You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

940 lines
33 KiB

  1. --- a/hosts_access.c
  2. +++ b/hosts_access.c
  3. @@ -240,6 +240,26 @@ struct request_info *request;
  4. }
  5. }
  6. +/* hostfile_match - look up host patterns from file */
  7. +
  8. +static int hostfile_match(path, host)
  9. +char *path;
  10. +struct hosts_info *host;
  11. +{
  12. + char tok[BUFSIZ];
  13. + int match = NO;
  14. + FILE *fp;
  15. +
  16. + if ((fp = fopen(path, "r")) != 0) {
  17. + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
  18. + /* void */ ;
  19. + fclose(fp);
  20. + } else if (errno != ENOENT) {
  21. + tcpd_warn("open %s: %m", path);
  22. + }
  23. + return (match);
  24. +}
  25. +
  26. /* host_match - match host name and/or address against pattern */
  27. static int host_match(tok, host)
  28. @@ -267,6 +287,8 @@ struct host_info *host;
  29. tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
  30. return (NO);
  31. #endif
  32. + } else if (tok[0] == '/') { /* /file hack */
  33. + return (hostfile_match(tok, host));
  34. } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
  35. char *name = eval_hostname(host);
  36. return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
  37. --- a/tcpd.h
  38. +++ b/tcpd.h
  39. @@ -4,6 +4,27 @@
  40. * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
  41. */
  42. +#ifndef _TCPWRAPPERS_TCPD_H
  43. +#define _TCPWRAPPERS_TCPD_H
  44. +
  45. +/* someone else may have defined this */
  46. +#undef __P
  47. +
  48. +/* use prototypes if we have an ANSI C compiler or are using C++ */
  49. +#if defined(__STDC__) || defined(__cplusplus)
  50. +#define __P(args) args
  51. +#else
  52. +#define __P(args) ()
  53. +#endif
  54. +
  55. +/* Need definitions of struct sockaddr_in and FILE. */
  56. +#include <netinet/in.h>
  57. +#include <stdio.h>
  58. +
  59. +#ifdef __cplusplus
  60. +extern "C" {
  61. +#endif
  62. +
  63. /* Structure to describe one communications endpoint. */
  64. #define STRING_LENGTH 128 /* hosts, users, processes */
  65. @@ -25,10 +46,10 @@ struct request_info {
  66. char pid[10]; /* access via eval_pid(request) */
  67. struct host_info client[1]; /* client endpoint info */
  68. struct host_info server[1]; /* server endpoint info */
  69. - void (*sink) (); /* datagram sink function or 0 */
  70. - void (*hostname) (); /* address to printable hostname */
  71. - void (*hostaddr) (); /* address to printable address */
  72. - void (*cleanup) (); /* cleanup function or 0 */
  73. + void (*sink) __P((int)); /* datagram sink function or 0 */
  74. + void (*hostname) __P((struct host_info *)); /* address to printable hostname */
  75. + void (*hostaddr) __P((struct host_info *)); /* address to printable address */
  76. + void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
  77. struct netconfig *config; /* netdir handle */
  78. };
  79. @@ -61,25 +82,30 @@ extern char paranoid[];
  80. /* Global functions. */
  81. #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
  82. -extern void fromhost(); /* get/validate client host info */
  83. +extern void fromhost __P((struct request_info *)); /* get/validate client host info */
  84. #else
  85. #define fromhost sock_host /* no TLI support needed */
  86. #endif
  87. -extern int hosts_access(); /* access control */
  88. -extern void shell_cmd(); /* execute shell command */
  89. -extern char *percent_x(); /* do %<char> expansion */
  90. -extern void rfc931(); /* client name from RFC 931 daemon */
  91. -extern void clean_exit(); /* clean up and exit */
  92. -extern void refuse(); /* clean up and exit */
  93. -extern char *xgets(); /* fgets() on steroids */
  94. -extern char *split_at(); /* strchr() and split */
  95. -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
  96. +extern void shell_cmd __P((char *)); /* execute shell command */
  97. +extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
  98. +extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
  99. +extern void clean_exit __P((struct request_info *)); /* clean up and exit */
  100. +extern void refuse __P((struct request_info *)); /* clean up and exit */
  101. +extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */
  102. +extern char *split_at __P((char *, int)); /* strchr() and split */
  103. +extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
  104. /* Global variables. */
  105. +#ifdef HAVE_WEAKSYMS
  106. +extern int allow_severity __attribute__ ((weak)); /* for connection logging */
  107. +extern int deny_severity __attribute__ ((weak)); /* for connection logging */
  108. +#else
  109. extern int allow_severity; /* for connection logging */
  110. extern int deny_severity; /* for connection logging */
  111. +#endif
  112. +
  113. extern char *hosts_allow_table; /* for verification mode redirection */
  114. extern char *hosts_deny_table; /* for verification mode redirection */
  115. extern int hosts_access_verbose; /* for verbose matching mode */
  116. @@ -92,9 +118,14 @@ extern int resident; /* > 0 if residen
  117. */
  118. #ifdef __STDC__
  119. +extern int hosts_access(struct request_info *request);
  120. +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
  121. + char *client_user);
  122. extern struct request_info *request_init(struct request_info *,...);
  123. extern struct request_info *request_set(struct request_info *,...);
  124. #else
  125. +extern int hosts_access();
  126. +extern int hosts_ctl();
  127. extern struct request_info *request_init(); /* initialize request */
  128. extern struct request_info *request_set(); /* update request structure */
  129. #endif
  130. @@ -117,27 +148,31 @@ extern struct request_info *request_set(
  131. * host_info structures serve as caches for the lookup results.
