source: scripts/patches/tcp_wrappers-7.6-shared_lib_plus_plus-1.patch@ 8fdfc096

clfs-1.2 clfs-2.1 clfs-3.0.0-systemd clfs-3.0.0-sysvinit systemd sysvinit
Last change on this file since 8fdfc096 was 7f65c0e, checked in by Jim Gifford <clfs@…>, 19 years ago

r625@server (orig r623): jim | 2005-10-31 12:43:24 -0800
Final Move

  • Property mode set to 100644
File size: 37.9 KB
  • tcp_wrappers_7.6

    Submitted By: Tushar Teredesai <tushar@linuxfromscratch.org>
    Date: 2003-10-04
    Initial Package Version: 7.6
    Origin: http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2003-January/001960.html
    Description: The patch was created from the tcp_wrappers modified package by Mark Heerdink.
    This patch provides the following improvements:
        * Install libwrap.so along with libwrap.a.
        * Create an install target for tcp_wrappers.
        * Compilation and security fixes.
        * Documentation fixes.
    
    $LastChangedBy: bdubbs $
    $Date: 2004-08-07 18:56:30 -0600 (Sat, 07 Aug 2004) $
    
    diff -Naur tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.gimli/Makefile
    old new  
     1GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
     2
    13# @(#) Makefile 1.23 97/03/21 19:27:20
    24
     5# unset the HOSTNAME environment variable
     6HOSTNAME =
     7
    38what:
    49        @echo
    510        @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
     
    1924        @echo " generic (most bsd-ish systems with sys5 compatibility)"
    2025        @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
    2126        @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
    22         @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
     27        @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
    2328        @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
    2429        @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
    2530        @echo " uts215 uxp"
     
    4348# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
    4449#REAL_DAEMON_DIR=/usr/etc
    4550#
    46 # SysV.4 Solaris 2.x OSF AIX
    47 #REAL_DAEMON_DIR=/usr/sbin
     51# SysV.4 Solaris 2.x OSF AIX Linux
     52REAL_DAEMON_DIR=/usr/sbin
    4853#
    4954# BSD 4.4
    5055#REAL_DAEMON_DIR=/usr/libexec
     
    141146        LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
    142147        EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
    143148
     149ifneq ($(GLIBC),0)
     150MYLIB=-lnsl
     151endif
     152
    144153linux:
    145154        @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
    146         LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
    147         NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
     155        LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
     156        NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
     157        EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"
     158
     159gnu:
     160        @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
     161        LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
     162        NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
     163        EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"
    148164
    149165# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
    150166hpux hpux8 hpux9 hpux10:
     
    391407# the ones provided with this source distribution. The environ.c module
    392408# implements setenv(), getenv(), and putenv().
    393409
    394 AUX_OBJ= setenv.o
     410#AUX_OBJ= setenv.o
    395411#AUX_OBJ= environ.o
    396412#AUX_OBJ= environ.o strcasecmp.o
    397413
     
    454470# host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
    455471# around this. The workaround does no harm on other Solaris versions.
    456472
    457 BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
     473BUGS =
     474#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
    458475#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
    459476#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
    460477
     
    464481# If your system supports NIS or YP-style netgroups, enable the following
    465482# macro definition. Netgroups are used only for host access control.
    466483#
    467 #NETGROUP= -DNETGROUP
     484NETGROUP= -DNETGROUP
    468485
    469486###############################################################
    470487# System dependencies: whether or not your system has vsyslog()
     
    491508# Uncomment the next definition to turn on the language extensions
    492509# (examples: allow, deny, banners, twist and spawn).
    493510#
    494 #STYLE  = -DPROCESS_OPTIONS     # Enable language extensions.
     511STYLE   = -DPROCESS_OPTIONS     # Enable language extensions.
    495512
    496513################################################################
    497514# Optional: Changing the default disposition of logfile records
     
    514531#
    515532# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
    516533
    517 FACILITY= LOG_MAIL      # LOG_MAIL is what most sendmail daemons use
     534FACILITY= LOG_DAEMON    # LOG_MAIL is what most sendmail daemons use
    518535
    519536# The syslog priority at which successful connections are logged.
    520537
     
    610627# Paranoid mode implies hostname lookup. In order to disable hostname
    611628# lookups altogether, see the next section.
    612629
    613 PARANOID= -DPARANOID
     630#PARANOID= -DPARANOID
    614631
    615632########################################
    616633# Optional: turning off hostname lookups
     
    623640# In order to perform selective hostname lookups, disable paranoid
    624641# mode (see previous section) and comment out the following definition.
    625642
    626 HOSTNAME= -DALWAYS_HOSTNAME
     643#HOSTNAME= -DALWAYS_HOSTNAME
    627644
    628645#############################################
    629646# Optional: Turning on host ADDRESS checking
     
