--- eval.c.orig 1995-01-30 19:51:46.000000000 +0100 +++ eval.c 2010-11-14 19:55:36.000000000 +0100 @@ -98,6 +98,28 @@ } } +/* eval_port - return string with the port */ +char *eval_port(saddr) +#ifdef INET6 +struct sockaddr *saddr; +#else +struct sockaddr_in *saddr; +#endif +{ + static char port[16]; + if (saddr != 0) { + sprintf(port, "%u", +#ifdef INET6 + ntohs(((struct sockaddr_in *)saddr)->sin_port)); +#else + ntohs(saddr->sin_port)); +#endif + } else { + strcpy(port, "0"); + } + return (port); +} + /* eval_client - return string with as much about the client as we know */ char *eval_client(request) --- fix_options.c.orig 1997-04-08 02:29:19.000000000 +0200 +++ fix_options.c 2010-11-14 19:55:36.000000000 +0100 @@ -11,6 +11,9 @@ #include #include +#ifdef INET6 +#include +#endif #include #include #include @@ -35,12 +38,32 @@ #ifdef IP_OPTIONS unsigned char optbuf[BUFFER_SIZE / 3], *cp; char lbuf[BUFFER_SIZE], *lp; +#ifdef __GLIBC__ + size_t optsize = sizeof(optbuf), ipproto; +#else int optsize = sizeof(optbuf), ipproto; +#endif struct protoent *ip; int fd = request->fd; unsigned int opt; int optlen; struct in_addr dummy; +#ifdef INET6 + struct sockaddr_storage ss; + socklen_t sslen; + + /* + * check if this is AF_INET socket + * XXX IPv6 support? + */ + sslen = sizeof(ss); + if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) { + syslog(LOG_ERR, "getpeername: %m"); + clean_exit(request); + } + if (ss.ss_family != AF_INET) + return; +#endif if ((ip = getprotobyname("ip")) != 0) ipproto = ip->p_proto; --- hosts_access.3.orig 1996-02-11 17:01:27.000000000 +0100 +++ hosts_access.3 2010-11-14 19:55:36.000000000 +0100 @@ -3,7 +3,7 @@ hosts_access, hosts_ctl, request_init, request_set \- access control library .SH SYNOPSIS .nf -#include "tcpd.h" +#include extern int allow_severity; extern int deny_severity; @@ -14,6 +14,9 @@ struct request_info *request_set(request, key, value, ..., 0) struct request_info *request; +void fromhost(request) +struct request_info *request; + int hosts_access(request) struct request_info *request; @@ -60,6 +63,7 @@ is available, host names and client user names are looked up on demand, using the request structure as a cache. hosts_access() returns zero if access should be denied. +fromhost() must be called before hosts_access(). .PP hosts_ctl() is a wrapper around the request_init() and hosts_access() routines with a perhaps more convenient interface (though it does not --- hosts_access.5.orig 1995-01-30 19:51:47.000000000 +0100 +++ hosts_access.5 2010-11-14 19:55:36.000000000 +0100 @@ -8,11 +8,11 @@ impatient reader is encouraged to skip to the EXAMPLES section for a quick introduction. .PP -An extended version of the access control language is described in the -\fIhosts_options\fR(5) document. The extensions are turned on at -program build time by building with -DPROCESS_OPTIONS. +The extended version of the access control language is described in the +\fIhosts_options\fR(5) document. \fBNote that this language supersedes +the meaning of \fIshell_command\fB as documented below.\fR .PP -In the following text, \fIdaemon\fR is the the process name of a +In the following text, \fIdaemon\fR is the process name of a network daemon process, and \fIclient\fR is the name and/or address of a host requesting service. Network daemon process names are specified in the inetd configuration file. @@ -51,7 +51,7 @@ daemon_list : client_list [ : shell_command ] .PP \fIdaemon_list\fR is a list of one or more daemon process names -(argv[0] values) or wildcards (see below). +(argv[0] values) or server port numbers or wildcards (see below). .PP \fIclient_list\fR is a list of one or more host names, host addresses, patterns or wildcards (see @@ -85,10 +85,34 @@ for daemon process names or for client user names. .IP \(bu An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a -`net/mask\' pair. A host address is matched if `net\' is equal to the +`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the bitwise AND of the address and the `mask\'. For example, the net/mask pattern `131.155.72.0/255.255.254.0\' matches every address in the range `131.155.72.0\' through `131.155.73.255\'. +`255.255.255.255\' is not a valid mask value, so a single host can be +matched just by its IP. +.IP \(bu +An expression of the form `n.n.n.n/mm' is interpreted as a +`net/masklength' pair, where `mm' is the number of consecutive `1' +bits in the netmask applied to the `n.n.n.n' address. +.IP \(bu +An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a +`[net]/prefixlen\' pair. An IPv6 host address is matched if +`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the +address. For example, the [net]/prefixlen pattern +`[3ffe:505:2:1::]/64\' matches every address in the range +`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. +.IP \(bu +A string that begins with a `/\' character is treated as a file +name. A host name or address is matched if it matches any host name +or address pattern listed in the named file. The file format is +zero or more lines with zero or more host name or address patterns +separated by whitespace. A file name pattern can be used anywhere +a host name or address pattern can be used. +.IP \(bu +Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This +method of matching cannot be used in conjunction with `net/mask\' matching, +hostname matching beginning with `.\' or IP address matching ending with `.\'. .SH WILDCARDS The access control language supports explicit wildcards: .IP ALL @@ -151,6 +175,8 @@ unavailable. .IP "%n (%N)" The client (server) host name (or "unknown" or "paranoid"). +.IP "%r (%R)" +The clients (servers) port number (or "0"). .IP %p The daemon process id. .IP %s @@ -173,7 +199,7 @@ Patterns like these can be used when the machine has different internet addresses with different internet hostnames. Service providers can use this facility to offer FTP, GOPHER or WWW archives with internet names -that may even belong to different organizations. See also the `twist' +that may even belong to different organizations. See also the `twist\' option in the hosts_options(5) document. Some systems (Solaris, FreeBSD) can have more than one internet address on one physical interface; with other systems you may have to resort to SLIP or PPP @@ -236,10 +262,10 @@ Before accepting a client request, the wrappers can use the IDENT service to find out that the client did not send the request at all. When the client host provides IDENT service, a negative IDENT lookup -result (the client matches `UNKNOWN@host') is strong evidence of a host +result (the client matches `UNKNOWN@host\') is strong evidence of a host spoofing attack. .PP -A positive IDENT lookup result (the client matches `KNOWN@host') is +A positive IDENT lookup result (the client matches `KNOWN@host\') is less trustworthy. It is possible for an intruder to spoof both the client connection and the IDENT lookup, although doing so is much harder than spoofing just a client connection. It may also be that @@ -322,8 +348,8 @@ /etc/hosts.deny: .in +3 .nf -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ - /usr/ucb/mail -s %d-%h root) & +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ + /usr/bin/mail -s %d-%h root) & .fi .PP The safe_finger command comes with the tcpd wrapper and should be @@ -359,6 +385,7 @@ .fi .SH SEE ALSO .nf +hosts_options(5) extended syntax. tcpd(8) tcp/ip daemon wrapper program. tcpdchk(8), tcpdmatch(8), test programs. .SH BUGS --- hosts_access.c.orig 1997-02-12 02:13:23.000000000 +0100 +++ hosts_access.c 2010-11-14 19:55:36.000000000 +0100 @@ -24,7 +24,13 @@ /* System libraries. */ #include +#ifdef INT32_T + typedef uint32_t u_int32_t; +#endif #include +#ifdef INET6 +#include +#endif #include #include #include @@ -33,6 +39,9 @@ #include #include #include +#ifdef INET6 +#include +#endif extern char *fgets(); extern int errno; @@ -57,6 +66,7 @@ #define YES 1 #define NO 0 +#define ERR -1 /* * These variables are globally visible so that they can be redirected in @@ -72,6 +82,9 @@ */ int resident = (-1); /* -1, 0: unknown; +1: yes */ +#ifdef ACLEXEC +int aclexec_matched = 0; +#endif /* Forward declarations. */ @@ -82,6 +95,11 @@ static int host_match(); static int string_match(); static int masked_match(); +static int match_pattern_ylo(); +#ifdef INET6 +static int masked_match4(); +static int masked_match6(); +#endif /* Size of logical line buffer. */ @@ -114,11 +132,11 @@ verdict = setjmp(tcpd_buf); if (verdict != 0) return (verdict == AC_PERMIT); - if (table_match(hosts_allow_table, request)) + if (table_match(hosts_allow_table, request) == YES) return (YES); - if (table_match(hosts_deny_table, request)) - return (NO); - return (YES); + if (table_match(hosts_deny_table, request) == NO) + return (YES); + return (NO); } /* table_match - match table entries with (daemon, client) pair */ @@ -162,14 +180,21 @@ (void) fclose(fp); } else if (errno != ENOENT) { tcpd_warn("cannot open %s: %m", table); + match = ERR; } - if (match) { + if (match == YES) { if (hosts_access_verbose > 1) syslog(LOG_DEBUG, "matched: %s line %d", tcpd_context.file, tcpd_context.line); if (sh_cmd) { #ifdef PROCESS_OPTIONS