enabled when DEVELOPER=1
[openwrt.git] / openwrt / package / tcp_wrappers / patches / debian-subset.patch
1 --- tcp-wrappers-7.6.orig/hosts_access.c
2 +++ tcp-wrappers-7.6/hosts_access.c
3 @@ -240,6 +240,26 @@
4 }
5 }
6
7 +/* hostfile_match - look up host patterns from file */
8 +
9 +static int hostfile_match(path, host)
10 +char *path;
11 +struct hosts_info *host;
12 +{
13 + char tok[BUFSIZ];
14 + int match = NO;
15 + FILE *fp;
16 +
17 + if ((fp = fopen(path, "r")) != 0) {
18 + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
19 + /* void */ ;
20 + fclose(fp);
21 + } else if (errno != ENOENT) {
22 + tcpd_warn("open %s: %m", path);
23 + }
24 + return (match);
25 +}
26 +
27 /* host_match - match host name and/or address against pattern */
28
29 static int host_match(tok, host)
30 @@ -267,6 +287,8 @@
31 tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
32 return (NO);
33 #endif
34 + } else if (tok[0] == '/') { /* /file hack */
35 + return (hostfile_match(tok, host));
36 } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
37 char *name = eval_hostname(host);
38 return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
39 --- tcp-wrappers-7.6.orig/tcpd.h
40 +++ tcp-wrappers-7.6/tcpd.h
41 @@ -4,6 +4,25 @@
42 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
43 */
44
45 +#ifndef _TCPWRAPPERS_TCPD_H
46 +#define _TCPWRAPPERS_TCPD_H
47 +
48 +/* someone else may have defined this */
49 +#undef __P
50 +
51 +/* use prototypes if we have an ANSI C compiler or are using C++ */
52 +#if defined(__STDC__) || defined(__cplusplus)
53 +#define __P(args) args
54 +#else
55 +#define __P(args) ()
56 +#endif
57 +
58 +/* Need definitions of struct sockaddr_in and FILE. */
59 +#include <netinet/in.h>
60 +#include <stdio.h>
61 +
62 +__BEGIN_DECLS
63 +
64 /* Structure to describe one communications endpoint. */
65
66 #define STRING_LENGTH 128 /* hosts, users, processes */
67 @@ -25,10 +44,10 @@
68 char pid[10]; /* access via eval_pid(request) */
69 struct host_info client[1]; /* client endpoint info */
70 struct host_info server[1]; /* server endpoint info */
71 - void (*sink) (); /* datagram sink function or 0 */
72 - void (*hostname) (); /* address to printable hostname */
73 - void (*hostaddr) (); /* address to printable address */
74 - void (*cleanup) (); /* cleanup function or 0 */
75 + void (*sink) __P((int)); /* datagram sink function or 0 */
76 + void (*hostname) __P((struct host_info *)); /* address to printable hostname */
77 + void (*hostaddr) __P((struct host_info *)); /* address to printable address */
78 + void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
79 struct netconfig *config; /* netdir handle */
80 };
81
82 @@ -61,25 +80,30 @@
83 /* Global functions. */
84
85 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
86 -extern void fromhost(); /* get/validate client host info */
87 +extern void fromhost __P((struct request_info *)); /* get/validate client host info */
88 #else
89 #define fromhost sock_host /* no TLI support needed */
90 #endif
91
92 -extern int hosts_access(); /* access control */
93 -extern void shell_cmd(); /* execute shell command */
94 -extern char *percent_x(); /* do %<char> expansion */
95 -extern void rfc931(); /* client name from RFC 931 daemon */
96 -extern void clean_exit(); /* clean up and exit */
97 -extern void refuse(); /* clean up and exit */
98 -extern char *xgets(); /* fgets() on steroids */
99 -extern char *split_at(); /* strchr() and split */
100 -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
101 +extern void shell_cmd __P((char *)); /* execute shell command */
102 +extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
103 +extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
104 +extern void clean_exit __P((struct request_info *)); /* clean up and exit */
105 +extern void refuse __P((struct request_info *)); /* clean up and exit */
106 +extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */
107 +extern char *split_at __P((char *, int)); /* strchr() and split */
108 +extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
109
110 /* Global variables. */
111
112 +#ifdef HAVE_WEAKSYMS
113 +extern int allow_severity __attribute__ ((weak)); /* for connection logging */
114 +extern int deny_severity __attribute__ ((weak)); /* for connection logging */
115 +#else
116 extern int allow_severity; /* for connection logging */
117 extern int deny_severity; /* for connection logging */
118 +#endif
119 +
120 extern char *hosts_allow_table; /* for verification mode redirection */
121 extern char *hosts_deny_table; /* for verification mode redirection */
122 extern int hosts_access_verbose; /* for verbose matching mode */
123 @@ -92,9 +116,14 @@
124 */
125
126 #ifdef __STDC__
127 +extern int hosts_access(struct request_info *request);
128 +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
129 + char *client_user);
130 extern struct request_info *request_init(struct request_info *,...);
131 extern struct request_info *request_set(struct request_info *,...);
132 #else
133 +extern int hosts_access();
134 +extern int hosts_ctl();
135 extern struct request_info *request_init(); /* initialize request */
136 extern struct request_info *request_set(); /* update request structure */
137 #endif
138 @@ -117,27 +146,31 @@
139 * host_info structures serve as caches for the lookup results.