    649666# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
    650667# Solaris 2.x, and Linux. See your system documentation for details.
    651668#
    652 # KILL_OPT= -DKILL_IP_OPTIONS
     669KILL_OPT= -DKILL_IP_OPTIONS
    653670
    654671## End configuration options
    655672############################
    656673
    657674# Protection against weird shells or weird make programs.
    658675
     676CC      = gcc
    659677SHELL   = /bin/sh
    660 .c.o:;  $(CC) $(CFLAGS) -c $*.c
     678.c.o:;  $(CC) $(CFLAGS) -o $*.o -c $*.c
     679
     680SOMAJOR = 0
     681SOMINOR = 7.6
     682
     683LIB     = libwrap.a
     684SHLIB   = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
     685SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)
     686SHLIBSO = shared/libwrap.so
     687SHLIBFLAGS = -Lshared -lwrap
    661688
    662 CFLAGS  = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
     689shared/%.o: %.c
     690        $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
     691
     692CFLAGS  = -O2 -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
    663693        $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
    664694        -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
    665695        -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
    666696        $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
    667697        $(VSYSLOG) $(HOSTNAME)
    668698
     699SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
     700SHCFLAGS = -fPIC -shared -D_REENTRANT
     701
    669702LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
    670703        hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
    671704        $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
    672705        update.o misc.o diag.o percent_m.o myvsyslog.o
    673706
     707SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
     708
    674709FROM_OBJ= fromhost.o
    675710
    676711KIT     = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
     
    684719        refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
    685720        scaffold.h tcpdmatch.8 README.NIS
    686721
    687 LIB     = libwrap.a
    688 
    689 all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
     722all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
    690723
    691724# Invalidate all object files when the compiler options (CFLAGS) have changed.
    692725
    693726config-check:
    694727        @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
    695         @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
    696         if cmp cflags /tmp/cflags.$$$$ ; \
    697         then rm /tmp/cflags.$$$$ ; \
    698         else mv /tmp/cflags.$$$$ cflags ; \
     728        @set +e; echo $(CFLAGS) >cflags.new ; \
     729        if cmp cflags cflags.new ; \
     730        then rm cflags.new ; \
     731        else mv cflags.new cflags ; \
    699732        fi >/dev/null 2>/dev/null
     733        @if [ ! -d shared ]; then mkdir shared; fi
    700734
    701735$(LIB): $(LIB_OBJ)
    702736        rm -f $(LIB)
    703737        $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
    704738        -$(RANLIB) $(LIB)
    705739
    706 tcpd:   tcpd.o $(LIB)
    707         $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
     740$(SHLIB): $(SHLIB_OBJ)
     741        rm -f $(SHLIB)
     742        $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
     743        ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)
     744        ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
     745
     746tcpd:   tcpd.o $(SHLIB)
     747        $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
    708748
    709 miscd:  miscd.o $(LIB)
    710         $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
     749miscd:  miscd.o $(SHLIB)
     750        $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)
    711751
    712 safe_finger: safe_finger.o $(LIB)
    713         $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
     752safe_finger: safe_finger.o $(SHLIB)
     753        $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
    714754
    715755TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
    716756
    717 tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
    718         $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
     757tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
     758        $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
    719759
    720 try-from: try-from.o fakelog.o $(LIB)
    721         $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
     760try-from: try-from.o fakelog.o $(SHLIB)
     761        $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
    722762
    723763TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
    724764
    725 tcpdchk: $(TCPDCHK_OBJ) $(LIB)
    726         $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
     765tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
     766        $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
     767
     768install: install-lib install-bin install-dev
     769
     770install-lib:
     771        install -o root -g root -m 0755 $(SHLIB) ${DESTDIR}/usr/lib/
     772        ln -sf $(notdir $(SHLIB)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSOMAJ))
     773        ln -sf $(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))
     774
     775install-bin:
     776        install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/
     777        install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/
     778        install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/
     779        install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/
     780        install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/
     781        install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/
     782        install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/
     783        install -o root -g root -m 0644 try-from.8 ${DESTDIR}/usr/share/man/man8/
     784        install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/
     785        install -o root -g root -m 0644 safe_finger.8 ${DESTDIR}/usr/share/man/man8/
     786        install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/
     787        install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/
     788
     789install-dev:
     790        install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/
     791        install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/
     792        install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/
     793        ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3
     794        ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3
     795        ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3
    727796
    728797shar:   $(KIT)
    729798        @shar $(KIT)
     
    739808
    740809clean:
    741810        rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
    742         cflags
     811        cflags libwrap*.so*
     812        rm -rf shared
    743813
    744814tidy:   clean
    745815        chmod -R a+r .
     