  132. */
  133. -extern char *eval_user(); /* client user */
  134. -extern char *eval_hostname(); /* printable hostname */
  135. -extern char *eval_hostaddr(); /* printable host address */
  136. -extern char *eval_hostinfo(); /* host name or address */
  137. -extern char *eval_client(); /* whatever is available */
  138. -extern char *eval_server(); /* whatever is available */
  139. +extern char *eval_user __P((struct request_info *)); /* client user */
  140. +extern char *eval_hostname __P((struct host_info *)); /* printable hostname */
  141. +extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */
  142. +extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */
  143. +extern char *eval_client __P((struct request_info *)); /* whatever is available */
  144. +extern char *eval_server __P((struct request_info *)); /* whatever is available */
  145. #define eval_daemon(r) ((r)->daemon) /* daemon process name */
  146. #define eval_pid(r) ((r)->pid) /* process id */
  147. /* Socket-specific methods, including DNS hostname lookups. */
  148. -extern void sock_host(); /* look up endpoint addresses */
  149. -extern void sock_hostname(); /* translate address to hostname */
  150. -extern void sock_hostaddr(); /* address to printable address */
  151. +/* look up endpoint addresses */
  152. +extern void sock_host __P((struct request_info *));
  153. +/* translate address to hostname */
  154. +extern void sock_hostname __P((struct host_info *));
  155. +/* address to printable address */
  156. +extern void sock_hostaddr __P((struct host_info *));
  157. +
  158. #define sock_methods(r) \
  159. { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
  160. /* The System V Transport-Level Interface (TLI) interface. */
  161. #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
  162. -extern void tli_host(); /* look up endpoint addresses etc. */
  163. +extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */
  164. #endif
  165. /*
  166. @@ -178,7 +213,7 @@ extern struct tcpd_context tcpd_context;
  167. * behavior.
  168. */
  169. -extern void process_options(); /* execute options */
  170. +extern void process_options __P((char *, struct request_info *)); /* execute options */
  171. extern int dry_run; /* verification flag */
  172. /* Bug workarounds. */
  173. @@ -217,3 +252,9 @@ extern char *fix_strtok();
  174. #define strtok my_strtok
  175. extern char *my_strtok();
  176. #endif
  177. +
  178. +#ifdef __cplusplus
  179. +}
  180. +#endif
  181. +
  182. +#endif /* tcpd.h */
  183. --- a/Makefile
  184. +++ b/Makefile
  185. @@ -1,5 +1,10 @@
  186. +GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
  187. +
  188. # @(#) Makefile 1.23 97/03/21 19:27:20
  189. +# unset the HOSTNAME environment variable
  190. +HOSTNAME =
  191. +
  192. what:
  193. @echo
  194. @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
  195. @@ -19,7 +24,7 @@ what:
  196. @echo " generic (most bsd-ish systems with sys5 compatibility)"
  197. @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
  198. @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
  199. - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
  200. + @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
  201. @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
  202. @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
  203. @echo " uts215 uxp"
  204. @@ -43,8 +48,8 @@ what:
  205. # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
  206. #REAL_DAEMON_DIR=/usr/etc
  207. #
  208. -# SysV.4 Solaris 2.x OSF AIX
  209. -#REAL_DAEMON_DIR=/usr/sbin
  210. +# SysV.4 Solaris 2.x OSF AIX Linux
  211. +REAL_DAEMON_DIR=/usr/sbin
  212. #
  213. # BSD 4.4
  214. #REAL_DAEMON_DIR=/usr/libexec
  215. @@ -141,10 +146,21 @@ freebsd:
  216. LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
  217. EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
  218. +ifneq ($(GLIBC),0)
  219. +MYLIB=-lnsl
  220. +endif
  221. +
  222. linux:
  223. @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
  224. - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
  225. - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
  226. + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
  227. + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
  228. + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"
  229. +
  230. +gnu:
  231. + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
  232. + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
  233. + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
  234. + EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"
  235. # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
  236. hpux hpux8 hpux9 hpux10:
  237. @@ -391,7 +407,7 @@ AR = ar
  238. # the ones provided with this source distribution. The environ.c module
  239. # implements setenv(), getenv(), and putenv().
