authorMark Murray <markm@FreeBSD.org>1999-03-28 10:50:30 +0000
committerMark Murray <markm@FreeBSD.org>1999-03-28 10:50:30 +0000
commit9980037e50c813836fc1d6c60b482ee8848ee928 (patch)
treee1e8dc5a440ec3dd5578737d01a79d9fd351058f
parentf8b0e8c9ff02561cf6efcecbcf9dcab7f0aa8ca8 (diff)
Now inetd(8) has direct support for tcp_wrappers! Not working at the
moment is support for the internal services, so these are not enabled. Volunteers welcome!
Notes
Notes: svn path=/head/; revision=45089
-rw-r--r--usr.sbin/inetd/Makefile7
-rw-r--r--usr.sbin/inetd/inetd.810
-rw-r--r--usr.sbin/inetd/inetd.c72
3 files changed, 80 insertions, 9 deletions
diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile
index 2682ea5c9a0b..1c671fc66df2 100644
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@@ -1,13 +1,14 @@
# @(#)Makefile 8.1 (Berkeley) 6/6/93
+# $Id$
PROG= inetd
MAN8= inetd.8
MLINKS= inetd.8 inetd.conf.5
-COPTS+= -Wall -DLOGIN_CAP
+COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP
#COPTS+= -DSANITY_CHECK
-DPADD+= ${LIBUTIL}
-LDADD+= -lutil
+DPADD+= ${LIBUTIL} ${LIBWRAP}
+LDADD+= -lutil -lwrap
.include <bsd.prog.mk>
diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8
index 272db9472bf0..55c246184d6c 100644
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
-.\" $Id: inetd.8,v 1.21 1998/05/15 19:16:35 pb Exp $
+.\" $Id: inetd.8,v 1.22 1998/06/10 12:34:25 phk Exp $
.\"
.Dd February 7, 1996
.Dt INETD 8
@@ -382,6 +382,10 @@ Except when started in debugging mode,
records its process ID in the file
.Pa /var/run/inetd.pid
to assist in reconfiguration.
+.Pp
+Support is provided for tcp_wrappers; see the relevant documentation. The
+.Pa tcpd
+daemon is not required.
.Sh TCPMUX
.Pp
.Tn RFC 1078
@@ -521,7 +525,9 @@ socket but was unable to.
.Xr rlogind 8 ,
.Xr rshd 8 ,
.Xr telnetd 8 ,
-.Xr tftpd 8
+.Xr tftpd 8 ,
+.Xr hosts_access 5 ,
+.Xr hosts_options 5
.Sh HISTORY
The
.Nm
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 124d8042ac9a..f7cd1d56c42d 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -42,7 +42,7 @@ static const char copyright[] =
static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
#endif
static const char rcsid[] =
- "$Id: inetd.c,v 1.45 1999/01/02 16:04:19 des Exp $";
+ "$Id: inetd.c,v 1.46 1999/01/05 11:56:35 danny Exp $";
#endif /* not lint */
/*
@@ -132,6 +132,24 @@ static const char rcsid[] =
#include <libutil.h>
#include <sysexits.h>
+#ifdef LIBWRAP
+# include <tcpd.h>
+#ifndef LIBWRAP_ALLOW_FACILITY
+# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_ALLOW_SEVERITY
+# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
+#endif
+#ifndef LIBWRAP_DENY_FACILITY
+# define LIBWRAP_DENY_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_DENY_SEVERITY
+# define LIBWRAP_DENY_SEVERITY LOG_WARNING
+#endif
+int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
+int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+#endif
+
#ifdef LOGIN_CAP
#include <login_cap.h>
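Review bot: `allow_severity` and `deny_severity` are added as non-static globals with no comment explaining why, which invites a later cleanup to make them `static` or rename them. libwrap's `tcpd.h` declares both as `extern` and expects the program to define them, so a one-line comment above the definitions, e.g. `/* libwrap requires the application to define these two symbols */`, would protect the link. The nested `#ifndef` blocks are also indented inconsistently with the `# include <tcpd.h>` line above them.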
@@ -268,7 +286,7 @@ struct biltin {
{ "discard", SOCK_STREAM, 1, 0, discard_stream },
{ "discard", SOCK_DGRAM, 0, 0, discard_dg },
- /* Return 32 bit time since 1900 */
+ /* Return 32 bit time since 1970 */
{ "time", SOCK_STREAM, 0, 0, machtime_stream },
{ "time", SOCK_DGRAM, 0, 0, machtime_dg },
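Review bot: The new comment `/* Return 32 bit time since 1970 */` contradicts the protocol this table entry serves, since RFC 868 defines the time service value as seconds since 1 January 1900. Unless `machtime_stream`/`machtime_dg` (outside this hunk) were changed to drop the 1900 offset, the previous wording was the correct one and the line should stay `/* Return 32 bit time since 1900 */`.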
@@ -330,6 +348,11 @@ main(argc, argv, envp)
#ifdef LOGIN_CAP
login_cap_t *lc = NULL;
#endif
+#ifdef LIBWRAP
+ struct request_info req;
+ int denied;
+ char *service = NULL;
+#endif
#ifdef OLD_SETPROCTITLE
@@ -532,7 +555,11 @@ main(argc, argv, envp)
ctrl = sep->se_fd;
(void) sigblock(SIGBLOCK);
pid = 0;
+#ifdef LIBWRAP_INTERNAL
+ dofork = 1;
+#else
dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
+#endif
if (dofork) {
if (sep->se_count++ == 0)
(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
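Review bot: `LIBWRAP_INTERNAL` appears here without any comment and is not defined anywhere in this commit (the Makefile hunk adds only `-DLIBWRAP`), so the `dofork = 1;` branch is dead code as shipped. When enabled it forces a fork for every built-in service, including those whose `bi_fork` is 0, which changes the cost of each request. The commit message says internal-service support does not work yet; a comment next to the macro such as `/* LIBWRAP_INTERNAL: also wrap built-in services (forces a fork per request); experimental, not enabled by default */` would keep someone from turning it on and assuming the built-ins are then filtered.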
@@ -590,6 +617,40 @@ main(argc, argv, envp)
_exit(0);
}
}
+#ifdef LIBWRAP
+#ifndef LIBWRAP_INTERNAL
+ if (sep->se_bi == 0)
+#endif
+ if (sep->se_accept
+ && sep->se_socktype == SOCK_STREAM) {
+ request_init(&req,
+ RQ_DAEMON, sep->se_argv[0] ?
+ sep->se_argv[0] : sep->se_service,
+ RQ_FILE, ctrl, NULL);
+ fromhost(&req);
+ denied = !hosts_access(&req);
+ if (denied || log) {
+ sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
+ if (sp == NULL) {
+ (void)snprintf(buf, sizeof buf, "%d",
+ ntohs(sep->se_ctrladdr.sin_port));
+ service = buf;
+ } else
+ service = sp->s_name;
+ }
+ if (denied) {
+ syslog(deny_severity,
+ "refused connection from %.500s, service %s (%s)",
+ eval_client(&req), service, sep->se_proto);
+ goto reject;
+ }
+ if (log) {
+ syslog(allow_severity,
+ "connection from %.500s, service %s (%s)",
+ eval_client(&req), service, sep->se_proto);
+ }
+ }
+#endif /* LIBWRAP */
if (sep->se_bi) {
(*sep->se_bi->bi_fn)(ctrl, sep);
/* NOTREACHED */
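Review bot: The `hosts_access()` check runs only when `sep->se_accept && sep->se_socktype == SOCK_STREAM` and, without `LIBWRAP_INTERNAL`, only when `sep->se_bi == 0`, so datagram services, stream services without `se_accept`, and all built-ins are started without consulting the access rules and without any log line. The new inetd.8 text says only that tcp_wrappers is supported, so an administrator could assume a deny rule covers every configured service. A comment at this block, e.g. `/* only external stream services with se_accept set are wrapped; all others bypass hosts_access() */`, plus a matching sentence in the man page, would make the gap explicit. Separately, the brace-less `if (sep->se_bi == 0)` dangling across `#endif` onto the next `if` is fragile; folding it into the condition would be safer. This code sits inside main(), whose body extends outside the hunk.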
@@ -677,10 +738,13 @@ main(argc, argv, envp)
sigaction(SIGPIPE, &sapipe,
(struct sigaction *)0);
execv(sep->se_server, sep->se_argv);
- if (sep->se_socktype != SOCK_STREAM)
- recv(0, buf, sizeof (buf), 0);
syslog(LOG_ERR,
"cannot execute %s: %m", sep->se_server);
+#ifdef LIBWRAP
+ reject:
+#endif
+ if (sep->se_socktype != SOCK_STREAM)
+ recv(0, buf, sizeof (buf), 0);
_exit(EX_OSERR);
}
}
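Review bot: The `reject:` label lands on the exec-failure exit path, so a connection refused by `hosts_access()` makes the child `_exit(EX_OSERR)`, the same status as a failed `execv()`. The two causes cannot be told apart from the exit status; how the parent treats that status is outside this hunk. A comment at the label, e.g. `/* also reached via goto from the libwrap deny path */`, or a distinct exit code for the deny case would make the shared path clearer. The `recv()` drain is never exercised from `goto reject`, because the wrapper check applies only to `SOCK_STREAM`.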