    885955update.o: mystdarg.h
    886956update.o: tcpd.h
    887957vfprintf.o: cflags
     958weak_symbols.o: tcpd.h
    888959workarounds.o: cflags
    889960workarounds.o: tcpd.h
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/fix_options.c tcp_wrappers_7.6.gimli/fix_options.c
    old new  
    3535#ifdef IP_OPTIONS
    3636    unsigned char optbuf[BUFFER_SIZE / 3], *cp;
    3737    char    lbuf[BUFFER_SIZE], *lp;
     38#if !defined(__GLIBC__)
    3839    int     optsize = sizeof(optbuf), ipproto;
     40#else /* __GLIBC__ */
     41    size_t  optsize = sizeof(optbuf);
     42    int     ipproto;
     43#endif /* __GLIBC__ */
    3944    struct protoent *ip;
    4045    int     fd = request->fd;
    4146    unsigned int opt;
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/hosts_access.3 tcp_wrappers_7.6.gimli/hosts_access.3
    old new  
    33hosts_access, hosts_ctl, request_init, request_set \- access control library
    44.SH SYNOPSIS
    55.nf
    6 #include "tcpd.h"
     6#include <tcpd.h>
    77
    88extern int allow_severity;
    99extern int deny_severity;
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.gimli/hosts_access.5
    old new  
    88impatient reader is encouraged to skip to the EXAMPLES section for a
    99quick introduction.
    1010.PP
    11 An extended version of the access control language is described in the
    12 \fIhosts_options\fR(5) document. The extensions are turned on at
    13 program build time by building with -DPROCESS_OPTIONS.
     11The extended version of the access control language is described in the
     12\fIhosts_options\fR(5) document. \fBNote that this language supersedes
     13the meaning of \fIshell_command\fB as documented below.\fR
    1414.PP
    1515In the following text, \fIdaemon\fR is the the process name of a
    1616network daemon process, and \fIclient\fR is the name and/or address of
     
    4040character. This permits you to break up long lines so that they are
    4141easier to edit.
    4242.IP \(bu
    43 Blank lines or lines that begin with a `#\' character are ignored.
     43Blank lines or lines that begin with a `#' character are ignored.
    4444This permits you to insert comments and whitespace so that the tables
    4545are easier to read.
    4646.IP \(bu
     
    6969.SH PATTERNS
    7070The access control language implements the following patterns:
    7171.IP \(bu
    72 A string that begins with a `.\' character. A host name is matched if
     72A string that begins with a `.' character. A host name is matched if
    7373the last components of its name match the specified pattern.  For
    74 example, the pattern `.tue.nl\' matches the host name
    75 `wzv.win.tue.nl\'.
     74example, the pattern `.tue.nl' matches the host name
     75`wzv.win.tue.nl'.
    7676.IP \(bu
    77 A string that ends with a `.\' character. A host address is matched if
     77A string that ends with a `.' character. A host address is matched if
    7878its first numeric fields match the given string.  For example, the
    79 pattern `131.155.\' matches the address of (almost) every host on the
     79pattern `131.155.' matches the address of (almost) every host on the
    8080Eind\%hoven University network (131.155.x.x).
    8181.IP \(bu
    82 A string that begins with an `@\' character is treated as an NIS
     82A string that begins with an `@' character is treated as an NIS
    8383(formerly YP) netgroup name. A host name is matched if it is a host
    8484member of the specified netgroup. Netgroup matches are not supported
    8585for daemon process names or for client user names.
    8686.IP \(bu
    87 An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
    88 `net/mask\' pair. A host address is matched if `net\' is equal to the
    89 bitwise AND of the address and the `mask\'. For example, the net/mask
    90 pattern `131.155.72.0/255.255.254.0\' matches every address in the
    91 range `131.155.72.0\' through `131.155.73.255\'.
     87An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
     88`net/mask' pair. A host address is matched if `net' is equal to the
     89bitwise AND of the address and the `mask'. For example, the net/mask
     90pattern `131.155.72.0/255.255.254.0' matches every address in the
     91range `131.155.72.0' through `131.155.73.255'.
     92.IP \(bu
     93A string that begins with a `/' character is treated as a file
     94name. A host name or address is matched if it matches any host name
     95or address pattern listed in the named file. The file format is
     96zero or more lines with zero or more host name or address patterns
     97separated by whitespace.  A file name pattern can be used anywhere
     98a host name or address pattern can be used.
    9299.SH WILDCARDS
    93100The access control language supports explicit wildcards:
    94101.IP ALL
     
