Index: create.patch.sh
===================================================================
--- create.patch.sh (nonexistent)
+++ create.patch.sh (revision 5)
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+VERSION=7.6
+
+tar --files-from=file.list -xzvf ../tcp_wrappers_$VERSION.tar.gz
+( cd tcp_wrappers_$VERSION ; chmod +w * )
+mv tcp_wrappers_$VERSION tcp_wrappers_$VERSION-orig
+
+cp -rf ./tcp_wrappers_$VERSION-new ./tcp_wrappers_$VERSION
+
+diff --unified -Nr tcp_wrappers_$VERSION-orig tcp_wrappers_$VERSION > tcp_wrappers_$VERSION.patch
+
+mv tcp_wrappers_$VERSION.patch ../patches
+
+rm -rf ./tcp_wrappers_$VERSION
+rm -rf ./tcp_wrappers_$VERSION-orig
Property changes on: create.patch.sh
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: file.list
===================================================================
--- file.list (nonexistent)
+++ file.list (revision 5)
@@ -0,0 +1,22 @@
+tcp_wrappers_7.6/Makefile
+tcp_wrappers_7.6/eval.c
+tcp_wrappers_7.6/fix_options.c
+tcp_wrappers_7.6/hosts_access.5
+tcp_wrappers_7.6/hosts_access.c
+tcp_wrappers_7.6/inetcf.c
+tcp_wrappers_7.6/misc.c
+tcp_wrappers_7.6/options.c
+tcp_wrappers_7.6/percent_m.c
+tcp_wrappers_7.6/refuse.c
+tcp_wrappers_7.6/rfc931.c
+tcp_wrappers_7.6/scaffold.c
+tcp_wrappers_7.6/scaffold.h
+tcp_wrappers_7.6/shell_cmd.c
+tcp_wrappers_7.6/socket.c
+tcp_wrappers_7.6/tcpd.c
+tcp_wrappers_7.6/tcpd.h
+tcp_wrappers_7.6/tcpdchk.c
+tcp_wrappers_7.6/tcpdmatch.c
+tcp_wrappers_7.6/tli.c
+tcp_wrappers_7.6/update.c
+tcp_wrappers_7.6/workarounds.c
Index: tcp_wrappers_7.6-new/Makefile
===================================================================
--- tcp_wrappers_7.6-new/Makefile (nonexistent)
+++ tcp_wrappers_7.6-new/Makefile (revision 5)
@@ -0,0 +1,919 @@
+# @(#) Makefile 1.23 97/03/21 19:27:20
+
+what:
+ @echo
+ @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
+ @echo
+ @echo " make sys-type"
+ @echo
+ @echo "If you are in a hurry you can try instead:"
+ @echo
+ @echo " make REAL_DAEMON_DIR=/foo/bar sys-type"
+ @echo
+ @echo "And for a version with language extensions enabled:"
+ @echo
+ @echo " make REAL_DAEMON_DIR=/foo/bar STYLE=-DPROCESS_OPTIONS sys-type"
+ @echo
+ @echo "This Makefile knows about the following sys-types:"
+ @echo
+ @echo " generic (most bsd-ish systems with sys5 compatibility)"
+ @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
+ @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
+ @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
+ @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
+ @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
+ @echo " uts215 uxp"
+ @echo
+ @echo "If none of these match your environment, edit the system"
+ @echo "dependencies sections in the Makefile and do a 'make other'."
+ @echo
+
+#######################################################
+# Choice between easy and advanced installation recipe.
+#
+# Advanced installation: vendor-provided daemons are left alone, and the
+# inetd configuration file is edited. In this case, the REAL_DAEMON_DIR
+# macro should reflect the actual directory with (most of) your
+# vendor-provided network daemons. These names can be found in the
+# inetd.conf file. Usually, the telnet, ftp and finger daemons all live
+# in the same directory.
+#
+# Uncomment the appropriate line if you are going to edit inetd.conf.
+#
+# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
+#REAL_DAEMON_DIR=/usr/etc
+#
+# SysV.4 Solaris 2.x OSF AIX
+REAL_DAEMON_DIR=/usr/sbin
+#
+# BSD 4.4
+#REAL_DAEMON_DIR=/usr/libexec
+#
+# HP-UX SCO Unicos
+#REAL_DAEMON_DIR=/etc
+
+# Easy installation: vendor-provided network daemons are moved to "some
+# other" directory, and the tcpd wrapper fills in the "holes". For this
+# mode of operation, the REAL_DAEMON_DIR macro should be set to the "some
+# other" directory. The "..." is here for historical reasons only; you
+# should probably use some other name.
+#
+# Uncomment the appropriate line if you are going to move your daemons.
+#
+# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
+#REAL_DAEMON_DIR=/usr/etc/...
+#
+# SysV.4 Solaris 2.x OSF AIX
+#REAL_DAEMON_DIR=/usr/sbin/...
+#
+# BSD 4.4
+#REAL_DAEMON_DIR=/usr/libexec/...
+#
+# HP-UX SCO Unicos
+#REAL_DAEMON_DIR=/etc/...
+
+# End of mandatory section
+##########################
+
+##########################################
+# Ready-to-use system-dependent templates.
+#
+# Ready-to-use templates are available for many systems (see the "echo"
+# commands at the start of this Makefile). The templates take care of
+# all system dependencies: after editing the REAL_DAEMON_DIR definition
+# above, do a "make sunos4" (or whatever system type is appropriate).
+#
+# If your system is not listed (or something that comes close enough), you
+# have to edit the system dependencies section below and do a "make other".
+#
+# Send templates for other UNIX versions to wietse@wzv.win.tue.nl.
+
+# This is good for many BSD+SYSV hybrids with NIS (formerly YP).
+generic aix osf alpha dynix:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# Ditto, with vsyslog
+sunos4:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+
+# Generic with resolver library.
+generic-resolver:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lresolv RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# The NeXT loader needs "-m" or it barfs on redefined library functions.
+next:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-m RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# SunOS for the 386 was frozen at release 4.0.x.
+sunos40:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="setenv.o strcasecmp.o" \
+ NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+
+# Ultrix is like aix, next, etc., but has miscd and setenv().
+ultrix:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ NETGROUP=-DNETGROUP TLI= all miscd
+
+# This works on EP/IX 1.4.3 and will likely work on Mips (reggers@julian.uwo.ca)
+epix:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all
+
+# Freebsd and linux by default have no NIS.
+386bsd bsdos:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+
+freebsd:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-L/usr/local/v6/lib -linet6" \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \
+ VSYSLOG= all
+
+netbsd:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all
+
+linux:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lnsl" RANLIB=$(RANLIB) ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ NETGROUP="-DNETGROUP" TLI= EXTRA_CFLAGS="-fPIC -DPIC -D_REENTRANT -DHAVE_STRERROR -DBROKEN_SO_LINGER -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len -DHAVE_WEAKSYMS" all
+
+linux-old:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="/usr/inet6/lib/libinet6.a -lresolv" \
+ RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP= TLI= \
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER -DINET6=1 -Dss_family=sin6_family -Dsockaddr_storage=sockaddr_in6 -I/usr/inet6/include" all
+
+# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+hpux hpux8 hpux9 hpux10:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# ConvexOS-10.x with UltraNet support (ukkonen@csc.fi).
+convex-ultranet:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lulsock RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# Generic support for the Dynix/PTX version of TLI.
+ptx-generic:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+ AUX_OBJ="setenv.o strcasecmp.o ptx.o" NETGROUP= TLI=-DPTX all
+
+# With UDP support optimized for PTX 2.x (timw@sequent.com).
+ptx-2.x:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+ AUX_OBJ="setenv.o strcasecmp.o tli-sequent.o" NETGROUP= \
+ TLI=-DTLI_SEQUENT all
+
+# IRIX 4.0.x has a special ar(1) flag.
+irix4:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lc -lsun" RANLIB=echo ARFLAGS=rvs AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# IRIX 5.2 is SYSV4 with several broken things (such as -lsocket -lnsl).
+irix5:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lsun RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI= all
+
+# IRIX 6.2 (tucker@math.unc.edu). Must find a better value than 200000.
+irix6:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ NETGROUP=-DNETGROUP EXTRA_CFLAGS="-DBSD=200000" TLI= all
+
+# SunOS 5.x is another SYSV4 variant.
+sunos5:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
+
+# SunOS 5.8 is another SYSV4 variant, but has IPv6 support
+solaris8:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all
+
+# Generic SYSV40
+esix sysv4:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+
+# DG/UX 5.4.1 and 5.4.2 have an unusual inet_addr() interface.
+dgux:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ BUGS="$(BUGS) -DINET_ADDR_BUG" all
+
+dgux543:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+
+# NCR UNIX 02.02.01 and 02.03.00 (Alex Chircop, msu@unimt.mt)
+ncrsvr4:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lresolv -lnsl -lsocket" RANLIB=echo ARFLAGS=rv \
+ AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI=-DTLI \
+ EXTRA_CFLAGS="" FROM_OBJ=ncr.o all
+
+# Tandem SYSV4 (eqawas@hedgehog.ac.cowan.edu.au)
+tandem:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ NETGROUP= AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# Amdahl UTS 2.1.5 (Richard.Richmond@bridge.bst.bls.com)
+uts215:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket" RANLIB=echo \
+ ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP=-DNO_NETGROUP TLI= all
+
+# UXP/DS System V.4 clone (vic@uida0.uida.es).
+uxp:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-L/usr/ucblib -lsocket -lnsl -lucb" \
+ RANLIB=echo ARFLAGS=rv NETGROUP=-DNETGROUP \
+ AUX_OBJ=setenv.o TLI="-DTLI -DDRS_XTI" all
+
+# DELL System V.4 Issue 2.2 using gcc (kim@tac.nyc.ny.us, jurban@norden1.com)
+dell-gcc:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=ranlib ARFLAGS=rv CC=gcc \
+ AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# SCO 3.2v4.1 no frills (jedwards@sol1.solinet.net).
+sco:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl_s" RANLIB=echo ARFLAGS=rv \
+ NETGROUP= AUX_OBJ=setenv.o TLI= all
+
+# SCO OpenDesktop 2.0, release 3.2 (peter@midnight.com). Please simplify.
+sco-od2:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lrpcsvc -lrpc -lyp -lrpc -lrpcsvc -lsocket" \
+ RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= all
+
+# SCO 3.2v4.2 with TCP/IP 1.2.1 (Eduard.Vopicka@vse.cz). Please simplify.
+sco-nis:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lyp -lrpc -lsocket -lyp -lc_s -lc" \
+ RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= EXTRA_CFLAGS="-nointl -DNO_NETGRENT" all
+
+# SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com, bill@razorlogic.com)
+sco-os5:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lrpcsvc -lsocket" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ AUX_OBJ=setenv.o NETGROUP=-DNETGROUP TLI= all
+
+# sinix 5.42 setjmp workaround (szrzs023@ub3.ub.uni-kiel.de)
+sinix:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl -L/usr/ccs/lib -lc -L/usr/ucblib -lucb" \
+ RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o TLI=-DTLI all
+
+# Domain SR10.4. Build under bsd, run under either sysv3 or bsd43.
+apollo:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ NETGROUP=-DNETGROUP TLI= SYSTYPE="-A run,any -A sys,any" all
+
+# Pyramid OSx 5.1, using the BSD universe.
+pyramid:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="environ.o vfprintf.o" \
+ STRINGS="-Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy" \
+ NETGROUP="-DNETGROUP -DUSE_GETDOMAIN" TLI= all
+
+# Untested.
+mips:
+ @echo "Warning: some definitions may be wrong."
+ make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP=-DNETGROUP TLI= SYSTYPE="-sysname bsd43" all
+
+# Cray (tested with UNICOS 7.0.4).
+unicos7:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS=-lnet RANLIB=echo ARFLAGS=rv \
+ EXTRA_CFLAGS=-DINADDR_NONE="\"((unsigned long) -1)\"" \
+ AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI= all
+
+# Unicos 8.x, Cray-YMP (Bruce Kelly).
+unicos8:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=echo AR=bld ARFLAGS=rv \
+ AUX_OBJ= NETGROUP= TLI= all
+
+# Power_UNIX 2.1.1 (amantel@lerc.nasa.gov)
+power_unix_211:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lnsl -lsocket -lgen -lresolv" RANLIB=echo ARFLAGS=rv \
+ NETGROUP= AUX_OBJ=setenv.o TLI=-DTLI BUGS="$(BUGS)" all
+
+# ISC (fc@all.net)
+isc:
+ make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+ AUX_OBJ="setenv.o strcasecmp.o" EXTRA_CFLAGS="-DENOTCONN=ENAVAIL" \
+ NETGROUP= TLI= all
+
+# Interactive UNIX R3.2 version 4.0 (Bobby D. Wright).
+iunix:
+ make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+ AUX_OBJ=environ.o strcasecmp.o NETGROUP= TLI= all
+
+# RTU 6.0 on a Masscomp 5400 (ben@piglet.cr.usgs.gov). When using the
+# advanced installation, increment argv before actually looking at it.
+rtu:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP= TLI= all
+
+# Unixware sans NIS (mc@telebase.com). Compiler dislikes strcasecmp.c.
+unixware1:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl -lc -L/usr/ucblib -lucb" RANLIB=echo ARFLAGS=rv \
+ NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+
+unixware2:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl -lgen -lc -L/usr/ucblib -lucb" RANLIB=echo \
+ ARFLAGS=rv NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+
+u6000:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ NETGROUP=-DNETGROUP AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# MachTen
+machten:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ NETGROUP= TLI= all
+
+###############################################################
+# System dependencies: TLI (transport-level interface) support.
+#
+# Uncomment the following macro if your system has System V.4-style TLI
+# support (/usr/include/sys/timod.h, /etc/netconfig, and the netdir(3)
+# routines).
+#
+#TLI = -DTLI
+
+###############################################################################
+# System dependencies: differences between ranlib(1) and ar(1) implementations.
+#
+# Some C compilers (Ultrix 4.x) insist that ranlib(1) be run on an object
+# library; some don't care as long as the modules are in the right order;
+# some systems don't even have a ranlib(1) command. Make your choice.
+
+#RANLIB = ranlib # have ranlib (BSD-ish UNIX)
+#RANLIB = echo # no ranlib (SYSV-ish UNIX)
+
+ARFLAGS = rv # most systems
+#ARFLAGS= rvs # IRIX 4.0.x
+
+#AR = ar
+#AR = bld # Unicos 8.x
+
+#############################################################################
+# System dependencies: routines that are not present in the system libraries.
+#
+# If your system library does not have set/putenv() or strcasecmp(), use
+# the ones provided with this source distribution. The environ.c module
+# implements setenv(), getenv(), and putenv().
+
+#AUX_OBJ= setenv.o
+#AUX_OBJ= environ.o
+#AUX_OBJ= environ.o strcasecmp.o
+
+# Uncomment the following if your C library does not provide the
+# strchr/strrchr/memcmp routines, but comes with index/rindex/bcmp.
+#
+#STRINGS= -Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy
+
+#################################################################
+# System dependencies: selection of non-default object libraries.
+#
+# Most System V implementations require that you explicitly specify the
+# networking libraries. There is no general consensus, though.
+#
+#LIBS = -lsocket -lnsl # SysV.4 Solaris 2.x
+#LIBS = -lsun # IRIX
+#LIBS = -lsocket -linet -lnsl -lnfs # PTX
+#LIBS = -linet -lnsl_s -ldbm # ISC
+#LIBS = -lnet # Unicos 7
+#LIBS = -linet -lsyslog -ldbm
+#LIBS = -lsyslog -lsocket -lnsl
+
+######################################################
+# System dependencies: system-specific compiler flags.
+#
+# Apollo Domain/OS offers both bsd and sys5 environments, sometimes
+# on the same machine. If your Apollo is primarily sys5.3 and also
+# has bsd4.3, uncomment the following to build under bsd and run under
+# either environment.
+#
+#SYSTYPE= -A run,any -A sys,any
+
+# For MIPS RISC/os 4_52.p3, uncomment the following definition.
+#
+#SYSTYPE= -sysname bsd43
+
+##################################################
+# System dependencies: working around system bugs.
+#
+# -DGETPEERNAME_BUG works around a getpeername(2) bug in some versions of
+# Apollo or SYSV.4 UNIX: the wrapper would report that all UDP requests
+# come from address 0.0.0.0. The workaround does no harm on other systems.
+#
+# -DBROKEN_FGETS works around an fgets(3) bug in some System V versions
+# (IRIX): fgets() gives up too fast when reading from a network socket.
+# The workaround does no harm on other systems.
+#
+# Some UNIX systems (IRIX) make the error of calling the strtok() library
+# routine from other library routines such as, e.g., gethostbyname/addr().
+# The result is that hosts can slip through the wrapper allow/deny filters.
+# Compile with -DLIBC_CALLS_STRTOK to avoid the vendor's strtok() routine.
+# The workaround does no harm on other systems.
+#
+# DG/UX 5.4.1 comes with an inet_ntoa() function that returns a structure
+# instead of a long integer. Compile with -DINET_ADDR_BUG to work around
+# this mutant behavour. Fixed in 5.4R3.
+#
+# Solaris 2.4 gethostbyname(), in DNS through NIS mode, puts only one
+# address in the host address list; all other addresses are treated as
+# host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
+# around this. The workaround does no harm on other Solaris versions.
+
+#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
+#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
+#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
+
+##########################################################################
+# System dependencies: whether or not your system has NIS (or YP) support.
+#
+# If your system supports NIS or YP-style netgroups, enable the following
+# macro definition. Netgroups are used only for host access control.
+#
+NETGROUP= -DNETGROUP
+
+###############################################################
+# System dependencies: whether or not your system has vsyslog()
+#
+# If your system supports vsyslog(), comment out the following definition.
+# If in doubt leave it in, it won't harm.
+
+#VSYSLOG = -Dvsyslog=myvsyslog
+
+# End of the system dependencies.
+#################################
+
+##############################
+# Start of the optional stuff.
+
+###########################################
+# Optional: Turning on language extensions
+#
+# Instead of the default access control language that is documented in
+# the hosts_access.5 document, the wrappers can be configured to
+# implement an extensible language documented in the hosts_options.5
+# document. This language is implemented by the "options.c" source
+# module, which also gives hints on how to add your own extensions.
+# Uncomment the next definition to turn on the language extensions
+# (examples: allow, deny, banners, twist and spawn).
+#
+STYLE = -DPROCESS_OPTIONS # Enable language extensions.
+
+################################################################
+# Optional: Changing the default disposition of logfile records
+#
+# By default, logfile entries are written to the same file as used for
+# sendmail transaction logs. See your /etc/syslog.conf file for actual
+# path names of logfiles. The tutorial section in the README file
+# gives a brief introduction to the syslog daemon.
+#
+# Change the FACILITY definition below if you disagree with the default
+# disposition. Some syslog versions (including Ultrix 4.x) do not provide
+# this flexibility.
+#
+# If nothing shows up on your system, it may be that the syslog records
+# are sent to a dedicated loghost. It may also be that no syslog daemon
+# is running at all. The README file gives pointers to surrogate syslog
+# implementations for systems that have no syslog library routines or
+# no syslog daemons. When changing the syslog.conf file, remember that
+# there must be TABs between fields.
+#
+# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
+
+#FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
+FACILITY= LOG_AUTHPRIV # LOG_AUTHPRIV is better for Slackware (Patric does this before RH 2.0)
+
+# The syslog priority at which successful connections are logged.
+
+SEVERITY= LOG_INFO # LOG_INFO is normally not logged to the console
+
+###########################
+# Optional: Reduce DNS load
+#
+# When looking up the address for a host.domain name, the typical DNS
+# code will first append substrings of your own domain, so it tries
+# host.domain.your.own.domain, then host.domain.own.domain, and then
+# host.domain. The APPEND_DOT feature stops this waste of cycles. It is
+# off by default because it causes problems on sites that don't use DNS
+# and with Solaris < 2.4. APPEND_DOT will not work with hostnames taken
+# from /etc/hosts or from NIS maps. It does work with DNS through NIS.
+#
+DOT= -DAPPEND_DOT
+
+##################################################
+# Optional: Always attempt remote username lookups
+#
+# By default, the wrappers look up the remote username only when the
+# access control rules require them to do so.
+#
+# Username lookups require that the remote host runs a daemon that
+# supports an RFC 931 like protocol. Remote user name lookups are not
+# possible for UDP-based connections, and can cause noticeable delays
+# with connections from non-UNIX PCs. On some systems, remote username
+# lookups can trigger a kernel bug, causing loss of service. The README
+# file describes how to find out if your UNIX kernel has that problem.
+#
+# Uncomment the following definition if the wrappers should always
+# attempt to get the remote user name. If this is not enabled you can
+# still do selective username lookups as documented in the hosts_access.5
+# and hosts_options.5 manual pages (`nroff -man' format).
+#
+AUTH = #-DALWAYS_RFC931
+#
+# The default username lookup timeout is 10 seconds. This may not be long
+# enough for slow hosts or networks, but is enough to irritate PC users.
+
+RFC931_TIMEOUT = 10
+
+######################################################
+# Optional: Changing the default file protection mask
+#
+# On many systems, network daemons and other system processes are started
+# with a zero umask value, so that world-writable files may be produced.
+# It is a good idea to edit your /etc/rc* files so that they begin with
+# an explicit umask setting. On our site we use `umask 022' because it
+# does not break anything yet gives adequate protection against tampering.
+#
+# The following macro specifies the default umask for processes run under
+# control of the daemon wrappers. Comment it out only if you are certain
+# that inetd and its children are started with a safe umask value.
+
+UMASK = -DDAEMON_UMASK=022
+
+#######################################
+# Optional: Turning off access control
+#
+# By default, host access control is enabled. To disable host access
+# control, comment out the following definition. Host access control
+# can also be turned off at runtime by providing no or empty access
+# control tables.
+
+ACCESS = -DHOSTS_ACCESS
+
+########################################################
+# Optional: Changing the access control table pathnames
+#
+# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
+# look for access control information. Watch out for the quotes and
+# backslashes when you make changes.
+
+TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
+
+####################################################
+# Optional: dealing with host name/address conflicts
+#
+# By default, the software tries to protect against hosts that claim to
+# have someone elses host name. This is relevant for network services
+# whose authentication depends on host names, such as rsh and rlogin.
+#
+# With paranoid mode on, connections will be rejected when the host name
+# does not match the host address. Connections will also be rejected when
+# the host name is available but cannot be verified.
+#
+# Comment out the following definition if you want more control over such
+# requests. When paranoid mode is off and a host name double check fails,
+# the client can be matched with the PARANOID access control pattern.
+#
+# Paranoid mode implies hostname lookup. In order to disable hostname
+# lookups altogether, see the next section.
+
+PARANOID= #-DPARANOID
+
+########################################
+# Optional: turning off hostname lookups
+#
+# By default, the software always attempts to look up the client
+# hostname. With selective hostname lookups, the client hostname
+# lookup is postponed until the name is required by an access control
+# rule or by a %letter expansion.
+#
+# In order to perform selective hostname lookups, disable paranoid
+# mode (see previous section) and comment out the following definition.
+
+HOSTNAME= #-DALWAYS_HOSTNAME
+
+#############################################
+# Optional: Turning on host ADDRESS checking
+#
+# Optionally, the software tries to protect against hosts that pretend to
+# have someone elses host address. This is relevant for network services
+# whose authentication depends on host names, such as rsh and rlogin,
+# because the network address is used to look up the remote host name.
+#
+# The protection is to refuse TCP connections with IP source routing
+# options.
+#
+# This feature cannot be used with SunOS 4.x because of a kernel bug in
+# the implementation of the getsockopt() system call. Kernel panics have
+# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
+# fault" while executing the tcp_ctloutput() kernel function.