process_options(sh_cmd, request); +# ifdef ACLEXEC + if (aclexec_matched) { + syslog(LOG_INFO, "aclexec returned %d", aclexec_matched); + match = NO; + } +# endif #else char cmd[BUFSIZ]; shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request)); @@ -208,6 +233,36 @@ return (NO); } +/* + * daemon_or_port_match - match server information: if the server endpoint + * pattern is a port number, match against port number of connection; + * otherwise match against daemon executable name + */ + +static int daemon_or_port_match(char *tok, struct request_info *request) { + unsigned int port, sin_port; + char junk; + + /* daemon name */ + if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535) + return (string_match(tok, eval_daemon(request))); + + /* port number */ + if (!request->server->sin) + return (NO); + +#ifdef INET6 + sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port); +#else + sin_port = ntohs(request->server->sin->sin_port); +#endif + + if (port == sin_port) + return (YES); + else + return (NO); +} + /* server_match - match server information */ static int server_match(tok, request) @@ -217,9 +272,9 @@ char *host; if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */ - return (string_match(tok, eval_daemon(request))); + return (daemon_or_port_match(tok, request)); } else { /* daemon@host */ - return (string_match(tok, eval_daemon(request)) + return (daemon_or_port_match(tok, request) && host_match(host, request->server)); } } @@ -240,6 +295,26 @@ } } +/* hostfile_match - look up host patterns from file */ + +static int hostfile_match(path, host) +char *path; +struct hosts_info *host; +{ + char tok[BUFSIZ]; + int match = NO; + FILE *fp; + + if ((fp = fopen(path, "r")) != 0) { + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) + /* void */ ; + fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("open %s: %m", path); + } + return (match); +} + /* host_match - match host name and/or address against pattern */ static int host_match(tok, host) @@ -267,6 +342,8 @@ tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ return (NO); #endif + } else if (tok[0] == '/') { /* /file hack */ + return (hostfile_match(tok, host)); } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ char *name = eval_hostname(host); return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); @@ -289,6 +366,18 @@ { int n; +#ifdef INET6 + /* convert IPv4 mapped IPv6 address to IPv4 address */ + if (STRN_EQ(string, "::ffff:", 7) + && dot_quad_addr(string + 7) != INADDR_NONE) { + string += 7; + } +#endif +#ifndef DISABLE_WILDCARD_MATCHING + if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ + return (match_pattern_ylo(string,tok)); + } else +#endif if (tok[0] == '.') { /* suffix */ n = strlen(string) - strlen(tok); return (n > 0 && STR_EQ(tok, string + n)); @@ -299,20 +388,72 @@ } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ return (STRN_EQ(tok, string, n)); } else { /* exact match */ +#ifdef INET6 + struct addrinfo hints, *res; + struct sockaddr_in6 pat, addr; + int len, ret; + char ch; + + len = strlen(tok); + if (*tok == '[' && tok[len - 1] == ']') { + ch = tok[len - 1]; + tok[len - 1] = '\0'; + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) { + memcpy(&pat, res->ai_addr, sizeof(pat)); + freeaddrinfo(res); + } + tok[len - 1] = ch; + if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0) + return NO; + memcpy(&addr, res->ai_addr, sizeof(addr)); + freeaddrinfo(res); +#ifdef NI_WITHSCOPEID + if (pat.sin6_scope_id != 0 && + addr.sin6_scope_id != pat.sin6_scope_id) + return NO; +#endif + return (!memcmp(&pat.sin6_addr, &addr.sin6_addr, + sizeof(struct in6_addr))); + return (ret); + } +#endif return (STR_EQ(tok, string)); } } /* masked_match - match address against netnumber/netmask */ +#ifdef INET6 static int masked_match(net_tok, mask_tok, string) char *net_tok; char *mask_tok; char *string; { + return (masked_match4(net_tok, mask_tok, string) || + masked_match6(net_tok, mask_tok, string)); +} + +static int masked_match4(net_tok, mask_tok, string) +#else +static int masked_match(net_tok, mask_tok, string) +#endif +char *net_tok; +char *mask_tok; +char *string; +{ +#ifdef INET6 + u_int32_t net; + u_int32_t mask; + u_int32_t addr; +#else unsigned long net; unsigned long mask; unsigned long addr; +#endif /* * Disallow forms other than dotted quad: the treatment that inet_addr() @@ -323,9 +464,153 @@ if ((addr = dot_quad_addr(string)) == INADDR_NONE) return (NO); if ((net = dot_quad_addr(net_tok)) == INADDR_NONE - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { + || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE + && (mask = cidr_mask_addr(mask_tok)) == 0)) { +#ifndef INET6 tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); +#endif return (NO); /* not tcpd_jump() */ } return ((addr & mask) == net); } + +#ifdef INET6 +static int masked_match6(net_tok, mask_tok, string) +char *net_tok; +char *mask_tok; +char *string; +{ + struct addrinfo hints, *res; + struct sockaddr_in6 net, addr; + u_int32_t mask; + int len, mask_len, i = 0; + char ch; + + /* + * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is + * different between KAME and Solaris8. While KAME returns + * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here. + */ + if (STRN_EQ(string, "::ffff:", 7) + && dot_quad_addr(string + 7) != INADDR_NONE) + return (masked_match4(net_tok, mask_tok, string + 7)); + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if (getaddrinfo(string, NULL, &hints, &res) != 0) + return NO; + memcpy(&addr, res->ai_addr, sizeof(addr)); + freeaddrinfo(res); + + /* match IPv6 address against netnumber/prefixlen */ + len = strlen(net_tok); + if (*net_tok != '[' || net_tok[len - 1] != ']') + return NO; + ch = net_tok[len - 1]; + net_tok[len - 1] = '\0'; + if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) { + net_tok[len - 1] = ch; + return NO; + } + memcpy(&net, res->ai_addr, sizeof(net)); + freeaddrinfo(res); + net_tok[len - 1] = ch; + if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) + return NO; + +#ifdef NI_WITHSCOPEID + if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id) + return NO; +#endif + while (mask_len > 0) { + if (mask_len < 32) { + mask = htonl(~(0xffffffff >> mask_len)); + if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask)) + return NO; + break; + } + if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i]) + return NO; + i += 4; + mask_len -= 32; + } + return YES; +} +#endif /* INET6 */ + +#ifndef DISABLE_WILDCARD_MATCHING +/* Note: this feature has been adapted in a pretty straightforward way + from Tatu Ylonen's last SSH version under free license by + Pekka Savola . + + Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +*/ + +/* Returns true if the given string matches the pattern (which may contain + ? and * as wildcards), and zero if it does not match. */ + +static int match_pattern_ylo(const char *s, const char *pattern) +{ + char src; + char pat; + while (1) + { + /* If at end of pattern, accept if also at end of string. */ + if (!*pattern) + return !*s; + + /* Process '*'. */ + if (*pattern == '*') + { + /* Skip the asterisk. */ + pattern++; + + /* If at end of pattern, accept immediately. */ + if (!*pattern) + return 1; + + /* If next character in pattern is known, optimize. */ + if (*pattern != '?' && *pattern != '*') + { + /* Look instances of the next character in pattern, and try + to match starting from those. */ + pat = *pattern; + for (; *s; s++) { + src = *s; + if (toupper(src) == toupper(pat) && + match_pattern_ylo(s + 1, pattern + 1)) + return 1; + } + /* Failed. */ + return 0; + } + + /* Move ahead one character at a time and try to match at each + position. */ + for (; *s; s++) + if (match_pattern_ylo(s, pattern)) + return 1; + /* Failed. */ + return 0; + } + + /* There must be at least one more character in the string. If we are + at the end, fail. */ + if (!