From f15070b9aea1b418779b2ec9186b55362f8144d6 Mon Sep 17 00:00:00 2001
From: markm
Date: Sun, 28 Mar 1999 10:50:30 +0000
Subject: Now inetd(8) has direct support for tcp_wrappers! Not working at the moment is support for the internal serfvices, so these are not enabled. Volunteers welcome!
---
 usr.sbin/inetd/Makefile | 7 ++---
 usr.sbin/inetd/inetd.8 | 10 +++++--
 usr.sbin/inetd/inetd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 80 insertions(+), 9 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile
index 2682ea5..1c671fc 100644
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@@ -1,13 +1,14 @@
 # @(#)Makefile 8.1 (Berkeley) 6/6/93
+# $Id$
 PROG= inetd
 MAN8= inetd.8
 MLINKS= inetd.8 inetd.conf.5
-COPTS+= -Wall -DLOGIN_CAP
+COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP
 #COPTS+= -DSANITY_CHECK
-DPADD+= ${LIBUTIL}
-LDADD+= -lutil
+DPADD+= ${LIBUTIL} ${LIBWRAP}
+LDADD+= -lutil -lwrap
 .include
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index 272db94..55c2461 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
-.\" $Id: inetd.8,v 1.21 1998/05/15 19:16:35 pb Exp $
+.\" $Id: inetd.8,v 1.22 1998/06/10 12:34:25 phk Exp $
 .\"
 .Dd February 7, 1996
 .Dt INETD 8
@@ -382,6 +382,10 @@ Except when started in debugging mode,
 records its process ID in the file
 .Pa /var/run/inetd.pid
 to assist in reconfiguration.
+.Pp
+Support is provided for tcp_wrappers; see the relevant documentation. The
+.Pa tcpd
+daemon is not required.
 .Sh TCPMUX
 .Pp
 .Tn RFC 1078
@@ -521,7 +525,9 @@ socket but was unable to.
 .Xr rlogind 8 ,
 .Xr rshd 8 ,
 .Xr telnetd 8 ,
-.Xr tftpd 8
+.Xr tftpd 8 ,
+.Xr hosts_access 5 ,
+.Xr hosts_options 5
 .Sh HISTORY
 The
 .Nm
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 124d804..f7cd1d5 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
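Review bot: The Makefile turns on LIBWRAP but gives no way to select the LIBWRAP_INTERNAL path that inetd.c gains in this commit, so the only record of that option is the `#ifdef` in the source. Following the existing `#COPTS+= -DSANITY_CHECK` pattern, a commented `#COPTS+= -DLIBWRAP_INTERNAL` line, with a note that wrapping of internal services is not yet working as the commit message says, would document the knob without enabling it. Note also that `-lwrap` is now linked unconditionally while the feature itself is a compile-time define; dropping `-DLIBWRAP` alone would leave a needless library dependency, so tying both to one variable would keep them in step.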
@@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
 #endif
 static const char rcsid[] =
- "$Id: inetd.c,v 1.45 1999/01/02 16:04:19 des Exp $";
+ "$Id: inetd.c,v 1.46 1999/01/05 11:56:35 danny Exp $";
 #endif /* not lint */
 /*
@@ -132,6 +132,24 @@ static const char rcsid[] =
 #include
 #include
+#ifdef LIBWRAP
+# include
+#ifndef LIBWRAP_ALLOW_FACILITY
+# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_ALLOW_SEVERITY
+# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
+#endif
+#ifndef LIBWRAP_DENY_FACILITY
+# define LIBWRAP_DENY_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_DENY_SEVERITY
+# define LIBWRAP_DENY_SEVERITY LOG_WARNING
+#endif
+int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
+int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+#endif
+
 #ifdef LOGIN_CAP
 #include
@@ -268,7 +286,7 @@ struct biltin {
 { "discard", SOCK_STREAM, 1, 0, discard_stream },
 { "discard", SOCK_DGRAM, 0, 0, discard_dg },
- /* Return 32 bit time since 1900 */
+ /* Return 32 bit time since 1970 */
 { "time", SOCK_STREAM, 0, 0, machtime_stream },
 { "time", SOCK_DGRAM, 0, 0, machtime_dg },
@@ -330,6 +348,11 @@ main(argc, argv, envp)
 #ifdef LOGIN_CAP
 login_cap_t *lc = NULL;
 #endif
+#ifdef LIBWRAP
+ struct request_info req;
+ int denied;
+ char *service = NULL;
+#endif
 #ifdef OLD_SETPROCTITLE
@@ -532,7 +555,11 @@ main(argc, argv, envp)
 ctrl = sep->se_fd;
 (void) sigblock(SIGBLOCK);
 pid = 0;
+#ifdef LIBWRAP_INTERNAL
+ dofork = 1;
+#else
 dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
+#endif
 if (dofork) {
 if (sep->se_count++ == 0)
 (void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
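Review bot: The rewritten comment `/* Return 32 bit time since 1970 */` looks like the wrong direction for the "time" entries: that service is RFC 868, whose reply is seconds since 1900-01-01 00:00 UTC, and the helper behind machtime_stream/machtime_dg (not in this diff) normally adds the 1900-to-1970 offset to the gettimeofday value before sending it. Unless machtime() was changed in the same commit to drop that offset, the original wording should be restored, ideally as `/* Return 32 bit time since 1900 (RFC 868) */`, so the table does not contradict the wire format. The biltin table starts before and ends after this hunk.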
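Review bot: Under LIBWRAP_INTERNAL the new `dofork = 1` forks for every service, including builtins whose bi_fork is 0, yet nothing in the diff makes the child exit once such a builtin returns from bi_fn; the `/* NOTREACHED */` after the bi_fn call in the next hunk suggests builtins never return, but the no-fork datagram builtins presumably do, in which case the child would fall back into the main select loop as a second inetd. That is probably why the commit message calls the internal-service path non-working. A comment at the `#ifdef LIBWRAP_INTERNAL`, such as `/* XXX forces a fork for no-fork builtins; the child must _exit after bi_fn returns before this can be enabled */`, would stop someone from simply defining the macro. main() begins and ends outside the hunk.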
@@ -590,6 +617,40 @@ main(argc, argv, envp)
 _exit(0);
 }
 }
+#ifdef LIBWRAP
+#ifndef LIBWRAP_INTERNAL
+ if (sep->se_bi == 0)
+#endif
+ if (sep->se_accept
+ && sep->se_socktype == SOCK_STREAM) {
+ request_init(&req,
+ RQ_DAEMON, sep->se_argv[0] ?
+ sep->se_argv[0] : sep->se_service,
+ RQ_FILE, ctrl, NULL);
+ fromhost(&req);
+ denied = !hosts_access(&req);
+ if (denied || log) {
+ sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
+ if (sp == NULL) {
+ (void)snprintf(buf, sizeof buf, "%d",
+ ntohs(sep->se_ctrladdr.sin_port));
+ service = buf;
+ } else
+ service = sp->s_name;
+ }
+ if (denied) {
+ syslog(deny_severity,
+ "refused connection from %.500s, service %s (%s)",
+ eval_client(&req), service, sep->se_proto);
+ goto reject;
+ }
+ if (log) {
+ syslog(allow_severity,
+ "connection from %.500s, service %s (%s)",
+ eval_client(&req), service, sep->se_proto);
+ }
+ }
+#endif /* LIBWRAP */
 if (sep->se_bi) {
 (*sep->se_bi->bi_fn)(ctrl, sep);
 /* NOTREACHED */
@@ -677,10 +738,13 @@ main(argc, argv, envp)
 sigaction(SIGPIPE, &sapipe, (struct sigaction *)0);
 execv(sep->se_server, sep->se_argv);
- if (sep->se_socktype != SOCK_STREAM)
- recv(0, buf, sizeof (buf), 0);
 syslog(LOG_ERR, "cannot execute %s: %m", sep->se_server);
+#ifdef LIBWRAP
+ reject:
+#endif
+ if (sep->se_socktype != SOCK_STREAM)
+ recv(0, buf, sizeof (buf), 0);
 _exit(EX_OSERR);
 }
 }
-- cgit v1.1
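Review bot: The guard `if (sep->se_accept && sep->se_socktype == SOCK_STREAM)` consults hosts_access(5) only for stream services with se_accept set (presumably the nowait ones, where inetd itself accepts the connection), so datagram services, wait-mode stream services and, without LIBWRAP_INTERNAL, every internal service are never checked against hosts.allow/hosts.deny, while the inetd.8 text added in this commit says only that tcp_wrappers support is provided. An administrator who writes a deny rule for tftp or talk will get no protection and no indication of it; that scope belongs in the manual page and in a comment above the `#ifdef LIBWRAP` block, e.g. `/* tcp_wrappers is consulted only for nowait stream services; datagram, wait and (unless LIBWRAP_INTERNAL) internal services pass through unchecked */`. fromhost() can obtain the peer of a datagram socket as well, so the SOCK_STREAM restriction is a choice that should at least be explained. main() begins and ends outside the hunk.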
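Review bot: The `reject:` label lands the policy-denial path on `_exit(EX_OSERR)`, so a refused connection exits with the same "operating system error" status as a failed execv; if the SIGCHLD reaper reports non-zero child status (not visible here), every refusal will also produce a spurious exit-status message, and `_exit(0)` after the label, or a dedicated status, would be more accurate. The moved `recv(0, buf, sizeof (buf), 0)` drain is reached from `goto reject` before the code that presumably dup2's ctrl onto fd 0 (that code lies between the two hunks and is not shown), so on that path it would read inetd's own stdin rather than the service socket; today this is harmless because the wrapper check is limited to SOCK_STREAM, but anyone extending it to datagram services as the commit message invites needs `recv(ctrl, buf, sizeof (buf), 0)` there. main() begins outside the hunk.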