+#
+# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
+#
+# Uncomment the following macro definition if your getsockopt() is OK.
+#
+# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
+# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
+# Solaris 2.x, and Linux. See your system documentation for details.
+#
+KILL_OPT= -DKILL_IP_OPTIONS
+
+## End configuration options
+############################
+
+# Protection against weird shells or weird make programs.
+
+SHELL = /bin/sh
+.c.o:; $(CC) $(CFLAGS) -c $*.c
+
+CFLAGS += -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+ $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+ -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
+ $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
+ $(VSYSLOG) $(HOSTNAME)
+
+LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
+ hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
+ $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
+ update.o misc.o diag.o percent_m.o myvsyslog.o
+
+FROM_OBJ= fromhost.o
+
+KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
+ tcpd.h tcpdmatch.c Makefile hosts_access.5 strcasecmp.c BLURB rfc931.c \
+ tcpd.8 eval.c hosts_access.3 hosts_ctl.c percent_x.c options.c \
+ clean_exit.c environ.c patchlevel.h fix_options.c workarounds.c \
+ socket.c tli.c DISCLAIMER fakelog.c safe_finger.c hosts_options.5 \
+ CHANGES try-from.c update.c ptx.c vfprintf.c tli-sequent.c \
+ tli-sequent.h misc.c diag.c ncr.c tcpdchk.c percent_m.c \
+ myvsyslog.c mystdarg.h printf.ck README.IRIX Banners.Makefile \
+ refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
+ scaffold.h tcpdmatch.8 README.NIS
+
+LIB = libwrap.a
+SHLIB = libwrap.so
+
+all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(SHLIB)
+
+# Invalidate all object files when the compiler options (CFLAGS) have changed.
+
+.NOTPARALLEL: config-check
+config-check:
+ @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
+ @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
+ if cmp cflags /tmp/cflags.$$$$ ; \
+ then rm /tmp/cflags.$$$$ ; \
+ else mv /tmp/cflags.$$$$ cflags ; \
+ fi >/dev/null 2>/dev/null
+
+$(LIB): $(LIB_OBJ)
+ rm -f $(LIB)
+ $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+ -$(RANLIB) $(LIB)
+
+$(SHLIB): $(LIB_OBJ)
+ $(CC) $(LDFLAGS) -shared -fPIC -Wl,-soname -Wl,$(SHLIB).$(MAJOR) \
+ -o $(SHLIB).$(MAJOR).$(MINOR).$(REL) $^ $(LIBS)
+ ln -s $(SHLIB).$(MAJOR).$(MINOR).$(REL) $(SHLIB).$(MAJOR)
+ ln -s $(SHLIB).$(MAJOR).$(MINOR).$(REL) $(SHLIB)
+
+tcpd: tcpd.o $(LIB)
+ $(CC) $(LDFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
+
+miscd: miscd.o $(LIB)
+ $(CC) $(LDFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+
+safe_finger: safe_finger.o $(LIB)
+ $(CC) $(LDFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
+
+TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+
+tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
+ $(CC) $(LDFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
+
+try-from: try-from.o fakelog.o $(LIB)
+ $(CC) $(LDFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
+
+TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+
+tcpdchk: $(TCPDCHK_OBJ) $(LIB)
+ $(CC) $(LDFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
+
+shar: $(KIT)
+ @shar $(KIT)
+
+kit: $(KIT)
+ @makekit $(KIT)
+
+files:
+ @echo $(KIT)
+
+archive:
+ $(ARCHIVE) $(KIT)
+
+clean:
+ rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
+ cflags
+
+tidy: clean
+ chmod -R a+r .
+ chmod 755 .
+
+# Enable all bells and whistles for linting.
+
+lint: tcpd_lint miscd_lint match_lint chk_lint
+
+tcpd_lint:
+ lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+ -DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+ $(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+ -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ -Dvsyslog=myvsyslog \
+ tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+ shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+ diag.c myvsyslog.c percent_m.c
+
+miscd_lint:
+ lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+ -DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+ $(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+ -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ -Dvsyslog=myvsyslog \
+ miscd.c fromhost.c socket.c tli.c hosts_access.c \
+ shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+ diag.c myvsyslog.c percent_m.c
+
+match_lint:
+ lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ -DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ -Dvsyslog=myvsyslog \
+ tcpdmatch.c hosts_access.c eval.c percent_x.c options.c workarounds.c \
+ update.c socket.c misc.c diag.c myvsyslog.c percent_m.c setenv.c \
+ inetcf.c scaffold.c
+
+chk_lint:
+ lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ -DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ -Dvsyslog=myvsyslog \
+ tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+ setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c
+
+printfck:
+ printfck -f printf.ck \
+ tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+ shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+ diag.c myvsyslog.c percent_m.c >aap.c
+ lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+ -DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+ $(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+ -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" -Dvsyslog=myvsyslog aap.c
+ printfck -f printf.ck \
+ tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+ setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c \
+ >aap.c
+ lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ -DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ -Dvsyslog=myvsyslog -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\"
+
+# Internal compilation dependencies.
+
+clean_exit.o: cflags
+clean_exit.o: tcpd.h
+diag.o: cflags
+diag.o: mystdarg.h
+diag.o: tcpd.h
+environ.o: cflags
+eval.o: cflags
+eval.o: tcpd.h
+fakelog.o: cflags
+fakelog.o: mystdarg.h
+fix_options.o: cflags
+fix_options.o: tcpd.h
+fromhost.o: cflags
+fromhost.o: tcpd.h
+hosts_access.o: cflags
+hosts_access.o: tcpd.h
+hosts_ctl.o: cflags
+hosts_ctl.o: tcpd.h
+inetcf.o: cflags
+inetcf.o: inetcf.h
+inetcf.o: tcpd.h
+misc.o: cflags
+misc.o: tcpd.h
+miscd.o: cflags
+miscd.o: patchlevel.h
+miscd.o: tcpd.h
+myvsyslog.o: cflags
+myvsyslog.o: mystdarg.h
+myvsyslog.o: tcpd.h
+ncr.o: cflags
+ncr.o: tcpd.h
+options.o: cflags
+options.o: tcpd.h
+percent_m.o: cflags
+percent_m.o: mystdarg.h
+percent_x.o: cflags
+percent_x.o: tcpd.h
+ptx.o: cflags
+ptx.o: tcpd.h
+refuse.o: cflags
+refuse.o: tcpd.h
+rfc931.o: cflags
+rfc931.o: tcpd.h
+safe_finger.o: cflags
+scaffold.o: cflags
+scaffold.o: scaffold.h
+scaffold.o: tcpd.h
+setenv.o: cflags
+shell_cmd.o: cflags
+shell_cmd.o: tcpd.h
+socket.o: cflags
+socket.o: tcpd.h
+strcasecmp.o: cflags
+tcpd.o: cflags
+tcpd.o: patchlevel.h
+tcpd.o: tcpd.h
+tcpdchk.o: cflags
+tcpdchk.o: inetcf.h
+tcpdchk.o: scaffold.h
+tcpdchk.o: tcpd.h
+tcpdmatch.o: cflags
+tcpdmatch.o: scaffold.h
+tcpdmatch.o: tcpd.h
+tli-sequent.o: cflags
+tli-sequent.o: tcpd.h
+tli-sequent.o: tli-sequent.h
+tli.o: cflags
+tli.o: tcpd.h
+try-from.o: cflags
+try-from.o: tcpd.h
+update.o: cflags
+update.o: mystdarg.h
+update.o: tcpd.h
+vfprintf.o: cflags
+weak_symbols.o: tcpd.h
+workarounds.o: cflags
+workarounds.o: tcpd.h
Index: tcp_wrappers_7.6-new/eval.c
===================================================================
--- tcp_wrappers_7.6-new/eval.c (nonexistent)
+++ tcp_wrappers_7.6-new/eval.c (revision 5)
@@ -0,0 +1,136 @@
+ /*
+ * Routines for controlled evaluation of host names, user names, and so on.
+ * They are, in fact, wrappers around the functions that are specific for
+ * the sockets or TLI programming interfaces. The request_info and host_info
+ * structures are used for result cacheing.
+ *
+ * These routines allows us to postpone expensive operations until their
+ * results are really needed. Examples are hostname lookups and double
+ * checks, or username lookups. Information that cannot be retrieved is
+ * given the value "unknown" ("paranoid" in case of hostname problems).
+ *
+ * When ALWAYS_HOSTNAME is off, hostname lookup is done only when required by
+ * tcpd paranoid mode, by access control patterns, or by %letter expansions.
+ *
+ * When ALWAYS_RFC931 mode is off, user lookup is done only when required by
+ * access control patterns or %letter expansions.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) eval.c 1.3 95/01/30 19:51:45";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <string.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+ /*
+ * When a string has the value STRING_UNKNOWN, it means: don't bother, I
+ * tried to look up the data but it was unavailable for some reason. When a
+ * host name has the value STRING_PARANOID it means there was a name/address
+ * conflict.
+ */
+char unknown[] = STRING_UNKNOWN;
+char paranoid[] = STRING_PARANOID;
+
+/* eval_user - look up user name */
+
+char *eval_user(request)
+struct request_info *request;
+{
+ if (request->user[0] == 0) {
+ strcpy(request->user, unknown);
+ if (request->sink == 0 && request->client->sin && request->server->sin)
+ rfc931(request->client->sin, request->server->sin, request->user);
+ }
+ return (request->user);
+}
+
+/* eval_hostaddr - look up printable address */
+
+char *eval_hostaddr(host)
+struct host_info *host;
+{
+ if (host->addr[0] == 0) {
+ strcpy(host->addr, unknown);
+ if (host->request->hostaddr != 0)
+ host->request->hostaddr(host);
+ }
+ return (host->addr);
+}
+
+/* eval_hostname - look up host name */
+
+char *eval_hostname(host)
+struct host_info *host;
+{
+ if (host->name[0] == 0) {
+ strcpy(host->name, unknown);
+ if (host->request->hostname != 0)
+ host->request->hostname(host);
+ }
+ return (host->name);
+}
+
+/* eval_hostinfo - return string with host name (preferred) or address */
+
+char *eval_hostinfo(host)
+struct host_info *host;
+{
+ char *hostname;
+
+#ifndef ALWAYS_HOSTNAME /* no implicit host lookups */
+ if (host->name[0] == 0)
+ return (eval_hostaddr(host));
+#endif
+ hostname = eval_hostname(host);
+ if (HOSTNAME_KNOWN(hostname)) {
+ return (host->name);
+ } else {
+ return (eval_hostaddr(host));
+ }
+}
+
+/* eval_client - return string with as much about the client as we know */
+
+char *eval_client(request)
+struct request_info *request;
+{
+ static char both[2 * STRING_LENGTH];
+ char *hostinfo = eval_hostinfo(request->client);
+
+#ifndef ALWAYS_RFC931 /* no implicit user lookups */
+ if (request->user[0] == 0)
+ return (hostinfo);
+#endif
+ if (STR_NE(eval_user(request), unknown)) {
+ snprintf(both, sizeof(both), "%s@%s", request->user, hostinfo);
+ return (both);
+ } else {
+ return (hostinfo);
+ }
+}
+
+/* eval_server - return string with as much about the server as we know */
+
+char *eval_server(request)
+struct request_info *request;
+{
+ static char both[2 * STRING_LENGTH];
+ char *host = eval_hostinfo(request->server);
+ char *daemon = eval_daemon(request);
+
+ if (STR_NE(host, unknown)) {
+ snprintf(both, sizeof(both), "%s@%s", daemon, host);
+ return (both);
+ } else {
+ return (daemon);
+ }
+}
Index: tcp_wrappers_7.6-new/fix_options.c
===================================================================
--- tcp_wrappers_7.6-new/fix_options.c (nonexistent)
+++ tcp_wrappers_7.6-new/fix_options.c (revision 5)
@@ -0,0 +1,128 @@
+ /*
+ * Routine to disable IP-level socket options. This code was taken from 4.4BSD
+ * rlogind and kernel source, but all mistakes in it are my fault.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+
+#ifndef IPOPT_OPTVAL
+#define IPOPT_OPTVAL 0
+#define IPOPT_OLEN 1
+#endif
+
+#include "tcpd.h"
+
+#define BUFFER_SIZE 512 /* Was: BUFSIZ */
+
+/* fix_options - get rid of IP-level socket options */
+
+void fix_options(request)
+struct request_info *request;
+{
+#ifdef IP_OPTIONS
+ unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+ char lbuf[BUFFER_SIZE], *lp;
+ int optsize = sizeof(optbuf), ipproto;
+ struct protoent *ip;
+ int fd = request->fd;
+ unsigned int opt;
+ int optlen;
+ struct in_addr dummy;
+#ifdef INET6
+ struct sockaddr_storage ss;
+ int sslen;
+
+ /*
+ * check if this is AF_INET socket
+ * XXX IPv6 support?
+ */
+ sslen = sizeof(ss);
+ if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
+ syslog(LOG_ERR, "getpeername: %m");
+ clean_exit(request);
+ }
+ if (ss.ss_family != AF_INET)
+ return;
+#endif
+
+ if ((ip = getprotobyname("ip")) != 0)
+ ipproto = ip->p_proto;
+ else
+ ipproto = IPPROTO_IP;
+
+ if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
+ && optsize != 0) {
+
+ /*
+ * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
+ * address to the result IP options list when source routing options
+ * are present (see <netinet/ip_var.h>), but produces no output for
+ * other IP options. Solaris 2.x getsockopt() does produce output for
+ * non-routing IP options, and uses the same format as BSD even when
+ * the space for the destination address is unused. The code below
+ * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
+ * may occasionally miss source routing options on incompatible
+ * systems such as Linux. Their choice.
+ *
+ * Look for source routing options. Drop the connection when one is
+ * found. Just wiping the IP options is insufficient: we would still
+ * help the attacker by providing a real TCP sequence number, and the
+ * attacker would still be able to send packets (blind spoofing). I
+ * discussed this attack with Niels Provos, half a year before the
+ * attack was described in open mailing lists.
+ *
+ * It would be cleaner to just return a yes/no reply and let the caller
+ * decide how to deal with it. Resident servers should not terminate.
+ * However I am not prepared to make changes to internal interfaces
+ * on short notice.
+ */
+#define ADDR_LEN sizeof(dummy.s_addr)
+
+ for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
+ opt = cp[IPOPT_OPTVAL];
+ if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
+ syslog(LOG_WARNING,
+ "refused connect from %s with IP source routing options",
+ eval_client(request));
+ shutdown(fd, 2);
+ return;
+ }
+ if (opt == IPOPT_EOL)
+ break;
+ if (opt == IPOPT_NOP) {
+ optlen = 1;
+ } else {
+ optlen = cp[IPOPT_OLEN];
+ if (optlen <= 0) /* Do not loop! */
+ break;
+ }
+ }
+ lp = lbuf;
+ for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
+ sprintf(lp, " %2.2x", *cp);
+ syslog(LOG_NOTICE,
+ "connect from %s with IP options (ignored):%s",
+ eval_client(request), lbuf);
+ if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
+ syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
+ shutdown(fd, 2);
+ }
+ }
+#endif
+}
Index: tcp_wrappers_7.6-new/hosts_access.5
===================================================================
--- tcp_wrappers_7.6-new/hosts_access.5 (nonexistent)
+++ tcp_wrappers_7.6-new/hosts_access.5 (revision 5)
@@ -0,0 +1,396 @@
+.TH HOSTS_ACCESS 5
+.SH NAME
+hosts_access \- format of host access control files
+.SH DESCRIPTION
+This manual page describes a simple access control language that is
+based on client (host name/address, user name), and server (process
+name, host name/address) patterns. Examples are given at the end. The
+impatient reader is encouraged to skip to the EXAMPLES section for a
+quick introduction.
+.PP
+An extended version of the access control language is described in the
+\fIhosts_options\fR(5) document. The extensions are turned on at
+program build time by building with -DPROCESS_OPTIONS.
+.PP
+In the following text, \fIdaemon\fR is the the process name of a
+network daemon process, and \fIclient\fR is the name and/or address of
+a host requesting service. Network daemon process names are specified
+in the inetd configuration file.
+.SH ACCESS CONTROL FILES
+The access control software consults two files. The search stops
+at the first match:
+.IP \(bu
+Access will be granted when a (daemon,client) pair matches an entry in
+the \fI/etc/hosts.allow\fR file.
+.IP \(bu
+Otherwise, access will be denied when a (daemon,client) pair matches an
+entry in the \fI/etc/hosts.deny\fR file.
+.IP \(bu
+Otherwise, access will be granted.
+.PP
+A non-existing access control file is treated as if it were an empty
+file. Thus, access control can be turned off by providing no access
+control files.
+.SH ACCESS CONTROL RULES
+Each access control file consists of zero or more lines of text. These
+lines are processed in order of appearance. The search terminates when a
+match is found.
+.IP \(bu
+A newline character is ignored when it is preceded by a backslash
+character. This permits you to break up long lines so that they are
+easier to edit.
+.IP \(bu
+Blank lines or lines that begin with a `#\' character are ignored.
+This permits you to insert comments and whitespace so that the tables
+are easier to read.
+.IP \(bu
+All other lines should satisfy the following format, things between []
+being optional:
+.sp
+.ti +3
+daemon_list : client_list [ : shell_command ]
+.PP
+\fIdaemon_list\fR is a list of one or more daemon process names
+(argv[0] values) or wildcards (see below).
+.PP
+\fIclient_list\fR is a list
+of one or more host names, host addresses, patterns or wildcards (see
+below) that will be matched against the client host name or address.
+.PP
+The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are
+explained in the sections on server endpoint patterns and on client
+username lookups, respectively.
+.PP
+List elements should be separated by blanks and/or commas.
+.PP
+With the exception of NIS (YP) netgroup lookups, all access control
+checks are case insensitive.
+.ne 4
+.SH PATTERNS
+The access control language implements the following patterns:
+.IP \(bu
+A string that begins with a `.\' character. A host name is matched if
+the last components of its name match the specified pattern. For
+example, the pattern `.tue.nl\' matches the host name
+`wzv.win.tue.nl\'.
+.IP \(bu
+A string that ends with a `.\' character. A host address is matched if
+its first numeric fields match the given string. For example, the
+pattern `131.155.\' matches the address of (almost) every host on the
+Eind\%hoven University network (131.155.x.x).
+.IP \(bu
+A string that begins with an `@\' character is treated as an NIS
+(formerly YP) netgroup name. A host name is matched if it is a host
+member of the specified netgroup. Netgroup matches are not supported
+for daemon process names or for client user names.
+.IP \(bu
+An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
+bitwise AND of the address and the `mask\'. For example, the net/mask
+pattern `131.155.72.0/255.255.254.0\' matches every address in the
+range `131.155.72.0\' through `131.155.73.255\'.
+.IP \(bu
+An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
+`[net]/prefixlen\' pair. An IPv6 host address is matched if
+`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
+address. For example, the [net]/prefixlen pattern
+`[3ffe:505:2:1::]/64\' matches every address in the range
+`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
+.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
+.IP \(bu
+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
+method of matching cannot be used in conjunction with `net/mask\' matching,
+hostname matching beginning with `.\' or IP address matching ending with `.\'.
+.SH WILDCARDS
+The access control language supports explicit wildcards:
+.IP ALL
+The universal wildcard, always matches.
+.IP LOCAL
+Matches any host whose name does not contain a dot character.
+.IP UNKNOWN
+Matches any user whose name is unknown, and matches any host whose name
+\fIor\fR address are unknown. This pattern should be used with care:
+host names may be unavailable due to temporary name server problems. A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP KNOWN
+Matches any user whose name is known, and matches any host whose name
+\fIand\fR address are known. This pattern should be used with care:
+host names may be unavailable due to temporary name server problems. A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP PARANOID
+Matches any host whose name does not match its address. When tcpd is
+built with -DPARANOID (default mode), it drops requests from such
+clients even before looking at the access control tables. Build
+without -DPARANOID when you want more control over such requests.
+.ne 6
+.SH OPERATORS
+.IP EXCEPT
+Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
+matches anything that matches \fIlist_1\fR unless it matches
+\fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in
+client_lists. The EXCEPT operator can be nested: if the control
+language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
+would parse as `(a EXCEPT (b EXCEPT c))\'.
+.br
+.ne 6
+.SH SHELL COMMANDS
+If the first-matched access control rule contains a shell command, that
+command is subjected to %<letter> substitutions (see next section).
+The result is executed by a \fI/bin/sh\fR child process with standard
+input, output and error connected to \fI/dev/null\fR. Specify an `&\'
+at the end of the command if you do not want to wait until it has
+completed.
+.PP
+Shell commands should not rely on the PATH setting of the inetd.
+Instead, they should use absolute path names, or they should begin with
+an explicit PATH=whatever statement.
+.PP
+The \fIhosts_options\fR(5) document describes an alternative language
+that uses the shell command field in a different and incompatible way.
+.SH % EXPANSIONS
+The following expansions are available within shell commands:
+.IP "%a (%A)"
+The client (server) host address.
+.IP %c
+Client information: user@host, user@address, a host name, or just an
+address, depending on how much information is available.
+.IP %d
+The daemon process name (argv[0] value).
+.IP "%h (%H)"
+The client (server) host name or address, if the host name is
+unavailable.
+.IP "%n (%N)"
+The client (server) host name (or "unknown" or "paranoid").
+.IP %p
+The daemon process id.
+.IP %s
+Server information: daemon@host, daemon@address, or just a daemon name,
+depending on how much information is available.
+.IP %u
+The client user name (or "unknown").
+.IP %%
+Expands to a single `%\' character.
+.PP
+Characters in % expansions that may confuse the shell are replaced by
+underscores.
+.SH SERVER ENDPOINT PATTERNS
+In order to distinguish clients by the network address that they
+connect to, use patterns of the form:
+.sp
+.ti +3
+process_name@host_pattern : client_list ...
+.sp
+Patterns like these can be used when the machine has different internet
+addresses with different internet hostnames. Service providers can use
+this facility to offer FTP, GOPHER or WWW archives with internet names
+that may even belong to different organizations. See also the `twist'
+option in the hosts_options(5) document. Some systems (Solaris,
+FreeBSD) can have more than one internet address on one physical
+interface; with other systems you may have to resort to SLIP or PPP
+pseudo interfaces that live in a dedicated network address space.
+.sp
+The host_pattern obeys the same syntax rules as host names and
+addresses in client_list context. Usually, server endpoint information
+is available only with connection-oriented services.
+.SH CLIENT USERNAME LOOKUP
+When the client host supports the RFC 931 protocol or one of its
+descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve
+additional information about the owner of a connection. Client username
+information, when available, is logged together with the client host
+name, and can be used to match patterns like:
+.PP
+.ti +3
+daemon_list : ... user_pattern@host_pattern ...
+.PP
+The daemon wrappers can be configured at compile time to perform
+rule-driven username lookups (default) or to always interrogate the
+client host. In the case of rule-driven username lookups, the above
+rule would cause username lookup only when both the \fIdaemon_list\fR
+and the \fIhost_pattern\fR match.
+.PP
+A user pattern has the same syntax as a daemon process pattern, so the
+same wildcards apply (netgroup membership is not supported). One
+should not get carried away with username lookups, though.
+.IP \(bu
+The client username information cannot be trusted when it is needed
+most, i.e. when the client system has been compromised. In general,
+ALL and (UN)KNOWN are the only user name patterns that make sense.
+.IP \(bu
+Username lookups are possible only with TCP-based services, and only
+when the client host runs a suitable daemon; in all other cases the
+result is "unknown".
+.IP \(bu
+A well-known UNIX kernel bug may cause loss of service when username
+lookups are blocked by a firewall. The wrapper README document
+describes a procedure to find out if your kernel has this bug.
