author | sheldonh <sheldonh@FreeBSD.org> | 1999-06-17 09:16:08 +0000 |
---|---|---|
committer | sheldonh <sheldonh@FreeBSD.org> | 1999-06-17 09:16:08 +0000 |
commit | e9effd7443bb52603e3ca3974904ac18fb2de6cc (patch) | |
tree | cf96ed8b40ad97a7f60e2aa01677210e1eb4b9d8 | |
parent | c75e24138456dd073280dc8b0237bdf487570743 (diff) | |
Various fixes for inetd's TCP Wrappers support:
1) Handle forking and non-forking internal services correctly.
Turn on wrapping for internal services because it works now.
2) Preserve server names for each service on HUP.
3) Honour hosts_options(5) severity option.
4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers
usage and limitations.
This change may cause previously allowed builtin services (e.g. daytime)
to be denied in existing configurations.
PR: 12097
Reviewed by: markm
1)
Reported by: Pierre Beyssac <pb@fasterix.freenix.org>
2)
Submitted by: Masachika ISHIZUKA <ishizuka@ish.org>
3)
Submitted by: David Malone <dwmalone@maths.tcd.ie>
-rw-r--r-- | usr.sbin/inetd/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/inetd/inetd.8 | 7 | ||||
-rw-r--r-- | usr.sbin/inetd/inetd.c | 39 |
3 files changed, 26 insertions, 24 deletions
diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile
index d3485d1..ddb15c5 100644
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@@ -1,11 +1,11 @@
 # @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $Id: Makefile,v 1.7 1999/04/11 09:22:17 markm Exp $
+# $Id: Makefile,v 1.8 1999/05/07 06:48:01 markm Exp $
 PROG= inetd
 MAN8= inetd.8
 MLINKS= inetd.8 inetd.conf.5
-COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP
+COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
 #COPTS+= -DSANITY_CHECK
 DPADD+= ${LIBUTIL} ${LIBWRAP}
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index 61b97cd..ec367ed 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
-.\" $Id: inetd.8,v 1.22.2.1 1999/05/01 22:01:52 obrien Exp $
+.\" $Id: inetd.8,v 1.25 1999/05/01 22:03:00 obrien Exp $
 .\"
 .Dd February 7, 1996
 .Dt INETD 8
@@ -382,14 +382,15 @@
 Except when started in debugging mode,
 records its process ID in the file
 .Pa /var/run/inetd.pid
 to assist in reconfiguration.
+.Sh IMPLEMENTATION NOTES
 .Pp
 Support is provided for TCP Wrappers; see the relevant documentation (
 .Xr hosts_access 5 ).
 The
 .Pa tcpd
-daemon is not required, as that functionality is builtin. This also allows
-the ``internal'' services to be wrapped.
+daemon is not required, as that functionality is builtin.
+Only stream-based services, including ``internal'' services, may be wrapped.
 .Sh TCPMUX
 .Pp
 .Tn RFC 1078
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index e72d954..64114ba 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
 #endif
 static const char rcsid[] =
- "$Id: inetd.c,v 1.48 1999/04/11 09:22:17 markm Exp $";
+ "$Id: inetd.c,v 1.49 1999/05/11 12:50:14 des Exp $";
 #endif /* not lint */
 /*
@@ -146,8 +146,8 @@ static const char rcsid[] =
 #ifndef LIBWRAP_DENY_SEVERITY
 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
 #endif
-int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
-int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+int allow_severity;
+int deny_severity;
 #endif
 #ifdef LOGIN_CAP
@@ -344,8 +344,6 @@ main(argc, argv, envp)
 int tmpint, ch, dofork;
 pid_t pid;
 char buf[50];
- struct sockaddr_in peer;
- int i;
 #ifdef LOGIN_CAP
 login_cap_t *lc = NULL;
 #endif
@@ -353,6 +351,9 @@ main(argc, argv, envp)
 struct request_info req;
 int denied;
 char *service = NULL;
+#else
+ struct sockaddr_in peer;
+ int i;
 #endif
@@ -538,6 +539,7 @@ main(argc, argv, envp)
 close(ctrl);
 continue;
 }
+#ifndef LIBWRAP
 if (log) {
 i = sizeof peer;
 if (getpeername(ctrl, (struct sockaddr *)
@@ -552,11 +554,16 @@ main(argc, argv, envp)
 sep->se_service, inet_ntoa(peer.sin_addr));
 }
+#endif
 } else
 ctrl = sep->se_fd;
 (void) sigblock(SIGBLOCK);
 pid = 0;
 #ifdef LIBWRAP_INTERNAL
+ /*
+ * When builtins are wrapped, avoid a minor optimization
+ * that breaks hosts_options(5) twist.
+ */
 dofork = 1;
 #else
 dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
@@ -624,21 +631,13 @@ main(argc, argv, envp)
 #endif
 if (sep->se_accept && sep->se_socktype == SOCK_STREAM) {
- request_init(&req,
- RQ_DAEMON, sep->se_server_name ?
- sep->se_server_name : sep->se_service,
- RQ_FILE, ctrl, NULL);
+ service = sep->se_server_name ?
+ sep->se_server_name : sep->se_service;
+ request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
 fromhost(&req);
+ deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+ allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
 denied = !hosts_access(&req);
- if (denied || log) {
- sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
- if (sp == NULL) {
- (void)snprintf(buf, sizeof buf, "%d",
- ntohs(sep->se_ctrladdr.sin_port));
- service = buf;
- } else
- service = sp->s_name;
- }
 if (denied) {
 syslog(deny_severity,
 "refused connection from %.500s, service %s (%s)",
@@ -746,8 +745,9 @@ main(argc, argv, envp)
 #endif
 if (sep->se_socktype != SOCK_STREAM)
 recv(0, buf, sizeof (buf), 0);
- _exit(EX_OSERR);
 }
+ if (dofork)
+ _exit(0);
 }
 if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
 close(ctrl);
@@ -911,6 +911,7 @@ void config()
 SWAP(sep->se_class, new->se_class);
 #endif
 SWAP(sep->se_server, new->se_server);
+ SWAP(sep->se_server_name, new->se_server_name);
 for (i = 0; i < MAXARGV; i++)
 SWAP(sep->se_argv[i], new->se_argv[i]);
 sigsetmask(omask);
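Review bot: The -746 hunk removes `_exit(EX_OSERR);` from the exec-failure path (the branch that drains a datagram with `recv()` after `execv()` fails) and, judging from the closing brace that follows, lets it fall through to the new `if (dofork) _exit(0);`, so a child whose exec failed now terminates with status 0 and the parent can no longer tell a failed exec from a clean exit by its wait status. Keep the error exit where it was and reserve the new check for the builtin return path: `recv(0, buf, sizeof (buf), 0);` / `_exit(EX_OSERR);` / `}`. The enclosing main() starts and ends outside these hunks, so the lines between the `recv()` and that brace are not visible here and this inference should be confirmed against the full function. Related: the -146 hunk drops the file-scope initializers of `allow_severity`/`deny_severity`, leaving them zero (which syslog reads as LOG_KERN|LOG_EMERG) until the per-connection reset in the -624 hunk; nothing visible reads them before that, but keeping the static initializers alongside the reset costs nothing and covers any libwrap logging path that consults them before `hosts_access()`.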