140 */
141
142 -extern char *eval_user(); /* client user */
143 -extern char *eval_hostname(); /* printable hostname */
144 -extern char *eval_hostaddr(); /* printable host address */
145 -extern char *eval_hostinfo(); /* host name or address */
146 -extern char *eval_client(); /* whatever is available */
147 -extern char *eval_server(); /* whatever is available */
148 +extern char *eval_user __P((struct request_info *)); /* client user */
149 +extern char *eval_hostname __P((struct host_info *)); /* printable hostname */
150 +extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */
151 +extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */
152 +extern char *eval_client __P((struct request_info *)); /* whatever is available */
153 +extern char *eval_server __P((struct request_info *)); /* whatever is available */
154 #define eval_daemon(r) ((r)->daemon) /* daemon process name */
155 #define eval_pid(r) ((r)->pid) /* process id */
156
157 /* Socket-specific methods, including DNS hostname lookups. */
158
159 -extern void sock_host(); /* look up endpoint addresses */
160 -extern void sock_hostname(); /* translate address to hostname */
161 -extern void sock_hostaddr(); /* address to printable address */
162 +/* look up endpoint addresses */
163 +extern void sock_host __P((struct request_info *));
164 +/* translate address to hostname */
165 +extern void sock_hostname __P((struct host_info *));
166 +/* address to printable address */
167 +extern void sock_hostaddr __P((struct host_info *));
168 +
169 #define sock_methods(r) \
170 { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
171
172 /* The System V Transport-Level Interface (TLI) interface. */
173
174 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
175 -extern void tli_host(); /* look up endpoint addresses etc. */
176 +extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */
177 #endif
178
179 /*
180 @@ -178,7 +211,7 @@
181 * behavior.
182 */
183
184 -extern void process_options(); /* execute options */
185 +extern void process_options __P((char *, struct request_info *)); /* execute options */
186 extern int dry_run; /* verification flag */
187
188 /* Bug workarounds. */
189 @@ -217,3 +250,7 @@
190 #define strtok my_strtok
191 extern char *my_strtok();
192 #endif
193 +
194 +__END_DECLS
195 +
196 +#endif /* tcpd.h */
197 --- tcp-wrappers-7.6.orig/Makefile
198 +++ tcp-wrappers-7.6/Makefile
199 @@ -1,5 +1,10 @@
200 +GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
201 +
202 # @(#) Makefile 1.23 97/03/21 19:27:20
203
204 +# unset the HOSTNAME environment variable
205 +HOSTNAME =
206 +
207 what:
208 @echo
209 @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
210 @@ -19,7 +24,7 @@
211 @echo " generic (most bsd-ish systems with sys5 compatibility)"
212 @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
213 @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
214 - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
215 + @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
216 @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
217 @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
218 @echo " uts215 uxp"
219 @@ -43,8 +48,8 @@
220 # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
221 #REAL_DAEMON_DIR=/usr/etc
222 #
223 -# SysV.4 Solaris 2.x OSF AIX
224 -#REAL_DAEMON_DIR=/usr/sbin
225 +# SysV.4 Solaris 2.x OSF AIX Linux
226 +REAL_DAEMON_DIR=/usr/sbin
227 #
228 # BSD 4.4
229 #REAL_DAEMON_DIR=/usr/libexec
230 @@ -141,10 +146,21 @@
231 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
232 EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
233
234 +ifneq ($(GLIBC),0)
235 +MYLIB=-lnsl
236 +endif
237 +
238 linux:
239 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
240 - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
241 - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
242 + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
243 + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
244 + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"
245 +
246 +gnu:
247 + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
248 + LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
249 + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
250 + EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"
251
252 # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
253 hpux hpux8 hpux9 hpux10:
254 @@ -391,7 +407,7 @@
255 # the ones provided with this source distribution. The environ.c module
256 # implements setenv(), getenv(), and putenv().