+.IP \(bu
+Username lookups may cause noticeable delays for non-UNIX users. The
+default timeout for username lookups is 10 seconds: too short to cope
+with slow networks, but long enough to irritate PC users.
+.PP
+Selective username lookups can alleviate the last problem. For example,
+a rule like:
+.PP
+.ti +3
+daemon_list : @pcnetgroup ALL@ALL
+.PP
+would match members of the pc netgroup without doing username lookups,
+but would perform username lookups with all other systems.
+.SH DETECTING ADDRESS SPOOFING ATTACKS
+A flaw in the sequence number generator of many TCP/IP implementations
+allows intruders to easily impersonate trusted hosts and to break in
+via, for example, the remote shell service. The IDENT (RFC931 etc.)
+service can be used to detect such and other host address spoofing
+attacks.
+.PP
+Before accepting a client request, the wrappers can use the IDENT
+service to find out that the client did not send the request at all.
+When the client host provides IDENT service, a negative IDENT lookup
+result (the client matches `UNKNOWN@host') is strong evidence of a host
+spoofing attack.
+.PP
+A positive IDENT lookup result (the client matches `KNOWN@host') is
+less trustworthy. It is possible for an intruder to spoof both the
+client connection and the IDENT lookup, although doing so is much
+harder than spoofing just a client connection. It may also be that
+the client\'s IDENT server is lying.
+.PP
+Note: IDENT lookups don\'t work with UDP services.
+.SH EXAMPLES
+The language is flexible enough that different types of access control
+policy can be expressed with a minimum of fuss. Although the language
+uses two access control tables, the most common policies can be
+implemented with one of the tables being trivial or even empty.
+.PP
+When reading the examples below it is important to realize that the
+allow table is scanned before the deny table, that the search
+terminates when a match is found, and that access is granted when no
+match is found at all.
+.PP
+The examples use host and domain names. They can be improved by
+including address and/or network/netmask information, to reduce the
+impact of temporary name server lookup failures.
+.SH MOSTLY CLOSED
+In this case, access is denied by default. Only explicitly authorized
+hosts are permitted access.
+.PP
+The default policy (no access) is implemented with a trivial deny
+file:
+.PP
+.ne 2
+/etc/hosts.deny:
+.in +3
+ALL: ALL
+.PP
+This denies all service to all hosts, unless they are permitted access
+by entries in the allow file.
+.PP
+The explicitly authorized hosts are listed in the allow file.
+For example:
+.PP
+.ne 2
+/etc/hosts.allow:
+.in +3
+ALL: LOCAL @some_netgroup
+.br
+ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+.PP
+The first rule permits access from hosts in the local domain (no `.\'
+in the host name) and from members of the \fIsome_netgroup\fP
+netgroup. The second rule permits access from all hosts in the
+\fIfoobar.edu\fP domain (notice the leading dot), with the exception of
+\fIterminalserver.foobar.edu\fP.
+.SH MOSTLY OPEN
+Here, access is granted by default; only explicitly specified hosts are
+refused service.
+.PP
+The default policy (access granted) makes the allow file redundant so
+that it can be omitted. The explicitly non-authorized hosts are listed
+in the deny file. For example:
+.PP
+/etc/hosts.deny:
+.in +3
+ALL: some.host.name, .some.domain
+.br
+ALL EXCEPT in.fingerd: other.host.name, .other.domain
+.PP
+The first rule denies some hosts and domains all services; the second
+rule still permits finger requests from other hosts and domains.
+.SH BOOBY TRAPS
+The next example permits tftp requests from hosts in the local domain
+(notice the leading dot). Requests from any other hosts are denied.
+Instead of the requested file, a finger probe is sent to the offending
+host. The result is mailed to the superuser.
+.PP
+.ne 2
+/etc/hosts.allow:
+.in +3
+.nf
+in.tftpd: LOCAL, .my.domain
+.PP
+.ne 2
+/etc/hosts.deny:
+.in +3
+.nf
+in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \\
+ /usr/ucb/mail -s %d-%h root) &
+.fi
+.PP
+The safe_finger command comes with the tcpd wrapper and should be
+installed in a suitable place. It limits possible damage from data sent
+by the remote finger server. It gives better protection than the
+standard finger command.
+.PP
+The expansion of the %h (client host) and %d (service name) sequences
+is described in the section on shell commands.
+.PP
+Warning: do not booby-trap your finger daemon, unless you are prepared
+for infinite finger loops.
+.PP
+On network firewall systems this trick can be carried even further.
+The typical network firewall only provides a limited set of services to
+the outer world. All other services can be "bugged" just like the above
+tftp example. The result is an excellent early-warning system.
+.br
+.ne 4
+.SH DIAGNOSTICS
+An error is reported when a syntax error is found in a host access
+control rule; when the length of an access control rule exceeds the
+capacity of an internal buffer; when an access control rule is not
+terminated by a newline character; when the result of %<letter>
+expansion would overflow an internal buffer; when a system call fails
+that shouldn\'t. All problems are reported via the syslog daemon.
+.SH FILES
+.na
+.nf
+/etc/hosts.allow, (daemon,client) pairs that are granted access.
+/etc/hosts.deny, (daemon,client) pairs that are denied access.
+.ad
+.fi
+.SH SEE ALSO
+.nf
+tcpd(8) tcp/ip daemon wrapper program.
+tcpdchk(8), tcpdmatch(8), test programs.
+.SH BUGS
+If a name server lookup times out, the host name will not be available
+to the access control software, even though the host is registered.
+.PP
+Domain name server lookups are case insensitive; NIS (formerly YP)
+netgroup lookups are case sensitive.
+.SH AUTHOR
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl)
+Department of Mathematics and Computing Science
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513,
+5600 MB Eindhoven, The Netherlands
+\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
Index: tcp_wrappers_7.6-new/hosts_access.c
===================================================================
--- tcp_wrappers_7.6-new/hosts_access.c (nonexistent)
+++ tcp_wrappers_7.6-new/hosts_access.c (revision 5)
@@ -0,0 +1,573 @@
+ /*
+ * This module implements a simple access control language that is based on
+ * host (or domain) names, NIS (host) netgroup names, IP addresses (or
+ * network numbers) and daemon process names. When a match is found the
+ * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
+ * a list of options is executed or an optional shell command is executed.
+ *
+ * Host and user names are looked up on demand, provided that suitable endpoint
+ * information is available as sockaddr_in structures or TLI netbufs. As a
+ * side effect, the pattern matching process may change the contents of
+ * request structure fields.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Compile with -DNETGROUP if your library provides support for netgroups.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#ifdef INT32_T
+ typedef uint32_t u_int32_t;
+#endif
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <ctype.h>
+#include <errno.h>
+#include <setjmp.h>
+#include <string.h>
+#ifdef INET6
+#include <netdb.h>
+#endif
+
+extern char *fgets();
+extern int errno;
+
+#ifndef INADDR_NONE
+#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Error handling. */
+
+extern jmp_buf tcpd_buf;
+
+/* Delimiters for lists of daemons or clients. */
+
+static char sep[] = ", \t\r\n";
+
+/* Constants to be used in assignments only, not in comparisons... */
+
+#define YES 1
+#define NO 0
+#define ERR -1
+
+ /*
+ * These variables are globally visible so that they can be redirected in
+ * verification mode.
+ */
+
+char *hosts_allow_table = HOSTS_ALLOW;
+char *hosts_deny_table = HOSTS_DENY;
+int hosts_access_verbose = 0;
+
+ /*
+ * In a long-running process, we are not at liberty to just go away.
+ */
+
+int resident = (-1); /* -1, 0: unknown; +1: yes */
+
+/* Forward declarations. */
+
+static int table_match();
+static int list_match();
+static int server_match();
+static int client_match();
+static int host_match();
+static int string_match();
+static int masked_match();
+#ifdef INET6
+static int masked_match4();
+static int masked_match6();
+#endif
+
+/* Size of logical line buffer. */
+
+#define BUFLEN 2048
+
+/* hosts_access - host access control facility */
+
+int hosts_access(request)
+struct request_info *request;
+{
+ int verdict;
+
+ /*
+ * If the (daemon, client) pair is matched by an entry in the file
+ * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
+ * client) pair is matched by an entry in the file /etc/hosts.deny,
+ * access is denied. Otherwise, access is granted. A non-existent
+ * access-control file is treated as an empty file.
+ *
+ * After a rule has been matched, the optional language extensions may
+ * decide to grant or refuse service anyway. Or, while a rule is being
+ * processed, a serious error is found, and it seems better to play safe
+ * and deny service. All this is done by jumping back into the
+ * hosts_access() routine, bypassing the regular return from the
+ * table_match() function calls below.
+ */
+
+ if (resident <= 0)
+ resident++;
+ verdict = setjmp(tcpd_buf);
+ if (verdict != 0)
+ return (verdict == AC_PERMIT);
+ if (table_match(hosts_allow_table, request))
+ return (YES);
+ if (table_match(hosts_deny_table, request) == NO)
+ return (YES);
+ return (NO);
+}
+
+/* table_match - match table entries with (daemon, client) pair */
+
+static int table_match(table, request)
+char *table;
+struct request_info *request;
+{
+ FILE *fp;
+ char sv_list[BUFLEN]; /* becomes list of daemons */
+ char *cl_list; /* becomes list of clients */
+ char *sh_cmd; /* becomes optional shell command */
+ int match = NO;
+ struct tcpd_context saved_context;
+
+ saved_context = tcpd_context; /* stupid compilers */
+
+ /*
+ * Between the fopen() and fclose() calls, avoid jumps that may cause
+ * file descriptor leaks.
+ */
+
+ if ((fp = fopen(table, "r")) != 0) {
+ tcpd_context.file = table;
+ tcpd_context.line = 0;
+ while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
+ if (sv_list[strlen(sv_list) - 1] != '\n') {
+ tcpd_warn("missing newline or line too long");
+ continue;
+ }
+ if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
+ continue;
+ if ((cl_list = split_at(sv_list, ':')) == 0) {
+ tcpd_warn("missing \":\" separator");
+ continue;
+ }
+ sh_cmd = split_at(cl_list, ':');
+ match = list_match(sv_list, request, server_match)
+ && list_match(cl_list, request, client_match);
+ }
+ (void) fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("cannot open %s: %m", table);
+ match = ERR;
+ }
+ if (match) {
+ if (hosts_access_verbose > 1)
+ syslog(LOG_DEBUG, "matched: %s line %d",
+ tcpd_context.file, tcpd_context.line);
+ if (sh_cmd) {
+#ifdef PROCESS_OPTIONS
+ process_options(sh_cmd, request);
+#else
+ char cmd[BUFSIZ];
+ shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
+#endif
+ }
+ }
+ tcpd_context = saved_context;
+ return (match);
+}
+
+/* list_match - match a request against a list of patterns with exceptions */
+
+static int list_match(list, request, match_fn)
+char *list;
+struct request_info *request;
+int (*match_fn) ();
+{
+ char *tok;
+
+ /*
+ * Process tokens one at a time. We have exhausted all possible matches
+ * when we reach an "EXCEPT" token or the end of the list. If we do find
+ * a match, look for an "EXCEPT" list and recurse to determine whether
+ * the match is affected by any exceptions.
+ */
+
+ for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
+ if (STR_EQ(tok, "EXCEPT")) /* EXCEPT: give up */
+ return (NO);
+ if (match_fn(tok, request)) { /* YES: look for exceptions */
+ while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))
+ /* VOID */ ;
+ return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);
+ }
+ }
+ return (NO);
+}
+
+/* server_match - match server information */
+
+static int server_match(tok, request)
+char *tok;
+struct request_info *request;
+{
+ char *host;
+
+ if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */
+ return (string_match(tok, eval_daemon(request)));
+ } else { /* daemon@host */
+ return (string_match(tok, eval_daemon(request))
+ && host_match(host, request->server));
+ }
+}
+
+/* client_match - match client information */
+
+static int client_match(tok, request)
+char *tok;
+struct request_info *request;
+{
+ char *host;
+
+ if ((host = split_at(tok + 1, '@')) == 0) { /* plain host */
+ return (host_match(tok, request->client));
+ } else { /* user@host */
+ return (host_match(host, request->client)
+ && string_match(tok, eval_user(request)));
+ }
+}
+
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char *path;
+struct hosts_info *host;
+{
+ char tok[BUFSIZ];
+ int match = NO;
+ FILE *fp;
+
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ /* void */ ;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
+ }
+ return (match);
+}
+
+/* host_match - match host name and/or address against pattern */
+
+static int host_match(tok, host)
+char *tok;
+struct host_info *host;
+{
+ char *mask;
+
+ /*
+ * This code looks a little hairy because we want to avoid unnecessary
+ * hostname lookups.
+ *
+ * The KNOWN pattern requires that both address AND name be known; some
+ * patterns are specific to host names or to host addresses; all other
+ * patterns are satisfied when either the address OR the name match.
+ */
+
+ if (tok[0] == '@') { /* netgroup: look it up */
+#ifdef NETGROUP
+ static char *mydomain = 0;
+ if (mydomain == 0)
+ yp_get_default_domain(&mydomain);
+ return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));
+#else
+ tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
+ return (NO);
+#endif
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
+ } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
+ char *name = eval_hostname(host);
+ return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+ } else if (STR_EQ(tok, "LOCAL")) { /* local: no dots in name */
+ char *name = eval_hostname(host);
+ return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
+ } else if ((mask = split_at(tok, '/')) != 0) { /* net/mask */
+ return (masked_match(tok, mask, eval_hostaddr(host)));
+ } else { /* anything else */
+ return (string_match(tok, eval_hostaddr(host))
+ || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
+ }
+}
+
+/* string_match - match string against pattern */
+
+static int string_match(tok, string)
+char *tok;
+char *string;
+{
+ int n;
+
+#ifdef INET6
+ /* convert IPv4 mapped IPv6 address to IPv4 address */
+ if (STRN_EQ(string, "::ffff:", 7)
+ && dot_quad_addr(string + 7) != INADDR_NONE) {
+ string += 7;
+ }
+#endif
+#ifndef DISABLE_WILDCARD_MATCHING
+ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */
+ /* we must convert the both to lowercase as match_pattern_ylo is case-sensitive */
+ for (n = 0; n < strlen(tok); n++)
+ tok[n] = isupper(tok[n]) ? tolower(tok[n]) : tok[n];
+ for (n = 0; n < strlen(string); n++)
+ string[n] = isupper(string[n]) ? tolower(string[n]) : string[n];
+ return (match_pattern_ylo(string,tok));
+ } else
+#endif
+ if (tok[0] == '.') { /* suffix */
+ n = strlen(string) - strlen(tok);
+ return (n > 0 && STR_EQ(tok, string + n));
+ } else if (STR_EQ(tok, "ALL")) { /* all: match any */
+ return (YES);
+ } else if (STR_EQ(tok, "KNOWN")) { /* not unknown */
+ return (STR_NE(string, unknown));
+ } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */
+ return (STRN_EQ(tok, string, n));
+ } else { /* exact match */
+#ifdef INET6
+ struct addrinfo hints, *res;
+ struct sockaddr_in6 pat, addr;
+ int len, ret;
+ char ch;
+
+ len = strlen(tok);
+ if (*tok == '[' && tok[len - 1] == ']') {
+ ch = tok[len - 1];
+ tok[len - 1] = '\0';
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+ if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) {
+ memcpy(&pat, res->ai_addr, sizeof(pat));
+ freeaddrinfo(res);
+ }
+ tok[len - 1] = ch;
+ if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0)
+ return NO;
+ memcpy(&addr, res->ai_addr, sizeof(addr));
+ freeaddrinfo(res);
+#ifdef NI_WITHSCOPEID
+ if (pat.sin6_scope_id != 0 &&
+ addr.sin6_scope_id != pat.sin6_scope_id)
+ return NO;
+#endif
+ return (!memcmp(&pat.sin6_addr, &addr.sin6_addr,
+ sizeof(struct in6_addr)));
+ return (ret);
+ }
+#endif
+ return (STR_EQ(tok, string));
+ }
+}
+
+/* masked_match - match address against netnumber/netmask */
+
+#ifdef INET6
+static int masked_match(net_tok, mask_tok, string)
+char *net_tok;
+char *mask_tok;
+char *string;
+{
+ return (masked_match4(net_tok, mask_tok, string) ||
+ masked_match6(net_tok, mask_tok, string));
+}
+
+static int masked_match4(net_tok, mask_tok, string)
+#else
+static int masked_match(net_tok, mask_tok, string)
+#endif
+char *net_tok;
+char *mask_tok;
+char *string;
+{
+#ifdef INET6
+ u_int32_t net;
+ u_int32_t mask;
+ u_int32_t addr;
+#else
+ unsigned long net;
+ unsigned long mask;
+ unsigned long addr;
+#endif
+
+ /*
+ * Disallow forms other than dotted quad: the treatment that inet_addr()
+ * gives to forms with less than four components is inconsistent with the
+ * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
+ */
+
+ if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+ return (NO);
+ if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+ || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
+#ifndef INET6
+ tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+#endif
+ return (NO); /* not tcpd_jump() */
+ }
+ return ((addr & mask) == net);
+}
+
+#ifdef INET6
+static int masked_match6(net_tok, mask_tok, string)
+char *net_tok;
+char *mask_tok;
+char *string;
+{
+ struct addrinfo hints, *res;
+ struct sockaddr_in6 net, addr;
+ u_int32_t mask;
+ int len, mask_len, i = 0;
+ char ch;
+
+ /*
+ * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
+ * different between KAME and Solaris8. While KAME returns
+ * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here.
+ */
+ if (STRN_EQ(string, "::ffff:", 7)
+ && dot_quad_addr(string + 7) != INADDR_NONE)
+ return (masked_match4(net_tok, mask_tok, string + 7));
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+ if (getaddrinfo(string, NULL, &hints, &res) != 0)
+ return NO;
+ memcpy(&addr, res->ai_addr, sizeof(addr));
+ freeaddrinfo(res);
+
+ /* match IPv6 address against netnumber/prefixlen */
+ len = strlen(net_tok);
+ if (*net_tok != '[' || net_tok[len - 1] != ']')
+ return NO;
+ ch = net_tok[len - 1];
+ net_tok[len - 1] = '\0';
+ if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) {
+ net_tok[len - 1] = ch;
+ return NO;
+ }
+ memcpy(&net, res->ai_addr, sizeof(net));
+ freeaddrinfo(res);
+ net_tok[len - 1] = ch;
+ if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128)
+ return NO;
+
+#ifdef NI_WITHSCOPEID
+ if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id)
+ return NO;
+#endif
+ while (mask_len > 0) {
+ if (mask_len < 32) {
+ mask = htonl(~(0xffffffff >> mask_len));
+ if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask))
+ return NO;
+ break;
+ }
+ if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i])
+ return NO;
+ i += 4;
+ mask_len -= 32;
+ }
+ return YES;
+}
+#endif /* INET6 */
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+ from Tatu Ylonen's last SSH version under free license by
+ Pekka Savola <pekkas@netcore.fi>.
+
+ Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+ ? and * as wildcards), and zero if it does not match. */
+
+int match_pattern_ylo(const char *s, const char *pattern)
+{
+ while (1)
+ {
+ /* If at end of pattern, accept if also at end of string. */
+ if (!*pattern)
+ return !*s;
+
+ /* Process '*'. */
+ if (*pattern == '*')
+ {
+ /* Skip the asterisk. */
+ pattern++;
+
+ /* If at end of pattern, accept immediately. */
+ if (!*pattern)
+ return 1;
+
+ /* If next character in pattern is known, optimize. */
+ if (*pattern != '?' && *pattern != '*')
+ {
+ /* Look instances of the next character in pattern, and try
+ to match starting from those. */
+ for (; *s; s++)
+ if (*s == *pattern &&
+ match_pattern_ylo(s + 1, pattern + 1))
+ return 1;
+ /* Failed. */
+ return 0;
+ }
+
+ /* Move ahead one character at a time and try to match at each
+ position. */
+ for (; *s; s++)
+ if (match_pattern_ylo(s, pattern))
+ return 1;
+ /* Failed. */
+ return 0;
+ }
+
+ /* There must be at least one more character in the string. If we are
+ at the end, fail. */
+ if (!*s)
+ return 0;
+
+ /* Check if the next character of the string is acceptable. */
+ if (*pattern != '?' && *pattern != *s)
+ return 0;
+
+ /* Move to the next character, both in string and in pattern. */
+ s++;
+ pattern++;
+ }
+ /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
Index: tcp_wrappers_7.6-new/inetcf.c
===================================================================
--- tcp_wrappers_7.6-new/inetcf.c (nonexistent)
+++ tcp_wrappers_7.6-new/inetcf.c (revision 5)
@@ -0,0 +1,321 @@
+ /*
+ * Routines to parse an inetd.conf or tlid.conf file. This would be a great
+ * job for a PERL script.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23";
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+extern int errno;
+extern void exit();
+
+#include "tcpd.h"
+#include "inetcf.h"
+
+ /*
+ * Network configuration files may live in unusual places. Here are some
+ * guesses. Shorter names follow longer ones.
+ */
+char *inet_files[] = {
+#ifdef INET6
+ "/usr/local/v6/etc/inet6d.conf", /* KAME */
+#endif
+ "/private/etc/inetd.conf", /* NEXT */
+ "/etc/inet/inetd.conf", /* SYSV4 */
+ "/usr/etc/inetd.conf", /* IRIX?? */
+ "/etc/inetd.conf", /* BSD */
+ "/etc/net/tlid.conf", /* SYSV4?? */
+ "/etc/saf/tlid.conf", /* SYSV4?? */
+ "/etc/tlid.conf", /* SYSV4?? */
+ 0,
+};
+
+static void inet_chk();
+static char *base_name();
+
+ /*
+ * Structure with everything we know about a service.
+ */
+struct inet_ent {
+ struct inet_ent *next;
+ int type;
+ char name[1];
+};
+
+static struct inet_ent *inet_list = 0;
+
+static char whitespace[] = " \t\r\n";
+
+/* inet_conf - read in and examine inetd.conf (or tlid.conf) entries */
+
+char *inet_cfg(conf)
+char *conf;
+{
+ char buf[BUFSIZ];
+ FILE *fp;
+ char *service;
+ char *protocol;
+ char *user;
+ char *path;
+ char *arg0;
+ char *arg1;
+ struct tcpd_context saved_context;
+ char *percent_m();
+ int i;
+ struct stat st;
+
+ saved_context = tcpd_context;
+
+ /*
+ * The inetd.conf (or tlid.conf) information is so useful that we insist
+ * on its availability. When no file is given run a series of educated
+ * guesses.
+ */
+ if (conf != 0) {
+ if ((fp = fopen(conf, "r")) == 0) {
+ fprintf(stderr, percent_m(buf, "open %s: %m\n"), conf);
+ exit(1);
+ }
+ } else {
+ for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++)
+ /* void */ ;
+ if (fp == 0) {
+ fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n");
+ fprintf(stderr, "Please specify its location.\n");
+ exit(1);
+ }
+ conf = inet_files[i];
+ check_path(conf, &st);
+ }
+
+ /*
+ * Process the file. After the 7.0 wrapper release it became clear that
+ * there are many more inetd.conf formats than the 8 systems that I had
+ * studied. EP/IX uses a two-line specification for rpc services; HP-UX
+ * permits long lines to be broken with backslash-newline.