    115122.ne 6
    116123.SH OPERATORS
    117124.IP EXCEPT
    118 Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
     125Intended use is of the form: `list_1 EXCEPT list_2'; this construct
    119126matches anything that matches \fIlist_1\fR unless it matches
    120127\fIlist_2\fR.  The EXCEPT operator can be used in daemon_lists and in
    121128client_lists. The EXCEPT operator can be nested: if the control
    122 language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
    123 would parse as `(a EXCEPT (b EXCEPT c))\'.
     129language would permit the use of parentheses, `a EXCEPT b EXCEPT c'
     130would parse as `(a EXCEPT (b EXCEPT c))'.
    124131.br
    125132.ne 6
    126133.SH SHELL COMMANDS
    127134If the first-matched access control rule contains a shell command, that
    128135command is subjected to %<letter> substitutions (see next section).
    129136The result is executed by a \fI/bin/sh\fR child process with standard
    130 input, output and error connected to \fI/dev/null\fR.  Specify an `&\'
     137input, output and error connected to \fI/dev/null\fR.  Specify an `&'
    131138at the end of the command if you do not want to wait until it has
    132139completed.
    133140.PP
     
    159166.IP %u
    160167The client user name (or "unknown").
    161168.IP %%
    162 Expands to a single `%\' character.
     169Expands to a single `%' character.
    163170.PP
    164171Characters in % expansions that may confuse the shell are replaced by
    165172underscores.
     
    243250less trustworthy. It is possible for an intruder to spoof both the
    244251client connection and the IDENT lookup, although doing so is much
    245252harder than spoofing just a client connection. It may also be that
    246 the client\'s IDENT server is lying.
     253the client's IDENT server is lying.
    247254.PP
    248 Note: IDENT lookups don\'t work with UDP services.
     255Note: IDENT lookups don't work with UDP services.
    249256.SH EXAMPLES
    250257The language is flexible enough that different types of access control
    251258policy can be expressed with a minimum of fuss. Although the language
     
    285292.br
    286293ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    287294.PP
    288 The first rule permits access from hosts in the local domain (no `.\'
     295The first rule permits access from hosts in the local domain (no `.'
    289296in the host name) and from members of the \fIsome_netgroup\fP
    290297netgroup.  The second rule permits access from all hosts in the
    291298\fIfoobar.edu\fP domain (notice the leading dot), with the exception of
     
    322329/etc/hosts.deny:
    323330.in +3
    324331.nf
    325 in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
    326         /usr/ucb/mail -s %d-%h root) &
     332in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
     333        /usr/bin/mail -s %d-%h root) &
    327334.fi
    328335.PP
    329336The safe_finger command comes with the tcpd wrapper and should be
     
    349356capacity of an internal buffer; when an access control rule is not
    350357terminated by a newline character; when the result of %<letter>
    351358expansion would overflow an internal buffer; when a system call fails
    352 that shouldn\'t.  All problems are reported via the syslog daemon.
     359that shouldn't.  All problems are reported via the syslog daemon.
    353360.SH FILES
    354361.na
    355362.nf
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.gimli/hosts_access.c
    old new  
    240240    }
    241241}
    242242
     243/* hostfile_match - look up host patterns from file */
     244
     245static int hostfile_match(path, host)
     246char   *path;
     247struct hosts_info *host;
     248{
     249    char    tok[BUFSIZ];
     250    int     match = NO;
     251    FILE   *fp;
     252
     253    if ((fp = fopen(path, "r")) != 0) {
     254        while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
     255            /* void */ ;
     256        fclose(fp);
     257    } else if (errno != ENOENT) {
     258        tcpd_warn("open %s: %m", path);
     259    }
     260    return (match);
     261}
     262
    243263/* host_match - match host name and/or address against pattern */
    244264
    245265static int host_match(tok, host)
     
    267287        tcpd_warn("netgroup support is disabled");      /* not tcpd_jump() */
    268288        return (NO);
    269289#endif
     290    } else if (tok[0] == '/') {                         /* /file hack */
     291        return (hostfile_match(tok, host));
    270292    } else if (STR_EQ(tok, "KNOWN")) {          /* check address and name */
    271293        char   *name = eval_hostname(host);
    272294        return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
  • hosts_options.5