  240. -AUX_OBJ= setenv.o
  241. +#AUX_OBJ= setenv.o
  242. #AUX_OBJ= environ.o
  243. #AUX_OBJ= environ.o strcasecmp.o
  244. @@ -454,7 +470,8 @@ AUX_OBJ= setenv.o
  245. # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
  246. # around this. The workaround does no harm on other Solaris versions.
  247. -BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
  248. +BUGS =
  249. +#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
  250. #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
  251. #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
  252. @@ -464,7 +481,7 @@ BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS
  253. # If your system supports NIS or YP-style netgroups, enable the following
  254. # macro definition. Netgroups are used only for host access control.
  255. #
  256. -#NETGROUP= -DNETGROUP
  257. +NETGROUP= -DNETGROUP
  258. ###############################################################
  259. # System dependencies: whether or not your system has vsyslog()
  260. @@ -491,7 +508,7 @@ VSYSLOG = -Dvsyslog=myvsyslog
  261. # Uncomment the next definition to turn on the language extensions
  262. # (examples: allow, deny, banners, twist and spawn).
  263. #
  264. -#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
  265. +STYLE = -DPROCESS_OPTIONS # Enable language extensions.
  266. ################################################################
  267. # Optional: Changing the default disposition of logfile records
  268. @@ -514,7 +531,7 @@ VSYSLOG = -Dvsyslog=myvsyslog
  269. #
  270. # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
  271. -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
  272. +FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use
  273. # The syslog priority at which successful connections are logged.
  274. @@ -610,7 +627,7 @@ TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\
  275. # Paranoid mode implies hostname lookup. In order to disable hostname
  276. # lookups altogether, see the next section.
  277. -PARANOID= -DPARANOID
  278. +#PARANOID= -DPARANOID
  279. ########################################
  280. # Optional: turning off hostname lookups
  281. @@ -623,7 +640,7 @@ PARANOID= -DPARANOID
  282. # In order to perform selective hostname lookups, disable paranoid
  283. # mode (see previous section) and comment out the following definition.
  284. -HOSTNAME= -DALWAYS_HOSTNAME
  285. +#HOSTNAME= -DALWAYS_HOSTNAME
  286. #############################################
  287. # Optional: Turning on host ADDRESS checking
  288. @@ -649,28 +666,46 @@ HOSTNAME= -DALWAYS_HOSTNAME
  289. # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  290. # Solaris 2.x, and Linux. See your system documentation for details.
  291. #
  292. -# KILL_OPT= -DKILL_IP_OPTIONS
  293. +KILL_OPT= -DKILL_IP_OPTIONS
  294. ## End configuration options
  295. ############################
  296. # Protection against weird shells or weird make programs.
  297. +CC = gcc
  298. SHELL = /bin/sh
  299. -.c.o:; $(CC) $(CFLAGS) -c $*.c
  300. +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
  301. +
  302. +SOMAJOR = 0
  303. +SOMINOR = 7.6
  304. +
  305. +LIB = libwrap.a
  306. +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
  307. +SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)
  308. +SHLIBSO = shared/libwrap.so
  309. +SHLIBFLAGS = -Lshared -lwrap
  310. -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
  311. +shared/%.o: %.c
  312. + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
  313. +
  314. +CFLAGS = -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
  315. $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
  316. -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
  317. -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
  318. $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
  319. $(VSYSLOG) $(HOSTNAME)
  320. +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
  321. +SHCFLAGS = -fPIC -shared -D_REENTRANT
  322. +
  323. LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
  324. hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
  325. $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
  326. update.o misc.o diag.o percent_m.o myvsyslog.o
  327. +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
  328. +
  329. FROM_OBJ= fromhost.o
  330. KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
  331. @@ -684,46 +719,78 @@ KIT = README miscd.c tcpd.c fromhost.c h
  332. refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
  333. scaffold.h tcpdmatch.8 README.NIS
  334. -LIB = libwrap.a
  335. -
  336. -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
  337. +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
  338. # Invalidate all object files when the compiler options (CFLAGS) have changed.
