Commit 6786f311 authored by Khem Raj's avatar Khem Raj

tcp-wrappers: Use the recipe from oe-core

Signed-off-by: default avatarKhem Raj <raj.khem@gmail.com>
parent ae4ea40e
diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 1995-01-30 19:51:47.000000000 +0100
+++ tcp_wrappers_7.6/hosts_access.5 2004-04-09 16:59:45.000000000 +0200
@@ -173,7 +173,7 @@
Patterns like these can be used when the machine has different internet
addresses with different internet hostnames. Service providers can use
this facility to offer FTP, GOPHER or WWW archives with internet names
-that may even belong to different organizations. See also the `twist'
+that may even belong to different organizations. See also the `twist\'
option in the hosts_options(5) document. Some systems (Solaris,
FreeBSD) can have more than one internet address on one physical
interface; with other systems you may have to resort to SLIP or PPP
@@ -236,10 +236,10 @@
Before accepting a client request, the wrappers can use the IDENT
service to find out that the client did not send the request at all.
When the client host provides IDENT service, a negative IDENT lookup
-result (the client matches `UNKNOWN@host') is strong evidence of a host
+result (the client matches `UNKNOWN@host\') is strong evidence of a host
spoofing attack.
.PP
-A positive IDENT lookup result (the client matches `KNOWN@host') is
+A positive IDENT lookup result (the client matches `KNOWN@host\') is
less trustworthy. It is possible for an intruder to spoof both the
client connection and the IDENT lookup, although doing so is much
harder than spoofing just a client connection. It may also be that
diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
--- tcp_wrappers_7.6.orig/hosts_options.5 1994-12-28 17:42:29.000000000 +0100
+++ tcp_wrappers_7.6/hosts_options.5 2004-04-09 16:59:49.000000000 +0200
@@ -124,7 +124,7 @@
value is taken.
.SH MISCELLANEOUS
.IP "banners /some/directory"
-Look for a file in `/some/directory' with the same name as the daemon
+Look for a file in `/some/directory\' with the same name as the daemon
process (for example in.telnetd for the telnet service), and copy its
contents to the client. Newline characters are replaced by
carriage-return newline, and %<letter> sequences are expanded (see
diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
--- tcp_wrappers_7.6.orig/tcpdmatch.8 1996-02-11 17:01:36.000000000 +0100
+++ tcp_wrappers_7.6/tcpdmatch.8 2004-04-09 17:00:49.000000000 +0200
@@ -26,7 +26,7 @@
A daemon process name. Typically, the last component of a daemon
executable pathname.
.IP client
-A host name or network address, or one of the `unknown' or `paranoid'
+A host name or network address, or one of the `unknown\' or `paranoid\'
wildcard patterns.
.sp
When a client host name is specified, \fItcpdmatch\fR gives a
@@ -37,13 +37,13 @@
.PP
Optional information specified with the \fIdaemon@server\fR form:
.IP server
-A host name or network address, or one of the `unknown' or `paranoid'
-wildcard patterns. The default server name is `unknown'.
+A host name or network address, or one of the `unknown\' or `paranoid\'
+wildcard patterns. The default server name is `unknown\'.
.PP
Optional information specified with the \fIuser@client\fR form:
.IP user
A client user identifier. Typically, a login name or a numeric userid.
-The default user name is `unknown'.
+The default user name is `unknown\'.
.SH OPTIONS
.IP -d
Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
@@ -70,7 +70,7 @@
.ti +5
tcpdmatch in.telnetd paranoid
.PP
-On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR
+On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR
may need some help to locate the inetd configuration file.
.SH FILES
.PP
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847
diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200
@@ -89,6 +89,10 @@
bitwise AND of the address and the `mask\'. For example, the net/mask
pattern `131.155.72.0/255.255.254.0\' matches every address in the
range `131.155.72.0\' through `131.155.73.255\'.
+.IP \(bu
+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
+method of matching cannot be used in conjunction with `net/mask\' matching,
+hostname matching beginning with `.\' or IP address matching ending with `.\'.