    diff -Naur tcp_wrappers_7.6/hosts_options.5 tcp_wrappers_7.6.gimli/hosts_options.5
    old new  
    5858Execute, in a child process, the specified shell command, after
    5959performing the %<letter> expansions described in the hosts_access(5)
    6060manual page.  The command is executed with stdin, stdout and stderr
    61 connected to the null device, so that it won\'t mess up the
     61connected to the null device, so that it won't mess up the
    6262conversation with the client host. Example:
    6363.sp
    6464.nf
    6565.ti +3
    66 spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
     66spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
    6767.fi
    6868.sp
    6969executes, in a background child process, the shell command "safe_finger
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/options.c tcp_wrappers_7.6.gimli/options.c
    old new  
    473473#ifdef LOG_CRON
    474474    "cron", LOG_CRON,
    475475#endif
     476#ifdef LOG_FTP
     477    "ftp", LOG_FTP,
     478#endif
    476479#ifdef LOG_LOCAL0
    477480    "local0", LOG_LOCAL0,
    478481#endif
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/percent_m.c tcp_wrappers_7.6.gimli/percent_m.c
    old new  
    1313#include <string.h>
    1414
    1515extern int errno;
    16 #ifndef SYS_ERRLIST_DEFINED
     16#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
    1717extern char *sys_errlist[];
    1818extern int sys_nerr;
    1919#endif
     
    2929
    3030    while (*bp = *cp)
    3131        if (*cp == '%' && cp[1] == 'm') {
     32#ifdef HAVE_STRERROR
     33            strcpy(bp, strerror(errno));
     34#else
    3235            if (errno < sys_nerr && errno > 0) {
    3336                strcpy(bp, sys_errlist[errno]);
    3437            } else {
    3538                sprintf(bp, "Unknown error %d", errno);
    3639            }
     40#endif
    3741            bp += strlen(bp);
    3842            cp += 2;
    3943        } else {
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/rfc931.c tcp_wrappers_7.6.gimli/rfc931.c
    old new  
    3333
    3434int     rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
    3535
    36 static jmp_buf timebuf;
     36static sigjmp_buf timebuf;
    3737
    3838/* fsocket - open stdio stream on top of socket */
    3939
     
    6262static void timeout(sig)
    6363int     sig;
    6464{
    65     longjmp(timebuf, sig);
     65    siglongjmp(timebuf, sig);
    6666}
    6767
    6868/* rfc931 - return remote user name, given socket structures */
     
    9999         * Set up a timer so we won't get stuck while waiting for the server.
    100100         */
    101101
    102         if (setjmp(timebuf) == 0) {
     102        if (sigsetjmp(timebuf,1) == 0) {
    103103            signal(SIGALRM, timeout);
    104104            alarm(rfc931_timeout);
    105105
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/safe_finger.8 tcp_wrappers_7.6.gimli/safe_finger.8
    old new  
     1.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
     2.SH NAME
     3safe_finger \- finger client wrapper that protects against nasty stuff
     4from finger servers
     5.SH SYNOPSIS
     6.B safe_finger [finger_options]
     7.SH DESCRIPTION
     8The
     9.B safe_finger
     10command protects against nasty stuff from finger servers. Use this
     11program for automatic reverse finger probes from the
     12.B tcp_wrapper
     13.B (tcpd)
     14, not the raw finger command. The
     15.B safe_finger
     16command makes sure that the finger client is not run with root
     17privileges. It also runs the finger client with a defined PATH
     18environment.
     19.B safe_finger
     20will also protect you from problems caused by the output of some
     21finger servers. The problem: some programs may react to stuff in
     22the first column. Other programs may get upset by thrash anywhere
     23on a line. File systems may fill up as the finger server keeps
     24sending data. Text editors may bomb out on extremely long lines.
     25The finger server may take forever because it is somehow wedged.
     26.B safe_finger
     27takes care of all this badness.
     28.SH SEE ALSO
     29.BR hosts_access (5),
     30.BR hosts_options (5),
     31.BR tcpd (8)
     32.SH AUTHOR
     33Wietse Venema, Eindhoven University of Technology, The Netherlands.
     34
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/safe_finger.c tcp_wrappers_7.6.gimli/safe_finger.c
    old new  
    2626#include <stdio.h>
    2727#include <ctype.h>
    2828#include <pwd.h>
     29#include <syslog.h>
    2930
    3031extern void exit();
    3132
    3233/* Local stuff */
    3334
    34 char    path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
     35char    path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
    3536
    3637#define TIME_LIMIT      60              /* Do not keep listinging forever */
    3738#define INPUT_LENGTH    100000          /* Do not keep listinging forever */
    3839#define LINE_LENGTH     128             /* Editors can choke on long lines */
    3940#define FINGER_PROGRAM  "finger"        /* Most, if not all, UNIX systems */
    4041#define UNPRIV_NAME     "nobody"        /* Preferred privilege level */
    41 #define UNPRIV_UGID     32767           /* Default uid and gid */
     42#define UNPRIV_UGID     65534           /* Default uid and gid */
    4243
    4344int     finger_pid;
     45int     allow_severity = SEVERITY;
     46int     deny_severity = LOG_WARNING;
    4447
    4548void    cleanup(sig)
    4649int     sig;
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/scaffold.c tcp_wrappers_7.6.gimli/scaffold.c
    old new  
    180180
    181181/* ARGSUSED */
    182182
    183 void    rfc931(request)
    184 struct request_info *request;
     183void    rfc931(rmt_sin, our_sin, dest)
     184struct sockaddr_in *rmt_sin;
     185struct sockaddr_in *our_sin;
     186char   *dest;
    185187{
    186     strcpy(request->user, unknown);
     188    strcpy(dest, unknown);
    187189}
    188190
    189191/* check_path - examine accessibility */
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.gimli/socket.c
    old new  
    7676{
    7777    static struct sockaddr_in client;
    7878    static struct sockaddr_in server;
     79#if !defined (__GLIBC__)
    7980    int     len;
     81#else /* __GLIBC__ */
     82    size_t  len;
     83#endif /* __GLIBC__ */
    8084    char    buf[BUFSIZ];
    8185    int     fd = request->fd;
    8286
     
