path: root/usr.sbin/inetd
Commit message | Author | Age | Files | Lines
* Don't leak pipe descriptor to daemons on execv(). | sheldonh | 1999-07-22 | 1 | -4/+6
* Signal handlers should use _exit(2) and not exit(3). | sheldonh | 1999-07-22 | 1 | -2/+2
* Move code for all builtin services from inetd.c to builtins.c, including | sheldonh | 1999-07-22 | 4 | -583/+648
  the Green Piece. :-)
  In future, new builtin services are less likely to need to touch the
  already tangled inetd.c .
* Fix for the hosts_options(5) spawn option. | sheldonh | 1999-07-21 | 1 | -5/+9
  Restore default SIGHUP, SIGCHLD and SIGALRM handlers in forked inetd
  processes. This happens to work around the fact that hosts_access()
  doesn't (but should) set SIG_IGN as the handler for SIGCHLD while it
  handles the spawn option, but it would make sense even if that were
  not true.
  This does not address the leaking descriptors issue discussed on the
  same PR.
  PR: 12731
  Reviewed by: des
  Submitted by: David Malone <dwmalone@maths.tcd.ie>
* Fix horribly broken comment. The submitter of the associated code sent | sheldonh | 1999-07-21 | 1 | -3/+4
  me the right comment and I bastardized it. :-(
* Document the new {auth,ident,tap} service and provide examples in the | sheldonh | 1999-07-16 | 1 | -3/+26
  configuration file.
  Requested by: green
* By popular demand, ident_stream now takes arguments. Ex: | green | 1999-07-15 | 2 | -45/+49
  # This enables the old, fake ident service.
  auth stream tcp nowait root internal
  # This enables the new, real ident service.
  auth stream tcp nowait root internal auth -r
  # This enables ~/.fakeid support, too.
  auth stream tcp nowait root internal auth -r -f
* This is the working internal ident service. Turn it on by setting | green | 1999-07-15 | 2 | -19/+106
  the make variable REAL_IDENT, and ~/.fakeid support can be added with
  FAKEID set. Note that the default behavior is the same as the old
  behavior.
* Fix ``:''. | green | 1999-07-11 | 1 | -2/+2
  PR: 12589
* Use the proctitle to indicate that we're busy wrapping a request for a | sheldonh | 1999-07-09 | 1 | -1/+3
  service. Inetd already uses the process title to indicate that a
  request for an internal service is being serviced, so this addition
  is fairly orthogonal.
  Submitted by: David Malone <dwmalone@maths.tcd.ie>
* Allow internal and external wrapping to be enabled independently of | sheldonh | 1999-07-09 | 2 | -15/+20
  each other. Instead of allowing the -w option to be specified twice,
  we now take -w (wrap external) and -W (wrap internal).
  Discussed with: markm
* Allow service alias names from /etc/services to be used when specifying | sheldonh | 1999-07-02 | 2 | -6/+26
  internal services in inetd.conf .
  The inetd(8) manpage used to say that the official name of a service
  _must_ be used, yet inetd itself was hardcoded to use a service alias
  for the auth service, namely ident!
  Rather than change inetd.conf and break existing configurations on
  next upgrade, we now allow service aliases as well as official names.
  This allows the software to work as expected and still support
  existing configurations.
  This should not break existing wrapped configurations either and the
  inetd(8) manpage already states that it is the service name specified
  in inetd.conf that is used for calls to hosts_access(3).
  PR: 11796
  Reported by: Alex Charalabidis <alex@wnm.net>
  Approved by: des
* Clarify that the services name, as specified in inetd.conf, for an | sheldonh | 1999-07-02 | 1 | -1/+9
  internal service should be used as the daemon name when constructing
  hosts_access(5) rules.
* Omitted in previous commit message: | sheldonh | 1999-06-30 | 2 | -2/+2
  Submitted by: David Malone <dwmalone@maths.tcd.ie>
* Enable wrapping for dgram services and fix logging so that -l really | sheldonh | 1999-06-30 | 2 | -33/+51
  does log all connections.