.SH WILDCARDS
The access control language supports explicit wildcards:
.IP ALL
diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
--- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100
+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200
@@ -289,6 +289,11 @@
{
int n;
+#ifndef DISABLE_WILDCARD_MATCHING
+ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */
+ return (match_pattern_ylo(string,tok));
+ } else
+#endif
if (tok[0] == '.') { /* suffix */
n = strlen(string) - strlen(tok);
return (n > 0 && STR_EQ(tok, string + n));
@@ -329,3 +334,71 @@
}
return ((addr & mask) == net);
}
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+ from Tatu Ylonen's last SSH version under free license by
+ Pekka Savola <pekkas@netcore.fi>.
+
+ Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+ ? and * as wildcards), and zero if it does not match. */
+
+int match_pattern_ylo(const char *s, const char *pattern)
+{
+ while (1)
+ {
+ /* If at end of pattern, accept if also at end of string. */
+ if (!*pattern)
+ return !*s;
+
+ /* Process '*'. */
+ if (*pattern == '*')
+ {
+ /* Skip the asterisk. */
+ pattern++;
+
+ /* If at end of pattern, accept immediately. */
+ if (!*pattern)
+ return 1;
+
+ /* If next character in pattern is known, optimize. */
+ if (*pattern != '?' && *pattern != '*')
+ {
+ /* Look instances of the next character in pattern, and try
+ to match starting from those. */
+ for (; *s; s++)
+ if (*s == *pattern &&
+ match_pattern_ylo(s + 1, pattern + 1))
+ return 1;
+ /* Failed. */
+ return 0;
+ }
+
+ /* Move ahead one character at a time and try to match at each
+ position. */
+ for (; *s; s++)
+ if (match_pattern_ylo(s, pattern))
+ return 1;
+ /* Failed. */
+ return 0;
+ }
+
+ /* There must be at least one more character in the string. If we are
+ at the end, fail. */
+ if (!*s)
+ return 0;
+
+ /* Check if the next character of the string is acceptable. */
+ if (*pattern != '?' && *pattern != *s)
+ return 0;
+
+ /* Move to the next character, both in string and in pattern. */
+ s++;
+ pattern++;
+ }
+ /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
* Mon Feb 5 2001 Preston Brown <pbrown@redhat.com>
- fix gethostbyname to work better with dot "." notation (#16949)
--- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997
+++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001
@@ -52,7 +52,8 @@
char *name;
{
char dot_name[MAXHOSTNAMELEN + 1];
-
+ struct hostent *hp;
+
/*
* Don't append dots to unqualified names. Such names are likely to come
* from local hosts files or from NIS.
@@ -61,8 +62,12 @@
if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
return (gethostbyname(name));
} else {
- sprintf(dot_name, "%s.", name);
- return (gethostbyname(dot_name));
+ sprintf(dot_name, "%s.", name);
+ hp = gethostbyname(dot_name);
+ if (hp)
+ return hp;
+ else
+ return (gethostbyname(name));
}
}
Path: news.porcupine.org!news.porcupine.org!not-for-mail
From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
Newsgroups: comp.mail.sendmail,comp.security.unix
Subject: TCP Wrapper Blacklist Extension
Followup-To: poster
Date: 8 Sep 1997 18:53:13 -0400
Organization: Wietse's hangout while on sabattical in the USA
Lines: 147
Sender: wietse@spike.porcupine.org
Message-ID: <5v1vkp$h4f$1@spike.porcupine.org>
NNTP-Posting-Host: spike.porcupine.org
Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158
The patch below adds a new host pattern to the TCP Wrapper access
control language. Instead of a host name or address pattern, you
can specify an external /file/name with host name or address
patterns. The feature can be used recursively.
The /file/name extension makes it easy to blacklist bad sites, for
example, to block unwanted electronic mail when libwrap is linked
into sendmail. Adding hosts to a simple text file is much easier
than having to edit a more complex hosts.allow/deny file.