*s) + return 0; + + /* Check if the next character of the string is acceptable. */ + pat = *pattern; + src = *s; + if (*pattern != '?' && toupper(pat) != toupper(src)) + return 0; + + /* Move to the next character, both in string and in pattern. */ + s++; + pattern++; + } + /*NOTREACHED*/ +} +#endif /* DISABLE_WILDCARD_MATCHING */ --- hosts_options.5.orig 1994-12-28 17:42:29.000000000 +0100 +++ hosts_options.5 2010-11-14 19:55:36.000000000 +0100 @@ -2,10 +2,8 @@ .SH NAME hosts_options \- host access control language extensions .SH DESCRIPTION -This document describes optional extensions to the language described -in the hosts_access(5) document. The extensions are enabled at program -build time. For example, by editing the Makefile and turning on the -PROCESS_OPTIONS compile-time option. +This document describes extensions to the language described +in the hosts_access(5) document. .PP The extensible language uses the following format: .sp @@ -54,16 +52,33 @@ .sp Notice the leading dot on the domain name patterns. .SH RUNNING OTHER COMMANDS +.IP "aclexec shell_command" +Execute, in a child process, the specified shell command, after +performing the % expansions described in the hosts_access(5) +manual page. The command is executed with stdin, stdout and stderr +connected to the null device, so that it won't mess up the +conversation with the client host. Example: +.sp +.nf +.ti +3 +smtp : ALL : aclexec checkdnsbl %a +.fi +.sp +executes, in a background child process, the shell command "checkdnsbl %a" +after replacing %a by the address of the remote host. +.sp +The connection will be allowed or refused depending on whether the +command returns a true or false exit status. .IP "spawn shell_command" Execute, in a child process, the specified shell command, after performing the % expansions described in the hosts_access(5) manual page. The command is executed with stdin, stdout and stderr -connected to the null device, so that it won\'t mess up the +connected to the null device, so that it won't mess up the conversation with the client host. Example: .sp .nf .ti +3 -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & .fi .sp executes, in a background child process, the shell command "safe_finger @@ -124,7 +139,7 @@ value is taken. .SH MISCELLANEOUS .IP "banners /some/directory" -Look for a file in `/some/directory' with the same name as the daemon +Look for a file in `/some/directory\' with the same name as the daemon process (for example in.telnetd for the telnet service), and copy its contents to the client. Newline characters are replaced by carriage-return newline, and % sequences are expanded (see --- inetcf.c.orig 1997-02-12 02:13:24.000000000 +0100 +++ inetcf.c 2010-11-14 19:55:36.000000000 +0100 @@ -26,13 +26,17 @@ * guesses. Shorter names follow longer ones. */ char *inet_files[] = { +#if 0 "/private/etc/inetd.conf", /* NEXT */ "/etc/inet/inetd.conf", /* SYSV4 */ "/usr/etc/inetd.conf", /* IRIX?? */ +#endif "/etc/inetd.conf", /* BSD */ +#if 0 "/etc/net/tlid.conf", /* SYSV4?? */ "/etc/saf/tlid.conf", /* SYSV4?? */ "/etc/tlid.conf", /* SYSV4?? */ +#endif 0, }; --- libwrap.lds.orig 1970-01-01 01:00:00.000000000 +0100 +++ libwrap.lds 2010-11-14 19:55:36.000000000 +0100 @@ -0,0 +1,4 @@ +{ + local: + aclexec_matched; +}; --- Makefile.orig 1997-03-21 19:27:21.000000000 +0100 +++ Makefile 2010-11-14 19:55:36.000000000 +0100 @@ -21,7 +21,7 @@ @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" - @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" + @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" @echo " uts215 uxp" @echo @echo "If none of these match your environment, edit the system" @@ -45,7 +45,7 @@ # # SysV.4 Solaris 2.x OSF AIX #REAL_DAEMON_DIR=/usr/sbin -# +REAL_DAEMON_DIR=/usr/sbin # BSD 4.4 #REAL_DAEMON_DIR=/usr/libexec # @@ -131,20 +131,34 @@ NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all # Freebsd and linux by default have no NIS. -386bsd netbsd bsdos: +386bsd bsdos: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all freebsd: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS="-L/usr/local/v6/lib -linet6" \ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ - EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \ + VSYSLOG= all + +netbsd: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all linux: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all + +gnu: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. hpux hpux8 hpux9 hpux10: @@ -196,6 +210,13 @@ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all +# SunOS 5.8 is another SYSV4 variant, but has IPv6 support +solaris8: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \ + NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ + EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all + # Generic SYSV40 esix sysv4: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ @@ -492,6 +513,7 @@ # (examples: allow, deny, banners, twist and spawn). # #STYLE = -DPROCESS_OPTIONS # Enable language extensions. +STYLE = "-DPROCESS_OPTIONS -DACLEXEC" ################################################################ # Optional: Changing the default disposition of logfile records @@ -515,6 +537,7 @@ # The LOG_XXX names below are taken from the /usr/include/syslog.h file. FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use +FACILITY= LOG_DAEMON # The syslog priority at which successful connections are logged. @@ -611,6 +634,7 @@ # lookups altogether, see the next section. PARANOID= -DPARANOID +PARANOID= ######################################## # Optional: turning off hostname lookups @@ -624,6 +648,7 @@ # mode (see previous section) and comment out the following definition. HOSTNAME= -DALWAYS_HOSTNAME +HOSTNAME= ############################################# # Optional: Turning on host ADDRESS checking @@ -650,6 +675,7 @@ # Solaris 2.x, and Linux. See your system documentation for details. # # KILL_OPT= -DKILL_IP_OPTIONS +KILL_OPT= -DKILL_IP_OPTIONS ## End configuration options ############################ @@ -657,9 +683,10 @@ # Protection against weird shells or weird make programs. SHELL = /bin/sh -.c.o:; $(CC) $(CFLAGS) -c $*.c +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ +COPTS = -O2 -g +CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ @@ -686,44 +713,66 @@ LIB = libwrap.a -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk +shared/%.o: %.c + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ + +SOMAJOR = 0 +SOMINOR = 7.6 + +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) +SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR) +SHLIBSO = shared/libwrap.so +SHLIBFLAGS = -Lshared -lwrap + +SHLINKFLAGS = -fpic -shared -Wl,-soname,libwrap.so.$(SOMAJOR) -Wl,--version-script=libwrap.lds $(LIBS) +SHCFLAGS = -fpic -shared -D_REENTRANT +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); + +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) # Invalidate all object files when the compiler options (CFLAGS) have changed. config-check: @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ - if cmp cflags /tmp/cflags.$$$$ ; \ - then rm /tmp/cflags.$$$$ ; \ - else mv /tmp/cflags.$$$$ cflags ; \ + @set +e; echo $(CFLAGS) >cflags.new ; \ + if cmp cflags cflags.new ; \ + then rm cflags.new ; \ + else mv cflags.new cflags ; \ fi >/dev/null 2>/dev/null + @if [ ! -d shared ]; then mkdir shared; fi $(LIB): $(LIB_OBJ) rm -f $(LIB) $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) -$(RANLIB) $(LIB) -tcpd: tcpd.o $(LIB) - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) +$(SHLIB): libwrap.lds $(SHLIB_OBJ) + rm -f $(SHLIB) + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) + ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) + ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) + +tcpd: tcpd.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) miscd: miscd.o $(LIB) $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) -safe_finger: safe_finger.o $(LIB) - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) +safe_finger: safe_finger.o + $(CC) $(CFLAGS) -o $@ safe_finger.o TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) -try-from: try-from.o fakelog.o $(LIB) - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) +try-from: try-from.o fakelog.o $(SHLIB) + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o -tcpdchk: $(TCPDCHK_OBJ) $(LIB) - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) shar: $(KIT) @shar $(KIT) @@ -739,7 +788,9 @@ clean: rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ + libwrap*.so* \ cflags + rm -rf shared/ tidy: clean chmod -R a+r . @@ -885,5 +936,6 @@ update.o: mystdarg.h update.o: tcpd.h vfprintf.o: cflags +weak_symbols.o: tcpd.h workarounds.o: cflags workarounds.o: tcpd.h --- misc.c.orig 1996-02-11 17:01:30.000000000 +0100 +++ misc.c 2010-11-14 19:55:36.000000000 +0100 @@ -58,9 +58,31 @@ { char *cp; +#ifdef INET6 + int bracket = 0; + + for (cp = string; cp && *cp; cp++) { + switch (*cp) { + case '[': + bracket++; + break; + case ']': + bracket--; + break; + default: + if (bracket == 0 && *cp == delimiter) { + *cp++ = 0; + return cp; + } + break; + } + } + return (NULL); +#else if ((cp = strchr(string, delimiter)) != 0) *cp++ = 0; return (cp); +#endif } /* dot_quad_addr - convert dotted quad to internal form */ @@ -85,3 +107,17 @@ } return (runs == 4 ? inet_addr(str) : INADDR_NONE); } + +/* cidr_mask_addr - convert cidr netmask length to internal form */ + +unsigned long cidr_mask_addr(str) +char *str; +{ + int maskbits; + + maskbits = atoi(str); + if (maskbits < 1 || maskbits > 32) + return (0); + return htonl(0xFFFFFFFF << (32 - maskbits)); +} + --- options.c.orig 1996-02-11 17:01:32.000000000 +0100 +++ options.c 2010-11-14 19:55:36.000000000 +0100 @@ -41,12 +41,14 @@ #include #include #include +#include #include #include #include #include #include #include +#include #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ @@ -76,6 +78,7 @@ static void umask_option(); /* execute "umask mask" option */ static void linger_option(); /* execute "linger time" option */ static void keepalive_option(); /* execute "keepalive" option */ +static void aclexec_option(); /* execute "aclexec command" option */ static void spawn_option(); /* execute "spawn command" option */ static void twist_option(); /* execute "twist command" option */ static void rfc931_option(); /* execute "rfc931" option */ @@ -113,6 +116,9 @@ "umask", umask_option, NEED_ARG, "linger", linger_option, NEED_ARG, "keepalive", keepalive_option, 