
| 531 | .sp |
---|
| 532 | executes, in a background child process, the shell command "safe_finger |
---|
| 533 | diff -Naur tcp_wrappers_7.6/options.c tcp_wrappers_7.6.gimli/options.c |
---|
| 534 | --- tcp_wrappers_7.6/options.c 1996-02-11 10:01:32.000000000 -0600 |
---|
| 535 | +++ tcp_wrappers_7.6.gimli/options.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 536 | @@ -473,6 +473,9 @@ |
---|
| 537 | #ifdef LOG_CRON |
---|
| 538 | "cron", LOG_CRON, |
---|
| 539 | #endif |
---|
| 540 | +#ifdef LOG_FTP |
---|
| 541 | + "ftp", LOG_FTP, |
---|
| 542 | +#endif |
---|
| 543 | #ifdef LOG_LOCAL0 |
---|
| 544 | "local0", LOG_LOCAL0, |
---|
| 545 | #endif |
---|
| 546 | diff -Naur tcp_wrappers_7.6/percent_m.c tcp_wrappers_7.6.gimli/percent_m.c |
---|
| 547 | --- tcp_wrappers_7.6/percent_m.c 1994-12-28 10:42:37.000000000 -0600 |
---|
| 548 | +++ tcp_wrappers_7.6.gimli/percent_m.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 549 | @@ -13,7 +13,7 @@ |
---|
| 550 | #include <string.h> |
---|
| 551 | |
---|
| 552 | extern int errno; |
---|
| 553 | -#ifndef SYS_ERRLIST_DEFINED |
---|
| 554 | +#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR) |
---|
| 555 | extern char *sys_errlist[]; |
---|
| 556 | extern int sys_nerr; |
---|
| 557 | #endif |
---|
| 558 | @@ -29,11 +29,15 @@ |
---|
| 559 | |
---|
| 560 | while (*bp = *cp) |
---|
| 561 | if (*cp == '%' && cp[1] == 'm') { |
---|
| 562 | +#ifdef HAVE_STRERROR |
---|
| 563 | + strcpy(bp, strerror(errno)); |
---|
| 564 | +#else |
---|
| 565 | if (errno < sys_nerr && errno > 0) { |
---|
| 566 | strcpy(bp, sys_errlist[errno]); |
---|
| 567 | } else { |
---|
| 568 | sprintf(bp, "Unknown error %d", errno); |
---|
| 569 | } |
---|
| 570 | +#endif |
---|
| 571 | bp += strlen(bp); |
---|
| 572 | cp += 2; |
---|
| 573 | } else { |
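Review bot: `strcpy(bp, strerror(errno))` copies an unbounded, locale-dependent message into the output buffer at `bp`, and nothing in this loop tracks the remaining capacity (`bp` just advances by strlen); the sys_errlist branch had the same shape, so the patch does not make it worse, but the new text is the one most likely to grow. The function's signature is outside the hunk; if it does not receive the output length, a bounded copy such as `snprintf(bp, end - bp, "%s", strerror(errno))` needs the callers to pass one, which is worth doing since this code presumably formats log records for connection events. strerror() is also not reentrant, which deserves a comment now that the build adds `-D_REENTRANT`; strerror_r() would be the match, but its GNU and XSI signatures differ, so that is a separate change.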
---|
| 574 | diff -Naur tcp_wrappers_7.6/rfc931.c tcp_wrappers_7.6.gimli/rfc931.c |
---|
| 575 | --- tcp_wrappers_7.6/rfc931.c 1995-01-02 09:11:34.000000000 -0600 |
---|
| 576 | +++ tcp_wrappers_7.6.gimli/rfc931.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 577 | @@ -33,7 +33,7 @@ |
---|
| 578 | |
---|
| 579 | int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ |
---|
| 580 | |
---|
| 581 | -static jmp_buf timebuf; |
---|
| 582 | +static sigjmp_buf timebuf; |
---|
| 583 | |
---|
| 584 | /* fsocket - open stdio stream on top of socket */ |
---|
| 585 | |
---|
| 586 | @@ -62,7 +62,7 @@ |
---|
| 587 | static void timeout(sig) |
---|
| 588 | int sig; |
---|
| 589 | { |
---|
| 590 | - longjmp(timebuf, sig); |
---|
| 591 | + siglongjmp(timebuf, sig); |
---|
| 592 | } |
---|
| 593 | |
---|
| 594 | /* rfc931 - return remote user name, given socket structures */ |
---|
| 595 | @@ -99,7 +99,7 @@ |
---|
| 596 | * Set up a timer so we won't get stuck while waiting for the server. |
---|
| 597 | */ |
---|
| 598 | |
---|
| 599 | - if (setjmp(timebuf) == 0) { |
---|
| 600 | + if (sigsetjmp(timebuf,1) == 0) { |
---|
| 601 | signal(SIGALRM, timeout); |
---|
| 602 | alarm(rfc931_timeout); |
---|
| 603 | |
---|
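--- a/tcp_wrappers_7.6/safe_finger.8
+++ b/tcp_wrappers_7.6.gimli/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+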
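--- a/tcp_wrappers_7.6/safe_finger.c
+++ b/tcp_wrappers_7.6.gimli/safe_finger.c
@@ -26,21 +26,24 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <pwd.h>
+#include <syslog.h>
 
 extern void exit();
 
 /* Local stuff */
 
-char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
+char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
 
 #define TIME_LIMIT 60 /* Do not keep listinging forever */
 #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
 #define LINE_LENGTH 128 /* Editors can choke on long lines */
 #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
 #define UNPRIV_NAME "nobody" /* Preferred privilege level */
-#define UNPRIV_UGID 32767 /* Default uid and gid */
+#define UNPRIV_UGID 65534 /* Default uid and gid */
 
 int finger_pid;
+int allow_severity = SEVERITY;
+int deny_severity = LOG_WARNING;
 
 void cleanup(sig)
 int sig;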
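Review bot: `UNPRIV_UGID 65534` is a bare number whose safety rests on it never mapping to a real account on the target system, and the path that falls back to it when `UNPRIV_NAME` cannot be resolved is outside this hunk, so the assumption should be stated on the line itself, e.g. `/* Default uid and gid: Linux "nobody"/"nogroup"; used only when UNPRIV_NAME is not in the password file, must never be a real account */`. The new `allow_severity`/`deny_severity` definitions depend on `SEVERITY` being supplied by the build (the added <syslog.h> include covers only LOG_WARNING) and duplicate the defaults this patch adds in weak_symbols.c, presumably so this program's strong definitions take precedence over the library's; a one-line comment saying so would spare the next reader the link-order analysis.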
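--- a/tcp_wrappers_7.6/scaffold.c
+++ b/tcp_wrappers_7.6.gimli/scaffold.c
@@ -180,10 +180,12 @@
 
 /* ARGSUSED */
 
-void rfc931(request)
-struct request_info *request;
+void rfc931(rmt_sin, our_sin, dest)
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+char *dest;
 {
- strcpy(request->user, unknown);
+ strcpy(dest, unknown);
 }
 
 /* check_path - examine accessibility */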
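Review bot: The new `rfc931(rmt_sin, our_sin, dest)` interface, like the matching prototype this patch adds to tcpd.h (`extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *))`), carries no length for `dest`, so `strcpy(dest, unknown)` here and presumably the real implementation in rfc931.c both rely on an unstated contract that the caller passes a buffer of at least STRING_LENGTH bytes. This stub is safe because `unknown` is a short constant, but the contract belongs on the prototype, e.g. `/* dest must hold at least STRING_LENGTH bytes; result is NUL-terminated */`, or better the function should take the destination size so the library can bound the copy. The unused `rmt_sin`/`our_sin` parameters are already covered by the ARGSUSED marker.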
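--- a/tcp_wrappers_7.6/socket.c
+++ b/tcp_wrappers_7.6.gimli/socket.c
@@ -76,7 +76,11 @@
 {
 static struct sockaddr_in client;
 static struct sockaddr_in server;
+#if !defined (__GLIBC__)
 int len;
+#else /* __GLIBC__ */
+ size_t len;
+#endif /* __GLIBC__ */
 char buf[BUFSIZ];
 int fd = request->fd;
 
@@ -224,7 +228,11 @@
 {
 char buf[BUFSIZ];
 struct sockaddr_in sin;
+#if !defined(__GLIBC__)
 int size = sizeof(sin);
+#else /* __GLIBC__ */
+ size_t size = sizeof(sin);
+#endif /* __GLIBC__ */
 
 /*
 * Eat up the not-yet received datagram. Some systems insist on a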
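Review bot: `size_t len` in the first hunk (and `size_t size` in the second, plus the `size_t *len` parameter in workarounds.c's fix_getpeername) is not the type the socket calls take: POSIX and glibc since 2.1 declare getpeername()/getsockname()/recvfrom() with `socklen_t *`, which is 32 bits while `size_t` is 64 bits on LP64 hosts, so the kernel writes only half of the object (on big-endian LP64 the wrong half) and the compiler warns about an incompatible pointer. `socklen_t len;` is correct on both sides of the `#if` and removes the `__GLIBC__` conditionals entirely. The enclosing functions start and end outside the hunks, so the later `&len`/`&size` uses cannot be checked here.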
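--- a/tcp_wrappers_7.6/tcpd.8
+++ b/tcp_wrappers_7.6.gimli/tcpd.8
@@ -94,7 +94,7 @@
 .PP
 The example assumes that the network daemons live in /usr/etc. On some
 systems, network daemons live in /usr/sbin or in /usr/libexec, or have
-no `in.\' prefix to their name.
+no `in.' prefix to their name.
 .SH EXAMPLE 2
 This example applies when \fItcpd\fR expects that the network daemons
 are left in their original place.
@@ -110,26 +110,26 @@
 becomes:
 .sp
 .ti +5
-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
 .sp
 .fi
 .PP
 The example assumes that the network daemons live in /usr/etc. On some
 systems, network daemons live in /usr/sbin or in /usr/libexec, the
-daemons have no `in.\' prefix to their name, or there is no userid
+daemons have no `in.' prefix to their name, or there is no userid
 field in the inetd configuration file.
 .PP
 Similar changes will be needed for the other services that are to be
-covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
+covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8)
 process to make the changes effective. AIX users may also have to
-execute the `inetimp\' command.
+execute the `inetimp' command.
 .SH EXAMPLE 3
 In the case of daemons that do not live in a common directory ("secret"
 or otherwise), edit the \fIinetd\fR configuration file so that it
 specifies an absolute path name for the process name field. For example:
 .nf
 .sp
- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
+ ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
 .sp
 .fi
 .PP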
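--- a/tcp_wrappers_7.6/tcpd.h
+++ b/tcp_wrappers_7.6.gimli/tcpd.h
@@ -4,6 +4,25 @@
 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
 */
 
+#ifndef _TCPWRAPPERS_TCPD_H
+#define _TCPWRAPPERS_TCPD_H
+
+/* someone else may have defined this */
+#undef __P
+
+/* use prototypes if we have an ANSI C compiler or are using C++ */
+#if defined(__STDC__) || defined(__cplusplus)
+#define __P(args) args
+#else
+#define __P(args) ()
+#endif
+
+/* Need definitions of struct sockaddr_in and FILE. */
+#include <netinet/in.h>
+#include <stdio.h>
+
+__BEGIN_DECLS
+
 /* Structure to describe one communications endpoint. */
 
 #define STRING_LENGTH 128 /* hosts, users, processes */
@@ -25,10 +44,10 @@
 char pid[10]; /* access via eval_pid(request) */
 struct host_info client[1]; /* client endpoint info */
 struct host_info server[1]; /* server endpoint info */
- void (*sink) (); /* datagram sink function or 0 */
- void (*hostname) (); /* address to printable hostname */
- void (*hostaddr) (); /* address to printable address */
- void (*cleanup) (); /* cleanup function or 0 */
+ void (*sink) __P((int)); /* datagram sink function or 0 */
+ void (*hostname) __P((struct host_info *)); /* address to printable hostname */
+ void (*hostaddr) __P((struct host_info *)); /* address to printable address */
+ void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
 struct netconfig *config; /* netdir handle */
 };
 
@@ -61,25 +80,30 @@
 /* Global functions. */
 
 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
-extern void fromhost(); /* get/validate client host info */
+extern void fromhost __P((struct request_info *)); /* get/validate client host info */
 #else
 #define fromhost sock_host /* no TLI support needed */
 #endif
 
-extern int hosts_access(); /* access control */
-extern void shell_cmd(); /* execute shell command */
-extern char *percent_x(); /* do %<char> expansion */
-extern void rfc931(); /* client name from RFC 931 daemon */
-extern void clean_exit(); /* clean up and exit */
-extern void refuse(); /* clean up and exit */
-extern char *xgets(); /* fgets() on steroids */
-extern char *split_at(); /* strchr() and split */
-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
+extern void shell_cmd __P((char *)); /* execute shell command */
+extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
+extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
+extern void clean_exit __P((struct request_info *)); /* clean up and exit */
+extern void refuse __P((struct request_info *)); /* clean up and exit */
+extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */
+extern char *split_at __P((char *, int)); /* strchr() and split */
+extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
 
 /* Global variables. */
 
+#ifdef HAVE_WEAKSYMS
+extern int allow_severity __attribute__ ((weak)); /* for connection logging */
+extern int deny_severity __attribute__ ((weak)); /* for connection logging */
+#else
 extern int allow_severity; /* for connection logging */
 extern int deny_severity; /* for connection logging */
+#endif
+
 extern char *hosts_allow_table; /* for verification mode redirection */
 extern char *hosts_deny_table; /* for verification mode redirection */
 extern int hosts_access_verbose; /* for verbose matching mode */
@@ -92,9 +116,14 @@
 */
 
 #ifdef __STDC__
+extern int hosts_access(struct request_info *request);
+extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
+ char *client_user);
 extern struct request_info *request_init(struct request_info *,...);
 extern struct request_info *request_set(struct request_info *,...);
 #else
+extern int hosts_access();
+extern int hosts_ctl();
 extern struct request_info *request_init(); /* initialize request */
 extern struct request_info *request_set(); /* update request structure */
 #endif
@@ -117,27 +146,31 @@
 * host_info structures serve as caches for the lookup results.
 */
 
-extern char *eval_user(); /* client user */
-extern char *eval_hostname(); /* printable hostname */
-extern char *eval_hostaddr(); /* printable host address */
-extern char *eval_hostinfo(); /* host name or address */
-extern char *eval_client(); /* whatever is available */
-extern char *eval_server(); /* whatever is available */
+extern char *eval_user __P((struct request_info *)); /* client user */
+extern char *eval_hostname __P((struct host_info *)); /* printable hostname */
+extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */
+extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */
+extern char *eval_client __P((struct request_info *)); /* whatever is available */
+extern char *eval_server __P((struct request_info *)); /* whatever is available */
 #define eval_daemon(r) ((r)->daemon) /* daemon process name */
 #define eval_pid(r) ((r)->pid) /* process id */
 
 /* Socket-specific methods, including DNS hostname lookups. */
 
-extern void sock_host(); /* look up endpoint addresses */
-extern void sock_hostname(); /* translate address to hostname */
-extern void sock_hostaddr(); /* address to printable address */
+/* look up endpoint addresses */
+extern void sock_host __P((struct request_info *));
+/* translate address to hostname */
+extern void sock_hostname __P((struct host_info *));
+/* address to printable address */
+extern void sock_hostaddr __P((struct host_info *));
+
 #define sock_methods(r) \
 { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
 
 /* The System V Transport-Level Interface (TLI) interface. */
 
 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
-extern void tli_host(); /* look up endpoint addresses etc. */
+extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */
 #endif
 
 /*
@@ -178,7 +211,7 @@
 * behavior.
 */
 
-extern void process_options(); /* execute options */
+extern void process_options __P((char *, struct request_info *)); /* execute options */
 extern int dry_run; /* verification flag */
 
 /* Bug workarounds. */
@@ -217,3 +250,7 @@
 #define strtok my_strtok
 extern char *my_strtok();
 #endif
+
+__END_DECLS
+
+#endif /* tcpd.h */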
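Review bot: `__BEGIN_DECLS` and `__END_DECLS` in the first and last hunks are glibc-private macros from <sys/cdefs.h>, which this header never includes and which non-glibc compilers do not define, so the header now fails to compile on exactly the platforms the `#if !defined(__GLIBC__)` branches elsewhere in this patch are meant to keep working; the portable form is an explicit `#ifdef __cplusplus` / `extern "C" {` block. In the same hunk `_TCPWRAPPERS_TCPD_H` and `__P` are identifiers reserved for the implementation (leading underscore plus uppercase, double underscore), and `#undef __P` silently clobbers the definition glibc's <sys/cdefs.h> provides; a project-prefixed guard such as `TCPWRAPPERS_TCPD_H` and a prefixed prototype macro avoid both. The closing `#endif /* tcpd.h */` should name the guard macro it closes rather than the file.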
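--- a/tcp_wrappers_7.6/tcpdchk.c
+++ b/tcp_wrappers_7.6.gimli/tcpdchk.c
@@ -350,6 +350,8 @@
 {
 if (pat[0] == '@') {
 tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: daemon name begins with \"/\"", pat);
 } else if (pat[0] == '.') {
 tcpd_warn("%s: daemon name begins with dot", pat);
 } else if (pat[strlen(pat) - 1] == '.') {
@@ -382,6 +384,8 @@
 {
 if (pat[0] == '@') { /* @netgroup */
 tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: user name begins with \"/\"", pat);
 } else if (pat[0] == '.') {
 tcpd_warn("%s: user name begins with dot", pat);
 } else if (pat[strlen(pat) - 1] == '.') {
@@ -402,8 +406,13 @@
 static int check_host(pat)
 char *pat;
 {
+ char buf[BUFSIZ];
 char *mask;
 int addr_count = 1;
+ FILE *fp;
+ struct tcpd_context saved_context;
+ char *cp;
+ char *wsp = " \t\r\n";
 
 if (pat[0] == '@') { /* @netgroup */
 #ifdef NO_NETGRENT
@@ -422,6 +431,21 @@
 tcpd_warn("netgroup support disabled");
 #endif
 #endif
+ } else if (pat[0] == '/') { /* /path/name */
+ if ((fp = fopen(pat, "r")) != 0) {
+ saved_context = tcpd_context;
+ tcpd_context.file = pat;
+ tcpd_context.line = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ tcpd_context.line++;
+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+ check_host(cp);
+ }
+ tcpd_context = saved_context;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", pat);
+ }
 } else if (mask = split_at(pat, '/')) { /* network/netmask */
 if (dot_quad_addr(pat) == INADDR_NONE
 || dot_quad_addr(mask) == INADDR_NONE)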
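Review bot: In the last hunk `for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) check_host(cp);` recurses into check_host(), and for a token that itself starts with '/' the inner call opens that file and runs the same strtok loop over its own stack `buf`; strtok keeps a single static position, so when the inner call returns the outer `strtok((char *) 0, wsp)` resumes from the inner frame's now-dead buffer instead of the outer line — wrong tokens at best, a read of stale stack at worst. A re-entrant tokenizer fixes it: add `char *save;` to the locals and use `for (cp = strtok_r(buf, wsp, &save); cp; cp = strtok_r((char *) 0, wsp, &save))`, or a strspn()/strpbrk() pair on platforms where this package has to fall back to the `#define strtok my_strtok` workaround in tcpd.h. Nothing visible bounds the recursion either, so a file that names itself or two files that name each other recurse until the stack is exhausted; a depth counter passed down, or a check against the saved `tcpd_context.file` chain, would make the checker fail cleanly with a warning instead.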
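--- a/tcp_wrappers_7.6/try-from.8
+++ b/tcp_wrappers_7.6.gimli/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /some/where/try-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+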
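--- a/tcp_wrappers_7.6/weak_symbols.c
+++ b/tcp_wrappers_7.6.gimli/weak_symbols.c
@@ -0,0 +1,11 @@
+ /*
+ * @(#) weak_symbols.h 1.5 99/12/29 23:50
+ *
+ * Author: Anthony Towns <ajt@debian.org>
+ */
+
+#ifdef HAVE_WEAKSYMS
+#include <syslog.h>
+int deny_severity = LOG_WARNING;
+int allow_severity = SEVERITY;
+#endif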
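Review bot: The two definitions here are ordinary strong symbols; the `weak` attribute lives only on the declarations this patch adds to tcpd.h under `HAVE_WEAKSYMS`, so whether a program's own `allow_severity`/`deny_severity` wins over these defaults depends on the link mode (symbol interposition with libwrap.so, archive member selection with libwrap.a) rather than on anything in this file. A comment stating that intent, and that `SEVERITY` is presumably supplied by the build's CFLAGS since nothing here defines it, would make the mechanism reviewable; marking these definitions `__attribute__ ((weak))` as well would make the override independent of link order. The header comment also names `weak_symbols.h` although the file is weak_symbols.c.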
| 1025 | diff -Naur tcp_wrappers_7.6/workarounds.c tcp_wrappers_7.6.gimli/workarounds.c |
---|
| 1026 | --- tcp_wrappers_7.6/workarounds.c 1996-03-19 09:22:26.000000000 -0600 |
---|
| 1027 | +++ tcp_wrappers_7.6.gimli/workarounds.c 2002-01-07 08:50:19.000000000 -0600 |
---|
| 1028 | @@ -163,7 +163,11 @@ |
---|
| 1029 | int fix_getpeername(sock, sa, len) |
---|
| 1030 | int sock; |
---|
| 1031 | struct sockaddr *sa; |
---|
| 1032 | +#if !defined(__GLIBC__) |
---|
| 1033 | int *len; |
---|
| 1034 | +#else /* __GLIBC__ */ |
---|
| 1035 | +size_t *len; |
---|
| 1036 | +#endif /* __GLIBC__ */ |
---|
| 1037 | { |
---|
| 1038 | int ret; |
---|
| 1039 | struct sockaddr_in *sin = (struct sockaddr_in *) sa; |
---|