I developed this a year or so ago as a substitute for NIS netgroups.
At that time, I did not consider it of sufficient interest for
inclusion in the TCP Wrapper distribution. How times have changed.
The patch is relative to TCP Wrappers version 7.6. The main archive
site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz
Thanks to the Debian LINUX folks for expressing their interest in
this patch.
Wietse
[diff updated by Md]
diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200
@@ -97,6 +97,13 @@
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
+.IP \(bu
Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
method of matching cannot be used in conjunction with `net/mask\' matching,
hostname matching beginning with `.\' or IP address matching ending with `.\'.
diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200
@@ -253,6 +253,26 @@
}
}
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char *path;
+struct hosts_info *host;
+{
+ char tok[BUFSIZ];
+ int match = NO;
+ FILE *fp;
+
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ /* void */ ;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
+ }
+ return (match);
+}
+
/* host_match - match host name and/or address against pattern */
static int host_match(tok, host)
@@ -280,6 +300,8 @@
tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
return (NO);
#endif
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
} else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
char *name = eval_hostname(host);
return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
--- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200
@@ -353,6 +353,8 @@
{
if (pat[0] == '@') {
tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: daemon name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: daemon name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -385,6 +387,8 @@
{
if (pat[0] == '@') { /* @netgroup */
tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: user name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: user name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -430,8 +434,13 @@
static int check_host(pat)
char *pat;
{
+ char buf[BUFSIZ];
char *mask;
int addr_count = 1;
+ FILE *fp;
+ struct tcpd_context saved_context;
+ char *cp;
+ char *wsp = " \t\r\n";
if (pat[0] == '@') { /* @netgroup */
#ifdef NO_NETGRENT
@@ -450,6 +459,21 @@
tcpd_warn("netgroup support disabled");
#endif
#endif
+ } else if (pat[0] == '/') { /* /path/name */
+ if ((fp = fopen(pat, "r")) != 0) {
+ saved_context = tcpd_context;
+ tcpd_context.file = pat;
+ tcpd_context.line = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ tcpd_context.line++;
+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+ check_host(cp);
+ }
+ tcpd_context = saved_context;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", pat);
+ }
} else if (mask = split_at(pat, '/')) { /* network/netmask */
#ifdef INET6
int mask_len;
diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c
--- tcp_wrappers_7.6/hosts_access.c Mon May 20 14:00:56 2002
+++ tcp_wrappers_7.6.new/hosts_access.c Mon May 20 14:25:05 2002
@@ -448,6 +448,15 @@
int len, mask_len, i = 0;
char ch;
+ /*
+ * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
+ * different between KAME and Solaris8. While KAME returns
+ * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here.
+ */
+ if (STRN_EQ(string, "::ffff:", 7)
+ && dot_quad_addr(string + 7) != INADDR_NONE)
+ return (masked_match4(net_tok, mask_tok, string + 7));
+
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_STREAM;
@@ -457,13 +466,6 @@
memcpy(&addr, res->ai_addr, sizeof(addr));
freeaddrinfo(res);
- if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
- if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
- return (NO);
- return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
- }
-
/* match IPv6 address against netnumber/prefixlen */
len = strlen(net_tok);
if (*net_tok != '[' || net_tok[len - 1] != ']')
diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c
--- tcp_wrappers_7.6/socket.c Mon May 20 13:48:35 2002
+++ tcp_wrappers_7.6.new/socket.c Mon May 20 14:22:27 2002
@@ -228,7 +228,7 @@
hints.ai_family = sin->sa_family;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
- if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
freeaddrinfo(res0);
res0 = NULL;
tcpd_warn("host name/name mismatch: "
diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
--- tcp_wrappers_7.6.orig/Makefile 2003-08-21 01:43:39.000000000 +0200
+++ tcp_wrappers_7.6/Makefile 2003-08-21 01:43:35.000000000 +0200
@@ -45,7 +45,7 @@
#
# SysV.4 Solaris 2.x OSF AIX
#REAL_DAEMON_DIR=/usr/sbin
-#
+REAL_DAEMON_DIR=/usr/sbin
# BSD 4.4
#REAL_DAEMON_DIR=/usr/libexec
#
@@ -512,6 +519,7 @@
# (examples: allow, deny, banners, twist and spawn).
#
#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
+STYLE = -DPROCESS_OPTIONS
################################################################
# Optional: Changing the default disposition of logfile records
@@ -535,6 +543,7 @@
# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
+FACILITY= LOG_DAEMON
# The syslog priority at which successful connections are logged.
@@ -631,6 +640,7 @@
# lookups altogether, see the next section.
PARANOID= -DPARANOID
+PARANOID=
########################################
# Optional: turning off hostname lookups
@@ -644,6 +654,7 @@
# mode (see previous section) and comment out the following definition.
HOSTNAME= -DALWAYS_HOSTNAME
+HOSTNAME=
#############################################
# Optional: Turning on host ADDRESS checking
@@ -670,6 +681,7 @@
# Solaris 2.x, and Linux. See your system documentation for details.
#
# KILL_OPT= -DKILL_IP_OPTIONS
+KILL_OPT= -DKILL_IP_OPTIONS
## End configuration options
############################
@@ -677,9 +689,10 @@
# Protection against weird shells or weird make programs.
SHELL = /bin/sh
-.c.o:; $(CC) $(CFLAGS) -c $*.c
+.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
-CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+COPTS = -O2 -g
+CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
@@ -712,10 +725,11 @@
config-check:
@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
- @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
- if cmp cflags /tmp/cflags.$$$$ ; \
- then rm /tmp/cflags.$$$$ ; \
- else mv /tmp/cflags.$$$$ cflags ; \
+ @set +e; echo $(CFLAGS) >cflags.new ; \
+ if cmp cflags cflags.new ; \
+ then rm cflags.new ; \
+ else mv cflags.new cflags ; \
fi >/dev/null 2>/dev/null
+ @if [ ! -d shared ]; then mkdir shared; fi
$(LIB): $(LIB_OBJ)
diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
--- tcp_wrappers_7.6.orig/Makefile 2004-05-02 15:37:59.000000000 +0200
+++ tcp_wrappers_7.6/Makefile 2004-05-02 15:31:09.000000000 +0200
@@ -150,15 +150,15 @@
linux:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
gnu:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all
# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
hpux hpux8 hpux9 hpux10:
@@ -713,7 +713,22 @@
LIB = libwrap.a
-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
+shared/%.o: %.c
+ $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
+
+SOMAJOR = 0
+SOMINOR = 7.6
+
+SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
+SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR)
+SHLIBSO = shared/libwrap.so
+SHLIBFLAGS = -Lshared -lwrap
+
+SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
+SHCFLAGS = -fPIC -shared -D_REENTRANT
+SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
+
+all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
# Invalidate all object files when the compiler options (CFLAGS) have changed.
@@ -731,27 +746,33 @@
$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
-$(RANLIB) $(LIB)
-tcpd: tcpd.o $(LIB)
- $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
+$(SHLIB): $(SHLIB_OBJ)
+ rm -f $(SHLIB)
+ $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
+ ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
+ ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
+
+tcpd: tcpd.o $(SHLIB)
+ $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
miscd: miscd.o $(LIB)
$(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
-safe_finger: safe_finger.o $(LIB)
- $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
+safe_finger: safe_finger.o $(SHLIB)
+ $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
+tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
+ $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
-try-from: try-from.o fakelog.o $(LIB)
- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
+try-from: try-from.o fakelog.o $(SHLIB)
+ $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
-tcpdchk: $(TCPDCHK_OBJ) $(LIB)
- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
+tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
+ $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
shar: $(KIT)
@shar $(KIT)
@@ -767,7 +788,9 @@
clean:
rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
+ libwrap*.so* \
cflags
+ rm -rf shared/
tidy: clean
chmod -R a+r .