0, +#ifdef ACLEXEC + "aclexec", aclexec_option, NEED_ARG | EXPAND_ARG, +#endif "spawn", spawn_option, NEED_ARG | EXPAND_ARG, "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST, "rfc931", rfc931_option, OPT_ARG, @@ -310,6 +316,54 @@ shell_cmd(value); } +#ifdef ACLEXEC +/* aclexec_option - spawn a shell command and check status */ + +/* ARGSUSED */ + +static void aclexec_option(value, request) +char *value; +struct request_info *request; +{ + int status, child_pid, wait_pid; + extern int aclexec_matched; + + if (dry_run != 0) + return; + + child_pid = fork(); + + /* Something went wrong: we MUST terminate the process. */ + if (child_pid < 0) { + tcpd_warn("aclexec_option: /bin/sh: %m"); + clean_exit(request); + } + + if (child_pid == 0) { + execl("/bin/sh", "sh", "-c", value, (char *) 0); + + /* Something went wrong. We MUST terminate the child process. */ + tcpd_warn("execl /bin/sh: %m"); + _exit(0); + } + + while ((wait_pid = wait(&status)) != -1 && wait_pid != child_pid) + /* void */ ; + + aclexec_matched = 1; + + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + aclexec_matched = 0; + } + + if (WIFSIGNALED(status)) + tcpd_warn("process %d exited with signal %d", child_pid, + WTERMSIG(status)); + + return; +} +#endif + /* linger_option - set the socket linger time (Marc Boucher ) */ /* ARGSUSED */ --- percent_m.c.orig 1994-12-28 17:42:37.000000000 +0100 +++ percent_m.c 2010-11-14 19:55:36.000000000 +0100 @@ -29,11 +29,15 @@ while (*bp = *cp) if (*cp == '%' && cp[1] == 'm') { +#ifdef HAVE_STRERROR + strcpy(bp, strerror(errno)); +#else if (errno < sys_nerr && errno > 0) { strcpy(bp, sys_errlist[errno]); } else { sprintf(bp, "Unknown error %d", errno); } +#endif bp += strlen(bp); cp += 2; } else { --- percent_x.c.orig 1994-12-28 17:42:38.000000000 +0100 +++ percent_x.c 2010-11-14 19:55:36.000000000 +0100 @@ -63,6 +63,8 @@ ch == 'n' ? eval_hostname(request->client) : ch == 'N' ? eval_hostname(request->server) : ch == 'p' ? eval_pid(request) : + ch == 'r' ? eval_port(request->client->sin) : + ch == 'R' ? eval_port(request->server->sin) : ch == 's' ? eval_server(request) : ch == 'u' ? eval_user(request) : ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), ""); --- refuse.c.orig 1994-12-28 17:42:40.000000000 +0100 +++ refuse.c 2010-11-14 19:55:36.000000000 +0100 @@ -25,7 +25,12 @@ void refuse(request) struct request_info *request; { +#ifdef INET6 + syslog(deny_severity, "refused connect from %s (%s)", + eval_client(request), eval_hostaddr(request->client)); +#else syslog(deny_severity, "refused connect from %s", eval_client(request)); +#endif clean_exit(request); /* NOTREACHED */ } --- rfc931.c.orig 1995-01-02 16:11:34.000000000 +0100 +++ rfc931.c 2010-11-14 19:55:36.000000000 +0100 @@ -33,7 +33,7 @@ int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ -static jmp_buf timebuf; +static sigjmp_buf timebuf; /* fsocket - open stdio stream on top of socket */ @@ -62,25 +62,57 @@ static void timeout(sig) int sig; { - longjmp(timebuf, sig); + siglongjmp(timebuf, sig); } /* rfc931 - return remote user name, given socket structures */ void rfc931(rmt_sin, our_sin, dest) +#ifdef INET6 +struct sockaddr *rmt_sin; +struct sockaddr *our_sin; +#else struct sockaddr_in *rmt_sin; struct sockaddr_in *our_sin; +#endif char *dest; { unsigned rmt_port; unsigned our_port; +#ifdef INET6 + struct sockaddr_storage rmt_query_sin; + struct sockaddr_storage our_query_sin; + int alen; +#else struct sockaddr_in rmt_query_sin; struct sockaddr_in our_query_sin; +#endif char user[256]; /* XXX */ char buffer[512]; /* XXX */ char *cp; char *result = unknown; FILE *fp; + unsigned saved_timeout; + struct sigaction nact, oact; + +#ifdef INET6 + /* address family must be the same */ + if (rmt_sin->sa_family != our_sin->sa_family) { + STRN_CPY(dest, result, STRING_LENGTH); + return; + } + switch (our_sin->sa_family) { + case AF_INET: + alen = sizeof(struct sockaddr_in); + break; + case AF_INET6: + alen = sizeof(struct sockaddr_in6); + break; + default: + STRN_CPY(dest, result, STRING_LENGTH); + return; + } +#endif /* * Use one unbuffered stdio stream for writing to and for reading from @@ -92,15 +124,24 @@ * sockets. */ +#ifdef INET6 + if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { +#else if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { +#endif setbuf(fp, (char *) 0); /* * Set up a timer so we won't get stuck while waiting for the server. */ - if (setjmp(timebuf) == 0) { - signal(SIGALRM, timeout); + if (sigsetjmp(timebuf, 1) == 0) { + /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ + saved_timeout = alarm(0); + nact.sa_handler = timeout; + nact.sa_flags = 0; + (void) sigemptyset(&nact.sa_mask); + (void) sigaction(SIGALRM, &nact, &oact); alarm(rfc931_timeout); /* @@ -112,6 +153,25 @@ * addresses from the query socket. */ +#ifdef INET6 + memcpy(&our_query_sin, our_sin, alen); + memcpy(&rmt_query_sin, rmt_sin, alen); + switch (our_sin->sa_family) { + case AF_INET: + ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); + ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); + break; + case AF_INET6: + ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); + ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); + break; + } + + if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, + alen) >= 0 && + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, + alen) >= 0) { +#else our_query_sin = *our_sin; our_query_sin.sin_port = htons(ANY_PORT); rmt_query_sin = *rmt_sin; @@ -121,6 +181,7 @@ sizeof(our_query_sin)) >= 0 && connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, sizeof(rmt_query_sin)) >= 0) { +#endif /* * Send query to server. Neglect the risk that a 13-byte @@ -129,8 +190,13 @@ */ fprintf(fp, "%u,%u\r\n", +#ifdef INET6 + ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), + ntohs(((struct sockaddr_in *)our_sin)->sin_port)); +#else ntohs(rmt_sin->sin_port), ntohs(our_sin->sin_port)); +#endif fflush(fp); /* @@ -144,8 +210,13 @@ && ferror(fp) == 0 && feof(fp) == 0 && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", &rmt_port, &our_port, user) == 3 +#ifdef INET6 + && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port + && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { +#else && ntohs(rmt_sin->sin_port) == rmt_port && ntohs(our_sin->sin_port) == our_port) { +#endif /* * Strip trailing carriage return. It is part of the @@ -159,6 +230,10 @@ } alarm(0); } + /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ + (void) sigaction(SIGALRM, &oact, NULL); + if (saved_timeout > 0) + alarm(saved_timeout); fclose(fp); } STRN_CPY(dest, result, STRING_LENGTH); --- safe_finger.8.orig 1970-01-01 01:00:00.000000000 +0100 +++ safe_finger.8 2010-11-14 19:55:36.000000000 +0100 @@ -0,0 +1,34 @@ +.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual" +.SH NAME +safe_finger \- finger client wrapper that protects against nasty stuff +from finger servers +.SH SYNOPSIS +.B safe_finger [finger_options] +.SH DESCRIPTION +The +.B safe_finger +command protects against nasty stuff from finger servers. Use this +program for automatic reverse finger probes from the +.B tcp_wrapper +.B (tcpd) +, not the raw finger command. The +.B safe_finger +command makes sure that the finger client is not run with root +privileges. It also runs the finger client with a defined PATH +environment. +.B safe_finger +will also protect you from problems caused by the output of some +finger servers. The problem: some programs may react to stuff in +the first column. Other programs may get upset by thrash anywhere +on a line. File systems may fill up as the finger server keeps +sending data. Text editors may bomb out on extremely long lines. +The finger server may take forever because it is somehow wedged. +.B safe_finger +takes care of all this badness. +.SH SEE ALSO +.BR hosts_access (5), +.BR hosts_options (5), +.BR tcpd (8) +.SH AUTHOR +Wietse Venema, Eindhoven University of Technology, The Netherlands. + --- safe_finger.c.orig 1994-12-28 17:42:42.000000000 +0100 +++ safe_finger.c 2010-11-14 19:55:36.000000000 +0100 @@ -26,21 +26,24 @@ #include #include #include +#include extern void exit(); /* Local stuff */ -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; #define TIME_LIMIT 60 /* Do not keep listinging forever */ #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ #define LINE_LENGTH 128 /* Editors can choke on long lines */ #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ #define UNPRIV_NAME "nobody" /* Preferred privilege level */ -#define UNPRIV_UGID 32767 /* Default uid and gid */ +#define UNPRIV_UGID 65534 /* Default uid and gid */ int finger_pid; +int allow_severity = SEVERITY; +int deny_severity = LOG_WARNING; void cleanup(sig) int sig; --- scaffold.c.orig 1997-03-21 19:27:24.000000000 +0100 +++ scaffold.c 2010-11-14 19:55:36.000000000 +0100 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -25,7 +26,9 @@ #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ #endif +#ifndef INET6 extern char *malloc(); +#endif /* Application-specific. */ @@ -39,6 +42,7 @@ int deny_severity = LOG_WARNING; int rfc931_timeout = RFC931_TIMEOUT; +#ifndef INET6 /* dup_hostent - create