+ */
+ tcpd_context.file = conf;
+ tcpd_context.line = 0;
+ while (xgets(buf, sizeof(buf), fp)) {
+ service = strtok(buf, whitespace); /* service */
+ if (service == 0 || *service == '#')
+ continue;
+ if (STR_NE(service, "stream") && STR_NE(service, "dgram"))
+ strtok((char *) 0, whitespace); /* endpoint */
+ protocol = strtok((char *) 0, whitespace);
+ (void) strtok((char *) 0, whitespace); /* wait */
+ if ((user = strtok((char *) 0, whitespace)) == 0)
+ continue;
+ if (user[0] == '/') { /* user */
+ path = user;
+ } else { /* path */
+ if ((path = strtok((char *) 0, whitespace)) == 0)
+ continue;
+ }
+ if (path[0] == '?') /* IRIX optional service */
+ path++;
+ if (STR_EQ(path, "internal"))
+ continue;
+ if (path[strspn(path, "-0123456789")] == 0) {
+
+ /*
+ * ConvexOS puts RPC version numbers before path names. Jukka
+ * Ukkonen <ukkonen@csc.fi>.
+ */
+ if ((path = strtok((char *) 0, whitespace)) == 0)
+ continue;
+ }
+ if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
+ tcpd_warn("incomplete line");
+ continue;
+ }
+ if (arg0[strspn(arg0, "0123456789")] == 0) {
+
+ /*
+ * We're reading a tlid.conf file, the format is:
+ *
+ * ...stuff... path arg_count arguments mod_count modules
+ */
+ if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
+ tcpd_warn("incomplete line");
+ continue;
+ }
+ }
+ if ((arg1 = strtok((char *) 0, whitespace)) == 0)
+ arg1 = "";
+
+ inet_chk(protocol, path, arg0, arg1);
+ }
+ fclose(fp);
+ tcpd_context = saved_context;
+ return (conf);
+}
+
+/* inet_chk - examine one inetd.conf (tlid.conf?) entry */
+
+static void inet_chk(protocol, path, arg0, arg1)
+char *protocol;
+char *path;
+char *arg0;
+char *arg1;
+{
+ char daemon[BUFSIZ];
+ struct stat st;
+ int wrap_status = WR_MAYBE;
+ char *base_name_path = base_name(path);
+ char *tcpd_proc_name = (arg0[0] == '/' ? base_name(arg0) : arg0);
+
+ /*
+ * Always warn when the executable does not exist or when it is not
+ * executable.
+ */
+ if (check_path(path, &st) < 0) {
+ tcpd_warn("%s: not found: %m", path);
+ } else if ((st.st_mode & 0100) == 0) {
+ tcpd_warn("%s: not executable", path);
+ }
+
+ /*
+ * Cheat on the miscd tests, nobody uses it anymore.
+ */
+ if (STR_EQ(base_name_path, "miscd")) {
+ inet_set(arg0, WR_YES);
+ return;
+ }
+
+ /*
+ * While we are here...
+ */
+ if (STR_EQ(tcpd_proc_name, "rexd") || STR_EQ(tcpd_proc_name, "rpc.rexd"))
+ tcpd_warn("%s may be an insecure service", tcpd_proc_name);
+
+ /*
+ * The tcpd program gets most of the attention.
+ */
+ if (STR_EQ(base_name_path, "tcpd")) {
+
+ if (STR_EQ(tcpd_proc_name, "tcpd"))
+ tcpd_warn("%s is recursively calling itself", tcpd_proc_name);
+
+ wrap_status = WR_YES;
+
+ /*
+ * Check: some sites install the wrapper set-uid.
+ */
+ if ((st.st_mode & 06000) != 0)
+ tcpd_warn("%s: file is set-uid or set-gid", path);
+
+ /*
+ * Check: some sites insert tcpd in inetd.conf, instead of replacing
+ * the daemon pathname.
+ */
+ if (arg0[0] == '/' && STR_EQ(tcpd_proc_name, base_name(arg1)))
+ tcpd_warn("%s inserted before %s", path, arg0);
+
+ /*
+ * Check: make sure files exist and are executable. On some systems
+ * the network daemons are set-uid so we cannot complain. Note that
+ * tcpd takes the basename only in case of absolute pathnames.
+ */
+ if (arg0[0] == '/') { /* absolute path */
+ if (check_path(arg0, &st) < 0) {
+ tcpd_warn("%s: not found: %m", arg0);
+ } else if ((st.st_mode & 0100) == 0) {
+ tcpd_warn("%s: not executable", arg0);
+ }
+ } else { /* look in REAL_DAEMON_DIR */
+ sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
+ if (check_path(daemon, &st) < 0) {
+ tcpd_warn("%s: not found in %s: %m",
+ arg0, REAL_DAEMON_DIR);
+ } else if ((st.st_mode & 0100) == 0) {
+ tcpd_warn("%s: not executable", daemon);
+ }
+ }
+
+ } else {
+
+ /*
+ * No tcpd program found. Perhaps they used the "simple installation"
+ * recipe. Look for a file with the same basename in REAL_DAEMON_DIR.
+ * Draw some conservative conclusions when a distinct file is found.
+ */
+ sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
+ if (STR_EQ(path, daemon)) {
+ wrap_status = WR_NOT;
+ } else if (check_path(daemon, &st) >= 0) {
+ wrap_status = WR_MAYBE;
+ } else if (errno == ENOENT) {
+ wrap_status = WR_NOT;
+ } else {
+ tcpd_warn("%s: file lookup: %m", daemon);
+ wrap_status = WR_MAYBE;
+ }
+ }
+
+ /*
+ * Alas, we cannot wrap rpc/tcp services.
+ */
+ if (wrap_status == WR_YES && STR_EQ(protocol, "rpc/tcp"))
+ tcpd_warn("%s: cannot wrap rpc/tcp services", tcpd_proc_name);
+
+ inet_set(tcpd_proc_name, wrap_status);
+}
+
+/* inet_set - remember service status */
+
+void inet_set(name, type)
+char *name;
+int type;
+{
+ struct inet_ent *ip =
+ (struct inet_ent *) malloc(sizeof(struct inet_ent) + strlen(name));
+
+ if (ip == 0) {
+ fprintf(stderr, "out of memory\n");
+ exit(1);
+ }
+ ip->next = inet_list;
+ strcpy(ip->name, name);
+ ip->type = type;
+ inet_list = ip;
+}
+
+/* inet_get - look up service status */
+
+int inet_get(name)
+char *name;
+{
+ struct inet_ent *ip;
+
+ if (inet_list == 0)
+ return (WR_MAYBE);
+
+ for (ip = inet_list; ip; ip = ip->next)
+ if (STR_EQ(ip->name, name))
+ return (ip->type);
+
+ return (-1);
+}
+
+/* base_name - compute last pathname component */
+
+static char *base_name(path)
+char *path;
+{
+ char *cp;
+
+ if ((cp = strrchr(path, '/')) != 0)
+ path = cp + 1;
+ return (path);
+}
Index: tcp_wrappers_7.6-new/misc.c
===================================================================
--- tcp_wrappers_7.6-new/misc.c (nonexistent)
+++ tcp_wrappers_7.6-new/misc.c (revision 5)
@@ -0,0 +1,109 @@
+ /*
+ * Misc routines that are used by tcpd and by tcpdchk.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsic[] = "@(#) misc.c 1.2 96/02/11 17:01:29";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "tcpd.h"
+
+extern char *fgets();
+
+#ifndef INADDR_NONE
+#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
+#endif
+
+/* xgets - fgets() with backslash-newline stripping */
+
+char *xgets(ptr, len, fp)
+char *ptr;
+int len;
+FILE *fp;
+{
+ int got;
+ char *start = ptr;
+
+ while (fgets(ptr, len, fp)) {
+ got = strlen(ptr);
+ if (got >= 1 && ptr[got - 1] == '\n') {
+ tcpd_context.line++;
+ if (got >= 2 && ptr[got - 2] == '\\') {
+ got -= 2;
+ } else {
+ return (start);
+ }
+ }
+ ptr += got;
+ len -= got;
+ ptr[0] = 0;
+ }
+ return (ptr > start ? start : 0);
+}
+
+/* split_at - break string at delimiter or return NULL */
+
+char *split_at(string, delimiter)
+char *string;
+int delimiter;
+{
+ char *cp;
+
+#ifdef INET6
+ int bracket = 0;
+
+ for (cp = string; cp && *cp; cp++) {
+ switch (*cp) {
+ case '[':
+ bracket++;
+ break;
+ case ']':
+ bracket--;
+ break;
+ default:
+ if (bracket == 0 && *cp == delimiter) {
+ *cp++ = 0;
+ return cp;
+ }
+ break;
+ }
+ }
+ return (NULL);
+#else
+ if ((cp = strchr(string, delimiter)) != 0)
+ *cp++ = 0;
+ return (cp);
+#endif
+}
+
+/* dot_quad_addr - convert dotted quad to internal form */
+
+unsigned long dot_quad_addr(str)
+char *str;
+{
+ int in_run = 0;
+ int runs = 0;
+ char *cp = str;
+
+ /* Count the number of runs of non-dot characters. */
+
+ while (*cp) {
+ if (*cp == '.') {
+ in_run = 0;
+ } else if (in_run == 0) {
+ in_run = 1;
+ runs++;
+ }
+ cp++;
+ }
+ return (runs == 4 ? inet_addr(str) : INADDR_NONE);
+}
Index: tcp_wrappers_7.6-new/options.c
===================================================================
--- tcp_wrappers_7.6-new/options.c (nonexistent)
+++ tcp_wrappers_7.6-new/options.c (revision 5)
@@ -0,0 +1,622 @@
+ /*
+ * General skeleton for adding options to the access control language. The
+ * features offered by this module are documented in the hosts_options(5)
+ * manual page (source file: hosts_options.5, "nroff -man" format).
+ *
+ * Notes and warnings for those who want to add features:
+ *
+ * In case of errors, abort options processing and deny access. There are too
+ * many irreversible side effects to make error recovery feasible. For
+ * example, it makes no sense to continue after we have already changed the
+ * userid.
+ *
+ * In case of errors, do not terminate the process: the routines might be
+ * called from a long-running daemon that should run forever. Instead, call
+ * tcpd_jump() which does a non-local goto back into the hosts_access()
+ * routine.
+ *
+ * In case of severe errors, use clean_exit() instead of directly calling
+ * exit(), or the inetd may loop on an UDP request.
+ *
+ * In verification mode (for example, with the "tcpdmatch" command) the
+ * "dry_run" flag is set. In this mode, an option function should just "say"
+ * what it is going to do instead of really doing it.
+ *
+ * Some option functions do not return (for example, the twist option passes
+ * control to another program). In verification mode (dry_run flag is set)
+ * such options should clear the "dry_run" flag to inform the caller of this
+ * course of action.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <setjmp.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifndef MAXPATHNAMELEN
+#define MAXPATHNAMELEN BUFSIZ
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Options runtime support. */
+
+int dry_run = 0; /* flag set in verification mode */
+extern jmp_buf tcpd_buf; /* tcpd_jump() support */
+
+/* Options parser support. */
+
+static char whitespace_eq[] = "= \t\r\n";
+#define whitespace (whitespace_eq + 1)
+
+static char *get_field(); /* chew :-delimited field off string */
+static char *chop_string(); /* strip leading and trailing blanks */
+
+/* List of functions that implement the options. Add yours here. */
+
+static void user_option(); /* execute "user name.group" option */
+static void group_option(); /* execute "group name" option */
+static void umask_option(); /* execute "umask mask" option */
+static void linger_option(); /* execute "linger time" option */
+static void keepalive_option(); /* execute "keepalive" option */
+static void spawn_option(); /* execute "spawn command" option */
+static void twist_option(); /* execute "twist command" option */
+static void rfc931_option(); /* execute "rfc931" option */
+static void setenv_option(); /* execute "setenv name value" */
+static void nice_option(); /* execute "nice" option */
+static void severity_option(); /* execute "severity value" */
+static void allow_option(); /* execute "allow" option */
+static void deny_option(); /* execute "deny" option */
+static void banners_option(); /* execute "banners path" option */
+
+/* Structure of the options table. */
+
+struct option {
+ char *name; /* keyword name, case is ignored */
+ void (*func) (); /* function that does the real work */
+ int flags; /* see below... */
+};
+
+#define NEED_ARG (1<<1) /* option requires argument */
+#define USE_LAST (1<<2) /* option must be last */
+#define OPT_ARG (1<<3) /* option has optional argument */
+#define EXPAND_ARG (1<<4) /* do %x expansion on argument */
+
+#define need_arg(o) ((o)->flags & NEED_ARG)
+#define opt_arg(o) ((o)->flags & OPT_ARG)
+#define permit_arg(o) ((o)->flags & (NEED_ARG | OPT_ARG))
+#define use_last(o) ((o)->flags & USE_LAST)
+#define expand_arg(o) ((o)->flags & EXPAND_ARG)
+
+/* List of known keywords. Add yours here. */
+
+static struct option option_table[] = {
+ "user", user_option, NEED_ARG,
+ "group", group_option, NEED_ARG,
+ "umask", umask_option, NEED_ARG,
+ "linger", linger_option, NEED_ARG,
+ "keepalive", keepalive_option, 0,
+ "spawn", spawn_option, NEED_ARG | EXPAND_ARG,
+ "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
+ "rfc931", rfc931_option, OPT_ARG,
+ "setenv", setenv_option, NEED_ARG | EXPAND_ARG,
+ "nice", nice_option, OPT_ARG,
+ "severity", severity_option, NEED_ARG,
+ "allow", allow_option, USE_LAST,
+ "deny", deny_option, USE_LAST,
+ "banners", banners_option, NEED_ARG,
+ 0,
+};
+
+/* process_options - process access control options */
+
+void process_options(options, request)
+char *options;
+struct request_info *request;
+{
+ char *key;
+ char *value;
+ char *curr_opt;
+ char *next_opt;
+ struct option *op;
+ char bf[BUFSIZ];
+
+ for (curr_opt = get_field(options); curr_opt; curr_opt = next_opt) {
+ next_opt = get_field((char *) 0);
+
+ /*
+ * Separate the option into name and value parts. For backwards
+ * compatibility we ignore exactly one '=' between name and value.
+ */
+ curr_opt = chop_string(curr_opt);
+ if (*(value = curr_opt + strcspn(curr_opt, whitespace_eq))) {
+ if (*value != '=') {
+ *value++ = 0;
+ value += strspn(value, whitespace);
+ }
+ if (*value == '=') {
+ *value++ = 0;
+ value += strspn(value, whitespace);
+ }
+ }
+ if (*value == 0)
+ value = 0;
+ key = curr_opt;
+
+ /*
+ * Disallow missing option names (and empty option fields).
+ */
+ if (*key == 0)
+ tcpd_jump("missing option name");
+
+ /*
+ * Lookup the option-specific info and do some common error checks.
+ * Delegate option-specific processing to the specific functions.
+ */
+
+ for (op = option_table; op->name && STR_NE(op->name, key); op++)
+ /* VOID */ ;
+ if (op->name == 0)
+ tcpd_jump("bad option name: \"%s\"", key);
+ if (!value && need_arg(op))
+ tcpd_jump("option \"%s\" requires value", key);
+ if (value && !permit_arg(op))
+ tcpd_jump("option \"%s\" requires no value", key);
+ if (next_opt && use_last(op))
+ tcpd_jump("option \"%s\" must be at end", key);
+ if (value && expand_arg(op))
+ value = chop_string(percent_x(bf, sizeof(bf), value, request));
+ if (hosts_access_verbose)
+ syslog(LOG_DEBUG, "option: %s %s", key, value ? value : "");
+ (*(op->func)) (value, request);
+ }
+}
+
+/* allow_option - grant access */
+
+/* ARGSUSED */
+
+static void allow_option(value, request)
+char *value;
+struct request_info *request;
+{
+ longjmp(tcpd_buf, AC_PERMIT);
+}
+
+/* deny_option - deny access */
+
+/* ARGSUSED */
+
+static void deny_option(value, request)
+char *value;
+struct request_info *request;
+{
+ longjmp(tcpd_buf, AC_DENY);
+}
+
+/* banners_option - expand %<char>, terminate each line with CRLF */
+
+static void banners_option(value, request)
+char *value;
+struct request_info *request;
+{
+ char path[MAXPATHNAMELEN];
+ char ibuf[BUFSIZ];
+ char obuf[2 * BUFSIZ];
+ struct stat st;
+ int ch;
+ FILE *fp;
+
+ sprintf(path, "%s/%s", value, eval_daemon(request));
+ if ((fp = fopen(path, "r")) != 0) {
+ while ((ch = fgetc(fp)) == 0)
+ write(request->fd, "", 1);
+ ungetc(ch, fp);
+ while (fgets(ibuf, sizeof(ibuf) - 1, fp)) {
+ if (split_at(ibuf, '\n'))
+ strcat(ibuf, "\r\n");
+ percent_x(obuf, sizeof(obuf), ibuf, request);
+ write(request->fd, obuf, strlen(obuf));
+ }
+ fclose(fp);
+ } else if (stat(value, &st) < 0) {
+ tcpd_warn("%s: %m", value);
+ }
+}
+
+/* group_option - switch group id */
+
+/* ARGSUSED */
+
+static void group_option(value, request)
+char *value;
+struct request_info *request;
+{
+ struct group *grp;
+ struct group *getgrnam();
+
+ if ((grp = getgrnam(value)) == 0)
+ tcpd_jump("unknown group: \"%s\"", value);
+ endgrent();
+
+ if (dry_run == 0 && setgid(grp->gr_gid))
+ tcpd_jump("setgid(%s): %m", value);
+}
+
+/* user_option - switch user id */
+
+/* ARGSUSED */
+
+static void user_option(value, request)
+char *value;
+struct request_info *request;
+{
+ struct passwd *pwd;
+ struct passwd *getpwnam();
+ char *group;
+
+ if ((group = split_at(value, '.')) != 0)
+ group_option(group, request);
+ if ((pwd = getpwnam(value)) == 0)
+ tcpd_jump("unknown user: \"%s\"", value);
+ endpwent();
+
+ if (dry_run == 0 && setuid(pwd->pw_uid))
+ tcpd_jump("setuid(%s): %m", value);
+}
+
+/* umask_option - set file creation mask */
+
+/* ARGSUSED */
+
+static void umask_option(value, request)
+char *value;
+struct request_info *request;
+{
+ unsigned mask;
+ char junk;
+
+ if (sscanf(value, "%o%c", &mask, &junk) != 1 || (mask & 0777) != mask)
+ tcpd_jump("bad umask value: \"%s\"", value);
+ (void) umask(mask);
+}
+
+/* spawn_option - spawn a shell command and wait */
+
+/* ARGSUSED */
+
+static void spawn_option(value, request)
+char *value;
+struct request_info *request;
+{
+ if (dry_run == 0)
+ shell_cmd(value);
+}
+
+/* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
+
+/* ARGSUSED */
+
+static void linger_option(value, request)
+char *value;
+struct request_info *request;
+{
+ struct linger linger;
+ char junk;
+
+ if (sscanf(value, "%d%c", &linger.l_linger, &junk) != 1
+ || linger.l_linger < 0)
+ tcpd_jump("bad linger value: \"%s\"", value);
+ if (dry_run == 0) {
+ linger.l_onoff = (linger.l_linger != 0);
+ if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
+ sizeof(linger)) < 0)
+ tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
+ }
+}
+
+/* keepalive_option - set the socket keepalive option */
+
+/* ARGSUSED */
+
+static void keepalive_option(value, request)
+char *value;
+struct request_info *request;
+{
+ static int on = 1;
+
+ if (dry_run == 0 && setsockopt(request->fd, SOL_SOCKET, SO_KEEPALIVE,
+ (char *) &on, sizeof(on)) < 0)
+ tcpd_warn("setsockopt SO_KEEPALIVE: %m");
+}
+
+/* nice_option - set nice value */
+
+/* ARGSUSED */
+
+static void nice_option(value, request)
+char *value;
+struct request_info *request;
+{
+ int niceval = 10;
+ char junk;
+
+ if (value != 0 && sscanf(value, "%d%c", &niceval, &junk) != 1)
+ tcpd_jump("bad nice value: \"%s\"", value);
+ if (dry_run == 0 && nice(niceval) < 0)
+ tcpd_warn("nice(%d): %m", niceval);
+}
+
+/* twist_option - replace process by shell command */
+
+static void twist_option(value, request)
+char *value;
+struct request_info *request;
+{
+ char *error;
+
+ if (dry_run != 0) {
+ dry_run = 0;
+ } else {
+ if (resident > 0)
+ tcpd_jump("twist option in resident process");
+
+ syslog(deny_severity, "twist %s to %s", eval_client(request), value);
+
+ /* Before switching to the shell, set up stdin, stdout and stderr. */
+
+#define maybe_dup2(from, to) ((from == to) ? to : (close(to), dup(from)))
+
+ if (maybe_dup2(request->fd, 0) != 0 ||
+ maybe_dup2(request->fd, 1) != 1 ||
+ maybe_dup2(request->fd, 2) != 2) {
+ error = "twist_option: dup: %m";
+ } else {
+ if (request->fd > 2)
+ close(request->fd);
+ (void) execl("/bin/sh", "sh", "-c", value, (char *) 0);
+ error = "twist_option: /bin/sh: %m";
+ }
+
+ /* Something went wrong: we MUST terminate the process. */
+
+ tcpd_warn(error);
+ clean_exit(request);
+ }
+}
+
+/* rfc931_option - look up remote user name */
+
+static void rfc931_option(value, request)
+char *value;
+struct request_info *request;
+{
+ int timeout;
+ char junk;
+
+ if (value != 0) {
+ if (sscanf(value, "%d%c", &timeout, &junk) != 1 || timeout <= 0)
+ tcpd_jump("bad rfc931 timeout: \"%s\"", value);
+ rfc931_timeout = timeout;
+ }
+ (void) eval_user(request);
+}
+
+/* setenv_option - set environment variable */
+
+/* ARGSUSED */
+
+static void setenv_option(value, request)
+char *value;
+struct request_info *request;
+{
+ char *var_value;
+
+ if (*(var_value = value + strcspn(value, whitespace)))
+ *var_value++ = 0;
+ if (setenv(chop_string(value), chop_string(var_value), 1))
+ tcpd_jump("memory allocation failure");
+}
+
+ /*
+ * The severity option goes last because it comes with a huge amount of ugly
+ * #ifdefs and tables.
+ */
+
+struct syslog_names {
+ char *name;
+ int value;
+};
+
+static struct syslog_names log_fac[] = {
+#ifdef LOG_KERN
+ "kern", LOG_KERN,
+#endif
+#ifdef LOG_USER
+ "user", LOG_USER,
+#endif
+#ifdef LOG_MAIL
+ "mail", LOG_MAIL,
+#endif
+#ifdef LOG_DAEMON
+ "daemon", LOG_DAEMON,
+#endif
+#ifdef LOG_AUTH
+ "auth", LOG_AUTH,
+#endif
+#ifdef LOG_LPR
+ "lpr", LOG_LPR,
+#endif
+#ifdef LOG_NEWS
+ "news", LOG_NEWS,
+#endif
+#ifdef LOG_UUCP
+ "uucp", LOG_UUCP,
+#endif
+#ifdef LOG_CRON
+ "cron", LOG_CRON,
+#endif
+#ifdef LOG_LOCAL0
+ "local0", LOG_LOCAL0,
+#endif
+#ifdef LOG_LOCAL1
+ "local1", LOG_LOCAL1,
+#endif
+#ifdef LOG_LOCAL2
+ "local2", LOG_LOCAL2,
+#endif
+#ifdef LOG_LOCAL3
+ "local3", LOG_LOCAL3,
+#endif
+#ifdef LOG_LOCAL4
+ "local4", LOG_LOCAL4,
+#endif
+#ifdef LOG_LOCAL5
+ "local5", LOG_LOCAL5,
+#endif
+#ifdef LOG_LOCAL6
+ "local6", LOG_LOCAL6,
+#endif
+#ifdef LOG_LOCAL7
+ "local7", LOG_LOCAL7,
+#endif
+ 0,
+};
+
+static struct syslog_names log_sev[] = {
+#ifdef LOG_EMERG
+ "emerg", LOG_EMERG,
+#endif
+#ifdef LOG_ALERT
+ "alert", LOG_ALERT,
+#endif
+#ifdef LOG_CRIT
+ "crit", LOG_CRIT,
+#endif
+#ifdef LOG_ERR
+ "err", LOG_ERR,
+#endif
+#ifdef LOG_WARNING
+ "warning", LOG_WARNING,
+#endif
+#ifdef LOG_NOTICE
+ "notice", LOG_NOTICE,
+#endif
+#ifdef LOG_INFO
+ "info", LOG_INFO,
+#endif
+#ifdef LOG_DEBUG
+ "debug", LOG_DEBUG,
+#endif
+ 0,
+};
+
+/* severity_map - lookup facility or severity value */
+
+static int severity_map(table, name)
+struct syslog_names *table;
+char *name;
+{
+ struct syslog_names *t;
+
+ for (t = table; t->name; t++)
+ if (STR_EQ(t->name, name))
+ return (t->value);
+ tcpd_jump("bad syslog facility or severity: \"%s\"", name);
+ /* NOTREACHED */
+}
+
+/* severity_option - change logging severity for this event (Dave Mitchell) */
+
+/* ARGSUSED */
+
+static void severity_option(value, request)
+char *value;
+struct request_info *request;
+{
+ char *level = split_at(value, '.');
+
+ allow_severity = deny_severity = level ?
