authorsheldonh <sheldonh@FreeBSD.org>1999-06-17 09:16:08 +0000
committersheldonh <sheldonh@FreeBSD.org>1999-06-17 09:16:08 +0000
commite9effd7443bb52603e3ca3974904ac18fb2de6cc (patch)
treecf96ed8b40ad97a7f60e2aa01677210e1eb4b9d8 /usr.sbin/inetd
parentc75e24138456dd073280dc8b0237bdf487570743 (diff)
Various fixes for inetd's TCP Wrappers support:
1) Handle forking and non-forking internal services correctly. Turn on wrapping for internal services because it works now. 2) Preserve server names for each service on HUP. 3) Honour hosts_options(5) severity option. 4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers usage and limitations. This change may cause previously allowed builtin services (e.g. daytime) to be denied in existing configurations. PR: 12097 Reviewed by: markm 1) Reported by: Pierre Beyssac <pb@fasterix.freenix.org> 2) Submitted by: Masachika ISHIZUKA <ishizuka@ish.org> 3) Submitted by: David Malone <dwmalone@maths.tcd.ie>
Diffstat (limited to 'usr.sbin/inetd')
-rw-r--r--usr.sbin/inetd/Makefile4
-rw-r--r--usr.sbin/inetd/inetd.87
-rw-r--r--usr.sbin/inetd/inetd.c39
3 files changed, 26 insertions, 24 deletions
diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile
index d3485d1..ddb15c5 100644
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@@ -1,11 +1,11 @@
# @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $Id: Makefile,v 1.7 1999/04/11 09:22:17 markm Exp $
+# $Id: Makefile,v 1.8 1999/05/07 06:48:01 markm Exp $
PROG= inetd
MAN8= inetd.8
MLINKS= inetd.8 inetd.conf.5
-COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP
+COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
#COPTS+= -DSANITY_CHECK
DPADD+= ${LIBUTIL} ${LIBWRAP}
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index 61b97cd..ec367ed 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
-.\" $Id: inetd.8,v 1.22.2.1 1999/05/01 22:01:52 obrien Exp $
+.\" $Id: inetd.8,v 1.25 1999/05/01 22:03:00 obrien Exp $
.\"
.Dd February 7, 1996
.Dt INETD 8
@@ -382,14 +382,15 @@ Except when started in debugging mode,
records its process ID in the file
.Pa /var/run/inetd.pid
to assist in reconfiguration.
+.Sh IMPLEMENTATION NOTES
.Pp
Support is provided for TCP Wrappers; see the relevant documentation (
.Xr hosts_access 5
).
The
.Pa tcpd
-daemon is not required, as that functionality is builtin. This also allows
-the ``internal'' services to be wrapped.
+daemon is not required, as that functionality is builtin.
+Only stream-based services, including ``internal'' services, may be wrapped.
.Sh TCPMUX
.Pp
.Tn RFC 1078
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index e72d954..64114ba 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -42,7 +42,7 @@ static const char copyright[] =
static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
#endif
static const char rcsid[] =
- "$Id: inetd.c,v 1.48 1999/04/11 09:22:17 markm Exp $";
+ "$Id: inetd.c,v 1.49 1999/05/11 12:50:14 des Exp $";
#endif /* not lint */
/*
@@ -146,8 +146,8 @@ static const char rcsid[] =
#ifndef LIBWRAP_DENY_SEVERITY
# define LIBWRAP_DENY_SEVERITY LOG_WARNING
#endif
-int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
-int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+int allow_severity;
+int deny_severity;
#endif
#ifdef LOGIN_CAP
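Review bot: Nothing at the declarations of `allow_severity` and `deny_severity` explains why the initializers were dropped. As file-scope ints they are now zero until first assigned, and zero read as a syslog priority is LOG_EMERG. The later hunk in main() assigns both immediately before `hosts_access()`, presumably because a hosts_options(5) severity rule can overwrite them during the lookup. I would record that here with a comment such as `/* Set before every hosts_access() call; a hosts_options(5) "severity" rule may overwrite them. */`. Any other code that logs with these variables before that assignment would need checking, but none is visible in this diff.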
@@ -344,8 +344,6 @@ main(argc, argv, envp)
int tmpint, ch, dofork;
pid_t pid;
char buf[50];
- struct sockaddr_in peer;
- int i;
#ifdef LOGIN_CAP
login_cap_t *lc = NULL;
#endif
@@ -353,6 +351,9 @@ main(argc, argv, envp)
struct request_info req;
int denied;
char *service = NULL;
+#else
+ struct sockaddr_in peer;
+ int i;
#endif
@@ -538,6 +539,7 @@ main(argc, argv, envp)
close(ctrl);
continue;
}
+#ifndef LIBWRAP
if (log) {
i = sizeof peer;
if (getpeername(ctrl, (struct sockaddr *)
@@ -552,11 +554,16 @@ main(argc, argv, envp)
sep->se_service,
inet_ntoa(peer.sin_addr));
}
+#endif
} else
ctrl = sep->se_fd;
(void) sigblock(SIGBLOCK);
pid = 0;
#ifdef LIBWRAP_INTERNAL
+ /*
+ * When builtins are wrapped, avoid a minor optimization
+ * that breaks hosts_options(5) twist.
+ */
dofork = 1;
#else
dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
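Review bot: The unconditional `dofork = 1` under LIBWRAP_INTERNAL also covers datagram builtins. Going by the inetd.8 change in this commit, only stream-based services are wrapped, so those builtins cannot hit the hosts_options(5) twist problem the new comment describes. They would now fork once per packet where they previously ran inside inetd, which raises the cost of handling unsolicited UDP traffic. Consider keeping the old rule for non-stream sockets, e.g. `dofork = (sep->se_socktype == SOCK_STREAM || sep->se_bi == 0 || sep->se_bi->bi_fork);`. The code that consumes dofork lies outside this hunk, so confirm that no other wrapped path depends on the fork.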
@@ -624,21 +631,13 @@ main(argc, argv, envp)
#endif
if (sep->se_accept
&& sep->se_socktype == SOCK_STREAM) {
- request_init(&req,
- RQ_DAEMON, sep->se_server_name ?
- sep->se_server_name : sep->se_service,
- RQ_FILE, ctrl, NULL);
+ service = sep->se_server_name ?
+ sep->se_server_name : sep->se_service;
+ request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
fromhost(&req);
+ deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+ allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
denied = !hosts_access(&req);
- if (denied || log) {
- sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
- if (sp == NULL) {
- (void)snprintf(buf, sizeof buf, "%d",
- ntohs(sep->se_ctrladdr.sin_port));
- service = buf;
- } else
- service = sp->s_name;
- }
if (denied) {
syslog(deny_severity,
"refused connection from %.500s, service %s (%s)",
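Review bot: `service` now holds the libwrap daemon name (`se_server_name` when set, else `se_service`). Assuming it is still the value passed for the `service %s` field of the refusal message, that field no longer reliably names the inetd.conf service that was contacted. The removed block derived the name from the listening port via `getservbyport()`, so existing log searches keyed on the service name can miss refusals for entries whose server name differs. I would pass `sep->se_service` for that field and log the daemon name as its own field, which keeps refusals traceable both to the listening service and to the hosts.allow rule. The syslog argument list runs past the end of this hunk, so check it against the full call.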
@@ -746,8 +745,9 @@ main(argc, argv, envp)
#endif
if (sep->se_socktype != SOCK_STREAM)
recv(0, buf, sizeof (buf), 0);
- _exit(EX_OSERR);
}
+ if (dofork)
+ _exit(0);
}
if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
close(ctrl);
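Review bot: With `_exit(EX_OSERR);` removed from inside the branch, the path that ends at the closing brace now falls through to `if (dofork) _exit(0);`. That branch looks like a failure path, since it used to exit with EX_OSERR, though its start is outside the hunk. If so, a child that failed now reports success to the parent, and anything that inspects the wait status can no longer tell the two apart. Unless a non-forked caller must survive this path, I would keep the distinction, e.g. `if (dofork) _exit(EX_OSERR);` as the last statement inside the branch. The return value of the `recv()` call just above is also ignored, which is acceptable for a drain but deserves a short comment.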
@@ -911,6 +911,7 @@ void config()
SWAP(sep->se_class, new->se_class);
#endif
SWAP(sep->se_server, new->se_server);
+ SWAP(sep->se_server_name, new->se_server_name);
for (i = 0; i < MAXARGV; i++)
SWAP(sep->se_argv[i], new->se_argv[i]);
sigsetmask(omask);