hostent in one memory block */ static struct hostent *dup_hostent(hp) @@ -73,9 +77,46 @@ } return (&hb->host); } +#endif /* find_inet_addr - find all addresses for this host, result to free() */ +#ifdef INET6 +struct addrinfo *find_inet_addr(host) +char *host; +{ + struct addrinfo hints, *res; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if (getaddrinfo(host, NULL, &hints, &res) == 0) + return (res); + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; + if (getaddrinfo(host, NULL, &hints, &res) != 0) { + tcpd_warn("%s: host not found", host); + return (0); + } + if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { + tcpd_warn("%d: not an internet host", res->ai_family); + freeaddrinfo(res); + return (0); + } + if (!res->ai_canonname) { + tcpd_warn("%s: hostname alias", host); + tcpd_warn("(cannot obtain official name)", res->ai_canonname); + } else if (STR_NE(host, res->ai_canonname)) { + tcpd_warn("%s: hostname alias", host); + tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); + } + return (res); +} +#else struct hostent *find_inet_addr(host) char *host; { @@ -118,6 +159,7 @@ } return (dup_hostent(hp)); } +#endif /* check_dns - give each address thorough workout, return address count */ @@ -125,8 +167,13 @@ char *host; { struct request_info request; +#ifdef INET6 + struct sockaddr_storage sin; + struct addrinfo *hp, *res; +#else struct sockaddr_in sin; struct hostent *hp; +#endif int count; char *addr; @@ -134,11 +181,18 @@ return (0); request_init(&request, RQ_CLIENT_SIN, &sin, 0); sock_methods(&request); +#ifndef INET6 memset((char *) &sin, 0, sizeof(sin)); sin.sin_family = AF_INET; +#endif +#ifdef INET6 + for (res = hp, count = 0; res; res = res->ai_next, count++) { + memcpy(&sin, res->ai_addr, res->ai_addrlen); +#else for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); +#endif /* * Force host name and address conversions. Use the request structure @@ -151,7 +205,11 @@ tcpd_warn("host address %s->name lookup failed", eval_hostaddr(request.client)); } +#ifdef INET6 + freeaddrinfo(hp); +#else free((char *) hp); +#endif return (count); } @@ -180,10 +238,17 @@ /* ARGSUSED */ -void rfc931(request) -struct request_info *request; +void rfc931(rmt_sin, our_sin, dest) +#ifdef INET6 +struct sockaddr *rmt_sin; +struct sockaddr *our_sin; +#else +struct sockaddr_in *rmt_sin; +struct sockaddr_in *our_sin; +#endif +char *dest; { - strcpy(request->user, unknown); + strcpy(dest, unknown); } /* check_path - examine accessibility */ --- scaffold.h.orig 1994-12-31 18:19:20.000000000 +0100 +++ scaffold.h 2010-11-14 19:55:36.000000000 +0100 @@ -4,6 +4,10 @@ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ +#ifdef INET6 +extern struct addrinfo *find_inet_addr(); +#else extern struct hostent *find_inet_addr(); +#endif extern int check_dns(); extern int check_path(); --- shell_cmd.c.orig 1994-12-28 17:42:44.000000000 +0100 +++ shell_cmd.c 2010-11-14 19:55:36.000000000 +0100 @@ -20,6 +20,11 @@ #include #include #include +#include +#include +#include +#include +#include extern void exit(); @@ -31,13 +36,42 @@ static void do_child(); +/* + * The sigchld handler. If there is a SIGCHLD caused by a child other than + * ours, we set a flag and raise the signal later. + */ +volatile static int foreign_sigchld; +volatile static int our_child_pid; +static void sigchld(int sig, siginfo_t *si, void *unused) +{ + if (si && si->si_pid != our_child_pid) + foreign_sigchld = 1; +} + /* shell_cmd - execute shell command */ void shell_cmd(command) char *command; { int child_pid; - int wait_pid; + + struct sigaction new_action, old_action; + sigset_t new_mask, old_mask, empty_mask; + + new_action.sa_sigaction = &sigchld; + new_action.sa_flags = SA_SIGINFO; + sigemptyset(&new_action.sa_mask); + sigemptyset(&new_mask); + sigemptyset(&empty_mask); + sigaddset(&new_mask, SIGCHLD); + + /* + * Set the variables for handler, set the handler and block the signal + * until we have the pid. + */ + foreign_sigchld = 0; our_child_pid = 0; + sigprocmask(SIG_BLOCK, &new_mask, &old_mask); + sigaction(SIGCHLD, &new_action, &old_action); /* * Most of the work is done within the child process, to minimize the @@ -49,12 +83,26 @@ tcpd_warn("cannot fork: %m"); break; case 00: /* child */ + /* Clear the blocked mask for the child not to be surprised. */ + sigprocmask(SIG_SETMASK, &empty_mask, 0); do_child(command); /* NOTREACHED */ default: /* parent */ - while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid) - /* void */ ; + our_child_pid = child_pid; + sigprocmask(SIG_UNBLOCK, &new_mask, 0); + while (waitpid(child_pid, (int *) 0, 0) == -1 && errno == EINTR); } + + /* + * Revert the signal mask and the SIGCHLD handler. + */ + sigprocmask(SIG_SETMASK, &old_mask, 0); + sigaction(SIGCHLD, &old_action, 0); + + /* If there was a foreign SIGCHLD, raise it after we have restored the old + * mask and handler. */ + if (foreign_sigchld) + raise(SIGCHLD); } /* do_child - exec command with { stdin, stdout, stderr } to /dev/null */ --- socket.c.orig 1997-03-21 19:27:25.000000000 +0100 +++ socket.c 2010-11-14 19:55:36.000000000 +0100 @@ -24,13 +24,22 @@ #include #include #include +#ifdef INT32_T +typedef uint32_t u_int32_t; +#endif #include #include #include #include #include +#ifdef INET6 +#ifndef NI_WITHSCOPEID +#define NI_WITHSCOPEID 0 +#endif +#else extern char *inet_ntoa(); +#endif /* Local stuff. */ @@ -52,7 +61,8 @@ char *name; { char dot_name[MAXHOSTNAMELEN + 1]; - + struct hostent *hp; + /* * Don't append dots to unqualified names. Such names are likely to come * from local hosts files or from NIS. @@ -61,8 +71,12 @@ if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { return (gethostbyname(name)); } else { - sprintf(dot_name, "%s.", name); - return (gethostbyname(dot_name)); + sprintf(dot_name, "%s.", name); + hp = gethostbyname(dot_name); + if (hp) + return hp; + else + return (gethostbyname(name)); } } @@ -74,9 +88,18 @@ void sock_host(request) struct request_info *request; { +#ifdef INET6 + static struct sockaddr_storage client; + static struct sockaddr_storage server; +#else static struct sockaddr_in client; static struct sockaddr_in server; +#endif +#ifdef __GLIBC__ + size_t len; +#else int len; +#endif char buf[BUFSIZ]; int fd = request->fd; @@ -104,7 +127,11 @@ memset(buf, 0 sizeof(buf)); #endif } +#ifdef INET6 + request->client->sin = (struct sockaddr *)&client; +#else request->client->sin = &client; +#endif /* * Determine the server binding. This is used for client username @@ -117,7 +144,11 @@ tcpd_warn("getsockname: %m"); return; } +#ifdef INET6 + request->server->sin = (struct sockaddr *)&server; +#else request->server->sin = &server; +#endif } /* sock_hostaddr - map endpoint address to printable form */ @@ -125,10 +156,26 @@ void sock_hostaddr(host) struct host_info *host; { +#ifdef INET6 + struct sockaddr *sin = host->sin; + int salen; + + if (!sin) + return; +#ifdef SIN6_LEN + salen = sin->sa_len; +#else + salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in) + : sizeof(struct sockaddr_in6); +#endif + getnameinfo(sin, salen, host->addr, sizeof(host->addr), + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); +#else struct sockaddr_in *sin = host->sin; if (sin != 0) STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); +#endif } /* sock_hostname - map endpoint address to host name */ @@ -136,6 +183,160 @@ void sock_hostname(host) struct host_info *host; { +#ifdef INET6 + struct sockaddr *sin = host->sin; + struct sockaddr_in sin4; + struct addrinfo hints, *res, *res0 = NULL; + int salen, alen, err = 1; + char *ap = NULL, *rap, hname[NI_MAXHOST]; + + if (sin != NULL) { + if (sin->sa_family == AF_INET6) { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin; + + if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { + memset(&sin4, 0, sizeof(sin4)); +#ifdef SIN6_LEN + sin4.sin_len = sizeof(sin4); +#endif + sin4.sin_family = AF_INET; + sin4.sin_port = sin6->sin6_port; + sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; + sin = (struct sockaddr *)&sin4; + } + } + switch (sin->sa_family) { + case AF_INET: + ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; + alen = sizeof(struct in_addr); + salen = sizeof(struct sockaddr_in); + break; + case AF_INET6: + ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; + alen = sizeof(struct in6_addr); + salen = sizeof(struct sockaddr_in6); + break; + default: + break; + } + if (ap) + err = getnameinfo(sin, salen, hname, sizeof(hname), + NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD); + } + if (!err) { + + STRN_CPY(host->name, hname, sizeof(host->name)); + + /* reject numeric addresses */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = sin->sa_family; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; + if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) { + freeaddrinfo(res0); + res0 = NULL; + tcpd_warn("host name/name mismatch: " + "reverse lookup results in non-FQDN %s", + host->name); + strcpy(host->name, paranoid); /* name is bad, clobber it */ + } + err = !err; + } + if (!err) { + /* we are now sure that this is non-numeric */ + + /* + * Verify that the address is a member of the address list returned + * by gethostbyname(hostname). + * + * Verify also that gethostbyaddr() and gethostbyname() return the same + * hostname, or rshd and rlogind may still end up being spoofed. + * + * On some sites, gethostbyname("localhost") returns "localhost.domain". + * This is a DNS artefact. We treat it as a special case. When we + * can't believe the address list from gethostbyname("localhost") + * we're in big trouble anyway. + */ + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = sin->sa_family; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; + if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) { + + /* + * Unable to verify that the host name matches the address. This + * may be a transient problem or a botched name server setup. + */ + + tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", + host->name, + (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); + + } else if ((res0->ai_canonname == NULL + || STR_NE(host->name, res0->ai_canonname)) + && STR_NE(host->name, "localhost")) { + + /* + * The gethostbyaddr() and gethostbyname() calls did not return + * the same hostname. This could be a nameserver configuration + * problem. It could also be that someone is trying to spoof us. + */ + + tcpd_warn("host name/name mismatch: %s != %.