  339. config-check:
  340. @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
  341. - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
  342. - if cmp cflags /tmp/cflags.$$$$ ; \
  343. - then rm /tmp/cflags.$$$$ ; \
  344. - else mv /tmp/cflags.$$$$ cflags ; \
  345. + @set +e; echo $(CFLAGS) >cflags.new ; \
  346. + if cmp cflags cflags.new ; \
  347. + then rm cflags.new ; \
  348. + else mv cflags.new cflags ; \
  349. fi >/dev/null 2>/dev/null
  350. + @if [ ! -d shared ]; then mkdir shared; fi
  351. $(LIB): $(LIB_OBJ)
  352. rm -f $(LIB)
  353. $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
  354. -$(RANLIB) $(LIB)
  355. -tcpd: tcpd.o $(LIB)
  356. - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
  357. +$(SHLIB): $(SHLIB_OBJ)
  358. + rm -f $(SHLIB)
  359. + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
  360. + ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)
  361. + ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
  362. +
  363. +tcpd: tcpd.o $(SHLIB)
  364. + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
  365. -miscd: miscd.o $(LIB)
  366. - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
  367. +miscd: miscd.o $(SHLIB)
  368. + $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)
  369. -safe_finger: safe_finger.o $(LIB)
  370. - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
  371. +safe_finger: safe_finger.o $(SHLIB)
  372. + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
  373. TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
  374. -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
  375. - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
  376. +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
  377. + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
  378. -try-from: try-from.o fakelog.o $(LIB)
  379. - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
  380. +try-from: try-from.o fakelog.o $(SHLIB)
  381. + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
  382. TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
  383. -tcpdchk: $(TCPDCHK_OBJ) $(LIB)
  384. - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
  385. +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
  386. + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
  387. +
  388. +install: install-lib install-bin install-dev
  389. +
  390. +install-lib:
  391. + install -o root -g root -m 0644 $(SHLIB) ${DESTDIR}/lib/
  392. + ln -s $(notdir $(SHLIB)) ${DESTDIR}/lib/$(notdir $(SHLIBSOMAJ))
  393. +
  394. +install-bin:
  395. + install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/
  396. + install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/
  397. + install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/
  398. + install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/
  399. + install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/
  400. + install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/
  401. + install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/
  402. + install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/
  403. + install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/
  404. + install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/
  405. +
  406. +install-dev:
  407. + ln -s /lib/$(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))
  408. + install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/
  409. + install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/
  410. + install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/
  411. + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3
  412. + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3
  413. + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3
  414. shar: $(KIT)
  415. @shar $(KIT)
  416. @@ -739,7 +806,8 @@ archive:
  417. clean:
  418. rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
  419. - cflags
  420. + cflags libwrap*.so*
  421. + rm -rf shared
  422. tidy: clean
  423. chmod -R a+r .
  424. @@ -885,5 +953,6 @@ update.o: cflags
  425. update.o: mystdarg.h
  426. update.o: tcpd.h
  427. vfprintf.o: cflags
  428. +weak_symbols.o: tcpd.h
  429. workarounds.o: cflags
  430. workarounds.o: tcpd.h
  431. --- a/hosts_access.5
  432. +++ b/hosts_access.5
  433. @@ -8,9 +8,9 @@ name, host name/address) patterns. Exam
  434. impatient reader is encouraged to skip to the EXAMPLES section for a
  435. quick introduction.
  436. .PP
  437. -An extended version of the access control language is described in the
  438. -\fIhosts_options\fR(5) document. The extensions are turned on at
  439. -program build time by building with -DPROCESS_OPTIONS.
  440. +The extended version of the access control language is described in the
  441. +\fIhosts_options\fR(5) document. \fBNote that this language supersedes
  442. +the meaning of \fIshell_command\fB as documented below.\fR
  443. .PP
  444. In the following text, \fIdaemon\fR is the the process name of a
  445. network daemon process, and \fIclient\fR is the name and/or address of
  446. @@ -40,7 +40,7 @@ A newline character is ignored when it i
  447. character. This permits you to break up long lines so that they are
  448. easier to edit.
  449. .IP \(bu
  450. -Blank lines or lines that begin with a `#\' character are ignored.
  451. +Blank lines or lines that begin with a `#' character are ignored.