257
258 -AUX_OBJ= setenv.o
259 +#AUX_OBJ= setenv.o
260 #AUX_OBJ= environ.o
261 #AUX_OBJ= environ.o strcasecmp.o
262
263 @@ -454,7 +470,8 @@
264 # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
265 # around this. The workaround does no harm on other Solaris versions.
266
267 -BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
268 +BUGS =
269 +#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
270 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
271 #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
272
273 @@ -464,7 +481,7 @@
274 # If your system supports NIS or YP-style netgroups, enable the following
275 # macro definition. Netgroups are used only for host access control.
276 #
277 -#NETGROUP= -DNETGROUP
278 +NETGROUP= -DNETGROUP
279
280 ###############################################################
281 # System dependencies: whether or not your system has vsyslog()
282 @@ -491,7 +508,7 @@
283 # Uncomment the next definition to turn on the language extensions
284 # (examples: allow, deny, banners, twist and spawn).
285 #
286 -#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
287 +STYLE = -DPROCESS_OPTIONS # Enable language extensions.
288
289 ################################################################
290 # Optional: Changing the default disposition of logfile records
291 @@ -514,7 +531,7 @@
292 #
293 # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
294
295 -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
296 +FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use
297
298 # The syslog priority at which successful connections are logged.
299
300 @@ -610,7 +627,7 @@
301 # Paranoid mode implies hostname lookup. In order to disable hostname
302 # lookups altogether, see the next section.
303
304 -PARANOID= -DPARANOID
305 +#PARANOID= -DPARANOID
306
307 ########################################
308 # Optional: turning off hostname lookups
309 @@ -623,7 +640,7 @@
310 # In order to perform selective hostname lookups, disable paranoid
311 # mode (see previous section) and comment out the following definition.
312
313 -HOSTNAME= -DALWAYS_HOSTNAME
314 +#HOSTNAME= -DALWAYS_HOSTNAME
315
316 #############################################
317 # Optional: Turning on host ADDRESS checking
318 @@ -649,28 +666,46 @@
319 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
320 # Solaris 2.x, and Linux. See your system documentation for details.
321 #
322 -# KILL_OPT= -DKILL_IP_OPTIONS
323 +KILL_OPT= -DKILL_IP_OPTIONS
324
325 ## End configuration options
326 ############################
327
328 # Protection against weird shells or weird make programs.
329
330 +CC = gcc
331 SHELL = /bin/sh
332 -.c.o:; $(CC) $(CFLAGS) -c $*.c
333 +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
334 +
335 +SOMAJOR = 0
336 +SOMINOR = 7.6
337 +
338 +LIB = libwrap.a
339 +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
340 +SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)
341 +SHLIBSO = shared/libwrap.so
342 +SHLIBFLAGS = -Lshared -lwrap
343
344 -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
345 +shared/%.o: %.c
346 + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
347 +
348 +CFLAGS = -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
349 $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
350 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
351 -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
352 $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
353 $(VSYSLOG) $(HOSTNAME)
354
355 +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
356 +SHCFLAGS = -fPIC -shared -D_REENTRANT
357 +
358 LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
359 hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
360 $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
361 update.o misc.o diag.o percent_m.o myvsyslog.o
362
363 +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
364 +
365 FROM_OBJ= fromhost.o
366
367 KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
368 @@ -684,46 +719,78 @@
369 refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
370 scaffold.h tcpdmatch.8 README.NIS
371
372 -LIB = libwrap.a
373 -
374 -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
375 +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
376
377 # Invalidate all object files when the compiler options (CFLAGS) have changed.
