forked from brl/citadel
251 lines
10 KiB
Diff
251 lines
10 KiB
Diff
|
Upstream-Status: Backport
|
||
|
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
|
||
|
--- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -3,7 +3,7 @@
|
||
|
hosts_access, hosts_ctl, request_init, request_set \- access control library
|
||
|
.SH SYNOPSIS
|
||
|
.nf
|
||
|
-#include "tcpd.h"
|
||
|
+#include <tcpd.h>
|
||
|
|
||
|
extern int allow_severity;
|
||
|
extern int deny_severity;
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
|
||
|
--- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100
|
||
|
@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam
|
||
|
impatient reader is encouraged to skip to the EXAMPLES section for a
|
||
|
quick introduction.
|
||
|
.PP
|
||
|
-An extended version of the access control language is described in the
|
||
|
-\fIhosts_options\fR(5) document. The extensions are turned on at
|
||
|
-program build time by building with -DPROCESS_OPTIONS.
|
||
|
+The extended version of the access control language is described in the
|
||
|
+\fIhosts_options\fR(5) document. \fBNote that this language supersedes
|
||
|
+the meaning of \fIshell_command\fB as documented below.\fR
|
||
|
.PP
|
||
|
In the following text, \fIdaemon\fR is the the process name of a
|
||
|
network daemon process, and \fIclient\fR is the name and/or address of
|
||
|
@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain
|
||
|
/etc/hosts.deny:
|
||
|
.in +3
|
||
|
.nf
|
||
|
-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
|
||
|
- /usr/ucb/mail -s %d-%h root) &
|
||
|
+in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
|
||
|
+ /usr/bin/mail -s %d-%h root) &
|
||
|
.fi
|
||
|
.PP
|
||
|
The safe_finger command comes with the tcpd wrapper and should be
|
||
|
@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor
|
||
|
.fi
|
||
|
.SH SEE ALSO
|
||
|
.nf
|
||
|
+hosts_options(5) extended syntax.
|
||
|
tcpd(8) tcp/ip daemon wrapper program.
|
||
|
tcpdchk(8), tcpdmatch(8), test programs.
|
||
|
.SH BUGS
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
|
||
|
--- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -2,10 +2,8 @@
|
||
|
.SH NAME
|
||
|
hosts_options \- host access control language extensions
|
||
|
.SH DESCRIPTION
|
||
|
-This document describes optional extensions to the language described
|
||
|
-in the hosts_access(5) document. The extensions are enabled at program
|
||
|
-build time. For example, by editing the Makefile and turning on the
|
||
|
-PROCESS_OPTIONS compile-time option.
|
||
|
+This document describes extensions to the language described
|
||
|
+in the hosts_access(5) document.
|
||
|
.PP
|
||
|
The extensible language uses the following format:
|
||
|
.sp
|
||
|
@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam
|
||
|
Execute, in a child process, the specified shell command, after
|
||
|
performing the %<letter> expansions described in the hosts_access(5)
|
||
|
manual page. The command is executed with stdin, stdout and stderr
|
||
|
-connected to the null device, so that it won\'t mess up the
|
||
|
+connected to the null device, so that it won't mess up the
|
||
|
conversation with the client host. Example:
|
||
|
.sp
|
||
|
.nf
|
||
|
.ti +3
|
||
|
-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
|
||
|
+spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
|
||
|
.fi
|
||
|
.sp
|
||
|
executes, in a background child process, the shell command "safe_finger
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c
|
||
|
--- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -26,13 +26,17 @@ extern void exit();
|
||
|
* guesses. Shorter names follow longer ones.
|
||
|
*/
|
||
|
char *inet_files[] = {
|
||
|
+#if 0
|
||
|
"/private/etc/inetd.conf", /* NEXT */
|
||
|
"/etc/inet/inetd.conf", /* SYSV4 */
|
||
|
"/usr/etc/inetd.conf", /* IRIX?? */
|
||
|
+#endif
|
||
|
"/etc/inetd.conf", /* BSD */
|
||
|
+#if 0
|
||
|
"/etc/net/tlid.conf", /* SYSV4?? */
|
||
|
"/etc/saf/tlid.conf", /* SYSV4?? */
|
||
|
"/etc/tlid.conf", /* SYSV4?? */
|
||
|
+#endif
|
||
|
0,
|
||
|
};
|
||
|
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8
|
||
|
--- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s
|
||
|
TLI. Functionality may be limited when the protocol underneath TLI is
|
||
|
not an internet protocol.