  452. This permits you to insert comments and whitespace so that the tables
  453. are easier to read.
  454. .IP \(bu
  455. @@ -69,26 +69,33 @@ checks are case insensitive.
  456. .SH PATTERNS
  457. The access control language implements the following patterns:
  458. .IP \(bu
  459. -A string that begins with a `.\' character. A host name is matched if
  460. +A string that begins with a `.' character. A host name is matched if
  461. the last components of its name match the specified pattern. For
  462. -example, the pattern `.tue.nl\' matches the host name
  463. -`wzv.win.tue.nl\'.
  464. +example, the pattern `.tue.nl' matches the host name
  465. +`wzv.win.tue.nl'.
  466. .IP \(bu
  467. -A string that ends with a `.\' character. A host address is matched if
  468. +A string that ends with a `.' character. A host address is matched if
  469. its first numeric fields match the given string. For example, the
  470. -pattern `131.155.\' matches the address of (almost) every host on the
  471. +pattern `131.155.' matches the address of (almost) every host on the
  472. Eind\%hoven University network (131.155.x.x).
  473. .IP \(bu
  474. -A string that begins with an `@\' character is treated as an NIS
  475. +A string that begins with an `@' character is treated as an NIS
  476. (formerly YP) netgroup name. A host name is matched if it is a host
  477. member of the specified netgroup. Netgroup matches are not supported
  478. for daemon process names or for client user names.
  479. .IP \(bu
  480. -An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
  481. -`net/mask\' pair. A host address is matched if `net\' is equal to the
  482. -bitwise AND of the address and the `mask\'. For example, the net/mask
  483. -pattern `131.155.72.0/255.255.254.0\' matches every address in the
  484. -range `131.155.72.0\' through `131.155.73.255\'.
  485. +An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
  486. +`net/mask' pair. A host address is matched if `net' is equal to the
  487. +bitwise AND of the address and the `mask'. For example, the net/mask
  488. +pattern `131.155.72.0/255.255.254.0' matches every address in the
  489. +range `131.155.72.0' through `131.155.73.255'.
  490. +.IP \(bu
  491. +A string that begins with a `/' character is treated as a file
  492. +name. A host name or address is matched if it matches any host name
  493. +or address pattern listed in the named file. The file format is
  494. +zero or more lines with zero or more host name or address patterns
  495. +separated by whitespace. A file name pattern can be used anywhere
  496. +a host name or address pattern can be used.
  497. .SH WILDCARDS
  498. The access control language supports explicit wildcards:
  499. .IP ALL
  500. @@ -115,19 +122,19 @@ without -DPARANOID when you want more co
  501. .ne 6
  502. .SH OPERATORS
  503. .IP EXCEPT
  504. -Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
  505. +Intended use is of the form: `list_1 EXCEPT list_2'; this construct
  506. matches anything that matches \fIlist_1\fR unless it matches
  507. \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in
  508. client_lists. The EXCEPT operator can be nested: if the control
  509. -language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
  510. -would parse as `(a EXCEPT (b EXCEPT c))\'.
  511. +language would permit the use of parentheses, `a EXCEPT b EXCEPT c'
  512. +would parse as `(a EXCEPT (b EXCEPT c))'.
  513. .br
  514. .ne 6
  515. .SH SHELL COMMANDS
  516. If the first-matched access control rule contains a shell command, that
  517. command is subjected to %<letter> substitutions (see next section).
  518. The result is executed by a \fI/bin/sh\fR child process with standard
  519. -input, output and error connected to \fI/dev/null\fR. Specify an `&\'
  520. +input, output and error connected to \fI/dev/null\fR. Specify an `&'
  521. at the end of the command if you do not want to wait until it has
  522. completed.
  523. .PP
  524. @@ -159,7 +166,7 @@ depending on how much information is ava
  525. .IP %u
  526. The client user name (or "unknown").
  527. .IP %%
  528. -Expands to a single `%\' character.
  529. +Expands to a single `%' character.
  530. .PP
  531. Characters in % expansions that may confuse the shell are replaced by
  532. underscores.
  533. @@ -243,9 +250,9 @@ A positive IDENT lookup result (the clie
  534. less trustworthy. It is possible for an intruder to spoof both the
  535. client connection and the IDENT lookup, although doing so is much
  536. harder than spoofing just a client connection. It may also be that
  537. -the client\'s IDENT server is lying.
  538. +the client's IDENT server is lying.
  539. .PP
  540. -Note: IDENT lookups don\'t work with UDP services.
  541. +Note: IDENT lookups don't work with UDP services.