* Sync usage() with the manpage. | sheldonh | 1999-06-28 | 1 | -2/+3
  Approved by: mpp
* Fix broken logic: (!wrap || log) -> (!wrap && log) . | sheldonh | 1999-06-28 | 1 | -2/+2
  Reported by: David Malone <dwmalone@maths.tcd.ie>
* Fix the SYNOPSIS to reflect that the -w option can be specified twice. | sheldonh | 1999-06-27 | 1 | -2/+2
  Requested by: obrien
  Approved by: mpp
* Add command-line option (-w), specified once to enable wrapping and | sheldonh | 1999-06-27 | 3 | -37/+45
  twice to enable wrapping for internal wrapping as well. If the option
  is not specified wrapping is turned off so that inetd will behave
  exactly as it used to before TCP Wrappers was imported.
  Change etc/defaults/rc.conf so as to encourage wrapping on new systems.
  Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
  manual page.
  Approved by: jkh
* Use Dq mdoc tag for double-quoted words. | sheldonh | 1999-06-21 | 1 | -12/+33
* Fix handling of maximum children and connections per minute. | sheldonh | 1999-06-21 | 1 | -20/+28
  Submitted by: David Malone <dwmalone@maths.tcd.ie>
* Various fixes for inetd's TCP Wrappers support: | sheldonh | 1999-06-17 | 3 | -24/+26
  1) Handle forking and non-forking internal services correctly.
     Turn on wrapping for internal services because it works now.
  2) Preserve server names for each service on HUP.
  3) Honour hosts_options(5) severity option.
  4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers usage
     and limitations.
  This change may cause previously allowed builtin services (e.g.
  daytime) to be denied in existing configurations.
  PR: 12097
  Reviewed by: markm
  1) Reported by: Pierre Beyssac <pb@fasterix.freenix.org>
  2) Submitted by: Masachika ISHIZUKA <ishizuka@ish.org>
  3) Submitted by: David Malone <dwmalone@maths.tcd.ie>
* Don't stop listening to the signal pipe just because you don't have | des | 1999-05-11 | 1 | -6/+6
  anything else to do.
  PR: 10468, 11594
* There seems to be a problem (most likely when there is no hosts.allow) | markm | 1999-05-07 | 1 | -2/+2
  with wrapping the internal services, so do not wrap them for now.
* MFS: sort reference list and embellish history. | obrien | 1999-05-01 | 1 | -5/+9
* Fix the "internal" wrapping as well as a nasty bug involving | markm | 1999-04-11 | 3 | -9/+17
  the daemon name vs the path. Also fix some warnings and improve
  the wrapper section of the man page.
  Nice debugging work by: Sheldon Hearn
* Now inetd(8) has direct support for tcp_wrappers! Not working at the | markm | 1999-03-28 | 3 | -9/+80
  moment is support for the internal services, so these are not enabled.
  Volunteers welcome!
* Make machtime() function unsigned long instead of long. | danny | 1999-01-05 | 1 | -5/+5
  Reviewed by: phk
* Style cleanups. | des | 1999-01-02 | 1 | -42/+33
  Requested by: bde
* Back out rev. 1.42 and 1.43. Apply Graham Wheeler's signal handling patch. | des | 1998-12-28 | 1 | -73/+115
  Reviewed by: jkh & eivind
  Submitted by: Graham Wheeler <gram@cdsec.com>
  PR: bin/8183
* Remove signal mask prior to calling exec | dillon | 1998-12-15 | 1 | -1/+2
* Reviewed by: freebsd-current | dillon | 1998-12-11 | 1 | -27/+63
  Fix signal/library corruption by blocking all signals except during
  select(). The reported corruption was with reentrancy in the malloc lib.
* Add an "internal" driver for the "ident" protocol (tcp/113). | phk | 1998-11-04 | 1 | -1/+31
  It will return "ERROR:HIDDEN-USER" for all requests.