+ severity_map(log_fac, value) | severity_map(log_sev, level) :
+ severity_map(log_sev, value);
+}
+
+/* get_field - return pointer to next field in string */
+
+static char *get_field(string)
+char *string;
+{
+ static char *last = "";
+ char *src;
+ char *dst;
+ char *ret;
+ int ch;
+
+ /*
+ * This function returns pointers to successive fields within a given
+ * string. ":" is the field separator; warn if the rule ends in one. It
+ * replaces a "\:" sequence by ":", without treating the result of
+ * substitution as field terminator. A null argument means resume search
+ * where the previous call terminated. This function destroys its
+ * argument.
+ *
+ * Work from explicit source or from memory. While processing \: we
+ * overwrite the input. This way we do not have to maintain buffers for
+ * copies of input fields.
+ */
+
+ src = dst = ret = (string ? string : last);
+ if (src[0] == 0)
+ return (0);
+
+ while (ch = *src) {
+ if (ch == ':') {
+ if (*++src == 0)
+ tcpd_warn("rule ends in \":\"");
+ break;
+ }
+ if (ch == '\\' && src[1] == ':')
+ src++;
+ *dst++ = *src++;
+ }
+ last = src;
+ *dst = 0;
+ return (ret);
+}
+
+/* chop_string - strip leading and trailing blanks from string */
+
+static char *chop_string(string)
+register char *string;
+{
+ char *start = 0;
+ char *end;
+ char *cp;
+
+ for (cp = string; *cp; cp++) {
+ if (!isspace(*cp)) {
+ if (start == 0)
+ start = cp;
+ end = cp;
+ }
+ }
+ return (start ? (end[1] = 0, start) : cp);
+}
Index: tcp_wrappers_7.6-new/percent_m.c
===================================================================
--- tcp_wrappers_7.6-new/percent_m.c (nonexistent)
+++ tcp_wrappers_7.6-new/percent_m.c (revision 5)
@@ -0,0 +1,47 @@
+ /*
+ * Replace %m by system error message.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) percent_m.c 1.1 94/12/28 17:42:37";
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+extern int errno;
+#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
+extern char *sys_errlist[];
+extern int sys_nerr;
+#endif
+
+#include "mystdarg.h"
+
+char *percent_m(obuf, ibuf)
+char *obuf;
+char *ibuf;
+{
+ char *bp = obuf;
+ char *cp = ibuf;
+
+ while (*bp = *cp)
+ if (*cp == '%' && cp[1] == 'm') {
+#ifdef HAVE_STRERROR
+ strcpy(bp, strerror(errno));
+#else
+ if (errno < sys_nerr && errno > 0) {
+ strcpy(bp, sys_errlist[errno]);
+ } else {
+ sprintf(bp, "Unknown error %d", errno);
+ }
+#endif
+ bp += strlen(bp);
+ cp += 2;
+ } else {
+ bp++, cp++;
+ }
+ return (obuf);
+}
Index: tcp_wrappers_7.6-new/refuse.c
===================================================================
--- tcp_wrappers_7.6-new/refuse.c (nonexistent)
+++ tcp_wrappers_7.6-new/refuse.c (revision 5)
@@ -0,0 +1,37 @@
+ /*
+ * refuse() reports a refused connection, and takes the consequences: in
+ * case of a datagram-oriented service, the unread datagram is taken from
+ * the input queue (or inetd would see the same datagram again and again);
+ * the program is terminated.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) refuse.c 1.5 94/12/28 17:42:39";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <syslog.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* refuse - refuse request */
+
+void refuse(request)
+struct request_info *request;
+{
+#ifdef INET6
+ syslog(deny_severity, "refused connect from %s (%s)",
+ eval_client(request), eval_hostaddr(request->client));
+#else
+ syslog(deny_severity, "refused connect from %s", eval_client(request));
+#endif
+ clean_exit(request);
+ /* NOTREACHED */
+}
+
Index: tcp_wrappers_7.6-new/rfc931.c
===================================================================
--- tcp_wrappers_7.6-new/rfc931.c (nonexistent)
+++ tcp_wrappers_7.6-new/rfc931.c (revision 5)
@@ -0,0 +1,229 @@
+ /*
+ * rfc931() speaks a common subset of the RFC 931, AUTH, TAP, IDENT and RFC
+ * 1413 protocols. It queries an RFC 931 etc. compatible daemon on a remote
+ * host to look up the owner of a connection. The information should not be
+ * used for authentication purposes. This routine intercepts alarm signals.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) rfc931.c 1.10 95/01/02 16:11:34";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <string.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+#define RFC931_PORT 113 /* Semi-well-known port */
+#define ANY_PORT 0 /* Any old port will do */
+
+int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
+
+static jmp_buf timebuf;
+
+/* fsocket - open stdio stream on top of socket */
+
+static FILE *fsocket(domain, type, protocol)
+int domain;
+int type;
+int protocol;
+{
+ int s;
+ FILE *fp;
+
+ if ((s = socket(domain, type, protocol)) < 0) {
+ tcpd_warn("socket: %m");
+ return (0);
+ } else {
+ if ((fp = fdopen(s, "r+")) == 0) {
+ tcpd_warn("fdopen: %m");
+ close(s);
+ }
+ return (fp);
+ }
+}
+
+/* timeout - handle timeouts */
+
+static void timeout(sig)
+int sig;
+{
+ longjmp(timebuf, sig);
+}
+
+/* rfc931 - return remote user name, given socket structures */
+
+void rfc931(rmt_sin, our_sin, dest)
+#ifdef INET6
+struct sockaddr *rmt_sin;
+struct sockaddr *our_sin;
+#else
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+#endif
+char *dest;
+{
+ unsigned rmt_port;
+ unsigned our_port;
+#ifdef INET6
+ struct sockaddr_storage rmt_query_sin;
+ struct sockaddr_storage our_query_sin;
+ int alen;
+#else
+ struct sockaddr_in rmt_query_sin;
+ struct sockaddr_in our_query_sin;
+#endif
+ char user[256]; /* XXX */
+ char buffer[512]; /* XXX */
+ char *cp;
+ char *result = unknown;
+ FILE *fp;
+
+#ifdef INET6
+ /* address family must be the same */
+ if (rmt_sin->sa_family != our_sin->sa_family) {
+ STRN_CPY(dest, result, STRING_LENGTH);
+ return;
+ }
+ switch (our_sin->sa_family) {
+ case AF_INET:
+ alen = sizeof(struct sockaddr_in);
+ break;
+ case AF_INET6:
+ alen = sizeof(struct sockaddr_in6);
+ break;
+ default:
+ STRN_CPY(dest, result, STRING_LENGTH);
+ return;
+ }
+#endif
+
+ /*
+ * Use one unbuffered stdio stream for writing to and for reading from
+ * the RFC931 etc. server. This is done because of a bug in the SunOS
+ * 4.1.x stdio library. The bug may live in other stdio implementations,
+ * too. When we use a single, buffered, bidirectional stdio stream ("r+"
+ * or "w+" mode) we read our own output. Such behaviour would make sense
+ * with resources that support random-access operations, but not with
+ * sockets.
+ */
+
+#ifdef INET6
+ if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) {
+#else
+ if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) {
+#endif
+ setbuf(fp, (char *) 0);
+
+ /*
+ * Set up a timer so we won't get stuck while waiting for the server.
+ */
+
+ if (setjmp(timebuf) == 0) {
+ signal(SIGALRM, timeout);
+ alarm(rfc931_timeout);
+
+ /*
+ * Bind the local and remote ends of the query socket to the same
+ * IP addresses as the connection under investigation. We go
+ * through all this trouble because the local or remote system
+ * might have more than one network address. The RFC931 etc.
+ * client sends only port numbers; the server takes the IP
+ * addresses from the query socket.
+ */
+
+#ifdef INET6
+ memcpy(&our_query_sin, our_sin, alen);
+ memcpy(&rmt_query_sin, rmt_sin, alen);
+ switch (our_sin->sa_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT);
+ ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT);
+ break;
+ case AF_INET6:
+ ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT);
+ ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT);
+ break;
+ }
+
+ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
+ alen) >= 0 &&
+ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
+ alen) >= 0) {
+#else
+ our_query_sin = *our_sin;
+ our_query_sin.sin_port = htons(ANY_PORT);
+ rmt_query_sin = *rmt_sin;
+ rmt_query_sin.sin_port = htons(RFC931_PORT);
+
+ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
+ sizeof(our_query_sin)) >= 0 &&
+ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
+ sizeof(rmt_query_sin)) >= 0) {
+#endif
+
+ /*
+ * Send query to server. Neglect the risk that a 13-byte
+ * write would have to be fragmented by the local system and
+ * cause trouble with buggy System V stdio libraries.
+ */
+
+ fprintf(fp, "%u,%u\r\n",
+#ifdef INET6
+ ntohs(((struct sockaddr_in *)rmt_sin)->sin_port),
+ ntohs(((struct sockaddr_in *)our_sin)->sin_port));
+#else
+ ntohs(rmt_sin->sin_port),
+ ntohs(our_sin->sin_port));
+#endif
+ fflush(fp);
+
+ /*
+ * Read response from server. Use fgets()/sscanf() so we can
+ * work around System V stdio libraries that incorrectly
+ * assume EOF when a read from a socket returns less than
+ * requested.
+ */
+
+ if (fgets(buffer, sizeof(buffer), fp) != 0
+ && ferror(fp) == 0 && feof(fp) == 0
+ && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s",
+ &rmt_port, &our_port, user) == 3
+#ifdef INET6
+ && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port
+ && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) {
+#else
+ && ntohs(rmt_sin->sin_port) == rmt_port
+ && ntohs(our_sin->sin_port) == our_port) {
+#endif
+
+ /*
+ * Strip trailing carriage return. It is part of the
+ * protocol, not part of the data.
+ */
+
+ if (cp = strchr(user, '\r'))
+ *cp = 0;
+ result = user;
+ }
+ }
+ alarm(0);
+ }
+ fclose(fp);
+ }
+ STRN_CPY(dest, result, STRING_LENGTH);
+}
Index: tcp_wrappers_7.6-new/scaffold.c
===================================================================
--- tcp_wrappers_7.6-new/scaffold.c (nonexistent)
+++ tcp_wrappers_7.6-new/scaffold.c (revision 5)
@@ -0,0 +1,278 @@
+ /*
+ * Routines for testing only. Not really industrial strength.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccs_id[] = "@(#) scaffold.c 1.6 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <setjmp.h>
+#include <string.h>
+
+#ifndef INADDR_NONE
+#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
+#endif
+
+#ifndef INET6
+extern char *malloc();
+#endif
+
+/* Application-specific. */
+
+#include "tcpd.h"
+#include "scaffold.h"
+
+ /*
+ * These are referenced by the options module and by rfc931.c.
+ */
+int allow_severity = SEVERITY;
+int deny_severity = LOG_WARNING;
+int rfc931_timeout = RFC931_TIMEOUT;
+
+#ifndef INET6
+/* dup_hostent - create hostent in one memory block */
+
+static struct hostent *dup_hostent(hp)
+struct hostent *hp;
+{
+ struct hostent_block {
+ struct hostent host;
+ char *addr_list[1];
+ };
+ struct hostent_block *hb;
+ int count;
+ char *data;
+ char *addr;
+
+ for (count = 0; hp->h_addr_list[count] != 0; count++)
+ /* void */ ;
+
+ if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block)
+ + (hp->h_length + sizeof(char *)) * count)) == 0) {
+ fprintf(stderr, "Sorry, out of memory\n");
+ exit(1);
+ }
+ memset((char *) &hb->host, 0, sizeof(hb->host));
+ hb->host.h_length = hp->h_length;
+ hb->host.h_addr_list = hb->addr_list;
+ hb->host.h_addr_list[count] = 0;
+ data = (char *) (hb->host.h_addr_list + count + 1);
+
+ for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ hb->host.h_addr_list[count] = data + hp->h_length * count;
+ memcpy(hb->host.h_addr_list[count], addr, hp->h_length);
+ }
+ return (&hb->host);
+}
+#endif
+
+/* find_inet_addr - find all addresses for this host, result to free() */
+
+#ifdef INET6
+struct addrinfo *find_inet_addr(host)
+char *host;
+{
+ struct addrinfo hints, *res;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+ if (getaddrinfo(host, NULL, &hints, &res) == 0)
+ return (res);
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+ if (getaddrinfo(host, NULL, &hints, &res) != 0) {
+ tcpd_warn("%s: host not found", host);
+ return (0);
+ }
+ if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) {
+ tcpd_warn("%d: not an internet host", res->ai_family);
+ freeaddrinfo(res);
+ return (0);
+ }
+ if (!res->ai_canonname) {
+ tcpd_warn("%s: hostname alias", host);
+ tcpd_warn("(cannot obtain official name)", res->ai_canonname);
+ } else if (STR_NE(host, res->ai_canonname)) {
+ tcpd_warn("%s: hostname alias", host);
+ tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
+ }
+ return (res);
+}
+#else
+struct hostent *find_inet_addr(host)
+char *host;
+{
+ struct in_addr addr;
+ struct hostent *hp;
+ static struct hostent h;
+ static char *addr_list[2];
+
+ /*
+ * Host address: translate it to internal form.
+ */
+ if ((addr.s_addr = dot_quad_addr(host)) != INADDR_NONE) {
+ h.h_addr_list = addr_list;
+ h.h_addr_list[0] = (char *) &addr;
+ h.h_length = sizeof(addr);
+ return (dup_hostent(&h));
+ }
+
+ /*
+ * Map host name to a series of addresses. Watch out for non-internet
+ * forms or aliases. The NOT_INADDR() is here in case gethostbyname() has
+ * been "enhanced" to accept numeric addresses. Make a copy of the
+ * address list so that later gethostbyXXX() calls will not clobber it.
+ */
+ if (NOT_INADDR(host) == 0) {
+ tcpd_warn("%s: not an internet address", host);
+ return (0);
+ }
+ if ((hp = gethostbyname(host)) == 0) {
+ tcpd_warn("%s: host not found", host);
+ return (0);
+ }
+ if (hp->h_addrtype != AF_INET) {
+ tcpd_warn("%d: not an internet host", hp->h_addrtype);
+ return (0);
+ }
+ if (STR_NE(host, hp->h_name)) {
+ tcpd_warn("%s: hostname alias", host);
+ tcpd_warn("(official name: %.*s)", STRING_LENGTH, hp->h_name);
+ }
+ return (dup_hostent(hp));
+}
+#endif
+
+/* check_dns - give each address thorough workout, return address count */
+
+int check_dns(host)
+char *host;
+{
+ struct request_info request;
+#ifdef INET6
+ struct sockaddr_storage sin;
+ struct addrinfo *hp, *res;
+#else
+ struct sockaddr_in sin;
+ struct hostent *hp;
+#endif
+ int count;
+ char *addr;
+
+ if ((hp = find_inet_addr(host)) == 0)
+ return (0);
+ request_init(&request, RQ_CLIENT_SIN, &sin, 0);
+ sock_methods(&request);
+#ifndef INET6
+ memset((char *) &sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+#endif
+
+#ifdef INET6
+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
+ memcpy(&sin, res->ai_addr, res->ai_addrlen);
+#else
+ for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr));
+#endif
+
+ /*
+ * Force host name and address conversions. Use the request structure
+ * as a cache. Detect hostname lookup problems. Any name/name or
+ * name/address conflicts will be reported while eval_hostname() does
+ * its job.
+ */
+ request_set(&request, RQ_CLIENT_ADDR, "", RQ_CLIENT_NAME, "", 0);
+ if (STR_EQ(eval_hostname(request.client), unknown))
+ tcpd_warn("host address %s->name lookup failed",
+ eval_hostaddr(request.client));
+ }
+#ifdef INET6
+ freeaddrinfo(hp);
+#else
+ free((char *) hp);
+#endif
+ return (count);
+}
+
+/* dummy function to intercept the real shell_cmd() */
+
+/* ARGSUSED */
+
+void shell_cmd(command)
+char *command;
+{
+ if (hosts_access_verbose)
+ printf("command: %s", command);
+}
+
+/* dummy function to intercept the real clean_exit() */
+
+/* ARGSUSED */
+
+void clean_exit(request)
+struct request_info *request;
+{
+ exit(0);
+}
+
+/* dummy function to intercept the real rfc931() */
+
+/* ARGSUSED */
+
+void rfc931(rmt_sin, our_sin, dest)
+#ifndef INET6
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+#else
+struct sockaddr *rmt_sin;
+struct sockaddr *our_sin;
+#endif
+char *dest;
+{
+ strcpy(dest, unknown);
+}
+
+/* check_path - examine accessibility */
+
+int check_path(path, st)
+char *path;
+struct stat *st;
+{
+ struct stat stbuf;
+ char buf[BUFSIZ];
+
+ if (stat(path, st) < 0)
+ return (-1);
+#ifdef notdef
+ if (st->st_uid != 0)
+ tcpd_warn("%s: not owned by root", path);
+ if (st->st_mode & 020)
+ tcpd_warn("%s: group writable", path);
+#endif
+ if (st->st_mode & 002)
+ tcpd_warn("%s: world writable", path);
+ if (path[0] == '/' && path[1] != 0) {
+ strrchr(strcpy(buf, path), '/')[0] = 0;
+ (void) check_path(buf[0] ? buf : "/", &stbuf);
+ }
+ return (0);
+}
Index: tcp_wrappers_7.6-new/scaffold.h
===================================================================
--- tcp_wrappers_7.6-new/scaffold.h (nonexistent)
+++ tcp_wrappers_7.6-new/scaffold.h (revision 5)
@@ -0,0 +1,13 @@
+ /*
+ * @(#) scaffold.h 1.3 94/12/31 18:19:19
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifdef INET6
+extern struct addrinfo *find_inet_addr();
+#else
+extern struct hostent *find_inet_addr();
+#endif
+extern int check_dns();
+extern int check_path();
Index: tcp_wrappers_7.6-new/shell_cmd.c
===================================================================
--- tcp_wrappers_7.6-new/shell_cmd.c (nonexistent)
+++ tcp_wrappers_7.6-new/shell_cmd.c (revision 5)
@@ -0,0 +1,93 @@
+ /*
+ * shell_cmd() takes a shell command after %<character> substitutions. The
+ * command is executed by a /bin/sh child process, with standard input,
+ * standard output and standard error connected to /dev/null.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) shell_cmd.c 1.5 94/12/28 17:42:44";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <signal.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include <unistd.h>
+
+extern void exit();
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void do_child();
+
+/* shell_cmd - execute shell command */
+
+void shell_cmd(command)
+char *command;
+{
+ int child_pid;
+ int wait_pid;
+
+ /*
+ * Most of the work is done within the child process, to minimize the
+ * risk of damage to the parent.
+ */
+
+ switch (child_pid = fork()) {
+ case -1: /* error */
+ tcpd_warn("cannot fork: %m");
+ break;
+ case 00: /* child */
+ do_child(command);
+ /* NOTREACHED */
+ default: /* parent */
+ while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid)
+ /* void */ ;
+ }
+}
+
+/* do_child - exec command with { stdin, stdout, stderr } to /dev/null */
+
+static void do_child(command)
+char *command;
+{
+ char *error;
+ int tmp_fd;
+
+ /*
+ * Systems with POSIX sessions may send a SIGHUP to grandchildren if the
+ * child exits first. This is sick, sessions were invented for terminals.
+ */
+
+ signal(SIGHUP, SIG_IGN);
+
+ /* Set up new stdin, stdout, stderr, and exec the shell command. */
+
+ for (tmp_fd = 0; tmp_fd < 3; tmp_fd++)
+ (void) close(tmp_fd);
+ if (open("/dev/null", 2) != 0) {
+ error = "open /dev/null: %m";
+ } else if (dup(0) != 1 || dup(0) != 2) {
+ error = "dup: %m";
+ } else {
+ (void) execl("/bin/sh", "sh", "-c", command, (char *) 0);
+ error = "execl /bin/sh: %m";
+ }
+
+ /* Something went wrong. We MUST terminate the child process. */
+
+ tcpd_warn(error);
+ _exit(0);
+}
Index: tcp_wrappers_7.6-new/socket.c
===================================================================
--- tcp_wrappers_7.6-new/socket.c (nonexistent)
+++ tcp_wrappers_7.6-new/socket.c (revision 5)
@@ -0,0 +1,438 @@
+ /*
+ * This module determines the type of socket (datagram, stream), the client
+ * socket address and port, the server socket address and port. In addition,
+ * it provides methods to map a transport address to a printable host name
+ * or address. Socket address information results are in static memory.
+ *
+ * The result from the hostname lookup method is STRING_PARANOID when a host
+ * pretends to have someone elses name, or when a host name is available but
+ * could not be verified.
+ *
+ * When lookup or conversion fails the result is set to STRING_UNKNOWN.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef INT32_T
+typedef uint32_t u_int32_t;
+#endif
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+#ifdef INET6
+#ifndef NI_WITHSCOPEID
+#define NI_WITHSCOPEID 0
+#endif
+#else
+extern char *inet_ntoa();
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void sock_sink();
+
+#ifdef APPEND_DOT
+
+ /*
+ * Speed up DNS lookups by terminating the host name with a dot. Should be
+ * done with care. The speedup can give problems with lookups from sources
+ * that lack DNS-style trailing dot magic, such as local files or NIS maps.
+ */
+
+static struct hostent *gethostbyname_dot(name)
+char *name;
+{
+ char dot_name[MAXHOSTNAMELEN + 1];
+
+ struct hostent *hp;
+
+ /*
+ * Don't append dots to unqualified names. Such names are likely to come
+ * from local hosts files or from NIS.
+ */
+
+ if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
+ return (gethostbyname(name));
+ } else {
+ sprintf(dot_name, "%s.", name);
+ hp = gethostbyname(dot_name);
+ if (hp)
+ return hp;
+ else
+ return (gethostbyname(name));
+ }
+}
+
+#define gethostbyname gethostbyname_dot
+#endif
+
+/* sock_host - look up endpoint addresses and install conversion methods */
+
+void sock_host(request)
+struct request_info *request;
+{
+#ifdef INET6
+ static struct sockaddr_storage client;
+ static struct sockaddr_storage server;
+#else
+ static struct sockaddr_in client;
+ static struct sockaddr_in server;
+#endif
+ int len;
+ char buf[BUFSIZ];
+ int fd = request->fd;
+
+ sock_methods(request);
+
+ /*
+ * Look up the client host address. Hal R. Brand <BRAND@addvax.llnl.gov>
+ * suggested how to get the client host info in case of UDP connections:
+ * peek at the first message without actually looking at its contents. We
+ * really should verify that client.sin_family gets the value AF_INET,
+ * but this program has already caused too much grief on systems with
+ * broken library code.