  542. .SH EXAMPLES
  543. The language is flexible enough that different types of access control
  544. policy can be expressed with a minimum of fuss. Although the language
  545. @@ -285,7 +292,7 @@ ALL: LOCAL @some_netgroup
  546. .br
  547. ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
  548. .PP
  549. -The first rule permits access from hosts in the local domain (no `.\'
  550. +The first rule permits access from hosts in the local domain (no `.'
  551. in the host name) and from members of the \fIsome_netgroup\fP
  552. netgroup. The second rule permits access from all hosts in the
  553. \fIfoobar.edu\fP domain (notice the leading dot), with the exception of
  554. @@ -322,8 +329,8 @@ in.tftpd: LOCAL, .my.domain
  555. /etc/hosts.deny:
  556. .in +3
  557. .nf
  558. -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
  559. - /usr/ucb/mail -s %d-%h root) &
  560. +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
  561. + /usr/bin/mail -s %d-%h root) &
  562. .fi
  563. .PP
  564. The safe_finger command comes with the tcpd wrapper and should be
  565. @@ -349,7 +356,7 @@ control rule; when the length of an acce
  566. capacity of an internal buffer; when an access control rule is not
  567. terminated by a newline character; when the result of %<letter>
  568. expansion would overflow an internal buffer; when a system call fails
  569. -that shouldn\'t. All problems are reported via the syslog daemon.
  570. +that shouldn't. All problems are reported via the syslog daemon.
  571. .SH FILES
  572. .na
  573. .nf
  574. --- a/rfc931.c
  575. +++ b/rfc931.c
  576. @@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1.
  577. int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
  578. -static jmp_buf timebuf;
  579. +static sigjmp_buf timebuf;
  580. /* fsocket - open stdio stream on top of socket */
  581. @@ -62,7 +62,7 @@ int protocol;
  582. static void timeout(sig)
  583. int sig;
  584. {
  585. - longjmp(timebuf, sig);
  586. + siglongjmp(timebuf, sig);
  587. }
  588. /* rfc931 - return remote user name, given socket structures */
  589. @@ -99,7 +99,7 @@ char *dest;
  590. * Set up a timer so we won't get stuck while waiting for the server.
  591. */
  592. - if (setjmp(timebuf) == 0) {
  593. + if (sigsetjmp(timebuf,1) == 0) {
  594. signal(SIGALRM, timeout);
  595. alarm(rfc931_timeout);
  596. --- a/tcpd.8
  597. +++ b/tcpd.8
  598. @@ -94,7 +94,7 @@ configuration files.
  599. .PP
  600. The example assumes that the network daemons live in /usr/etc. On some
  601. systems, network daemons live in /usr/sbin or in /usr/libexec, or have
  602. -no `in.\' prefix to their name.
  603. +no `in.' prefix to their name.
  604. .SH EXAMPLE 2
  605. This example applies when \fItcpd\fR expects that the network daemons
  606. are left in their original place.
  607. @@ -110,26 +110,26 @@ finger stream tcp nowait nobody /us
  608. becomes:
  609. .sp
  610. .ti +5
  611. -finger stream tcp nowait nobody /some/where/tcpd in.fingerd
  612. +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
  613. .sp
  614. .fi
  615. .PP
  616. The example assumes that the network daemons live in /usr/etc. On some
  617. systems, network daemons live in /usr/sbin or in /usr/libexec, the
  618. -daemons have no `in.\' prefix to their name, or there is no userid
  619. +daemons have no `in.' prefix to their name, or there is no userid
  620. field in the inetd configuration file.
  621. .PP
  622. Similar changes will be needed for the other services that are to be
  623. -covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
  624. +covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8)
  625. process to make the changes effective. AIX users may also have to
  626. -execute the `inetimp\' command.
  627. +execute the `inetimp' command.