378
379 config-check:
380 @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
381 - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
382 - if cmp cflags /tmp/cflags.$$$$ ; \
383 - then rm /tmp/cflags.$$$$ ; \
384 - else mv /tmp/cflags.$$$$ cflags ; \
385 + @set +e; echo $(CFLAGS) >cflags.new ; \
386 + if cmp cflags cflags.new ; \
387 + then rm cflags.new ; \
388 + else mv cflags.new cflags ; \
389 fi >/dev/null 2>/dev/null
390 + @if [ ! -d shared ]; then mkdir shared; fi
391
392 $(LIB): $(LIB_OBJ)
393 rm -f $(LIB)
394 $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
395 -$(RANLIB) $(LIB)
396
397 -tcpd: tcpd.o $(LIB)
398 - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
399 +$(SHLIB): $(SHLIB_OBJ)
400 + rm -f $(SHLIB)
401 + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
402 + ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)
403 + ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
404 +
405 +tcpd: tcpd.o $(SHLIB)
406 + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
407
408 -miscd: miscd.o $(LIB)
409 - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
410 +miscd: miscd.o $(SHLIB)
411 + $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)
412
413 -safe_finger: safe_finger.o $(LIB)
414 - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
415 +safe_finger: safe_finger.o $(SHLIB)
416 + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
417
418 TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
419
420 -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
421 - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
422 +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
423 + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
424
425 -try-from: try-from.o fakelog.o $(LIB)
426 - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
427 +try-from: try-from.o fakelog.o $(SHLIB)
428 + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
429
430 TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
431
432 -tcpdchk: $(TCPDCHK_OBJ) $(LIB)
433 - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
434 +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
435 + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
436 +
437 +install: install-lib install-bin install-dev
438 +
439 +install-lib:
440 + install -o root -g root -m 0644 $(SHLIB) ${DESTDIR}/lib/
441 + ln -s $(notdir $(SHLIB)) ${DESTDIR}/lib/$(notdir $(SHLIBSOMAJ))
442 +
443 +install-bin:
444 + install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/
445 + install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/
446 + install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/
447 + install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/
448 + install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/
449 + install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/
450 + install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/
451 + install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/
452 + install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/
453 + install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/
454 +
455 +install-dev:
456 + ln -s /lib/$(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))
457 + install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/
458 + install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/
459 + install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/
460 + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3
461 + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3
462 + ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3
463
464 shar: $(KIT)
465 @shar $(KIT)
466 @@ -739,7 +806,8 @@
467
468 clean:
469 rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
470 - cflags
471 + cflags libwrap*.so*
472 + rm -rf shared
473
474 tidy: clean
475 chmod -R a+r .
476 @@ -885,5 +953,6 @@
477 update.o: mystdarg.h
478 update.o: tcpd.h
479 vfprintf.o: cflags
480 +weak_symbols.o: tcpd.h
481 workarounds.o: cflags
482 workarounds.o: tcpd.h
483 --- tcp-wrappers-7.6.orig/hosts_access.5
484 +++ tcp-wrappers-7.6/hosts_access.5
485 @@ -8,9 +8,9 @@
486 impatient reader is encouraged to skip to the EXAMPLES section for a
487 quick introduction.
488 .PP
489 -An extended version of the access control language is described in the
490 -\fIhosts_options\fR(5) document. The extensions are turned on at
491 -program build time by building with -DPROCESS_OPTIONS.
492 +The extended version of the access control language is described in the
493 +\fIhosts_options\fR(5) document. \fBNote that this language supersedes
494 +the meaning of \fIshell_command\fB as documented below.\fR
495 .PP
496 In the following text, \fIdaemon\fR is the the process name of a
497 network daemon process, and \fIclient\fR is the name and/or address of
498 @@ -40,7 +40,7 @@
499 character. This permits you to break up long lines so that they are
500 easier to edit.
501 .IP \(bu
502 -Blank lines or lines that begin with a `#\' character are ignored.
503 +Blank lines or lines that begin with a `#' character are ignored.
504 This permits you to insert comments and whitespace so that the tables
505 are easier to read.
506 .IP \(bu
507 @@ -69,26 +69,33 @@
508 .SH PATTERNS
509 The access control language implements the following patterns:
510 .IP \(bu
511 -A string that begins with a `.\' character. A host name is matched if
512 +A string that begins with a `.' character. A host name is matched if
513 the last components of its name match the specified pattern. For
514 -example, the pattern `.tue.nl\' matches the host name
515 -`wzv.win.tue.nl\'.
