scripts/patches/tcp_wrappers-7.6-shared_lib_plus_plus-1.patch@
b460b7f
      
      | Last change on this file since b460b7f was 7f65c0e, checked in by , 20 years ago | |
      tcp_wrappers_7.6Submitted By: Tushar Teredesai <tushar@linuxfromscratch.org> Date: 2003-10-04 Initial Package Version: 7.6 Origin: http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2003-January/001960.html Description: The patch was created from the tcp_wrappers modified package by Mark Heerdink. This patch provides the following improvements: * Install libwrap.so along with libwrap.a. * Create an install target for tcp_wrappers. * Compilation and security fixes. * Documentation fixes. $LastChangedBy: bdubbs $ $Date: 2004-08-07 18:56:30 -0600 (Sat, 07 Aug 2004) $ diff -Naur tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.gimli/Makefileold new 1 GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h) 2 1 3 # @(#) Makefile 1.23 97/03/21 19:27:20 2 4 5 # unset the HOSTNAME environment variable 6 HOSTNAME = 7 3 8 what: 4 9 @echo 5 10 @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" … … 19 24 @echo " generic (most bsd-ish systems with sys5 compatibility)" 20 25 @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543" 21 26 @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" 22 @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"27 @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" 23 28 @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" 24 29 @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" 25 30 @echo " uts215 uxp" … … 43 48 # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx 44 49 #REAL_DAEMON_DIR=/usr/etc 45 50 # 46 # SysV.4 Solaris 2.x OSF AIX 47 #REAL_DAEMON_DIR=/usr/sbin51 # SysV.4 Solaris 2.x OSF AIX Linux 52 REAL_DAEMON_DIR=/usr/sbin 48 53 # 49 54 # BSD 4.4 50 55 #REAL_DAEMON_DIR=/usr/libexec … … 141 146 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ 142 147 EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all 143 148 149 ifneq ($(GLIBC),0) 150 MYLIB=-lnsl 151 endif 152 144 153 
linux: 145 154 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ 146 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ 147 NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all 155 LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ 156 NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ 157 EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT" 158 159 gnu: 160 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ 161 LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ 162 NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ 163 EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" 148 164 149 165 # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. 150 166 hpux hpux8 hpux9 hpux10: … … 391 407 # the ones provided with this source distribution. The environ.c module 392 408 # implements setenv(), getenv(), and putenv(). 393 409 394 AUX_OBJ= setenv.o410 #AUX_OBJ= setenv.o 395 411 #AUX_OBJ= environ.o 396 412 #AUX_OBJ= environ.o strcasecmp.o 397 413 … … 454 470 # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work 455 471 # around this. The workaround does no harm on other Solaris versions. 456 472 457 BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK 473 BUGS = 474 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK 458 475 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG 459 476 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG 460 477 … … 464 481 # If your system supports NIS or YP-style netgroups, enable the following 465 482 # macro definition. Netgroups are used only for host access control. 
466 483 # 467 #NETGROUP= -DNETGROUP484 NETGROUP= -DNETGROUP 468 485 469 486 ############################################################### 470 487 # System dependencies: whether or not your system has vsyslog() … … 491 508 # Uncomment the next definition to turn on the language extensions 492 509 # (examples: allow, deny, banners, twist and spawn). 493 510 # 494 #STYLE = -DPROCESS_OPTIONS # Enable language extensions.511 STYLE = -DPROCESS_OPTIONS # Enable language extensions. 495 512 496 513 ################################################################ 497 514 # Optional: Changing the default disposition of logfile records … … 514 531 # 515 532 # The LOG_XXX names below are taken from the /usr/include/syslog.h file. 516 533 517 FACILITY= LOG_ MAIL# LOG_MAIL is what most sendmail daemons use534 FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use 518 535 519 536 # The syslog priority at which successful connections are logged. 520 537 … … 610 627 # Paranoid mode implies hostname lookup. In order to disable hostname 611 628 # lookups altogether, see the next section. 612 629 613 PARANOID= -DPARANOID630 #PARANOID= -DPARANOID 614 631 615 632 ######################################## 616 633 # Optional: turning off hostname lookups … … 623 640 # In order to perform selective hostname lookups, disable paranoid 624 641 # mode (see previous section) and comment out the following definition. 625 642 626 HOSTNAME= -DALWAYS_HOSTNAME643 #HOSTNAME= -DALWAYS_HOSTNAME 627 644 628 645 ############################################# 629 646 # Optional: Turning on host ADDRESS checking … … 649 666 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, 650 667 # Solaris 2.x, and Linux. See your system documentation for details. 651 668 # 652 #KILL_OPT= -DKILL_IP_OPTIONS669 KILL_OPT= -DKILL_IP_OPTIONS 653 670 654 671 ## End configuration options 655 672 ############################ 656 673 657 674 # Protection against weird shells or weird make programs. 
658 675 676 CC = gcc 659 677 SHELL = /bin/sh 660 .c.o:; $(CC) $(CFLAGS) -c $*.c 678 .c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c 679 680 SOMAJOR = 0 681 SOMINOR = 7.6 682 683 LIB = libwrap.a 684 SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) 685 SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR) 686 SHLIBSO = shared/libwrap.so 687 SHLIBFLAGS = -Lshared -lwrap 661 688 662 CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ 689 shared/%.o: %.c 690 $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ 691 692 CFLAGS = -O2 -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ 663 693 $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ 664 694 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ 665 695 -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ 666 696 $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ 667 697 $(VSYSLOG) $(HOSTNAME) 668 698 699 SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) 700 SHCFLAGS = -fPIC -shared -D_REENTRANT 701 669 702 LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ 670 703 hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ 671 704 $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ 672 705 update.o misc.o diag.o percent_m.o myvsyslog.o 673 706 707 SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); 708 674 709 FROM_OBJ= fromhost.o 675 710 676 711 KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \ … … 684 719 refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ 685 720 scaffold.h tcpdmatch.8 README.NIS 686 721 687 LIB = libwrap.a 688 689 all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk 722 all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) 690 723 691 724 # Invalidate all object files when the compiler options (CFLAGS) have changed. 
692 725 693 726 config-check: 694 727 @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } 695 @set +e; echo $(CFLAGS) > /tmp/cflags.$$$$; \696 if cmp cflags /tmp/cflags.$$$$; \697 then rm /tmp/cflags.$$$$; \698 else mv /tmp/cflags.$$$$cflags ; \728 @set +e; echo $(CFLAGS) >cflags.new ; \ 729 if cmp cflags cflags.new ; \ 730 then rm cflags.new ; \ 731 else mv cflags.new cflags ; \ 699 732 fi >/dev/null 2>/dev/null 733 @if [ ! -d shared ]; then mkdir shared; fi 700 734 701 735 $(LIB): $(LIB_OBJ) 702 736 rm -f $(LIB) 703 737 $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) 704 738 -$(RANLIB) $(LIB) 705 739 706 tcpd: tcpd.o $(LIB) 707 $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) 740 $(SHLIB): $(SHLIB_OBJ) 741 rm -f $(SHLIB) 742 $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) 743 ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ) 744 ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) 745 746 tcpd: tcpd.o $(SHLIB) 747 $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) 708 748 709 miscd: miscd.o $( LIB)710 $(CC) $(CFLAGS) -o $@ miscd.o $( LIB) $(LIBS)749 miscd: miscd.o $(SHLIB) 750 $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS) 711 751 712 safe_finger: safe_finger.o $( LIB)713 $(CC) $(CFLAGS) -o $@ safe_finger.o $( LIB) $(LIBS)752 safe_finger: safe_finger.o $(SHLIB) 753 $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) 714 754 715 755 TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o 716 756 717 tcpdmatch: $(TCPDMATCH_OBJ) $( LIB)718 $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $( LIB) $(LIBS)757 tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) 758 $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) 719 759 720 try-from: try-from.o fakelog.o $( LIB)721 $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $( LIB) $(LIBS)760 try-from: try-from.o fakelog.o $(SHLIB) 761 $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) 722 762 723 763 TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o 724 764 725 tcpdchk: $(TCPDCHK_OBJ) $(LIB) 726 $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) 765 tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) 766 
$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) 767 768 install: install-lib install-bin install-dev 769 770 install-lib: 771 install -o root -g root -m 0755 $(SHLIB) ${DESTDIR}/usr/lib/ 772 ln -sf $(notdir $(SHLIB)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSOMAJ)) 773 ln -sf $(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO)) 774 775 install-bin: 776 install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/ 777 install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/ 778 install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/ 779 install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/ 780 install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/ 781 install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/ 782 install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/ 783 install -o root -g root -m 0644 try-from.8 ${DESTDIR}/usr/share/man/man8/ 784 install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/ 785 install -o root -g root -m 0644 safe_finger.8 ${DESTDIR}/usr/share/man/man8/ 786 install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/ 787 install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/ 788 789 install-dev: 790 install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/ 791 install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/ 792 install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/ 793 ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3 794 ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3 795 ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3 727 796 728 797 shar: $(KIT) 729 798 @shar $(KIT) … … 739 808 740 809 clean: 741 810 rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ 742 cflags 811 cflags libwrap*.so* 812 rm -rf shared 743 813 744 814 tidy: clean 745 815 chmod -R a+r . 
… … 885 955 update.o: mystdarg.h 886 956 update.o: tcpd.h 887 957 vfprintf.o: cflags 958 weak_symbols.o: tcpd.h 888 959 workarounds.o: cflags 889 960 workarounds.o: tcpd.h 
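Review bot: The hunk at old line 613 / new line 630 comments out `PARANOID= -DPARANOID`, and the one at 626/643 comments out `HOSTNAME= -DALWAYS_HOSTNAME`, which quietly weakens the default posture: clients whose forward and reverse DNS disagree are no longer dropped before the access tables are consulted, and hostname lookups become selective, yet the patch header only advertises "security fixes". Either keep the original defaults or add a header line such as `* Disable PARANOID mode and ALWAYS_HOSTNAME by default (re-enable in the Makefile if your policy needs them).` so packagers see the change. Separately, `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));` at new line 707 ends with a stray `;`; it appears to survive only because make reads the `;` on the expanded `$(SHLIB): $(SHLIB_OBJ)` rule line as the start of an empty recipe, so drop it: `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ))`.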
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/fix_options.c tcp_wrappers_7.6.gimli/fix_options.c old new 35 35 #ifdef IP_OPTIONS 36 36 unsigned char optbuf[BUFFER_SIZE / 3], *cp; 37 37 char lbuf[BUFFER_SIZE], *lp; 38 #if !defined(__GLIBC__) 38 39 int optsize = sizeof(optbuf), ipproto; 40 #else /* __GLIBC__ */ 41 size_t optsize = sizeof(optbuf); 42 int ipproto; 43 #endif /* __GLIBC__ */ 39 44 struct protoent *ip; 40 45 int fd = request->fd; 41 46 unsigned int opt; 
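Review bot: The `__GLIBC__` branch declares `size_t optsize`, but glibc's getsockopt() takes a `socklen_t *` for the length argument (presumably `&optsize` further down in the function); on 32-bit targets the two types happen to be the same width, on LP64 targets `size_t` is 8 bytes while `socklen_t` is 4, so the call fills only part of the variable and recent compilers warn about the incompatible pointer type. Use the type the API declares in that branch, `socklen_t optsize = sizeof(optbuf);`. The same pattern is introduced for `len` and `size` in socket.c (old lines 80 and 227), where getpeername()/getsockname()/recvfrom() likewise take `socklen_t *`. The enclosing function fix_options() starts before and continues after this hunk.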
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/hosts_access.3 tcp_wrappers_7.6.gimli/hosts_access.3 old new 3 3 hosts_access, hosts_ctl, request_init, request_set \- access control library 4 4 .SH SYNOPSIS 5 5 .nf 6 #include "tcpd.h"6 #include <tcpd.h> 7 7 8 8 extern int allow_severity; 9 9 extern int deny_severity; 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.gimli/hosts_access.5 old new 8 8 impatient reader is encouraged to skip to the EXAMPLES section for a 9 9 quick introduction. 10 10 .PP 11 Anextended version of the access control language is described in the12 \fIhosts_options\fR(5) document. The extensions are turned on at13 program build time by building with -DPROCESS_OPTIONS. 11 The extended version of the access control language is described in the 12 \fIhosts_options\fR(5) document. \fBNote that this language supersedes 13 the meaning of \fIshell_command\fB as documented below.\fR 14 14 .PP 15 15 In the following text, \fIdaemon\fR is the the process name of a 16 16 network daemon process, and \fIclient\fR is the name and/or address of … … 40 40 character. This permits you to break up long lines so that they are 41 41 easier to edit. 42 42 .IP \(bu 43 Blank lines or lines that begin with a `# \' character are ignored.43 Blank lines or lines that begin with a `#' character are ignored. 44 44 This permits you to insert comments and whitespace so that the tables 45 45 are easier to read. 46 46 .IP \(bu … … 69 69 .SH PATTERNS 70 70 The access control language implements the following patterns: 71 71 .IP \(bu 72 A string that begins with a `. \' character. A host name is matched if72 A string that begins with a `.' character. A host name is matched if 73 73 the last components of its name match the specified pattern. For 74 example, the pattern `.tue.nl \' matches the host name75 `wzv.win.tue.nl \'.74 example, the pattern `.tue.nl' matches the host name 75 `wzv.win.tue.nl'. 76 76 .IP \(bu 77 A string that ends with a `. \' character. A host address is matched if77 A string that ends with a `.' character. A host address is matched if 78 78 its first numeric fields match the given string. For example, the 79 pattern `131.155. \' matches the address of (almost) every host on the79 pattern `131.155.' 
matches the address of (almost) every host on the 80 80 Eind\%hoven University network (131.155.x.x). 81 81 .IP \(bu 82 A string that begins with an `@ \' character is treated as an NIS82 A string that begins with an `@' character is treated as an NIS 83 83 (formerly YP) netgroup name. A host name is matched if it is a host 84 84 member of the specified netgroup. Netgroup matches are not supported 85 85 for daemon process names or for client user names. 86 86 .IP \(bu 87 An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a 88 `net/mask\' pair. A host address is matched if `net\' is equal to the 89 bitwise AND of the address and the `mask\'. For example, the net/mask 90 pattern `131.155.72.0/255.255.254.0\' matches every address in the 91 range `131.155.72.0\' through `131.155.73.255\'. 87 An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a 88 `net/mask' pair. A host address is matched if `net' is equal to the 89 bitwise AND of the address and the `mask'. For example, the net/mask 90 pattern `131.155.72.0/255.255.254.0' matches every address in the 91 range `131.155.72.0' through `131.155.73.255'. 92 .IP \(bu 93 A string that begins with a `/' character is treated as a file 94 name. A host name or address is matched if it matches any host name 95 or address pattern listed in the named file. The file format is 96 zero or more lines with zero or more host name or address patterns 97 separated by whitespace. A file name pattern can be used anywhere 98 a host name or address pattern can be used. 92 99 .SH WILDCARDS 93 100 The access control language supports explicit wildcards: 94 101 .IP ALL … … 115 122 .ne 6 116 123 .SH OPERATORS 117 124 .IP EXCEPT 118 Intended use is of the form: `list_1 EXCEPT list_2 \'; this construct125 Intended use is of the form: `list_1 EXCEPT list_2'; this construct 119 126 matches anything that matches \fIlist_1\fR unless it matches 120 127 \fIlist_2\fR. 
The EXCEPT operator can be used in daemon_lists and in 121 128 client_lists. The EXCEPT operator can be nested: if the control 122 language would permit the use of parentheses, `a EXCEPT b EXCEPT c \'123 would parse as `(a EXCEPT (b EXCEPT c)) \'.129 language would permit the use of parentheses, `a EXCEPT b EXCEPT c' 130 would parse as `(a EXCEPT (b EXCEPT c))'. 124 131 .br 125 132 .ne 6 126 133 .SH SHELL COMMANDS 127 134 If the first-matched access control rule contains a shell command, that 128 135 command is subjected to %<letter> substitutions (see next section). 129 136 The result is executed by a \fI/bin/sh\fR child process with standard 130 input, output and error connected to \fI/dev/null\fR. Specify an `& \'137 input, output and error connected to \fI/dev/null\fR. Specify an `&' 131 138 at the end of the command if you do not want to wait until it has 132 139 completed. 133 140 .PP … … 159 166 .IP %u 160 167 The client user name (or "unknown"). 161 168 .IP %% 162 Expands to a single `% \' character.169 Expands to a single `%' character. 163 170 .PP 164 171 Characters in % expansions that may confuse the shell are replaced by 165 172 underscores. … … 243 250 less trustworthy. It is possible for an intruder to spoof both the 244 251 client connection and the IDENT lookup, although doing so is much 245 252 harder than spoofing just a client connection. It may also be that 246 the client \'s IDENT server is lying.253 the client's IDENT server is lying. 247 254 .PP 248 Note: IDENT lookups don \'t work with UDP services.255 Note: IDENT lookups don't work with UDP services. 249 256 .SH EXAMPLES 250 257 The language is flexible enough that different types of access control 251 258 policy can be expressed with a minimum of fuss. Although the language … … 285 292 .br 286 293 ALL: .foobar.edu EXCEPT terminalserver.foobar.edu 287 294 .PP 288 The first rule permits access from hosts in the local domain (no `. 
\'295 The first rule permits access from hosts in the local domain (no `.' 289 296 in the host name) and from members of the \fIsome_netgroup\fP 290 297 netgroup. The second rule permits access from all hosts in the 291 298 \fIfoobar.edu\fP domain (notice the leading dot), with the exception of … … 322 329 /etc/hosts.deny: 323 330 .in +3 324 331 .nf 325 in.tftpd: ALL: (/ some/where/safe_finger -l @%h | \\326 /usr/ ucb/mail -s %d-%h root) &332 in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ 333 /usr/bin/mail -s %d-%h root) & 327 334 .fi 328 335 .PP 329 336 The safe_finger command comes with the tcpd wrapper and should be … … 349 356 capacity of an internal buffer; when an access control rule is not 350 357 terminated by a newline character; when the result of %<letter> 351 358 expansion would overflow an internal buffer; when a system call fails 352 that shouldn \'t. All problems are reported via the syslog daemon.359 that shouldn't. All problems are reported via the syslog daemon. 353 360 .SH FILES 354 361 .na 355 362 .nf 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.gimli/hosts_access.c old new 240 240 } 241 241 } 242 242 243 /* hostfile_match - look up host patterns from file */ 244 245 static int hostfile_match(path, host) 246 char *path; 247 struct hosts_info *host; 248 { 249 char tok[BUFSIZ]; 250 int match = NO; 251 FILE *fp; 252 253 if ((fp = fopen(path, "r")) != 0) { 254 while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) 255 /* void */ ; 256 fclose(fp); 257 } else if (errno != ENOENT) { 258 tcpd_warn("open %s: %m", path); 259 } 260 return (match); 261 } 262 243 263 /* host_match - match host name and/or address against pattern */ 244 264 245 265 static int host_match(tok, host) … … 267 287 tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ 268 288 return (NO); 269 289 #endif 290 } else if (tok[0] == '/') { /* /file hack */ 291 return (hostfile_match(tok, host)); 270 292 } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ 271 293 char *name = eval_hostname(host); 272 294 return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); 
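Review bot: `fscanf(fp, "%s", tok)` in the new hostfile_match() has no field width, so a token longer than BUFSIZ-1 in the pattern file overruns the stack buffer `tok`; the file is administrator-written, but a pasted long line is enough to crash tcpd, which normally runs as root. Bound the conversion to the buffer, e.g. build the format once, `char fmt[16]; sprintf(fmt, "%%%ds", (int) sizeof(tok) - 1);`, and read with `fscanf(fp, fmt, tok)`. Note also that a `/file` pattern inside the named file recurses host_match() -> hostfile_match() with no depth limit, so a file that names itself (directly or via another file) recurses until the stack is exhausted, holding one open FILE per level; the comment above the function should at least state that nested file patterns are accepted and unbounded, or add a depth counter.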
      hosts_options.5diff -Naur tcp_wrappers_7.6/hosts_options.5 tcp_wrappers_7.6.gimli/hosts_options.5 old new 58 58 Execute, in a child process, the specified shell command, after 59 59 performing the %<letter> expansions described in the hosts_access(5) 60 60 manual page. The command is executed with stdin, stdout and stderr 61 connected to the null device, so that it won \'t mess up the61 connected to the null device, so that it won't mess up the 62 62 conversation with the client host. Example: 63 63 .sp 64 64 .nf 65 65 .ti +3 66 spawn (/ some/where/safe_finger -l @%h | /usr/ucb/mail root) &66 spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & 67 67 .fi 68 68 .sp 69 69 executes, in a background child process, the shell command "safe_finger 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/options.c tcp_wrappers_7.6.gimli/options.c old new 473 473 #ifdef LOG_CRON 474 474 "cron", LOG_CRON, 475 475 #endif 476 #ifdef LOG_FTP 477 "ftp", LOG_FTP, 478 #endif 476 479 #ifdef LOG_LOCAL0 477 480 "local0", LOG_LOCAL0, 478 481 #endif 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/percent_m.c tcp_wrappers_7.6.gimli/percent_m.c old new 13 13 #include <string.h> 14 14 15 15 extern int errno; 16 #if ndef SYS_ERRLIST_DEFINED16 #if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR) 17 17 extern char *sys_errlist[]; 18 18 extern int sys_nerr; 19 19 #endif … … 29 29 30 30 while (*bp = *cp) 31 31 if (*cp == '%' && cp[1] == 'm') { 32 #ifdef HAVE_STRERROR 33 strcpy(bp, strerror(errno)); 34 #else 32 35 if (errno < sys_nerr && errno > 0) { 33 36 strcpy(bp, sys_errlist[errno]); 34 37 } else { 35 38 sprintf(bp, "Unknown error %d", errno); 36 39 } 40 #endif 37 41 bp += strlen(bp); 38 42 cp += 2; 39 43 } else { 
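Review bot: The new `#ifdef HAVE_STRERROR` branch is only compiled for the Makefile's `gnu` target, which passes `-DHAVE_STRERROR`; the `linux` target still passes `-DSYS_ERRLIST_DEFINED`, so Linux builds keep indexing `sys_errlist[]`, the very path this hunk exists to replace. Add `-DHAVE_STRERROR` to the linux target's `EXTRA_CFLAGS` as well, or define it whenever `__GLIBC__` is set. The retained `extern int errno;` on line 15 is pre-existing, but on glibc errno is a macro, so `#include <errno.h>` is the portable declaration and worth fixing while this file is touched.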
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/rfc931.c tcp_wrappers_7.6.gimli/rfc931.c old new 33 33 34 34 int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ 35 35 36 static jmp_buf timebuf;36 static sigjmp_buf timebuf; 37 37 38 38 /* fsocket - open stdio stream on top of socket */ 39 39 … … 62 62 static void timeout(sig) 63 63 int sig; 64 64 { 65 longjmp(timebuf, sig);65 siglongjmp(timebuf, sig); 66 66 } 67 67 68 68 /* rfc931 - return remote user name, given socket structures */ … … 99 99 * Set up a timer so we won't get stuck while waiting for the server. 100 100 */ 101 101 102 if (s etjmp(timebuf) == 0) {102 if (sigsetjmp(timebuf,1) == 0) { 103 103 signal(SIGALRM, timeout); 104 104 alarm(rfc931_timeout); 105 105 
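Review bot: Switching to `sigsetjmp(timebuf,1)`/siglongjmp() correctly restores the signal mask, but the handler still jumps out of whatever stdio call is blocked on the fsocket() stream, and with `-D_REENTRANT` now in the linux/gnu CFLAGS glibc's stdio may be holding that stream's lock at the moment of the jump; depending on the glibc version, the later fclose() on that stream could then block instead of returning, turning the timeout into a hang. This is inherited from the original design rather than introduced here, but the hunk is the right place to document it: above `static sigjmp_buf timebuf;` add `/* Jump target for the SIGALRM handler: the jump abandons whatever stdio call is in progress on the ident stream. */`. The rfc931() function containing the sigsetjmp site continues outside this hunk.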
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/safe_finger.8 tcp_wrappers_7.6.gimli/safe_finger.8 old new 1 .TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual" 2 .SH NAME 3 safe_finger \- finger client wrapper that protects against nasty stuff 4 from finger servers 5 .SH SYNOPSIS 6 .B safe_finger [finger_options] 7 .SH DESCRIPTION 8 The 9 .B safe_finger 10 command protects against nasty stuff from finger servers. Use this 11 program for automatic reverse finger probes from the 12 .B tcp_wrapper 13 .B (tcpd) 14 , not the raw finger command. The 15 .B safe_finger 16 command makes sure that the finger client is not run with root 17 privileges. It also runs the finger client with a defined PATH 18 environment. 19 .B safe_finger 20 will also protect you from problems caused by the output of some 21 finger servers. The problem: some programs may react to stuff in 22 the first column. Other programs may get upset by thrash anywhere 23 on a line. File systems may fill up as the finger server keeps 24 sending data. Text editors may bomb out on extremely long lines. 25 The finger server may take forever because it is somehow wedged. 26 .B safe_finger 27 takes care of all this badness. 28 .SH SEE ALSO 29 .BR hosts_access (5), 30 .BR hosts_options (5), 31 .BR tcpd (8) 32 .SH AUTHOR 33 Wietse Venema, Eindhoven University of Technology, The Netherlands. 34 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/safe_finger.c tcp_wrappers_7.6.gimli/safe_finger.c old new 26 26 #include <stdio.h> 27 27 #include <ctype.h> 28 28 #include <pwd.h> 29 #include <syslog.h> 29 30 30 31 extern void exit(); 31 32 32 33 /* Local stuff */ 33 34 34 char path[] = "PATH=/bin:/usr/bin:/ usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";35 char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; 35 36 36 37 #define TIME_LIMIT 60 /* Do not keep listinging forever */ 37 38 #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ 38 39 #define LINE_LENGTH 128 /* Editors can choke on long lines */ 39 40 #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ 40 41 #define UNPRIV_NAME "nobody" /* Preferred privilege level */ 41 #define UNPRIV_UGID 32767/* Default uid and gid */42 #define UNPRIV_UGID 65534 /* Default uid and gid */ 42 43 43 44 int finger_pid; 45 int allow_severity = SEVERITY; 46 int deny_severity = LOG_WARNING; 44 47 45 48 void cleanup(sig) 46 49 int sig; 
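Review bot: The two new definitions `int allow_severity = SEVERITY;` and `int deny_severity = LOG_WARNING;` carry no comment explaining why a program that never performs access control defines them; presumably they satisfy the reference from libwrap.so now that safe_finger links against the shared library, and without a comment a later cleanup will remove them as unused. Add `/* Referenced by libwrap.so; safe_finger itself does no access control. */` above them. The change of `UNPRIV_UGID` from 32767 to 65534 likewise deserves a word on why (the usual nobody uid/gid on Linux versus the BSD value); the lookup this define backs up is outside the hunk, so confirm how it is used before wording the comment.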
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/scaffold.c tcp_wrappers_7.6.gimli/scaffold.c old new 180 180 181 181 /* ARGSUSED */ 182 182 183 void rfc931(request) 184 struct request_info *request; 183 void rfc931(rmt_sin, our_sin, dest) 184 struct sockaddr_in *rmt_sin; 185 struct sockaddr_in *our_sin; 186 char *dest; 185 187 { 186 strcpy( request->user, unknown);188 strcpy(dest, unknown); 187 189 } 188 190 189 191 /* check_path - examine accessibility */ 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.gimli/socket.c old new 76 76 { 77 77 static struct sockaddr_in client; 78 78 static struct sockaddr_in server; 79 #if !defined (__GLIBC__) 79 80 int len; 81 #else /* __GLIBC__ */ 82 size_t len; 83 #endif /* __GLIBC__ */ 80 84 char buf[BUFSIZ]; 81 85 int fd = request->fd; 82 86 … … 224 228 { 225 229 char buf[BUFSIZ]; 226 230 struct sockaddr_in sin; 231 #if !defined(__GLIBC__) 227 232 int size = sizeof(sin); 233 #else /* __GLIBC__ */ 234 size_t size = sizeof(sin); 235 #endif /* __GLIBC__ */ 228 236 229 237 /* 230 238 * Eat up the not-yet received datagram. Some systems insist on a 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/tcpd.8 tcp_wrappers_7.6.gimli/tcpd.8 old new 94 94 .PP 95 95 The example assumes that the network daemons live in /usr/etc. On some 96 96 systems, network daemons live in /usr/sbin or in /usr/libexec, or have 97 no `in. \' prefix to their name.97 no `in.' prefix to their name. 98 98 .SH EXAMPLE 2 99 99 This example applies when \fItcpd\fR expects that the network daemons 100 100 are left in their original place. … … 110 110 becomes: 111 111 .sp 112 112 .ti +5 113 finger stream tcp nowait nobody / some/where/tcpdin.fingerd113 finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd 114 114 .sp 115 115 .fi 116 116 .PP 117 117 The example assumes that the network daemons live in /usr/etc. On some 118 118 systems, network daemons live in /usr/sbin or in /usr/libexec, the 119 daemons have no `in. \' prefix to their name, or there is no userid119 daemons have no `in.' prefix to their name, or there is no userid 120 120 field in the inetd configuration file. 121 121 .PP 122 122 Similar changes will be needed for the other services that are to be 123 covered by \fItcpd\fR. Send a `kill -HUP \' to the \fIinetd\fR(8)123 covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8) 124 124 process to make the changes effective. AIX users may also have to 125 execute the `inetimp \' command.125 execute the `inetimp' command. 126 126 .SH EXAMPLE 3 127 127 In the case of daemons that do not live in a common directory ("secret" 128 128 or otherwise), edit the \fIinetd\fR configuration file so that it 129 129 specifies an absolute path name for the process name field. For example: 130 130 .nf 131 131 .sp 132 ntalk dgram udp wait root / some/where/tcpd /usr/local/lib/ntalkd132 ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd 133 133 .sp 134 134 .fi 135 135 .PP 
      tcp_wrappers_7.6diff -Naur tcp_wrappers_7.6/tcpd.h tcp_wrappers_7.6.gimli/tcpd.h old new 4 4 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 5 5 */ 6 6 7 #ifndef _TCPWRAPPERS_TCPD_H 8 #define _TCPWRAPPERS_TCPD_H 9 10 /* someone else may have defined this */ 11 #undef __P 12 13 /* use prototypes if we have an ANSI C compiler or are using C++ */ 14 #if defined(__STDC__) || defined(__cplusplus) 15 #define __P(args) args 16 #else 17 #define __P(args) () 18 #endif 19 20 /* Need definitions of struct sockaddr_in and FILE. */ 21 #include <netinet/in.h> 22 #include <stdio.h> 23 24 __BEGIN_DECLS 25 7 26 /* Structure to describe one communications endpoint. */ 8 27 9 28 #define STRING_LENGTH 128 /* hosts, users, processes */ … … 25 44 char pid[10]; /* access via eval_pid(request) */ 26 45 struct host_info client[1]; /* client endpoint info */ 27 46 struct host_info server[1]; /* server endpoint info */ 28 void (*sink) ();/* datagram sink function or 0 */29 void (*hostname) ();/* address to printable hostname */30 void (*hostaddr) ();/* address to printable address */31 void (*cleanup) ();/* cleanup function or 0 */47 void (*sink) __P((int)); /* datagram sink function or 0 */ 48 void (*hostname) __P((struct host_info *)); /* address to printable hostname */ 49 void (*hostaddr) __P((struct host_info *)); /* address to printable address */ 50 void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */ 32 51 struct netconfig *config; /* netdir handle */ 33 52 }; 34 53 … … 61 80 /* Global functions. 
*/ 62 81 63 82 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) 64 extern void fromhost ();/* get/validate client host info */83 extern void fromhost __P((struct request_info *)); /* get/validate client host info */ 65 84 #else 66 85 #define fromhost sock_host /* no TLI support needed */ 67 86 #endif 68 87 69 extern int hosts_access(); /* access control */ 70 extern void shell_cmd(); /* execute shell command */ 71 extern char *percent_x(); /* do %<char> expansion */ 72 extern void rfc931(); /* client name from RFC 931 daemon */ 73 extern void clean_exit(); /* clean up and exit */ 74 extern void refuse(); /* clean up and exit */ 75 extern char *xgets(); /* fgets() on steroids */ 76 extern char *split_at(); /* strchr() and split */ 77 extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ 88 extern void shell_cmd __P((char *)); /* execute shell command */ 89 extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */ 90 extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */ 91 extern void clean_exit __P((struct request_info *)); /* clean up and exit */ 92 extern void refuse __P((struct request_info *)); /* clean up and exit */ 93 extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */ 94 extern char *split_at __P((char *, int)); /* strchr() and split */ 95 extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */ 78 96 79 97 /* Global variables. 
*/ 80 98 99 #ifdef HAVE_WEAKSYMS 100 extern int allow_severity __attribute__ ((weak)); /* for connection logging */ 101 extern int deny_severity __attribute__ ((weak)); /* for connection logging */ 102 #else 81 103 extern int allow_severity; /* for connection logging */ 82 104 extern int deny_severity; /* for connection logging */ 105 #endif 106 83 107 extern char *hosts_allow_table; /* for verification mode redirection */ 84 108 extern char *hosts_deny_table; /* for verification mode redirection */ 85 109 extern int hosts_access_verbose; /* for verbose matching mode */ … … 92 116 */ 93 117 94 118 #ifdef __STDC__ 119 extern int hosts_access(struct request_info *request); 120 extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, 121 char *client_user); 95 122 extern struct request_info *request_init(struct request_info *,...); 96 123 extern struct request_info *request_set(struct request_info *,...); 97 124 #else 125 extern int hosts_access(); 126 extern int hosts_ctl(); 98 127 extern struct request_info *request_init(); /* initialize request */ 99 128 extern struct request_info *request_set(); /* update request structure */ 100 129 #endif … … 117 146 * host_info structures serve as caches for the lookup results. 
118 147 */ 119 148 120 extern char *eval_user ();/* client user */121 extern char *eval_hostname ();/* printable hostname */122 extern char *eval_hostaddr ();/* printable host address */123 extern char *eval_hostinfo ();/* host name or address */124 extern char *eval_client ();/* whatever is available */125 extern char *eval_server ();/* whatever is available */149 extern char *eval_user __P((struct request_info *)); /* client user */ 150 extern char *eval_hostname __P((struct host_info *)); /* printable hostname */ 151 extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */ 152 extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */ 153 extern char *eval_client __P((struct request_info *)); /* whatever is available */ 154 extern char *eval_server __P((struct request_info *)); /* whatever is available */ 126 155 #define eval_daemon(r) ((r)->daemon) /* daemon process name */ 127 156 #define eval_pid(r) ((r)->pid) /* process id */ 128 157 129 158 /* Socket-specific methods, including DNS hostname lookups. */ 130 159 131 extern void sock_host(); /* look up endpoint addresses */ 132 extern void sock_hostname(); /* translate address to hostname */ 133 extern void sock_hostaddr(); /* address to printable address */ 160 /* look up endpoint addresses */ 161 extern void sock_host __P((struct request_info *)); 162 /* translate address to hostname */ 163 extern void sock_hostname __P((struct host_info *)); 164 /* address to printable address */ 165 extern void sock_hostaddr __P((struct host_info *)); 166 134 167 #define sock_methods(r) \ 135 168 { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } 136 169 137 170 /* The System V Transport-Level Interface (TLI) interface. */ 138 171 139 172 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) 140 extern void tli_host ();/* look up endpoint addresses etc. */173 extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. 
*/ 141 174 #endif 142 175 143 176 /* … … 178 211 * behavior. 179 212 */ 180 213 181 extern void process_options ();/* execute options */214 extern void process_options __P((char *, struct request_info *)); /* execute options */ 182 215 extern int dry_run; /* verification flag */ 183 216 184 217 /* Bug workarounds. */ … … 217 250 #define strtok my_strtok 218 251 extern char *my_strtok(); 219 252 #endif 253 254 __END_DECLS 255 256 #endif /* tcpd.h */ 
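--- a/tcp_wrappers_7.6/tcpdchk.c
+++ b/tcp_wrappers_7.6.gimli/tcpdchk.c
@@ -350,6 +350,8 @@
 {
     if (pat[0] == '@') {
         tcpd_warn("%s: daemon name begins with \"@\"", pat);
+    } else if (pat[0] == '/') {
+        tcpd_warn("%s: daemon name begins with \"/\"", pat);
     } else if (pat[0] == '.') {
         tcpd_warn("%s: daemon name begins with dot", pat);
     } else if (pat[strlen(pat) - 1] == '.') {
@@ -382,6 +384,8 @@
 {
     if (pat[0] == '@') {                        /* @netgroup */
         tcpd_warn("%s: user name begins with \"@\"", pat);
+    } else if (pat[0] == '/') {
+        tcpd_warn("%s: user name begins with \"/\"", pat);
     } else if (pat[0] == '.') {
         tcpd_warn("%s: user name begins with dot", pat);
     } else if (pat[strlen(pat) - 1] == '.') {
@@ -402,8 +406,13 @@
 static int check_host(pat)
 char   *pat;
 {
+    char    buf[BUFSIZ];
     char   *mask;
     int     addr_count = 1;
+    FILE   *fp;
+    struct tcpd_context saved_context;
+    char   *cp;
+    char   *wsp = " \t\r\n";
 
     if (pat[0] == '@') {                        /* @netgroup */
 #ifdef NO_NETGRENT
@@ -422,6 +431,21 @@
         tcpd_warn("netgroup support disabled");
 #endif
 #endif
+    } else if (pat[0] == '/') {                 /* /path/name */
+        if ((fp = fopen(pat, "r")) != 0) {
+            saved_context = tcpd_context;
+            tcpd_context.file = pat;
+            tcpd_context.line = 0;
+            while (fgets(buf, sizeof(buf), fp)) {
+                tcpd_context.line++;
+                for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+                    check_host(cp);
+            }
+            tcpd_context = saved_context;
+            fclose(fp);
+        } else if (errno != ENOENT) {
+            tcpd_warn("open %s: %m", pat);
+        }
     } else if (mask = split_at(pat, '/')) {     /* network/netmask */
         if (dot_quad_addr(pat) == INADDR_NONE
             || dot_quad_addr(mask) == INADDR_NONE)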
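Review bot: The new `/path/name` branch of check_host re-enters `check_host(cp)` from inside a `strtok` loop, and a nested pattern that is itself a `/path` will call `strtok(buf, wsp)` on its own stack buffer, so when that frame returns the outer `strtok((char *) 0, wsp)` continues tokenizing memory of a frame that no longer exists; a reentrant tokenizer fixes this, `char *save;` and `for (cp = strtok_r(buf, wsp, &save); cp; cp = strtok_r(NULL, wsp, &save))`, on targets where strtok_r is available. The recursion is also unbounded: a file that names itself, or a cycle of files, recurses until the stack is exhausted, so a depth limit or at least a check that the nested path differs from the current `tcpd_context.file` would be prudent for a checker that reads administrator-supplied files. `fgets` into a BUFSIZ buffer silently splits a longer line, so a token straddling that boundary is checked as two fragments rather than reported; a comment stating that limit, or a warning when the line read has no trailing newline, would keep the checker honest. The body of check_host continues past the end of the last hunk.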
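--- a/tcp_wrappers_7.6/try-from.8
+++ b/tcp_wrappers_7.6.gimli/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /some/where/try-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+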
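--- a/tcp_wrappers_7.6/weak_symbols.c
+++ b/tcp_wrappers_7.6.gimli/weak_symbols.c
@@ -0,0 +1,11 @@
+/*
+ * @(#) weak_symbols.h 1.5 99/12/29 23:50
+ *
+ * Author: Anthony Towns <ajt@debian.org>
+ */
+
+#ifdef HAVE_WEAKSYMS
+#include <syslog.h>
+int deny_severity = LOG_WARNING;
+int allow_severity = SEVERITY;
+#endif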
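Review bot: The two definitions carry no comment saying what they are for, and `int allow_severity = SEVERITY;` depends on a macro that nothing in this file defines, while `deny_severity` is hard-coded to LOG_WARNING; presumably SEVERITY comes from a -D flag in the Makefile, but a reader of this unit alone cannot tell. A header comment such as `/* Library-side values of the logging severities for HAVE_WEAKSYMS builds; a daemon that defines allow_severity/deny_severity itself takes precedence. SEVERITY is expected from the build flags. */` plus a guarded fallback, `#ifndef SEVERITY` / `#define SEVERITY LOG_INFO` / `#endif`, would make the file self-describing and compilable outside the package build. The `@(#)` SCCS line also still names `weak_symbols.h` although the file is `weak_symbols.c`.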
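--- a/tcp_wrappers_7.6/workarounds.c
+++ b/tcp_wrappers_7.6.gimli/workarounds.c
@@ -163,7 +163,11 @@
 int     fix_getpeername(sock, sa, len)
 int     sock;
 struct sockaddr *sa;
+#if !defined(__GLIBC__)
 int    *len;
+#else /* __GLIBC__ */
+size_t *len;
+#endif /* __GLIBC__ */
 {
     int     ret;
     struct sockaddr_in *sin = (struct sockaddr_in *) sa;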
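Review bot: `size_t *len;` in the `__GLIBC__` leg does not match the type glibc's own `getpeername` prototype uses for its length argument, which is `socklen_t *`; on LP64 glibc targets `size_t` is 8 bytes and `socklen_t` is 4, so if this function stands in for getpeername (as the name suggests, though the call sites are outside the hunk) a caller passing the address of a `socklen_t` would have the callee read and write four bytes past that object. Declaring the glibc case as `socklen_t *len;`, with `<sys/socket.h>` included, keeps the width correct on both 32- and 64-bit glibc systems; the `#if !defined(__GLIBC__)` leg can stay as it is. The body of fix_getpeername continues outside the hunk.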