*s", + host->name, STRING_LENGTH, + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); + + } else { + + /* + * The address should be a member of the address list returned by + * gethostbyname(). We should first verify that the h_addrtype + * field is AF_INET, but this program has already caused too much + * grief on systems with broken library code. + */ + + for (res = res0; res; res = res->ai_next) { + if (res->ai_family != sin->sa_family) + continue; + switch (res->ai_family) { + case AF_INET: + rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr; + break; + case AF_INET6: + /* need to check scope_id */ + if (((struct sockaddr_in6 *)sin)->sin6_scope_id != + ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { + continue; + } + rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; + break; + default: + continue; + } + if (memcmp(rap, ap, alen) == 0) { + freeaddrinfo(res0); + return; /* name is good, keep it */ + } + } + + /* + * The host name does not map to the initial address. Perhaps + * someone has messed up. Perhaps someone compromised a name + * server. + */ + + getnameinfo(sin, salen, hname, sizeof(hname), + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); + tcpd_warn("host name/address mismatch: %s != %.*s", + hname, STRING_LENGTH, + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); + } + strcpy(host->name, paranoid); /* name is bad, clobber it */ + if (res0) + freeaddrinfo(res0); + } +#else /* INET6 */ struct sockaddr_in *sin = host->sin; struct hostent *hp; int i; @@ -215,6 +416,7 @@ } strcpy(host->name, paranoid); /* name is bad, clobber it */ } +#endif /* INET6 */ } /* sock_sink - absorb unreceived IP datagram */ @@ -223,8 +425,16 @@ int fd; { char buf[BUFSIZ]; +#ifdef INET6 + struct sockaddr_storage sin; +#else struct sockaddr_in sin; +#endif +#ifdef __GLIBC__ + size_t size = sizeof(sin); +#else int size = sizeof(sin); +#endif /* * Eat up the not-yet received datagram. Some systems insist on a --- tcpd.8.orig 1996-02-21 16:39:16.000000000 +0100 +++ tcpd.8 2010-11-14 19:55:36.000000000 +0100 @@ -12,7 +12,11 @@ TLI. Functionality may be limited when the protocol underneath TLI is not an internet protocol. .PP -Operation is as follows: whenever a request for service arrives, the +There are two possible modes of operation: execution of \fItcpd\fP +before a service started by \fIinetd\fP, or linking a daemon with +the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) +manual page. Operation when started by \fIinetd\fP +is as follows: whenever a request for service arrives, the \fIinetd\fP daemon is tricked into running the \fItcpd\fP program instead of the desired server. \fItcpd\fP logs the request and does some additional checks. When all is well, \fItcpd\fP runs the @@ -88,11 +92,11 @@ .sp .in +5 # mkdir /other/place -# mv /usr/etc/in.fingerd /other/place -# cp tcpd /usr/etc/in.fingerd +# mv /usr/sbin/in.fingerd /other/place +# cp tcpd /usr/sbin/in.fingerd .fi .PP -The example assumes that the network daemons live in /usr/etc. On some +The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec, or have no `in.\' prefix to their name. .SH EXAMPLE 2 @@ -101,35 +105,34 @@ .PP In order to monitor access to the \fIfinger\fR service, perform the following edits on the \fIinetd\fR configuration file (usually -\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): +\fI/etc/inetd.conf\fR): .nf .sp .ti +5 -finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd +finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd .sp becomes: .sp .ti +5 -finger stream tcp nowait nobody /some/where/tcpd in.fingerd +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd .sp .fi .PP -The example assumes that the network daemons live in /usr/etc. On some +The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec, the daemons have no `in.\' prefix to their name, or there is no userid field in the inetd configuration file. .PP Similar changes will be needed for the other services that are to be covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) -process to make the changes effective. AIX users may also have to -execute the `inetimp\' command. +process to make the changes effective. .SH EXAMPLE 3 In the case of daemons that do not live in a common directory ("secret" or otherwise), edit the \fIinetd\fR configuration file so that it specifies an absolute path name for the process name field. For example: .nf .sp - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd + ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd .sp .fi .PP @@ -164,6 +167,7 @@ .SH SEE ALSO .na .nf +hosts_access(3), functions provided by the libwrap library. hosts_access(5), format of the tcpd access control tables. syslog.conf(5), format of the syslogd control file. inetd.conf(5), format of the inetd control file. --- tcpd.c.orig 1996-02-11 17:01:33.000000000 +0100 +++ tcpd.c 2010-11-14 19:55:36.000000000 +0100 @@ -120,7 +120,12 @@ /* Report request and invoke the real daemon program. */ +#ifdef INET6 + syslog(allow_severity, "connect from %s (%s)", + eval_client(&request), eval_hostaddr(request.client)); +#else syslog(allow_severity, "connect from %s", eval_client(&request)); +#endif closelog(); (void) execv(path, argv); syslog(LOG_ERR, "error: cannot execute %s: %m", path); --- tcpdchk.8.orig 1995-01-08 17:00:31.000000000 +0100 +++ tcpdchk.8 2010-11-14 19:55:36.000000000 +0100 @@ -1,7 +1,7 @@ .TH TCPDCHK 8 .SH NAME tcpdchk \- tcp wrapper configuration checker -.SH SYNOPSYS +.SH SYNOPSIS tcpdchk [-a] [-d] [-i inet_conf] [-v] .SH DESCRIPTION .PP @@ -9,8 +9,8 @@ potential and real problems it can find. The program examines the \fItcpd\fR access control files (by default, these are \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the -entries in these files against entries in the \fIinetd\fR or \fItlid\fR -network configuration files. +entries in these files against entries in the \fIinetd\fR +network configuration file. .PP \fItcpdchk\fR reports problems such as non-existent pathnames; services that appear in \fItcpd\fR access control rules, but are not controlled @@ -26,14 +26,13 @@ .SH OPTIONS .IP -a Report access control rules that permit access without an explicit -ALLOW keyword. This applies only when the extended access control -language is enabled (build with -DPROCESS_OPTIONS). +ALLOW keyword. .IP -d Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current directory instead of the default ones. .IP "-i inet_conf" Specify this option when \fItcpdchk\fR is unable to find your -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when +\fIinetd.conf\fR network configuration file, or when you suspect that the program uses the wrong one. .IP -v Display the contents of each access control rule. Daemon lists, client @@ -54,7 +53,6 @@ hosts_access(5), format of the tcpd access control tables. hosts_options(5), format of the language extensions. inetd.conf(5), format of the inetd control file. -tlid.conf(5), format of the tlid control file. .SH AUTHORS .na .nf --- tcpdchk.c.orig 1997-02-12 02:13:25.000000000 +0100 +++ tcpdchk.c 2010-11-14 19:55:36.000000000 +0100 @@ -22,6 +22,9 @@ #include #include +#ifdef INET6 +#include +#endif #include #include #include @@ -50,6 +53,24 @@ #include "inetcf.h" #include "scaffold.h" +/* list of programs which are known to be linked with libwrap in debian */ +static const char *const libwrap_programs[] = { + "rpcbind", "portmap", "mountd", "statd", "ugidd", + "redir", "rlinetd", + "sshd", + "atftpd", + "diald", + "esound", + "gdm", "gnome-session", + "icecast", "icecast_admin", "icecast_client", "icecast_source", + "mysqld", + "ntop", + "pptpd", + "rquotad", + "sendmail", "smail", + NULL +}; + /* * Stolen from hosts_access.c... */ @@ -144,8 +165,8 @@ /* * These are not run from inetd but may have built-in access control. */ - inet_set("portmap", WR_NOT); - inet_set("rpcbind", WR_NOT); + for (c = 0; libwrap_programs[c]; c++) + inet_set(libwrap_programs[c], WR_YES); /* * Check