+ */
+
+ len = sizeof(client);
+ if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) {
+ request->sink = sock_sink;
+ len = sizeof(client);
+ if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK,
+ (struct sockaddr *) & client, &len) < 0) {
+ tcpd_warn("can't get client address: %m");
+ return; /* give up */
+ }
+#ifdef really_paranoid
+ memset(buf, 0 sizeof(buf));
+#endif
+ }
+#ifdef INET6
+ request->client->sin = (struct sockaddr *)&client;
+#else
+ request->client->sin = &client;
+#endif
+
+ /*
+ * Determine the server binding. This is used for client username
+ * lookups, and for access control rules that trigger on the server
+ * address or name.
+ */
+
+ len = sizeof(server);
+ if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) {
+ tcpd_warn("getsockname: %m");
+ return;
+ }
+#ifdef INET6
+ request->server->sin = (struct sockaddr *)&server;
+#else
+ request->server->sin = &server;
+#endif
+}
+
+/* sock_hostaddr - map endpoint address to printable form */
+
+void sock_hostaddr(host)
+struct host_info *host;
+{
+#ifdef INET6
+ struct sockaddr *sin = host->sin;
+ int salen;
+
+ if (!sin)
+ return;
+#ifdef SIN6_LEN
+ salen = sin->sa_len;
+#else
+ salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
+ : sizeof(struct sockaddr_in6);
+#endif
+ getnameinfo(sin, salen, host->addr, sizeof(host->addr),
+ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+#else
+ struct sockaddr_in *sin = host->sin;
+
+ if (sin != 0)
+ STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
+#endif
+}
+
+/* sock_hostname - map endpoint address to host name */
+
+void sock_hostname(host)
+struct host_info *host;
+{
+#ifdef INET6
+ struct sockaddr *sin = host->sin;
+ struct sockaddr_in sin4;
+ struct addrinfo hints, *res, *res0 = NULL;
+ int salen, alen, err = 1;
+ char *ap = NULL, *rap, hname[NI_MAXHOST];
+
+ if (sin != NULL) {
+ if (sin->sa_family == AF_INET6) {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
+
+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ memset(&sin4, 0, sizeof(sin4));
+#ifdef SIN6_LEN
+ sin4.sin_len = sizeof(sin4);
+#endif
+ sin4.sin_family = AF_INET;
+ sin4.sin_port = sin6->sin6_port;
+ sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
+ sin = (struct sockaddr *)&sin4;
+ }
+ }
+ switch (sin->sa_family) {
+ case AF_INET:
+ ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
+ alen = sizeof(struct in_addr);
+ salen = sizeof(struct sockaddr_in);
+ break;
+ case AF_INET6:
+ ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
+ alen = sizeof(struct in6_addr);
+ salen = sizeof(struct sockaddr_in6);
+ break;
+ default:
+ break;
+ }
+ if (ap)
+ err = getnameinfo(sin, salen, hname, sizeof(hname),
+ NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
+ }
+ if (!err) {
+
+ STRN_CPY(host->name, hname, sizeof(host->name));
+
+ /* reject numeric addresses */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = sin->sa_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
+ freeaddrinfo(res0);
+ res0 = NULL;
+ tcpd_warn("host name/name mismatch: "
+ "reverse lookup results in non-FQDN %s",
+ host->name);
+ strcpy(host->name, paranoid); /* name is bad, clobber it */
+ }
+ err = !err;
+ }
+ if (!err) {
+ /* we are now sure that this is non-numeric */
+
+ /*
+ * Verify that the address is a member of the address list returned
+ * by gethostbyname(hostname).
+ *
+ * Verify also that gethostbyaddr() and gethostbyname() return the same
+ * hostname, or rshd and rlogind may still end up being spoofed.
+ *
+ * On some sites, gethostbyname("localhost") returns "localhost.domain".
+ * This is a DNS artefact. We treat it as a special case. When we
+ * can't believe the address list from gethostbyname("localhost")
+ * we're in big trouble anyway.
+ */
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = sin->sa_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+ if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
+
+ /*
+ * Unable to verify that the host name matches the address. This
+ * may be a transient problem or a botched name server setup.
+ */
+
+ tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
+ host->name,
+ (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
+
+ } else if ((res0->ai_canonname == NULL
+ || STR_NE(host->name, res0->ai_canonname))
+ && STR_NE(host->name, "localhost")) {
+
+ /*
+ * The gethostbyaddr() and gethostbyname() calls did not return
+ * the same hostname. This could be a nameserver configuration
+ * problem. It could also be that someone is trying to spoof us.
+ */
+
+ tcpd_warn("host name/name mismatch: %s != %.*s",
+ host->name, STRING_LENGTH,
+ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+
+ } else {
+
+ /*
+ * The address should be a member of the address list returned by
+ * gethostbyname(). We should first verify that the h_addrtype
+ * field is AF_INET, but this program has already caused too much
+ * grief on systems with broken library code.
+ */
+
+ for (res = res0; res; res = res->ai_next) {
+ if (res->ai_family != sin->sa_family)
+ continue;
+ switch (res->ai_family) {
+ case AF_INET:
+ rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
+ break;
+ case AF_INET6:
+ /* need to check scope_id */
+ if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
+ ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
+ continue;
+ }
+ rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
+ break;
+ default:
+ continue;
+ }
+ if (memcmp(rap, ap, alen) == 0) {
+ freeaddrinfo(res0);
+ return; /* name is good, keep it */
+ }
+ }
+
+ /*
+ * The host name does not map to the initial address. Perhaps
+ * someone has messed up. Perhaps someone compromised a name
+ * server.
+ */
+
+ getnameinfo(sin, salen, hname, sizeof(hname),
+ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+ tcpd_warn("host name/address mismatch: %s != %.*s",
+ hname, STRING_LENGTH,
+ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+ }
+ strcpy(host->name, paranoid); /* name is bad, clobber it */
+ if (res0)
+ freeaddrinfo(res0);
+ }
+#else /* INET6 */
+ struct sockaddr_in *sin = host->sin;
+ struct hostent *hp;
+ int i;
+
+ /*
+ * On some systems, for example Solaris 2.3, gethostbyaddr(0.0.0.0) does
+ * not fail. Instead it returns "INADDR_ANY". Unfortunately, this does
+ * not work the other way around: gethostbyname("INADDR_ANY") fails. We
+ * have to special-case 0.0.0.0, in order to avoid false alerts from the
+ * host name/address checking code below.
+ */
+ if (sin != 0 && sin->sin_addr.s_addr != 0
+ && (hp = gethostbyaddr((char *) &(sin->sin_addr),
+ sizeof(sin->sin_addr), AF_INET)) != 0) {
+
+ STRN_CPY(host->name, hp->h_name, sizeof(host->name));
+
+ /*
+ * Verify that the address is a member of the address list returned
+ * by gethostbyname(hostname).
+ *
+ * Verify also that gethostbyaddr() and gethostbyname() return the same
+ * hostname, or rshd and rlogind may still end up being spoofed.
+ *
+ * On some sites, gethostbyname("localhost") returns "localhost.domain".
+ * This is a DNS artefact. We treat it as a special case. When we
+ * can't believe the address list from gethostbyname("localhost")
+ * we're in big trouble anyway.
+ */
+
+ if ((hp = gethostbyname(host->name)) == 0) {
+
+ /*
+ * Unable to verify that the host name matches the address. This
+ * may be a transient problem or a botched name server setup.
+ */
+
+ tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
+ host->name);
+
+ } else if (STR_NE(host->name, hp->h_name)
+ && STR_NE(host->name, "localhost")) {
+
+ /*
+ * The gethostbyaddr() and gethostbyname() calls did not return
+ * the same hostname. This could be a nameserver configuration
+ * problem. It could also be that someone is trying to spoof us.
+ */
+
+ tcpd_warn("host name/name mismatch: %s != %.*s",
+ host->name, STRING_LENGTH, hp->h_name);
+
+ } else {
+
+ /*
+ * The address should be a member of the address list returned by
+ * gethostbyname(). We should first verify that the h_addrtype
+ * field is AF_INET, but this program has already caused too much
+ * grief on systems with broken library code.
+ */
+
+ for (i = 0; hp->h_addr_list[i]; i++) {
+ if (memcmp(hp->h_addr_list[i],
+ (char *) &sin->sin_addr,
+ sizeof(sin->sin_addr)) == 0)
+ return; /* name is good, keep it */
+ }
+
+ /*
+ * The host name does not map to the initial address. Perhaps
+ * someone has messed up. Perhaps someone compromised a name
+ * server.
+ */
+
+ tcpd_warn("host name/address mismatch: %s != %.*s",
+ inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
+ }
+ strcpy(host->name, paranoid); /* name is bad, clobber it */
+ }
+#endif /* INET6 */
+}
+
+/* sock_sink - absorb unreceived IP datagram */
+
+static void sock_sink(fd)
+int fd;
+{
+ char buf[BUFSIZ];
+#ifdef INET6
+ struct sockaddr_storage sin;
+#else
+ struct sockaddr_in sin;
+#endif
+ int size = sizeof(sin);
+
+ /*
+ * Eat up the not-yet received datagram. Some systems insist on a
+ * non-zero source address argument in the recvfrom() call below.
+ */
+
+ (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & sin, &size);
+}
Index: tcp_wrappers_7.6-new/tcpd.c
===================================================================
--- tcp_wrappers_7.6-new/tcpd.c (nonexistent)
+++ tcp_wrappers_7.6-new/tcpd.c (revision 5)
@@ -0,0 +1,134 @@
+ /*
+ * General front end for stream and datagram IP services. This program logs
+ * the remote host name and then invokes the real daemon. For example,
+ * install as /usr/etc/{tftpd,fingerd,telnetd,ftpd,rlogind,rshd,rexecd},
+ * after saving the real daemons in the directory specified with the
+ * REAL_DAEMON_DIR macro. This arrangement requires that the network daemons
+ * are started by inetd or something similar. Connections and diagnostics
+ * are logged through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) tcpd.c 1.10 96/02/11 17:01:32";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+#ifndef MAXPATHNAMELEN
+#define MAXPATHNAMELEN BUFSIZ
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO 0
+#endif
+
+/* Local stuff. */
+
+#include "patchlevel.h"
+#include "tcpd.h"
+
+int allow_severity = SEVERITY; /* run-time adjustable */
+int deny_severity = LOG_WARNING; /* ditto */
+
+main(argc, argv)
+int argc;
+char **argv;
+{
+ struct request_info request;
+ char path[MAXPATHNAMELEN];
+
+ /* Attempt to prevent the creation of world-writable files. */
+
+#ifdef DAEMON_UMASK
+ umask(DAEMON_UMASK);
+#endif
+
+ /*
+ * If argv[0] is an absolute path name, ignore REAL_DAEMON_DIR, and strip
+ * argv[0] to its basename.
+ */
+
+ if (argv[0][0] == '/') {
+ strncpy(path, argv[0], sizeof(path));
+ argv[0] = strrchr(argv[0], '/') + 1;
+ } else {
+ snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]);
+ }
+
+ /*
+ * Open a channel to the syslog daemon. Older versions of openlog()
+ * require only two arguments.
+ */
+
+#ifdef LOG_MAIL
+ (void) openlog(argv[0], LOG_PID, FACILITY);
+#else
+ (void) openlog(argv[0], LOG_PID);
+#endif
+
+ /*
+ * Find out the endpoint addresses of this conversation. Host name
+ * lookups and double checks will be done on demand.
+ */
+
+ request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0);
+ fromhost(&request);
+
+ /*
+ * Optionally look up and double check the remote host name. Sites
+ * concerned with security may choose to refuse connections from hosts
+ * that pretend to have someone elses host name.
+ */
+
+#ifdef PARANOID
+ if (STR_EQ(eval_hostname(request.client), paranoid))
+ refuse(&request);
+#endif
+
+ /*
+ * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow
+ * socket options at the IP level. They do so for a good reason.
+ * Unfortunately, we cannot use this with SunOS 4.1.x because the
+ * getsockopt() system call can panic the system.
+ */
+
+#ifdef KILL_IP_OPTIONS
+ fix_options(&request);
+#endif
+
+ /*
+ * Check whether this host can access the service in argv[0]. The
+ * access-control code invokes optional shell commands as specified in
+ * the access-control tables.
+ */
+
+#ifdef HOSTS_ACCESS
+ if (!hosts_access(&request))
+ refuse(&request);
+#endif
+
+ /* Report request and invoke the real daemon program. */
+
+#ifdef INET6
+ syslog(allow_severity, "connect from %s (%s)",
+ eval_client(&request), eval_hostaddr(request.client));
+#else
+ syslog(allow_severity, "connect from %s", eval_client(&request));
+#endif
+ closelog();
+ (void) execv(path, argv);
+ syslog(LOG_ERR, "error: cannot execute %s: %m", path);
+ clean_exit(&request);
+ /* NOTREACHED */
+}
Index: tcp_wrappers_7.6-new/tcpd.h
===================================================================
--- tcp_wrappers_7.6-new/tcpd.h (nonexistent)
+++ tcp_wrappers_7.6-new/tcpd.h (revision 5)
@@ -0,0 +1,264 @@
+ /*
+ * @(#) tcpd.h 1.5 96/03/19 16:22:24
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef _TCPWRAPPERS_TCPD_H
+#define _TCPWRAPPERS_TCPD_H
+
+/* someone else may have defined this */
+#undef __P
+
+/* use prototypes if we have an ANSI C compiler or are using C++ */
+#if defined(__STDC__) || defined(__cplusplus)
+#define __P(args) args
+#else
+#define __P(args) ()
+#endif
+
+/* Need definitions of struct sockaddr_in and FILE. */
+#include <netinet/in.h>
+#include <stdio.h>
+
+__BEGIN_DECLS
+
+/* Structure to describe one communications endpoint. */
+
+#define STRING_LENGTH 128 /* hosts, users, processes */
+
+struct host_info {
+ char name[STRING_LENGTH]; /* access via eval_hostname(host) */
+ char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */
+#ifdef INET6
+ struct sockaddr *sin; /* socket address or 0 */
+#else
+ struct sockaddr_in *sin; /* socket address or 0 */
+#endif
+ struct t_unitdata *unit; /* TLI transport address or 0 */
+ struct request_info *request; /* for shared information */
+};
+
+/* Structure to describe what we know about a service request. */
+
+struct request_info {
+ int fd; /* socket handle */
+ char user[STRING_LENGTH]; /* access via eval_user(request) */
+ char daemon[STRING_LENGTH]; /* access via eval_daemon(request) */
+ char pid[10]; /* access via eval_pid(request) */
+ struct host_info client[1]; /* client endpoint info */
+ struct host_info server[1]; /* server endpoint info */
+ void (*sink) __P((int)); /* datagram sink function or 0 */
+ void (*hostname) __P((struct host_info *)); /* address to printable hostname */
+ void (*hostaddr) __P((struct host_info *)); /* address to printable address */
+ void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
+ struct netconfig *config; /* netdir handle */
+};
+
+/* Common string operations. Less clutter should be more readable. */
+
+#define STRN_CPY(d,s,l) { strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
+
+#define STRN_EQ(x,y,l) (strncasecmp((x),(y),(l)) == 0)
+#define STRN_NE(x,y,l) (strncasecmp((x),(y),(l)) != 0)
+#define STR_EQ(x,y) (strcasecmp((x),(y)) == 0)
+#define STR_NE(x,y) (strcasecmp((x),(y)) != 0)
+
+ /*
+ * Initially, all above strings have the empty value. Information that
+ * cannot be determined at runtime is set to "unknown", so that we can
+ * distinguish between `unavailable' and `not yet looked up'. A hostname
+ * that we do not believe in is set to "paranoid".
+ */
+
+#define STRING_UNKNOWN "unknown" /* lookup failed */
+#define STRING_PARANOID "paranoid" /* hostname conflict */
+
+extern char unknown[];
+extern char paranoid[];
+
+#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
+
+#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
+
+/* Global functions. */
+
+#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+extern void fromhost __P((struct request_info *)); /* get/validate client host info */
+#else
+#define fromhost sock_host /* no TLI support needed */
+#endif
+
+extern void shell_cmd __P((char *)); /* execute shell command */
+extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
+#ifdef INET6
+extern void rfc931 __P((struct sockaddr *, struct sockaddr *, char *)); /* client name from RFC 931 daemon */
+#else
+extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
+#endif
+extern void clean_exit __P((struct request_info *)); /* clean up and exit */
+extern void refuse __P((struct request_info *)); /* clean up and exit */
+extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */
+extern char *split_at __P((char *, int)); /* strchr() and split */
+extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
+
+/* Global variables. */
+
+#ifdef HAVE_WEAKSYMS
+extern int allow_severity __attribute__ ((weak)); /* for connection logging */
+extern int deny_severity __attribute__ ((weak)); /* for connection logging */
+#else
+extern int allow_severity; /* for connection logging */
+extern int deny_severity; /* for connection logging */
+#endif
+
+extern char *hosts_allow_table; /* for verification mode redirection */
+extern char *hosts_deny_table; /* for verification mode redirection */
+extern int hosts_access_verbose; /* for verbose matching mode */
+extern int rfc931_timeout; /* user lookup timeout */
+extern int resident; /* > 0 if resident process */
+
+ /*
+ * Routines for controlled initialization and update of request structure
+ * attributes. Each attribute has its own key.
+ */
+
+#ifdef __STDC__
+extern int hosts_access(struct request_info *request);
+extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
+ char *client_user);
+extern struct request_info *request_init(struct request_info *,...);
+extern struct request_info *request_set(struct request_info *,...);
+#else
+extern int hosts_access();
+extern int hosts_ctl();
+extern struct request_info *request_init(); /* initialize request */
+extern struct request_info *request_set(); /* update request structure */
+#endif
+
+#define RQ_FILE 1 /* file descriptor */
+#define RQ_DAEMON 2 /* server process (argv[0]) */
+#define RQ_USER 3 /* client user name */
+#define RQ_CLIENT_NAME 4 /* client host name */
+#define RQ_CLIENT_ADDR 5 /* client host address */
+#define RQ_CLIENT_SIN 6 /* client endpoint (internal) */
+#define RQ_SERVER_NAME 7 /* server host name */
+#define RQ_SERVER_ADDR 8 /* server host address */
+#define RQ_SERVER_SIN 9 /* server endpoint (internal) */
+
+ /*
+ * Routines for delayed evaluation of request attributes. Each attribute
+ * type has its own access method. The trivial ones are implemented by
+ * macros. The other ones are wrappers around the transport-specific host
+ * name, address, and client user lookup methods. The request_info and
+ * host_info structures serve as caches for the lookup results.
+ */
+
+extern char *eval_user __P((struct request_info *)); /* client user */
+extern char *eval_hostname __P((struct host_info *)); /* printable hostname */
+extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */
+extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */
+extern char *eval_client __P((struct request_info *)); /* whatever is available */
+extern char *eval_server __P((struct request_info *)); /* whatever is available */
+#define eval_daemon(r) ((r)->daemon) /* daemon process name */
+#define eval_pid(r) ((r)->pid) /* process id */
+
+/* Socket-specific methods, including DNS hostname lookups. */
+
+/* look up endpoint addresses */
+extern void sock_host __P((struct request_info *));
+/* translate address to hostname */
+extern void sock_hostname __P((struct host_info *));
+/* address to printable address */
+extern void sock_hostaddr __P((struct host_info *));
+
+#define sock_methods(r) \
+ { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
+
+/* The System V Transport-Level Interface (TLI) interface. */
+
+#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */
+#endif
+
+ /*
+ * Problem reporting interface. Additional file/line context is reported
+ * when available. The jump buffer (tcpd_buf) is not declared here, or
+ * everyone would have to include <setjmp.h>.
+ */
+
+#ifdef __STDC__
+extern void tcpd_warn(char *, ...); /* report problem and proceed */
+extern void tcpd_jump(char *, ...); /* report problem and jump */
+#else
+extern void tcpd_warn();
+extern void tcpd_jump();
+#endif
+
+struct tcpd_context {
+ char *file; /* current file */
+ int line; /* current line */
+};
+extern struct tcpd_context tcpd_context;
+
+ /*
+ * While processing access control rules, error conditions are handled by
+ * jumping back into the hosts_access() routine. This is cleaner than
+ * checking the return value of each and every silly little function. The
+ * (-1) returns are here because zero is already taken by longjmp().
+ */
+
+#define AC_PERMIT 1 /* permit access */
+#define AC_DENY (-1) /* deny_access */
+#define AC_ERROR AC_DENY /* XXX */
+
+ /*
+ * In verification mode an option function should just say what it would do,
+ * instead of really doing it. An option function that would not return
+ * should clear the dry_run flag to inform the caller of this unusual
+ * behavior.
+ */
+
+extern void process_options __P((char *, struct request_info *)); /* execute options */
+extern int dry_run; /* verification flag */
+
+/* Bug workarounds. */
+
+#ifdef INET_ADDR_BUG /* inet_addr() returns struct */
+#define inet_addr fix_inet_addr
+extern long fix_inet_addr();
+#endif
+
+#ifdef BROKEN_FGETS /* partial reads from sockets */
+#define fgets fix_fgets
+extern char *fix_fgets();
+#endif
+
+#ifdef RECVFROM_BUG /* no address family info */
+#define recvfrom fix_recvfrom
+extern int fix_recvfrom();
+#endif
+
+#ifdef GETPEERNAME_BUG /* claims success with UDP */
+#define getpeername fix_getpeername
+extern int fix_getpeername();
+#endif
+
+#ifdef SOLARIS_24_GETHOSTBYNAME_BUG /* lists addresses as aliases */
+#define gethostbyname fix_gethostbyname
+extern struct hostent *fix_gethostbyname();
+#endif
+
+#ifdef USE_STRSEP /* libc calls strtok() */
+#define strtok fix_strtok
+extern char *fix_strtok();
+#endif
+
+#ifdef LIBC_CALLS_STRTOK /* libc calls strtok() */
+#define strtok my_strtok
+extern char *my_strtok();
+#endif
+
+__END_DECLS
+
+#endif /* tcpd.h */
Index: tcp_wrappers_7.6-new/tcpdchk.c
===================================================================
--- tcp_wrappers_7.6-new/tcpdchk.c (nonexistent)
+++ tcp_wrappers_7.6-new/tcpdchk.c (revision 5)
@@ -0,0 +1,503 @@
+ /*
+ * tcpdchk - examine all tcpd access control rules and inetd.conf entries
+ *
+ * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
+ *
+ * -a: complain about implicit "allow" at end of rule.
+ *
+ * -d: rules in current directory.
+ *
+ * -i: location of inetd.conf file.
+ *
+ * -v: show all rules.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <setjmp.h>
+#include <errno.h>
+#include <netdb.h>
+#include <string.h>
+
+extern int errno;
+extern void exit();
+extern int optind;
+extern char *optarg;
+
+#ifndef INADDR_NONE
+#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
+#endif
+
+#ifndef S_ISDIR
+#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
+#endif
+
+/* Application-specific. */
+
+#include "tcpd.h"
+#include "inetcf.h"
+#include "scaffold.h"
+
+ /*
+ * Stolen from hosts_access.c...
+ */
+static char sep[] = ", \t\n";
+
+#define BUFLEN 2048
+
+int resident = 0;
+int hosts_access_verbose = 0;
+char *hosts_allow_table = HOSTS_ALLOW;
+char *hosts_deny_table = HOSTS_DENY;
+extern jmp_buf tcpd_buf;
+
+ /*
+ * Local stuff.