516 +example, the pattern `.tue.nl' matches the host name
517 +`wzv.win.tue.nl'.
518 .IP \(bu
519 -A string that ends with a `.\' character. A host address is matched if
520 +A string that ends with a `.' character. A host address is matched if
521 its first numeric fields match the given string. For example, the
522 -pattern `131.155.\' matches the address of (almost) every host on the
523 +pattern `131.155.' matches the address of (almost) every host on the
524 Eind\%hoven University network (131.155.x.x).
525 .IP \(bu
526 -A string that begins with an `@\' character is treated as an NIS
527 +A string that begins with an `@' character is treated as an NIS
528 (formerly YP) netgroup name. A host name is matched if it is a host
529 member of the specified netgroup. Netgroup matches are not supported
530 for daemon process names or for client user names.
531 .IP \(bu
532 -An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
533 -`net/mask\' pair. A host address is matched if `net\' is equal to the
534 -bitwise AND of the address and the `mask\'. For example, the net/mask
535 -pattern `131.155.72.0/255.255.254.0\' matches every address in the
536 -range `131.155.72.0\' through `131.155.73.255\'.
537 +An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
538 +`net/mask' pair. A host address is matched if `net' is equal to the
539 +bitwise AND of the address and the `mask'. For example, the net/mask
540 +pattern `131.155.72.0/255.255.254.0' matches every address in the
541 +range `131.155.72.0' through `131.155.73.255'.
542 +.IP \(bu
543 +A string that begins with a `/' character is treated as a file
544 +name. A host name or address is matched if it matches any host name
545 +or address pattern listed in the named file. The file format is
546 +zero or more lines with zero or more host name or address patterns
547 +separated by whitespace. A file name pattern can be used anywhere
548 +a host name or address pattern can be used.
549 .SH WILDCARDS
550 The access control language supports explicit wildcards:
551 .IP ALL
552 @@ -115,19 +122,19 @@
553 .ne 6
554 .SH OPERATORS
555 .IP EXCEPT
556 -Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
557 +Intended use is of the form: `list_1 EXCEPT list_2'; this construct
558 matches anything that matches \fIlist_1\fR unless it matches
559 \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in
560 client_lists. The EXCEPT operator can be nested: if the control
561 -language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
562 -would parse as `(a EXCEPT (b EXCEPT c))\'.
563 +language would permit the use of parentheses, `a EXCEPT b EXCEPT c'
564 +would parse as `(a EXCEPT (b EXCEPT c))'.
565 .br
566 .ne 6
567 .SH SHELL COMMANDS
568 If the first-matched access control rule contains a shell command, that
569 command is subjected to %<letter> substitutions (see next section).
570 The result is executed by a \fI/bin/sh\fR child process with standard
571 -input, output and error connected to \fI/dev/null\fR. Specify an `&\'
572 +input, output and error connected to \fI/dev/null\fR. Specify an `&'
573 at the end of the command if you do not want to wait until it has
574 completed.
575 .PP
576 @@ -159,7 +166,7 @@
577 .IP %u
578 The client user name (or "unknown").
579 .IP %%
580 -Expands to a single `%\' character.
581 +Expands to a single `%' character.
582 .PP
583 Characters in % expansions that may confuse the shell are replaced by
584 underscores.
585 @@ -243,9 +250,9 @@
586 less trustworthy. It is possible for an intruder to spoof both the
587 client connection and the IDENT lookup, although doing so is much
588 harder than spoofing just a client connection. It may also be that
589 -the client\'s IDENT server is lying.
590 +the client's IDENT server is lying.
591 .PP
592 -Note: IDENT lookups don\'t work with UDP services.
593 +Note: IDENT lookups don't work with UDP services.
594 .SH EXAMPLES
595 The language is flexible enough that different types of access control
596 policy can be expressed with a minimum of fuss. Although the language
597 @@ -285,7 +292,7 @@
598 .br
599 ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
600 .PP
601 -The first rule permits access from hosts in the local domain (no `.\'
602 +The first rule permits access from hosts in the local domain (no `.'