  To use it add:
    ident stream tcp nowait root internal
  to inetd.conf
* Bruce says that %p is intended to format void pointers only. So use a void * | jb | 1998-08-18 | 1 | -2/+2
  cast. There are pointers and then there are _pointers_. One day I'll
  figure out which are which. 8-)
* Remove a cast and print the pointer value with %p instead of %x. | jb | 1998-08-17 | 1 | -4/+4
* Add (struct timezone *) cast to NULL for K&R | ache | 1998-07-24 | 1 | -4/+4
* Use NULL as gettimeofday arg instead of 0 cast | ache | 1998-07-23 | 1 | -8/+8
  Add missing arg to error diagnostic
  Print yet one arg of error diagnostic
* last patch misapplied. | phk | 1998-07-22 | 1 | -2/+2
* This may apply to all known versions of inetd. | phk | 1998-07-22 | 1 | -1/+4
  For a tcp/nowait connection, inetd invokes accept(2) for each pending
  connection; this call returns a file descriptor associated with the
  new connection. Twelve years ago, code was added to inetd to detect
  "failing servers". The heuristic that identifies a failing server is
  one that has been invoked a large number of times over some specified
  interval (e.g., more than 128 ftp services started in 60 seconds may
  flag the ftp service as "failing"). These compile-time constants vary
  depending on vendor.
  The problem is that, when a failing server is detected, the code
  neglects to close the file descriptor returned by the accept(2).
  Security-Implications:
  I suppose someone with ample free time could orchestrate an attack
  by pummeling services until the inetd process finally runs out of
  file descriptors thus rendering inetd useless to any new connections
  that require a new descriptor.
  PR: 7286
  Reviewed by: phk
  Submitted by: Jeff Forys <jeff@forys.cranbury.nj.us>
* Spelling fixes. | phk | 1998-06-10 | 1 | -2/+2
  PR: 6903
  Reviewed by: phk
  Submitted by: Josh Gilliam <josh@quick.net>
* Small typo in T/TCP patch ("speicfy" -> "specify"). | pb | 1998-05-15 | 1 | -2/+2
* On request of Garrett, add a way to specify that a service should be | guido | 1998-05-14 | 2 | -3/+20
  reachable via T/TCP
  Reviewed by: Garrett Wollman
* Fixed gross errors in previous commit. `sapipe' was used uninitialized | bde | 1998-05-11 | 1 | -7/+11
  to attempt to unblock SIGCHLD, but we actually want to unignore SIGPIPE.
  Obtained from: OpenBSD
  Finished conversion from sigvec to sigaction (don't assume that
  sa_mask is a scalar...).
  Didn't convert from sigblock to sigprocmask. Didn't fix missing error
  checking for sigaction...
* Unblock SIGPIPE before execv(); convert from sigvec to sigaction | guido | 1998-05-08 | 1 | -16/+18
  Obtained from: OpenBSD
* Redo tcpmux stuff. tcpmux handling is now performed after inetd | guido | 1998-05-07 | 1 | -15/+20
  forks. Furthermore, invalid input for tcpmux does not lead to
  an exiting inetd. This patch is recommended for people running tcpmux
  (which is NOT enabled by default)
* Document the requirement for TCPMUX to also be enabled as an internal | wollman | 1998-04-13 | 1 | -1/+12
  service if any external TCPMUX servers are desired.
  PR: 826
* Make maxchild and max child-per-minute default values configurable from | pst | 1998-02-24 | 2 | -20/+62
  the command line or Makefile.
* Add possibility to specify maximum number of connections per minute | dima | 1997-10-29 | 2 | -8/+132
  for a given IP address. This should be very effective against DoS
  attacks.
* Implement group part now, final syntax is: | ache | 1997-10-28 | 2 | -17/+49
  user[:group][/login-class]
* Implement login classes specification as user[/loginclass] | ache | 1997-10-27 | 2 | -10/+56
  By default inetd runs things with the same limits as from /etc/rc
  (daemon class) to not break anything as in good old days.