accessibility of access control files. @@ -350,6 +371,8 @@ { if (pat[0] == '@') { tcpd_warn("%s: daemon name begins with \"@\"", pat); + } else if (pat[0] == '/') { + tcpd_warn("%s: daemon name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: daemon name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { @@ -382,6 +405,8 @@ { if (pat[0] == '@') { /* @netgroup */ tcpd_warn("%s: user name begins with \"@\"", pat); + } else if (pat[0] == '/') { + tcpd_warn("%s: user name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: user name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { @@ -397,13 +422,43 @@ } } +#ifdef INET6 +static int is_inet6_addr(pat) + char *pat; +{ + struct addrinfo hints, *res; + int len, ret; + char ch; + + if (*pat != '[') + return (0); + len = strlen(pat); + if ((ch = pat[len - 1]) != ']') + return (0); + pat[len - 1] = '\0'; + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) + freeaddrinfo(res); + pat[len - 1] = ch; + return (ret == 0); +} +#endif + /* check_host - criticize host pattern */ static int check_host(pat) char *pat; { + char buf[BUFSIZ]; char *mask; int addr_count = 1; + FILE *fp; + struct tcpd_context saved_context; + char *cp; + char *wsp = " \t\r\n"; if (pat[0] == '@') { /* @netgroup */ #ifdef NO_NETGRENT @@ -422,15 +477,43 @@ tcpd_warn("netgroup support disabled"); #endif #endif + } else if (pat[0] == '/') { /* /path/name */ + if ((fp = fopen(pat, "r")) != 0) { + saved_context = tcpd_context; + tcpd_context.file = pat; + tcpd_context.line = 0; + while (fgets(buf, sizeof(buf), fp)) { + tcpd_context.line++; + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) + check_host(cp); + } + tcpd_context = saved_context; + fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("open %s: %m", pat); + } } else if (mask = split_at(pat, '/')) { /* network/netmask */ +#ifdef INET6 + int mask_len; + + if ((dot_quad_addr(pat) == INADDR_NONE + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) + && (!is_inet6_addr(pat) + || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) +#else if (dot_quad_addr(pat) == INADDR_NONE - || dot_quad_addr(mask) == INADDR_NONE) + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) +#endif tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ tcpd_warn("FAIL is no longer recognized"); tcpd_warn("(use EXCEPT or DENY instead)"); } else if (reserved_name(pat)) { /* other reserved */ /* void */ ; +#ifdef INET6 + } else if (is_inet6_addr(pat)) { /* IPv6 address */ + addr_count = 1; +#endif } else if (NOT_INADDR(pat)) { /* internet name */ if (pat[strlen(pat) - 1] == '.') { tcpd_warn("%s: domain or host name ends in dot", pat); --- tcpd.h.orig 1996-03-19 16:22:25.000000000 +0100 +++ tcpd.h 2010-11-14 19:55:36.000000000 +0100 @@ -4,6 +4,15 @@ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ +#ifndef _TCPWRAPPERS_TCPD_H +#define _TCPWRAPPERS_TCPD_H + +/* Need definitions of struct sockaddr_in and FILE. */ +#include +#include + +__BEGIN_DECLS + /* Structure to describe one communications endpoint. */ #define STRING_LENGTH 128 /* hosts, users, processes */ @@ -11,7 +20,11 @@ struct host_info { char name[STRING_LENGTH]; /* access via eval_hostname(host) */ char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ +#ifdef INET6 + struct sockaddr *sin; /* socket address or 0 */ +#else struct sockaddr_in *sin; /* socket address or 0 */ +#endif struct t_unitdata *unit; /* TLI transport address or 0 */ struct request_info *request; /* for shared information */ }; @@ -25,10 +38,10 @@ char pid[10]; /* access via eval_pid(request) */ struct host_info client[1]; /* client endpoint info */ struct host_info server[1]; /* server endpoint info */ - void (*sink) (); /* datagram sink function or 0 */ - void (*hostname) (); /* address to printable hostname */ - void (*hostaddr) (); /* address to printable address */ - void (*cleanup) (); /* cleanup function or 0 */ + void (*sink) (int); /* datagram sink function or 0 */ + void (*hostname) (struct host_info *); /* address to printable hostname */ + void (*hostaddr) (struct host_info *); /* address to printable address */ + void (*cleanup) (struct request_info *); /* cleanup function or 0 */ struct netconfig *config; /* netdir handle */ }; @@ -66,20 +79,31 @@ #define fromhost sock_host /* no TLI support needed */ #endif -extern int hosts_access(); /* access control */ -extern void shell_cmd(); /* execute shell command */ -extern char *percent_x(); /* do % expansion */ -extern void rfc931(); /* client name from RFC 931 daemon */ -extern void clean_exit(); /* clean up and exit */ -extern void refuse(); /* clean up and exit */ -extern char *xgets(); /* fgets() on steroids */ -extern char *split_at(); /* strchr() and split */ -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ +extern int hosts_access(struct request_info *request); /* access control */ +extern void shell_cmd(char *); /* execute shell command */ +extern char *percent_x(char *, int, char *, struct request_info *); + /* do % expansion */ +#ifdef INET6 +extern void rfc931(struct sockaddr *, struct sockaddr *, char *); +#else +extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *); +#endif + /* client name from RFC 931 daemon */ +extern void clean_exit(struct request_info *); /* clean up and exit */ +extern void refuse(struct request_info *); /* clean up and exit */ +extern char *xgets(char *, int, FILE *); /* fgets() on steroids */ +extern char *split_at(char *, int); /* strchr() and split */ +extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */ /* Global variables. */ +#ifdef HAVE_WEAKSYMS +extern int allow_severity __attribute__ ((weak)); /* for connection logging */ +extern int deny_severity __attribute__ ((weak)); /* for connection logging */ +#else extern int allow_severity; /* for connection logging */ extern int deny_severity; /* for connection logging */ +#endif extern char *hosts_allow_table; /* for verification mode redirection */ extern char *hosts_deny_table; /* for verification mode redirection */ extern int hosts_access_verbose; /* for verbose matching mode */ @@ -94,6 +118,8 @@ #ifdef __STDC__ extern struct request_info *request_init(struct request_info *,...); extern struct request_info *request_set(struct request_info *,...); +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, + char *client_user); #else extern struct request_info *request_init(); /* initialize request */ extern struct request_info *request_set(); /* update request structure */ @@ -117,20 +143,28 @@ * host_info structures serve as caches for the lookup results. */ -extern char *eval_user(); /* client user */ -extern char *eval_hostname(); /* printable hostname */ -extern char *eval_hostaddr(); /* printable host address */ -extern char *eval_hostinfo(); /* host name or address */ -extern char *eval_client(); /* whatever is available */ -extern char *eval_server(); /* whatever is available */ +extern char *eval_user(struct request_info *); /* client user */ +extern char *eval_hostname(struct host_info *); /* printable hostname */ +extern char *eval_hostaddr(struct host_info *); /* printable host address */ +extern char *eval_hostinfo(struct host_info *); /* host name or address */ +extern char *eval_client(struct request_info *);/* whatever is available */ +extern char *eval_server(struct request_info *);/* whatever is available */ +#ifdef INET6 +extern char *eval_port(struct sockaddr *); +#else +extern char *eval_port(struct sockaddr_in *); +#endif #define eval_daemon(r) ((r)->daemon) /* daemon process name */ #define eval_pid(r) ((r)->pid) /* process id */ /* Socket-specific methods, including DNS hostname lookups. */ -extern void sock_host(); /* look up endpoint addresses */ -extern void sock_hostname(); /* translate address to hostname */ -extern void sock_hostaddr(); /* address to printable address */ +/* look up endpoint addresses */ +extern void sock_host(struct request_info *); +/* translate address to hostname */ +extern void sock_hostname(struct host_info *); +/* address to printable address */ +extern void sock_hostaddr(struct host_info *); #define sock_methods(r) \ { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } @@ -178,7 +212,7 @@ * behavior. */ -extern void process_options(); /* execute options */ +extern void process_options(char *, struct request_info *);/* execute options */ extern int dry_run; /* verification flag */ /* Bug workarounds. */ @@ -217,3 +251,7 @@ #define strtok my_strtok extern char *my_strtok(); #endif + +__END_DECLS + +#endif --- tcpdmatch.8.orig 1996-02-11 17:01:36.000000000 +0100 +++ tcpdmatch.8 2010-11-14 19:55:36.000000000 +0100 @@ -1,7 +1,7 @@ .TH TCPDMATCH 8 .SH NAME tcpdmatch \- tcp wrapper oracle -.SH SYNOPSYS +.SH SYNOPSIS tcpdmatch [-d] [-i inet_conf] daemon client .sp tcpdmatch [-d] [-i inet_conf] daemon[@server] [user@]client @@ -13,7 +13,7 @@ The program examines the \fItcpd\fR access control tables (default \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its conclusion. For maximal accuracy, it extracts additional information -from your \fIinetd\fR or \fItlid\fR network configuration file. +from your \fIinetd\fR network configuration file. .PP