603 in the host name) and from members of the \fIsome_netgroup\fP
604 netgroup. The second rule permits access from all hosts in the
605 \fIfoobar.edu\fP domain (notice the leading dot), with the exception of
606 @@ -322,8 +329,8 @@
607 /etc/hosts.deny:
608 .in +3
609 .nf
610 -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
611 - /usr/ucb/mail -s %d-%h root) &
612 +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
613 + /usr/bin/mail -s %d-%h root) &
614 .fi
615 .PP
616 The safe_finger command comes with the tcpd wrapper and should be
617 @@ -349,7 +356,7 @@
618 capacity of an internal buffer; when an access control rule is not
619 terminated by a newline character; when the result of %<letter>
620 expansion would overflow an internal buffer; when a system call fails
621 -that shouldn\'t. All problems are reported via the syslog daemon.
622 +that shouldn't. All problems are reported via the syslog daemon.
623 .SH FILES
624 .na
625 .nf
626 --- tcp-wrappers-7.6.orig/rfc931.c
627 +++ tcp-wrappers-7.6/rfc931.c
628 @@ -33,7 +33,7 @@
629
630 int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
631
632 -static jmp_buf timebuf;
633 +static sigjmp_buf timebuf;
634
635 /* fsocket - open stdio stream on top of socket */
636
637 @@ -62,7 +62,7 @@
638 static void timeout(sig)
639 int sig;
640 {
641 - longjmp(timebuf, sig);
642 + siglongjmp(timebuf, sig);
643 }
644
645 /* rfc931 - return remote user name, given socket structures */
646 @@ -99,7 +99,7 @@
647 * Set up a timer so we won't get stuck while waiting for the server.
648 */
649
650 - if (setjmp(timebuf) == 0) {
651 + if (sigsetjmp(timebuf,1) == 0) {
652 signal(SIGALRM, timeout);
653 alarm(rfc931_timeout);
654
655 --- tcp-wrappers-7.6.orig/tcpd.8
656 +++ tcp-wrappers-7.6/tcpd.8
657 @@ -94,7 +94,7 @@
658 .PP
659 The example assumes that the network daemons live in /usr/etc. On some
660 systems, network daemons live in /usr/sbin or in /usr/libexec, or have
661 -no `in.\' prefix to their name.
662 +no `in.' prefix to their name.
663 .SH EXAMPLE 2
664 This example applies when \fItcpd\fR expects that the network daemons
665 are left in their original place.
666 @@ -110,26 +110,26 @@
667 becomes:
668 .sp
669 .ti +5
670 -finger stream tcp nowait nobody /some/where/tcpd in.fingerd
671 +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
672 .sp
673 .fi
674 .PP
675 The example assumes that the network daemons live in /usr/etc. On some
676 systems, network daemons live in /usr/sbin or in /usr/libexec, the
677 -daemons have no `in.\' prefix to their name, or there is no userid
678 +daemons have no `in.' prefix to their name, or there is no userid
679 field in the inetd configuration file.
680 .PP
681 Similar changes will be needed for the other services that are to be
682 -covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
683 +covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8)
684 process to make the changes effective. AIX users may also have to
685 -execute the `inetimp\' command.
686 +execute the `inetimp' command.