  628. .SH EXAMPLE 3
  629. In the case of daemons that do not live in a common directory ("secret"
  630. or otherwise), edit the \fIinetd\fR configuration file so that it
  631. specifies an absolute path name for the process name field. For example:
  632. .nf
  633. .sp
  634. - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
  635. + ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
  636. .sp
  637. .fi
  638. .PP
  639. --- a/hosts_access.3
  640. +++ b/hosts_access.3
  641. @@ -3,7 +3,7 @@
  642. hosts_access, hosts_ctl, request_init, request_set \- access control library
  643. .SH SYNOPSIS
  644. .nf
  645. -#include "tcpd.h"
  646. +#include <tcpd.h>
  647. extern int allow_severity;
  648. extern int deny_severity;
  649. --- a/options.c
  650. +++ b/options.c
  651. @@ -473,6 +473,9 @@ static struct syslog_names log_fac[] = {
  652. #ifdef LOG_CRON
  653. "cron", LOG_CRON,
  654. #endif
  655. +#ifdef LOG_FTP
  656. + "ftp", LOG_FTP,
  657. +#endif
  658. #ifdef LOG_LOCAL0
  659. "local0", LOG_LOCAL0,
  660. #endif
  661. --- a/fix_options.c
  662. +++ b/fix_options.c
  663. @@ -35,7 +35,12 @@ struct request_info *request;
  664. #ifdef IP_OPTIONS
  665. unsigned char optbuf[BUFFER_SIZE / 3], *cp;
  666. char lbuf[BUFFER_SIZE], *lp;
  667. +#if !defined(__GLIBC__)
  668. int optsize = sizeof(optbuf), ipproto;
  669. +#else /* __GLIBC__ */
  670. + size_t optsize = sizeof(optbuf);
  671. + int ipproto;
  672. +#endif /* __GLIBC__ */
  673. struct protoent *ip;
  674. int fd = request->fd;
  675. unsigned int opt;
  676. --- a/workarounds.c
  677. +++ b/workarounds.c
  678. @@ -163,7 +163,11 @@ int *fromlen;
  679. int fix_getpeername(sock, sa, len)
  680. int sock;
  681. struct sockaddr *sa;
  682. +#if !defined(__GLIBC__)
  683. int *len;
  684. +#else /* __GLIBC__ */
  685. +size_t *len;
  686. +#endif /* __GLIBC__ */
  687. {
  688. int ret;
  689. struct sockaddr_in *sin = (struct sockaddr_in *) sa;
  690. --- a/socket.c
  691. +++ b/socket.c
  692. @@ -76,7 +76,11 @@ struct request_info *request;
  693. {
  694. static struct sockaddr_in client;
  695. static struct sockaddr_in server;
  696. +#if !defined (__GLIBC__)
  697. int len;
  698. +#else /* __GLIBC__ */
  699. + size_t len;
  700. +#endif /* __GLIBC__ */
  701. char buf[BUFSIZ];
  702. int fd = request->fd;
  703. @@ -224,7 +228,11 @@ int fd;
  704. {
  705. char buf[BUFSIZ];
  706. struct sockaddr_in sin;
  707. +#if !defined(__GLIBC__)
  708. int size = sizeof(sin);
  709. +#else /* __GLIBC__ */
  710. + size_t size = sizeof(sin);
  711. +#endif /* __GLIBC__ */
  712. /*
  713. * Eat up the not-yet received datagram. Some systems insist on a
  714. --- a/safe_finger.c
  715. +++ b/safe_finger.c
  716. @@ -26,21 +26,24 @@ static char sccsid[] = "@(#) safe_finger
  717. #include <stdio.h>
  718. #include <ctype.h>
  719. #include <pwd.h>
  720. +#include <syslog.h>
  721. extern void exit();
  722. /* Local stuff */
  723. -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
  724. +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
  725. #define TIME_LIMIT 60 /* Do not keep listinging forever */
  726. #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
  727. #define LINE_LENGTH 128 /* Editors can choke on long lines */
  728. #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
  729. #define UNPRIV_NAME "nobody" /* Preferred privilege level */
  730. -#define UNPRIV_UGID 32767 /* Default uid and gid */
  731. +#define UNPRIV_UGID 65534 /* Default uid and gid */
  732. int finger_pid;
  733. +int allow_severity = SEVERITY;
  734. +int deny_severity = LOG_WARNING;
  735. void cleanup(sig)
  736. int sig;
  737. --- a/hosts_options.5
  738. +++ b/hosts_options.5
  739. @@ -58,12 +58,12 @@ Notice the leading dot on the domain nam
  740. Execute, in a child process, the specified shell command, after
  741. performing the %<letter> expansions described in the hosts_access(5)
  742. manual page. The command is executed with stdin, stdout and stderr
