Upstream-Status: Backport diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 --- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 +++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 @@ -3,7 +3,7 @@ hosts_access, hosts_ctl, request_init, request_set \- access control library .SH SYNOPSIS .nf -#include "tcpd.h" +#include extern int allow_severity; extern int deny_severity; diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 --- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 +++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 @@ -8,9 +8,9 @@ name, host name/address) patterns. Exam impatient reader is encouraged to skip to the EXAMPLES section for a quick introduction. .PP -An extended version of the access control language is described in the -\fIhosts_options\fR(5) document. The extensions are turned on at -program build time by building with -DPROCESS_OPTIONS. +The extended version of the access control language is described in the +\fIhosts_options\fR(5) document. \fBNote that this language supersedes +the meaning of \fIshell_command\fB as documented below.\fR .PP In the following text, \fIdaemon\fR is the the process name of a network daemon process, and \fIclient\fR is the name and/or address of @@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain /etc/hosts.deny: .in +3 .nf -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ - /usr/ucb/mail -s %d-%h root) & +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ + /usr/bin/mail -s %d-%h root) & .fi .PP The safe_finger command comes with the tcpd wrapper and should be 
@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor .fi .SH SEE ALSO .nf +hosts_options(5) extended syntax. tcpd(8) tcp/ip daemon wrapper program. tcpdchk(8), tcpdmatch(8), test programs. .SH BUGS diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 --- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 +++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 @@ -2,10 +2,8 @@ .SH NAME hosts_options \- host access control language extensions .SH DESCRIPTION -This document describes optional extensions to the language described -in the hosts_access(5) document. The extensions are enabled at program -build time. For example, by editing the Makefile and turning on the -PROCESS_OPTIONS compile-time option. +This document describes extensions to the language described +in the hosts_access(5) document. .PP The extensible language uses the following format: .sp @@ -58,12 +56,12 @@ Notice the leading dot on the domain nam Execute, in a child process, the specified shell command, after performing the % expansions described in the hosts_access(5) manual page. The command is executed with stdin, stdout and stderr -connected to the null device, so that it won\'t mess up the +connected to the null device, so that it won't mess up the conversation with the client host. Example: .sp .nf .ti +3 -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & .fi .sp executes, in a background child process, the shell command "safe_finger diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c --- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 +++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 
@@ -26,13 +26,17 @@ extern void exit(); * guesses. Shorter names follow longer ones. */ char *inet_files[] = { +#if 0 "/private/etc/inetd.conf", /* NEXT */ "/etc/inet/inetd.conf", /* SYSV4 */ "/usr/etc/inetd.conf", /* IRIX?? */ +#endif "/etc/inetd.conf", /* BSD */ +#if 0 "/etc/net/tlid.conf", /* SYSV4?? */ "/etc/saf/tlid.conf", /* SYSV4?? */ "/etc/tlid.conf", /* SYSV4?? */ +#endif 0, }; diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 --- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 +++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 @@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s TLI. Functionality may be limited when the protocol underneath TLI is not an internet protocol. .PP -Operation is as follows: whenever a request for service arrives, the +There are two possible modes of operation: execution of \fItcpd\fP +before a service started by \fIinetd\fP, or linking a daemon with +the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) +manual page. Operation when started by \fIinetd\fP +is as follows: whenever a request for service arrives, the \fIinetd\fP daemon is tricked into running the \fItcpd\fP program instead of the desired server. \fItcpd\fP logs the request and does some additional checks. When all is well, \fItcpd\fP runs the @@ -88,11 +92,11 @@ configuration files. .sp .in +5 # mkdir /other/place -# mv /usr/etc/in.fingerd /other/place -# cp tcpd /usr/etc/in.fingerd +# mv /usr/sbin/in.fingerd /other/place +# cp tcpd /usr/sbin/in.fingerd .fi .PP -The example assumes that the network daemons live in /usr/etc. On some +The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec, or have no `in.\' prefix to their name. .SH EXAMPLE 2 
@@ -101,35 +105,34 @@ are left in their original place. .PP In order to monitor access to the \fIfinger\fR service, perform the following edits on the \fIinetd\fR configuration file (usually -\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): +\fI/etc/inetd.conf\fR): .nf .sp .ti +5 -finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd +finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd .sp becomes: .sp .ti +5 -finger stream tcp nowait nobody /some/where/tcpd in.fingerd +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd .sp .fi .PP -The example assumes that the network daemons live in /usr/etc. On some +The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec, the daemons have no `in.\' prefix to their name, or there is no userid field in the inetd configuration file. .PP Similar changes will be needed for the other services that are to be covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) -process to make the changes effective. AIX users may also have to -execute the `inetimp\' command. +process to make the changes effective. .SH EXAMPLE 3 In the case of daemons that do not live in a common directory ("secret" or otherwise), edit the \fIinetd\fR configuration file so that it specifies an absolute path name for the process name field. For example: .nf .sp - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd + ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd .sp .fi .PP 
@@ -164,6 +167,7 @@ The default locations of the host access .SH SEE ALSO .na .nf +hosts_access(3), functions provided by the libwrap library. hosts_access(5), format of the tcpd access control tables. syslog.conf(5), format of the syslogd control file. inetd.conf(5), format of the inetd control file. diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 --- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 +++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 @@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] potential and real problems it can find. The program examines the \fItcpd\fR access control files (by default, these are \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the -entries in these files against entries in the \fIinetd\fR or \fItlid\fR -network configuration files. +entries in these files against entries in the \fIinetd\fR +network configuration file. .PP \fItcpdchk\fR reports problems such as non-existent pathnames; services that appear in \fItcpd\fR access control rules, but are not controlled @@ -26,14 +26,13 @@ problem. .SH OPTIONS .IP -a Report access control rules that permit access without an explicit -ALLOW keyword. This applies only when the extended access control -language is enabled (build with -DPROCESS_OPTIONS). +ALLOW keyword. .IP -d Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current directory instead of the default ones. .IP "-i inet_conf" Specify this option when \fItcpdchk\fR is unable to find your -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when +\fIinetd.conf\fR network configuration file, or when you suspect that the program uses the wrong one. .IP -v Display the contents of each access control rule. Daemon lists, client 
@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do hosts_access(5), format of the tcpd access control tables. hosts_options(5), format of the language extensions. inetd.conf(5), format of the inetd control file. -tlid.conf(5), format of the tlid control file. .SH AUTHORS .na .nf diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 --- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 +++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 @@ -13,7 +13,7 @@ request for service. Examples are given The program examines the \fItcpd\fR access control tables (default \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its conclusion. For maximal accuracy, it extracts additional information -from your \fIinetd\fR or \fItlid\fR network configuration file. +from your \fIinetd\fR network configuration file. .PP When \fItcpdmatch\fR finds a match in the access control tables, it identifies the matched rule. In addition, it displays the optional @@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d directory instead of the default ones. .IP "-i inet_conf" Specify this option when \fItcpdmatch\fR is unable to find your -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when +\fIinetd.conf\fR network configuration file, or when you suspect that the program uses the wrong one. .SH EXAMPLES To predict how \fItcpd\fR would handle a telnet request from the local @@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker hosts_access(5), format of the tcpd access control tables. hosts_options(5), format of the language extensions. inetd.conf(5), format of the inetd control file. -tlid.conf(5), format of the tlid control file. .SH AUTHORS .na .nf
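Review bot: In the hosts_access.3 SYNOPSIS hunk, the added `#include` line names no header as it appears here, while the removed line named "tcpd.h". Check that the header name is present in the patch file itself, since a SYNOPSIS with a bare `#include` tells the reader nothing about what to include.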
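Review bot: The first hosts_access.5 hunk, the hosts_options.5 DESCRIPTION hunk and the tcpdchk.8 `-a` hunk all delete the statement that the extended language depends on building with -DPROCESS_OPTIONS, yet nothing in this patch touches the build. The man pages are now correct only if the package is always built with that option, so the flag should be set in the same change series or the dependency noted in the commit message. The new hosts_access.5 sentence that the language "supersedes the meaning of shell_command as documented below" would also serve readers better if it said briefly what changes, instead of leaving that entirely to hosts_options(5).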
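Review bot: The second hosts_options.5 hunk changes `won\'t` to `won't`, while other lines visible in this patch keep the escaped form (`shouldn\'t`, `in.\'`, `kill -HUP\'`). That edit is unrelated to the path update in the same hunk; either leave the escape alone or convert the escapes consistently in a separate change.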
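Review bot: In the inetcf.c hunk, the alternative entries of inet_files[] are disabled with bare `#if 0` / `#endif` pairs and no comment saying why. Either delete the entries outright or add a one-line comment giving the reason, and revisit the comment above the array, which still speaks of "guesses" and "Shorter names follow longer ones" although only "/etc/inetd.conf" remains active.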
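Review bot: In the tcpd.8 EXAMPLE 1 and EXAMPLE 2 hunks, the changed sentence now repeats itself in its unchanged continuation: "The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec". Extend the hunk to drop /usr/sbin from the second sentence so that the listed alternatives differ from the assumed default.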