When \fItcpdmatch\fR finds a match in the access control tables, it identifies the matched rule. In addition, it displays the optional @@ -26,7 +26,7 @@ A daemon process name. Typically, the last component of a daemon executable pathname. .IP client -A host name or network address, or one of the `unknown' or `paranoid' +A host name or network address, or one of the `unknown\' or `paranoid\' wildcard patterns. .sp When a client host name is specified, \fItcpdmatch\fR gives a @@ -37,20 +37,20 @@ .PP Optional information specified with the \fIdaemon@server\fR form: .IP server -A host name or network address, or one of the `unknown' or `paranoid' -wildcard patterns. The default server name is `unknown'. +A host name or network address, or one of the `unknown\' or `paranoid\' +wildcard patterns. The default server name is `unknown\'. .PP Optional information specified with the \fIuser@client\fR form: .IP user A client user identifier. Typically, a login name or a numeric userid. -The default user name is `unknown'. +The default user name is `unknown\'. .SH OPTIONS .IP -d Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current directory instead of the default ones. .IP "-i inet_conf" Specify this option when \fItcpdmatch\fR is unable to find your -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when +\fIinetd.conf\fR network configuration file, or when you suspect that the program uses the wrong one. .SH EXAMPLES To predict how \fItcpd\fR would handle a telnet request from the local @@ -70,7 +70,7 @@ .ti +5 tcpdmatch in.telnetd paranoid .PP -On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR +On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR may need some help to locate the inetd configuration file. .SH FILES .PP @@ -86,7 +86,6 @@ hosts_access(5), format of the tcpd access control tables. hosts_options(5), format of the language extensions. inetd.conf(5), format of the inetd control file. -tlid.conf(5), format of the tlid control file. .SH AUTHORS .na .nf --- tcpdmatch.c.orig 1996-02-11 17:01:36.000000000 +0100 +++ tcpdmatch.c 2010-11-14 19:55:36.000000000 +0100 @@ -57,7 +57,11 @@ int argc; char **argv; { +#ifdef INET6 + struct addrinfo hints, *hp, *res; +#else struct hostent *hp; +#endif char *myname = argv[0]; char *client; char *server; @@ -68,8 +72,13 @@ int ch; char *inetcf = 0; int count; +#ifdef INET6 + struct sockaddr_storage server_sin; + struct sockaddr_storage client_sin; +#else struct sockaddr_in server_sin; struct sockaddr_in client_sin; +#endif struct stat st; /* @@ -172,13 +181,20 @@ if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { if ((hp = find_inet_addr(server)) == 0) exit(1); +#ifndef INET6 memset((char *) &server_sin, 0, sizeof(server_sin)); server_sin.sin_family = AF_INET; +#endif request_set(&request, RQ_SERVER_SIN, &server_sin, 0); +#ifdef INET6 + for (res = hp, count = 0; res; res = res->ai_next, count++) { + memcpy(&server_sin, res->ai_addr, res->ai_addrlen); +#else for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { memcpy((char *) &server_sin.sin_addr, addr, sizeof(server_sin.sin_addr)); +#endif /* * Force evaluation of server host name and address. Host name @@ -194,7 +210,11 @@ fprintf(stderr, "Please specify an address instead\n"); exit(1); } +#ifdef INET6 + freeaddrinfo(hp); +#else free((char *) hp); +#endif } else { request_set(&request, RQ_SERVER_NAME, server, 0); } @@ -208,6 +228,18 @@ tcpdmatch(&request); exit(0); } +#ifdef INET6 + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if (getaddrinfo(client, NULL, &hints, &res) == 0) { + freeaddrinfo(res); + request_set(&request, RQ_CLIENT_ADDR, client, 0); + tcpdmatch(&request); + exit(0); + } +#endif /* * Perhaps they are testing special client hostname patterns that aren't @@ -229,6 +261,34 @@ */ if ((hp = find_inet_addr(client)) == 0) exit(1); +#ifdef INET6 + request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); + + for (res = hp, count = 0; res; res = res->ai_next, count++) { + memcpy(&client_sin, res->ai_addr, res->ai_addrlen); + + /* + * getnameinfo() doesn't do reverse lookup against link-local + * address. So, we pass through host name evaluation against + * such addresses. + */ + if (res->ai_family != AF_INET6 || + !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { + /* + * Force evaluation of client host name and address. Host name + * conflicts will be reported while eval_hostname() does its job. + */ + request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); + if (STR_EQ(eval_hostname(request.client), unknown)) + tcpd_warn("host address %s->name lookup failed", + eval_hostaddr(request.client)); + } + tcpdmatch(&request); + if (res->ai_next) + printf("\n"); + } + freeaddrinfo(hp); +#else memset((char *) &client_sin, 0, sizeof(client_sin)); client_sin.sin_family = AF_INET; request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); @@ -250,6 +310,7 @@ printf("\n"); } free((char *) hp); +#endif exit(0); } --- tli.c.orig 1997-03-21 19:27:26.000000000 +0100 +++ tli.c 2010-11-14 19:55:36.000000000 +0100 @@ -65,8 +65,13 @@ void tli_host(request) struct request_info *request; { +#ifdef INET6 + static struct sockaddr_storage client; + static struct sockaddr_storage server; +#else static struct sockaddr_in client; static struct sockaddr_in server; +#endif /* * If we discover that we are using an IP transport, pretend we never @@ -76,14 +81,29 @@ tli_endpoints(request); if ((request->config = tli_transport(request->fd)) != 0 +#ifdef INET6 + && (STR_EQ(request->config->nc_protofmly, "inet") || + STR_EQ(request->config->nc_protofmly, "inet6"))) { +#else && STR_EQ(request->config->nc_protofmly, "inet")) { +#endif if (request->client->unit != 0) { +#ifdef INET6 + client = *(struct sockaddr_storage *) request->client->unit->addr.buf; + request->client->sin = (struct sockaddr *) &client; +#else client = *(struct sockaddr_in *) request->client->unit->addr.buf; request->client->sin = &client; +#endif } if (request->server->unit != 0) { +#ifdef INET6 + server = *(struct sockaddr_storage *) request->server->unit->addr.buf; + request->server->sin = (struct sockaddr *) &server; +#else server = *(struct sockaddr_in *) request->server->unit->addr.buf; request->server->sin = &server; +#endif } tli_cleanup(request); sock_methods(request); @@ -187,7 +207,15 @@ } while (config = getnetconfig(handlep)) { if (stat(config->nc_device, &from_config) == 0) { +#ifdef NO_CLONE_DEVICE + /* + * If the network devices are not cloned (as is the case for + * Solaris 8 Beta), we must compare the major device numbers. + */ + if (major(from_config.st_rdev) == major(from_client.st_rdev)) +#else if (minor(from_config.st_rdev) == major(from_client.st_rdev)) +#endif break; } } --- try-from.8.orig 1970-01-01 01:00:00.000000000 +0100 +++ try-from.8 2010-11-14 19:55:36.000000000 +0100 @@ -0,0 +1,28 @@ +.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual" +.SH NAME +try-from \- test program for the tcp_wrapper +.SH SYNOPSIS +.B try-from +.SH DESCRIPTION +The +.B try\-from +command can be called via a remote shell command to find out +if the hostname and address are properly recognized +by the +.B tcp_wrapper +library, if username lookup works, and (SysV only) if the TLI +on top of IP heuristics work. Diagnostics are reported through +.BR syslog (3) +and redirected to stderr. + +Example: + +rsh host /some/where/try\-from + +.SH SEE ALSO +.BR hosts_access (5), +.BR hosts_options (5), +.BR tcpd (8) +.SH AUTHOR +Wietse Venema, Eindhoven University of Technology, The Netherlands. + --- update.c.orig 1994-12-28 17:42:56.000000000 +0100 +++ update.c 2010-11-14 19:55:36.000000000 +0100 @@ -46,10 +46,18 @@ request->fd = va_arg(ap, int); continue; case RQ_CLIENT_SIN: +#ifdef INET6 + request->client->sin = va_arg(ap, struct sockaddr *); +#else request->client->sin = va_arg(ap, struct sockaddr_in *); +#endif continue; case RQ_SERVER_SIN: +#ifdef INET6 + request->server->sin = va_arg(ap, struct sockaddr *); +#else request->server->sin = va_arg(ap, struct sockaddr_in *); +#endif continue; /* --- weak_symbols.c.orig 1970-01-01 01:00:00.000000000 +0100 +++ weak_symbols.c 2010-11-14 19:55:36.000000000 +0100 @@ -0,0 +1,12 @@ + /* + * @(#) weak_symbols.h 1.5 99/12/29 23:50 + * + * Author: Anthony Towns + */ + +#ifdef HAVE_WEAKSYMS +#include "tcpd.h" +#include +int deny_severity = LOG_WARNING; +int allow_severity = SEVERITY; +#endif --- workarounds.c.orig 1996-03-19 16:22:26.000000000 +0100 +++ workarounds.c 2010-11-14 19:55:36.000000000 +0100 @@ -8,7 +8,7 @@ */ #ifndef lint -char sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25"; +static char sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25"; #endif #include @@ -166,11 +166,22 @@ int *len; { int ret; +#ifdef INET6 + struct sockaddr *sin = sa; +#else struct sockaddr_in *sin = (struct sockaddr_in *) sa; +#endif if ((ret = getpeername(sock, sa, len)) >= 0 +#ifdef INET6 + && ((sin->su_si.si_family == AF_INET6 + && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr)) + || (sin->su_si.si_family == AF_INET + && sin->su_sin.sin_addr.s_addr == 0))) { +#else && sa->sa_family == AF_INET && sin->sin_addr.s_addr == 0) { +#endif errno = ENOTCONN; return (-1); } else {