+ */
+static void usage();
+static void parse_table();
+static void print_list();
+static void check_daemon_list();
+static void check_client_list();
+static void check_daemon();
+static void check_user();
+static int check_host();
+static int reserved_name();
+
+#define PERMIT 1
+#define DENY 0
+
+#define YES 1
+#define NO 0
+
+static int defl_verdict;
+static char *myname;
+static int allow_check;
+static char *inetcf;
+
+int main(argc, argv)
+int argc;
+char **argv;
+{
+ struct request_info request;
+ struct stat st;
+ int c;
+
+ myname = argv[0];
+
+ /*
+ * Parse the JCL.
+ */
+ while ((c = getopt(argc, argv, "adi:v")) != EOF) {
+ switch (c) {
+ case 'a':
+ allow_check = 1;
+ break;
+ case 'd':
+ hosts_allow_table = "hosts.allow";
+ hosts_deny_table = "hosts.deny";
+ break;
+ case 'i':
+ inetcf = optarg;
+ break;
+ case 'v':
+ hosts_access_verbose++;
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+ }
+ if (argc != optind)
+ usage();
+
+ /*
+ * When confusion really strikes...
+ */
+ if (check_path(REAL_DAEMON_DIR, &st) < 0) {
+ tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
+ } else if (!S_ISDIR(st.st_mode)) {
+ tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
+ }
+
+ /*
+ * Process the inet configuration file (or its moral equivalent). This
+ * information is used later to find references in hosts.allow/deny to
+ * unwrapped services, and other possible problems.
+ */
+ inetcf = inet_cfg(inetcf);
+ if (hosts_access_verbose)
+ printf("Using network configuration file: %s\n", inetcf);
+
+ /*
+ * These are not run from inetd but may have built-in access control.
+ */
+ inet_set("portmap", WR_NOT);
+ inet_set("rpcbind", WR_NOT);
+
+ /*
+ * Check accessibility of access control files.
+ */
+ (void) check_path(hosts_allow_table, &st);
+ (void) check_path(hosts_deny_table, &st);
+
+ /*
+ * Fake up an arbitrary service request.
+ */
+ request_init(&request,
+ RQ_DAEMON, "daemon_name",
+ RQ_SERVER_NAME, "server_hostname",
+ RQ_SERVER_ADDR, "server_addr",
+ RQ_USER, "user_name",
+ RQ_CLIENT_NAME, "client_hostname",
+ RQ_CLIENT_ADDR, "client_addr",
+ RQ_FILE, 1,
+ 0);
+
+ /*
+ * Examine all access-control rules.
+ */
+ defl_verdict = PERMIT;
+ parse_table(hosts_allow_table, &request);
+ defl_verdict = DENY;
+ parse_table(hosts_deny_table, &request);
+ return (0);
+}
+
+/* usage - explain */
+
+static void usage()
+{
+ fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
+ fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
+ fprintf(stderr, " -d: use allow/deny files in current directory\n");
+ fprintf(stderr, " -i: location of inetd.conf file\n");
+ fprintf(stderr, " -v: list all rules\n");
+ exit(1);
+}
+
+/* parse_table - like table_match(), but examines _all_ entries */
+
+static void parse_table(table, request)
+char *table;
+struct request_info *request;
+{
+ FILE *fp;
+ int real_verdict;
+ char sv_list[BUFLEN]; /* becomes list of daemons */
+ char *cl_list; /* becomes list of requests */
+ char *sh_cmd; /* becomes optional shell command */
+ char buf[BUFSIZ];
+ int verdict;
+ struct tcpd_context saved_context;
+
+ saved_context = tcpd_context; /* stupid compilers */
+
+ if (fp = fopen(table, "r")) {
+ tcpd_context.file = table;
+ tcpd_context.line = 0;
+ while (xgets(sv_list, sizeof(sv_list), fp)) {
+ if (sv_list[strlen(sv_list) - 1] != '\n') {
+ tcpd_warn("missing newline or line too long");
+ continue;
+ }
+ if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
+ continue;
+ if ((cl_list = split_at(sv_list, ':')) == 0) {
+ tcpd_warn("missing \":\" separator");
+ continue;
+ }
+ sh_cmd = split_at(cl_list, ':');
+
+ if (hosts_access_verbose)
+ printf("\n>>> Rule %s line %d:\n",
+ tcpd_context.file, tcpd_context.line);
+
+ if (hosts_access_verbose)
+ print_list("daemons: ", sv_list);
+ check_daemon_list(sv_list);
+
+ if (hosts_access_verbose)
+ print_list("clients: ", cl_list);
+ check_client_list(cl_list);
+
+#ifdef PROCESS_OPTIONS
+ real_verdict = defl_verdict;
+ if (sh_cmd) {
+ verdict = setjmp(tcpd_buf);
+ if (verdict != 0) {
+ real_verdict = (verdict == AC_PERMIT);
+ } else {
+ dry_run = 1;
+ process_options(sh_cmd, request);
+ if (dry_run == 1 && real_verdict && allow_check)
+ tcpd_warn("implicit \"allow\" at end of rule");
+ }
+ } else if (defl_verdict && allow_check) {
+ tcpd_warn("implicit \"allow\" at end of rule");
+ }
+ if (hosts_access_verbose)
+ printf("access: %s\n", real_verdict ? "granted" : "denied");
+#else
+ if (sh_cmd)
+ shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
+ if (hosts_access_verbose)
+ printf("access: %s\n", defl_verdict ? "granted" : "denied");
+#endif
+ }
+ (void) fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("cannot open %s: %m", table);
+ }
+ tcpd_context = saved_context;
+}
+
+/* print_list - pretty-print a list */
+
+static void print_list(title, list)
+char *title;
+char *list;
+{
+ char buf[BUFLEN];
+ char *cp;
+ char *next;
+
+ fputs(title, stdout);
+ strcpy(buf, list);
+
+ for (cp = strtok(buf, sep); cp != 0; cp = next) {
+ fputs(cp, stdout);
+ next = strtok((char *) 0, sep);
+ if (next != 0)
+ fputs(" ", stdout);
+ }
+ fputs("\n", stdout);
+}
+
+/* check_daemon_list - criticize daemon list */
+
+static void check_daemon_list(list)
+char *list;
+{
+ char buf[BUFLEN];
+ char *cp;
+ char *host;
+ int daemons = 0;
+
+ strcpy(buf, list);
+
+ for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
+ if (STR_EQ(cp, "EXCEPT")) {
+ daemons = 0;
+ } else {
+ daemons++;
+ if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
+ tcpd_warn("host %s has more than one address", host);
+ tcpd_warn("(consider using an address instead)");
+ }
+ check_daemon(cp);
+ }
+ }
+ if (daemons == 0)
+ tcpd_warn("daemon list is empty or ends in EXCEPT");
+}
+
+/* check_client_list - criticize client list */
+
+static void check_client_list(list)
+char *list;
+{
+ char buf[BUFLEN];
+ char *cp;
+ char *host;
+ int clients = 0;
+
+ strcpy(buf, list);
+
+ for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
+ if (STR_EQ(cp, "EXCEPT")) {
+ clients = 0;
+ } else {
+ clients++;
+ if (host = split_at(cp + 1, '@')) { /* user@host */
+ check_user(cp);
+ check_host(host);
+ } else {
+ check_host(cp);
+ }
+ }
+ }
+ if (clients == 0)
+ tcpd_warn("client list is empty or ends in EXCEPT");
+}
+
+/* check_daemon - criticize daemon pattern */
+
+static void check_daemon(pat)
+char *pat;
+{
+ if (pat[0] == '@') {
+ tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '.') {
+ tcpd_warn("%s: daemon name begins with dot", pat);
+ } else if (pat[strlen(pat) - 1] == '.') {
+ tcpd_warn("%s: daemon name ends in dot", pat);
+ } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
+ /* void */ ;
+ } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
+ tcpd_warn("FAIL is no longer recognized");
+ tcpd_warn("(use EXCEPT or DENY instead)");
+ } else if (reserved_name(pat)) {
+ tcpd_warn("%s: daemon name may be reserved word", pat);
+ } else {
+ switch (inet_get(pat)) {
+ case WR_UNKNOWN:
+ tcpd_warn("%s: no such process name in %s", pat, inetcf);
+ inet_set(pat, WR_YES); /* shut up next time */
+ break;
+ case WR_NOT:
+ tcpd_warn("%s: service possibly not wrapped", pat);
+ inet_set(pat, WR_YES);
+ break;
+ }
+ }
+}
+
+/* check_user - criticize user pattern */
+
+static void check_user(pat)
+char *pat;
+{
+ if (pat[0] == '@') { /* @netgroup */
+ tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '.') {
+ tcpd_warn("%s: user name begins with dot", pat);
+ } else if (pat[strlen(pat) - 1] == '.') {
+ tcpd_warn("%s: user name ends in dot", pat);
+ } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
+ || STR_EQ(pat, "KNOWN")) {
+ /* void */ ;
+ } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
+ tcpd_warn("FAIL is no longer recognized");
+ tcpd_warn("(use EXCEPT or DENY instead)");
+ } else if (reserved_name(pat)) {
+ tcpd_warn("%s: user name may be reserved word", pat);
+ }
+}
+
+#ifdef INET6
+static int is_inet6_addr(pat)
+ char *pat;
+{
+ struct addrinfo hints, *res;
+ int len, ret;
+ char ch;
+
+ if (*pat != '[')
+ return (0);
+ len = strlen(pat);
+ if ((ch = pat[len - 1]) != ']')
+ return (0);
+ pat[len - 1] = '\0';
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+ if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
+ freeaddrinfo(res);
+ pat[len - 1] = ch;
+ return (ret == 0);
+}
+#endif
+
+/* check_host - criticize host pattern */
+
+static int check_host(pat)
+char *pat;
+{
+ char *mask;
+ int addr_count = 1;
+
+ if (pat[0] == '@') { /* @netgroup */
+#ifdef NO_NETGRENT
+ /* SCO has no *netgrent() support */
+#else
+#ifdef NETGROUP
+ char *machinep;
+ char *userp;
+ char *domainp;
+
+ setnetgrent(pat + 1);
+ if (getnetgrent(&machinep, &userp, &domainp) == 0)
+ tcpd_warn("%s: unknown or empty netgroup", pat + 1);
+ endnetgrent();
+#else
+ tcpd_warn("netgroup support disabled");
+#endif
+#endif
+ } else if (mask = split_at(pat, '/')) { /* network/netmask */
+#ifdef INET6
+ int mask_len;
+
+ if ((dot_quad_addr(pat) == INADDR_NONE
+ || dot_quad_addr(mask) == INADDR_NONE)
+ && (!is_inet6_addr(pat)
+ || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
+#else
+ if (dot_quad_addr(pat) == INADDR_NONE
+ || dot_quad_addr(mask) == INADDR_NONE)
+#endif
+ tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
+ } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
+ tcpd_warn("FAIL is no longer recognized");
+ tcpd_warn("(use EXCEPT or DENY instead)");
+ } else if (reserved_name(pat)) { /* other reserved */
+ /* void */ ;
+#ifdef INET6
+ } else if (is_inet6_addr(pat)) { /* IPv6 address */
+ addr_count = 1;
+#endif
+ } else if (NOT_INADDR(pat)) { /* internet name */
+ if (pat[strlen(pat) - 1] == '.') {
+ tcpd_warn("%s: domain or host name ends in dot", pat);
+ } else if (pat[0] != '.') {
+ addr_count = check_dns(pat);
+ }
+ } else { /* numeric form */
+ if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
+ /* void */ ;
+ } else if (pat[0] == '.') {
+ tcpd_warn("%s: network number begins with dot", pat);
+ } else if (pat[strlen(pat) - 1] != '.') {
+ check_dns(pat);
+ }
+ }
+ return (addr_count);
+}
+
+/* reserved_name - determine if name is reserved */
+
+static int reserved_name(pat)
+char *pat;
+{
+ return (STR_EQ(pat, unknown)
+ || STR_EQ(pat, "KNOWN")
+ || STR_EQ(pat, paranoid)
+ || STR_EQ(pat, "ALL")
+ || STR_EQ(pat, "LOCAL"));
+}
Index: tcp_wrappers_7.6-new/tcpdmatch.c
===================================================================
--- tcp_wrappers_7.6-new/tcpdmatch.c (nonexistent)
+++ tcp_wrappers_7.6-new/tcpdmatch.c (revision 5)
@@ -0,0 +1,389 @@
+ /*
+ * tcpdmatch - explain what tcpd would do in a specific case
+ *
+ * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
+ *
+ * -d: use the access control tables in the current directory.
+ *
+ * -i: location of inetd.conf file.
+ *
+ * All errors are reported to the standard error stream, including the errors
+ * that would normally be reported via the syslog daemon.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <setjmp.h>
+#include <string.h>
+
+extern void exit();
+extern int optind;
+extern char *optarg;
+
+#ifndef INADDR_NONE
+#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
+#endif
+
+#ifndef S_ISDIR
+#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
+#endif
+
+/* Application-specific. */
+
+#include "tcpd.h"
+#include "inetcf.h"
+#include "scaffold.h"
+
+static void usage();
+static void tcpdmatch();
+
+/* The main program */
+
+int main(argc, argv)
+int argc;
+char **argv;
+{
+#ifdef INET6
+ struct addrinfo hints, *hp, *res;
+#else
+ struct hostent *hp;
+#endif
+ char *myname = argv[0];
+ char *client;
+ char *server;
+ char *addr;
+ char *user;
+ char *daemon;
+ struct request_info request;
+ int ch;
+ char *inetcf = 0;
+ int count;
+#ifdef INET6
+ struct sockaddr_storage server_sin;
+ struct sockaddr_storage client_sin;
+#else
+ struct sockaddr_in server_sin;
+ struct sockaddr_in client_sin;
+#endif
+ struct stat st;
+
+ /*
+ * Show what rule actually matched.
+ */
+ hosts_access_verbose = 2;
+
+ /*
+ * Parse the JCL.
+ */
+ while ((ch = getopt(argc, argv, "di:")) != EOF) {
+ switch (ch) {
+ case 'd':
+ hosts_allow_table = "hosts.allow";
+ hosts_deny_table = "hosts.deny";
+ break;
+ case 'i':
+ inetcf = optarg;
+ break;
+ default:
+ usage(myname);
+ /* NOTREACHED */
+ }
+ }
+ if (argc != optind + 2)
+ usage(myname);
+
+ /*
+ * When confusion really strikes...
+ */
+ if (check_path(REAL_DAEMON_DIR, &st) < 0) {
+ tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
+ } else if (!S_ISDIR(st.st_mode)) {
+ tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
+ }
+
+ /*
+ * Default is to specify a daemon process name. When daemon@host is
+ * specified, separate the two parts.
+ */
+ if ((server = split_at(argv[optind], '@')) == 0)
+ server = unknown;
+ if (argv[optind][0] == '/') {
+ daemon = strrchr(argv[optind], '/') + 1;
+ tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
+ } else {
+ daemon = argv[optind];
+ }
+
+ /*
+ * Default is to specify a client hostname or address. When user@host is
+ * specified, separate the two parts.
+ */
+ if ((client = split_at(argv[optind + 1], '@')) != 0) {
+ user = argv[optind + 1];
+ } else {
+ client = argv[optind + 1];
+ user = unknown;
+ }
+
+ /*
+ * Analyze the inetd (or tlid) configuration file, so that we can warn
+ * the user about services that may not be wrapped, services that are not
+ * configured, or services that are wrapped in an incorrect manner. Allow
+ * for services that are not run from inetd, or that have tcpd access
+ * control built into them.
+ */
+ inetcf = inet_cfg(inetcf);
+ inet_set("portmap", WR_NOT);
+ inet_set("rpcbind", WR_NOT);
+ switch (inet_get(daemon)) {
+ case WR_UNKNOWN:
+ tcpd_warn("%s: no such process name in %s", daemon, inetcf);
+ break;
+ case WR_NOT:
+ tcpd_warn("%s: service possibly not wrapped", daemon);
+ break;
+ }
+
+ /*
+ * Check accessibility of access control files.
+ */
+ (void) check_path(hosts_allow_table, &st);
+ (void) check_path(hosts_deny_table, &st);
+
+ /*
+ * Fill in what we have figured out sofar. Use socket and DNS routines
+ * for address and name conversions. We attach stdout to the request so
+ * that banner messages will become visible.
+ */
+ request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
+ sock_methods(&request);
+
+ /*
+ * If a server hostname is specified, insist that the name maps to at
+ * most one address. eval_hostname() warns the user about name server
+ * problems, while using the request.server structure as a cache for host
+ * address and name conversion results.
+ */
+ if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
+ if ((hp = find_inet_addr(server)) == 0)
+ exit(1);
+#ifndef INET6
+ memset((char *) &server_sin, 0, sizeof(server_sin));
+ server_sin.sin_family = AF_INET;
+#endif
+ request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
+
+#ifdef INET6
+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
+ memcpy(&server_sin, res->ai_addr, res->ai_addrlen);
+#else
+ for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ memcpy((char *) &server_sin.sin_addr, addr,
+ sizeof(server_sin.sin_addr));
+#endif
+
+ /*
+ * Force evaluation of server host name and address. Host name
+ * conflicts will be reported while eval_hostname() does its job.
+ */
+ request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
+ if (STR_EQ(eval_hostname(request.server), unknown))
+ tcpd_warn("host address %s->name lookup failed",
+ eval_hostaddr(request.server));
+ }
+ if (count > 1) {
+ fprintf(stderr, "Error: %s has more than one address\n", server);
+ fprintf(stderr, "Please specify an address instead\n");
+ exit(1);
+ }
+#ifdef INET6
+ freeaddrinfo(hp);
+#else
+ free((char *) hp);
+#endif
+ } else {
+ request_set(&request, RQ_SERVER_NAME, server, 0);
+ }
+
+ /*
+ * If a client address is specified, we simulate the effect of client
+ * hostname lookup failure.
+ */
+ if (dot_quad_addr(client) != INADDR_NONE) {
+ request_set(&request, RQ_CLIENT_ADDR, client, 0);
+ tcpdmatch(&request);
+ exit(0);
+ }
+#ifdef INET6
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+ if (getaddrinfo(client, NULL, &hints, &res) == 0) {
+ freeaddrinfo(res);
+ request_set(&request, RQ_CLIENT_ADDR, client, 0);
+ tcpdmatch(&request);
+ exit(0);
+ }
+#endif
+
+ /*
+ * Perhaps they are testing special client hostname patterns that aren't
+ * really host names at all.
+ */
+ if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
+ request_set(&request, RQ_CLIENT_NAME, client, 0);
+ tcpdmatch(&request);
+ exit(0);
+ }
+
+ /*
+ * Otherwise, assume that a client hostname is specified, and insist that
+ * the address can be looked up. The reason for this requirement is that
+ * in real life the client address is available (at least with IP). Let
+ * eval_hostname() figure out if this host is properly registered, while
+ * using the request.client structure as a cache for host name and
+ * address conversion results.
+ */
+ if ((hp = find_inet_addr(client)) == 0)
+ exit(1);
+#ifdef INET6
+ request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
+
+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
+ memcpy(&client_sin, res->ai_addr, res->ai_addrlen);
+
+ /*
+ * getnameinfo() doesn't do reverse lookup against link-local
+ * address. So, we pass through host name evaluation against
+ * such addresses.
+ */
+ if (res->ai_family != AF_INET6 ||
+ !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
+ /*
+ * Force evaluation of client host name and address. Host name
+ * conflicts will be reported while eval_hostname() does its job.
+ */
+ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
+ if (STR_EQ(eval_hostname(request.client), unknown))
+ tcpd_warn("host address %s->name lookup failed",
+ eval_hostaddr(request.client));
+ }
+ tcpdmatch(&request);
+ if (res->ai_next)
+ printf("\n");
+ }
+ freeaddrinfo(hp);
+#else
+ memset((char *) &client_sin, 0, sizeof(client_sin));
+ client_sin.sin_family = AF_INET;
+ request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
+
+ for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ memcpy((char *) &client_sin.sin_addr, addr,
+ sizeof(client_sin.sin_addr));
+
+ /*
+ * Force evaluation of client host name and address. Host name
+ * conflicts will be reported while eval_hostname() does its job.
+ */
+ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
+ if (STR_EQ(eval_hostname(request.client), unknown))
+ tcpd_warn("host address %s->name lookup failed",
+ eval_hostaddr(request.client));
+ tcpdmatch(&request);
+ if (hp->h_addr_list[count + 1])
+ printf("\n");
+ }
+ free((char *) hp);
+#endif
+ exit(0);
+}
+
+/* Explain how to use this program */
+
+static void usage(myname)
+char *myname;
+{
+ fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
+ myname);
+ fprintf(stderr, " -d: use allow/deny files in current directory\n");
+ fprintf(stderr, " -i: location of inetd.conf file\n");
+ exit(1);
+}
+
+/* Print interesting expansions */
+
+static void expand(text, pattern, request)
+char *text;
+char *pattern;
+struct request_info *request;
+{
+ char buf[BUFSIZ];
+
+ if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
+ printf("%s %s\n", text, buf);
+}
+
+/* Try out a (server,client) pair */
+
+static void tcpdmatch(request)
+struct request_info *request;
+{
+ int verdict;
+
+ /*
+ * Show what we really know. Suppress uninteresting noise.
+ */
+ expand("client: hostname", "%n", request);
+ expand("client: address ", "%a", request);
+ expand("client: username", "%u", request);
+ expand("server: hostname", "%N", request);
+ expand("server: address ", "%A", request);
+ expand("server: process ", "%d", request);
+
+ /*
+ * Reset stuff that might be changed by options handlers. In dry-run
+ * mode, extension language routines that would not return should inform
+ * us of their plan, by clearing the dry_run flag. This is a bit clumsy
+ * but we must be able to verify hosts with more than one network
+ * address.
+ */
+ rfc931_timeout = RFC931_TIMEOUT;
+ allow_severity = SEVERITY;
+ deny_severity = LOG_WARNING;
+ dry_run = 1;
+
+ /*
+ * When paranoid mode is enabled, access is rejected no matter what the
+ * access control rules say.
+ */
+#ifdef PARANOID
+ if (STR_EQ(eval_hostname(request->client), paranoid)) {
+ printf("access: denied (PARANOID mode)\n\n");
+ return;
+ }
+#endif
+
+ /*
+ * Report the access control verdict.
+ */
+ verdict = hosts_access(request);
+ printf("access: %s\n",
+ dry_run == 0 ? "delegated" :
+ verdict ? "granted" : "denied");
+}
Index: tcp_wrappers_7.6-new/tli.c
===================================================================
--- tcp_wrappers_7.6-new/tli.c (nonexistent)
+++ tcp_wrappers_7.6-new/tli.c (revision 5)
@@ -0,0 +1,369 @@
+ /*
+ * tli_host() determines the type of transport (connected, connectionless),
+ * the transport address of a client host, and the transport address of a
+ * server endpoint. In addition, it provides methods to map a transport
+ * address to a printable host name or address. Socket address results are
+ * in static memory; tli structures are allocated from the heap.