@@ -913,5 +936,6 @@
update.o: mystdarg.h
update.o: tcpd.h
vfprintf.o: cflags
+weak_symbols.o: tcpd.h
workarounds.o: cflags
workarounds.o: tcpd.h
diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
--- tcp_wrappers_7.6.orig/tcpd.h 2004-05-02 15:37:59.000000000 +0200
+++ tcp_wrappers_7.6/tcpd.h 2004-05-02 15:37:49.000000000 +0200
@@ -4,6 +4,15 @@
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
+#ifndef _TCPWRAPPERS_TCPD_H
+#define _TCPWRAPPERS_TCPD_H
+
+/* Need definitions of struct sockaddr_in and FILE. */
+#include <netinet/in.h>
+#include <stdio.h>
+
+__BEGIN_DECLS
+
/* Structure to describe one communications endpoint. */
#define STRING_LENGTH 128 /* hosts, users, processes */
@@ -29,10 +38,10 @@
char pid[10]; /* access via eval_pid(request) */
struct host_info client[1]; /* client endpoint info */
struct host_info server[1]; /* server endpoint info */
- void (*sink) (); /* datagram sink function or 0 */
- void (*hostname) (); /* address to printable hostname */
- void (*hostaddr) (); /* address to printable address */
- void (*cleanup) (); /* cleanup function or 0 */
+ void (*sink) (int); /* datagram sink function or 0 */
+ void (*hostname) (struct host_info *); /* address to printable hostname */
+ void (*hostaddr) (struct host_info *); /* address to printable address */
+ void (*cleanup) (struct request_info *); /* cleanup function or 0 */
struct netconfig *config; /* netdir handle */
};
@@ -70,20 +79,27 @@
#define fromhost sock_host /* no TLI support needed */
#endif
-extern int hosts_access(); /* access control */
-extern void shell_cmd(); /* execute shell command */
-extern char *percent_x(); /* do %<char> expansion */
-extern void rfc931(); /* client name from RFC 931 daemon */
-extern void clean_exit(); /* clean up and exit */
-extern void refuse(); /* clean up and exit */
-extern char *xgets(); /* fgets() on steroids */
-extern char *split_at(); /* strchr() and split */
-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
+extern int hosts_access(struct request_info *request); /* access control */
+extern void shell_cmd(char *); /* execute shell command */
+extern char *percent_x(char *, int, char *, struct request_info *);
+ /* do %<char> expansion */
+extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
+ /* client name from RFC 931 daemon */
+extern void clean_exit(struct request_info *); /* clean up and exit */
+extern void refuse(struct request_info *); /* clean up and exit */
+extern char *xgets(char *, int, FILE *); /* fgets() on steroids */
+extern char *split_at(char *, int); /* strchr() and split */
+extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */
/* Global variables. */
+#ifdef HAVE_WEAKSYMS
+extern int allow_severity __attribute__ ((weak)); /* for connection logging */
+extern int deny_severity __attribute__ ((weak)); /* for connection logging */
+#else
extern int allow_severity; /* for connection logging */
extern int deny_severity; /* for connection logging */
+#endif
extern char *hosts_allow_table; /* for verification mode redirection */
extern char *hosts_deny_table; /* for verification mode redirection */
extern int hosts_access_verbose; /* for verbose matching mode */
@@ -98,6 +114,8 @@
#ifdef __STDC__
extern struct request_info *request_init(struct request_info *,...);
extern struct request_info *request_set(struct request_info *,...);
+extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
+ char *client_user);
#else
extern struct request_info *request_init(); /* initialize request */
extern struct request_info *request_set(); /* update request structure */
@@ -121,20 +139,23 @@
* host_info structures serve as caches for the lookup results.
*/
-extern char *eval_user(); /* client user */
-extern char *eval_hostname(); /* printable hostname */
-extern char *eval_hostaddr(); /* printable host address */
-extern char *eval_hostinfo(); /* host name or address */
-extern char *eval_client(); /* whatever is available */