687 .SH EXAMPLE 3
688 In the case of daemons that do not live in a common directory ("secret"
689 or otherwise), edit the \fIinetd\fR configuration file so that it
690 specifies an absolute path name for the process name field. For example:
691 .nf
692 .sp
693 - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
694 + ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
695 .sp
696 .fi
697 .PP
698 --- tcp-wrappers-7.6.orig/hosts_access.3
699 +++ tcp-wrappers-7.6/hosts_access.3
700 @@ -3,7 +3,7 @@
701 hosts_access, hosts_ctl, request_init, request_set \- access control library
702 .SH SYNOPSIS
703 .nf
704 -#include "tcpd.h"
705 +#include <tcpd.h>
706
707 extern int allow_severity;
708 extern int deny_severity;
709 --- tcp-wrappers-7.6.orig/options.c
710 +++ tcp-wrappers-7.6/options.c
711 @@ -473,6 +473,9 @@
712 #ifdef LOG_CRON
713 "cron", LOG_CRON,
714 #endif
715 +#ifdef LOG_FTP
716 + "ftp", LOG_FTP,
717 +#endif
718 #ifdef LOG_LOCAL0
719 "local0", LOG_LOCAL0,
720 #endif
721 --- tcp-wrappers-7.6.orig/fix_options.c
722 +++ tcp-wrappers-7.6/fix_options.c
723 @@ -35,7 +35,12 @@
724 #ifdef IP_OPTIONS
725 unsigned char optbuf[BUFFER_SIZE / 3], *cp;
726 char lbuf[BUFFER_SIZE], *lp;
727 +#if !defined(__GLIBC__)
728 int optsize = sizeof(optbuf), ipproto;
729 +#else /* __GLIBC__ */
730 + size_t optsize = sizeof(optbuf);
731 + int ipproto;
732 +#endif /* __GLIBC__ */
733 struct protoent *ip;
734 int fd = request->fd;
735 unsigned int opt;
736 --- tcp-wrappers-7.6.orig/workarounds.c
737 +++ tcp-wrappers-7.6/workarounds.c
738 @@ -163,7 +163,11 @@
739 int fix_getpeername(sock, sa, len)
740 int sock;
741 struct sockaddr *sa;
742 +#if !defined(__GLIBC__)
743 int *len;
744 +#else /* __GLIBC__ */
745 +size_t *len;
746 +#endif /* __GLIBC__ */
747 {
748 int ret;
749 struct sockaddr_in *sin = (struct sockaddr_in *) sa;
750 --- tcp-wrappers-7.6.orig/socket.c
751 +++ tcp-wrappers-7.6/socket.c
752 @@ -76,7 +76,11 @@
753 {
754 static struct sockaddr_in client;
755 static struct sockaddr_in server;
756 +#if !defined (__GLIBC__)
757 int len;
758 +#else /* __GLIBC__ */
759 + size_t len;
760 +#endif /* __GLIBC__ */
761 char buf[BUFSIZ];
762 int fd = request->fd;
763
764 @@ -224,7 +228,11 @@
765 {
766 char buf[BUFSIZ];
767 struct sockaddr_in sin;
768 +#if !defined(__GLIBC__)
769 int size = sizeof(sin);
770 +#else /* __GLIBC__ */
771 + size_t size = sizeof(sin);
772 +#endif /* __GLIBC__ */
773
774 /*
775 * Eat up the not-yet received datagram. Some systems insist on a
776 --- tcp-wrappers-7.6.orig/safe_finger.c
777 +++ tcp-wrappers-7.6/safe_finger.c
778 @@ -26,21 +26,24 @@
779 #include <stdio.h>
780 #include <ctype.h>
781 #include <pwd.h>
782 +#include <syslog.h>
783
784 extern void exit();
785
786 /* Local stuff */
787
788 -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
789 +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
790
791 #define TIME_LIMIT 60 /* Do not keep listinging forever */
792 #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
793 #define LINE_LENGTH 128 /* Editors can choke on long lines */
794 #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
795 #define UNPRIV_NAME "nobody" /* Preferred privilege level */
796 -#define UNPRIV_UGID 32767 /* Default uid and gid */
797 +#define UNPRIV_UGID 65534 /* Default uid and gid */
798
799 int finger_pid;
800 +int allow_severity = SEVERITY;
801 +int deny_severity = LOG_WARNING;
802
803 void cleanup(sig)
804 int sig;
805 --- tcp-wrappers-7.6.orig/hosts_options.5
806 +++ tcp-wrappers-7.6/hosts_options.5
807 @@ -58,12 +58,12 @@
808 Execute, in a child process, the specified shell command, after
809 performing the %<letter> expansions described in the hosts_access(5)
810 manual page. The command is executed with stdin, stdout and stderr