    224228{
    225229    char    buf[BUFSIZ];
    226230    struct sockaddr_in sin;
     231#if !defined(__GLIBC__)
    227232    int     size = sizeof(sin);
     233#else /* __GLIBC__ */
     234    size_t  size = sizeof(sin);
     235#endif /* __GLIBC__ */
    228236
    229237    /*
    230238     * Eat up the not-yet received datagram. Some systems insist on a
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/tcpd.8 tcp_wrappers_7.6.gimli/tcpd.8
    old new  
    9494.PP
    9595The example assumes that the network daemons live in /usr/etc. On some
    9696systems, network daemons live in /usr/sbin or in /usr/libexec, or have
    97 no `in.\' prefix to their name.
     97no `in.' prefix to their name.
    9898.SH EXAMPLE 2
    9999This example applies when \fItcpd\fR expects that the network daemons
    100100are left in their original place.
     
    110110becomes:
    111111.sp
    112112.ti +5
    113 finger  stream  tcp  nowait  nobody  /some/where/tcpd     in.fingerd
     113finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd       in.fingerd
    114114.sp
    115115.fi
    116116.PP
    117117The example assumes that the network daemons live in /usr/etc. On some
    118118systems, network daemons live in /usr/sbin or in /usr/libexec, the
    119 daemons have no `in.\' prefix to their name, or there is no userid
     119daemons have no `in.' prefix to their name, or there is no userid
    120120field in the inetd configuration file.
    121121.PP
    122122Similar changes will be needed for the other services that are to be
    123 covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
     123covered by \fItcpd\fR.  Send a `kill -HUP' to the \fIinetd\fR(8)
    124124process to make the changes effective. AIX users may also have to
    125 execute the `inetimp\' command.
     125execute the `inetimp' command.
    126126.SH EXAMPLE 3
    127127In the case of daemons that do not live in a common directory ("secret"
    128128or otherwise), edit the \fIinetd\fR configuration file so that it
    129129specifies an absolute path name for the process name field. For example:
    130130.nf
    131131.sp
    132     ntalk  dgram  udp  wait  root  /some/where/tcpd  /usr/local/lib/ntalkd
     132    ntalk  dgram  udp  wait  root  /usr/sbin/tcpd  /usr/sbin/in.ntalkd
    133133.sp
    134134.fi
    135135.PP
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/tcpd.h tcp_wrappers_7.6.gimli/tcpd.h
    old new  
    44  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
    55  */
    66
     7#ifndef _TCPWRAPPERS_TCPD_H
     8#define _TCPWRAPPERS_TCPD_H
     9
     10/* someone else may have defined this */
     11#undef  __P
     12
     13/* use prototypes if we have an ANSI C compiler or are using C++ */
     14#if defined(__STDC__) || defined(__cplusplus)
     15#define __P(args)       args
     16#else
     17#define __P(args)       ()
     18#endif
     19
     20/* Need definitions of struct sockaddr_in and FILE. */
     21#include <netinet/in.h>
     22#include <stdio.h>
     23
     24__BEGIN_DECLS
     25
    726/* Structure to describe one communications endpoint. */
    827
    928#define STRING_LENGTH   128             /* hosts, users, processes */
     
    2544    char    pid[10];                    /* access via eval_pid(request) */
    2645    struct host_info client[1];         /* client endpoint info */
    2746    struct host_info server[1];         /* server endpoint info */
    28     void  (*sink) ();                   /* datagram sink function or 0 */
    29     void  (*hostname) ();               /* address to printable hostname */
    30     void  (*hostaddr) ();               /* address to printable address */
    31     void  (*cleanup) ();                /* cleanup function or 0 */
     47    void  (*sink) __P((int));           /* datagram sink function or 0 */
     48    void  (*hostname) __P((struct host_info *)); /* address to printable hostname */
     49    void  (*hostaddr) __P((struct host_info *)); /* address to printable address */
     50    void  (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
    3251    struct netconfig *config;           /* netdir handle */
    3352};
    3453
     