+ *
+ * The result from the hostname lookup method is STRING_PARANOID when a host
+ * pretends to have someone elses name, or when a host name is available but
+ * could not be verified.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) tli.c 1.15 97/03/21 19:27:25";
+#endif
+
+#ifdef TLI
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stream.h>
+#include <sys/stat.h>
+#include <sys/mkdev.h>
+#include <sys/tiuser.h>
+#include <sys/timod.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <errno.h>
+#include <netconfig.h>
+#include <netdir.h>
+#include <string.h>
+
+extern char *nc_sperror();
+extern int errno;
+extern char *sys_errlist[];
+extern int sys_nerr;
+extern int t_errno;
+extern char *t_errlist[];
+extern int t_nerr;
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void tli_endpoints();
+static struct netconfig *tli_transport();
+static void tli_hostname();
+static void tli_hostaddr();
+static void tli_cleanup();
+static char *tli_error();
+static void tli_sink();
+
+/* tli_host - look up endpoint addresses and install conversion methods */
+
+void tli_host(request)
+struct request_info *request;
+{
+#ifdef INET6
+ static struct sockaddr_storage client;
+ static struct sockaddr_storage server;
+#else
+ static struct sockaddr_in client;
+ static struct sockaddr_in server;
+#endif
+
+ /*
+ * If we discover that we are using an IP transport, pretend we never
+ * were here. Otherwise, use the transport-independent method and stick
+ * to generic network addresses. XXX hard-coded protocol family name.
+ */
+
+ tli_endpoints(request);
+ if ((request->config = tli_transport(request->fd)) != 0
+#ifdef INET6
+ && (STR_EQ(request->config->nc_protofmly, "inet") ||
+ STR_EQ(request->config->nc_protofmly, "inet6"))) {
+#else
+ && STR_EQ(request->config->nc_protofmly, "inet")) {
+#endif
+ if (request->client->unit != 0) {
+#ifdef INET6
+ client = *(struct sockaddr_storage *) request->client->unit->addr.buf;
+ request->client->sin = (struct sockaddr *) &client;
+#else
+ client = *(struct sockaddr_in *) request->client->unit->addr.buf;
+ request->client->sin = &client;
+#endif
+ }
+ if (request->server->unit != 0) {
+#ifdef INET6
+ server = *(struct sockaddr_storage *) request->server->unit->addr.buf;
+ request->server->sin = (struct sockaddr *) &server;
+#else
+ server = *(struct sockaddr_in *) request->server->unit->addr.buf;
+ request->server->sin = &server;
+#endif
+ }
+ tli_cleanup(request);
+ sock_methods(request);
+ } else {
+ request->hostname = tli_hostname;
+ request->hostaddr = tli_hostaddr;
+ request->cleanup = tli_cleanup;
+ }
+}
+
+/* tli_cleanup - cleanup some dynamically-allocated data structures */
+
+static void tli_cleanup(request)
+struct request_info *request;
+{
+ if (request->config != 0)
+ freenetconfigent(request->config);
+ if (request->client->unit != 0)
+ t_free((char *) request->client->unit, T_UNITDATA);
+ if (request->server->unit != 0)
+ t_free((char *) request->server->unit, T_UNITDATA);
+}
+
+/* tli_endpoints - determine TLI client and server endpoint information */
+
+static void tli_endpoints(request)
+struct request_info *request;
+{
+ struct t_unitdata *server;
+ struct t_unitdata *client;
+ int fd = request->fd;
+ int flags;
+
+ /*
+ * Determine the client endpoint address. With unconnected services, peek
+ * at the sender address of the pending protocol data unit without
+ * popping it off the receive queue. This trick works because only the
+ * address member of the unitdata structure has been allocated.
+ *
+ * Beware of successful returns with zero-length netbufs (for example,
+ * Solaris 2.3 with ticlts transport). The netdir(3) routines can't
+ * handle that. Assume connection-less transport when TI_GETPEERNAME
+ * produces no usable result, even when t_rcvudata() is unable to figure
+ * out the peer address. Better to hang than to loop.
+ */
+
+ if ((client = (struct t_unitdata *) t_alloc(fd, T_UNITDATA, T_ADDR)) == 0) {
+ tcpd_warn("t_alloc: %s", tli_error());
+ return;
+ }
+ if (ioctl(fd, TI_GETPEERNAME, &client->addr) < 0 || client->addr.len == 0) {
+ request->sink = tli_sink;
+ if (t_rcvudata(fd, client, &flags) < 0 || client->addr.len == 0) {
+ tcpd_warn("can't get client address: %s", tli_error());
+ t_free((void *) client, T_UNITDATA);
+ return;
+ }
+ }
+ request->client->unit = client;
+
+ /*
+ * Look up the server endpoint address. This can be used for filtering on
+ * server address or name, or to look up the client user.
+ */
+
+ if ((server = (struct t_unitdata *) t_alloc(fd, T_UNITDATA, T_ADDR)) == 0) {
+ tcpd_warn("t_alloc: %s", tli_error());
+ return;
+ }
+ if (ioctl(fd, TI_GETMYNAME, &server->addr) < 0) {
+ tcpd_warn("TI_GETMYNAME: %m");
+ t_free((void *) server, T_UNITDATA);
+ return;
+ }
+ request->server->unit = server;
+}
+
+/* tli_transport - find out TLI transport type */
+
+static struct netconfig *tli_transport(fd)
+int fd;
+{
+ struct stat from_client;
+ struct stat from_config;
+ void *handlep;
+ struct netconfig *config;
+
+ /*
+ * Assuming that the network device is a clone device, we must compare
+ * the major device number of stdin to the minor device number of the
+ * devices listed in the netconfig table.
+ */
+
+ if (fstat(fd, &from_client) != 0) {
+ tcpd_warn("fstat(fd %d): %m", fd);
+ return (0);
+ }
+ if ((handlep = setnetconfig()) == 0) {
+ tcpd_warn("setnetconfig: %m");
+ return (0);
+ }
+ while (config = getnetconfig(handlep)) {
+ if (stat(config->nc_device, &from_config) == 0) {
+#ifdef NO_CLONE_DEVICE
+ /*
+ * If the network devices are not cloned (as is the case for
+ * Solaris 8 Beta), we must compare the major device numbers.
+ */
+ if (major(from_config.st_rdev) == major(from_client.st_rdev))
+#else
+ if (minor(from_config.st_rdev) == major(from_client.st_rdev))
+#endif
+ break;
+ }
+ }
+ if (config == 0) {
+ tcpd_warn("unable to identify transport protocol");
+ return (0);
+ }
+
+ /*
+ * Something else may clobber our getnetconfig() result, so we'd better
+ * acquire our private copy.
+ */
+
+ if ((config = getnetconfigent(config->nc_netid)) == 0) {
+ tcpd_warn("getnetconfigent(%s): %s", config->nc_netid, nc_sperror());
+ return (0);
+ }
+ return (config);
+}
+
+/* tli_hostaddr - map TLI transport address to printable address */
+
+static void tli_hostaddr(host)
+struct host_info *host;
+{
+ struct request_info *request = host->request;
+ struct netconfig *config = request->config;
+ struct t_unitdata *unit = host->unit;
+ char *uaddr;
+
+ if (config != 0 && unit != 0
+ && (uaddr = taddr2uaddr(config, &unit->addr)) != 0) {
+ STRN_CPY(host->addr, uaddr, sizeof(host->addr));
+ free(uaddr);
+ }
+}
+
+/* tli_hostname - map TLI transport address to hostname */
+
+static void tli_hostname(host)
+struct host_info *host;
+{
+ struct request_info *request = host->request;
+ struct netconfig *config = request->config;
+ struct t_unitdata *unit = host->unit;
+ struct nd_hostservlist *servlist;
+
+ if (config != 0 && unit != 0
+ && netdir_getbyaddr(config, &servlist, &unit->addr) == ND_OK) {
+
+ struct nd_hostserv *service = servlist->h_hostservs;
+ struct nd_addrlist *addr_list;
+ int found = 0;
+
+ if (netdir_getbyname(config, service, &addr_list) != ND_OK) {
+
+ /*
+ * Unable to verify that the name matches the address. This may
+ * be a transient problem or a botched name server setup. We
+ * decide to play safe.
+ */
+
+ tcpd_warn("can't verify hostname: netdir_getbyname(%.*s) failed",
+ STRING_LENGTH, service->h_host);
+
+ } else {
+
+ /*
+ * Look up the host address in the address list we just got. The
+ * comparison is done on the textual representation, because the
+ * transport address is an opaque structure that may have holes
+ * with uninitialized garbage. This approach obviously loses when
+ * the address does not have a textual representation.
+ */
+
+ char *uaddr = eval_hostaddr(host);
+ char *ua;
+ int i;
+
+ for (i = 0; found == 0 && i < addr_list->n_cnt; i++) {
+ if ((ua = taddr2uaddr(config, &(addr_list->n_addrs[i]))) != 0) {
+ found = !strcmp(ua, uaddr);
+ free(ua);
+ }
+ }
+ netdir_free((void *) addr_list, ND_ADDRLIST);
+
+ /*
+ * When the host name does not map to the initial address, assume
+ * someone has compromised a name server. More likely someone
+ * botched it, but that could be dangerous, too.
+ */
+
+ if (found == 0)
+ tcpd_warn("host name/address mismatch: %s != %.*s",
+ host->addr, STRING_LENGTH, service->h_host);
+ }
+ STRN_CPY(host->name, found ? service->h_host : paranoid,
+ sizeof(host->name));
+ netdir_free((void *) servlist, ND_HOSTSERVLIST);
+ }
+}
+
+/* tli_error - convert tli error number to text */
+
+static char *tli_error()
+{
+ static char buf[40];
+
+ if (t_errno != TSYSERR) {
+ if (t_errno < 0 || t_errno >= t_nerr) {
+ sprintf(buf, "Unknown TLI error %d", t_errno);
+ return (buf);
+ } else {
+ return (t_errlist[t_errno]);
+ }
+ } else {
+ if (errno < 0 || errno >= sys_nerr) {
+ sprintf(buf, "Unknown UNIX error %d", errno);
+ return (buf);
+ } else {
+ return (sys_errlist[errno]);
+ }
+ }
+}
+
+/* tli_sink - absorb unreceived datagram */
+
+static void tli_sink(fd)
+int fd;
+{
+ struct t_unitdata *unit;
+ int flags;
+
+ /*
+ * Something went wrong. Absorb the datagram to keep inetd from looping.
+ * Allocate storage for address, control and data. If that fails, sleep
+ * for a couple of seconds in an attempt to keep inetd from looping too
+ * fast.
+ */
+
+ if ((unit = (struct t_unitdata *) t_alloc(fd, T_UNITDATA, T_ALL)) == 0) {
+ tcpd_warn("t_alloc: %s", tli_error());
+ sleep(5);
+ } else {
+ (void) t_rcvudata(fd, unit, &flags);
+ t_free((void *) unit, T_UNITDATA);
+ }
+}
+
+#endif /* TLI */
Index: tcp_wrappers_7.6-new/update.c
===================================================================
--- tcp_wrappers_7.6-new/update.c (nonexistent)
+++ tcp_wrappers_7.6-new/update.c (revision 5)
@@ -0,0 +1,127 @@
+ /*
+ * Routines for controlled update/initialization of request structures.
+ *
+ * request_init() initializes its argument. Pointers and string-valued members
+ * are initialized to zero, to indicate that no lookup has been attempted.
+ *
+ * request_set() adds information to an already initialized request structure.
+ *
+ * Both functions take a variable-length name-value list.
+ *
+ * Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) update.c 1.1 94/12/28 17:42:56";
+#endif
+
+/* System libraries */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+/* Local stuff. */
+
+#include "mystdarg.h"
+#include "tcpd.h"
+
+/* request_fill - request update engine */
+
+static struct request_info *request_fill(request, ap)
+struct request_info *request;
+va_list ap;
+{
+ int key;
+ char *ptr;
+
+ while ((key = va_arg(ap, int)) > 0) {
+ switch (key) {
+ default:
+ tcpd_warn("request_fill: invalid key: %d", key);
+ return (request);
+ case RQ_FILE:
+ request->fd = va_arg(ap, int);
+ continue;
+ case RQ_CLIENT_SIN:
+#ifdef INET6
+ request->client->sin = va_arg(ap, struct sockaddr *);
+#else
+ request->client->sin = va_arg(ap, struct sockaddr_in *);
+#endif
+ continue;
+ case RQ_SERVER_SIN:
+#ifdef INET6
+ request->server->sin = va_arg(ap, struct sockaddr *);
+#else
+ request->server->sin = va_arg(ap, struct sockaddr_in *);
+#endif
+ continue;
+
+ /*
+ * All other fields are strings with the same maximal length.
+ */
+
+ case RQ_DAEMON:
+ ptr = request->daemon;
+ break;
+ case RQ_USER:
+ ptr = request->user;
+ break;
+ case RQ_CLIENT_NAME:
+ ptr = request->client->name;
+ break;
+ case RQ_CLIENT_ADDR:
+ ptr = request->client->addr;
+ break;
+ case RQ_SERVER_NAME:
+ ptr = request->server->name;
+ break;
+ case RQ_SERVER_ADDR:
+ ptr = request->server->addr;
+ break;
+ }
+ STRN_CPY(ptr, va_arg(ap, char *), STRING_LENGTH);
+ }
+ return (request);
+}
+
+/* request_init - initialize request structure */
+
+struct request_info *VARARGS(request_init, struct request_info *, request)
+{
+ static struct request_info default_info;
+ struct request_info *r;
+ va_list ap;
+
+ /*
+ * Initialize data members. We do not assign default function pointer
+ * members, to avoid pulling in the whole socket module when it is not
+ * really needed.
+ */
+ VASTART(ap, struct request_info *, request);
+ *request = default_info;
+ request->fd = -1;
+ strcpy(request->daemon, unknown);
+ sprintf(request->pid, "%d", getpid());
+ request->client->request = request;
+ request->server->request = request;
+ r = request_fill(request, ap);
+ VAEND(ap);
+ return (r);
+}
+
+/* request_set - update request structure */
+
+struct request_info *VARARGS(request_set, struct request_info *, request)
+{
+ struct request_info *r;
+ va_list ap;
+
+ VASTART(ap, struct request_info *, request);
+ r = request_fill(request, ap);
+ VAEND(ap);
+ return (r);
+}
Index: tcp_wrappers_7.6-new/weak_symbols.c
===================================================================
--- tcp_wrappers_7.6-new/weak_symbols.c (nonexistent)
+++ tcp_wrappers_7.6-new/weak_symbols.c (revision 5)
@@ -0,0 +1,11 @@
+ /*
+ * @(#) weak_symbols.h 1.5 99/12/29 23:50
+ *
+ * Author: Anthony Towns <ajt@debian.org>
+ */
+
+#ifdef HAVE_WEAKSYMS
+#include <syslog.h>
+int deny_severity = LOG_WARNING;
+int allow_severity = SEVERITY;
+#endif
Index: tcp_wrappers_7.6-new/workarounds.c
===================================================================
--- tcp_wrappers_7.6-new/workarounds.c (nonexistent)
+++ tcp_wrappers_7.6-new/workarounds.c (revision 5)
@@ -0,0 +1,319 @@
+ /*
+ * Workarounds for known system software bugs. This module provides wrappers
+ * around library functions and system calls that are known to have problems
+ * on some systems. Most of these workarounds won't do any harm on regular
+ * systems.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+char sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+extern int errno;
+
+#include "tcpd.h"
+
+ /*
+ * Some AIX versions advertise a too small MAXHOSTNAMELEN value (32).
+ * Result: long hostnames would be truncated, and connections would be
+ * dropped because of host name verification failures. Adrian van Bloois
+ * (A.vanBloois@info.nic.surfnet.nl) figured out what was the problem.
+ */
+
+#if (MAXHOSTNAMELEN < 64)
+#undef MAXHOSTNAMELEN
+#endif
+
+/* In case not defined in <sys/param.h>. */
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 256 /* storage for host name */
+#endif
+
+ /*
+ * Some DG/UX inet_addr() versions return a struct/union instead of a long.
+ * You have this problem when the compiler complains about illegal lvalues
+ * or something like that. The following code fixes this mutant behaviour.
+ * It should not be enabled on "normal" systems.
+ *
+ * Bug reported by ben@piglet.cr.usgs.gov (Rev. Ben A. Mesander).
+ */
+
+#ifdef INET_ADDR_BUG
+
+#undef inet_addr
+
+long fix_inet_addr(string)
+char *string;
+{
+ return (inet_addr(string).s_addr);
+}
+
+#endif /* INET_ADDR_BUG */
+
+ /*
+ * With some System-V versions, the fgets() library function does not
+ * account for partial reads from e.g. sockets. The result is that fgets()
+ * gives up too soon, causing username lookups to fail. Problem first
+ * reported for IRIX 4.0.5, by Steve Kotsopoulos <steve@ecf.toronto.edu>.
+ * The following code works around the problem. It does no harm on "normal"
+ * systems.
+ */
+
+#ifdef BROKEN_FGETS
+
+#undef fgets
+
+char *fix_fgets(buf, len, fp)
+char *buf;
+int len;
+FILE *fp;
+{
+ char *cp = buf;
+ int c;
+
+ /*
+ * Copy until the buffer fills up, until EOF, or until a newline is
+ * found.
+ */
+ while (len > 1 && (c = getc(fp)) != EOF) {
+ len--;
+ *cp++ = c;
+ if (c == '\n')
+ break;
+ }
+
+ /*
+ * Return 0 if nothing was read. This is correct even when a silly buffer
+ * length was specified.
+ */
+ if (cp > buf) {
+ *cp = 0;
+ return (buf);
+ } else {
+ return (0);
+ }
+}
+
+#endif /* BROKEN_FGETS */
+
+ /*
+ * With early SunOS 5 versions, recvfrom() does not completely fill in the
+ * source address structure when doing a non-destructive read. The following
+ * code works around the problem. It does no harm on "normal" systems.
+ */
+
+#ifdef RECVFROM_BUG
+
+#undef recvfrom
+
+int fix_recvfrom(sock, buf, buflen, flags, from, fromlen)
+int sock;
+char *buf;
+int buflen;
+int flags;
+struct sockaddr *from;
+int *fromlen;
+{
+ int ret;
+
+ /* Assume that both ends of a socket belong to the same address family. */
+
+ if ((ret = recvfrom(sock, buf, buflen, flags, from, fromlen)) >= 0) {
+ if (from->sa_family == 0) {
+ struct sockaddr my_addr;
+ int my_addr_len = sizeof(my_addr);
+
+ if (getsockname(0, &my_addr, &my_addr_len)) {
+ tcpd_warn("getsockname: %m");
+ } else {
+ from->sa_family = my_addr.sa_family;
+ }
+ }
+ }
+ return (ret);
+}
+
+#endif /* RECVFROM_BUG */
+
+ /*
+ * The Apollo SR10.3 and some SYSV4 getpeername(2) versions do not return an
+ * error in case of a datagram-oriented socket. Instead, they claim that all
+ * UDP requests come from address 0.0.0.0. The following code works around
+ * the problem. It does no harm on "normal" systems.
+ */
+
+#ifdef GETPEERNAME_BUG
+
+#undef getpeername
+
+int fix_getpeername(sock, sa, len)
+int sock;
+struct sockaddr *sa;
+int *len;
+{
+ int ret;
+#ifdef INET6
+ struct sockaddr *sin = sa;
+#else
+ struct sockaddr_in *sin = (struct sockaddr_in *) sa;
+#endif
+
+ if ((ret = getpeername(sock, sa, len)) >= 0
+#ifdef INET6
+ && ((sin->su_si.si_family == AF_INET6
+ && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr))
+ || (sin->su_si.si_family == AF_INET
+ && sin->su_sin.sin_addr.s_addr == 0))) {
+#else
+ && sa->sa_family == AF_INET
+ && sin->sin_addr.s_addr == 0) {
+#endif
+ errno = ENOTCONN;
+ return (-1);
+ } else {
+ return (ret);
+ }
+}
+
+#endif /* GETPEERNAME_BUG */
+
+ /*
+ * According to Karl Vogel (vogelke@c-17igp.wpafb.af.mil) some Pyramid
+ * versions have no yp_default_domain() function. We use getdomainname()
+ * instead.
+ */
+
+#ifdef USE_GETDOMAIN
+
+int yp_get_default_domain(ptr)
+char **ptr;
+{
+ static char mydomain[MAXHOSTNAMELEN];
+
+ *ptr = mydomain;
+ return (getdomainname(mydomain, MAXHOSTNAMELEN));
+}
+
+#endif /* USE_GETDOMAIN */
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+ /*
+ * Solaris 2.4 gethostbyname() has problems with multihomed hosts. When
+ * doing DNS through NIS, only one host address ends up in the address list.
+ * All other addresses end up in the hostname alias list, interspersed with
+ * copies of the official host name. This would wreak havoc with tcpd's
+ * hostname double checks. Below is a workaround that should do no harm when
+ * accidentally left in. A side effect of the workaround is that address
+ * list members are no longer properly aligned for structure access.
+ */
+
+#ifdef SOLARIS_24_GETHOSTBYNAME_BUG
+
+#undef gethostbyname
+
+struct hostent *fix_gethostbyname(name)
+char *name;
+{
+ struct hostent *hp;
+ struct in_addr addr;
+ char **o_addr_list;
+ char **o_aliases;
+ char **n_addr_list;
+ int broken_gethostbyname = 0;
+
+ if ((hp = gethostbyname(name)) && !hp->h_addr_list[1] && hp->h_aliases[1]) {
+ for (o_aliases = n_addr_list = hp->h_aliases; *o_aliases; o_aliases++) {
+ if ((addr.s_addr = inet_addr(*o_aliases)) != INADDR_NONE) {
+ memcpy(*n_addr_list++, (char *) &addr, hp->h_length);
+ broken_gethostbyname = 1;
+ }
+ }
+ if (broken_gethostbyname) {
+ o_addr_list = hp->h_addr_list;
+ memcpy(*n_addr_list++, *o_addr_list, hp->h_length);
+ *n_addr_list = 0;
+ hp->h_addr_list = hp->h_aliases;
+ hp->h_aliases = o_addr_list + 1;
+ }
+ }
+ return (hp);
+}
+
+#endif /* SOLARIS_24_GETHOSTBYNAME_BUG */
+
+ /*
+ * Horror! Some FreeBSD 2.0 libc routines call strtok(). Since tcpd depends
+ * heavily on strtok(), strange things may happen. Workaround: use our
+ * private strtok(). This has been fixed in the meantime.
+ */
+
+#ifdef USE_STRSEP
+
+char *fix_strtok(buf, sep)
+char *buf;
+char *sep;
+{
+ static char *state;
+ char *result;
+
+ if (buf)
+ state = buf;
+ while ((result = strsep(&state, sep)) && result[0] == 0)
+ /* void */ ;
+ return (result);
+}
+
+#endif /* USE_STRSEP */
+
+ /*
+ * IRIX 5.3 (and possibly earlier versions, too) library routines call the
+ * non-reentrant strtok() library routine, causing hosts to slip through
+ * allow/deny filters. Workaround: don't rely on the vendor and use our own
+ * strtok() function. FreeBSD 2.0 has a similar problem (fixed in 2.0.5).
+ */
+
+#ifdef LIBC_CALLS_STRTOK
+
+char *my_strtok(buf, sep)
+char *buf;
+char *sep;
+{
+ static char *state;
+ char *result;
+
+ if (buf)
+ state = buf;
+
+ /*
+ * Skip over separator characters and detect end of string.
+ */
+ if (*(state += strspn(state, sep)) == 0)
+ return (0);
+
+ /*
+ * Skip over non-separator characters and terminate result.
+ */
+ result = state;
+ if (*(state += strcspn(state, sep)) != 0)
+ *state++ = 0;
+ return (result);
+}
+
+#endif /* LIBC_CALLS_STRTOK */
Index: tcp_wrappers_7.6-new
===================================================================
--- tcp_wrappers_7.6-new (nonexistent)
+++ tcp_wrappers_7.6-new (revision 5)
Property changes on: tcp_wrappers_7.6-new
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Index: .
===================================================================
--- . (nonexistent)
+++ . (revision 5)
Property changes on: .
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~
Radix cross Linux
The main Radix cross Linux repository contains the build scripts of packages, which have the most complete and common functionality for desktop machines
452 Commits
2 Branches
1 Tag