811 -connected to the null device, so that it won\'t mess up the
812 +connected to the null device, so that it won't mess up the
813 conversation with the client host. Example:
814 .sp
815 .nf
816 .ti +3
817 -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
818 +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
819 .fi
820 .sp
821 executes, in a background child process, the shell command "safe_finger
822 --- tcp-wrappers-7.6.orig/tcpdchk.c
823 +++ tcp-wrappers-7.6/tcpdchk.c
824 @@ -350,6 +350,8 @@
825 {
826 if (pat[0] == '@') {
827 tcpd_warn("%s: daemon name begins with \"@\"", pat);
828 + } else if (pat[0] == '/') {
829 + tcpd_warn("%s: daemon name begins with \"/\"", pat);
830 } else if (pat[0] == '.') {
831 tcpd_warn("%s: daemon name begins with dot", pat);
832 } else if (pat[strlen(pat) - 1] == '.') {
833 @@ -382,6 +384,8 @@
834 {
835 if (pat[0] == '@') { /* @netgroup */
836 tcpd_warn("%s: user name begins with \"@\"", pat);
837 + } else if (pat[0] == '/') {
838 + tcpd_warn("%s: user name begins with \"/\"", pat);
839 } else if (pat[0] == '.') {
840 tcpd_warn("%s: user name begins with dot", pat);
841 } else if (pat[strlen(pat) - 1] == '.') {
842 @@ -402,8 +406,13 @@
843 static int check_host(pat)
844 char *pat;
845 {
846 + char buf[BUFSIZ];
847 char *mask;
848 int addr_count = 1;
849 + FILE *fp;
850 + struct tcpd_context saved_context;
851 + char *cp;
852 + char *wsp = " \t\r\n";
853
854 if (pat[0] == '@') { /* @netgroup */
855 #ifdef NO_NETGRENT
856 @@ -422,6 +431,21 @@
857 tcpd_warn("netgroup support disabled");
858 #endif
859 #endif
860 + } else if (pat[0] == '/') { /* /path/name */
861 + if ((fp = fopen(pat, "r")) != 0) {
862 + saved_context = tcpd_context;
863 + tcpd_context.file = pat;
864 + tcpd_context.line = 0;
865 + while (fgets(buf, sizeof(buf), fp)) {
866 + tcpd_context.line++;
867 + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
868 + check_host(cp);
869 + }
870 + tcpd_context = saved_context;
871 + fclose(fp);
872 + } else if (errno != ENOENT) {
873 + tcpd_warn("open %s: %m", pat);
874 + }
875 } else if (mask = split_at(pat, '/')) { /* network/netmask */
876 if (dot_quad_addr(pat) == INADDR_NONE
877 || dot_quad_addr(mask) == INADDR_NONE)
878 --- tcp-wrappers-7.6.orig/percent_m.c
879 +++ tcp-wrappers-7.6/percent_m.c
880 @@ -13,7 +13,7 @@
881 #include <string.h>
882
883 extern int errno;
884 -#ifndef SYS_ERRLIST_DEFINED
885 +#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
886 extern char *sys_errlist[];
887 extern int sys_nerr;
888 #endif
889 @@ -29,11 +29,15 @@
890
891 while (*bp = *cp)
892 if (*cp == '%' && cp[1] == 'm') {
893 +#ifdef HAVE_STRERROR
894 + strcpy(bp, strerror(errno));
895 +#else
896 if (errno < sys_nerr && errno > 0) {
897 strcpy(bp, sys_errlist[errno]);
898 } else {
899 sprintf(bp, "Unknown error %d", errno);
900 }
901 +#endif
902 bp += strlen(bp);
903 cp += 2;
904 } else {
905 --- tcp-wrappers-7.6.orig/scaffold.c
906 +++ tcp-wrappers-7.6/scaffold.c
907 @@ -180,10 +180,12 @@
908
909 /* ARGSUSED */
910
911 -void rfc931(request)
912 -struct request_info *request;
913 +void rfc931(rmt_sin, our_sin, dest)
914 +struct sockaddr_in *rmt_sin;
915 +struct sockaddr_in *our_sin;
916 +char *dest;
917 {
918 - strcpy(request->user, unknown);
919 + strcpy(dest, unknown);
920 }
921
922 /* check_path - examine accessibility */
923 --- tcp-wrappers-7.6.orig/weak_symbols.c
924 +++ tcp-wrappers-7.6/weak_symbols.c
925 @@ -0,0 +1,11 @@
926 + /*
927 + * @(#) weak_symbols.h 1.5 99/12/29 23:50
928 + *
929 + * Author: Anthony Towns <ajt@debian.org>
930 + */
931 +
932 +#ifdef HAVE_WEAKSYMS
933 +#include <syslog.h>
934 +int deny_severity = LOG_WARNING;
935 +int allow_severity = SEVERITY;
936 +#endif
This page took 0.095852 seconds and 5 git commands to generate.