~ubuntu-branches/ubuntu/natty/openbsd-inetd/natty

Viewing changes to debian/patches/libwrap

Committer: Bazaar Package Importer
Author(s): Marco d'Itri
Date: 2008-12-15 02:00:52 UTC
mfrom: (4.1.1 intrepid)
Revision ID: james.westby@ubuntu.com-20081215020052-gwpkva043fq6nb1s

Tags: 0.20080125-2

http://bugs.debian.org/484483

http://bugs.debian.org/507119

* Added dh_md5sums to debian/rules, since apparently people nowadays
  believe again that it is a good idea. (Closes: #484483)
* Fixed the init script to povide "openbsd-inetd" instead of "inetd".
  (Closes: #507119)
* Updated patches misc_portability and setproctitle with some missing
  prototypes.
* Updated patch misc_portability with missing arguments to two syslog(3)
  calls.
* Updated patch libwrap to fix a possibly uninitialized variable.
  The last three fixes are courtesy of Denis Zaitsev.

Show diffs side-by-side

added added

removed removed

debian/patches/libwrap

--- a/inetd.c

+++ b/inetd.c

@@ -175,6 +175,11 @@ size_t strlcpy(char *, const char *, siz

#define CNT_INTVL 60 /* servers in CNT_INTVL sec. */

#define RETRYTIME (60*10) /* retry after bind or server fail */

+#ifdef LIBWRAP

+# include <tcpd.h>

+int lflag = 0;

+#endif

int debug = 0;

int nsock, maxsock;

fd_set *allsockp;

@@ -347,7 +352,7 @@ main(int argc, char *argv[], char *envp[

initsetproctitle(argc, argv, envp);

- while ((ch = getopt(argc, argv, "dER:")) != -1)

+ while ((ch = getopt(argc, argv, "dElR:")) != -1)

switch (ch) {

case 'd':

debug = 1;

@@ -355,6 +360,15 @@ main(int argc, char *argv[], char *envp[

case 'E':

keepenv = 1;

break;

+ case 'l':

+#ifdef LIBWRAP

+ lflag = 1;

+ break;

+#else

+ fprintf(stderr, "%s: libwrap support not enabled",

+ progname);

+ exit(1);

+#endif

case 'R': { /* invocation rate */

char *p;

int val;

@@ -372,7 +386,7 @@ main(int argc, char *argv[], char *envp[

case '?':

default:

fprintf(stderr,

- "usage: %s [-dE] [-R rate] [configuration file]\n",

+ "usage: %s [-dEl] [-R rate] [configuration file]\n",

progname);

exit(1);

}

@@ -1970,6 +1984,47 @@ spawn(struct servtab *sep, int ctrl)

}

sigprocmask(SIG_SETMASK, &emptymask, NULL);

if (pid == 0) {

+#ifdef LIBWRAP

+ if (lflag && !sep->se_wait && sep->se_socktype == SOCK_STREAM) {

+ struct request_info req;

+ char *service;

+ /* do not execute tcpd if it is in the config */

+ if (strcmp(sep->se_server, "/usr/sbin/tcpd") == 0) {

+ char *p, *name;

+ free(sep->se_server);

+ name = sep->se_server = sep->se_argv[0];

+ for (p = name; *p; p++)

+ if (*p == '/')

+ name = p + 1;

+ sep->se_argv[0] = newstr(name);

+ }

+ request_init(&req, RQ_DAEMON, sep->se_argv[0],

+ RQ_FILE, ctrl, NULL);

+ fromhost(&req);

+ if (getnameinfo(&sep->se_ctrladdr,

+ sizeof(sep->se_ctrladdr), NULL, 0, buf,

+ sizeof(buf), 0) != 0) {

+ /* shouldn't happen */

+ snprintf(buf, sizeof buf, "%d",

+ ntohs(sep->se_ctrladdr_in.sin_port));

+ }

+ service = buf;

+ if (!hosts_access(&req)) {

+ syslog(deny_severity, "refused connection"

+ " from %.500s, service %s (%s)",

+ eval_client(&req), service, sep->se_proto);

+ if (sep->se_socktype != SOCK_STREAM)

+ recv(0, buf, sizeof (buf), 0);

+ exit(1);

+ }

+ syslog(allow_severity,

+ "connection from %.500s, service %s (%s)",

+ eval_client(&req), service, sep->se_proto);

+ }

+#endif

if (sep->se_bi)

(*sep->se_bi->bi_fn)(ctrl, sep);

else {

--- a/inetd.8

+++ b/inetd.8

@@ -39,6 +39,7 @@

100

.Nm inetd

101

.Op Fl d

102

.Op Fl E

103

+.Op Fl l

104

.Op Fl R Ar rate

105

.Op Ar configuration file

106

.Sh DESCRIPTION

107

@@ -70,6 +71,13 @@ from laundering the environment. Withou

108

potentially harmful environent variables, including

109

.Pa PATH ,

110

will be removed and not inherited by services.

111

+.It Fl l

112

+Turns on libwrap connection logging and access control.

113

+Internal services cannot be wrapped. When enabled,

114

+.Pa /usr/sbin/tcpd

115

+is silently not executed even if present in

116

+.Pa /etc/inetd.conf

117

+and instead libwrap is called directly by inetd.

118

.It Fl R Ar rate

119

Specify the maximum number of times a service can be invoked

120

in one minute; the default is 256.

121

@@ -353,6 +361,23 @@ is reread.

122

creates a file

123

.Em /var/run/inetd.pid

124

that contains its process identifier.

125

+.Ss libwrap

126

+Support for

127

+.Tn TCP

128

+wrappers is included with

129

+.Nm

130

+to provide built-in tcpd-like access control functionality.

131

+An external tcpd program is not needed.

132

+You do not need to change the

133

+.Pa /etc/inetd.conf

134

+server-program entry to enable this capability.

135

+.Nm

136

+uses

137

+.Pa /etc/hosts.allow

138

+and

139

+.Pa /etc/hosts.deny

140

+for access control facility configurations, as described in

141

+.Xr hosts_access 5 .

142

.Ss IPv6 TCP/UDP behavior

143

If you wish to run a server for IPv4 and IPv6 traffic,

144

you'll need to run two separate processes for the same server program,

Older »