    6180/* Global functions. */
    6281
    6382#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
    64 extern void fromhost();                 /* get/validate client host info */
     83extern void fromhost __P((struct request_info *));      /* get/validate client host info */
    6584#else
    6685#define fromhost sock_host              /* no TLI support needed */
    6786#endif
    6887
    69 extern int hosts_access();              /* access control */
    70 extern void shell_cmd();                /* execute shell command */
    71 extern char *percent_x();               /* do %<char> expansion */
    72 extern void rfc931();                   /* client name from RFC 931 daemon */
    73 extern void clean_exit();               /* clean up and exit */
    74 extern void refuse();                   /* clean up and exit */
    75 extern char *xgets();                   /* fgets() on steroids */
    76 extern char *split_at();                /* strchr() and split */
    77 extern unsigned long dot_quad_addr();   /* restricted inet_addr() */
     88extern void shell_cmd __P((char *));    /* execute shell command */
     89extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
     90extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
     91extern void clean_exit __P((struct request_info *)); /* clean up and exit */
     92extern void refuse __P((struct request_info *));        /* clean up and exit */
     93extern char *xgets __P((char *, int, FILE *));  /* fgets() on steroids */
     94extern char *split_at __P((char *, int));       /* strchr() and split */
     95extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
    7896
    7997/* Global variables. */
    8098
     99#ifdef HAVE_WEAKSYMS
     100extern int allow_severity __attribute__ ((weak)); /* for connection logging */
     101extern int deny_severity __attribute__ ((weak)); /* for connection logging */
     102#else
    81103extern int allow_severity;              /* for connection logging */
    82104extern int deny_severity;               /* for connection logging */
     105#endif
     106
    83107extern char *hosts_allow_table;         /* for verification mode redirection */
    84108extern char *hosts_deny_table;          /* for verification mode redirection */
    85109extern int hosts_access_verbose;        /* for verbose matching mode */
     
    92116  */
    93117
    94118#ifdef __STDC__
     119extern int hosts_access(struct request_info *request);
     120extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
     121                     char *client_user);
    95122extern struct request_info *request_init(struct request_info *,...);
    96123extern struct request_info *request_set(struct request_info *,...);
    97124#else
     125extern int hosts_access();
     126extern int hosts_ctl();
    98127extern struct request_info *request_init();     /* initialize request */
    99128extern struct request_info *request_set();      /* update request structure */
    100129#endif
     
    117146  * host_info structures serve as caches for the lookup results.
    118147  */
    119148
    120 extern char *eval_user();               /* client user */
    121 extern char *eval_hostname();           /* printable hostname */
    122 extern char *eval_hostaddr();           /* printable host address */
    123 extern char *eval_hostinfo();           /* host name or address */
    124 extern char *eval_client();             /* whatever is available */
    125 extern char *eval_server();             /* whatever is available */
     149extern char *eval_user __P((struct request_info *));    /* client user */
     150extern char *eval_hostname __P((struct host_info *));   /* printable hostname */
     151extern char *eval_hostaddr __P((struct host_info *));   /* printable host address */
     152extern char *eval_hostinfo __P((struct host_info *));   /* host name or address */
     153extern char *eval_client __P((struct request_info *));  /* whatever is available */
     154extern char *eval_server __P((struct request_info *));  /* whatever is available */
    126155#define eval_daemon(r)  ((r)->daemon)   /* daemon process name */
    127156#define eval_pid(r)     ((r)->pid)      /* process id */
    128157
    129158/* Socket-specific methods, including DNS hostname lookups. */
    130159
    131 extern void sock_host();                /* look up endpoint addresses */
    132 extern void sock_hostname();            /* translate address to hostname */
    133 extern void sock_hostaddr();            /* address to printable address */
     160/* look up endpoint addresses */
     161extern void sock_host __P((struct request_info *));
     162/* translate address to hostname */
     163extern void sock_hostname __P((struct host_info *));
     164/* address to printable address */
     165extern void sock_hostaddr __P((struct host_info *));
     166
    134167#define sock_methods(r) \
    135168        { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
    136169
    137170/* The System V Transport-Level Interface (TLI) interface. */
    138171
    139172#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
    140 extern void tli_host();                 /* look up endpoint addresses etc. */
     173extern void tli_host __P((struct request_info *));      /* look up endpoint addresses etc. */
    141174#endif
    142175
    143176 /*
     
    178211  * behavior.
    179212  */
    180213
    181 extern void process_options();          /* execute options */
     214extern void process_options __P((char *, struct request_info *)); /* execute options */
    182215extern int dry_run;                     /* verification flag */
    183216
    184217/* Bug workarounds. */
     