  743. -connected to the null device, so that it won\'t mess up the
  744. +connected to the null device, so that it won't mess up the
  745. conversation with the client host. Example:
  746. .sp
  747. .nf
  748. .ti +3
  749. -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
  750. +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
  751. .fi
  752. .sp
  753. executes, in a background child process, the shell command "safe_finger
  754. --- a/tcpdchk.c
  755. +++ b/tcpdchk.c
  756. @@ -350,6 +350,8 @@ char *pat;
  757. {
  758. if (pat[0] == '@') {
  759. tcpd_warn("%s: daemon name begins with \"@\"", pat);
  760. + } else if (pat[0] == '/') {
  761. + tcpd_warn("%s: daemon name begins with \"/\"", pat);
  762. } else if (pat[0] == '.') {
  763. tcpd_warn("%s: daemon name begins with dot", pat);
  764. } else if (pat[strlen(pat) - 1] == '.') {
  765. @@ -382,6 +384,8 @@ char *pat;
  766. {
  767. if (pat[0] == '@') { /* @netgroup */
  768. tcpd_warn("%s: user name begins with \"@\"", pat);
  769. + } else if (pat[0] == '/') {
  770. + tcpd_warn("%s: user name begins with \"/\"", pat);
  771. } else if (pat[0] == '.') {
  772. tcpd_warn("%s: user name begins with dot", pat);
  773. } else if (pat[strlen(pat) - 1] == '.') {
  774. @@ -402,8 +406,13 @@ char *pat;
  775. static int check_host(pat)
  776. char *pat;
  777. {
  778. + char buf[BUFSIZ];
  779. char *mask;
  780. int addr_count = 1;
  781. + FILE *fp;
  782. + struct tcpd_context saved_context;
  783. + char *cp;
  784. + char *wsp = " \t\r\n";
  785. if (pat[0] == '@') { /* @netgroup */
  786. #ifdef NO_NETGRENT
  787. @@ -422,6 +431,21 @@ char *pat;
  788. tcpd_warn("netgroup support disabled");
  789. #endif
  790. #endif
  791. + } else if (pat[0] == '/') { /* /path/name */
  792. + if ((fp = fopen(pat, "r")) != 0) {
  793. + saved_context = tcpd_context;
  794. + tcpd_context.file = pat;
  795. + tcpd_context.line = 0;
  796. + while (fgets(buf, sizeof(buf), fp)) {
  797. + tcpd_context.line++;
  798. + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
  799. + check_host(cp);
  800. + }
  801. + tcpd_context = saved_context;
  802. + fclose(fp);
  803. + } else if (errno != ENOENT) {
  804. + tcpd_warn("open %s: %m", pat);
  805. + }
  806. } else if (mask = split_at(pat, '/')) { /* network/netmask */
  807. if (dot_quad_addr(pat) == INADDR_NONE
  808. || dot_quad_addr(mask) == INADDR_NONE)
  809. --- a/percent_m.c
  810. +++ b/percent_m.c
  811. @@ -13,7 +13,7 @@ static char sccsid[] = "@(#) percent_m.c
  812. #include <string.h>
  813. extern int errno;
  814. -#ifndef SYS_ERRLIST_DEFINED
  815. +#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
  816. extern char *sys_errlist[];
  817. extern int sys_nerr;
  818. #endif
  819. @@ -29,11 +29,15 @@ char *ibuf;
  820. while (*bp = *cp)
  821. if (*cp == '%' && cp[1] == 'm') {
  822. +#ifdef HAVE_STRERROR
  823. + strcpy(bp, strerror(errno));
  824. +#else
  825. if (errno < sys_nerr && errno > 0) {
  826. strcpy(bp, sys_errlist[errno]);
  827. } else {
  828. sprintf(bp, "Unknown error %d", errno);
  829. }
  830. +#endif
  831. bp += strlen(bp);
  832. cp += 2;
  833. } else {
  834. --- a/scaffold.c
  835. +++ b/scaffold.c
  836. @@ -180,10 +180,12 @@ struct request_info *request;
  837. /* ARGSUSED */
  838. -void rfc931(request)
  839. -struct request_info *request;
  840. +void rfc931(rmt_sin, our_sin, dest)
  841. +struct sockaddr_in *rmt_sin;
  842. +struct sockaddr_in *our_sin;
  843. +char *dest;
  844. {
  845. - strcpy(request->user, unknown);
  846. + strcpy(dest, unknown);
  847. }
  848. /* check_path - examine accessibility */
  849. --- /dev/null
  850. +++ b/weak_symbols.c
  851. @@ -0,0 +1,11 @@
  852. + /*
  853. + * @(#) weak_symbols.h 1.5 99/12/29 23:50
  854. + *
  855. + * Author: Anthony Towns <ajt@debian.org>
  856. + */
  857. +
  858. +#ifdef HAVE_WEAKSYMS
  859. +#include <syslog.h>
  860. +int deny_severity = LOG_WARNING;
  861. +int allow_severity = SEVERITY;
  862. +#endif