--- tcp-wrappers-7.6.orig/hosts_access.c +++ tcp-wrappers-7.6/hosts_access.c @@ -240,6 +240,26 @@ } } +/* hostfile_match - look up host patterns from file */ + +static int hostfile_match(path, host) +char *path; +struct hosts_info *host; +{ + char tok[BUFSIZ]; + int match = NO; + FILE *fp; + + if ((fp = fopen(path, "r")) != 0) { + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) + /* void */ ; + fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("open %s: %m", path); + } + return (match); +} + /* host_match - match host name and/or address against pattern */ static int host_match(tok, host) @@ -267,6 +287,8 @@ tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ return (NO); #endif + } else if (tok[0] == '/') { /* /file hack */ + return (hostfile_match(tok, host)); } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ char *name = eval_hostname(host); return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); --- tcp-wrappers-7.6.orig/tcpd.h +++ tcp-wrappers-7.6/tcpd.h @@ -66,7 +66,6 @@ #define fromhost sock_host /* no TLI support needed */ #endif -extern int hosts_access(); /* access control */ extern void shell_cmd(); /* execute shell command */ extern char *percent_x(); /* do % expansion */ extern void rfc931(); /* client name from RFC 931 daemon */ @@ -78,8 +77,14 @@ /* Global variables. */ +#ifdef HAVE_WEAKSYMS +extern int allow_severity __attribute__ ((weak)); /* for connection logging */ +extern int deny_severity __attribute__ ((weak)); /* for connection logging */ +#else extern int allow_severity; /* for connection logging */ extern int deny_severity; /* for connection logging */ +#endif + extern char *hosts_allow_table; /* for verification mode redirection */ extern char *hosts_deny_table; /* for verification mode redirection */ extern int hosts_access_verbose; /* for verbose matching mode */ 
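Review bot: `fscanf(fp, "%s", tok)` in hostfile_match() has no field width, so a token longer than BUFSIZ-1 bytes in the pattern file is written past the end of `tok` on the stack, inside the access-control decision. Bound the conversion, for example `char tok[256];` with `fscanf(fp, "%255s", tok)`, and treat a token that fills the buffer as an error rather than letting its tail be matched as a separate pattern. The file is opened without any check of its owner or mode, so the manual page should say that list files need the same protection as hosts.allow and hosts.deny. The function also depends on `errno` and on an earlier declaration of host_match(), neither of which is visible in this hunk.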
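Review bot: The new `tok[0] == '/'` branch lets a pattern file name another pattern file with no limit on nesting, so a file that lists its own path makes host_match() and hostfile_match() call each other until fopen() fails or the stack is exhausted. Each level holds a BUFSIZ buffer and an open stream. A depth counter in hostfile_match() would bound it, e.g. `if (depth >= MAX_FILE_DEPTH) { tcpd_warn("%s: nested too deeply", path); return (NO); }`, where `MAX_FILE_DEPTH` is a new constant. The check_host() change in tcpdchk.c nests the same way. host_match() starts and ends outside this hunk.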
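Review bot: The weak declarations of `allow_severity` and `deny_severity` have no comment saying where the definitions come from when the application supplies none. With HAVE_WEAKSYMS the library objects hold weak references, and a linker normally does not pull an archive member to satisfy a weak reference, so a program linked against the static libwrap.a without its own definitions may read through a null address; this should be checked before the static library is shipped. I would add above the `#ifdef`: `/* Weak so that programs need not define these; the defaults are in weak_symbols.c. */`.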
@@ -92,9 +97,14 @@ */ #ifdef __STDC__ +extern int hosts_access(struct request_info *request); +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, + char *client_user); extern struct request_info *request_init(struct request_info *,...); extern struct request_info *request_set(struct request_info *,...); #else +extern int hosts_access(); +extern int hosts_ctl(); extern struct request_info *request_init(); /* initialize request */ extern struct request_info *request_set(); /* update request structure */ #endif --- tcp-wrappers-7.6.orig/Makefile +++ tcp-wrappers-7.6/Makefile @@ -1,5 +1,10 @@ +GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h) + # @(#) Makefile 1.23 97/03/21 19:27:20 +# unset the HOSTNAME environment variable +HOSTNAME = + what: @echo @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" @@ -19,7 +24,7 @@ @echo " generic (most bsd-ish systems with sys5 compatibility)" @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543" @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" + @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" @echo " uts215 uxp" @@ -43,8 +48,8 @@ # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx #REAL_DAEMON_DIR=/usr/etc # -# SysV.4 Solaris 2.x OSF AIX -#REAL_DAEMON_DIR=/usr/sbin +# SysV.4 Solaris 2.x OSF AIX Linux +REAL_DAEMON_DIR=/usr/sbin # # BSD 4.4 #REAL_DAEMON_DIR=/usr/libexec 
@@ -141,10 +146,21 @@ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all +ifneq ($(GLIBC),0) +MYLIB=-lnsl +endif + linux: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT" + +gnu: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ + EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. hpux hpux8 hpux9 hpux10: @@ -391,7 +407,7 @@ # the ones provided with this source distribution. The environ.c module # implements setenv(), getenv(), and putenv(). -AUX_OBJ= setenv.o +#AUX_OBJ= setenv.o #AUX_OBJ= environ.o #AUX_OBJ= environ.o strcasecmp.o @@ -454,7 +470,8 @@ # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work # around this. The workaround does no harm on other Solaris versions. -BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK +BUGS = +#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG @@ -464,7 +481,7 @@ # If your system supports NIS or YP-style netgroups, enable the following # macro definition. Netgroups are used only for host access control. # -#NETGROUP= -DNETGROUP +NETGROUP= -DNETGROUP ############################################################### # System dependencies: whether or not your system has vsyslog() 
@@ -491,7 +508,7 @@ # Uncomment the next definition to turn on the language extensions # (examples: allow, deny, banners, twist and spawn). # -#STYLE = -DPROCESS_OPTIONS # Enable language extensions. +STYLE = -DPROCESS_OPTIONS # Enable language extensions. ################################################################ # Optional: Changing the default disposition of logfile records @@ -514,7 +531,7 @@ # # The LOG_XXX names below are taken from the /usr/include/syslog.h file. -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use +FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use # The syslog priority at which successful connections are logged. @@ -610,7 +627,7 @@ # Paranoid mode implies hostname lookup. In order to disable hostname # lookups altogether, see the next section. -PARANOID= -DPARANOID +#PARANOID= -DPARANOID ######################################## # Optional: turning off hostname lookups @@ -623,7 +640,7 @@ # In order to perform selective hostname lookups, disable paranoid # mode (see previous section) and comment out the following definition. -HOSTNAME= -DALWAYS_HOSTNAME +#HOSTNAME= -DALWAYS_HOSTNAME ############################################# # Optional: Turning on host ADDRESS checking 
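Review bot: The trailing comment on the changed `FACILITY` line still reads "LOG_MAIL is what most sendmail daemons use", which no longer describes the value. Anyone writing syslog rules from this Makefile would look for wrapper records under mail. Suggested line: `FACILITY= LOG_DAEMON # Debian: log under daemon; upstream default is LOG_MAIL`.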
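Review bot: Commenting out `PARANOID= -DPARANOID` changes what happens to clients whose host name and address lookups disagree, and the Makefile gives no reason for it. Without the compiled-in option such clients are, as far as I can tell from the hosts_access documentation, rejected only when a rule uses the PARANOID wildcard, so an installation that relied on the upstream default needs an explicit rule. I would leave a comment at the disabled line: `# Debian: not compiled in; add "ALL: PARANOID" to hosts.deny to keep the upstream behaviour`. The `HOSTNAME= -DALWAYS_HOSTNAME` hunk that follows deserves the same kind of comment.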
@@ -649,28 +666,46 @@ # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, # Solaris 2.x, and Linux. See your system documentation for details. # -# KILL_OPT= -DKILL_IP_OPTIONS +KILL_OPT= -DKILL_IP_OPTIONS ## End configuration options ############################ # Protection against weird shells or weird make programs. +CC = gcc SHELL = /bin/sh -.c.o:; $(CC) $(CFLAGS) -c $*.c +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c + +SOMAJOR = 0 +SOMINOR = 7.6 + +LIB = libwrap.a +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) +SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR) +SHLIBSO = shared/libwrap.so +SHLIBFLAGS = -Lshared -lwrap -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ +shared/%.o: %.c + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ + +CFLAGS = -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ $(VSYSLOG) $(HOSTNAME) +SHLINKFLAGS = -shared -soname libwrap.so.$(SOMAJOR) -lc $(LIBS) +SHCFLAGS = -fPIC -shared -D_REENTRANT + LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ update.o misc.o diag.o percent_m.o myvsyslog.o +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); + FROM_OBJ= fromhost.o KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \ 
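Review bot: `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));` ends with a stray semicolon that becomes part of the variable's value. In the `$(SHLIB): $(SHLIB_OBJ)` prerequisite list make reads it as the start of an inline recipe, and in the link command the shell reads it as a command separator, so the build works only by accident. Drop it: `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ))`.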
@@ -684,46 +719,75 @@ refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ scaffold.h tcpdmatch.8 README.NIS -LIB = libwrap.a - -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) # Invalidate all object files when the compiler options (CFLAGS) have changed. config-check: @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ - if cmp cflags /tmp/cflags.$$$$ ; \ - then rm /tmp/cflags.$$$$ ; \ - else mv /tmp/cflags.$$$$ cflags ; \ + @set +e; echo $(CFLAGS) >cflags.new ; \ + if cmp cflags cflags.new ; \ + then rm cflags.new ; \ + else mv cflags.new cflags ; \ fi >/dev/null 2>/dev/null + @if [ ! -d shared ]; then mkdir shared; fi $(LIB): $(LIB_OBJ) rm -f $(LIB) $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) -$(RANLIB) $(LIB) -tcpd: tcpd.o $(LIB) - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) +$(SHLIB): $(SHLIB_OBJ) + rm -f $(SHLIB) + $(LD) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) + ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ) + ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) + +tcpd: tcpd.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) -miscd: miscd.o $(LIB) - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) +miscd: miscd.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS) -safe_finger: safe_finger.o $(LIB) - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) +safe_finger: safe_finger.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) -try-from: try-from.o fakelog.o $(LIB) - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) +try-from: try-from.o fakelog.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o 
-tcpdchk: $(TCPDCHK_OBJ) $(LIB) - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) + +install: install-lib install-bin install-dev + +install-lib: + install -o root -g root -m 0644 $(SHLIB) ${DESTDIR}/lib/ + ln -s $(notdir $(SHLIB)) ${DESTDIR}/lib/$(notdir $(SHLIBSOMAJ)) + install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/ + install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/ + +install-bin: + install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/ + install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/ + install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/ + install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/ + install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/ + install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/ + install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/ + install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/ + +install-dev: + ln -s /lib/$(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO)) + install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/ + install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/ + install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/ shar: $(KIT) @shar $(KIT) @@ -739,7 +803,8 @@ clean: rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ - cflags + cflags libwrap*.so* + rm -rf shared tidy: clean chmod -R a+r . @@ -885,5 +950,6 @@ update.o: mystdarg.h update.o: tcpd.h vfprintf.o: cflags +weak_symbols.o: tcpd.h workarounds.o: cflags workarounds.o: tcpd.h --- tcp-wrappers-7.6.orig/hosts_access.5 +++ tcp-wrappers-7.6/hosts_access.5 
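Review bot: The `$(SHLIB)` rule removes only the versioned library before relinking and then runs `ln -s` for `$(SHLIBSOMAJ)` and `$(SHLIBSO)`, which fails when those links are left over from an earlier build. Use `ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)` and `ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)`; install-lib and install-dev have the same pattern. The executables are now linked with `$(SHLIBFLAGS)` alone, so `$(LIBS)` reaches them only through the shared library's own dependencies, which is worth a comment next to `SHLIBFLAGS`.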
@@ -8,9 +8,9 @@ impatient reader is encouraged to skip to the EXAMPLES section for a quick introduction. .PP -An extended version of the access control language is described in the -\fIhosts_options\fR(5) document. The extensions are turned on at -program build time by building with -DPROCESS_OPTIONS. +The extended version of the access control language is described in the +\fIhosts_options\fR(5) document. \fBNote that this language supersedes +the meaning of \fIshell_command\fB as documented below.\fR .PP In the following text, \fIdaemon\fR is the the process name of a network daemon process, and \fIclient\fR is the name and/or address of @@ -89,6 +89,13 @@ bitwise AND of the address and the `mask\'. For example, the net/mask pattern `131.155.72.0/255.255.254.0\' matches every address in the range `131.155.72.0\' through `131.155.73.255\'. +.IP \(bu +A string that begins with a `/\' character is treated as a file +name. A host name or address is matched if it matches any host name +or address pattern listed in the named file. The file format is +zero or more lines with zero or more host name or address patterns +separated by whitespace. A file name pattern can be used anywhere +a host name or address pattern can be used. .SH WILDCARDS The access control language supports explicit wildcards: .IP ALL --- tcp-wrappers-7.6.orig/rfc931.c +++ tcp-wrappers-7.6/rfc931.c @@ -33,7 +33,7 @@ int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ -static jmp_buf timebuf; +static sigjmp_buf timebuf; /* fsocket - open stdio stream on top of socket */ @@ -62,7 +62,7 @@ static void timeout(sig) int sig; { - longjmp(timebuf, sig); + siglongjmp(timebuf, sig); } /* rfc931 - return remote user name, given socket structures */ 
@@ -99,7 +99,7 @@ * Set up a timer so we won't get stuck while waiting for the server. */ - if (setjmp(timebuf) == 0) { + if (sigsetjmp(timebuf,1) == 0) { signal(SIGALRM, timeout); alarm(rfc931_timeout); --- tcp-wrappers-7.6.orig/options.c +++ tcp-wrappers-7.6/options.c @@ -473,6 +473,9 @@ #ifdef LOG_CRON "cron", LOG_CRON, #endif +#ifdef LOG_FTP + "ftp", LOG_FTP, +#endif #ifdef LOG_LOCAL0 "local0", LOG_LOCAL0, #endif --- tcp-wrappers-7.6.orig/fix_options.c +++ tcp-wrappers-7.6/fix_options.c @@ -35,7 +35,12 @@ #ifdef IP_OPTIONS unsigned char optbuf[BUFFER_SIZE / 3], *cp; char lbuf[BUFFER_SIZE], *lp; +#if !defined(__GLIBC__) int optsize = sizeof(optbuf), ipproto; +#else /* __GLIBC__ */ + size_t optsize = sizeof(optbuf); + int ipproto; +#endif /* __GLIBC__ */ struct protoent *ip; int fd = request->fd; unsigned int opt; --- tcp-wrappers-7.6.orig/workarounds.c +++ tcp-wrappers-7.6/workarounds.c @@ -163,7 +163,11 @@ int fix_getpeername(sock, sa, len) int sock; struct sockaddr *sa; +#if !defined(__GLIBC__) int *len; +#else /* __GLIBC__ */ +size_t *len; +#endif /* __GLIBC__ */ { int ret; struct sockaddr_in *sin = (struct sockaddr_in *) sa; --- tcp-wrappers-7.6.orig/socket.c +++ tcp-wrappers-7.6/socket.c @@ -76,7 +76,11 @@ { static struct sockaddr_in client; static struct sockaddr_in server; +#if !defined (__GLIBC__) int len; +#else /* __GLIBC__ */ + size_t len; +#endif /* __GLIBC__ */ char buf[BUFSIZ]; int fd = request->fd; @@ -224,7 +228,11 @@ { char buf[BUFSIZ]; struct sockaddr_in sin; +#if !defined(__GLIBC__) int size = sizeof(sin); +#else /* __GLIBC__ */ + size_t size = sizeof(sin); +#endif /* __GLIBC__ */ /* * Eat up the not-yet received datagram. Some systems insist on a --- tcp-wrappers-7.6.orig/safe_finger.c +++ tcp-wrappers-7.6/safe_finger.c 
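Review bot: The switch to `sigsetjmp(timebuf,1)` has no comment saying why the signal mask has to be saved. Presumably the point is that leaving the SIGALRM handler with plain longjmp() can leave SIGALRM blocked, so a later lookup in the same process would never time out. A one-line comment above the call would keep someone from reverting it: `/* Save the signal mask: the handler leaves via siglongjmp(), which must unblock SIGALRM. */`. rfc931() starts and ends outside this hunk.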
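Review bot: Under `__GLIBC__` the option length in fix_options.c is declared `size_t optsize`, but the socket calls take a `socklen_t *`; the getsockopt() call is outside the hunk, so I am assuming `&optsize` is what it receives. Where size_t is wider than socklen_t the callee reads and writes only part of the object, and on a big-endian 64-bit target the part it reads would be the zero half, which would make the IP-options check see an empty buffer. Declare `socklen_t optsize = sizeof(optbuf);` instead, with a fallback typedef for systems that lack the type. The same applies to `size_t *len` in fix_getpeername() in workarounds.c and to `size_t len` and `size_t size` in the two socket.c hunks.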
@@ -26,21 +26,24 @@ #include #include #include +#include extern void exit(); /* Local stuff */ -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; #define TIME_LIMIT 60 /* Do not keep listinging forever */ #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ #define LINE_LENGTH 128 /* Editors can choke on long lines */ #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ #define UNPRIV_NAME "nobody" /* Preferred privilege level */ -#define UNPRIV_UGID 32767 /* Default uid and gid */ +#define UNPRIV_UGID 65534 /* Default uid and gid */ int finger_pid; +int allow_severity = SEVERITY; +int deny_severity = LOG_WARNING; void cleanup(sig) int sig; --- tcp-wrappers-7.6.orig/tcpdchk.c +++ tcp-wrappers-7.6/tcpdchk.c @@ -350,6 +350,8 @@ { if (pat[0] == '@') { tcpd_warn("%s: daemon name begins with \"@\"", pat); + } else if (pat[0] == '/') { + tcpd_warn("%s: daemon name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: daemon name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { @@ -382,6 +384,8 @@ { if (pat[0] == '@') { /* @netgroup */ tcpd_warn("%s: user name begins with \"@\"", pat); + } else if (pat[0] == '/') { + tcpd_warn("%s: user name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: user name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { @@ -402,8 +406,13 @@ static int check_host(pat) char *pat; { + char buf[BUFSIZ]; char *mask; int addr_count = 1; + FILE *fp; + struct tcpd_context saved_context; + char *cp; + char *wsp = " \t\r\n"; if (pat[0] == '@') { /* @netgroup */ #ifdef NO_NETGRENT 
@@ -422,6 +431,21 @@ tcpd_warn("netgroup support disabled"); #endif #endif + } else if (pat[0] == '/') { /* /path/name */ + if ((fp = fopen(pat, "r")) != 0) { + saved_context = tcpd_context; + tcpd_context.file = pat; + tcpd_context.line = 0; + while (fgets(buf, sizeof(buf), fp)) { + tcpd_context.line++; + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) + check_host(cp); + } + tcpd_context = saved_context; + fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("open %s: %m", pat); + } } else if (mask = split_at(pat, '/')) { /* network/netmask */ if (dot_quad_addr(pat) == INADDR_NONE || dot_quad_addr(mask) == INADDR_NONE) --- tcp-wrappers-7.6.orig/percent_m.c +++ tcp-wrappers-7.6/percent_m.c @@ -13,7 +13,7 @@ #include extern int errno; -#ifndef SYS_ERRLIST_DEFINED +#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR) extern char *sys_errlist[]; extern int sys_nerr; #endif @@ -29,11 +29,15 @@ while (*bp = *cp) if (*cp == '%' && cp[1] == 'm') { +#ifdef HAVE_STRERROR + strcpy(bp, strerror(errno)); +#else if (errno < sys_nerr && errno > 0) { strcpy(bp, sys_errlist[errno]); } else { sprintf(bp, "Unknown error %d", errno); } +#endif bp += strlen(bp); cp += 2; } else { --- tcp-wrappers-7.6.orig/weak_symbols.c +++ tcp-wrappers-7.6/weak_symbols.c @@ -0,0 +1,11 @@ + /* + * @(#) weak_symbols.h 1.5 99/12/29 23:50 + * + * Author: Anthony Towns + */ + +#ifdef HAVE_WEAKSYMS +#include +int deny_severity = LOG_WARNING; +int allow_severity = SEVERITY; +#endif --- tcp-wrappers-7.6.orig/debian/README.Debian +++ tcp-wrappers-7.6/debian/README.Debian 
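Review bot: The token loop in the new `/path/name` branch uses strtok() while check_host() calls itself for every token, so when a token names a readable, non-empty file the inner call resets strtok()'s saved position and the outer loop drops the rest of the current line unchecked. Use the reentrant form, `for (cp = strtok_r(buf, wsp, &last); cp; cp = strtok_r((char *) 0, wsp, &last))` with a local `char *last;`. tcpdchk also splits input at BUFSIZ-sized lines while hostfile_match() in hosts_access.c reads whitespace-separated tokens of any length, so the checker can accept a file that the library reads differently. check_host() starts and ends outside this hunk.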
@@ -0,0 +1,59 @@
+tcp_wrappers for Debian
+----------------------
+
+Extensions:
+----------
+
+There are a number of Debian specific changes to TCP wrappers:
+
+ * libwrap.so.0 is available for dynamic linking.
+
+ * You can blacklist a whole bunch of hosts at once by specifying a
+ file that contains a list of those hosts instead of just naming
+ a host. See the hosts_access(5) manpage.
+
+Library versioning:
+------------------
+
+TCP wrappers isn't distributed as a shared library upstream, so the
+versioning scheme used for TCP wrappers may not match Linux's library
+versioning schme. Hence, libwrap has a soname of libwrap0 (version 7.6),
+instead of libwrap7 (version 6).
+
+Build options:
+-------------
+
+STYLE = -DPROCESS_OPTIONS
+
+ Debian TCP Wrappers use the extended syntax for /etc/hosts.allow
+ and /etc/hosts.deny. This particularly affects spawning other
+ commands on connections, see the hosts_options(5) manpage for
+ more details.
+
+FACILITY = LOG_DAEMON
+SEVERITY = LOG_INFO
+
+ TCP Wrappers logs as daemon.info (rather than mail.info).
+
+BUGS =
+
+ Linux has no bugs. :)
+
+VSYSLOG =
+
+ libc6 has vsyslog built in.
+
+UMASK = -DDAEMON_UMASK=022
+NETGROUP = -DNETGROUP
+
+RFC931_TIMEOUT = 10
+ACCESS = -DHOSTS_ACCESS
+TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.al
+low\"
+KILL_OPT = -DKILL_IP_OPTIONS
+
+The options ALWAYS_RFC931, ALWAYS_HOSTNAME and PARANOID have not been
+enabled because these features can be enabled at runtime. The option
+APPEND_DOT is not enabled because of compatibility reasons.
+
+ -- Anthony Towns , Tue, 10 Aug 1999 12:06:33 +1000
--- tcp-wrappers-7.6.orig/debian/changelog
+++ tcp-wrappers-7.6/debian/changelog
@@ -0,0 +1,42 @@
+tcp-wrappers (7.6-4) frozen unstable; urgency=high
+
+ * Actually compile in the weak_symbols. Thanks to Tomas Ogren for
+ working out where things were going wrong. (Closes: Bug#57780,
+ Bug#55824)
+
+ -- Anthony Towns Fri, 11 Feb 2000 15:52:44 +1000
+
+tcp-wrappers (7.6-3) frozen unstable; urgency=medium
+
+ * Define hosts_ctl in tcpd.h (Closes: Bug#55265, Bug#53887)
+
+ -- Anthony Towns Tue, 25 Jan 2000 11:14:33 +1000
+
+tcp-wrappers (7.6-2) unstable; urgency=low
+
+ * Move libwrap0 to /lib (Closes: Bug#52534)
+
+ * Make weak symbols for allow_severity and deny_severity
+ (Closes: Bug#44542)
+ * Adjust shlibs file to require libwrap0 (>= 7.6-1.1) thanks to
+ the above (Closes: Bug#51217)
+
+ * Change how the Hurd is handled, thanks to Marcus Brinkmann
+ (Closes: Bug#44408)
+
+ * Add support for `ftp' severity specifier. (Closes: Bug#53575)
+
+ * Add -D_REENTRANT when compiling.
+
+ -- Anthony Towns Sun, 29 Aug 1999 00:08:36 +1000
+
+tcp-wrappers (7.6-1) unstable; urgency=low
+
+ * Initial Release.
+ * Split from netbase.
+
+ -- Anthony Towns Tue, 10 Aug 1999 12:06:33 +1000
+
+Local variables:
+mode: debian-changelog
+End:
--- tcp-wrappers-7.6.orig/debian/copyright
+++ tcp-wrappers-7.6/debian/copyright
@@ -0,0 +1,28 @@
+This package was debianized by Anthony Towns on
+Tue, 10 Aug 1999 12:06:33 +1000.
+
+It was downloaded from ftp://ftp.porcupine.org/pub/security/index.html
+
+Upstream Author(s): Wietse Venema
+
+Copyright:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema. All rights reserved. Some individual
+* files may be covered by other copyrights.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Thanks to Wietse Venema for his permission to include the tcp_wrapper
+package in the Debian Distribution.
--- tcp-wrappers-7.6.orig/debian/tcpd.dirs
+++ tcp-wrappers-7.6/debian/tcpd.dirs
@@ -0,0 +1,2 @@
+usr/sbin
+usr/share/man/man8
--- tcp-wrappers-7.6.orig/debian/libwrap0-dev.dirs
+++ tcp-wrappers-7.6/debian/libwrap0-dev.dirs
@@ -0,0 +1,3 @@
+usr/lib
+usr/include
+usr/share/man/man3
--- tcp-wrappers-7.6.orig/debian/libwrap0.postinst
+++ tcp-wrappers-7.6/debian/libwrap0.postinst
@@ -0,0 +1,6 @@
+#! /bin/sh
+
+set -e
+ldconfig
+
+##DEBHELPER##
--- tcp-wrappers-7.6.orig/debian/libwrap0.dirs
+++ tcp-wrappers-7.6/debian/libwrap0.dirs
@@ -0,0 +1,2 @@
+lib
+usr/share/man/man5
--- tcp-wrappers-7.6.orig/debian/libwrap0.shlibs
+++ tcp-wrappers-7.6/debian/libwrap0.shlibs
@@ -0,0 +1 @@
+libwrap 0 libwrap0
--- tcp-wrappers-7.6.orig/debian/shlibs.local
+++ tcp-wrappers-7.6/debian/shlibs.local
@@ -0,0 +1 @@
+libwrap 0 libwrap0 (>= 7.6-1.1)
--- tcp-wrappers-7.6.orig/debian/control
+++ tcp-wrappers-7.6/debian/control
@@ -0,0 +1,48 @@
+Source: tcp-wrappers
+Section: base
+Priority: standard
+Maintainer: Anthony Towns
+Standards-Version: 3.1.1
+
+Package: libwrap0
+Architecture: any
+Depends: ${shlibs:Depends}
+Recommends: tcpd
+Conflicts: netbase (<< 3.16-1)
+Description: Wietse Venema's TCP wrappers library
+ Wietse Venema's network logger, also known as TCPD or LOG_TCP.
+ .
+ These programs log the client host name of incoming telnet,
+ ftp, rsh, rlogin, finger etc. requests. Security options are:
+ access control per host, domain and/or service; detection of
+ host name spoofing or host address spoofing; booby traps to
+ implement an early-warning system.
+
+Package: libwrap0-dev
+Architecture: any
+Section: devel
+Priority: optional
+Depends: libwrap0 (= ${Source-Version}), libc6-dev
+Provides: libwrap-dev
+Conflicts: libwrap-dev, netbase (<< 3.16-1)
+Description: Wietse Venema's TCP wrappers library, development files
+ Wietse Venema's network logger, also known as TCPD or LOG_TCP.
+ .
+ These programs log the client host name of incoming telnet,
+ ftp, rsh, rlogin, finger etc. requests. Security options are:
+ access control per host, domain and/or service; detection of
+ host name spoofing or host address spoofing; booby traps to
+ implement an early-warning system.
+
+Package: tcpd
+Architecture: any
+Depends: ${shlibs:Depends}
+Conflicts: netbase (<< 3.16-1)
+Description: Wietse Venema's TCP wrapper utilities
+ Wietse Venema's network logger, also known as TCPD or LOG_TCP.
+ .
+ These programs log the client host name of incoming telnet,
+ ftp, rsh, rlogin, finger etc. requests. Security options are:
+ access control per host, domain and/or service; detection of
+ host name spoofing or host address spoofing; booby traps to
+ implement an early-warning system.
--- tcp-wrappers-7.6.orig/debian/safe_finger.8
+++ tcp-wrappers-7.6/debian/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
--- tcp-wrappers-7.6.orig/debian/rules
+++ tcp-wrappers-7.6/debian/rules
@@ -0,0 +1,111 @@
+#!/usr/bin/make -f
+#-*- makefile -*-
+# Made with the aid of dh_make, by Craig Small
+# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
+# This version is for a hypothetical package that builds an
+# architecture-dependant package, as well as an architecture-independant
+# package.
+
+package=libwrap
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DEB_BUILD_ARCH := $(shell dpkg --print-installation-architecture)
+ifeq ($(filter-out hurd-%,$(DEB_BUILD_ARCH)),)
+ DEB_BUILD_GNU_SYSTEM := gnu
+else
+ DEB_BUILD_GNU_SYSTEM := linux
+endif
+DEB_HOST_GNU_SYSTEM=$(DEB_BUILD_GNU_SYSTEM)
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+ $(MAKE) $(DEB_HOST_GNU_SYSTEM)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp install-stamp
+
+ # Add here commands to clean up after the build process.
+ -$(MAKE) clean
+
+ dh_clean
+
+install: install-stamp
+install-stamp: build-stamp
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/tmp.
+ $(MAKE) install-lib DESTDIR=$(PWD)/debian/tmp
+ $(MAKE) install-bin DESTDIR=$(PWD)/debian/tcpd
+ $(MAKE) install-dev DESTDIR=$(PWD)/debian/libwrap0-dev
+
+ touch install-stamp
+
+# Build architecture-independent files here.
+binary-indep: build install
+# dh_testversion
+## dh_testdir -i
+## dh_testroot -i
+## dh_installdocs -i
+## dh_installexamples -i
+## dh_installmenu -i
+# dh_installemacsen -i
+# dh_installinit -i
+## dh_installcron -i
+# dh_installmanpages -i
+# dh_undocumented
+## dh_installchangelogs -i CHANGES
+## dh_link -i
+## dh_compress -i
+## dh_fixperms -i
+## # You may want to make some executables suid here
+## dh_suidregister -i
+## dh_installdeb -i
+## dh_gencontrol -i
+## dh_md5sums -i
+## dh_builddeb -i
+
+binary-arch: build install
+# dh_testversion
+ dh_testdir -a
+ dh_testroot -a
+ dh_installdocs -a
+ dh_installexamples -a
+ dh_installmenu -a
+# dh_installemacsen -a
+# dh_installinit -a
+ dh_installcron -a
+# dh_installmanpages -a
+ install -o root -g root debian/try-from.8 $(shell pwd)/debian/tcpd/usr/share/man/man8/
+ install -o root -g root debian/safe_finger.8 $(shell pwd)/debian/tcpd/usr/share/man/man8/
+# dh_undocumented
+ dh_installchangelogs -a CHANGES
+ dh_link -a
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ # You may want to make some executables suid here
+ dh_suidregister -a
+ dh_makeshlibs -a
+ dh_installdeb -a
+# dh_perl -a
+ dh_shlibdeps -a
+ dh_gencontrol -a
+ dh_md5sums -a
+ dh_builddeb -a
+
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary
--- tcp-wrappers-7.6.orig/debian/docs
+++ tcp-wrappers-7.6/debian/docs
@@ -0,0 +1,3 @@
+README
+README.IRIX
+README.NIS
--- tcp-wrappers-7.6.orig/debian/tcp_wrappers1.files
+++ tcp-wrappers-7.6/debian/tcp_wrappers1.files
@@ -0,0 +1 @@
+usr/lib/*.so.*
--- tcp-wrappers-7.6.orig/debian/try-from.8
+++ tcp-wrappers-7.6/debian/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /some/where/try-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+