    217250#define strtok  my_strtok
    218251extern char *my_strtok();
    219252#endif
     253
     254__END_DECLS
     255
     256#endif /* tcpd.h */
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/tcpdchk.c tcp_wrappers_7.6.gimli/tcpdchk.c
    old new  
    350350{
    351351    if (pat[0] == '@') {
    352352        tcpd_warn("%s: daemon name begins with \"@\"", pat);
     353    } else if (pat[0] == '/') {
     354        tcpd_warn("%s: daemon name begins with \"/\"", pat);
    353355    } else if (pat[0] == '.') {
    354356        tcpd_warn("%s: daemon name begins with dot", pat);
    355357    } else if (pat[strlen(pat) - 1] == '.') {
     
    382384{
    383385    if (pat[0] == '@') {                        /* @netgroup */
    384386        tcpd_warn("%s: user name begins with \"@\"", pat);
     387    } else if (pat[0] == '/') {
     388        tcpd_warn("%s: user name begins with \"/\"", pat);
    385389    } else if (pat[0] == '.') {
    386390        tcpd_warn("%s: user name begins with dot", pat);
    387391    } else if (pat[strlen(pat) - 1] == '.') {
     
    402406static int check_host(pat)
    403407char   *pat;
    404408{
     409    char    buf[BUFSIZ];
    405410    char   *mask;
    406411    int     addr_count = 1;
     412    FILE   *fp;
     413    struct tcpd_context saved_context;
     414    char   *cp;
     415    char   *wsp = " \t\r\n";
    407416
    408417    if (pat[0] == '@') {                        /* @netgroup */
    409418#ifdef NO_NETGRENT
     
    422431        tcpd_warn("netgroup support disabled");
    423432#endif
    424433#endif
     434    } else if (pat[0] == '/') {                 /* /path/name */
     435        if ((fp = fopen(pat, "r")) != 0) {
     436            saved_context = tcpd_context;
     437            tcpd_context.file = pat;
     438            tcpd_context.line = 0;
     439            while (fgets(buf, sizeof(buf), fp)) {
     440                tcpd_context.line++;
     441                for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
     442                    check_host(cp);
     443            }
     444            tcpd_context = saved_context;
     445            fclose(fp);
     446        } else if (errno != ENOENT) {
     447            tcpd_warn("open %s: %m", pat);
     448        }
    425449    } else if (mask = split_at(pat, '/')) {     /* network/netmask */
    426450        if (dot_quad_addr(pat) == INADDR_NONE
    427451            || dot_quad_addr(mask) == INADDR_NONE)
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/try-from.8 tcp_wrappers_7.6.gimli/try-from.8
    old new  
     1.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
     2.SH NAME
     3try-from \- test program for the tcp_wrapper
     4.SH SYNOPSIS
     5.B try-from
     6.SH DESCRIPTION
     7The
     8.B try-from
     9command can be called via a remote shell command to find out
     10if the hostname and address are properly recognized
     11by the
     12.B tcp_wrapper
     13library, if username lookup works, and (SysV only) if the TLI
     14on top of IP heuristics work. Diagnostics are reported through
     15.BR syslog (3)
     16and redirected to stderr.
     17
     18Example:
     19
     20rsh host /some/where/try-from
     21
     22.SH SEE ALSO
     23.BR hosts_access (5),
     24.BR hosts_options (5),
     25.BR tcpd (8)
     26.SH AUTHOR
     27Wietse Venema, Eindhoven University of Technology, The Netherlands.
     28
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/weak_symbols.c tcp_wrappers_7.6.gimli/weak_symbols.c
    old new  
     1 /*
     2  * @(#) weak_symbols.h 1.5 99/12/29 23:50
     3  *
     4  * Author: Anthony Towns <ajt@debian.org>
     5  */
     6
     7#ifdef HAVE_WEAKSYMS
     8#include <syslog.h>
     9int deny_severity = LOG_WARNING;
     10int allow_severity = SEVERITY;
     11#endif
  • tcp_wrappers_7.6

    diff -Naur tcp_wrappers_7.6/workarounds.c tcp_wrappers_7.6.gimli/workarounds.c
    old new  
    163163int     fix_getpeername(sock, sa, len)
    164164int     sock;
    165165struct sockaddr *sa;
     166#if !defined(__GLIBC__)
    166167int    *len;
     168#else /* __GLIBC__ */
     169size_t *len;
     170#endif /* __GLIBC__ */
    167171{
    168172    int     ret;
    169173    struct sockaddr_in *sin = (struct sockaddr_in *) sa;
Note: See TracBrowser for help on using the repository browser.