|
||
|
.PP
|
||
|
-Operation is as follows: whenever a request for service arrives, the
|
||
|
+There are two possible modes of operation: execution of \fItcpd\fP
|
||
|
+before a service started by \fIinetd\fP, or linking a daemon with
|
||
|
+the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
|
||
|
+manual page. Operation when started by \fIinetd\fP
|
||
|
+is as follows: whenever a request for service arrives, the
|
||
|
\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
|
||
|
instead of the desired server. \fItcpd\fP logs the request and does
|
||
|
some additional checks. When all is well, \fItcpd\fP runs the
|
||
|
@@ -88,11 +92,11 @@ configuration files.
|
||
|
.sp
|
||
|
.in +5
|
||
|
# mkdir /other/place
|
||
|
-# mv /usr/etc/in.fingerd /other/place
|
||
|
-# cp tcpd /usr/etc/in.fingerd
|
||
|
+# mv /usr/sbin/in.fingerd /other/place
|
||
|
+# cp tcpd /usr/sbin/in.fingerd
|
||
|
.fi
|
||
|
.PP
|
||
|
-The example assumes that the network daemons live in /usr/etc. On some
|
||
|
+The example assumes that the network daemons live in /usr/sbin. On some
|
||
|
systems, network daemons live in /usr/sbin or in /usr/libexec, or have
|
||
|
no `in.\' prefix to their name.
|
||
|
.SH EXAMPLE 2
|
||
|
@@ -101,35 +105,34 @@ are left in their original place.
|
||
|
.PP
|
||
|
In order to monitor access to the \fIfinger\fR service, perform the
|
||
|
following edits on the \fIinetd\fR configuration file (usually
|
||
|
-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
|
||
|
+\fI/etc/inetd.conf\fR):
|
||
|
.nf
|
||
|
.sp
|
||
|
.ti +5
|
||
|
-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
|
||
|
+finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
|
||
|
.sp
|
||
|
becomes:
|
||
|
.sp
|
||
|
.ti +5
|
||
|
-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
|
||
|
+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
|
||
|
.sp
|
||
|
.fi
|
||
|
.PP
|
||
|
-The example assumes that the network daemons live in /usr/etc. On some
|
||
|
+The example assumes that the network daemons live in /usr/sbin. On some
|
||
|
systems, network daemons live in /usr/sbin or in /usr/libexec, the
|
||
|
daemons have no `in.\' prefix to their name, or there is no userid
|
||
|
field in the inetd configuration file.
|
||
|
.PP
|
||
|
Similar changes will be needed for the other services that are to be
|
||
|
covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
|
||
|
-process to make the changes effective. AIX users may also have to
|
||
|
-execute the `inetimp\' command.
|
||
|
+process to make the changes effective.
|
||
|
.SH EXAMPLE 3
|
||
|
In the case of daemons that do not live in a common directory ("secret"
|
||
|
or otherwise), edit the \fIinetd\fR configuration file so that it
|
||
|
specifies an absolute path name for the process name field. For example:
|
||
|
.nf
|
||
|
.sp
|
||
|
- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
|
||
|
+ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd
|
||
|
.sp
|
||
|
.fi
|
||
|
.PP
|
||
|
@@ -164,6 +167,7 @@ The default locations of the host access
|
||
|
.SH SEE ALSO
|
||
|
.na
|
||
|
.nf
|
||
|
+hosts_access(3), functions provided by the libwrap library.
|
||
|
hosts_access(5), format of the tcpd access control tables.
|
||
|
syslog.conf(5), format of the syslogd control file.
|
||
|
inetd.conf(5), format of the inetd control file.
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8
|
||
|
--- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v]
|
||
|
potential and real problems it can find. The program examines the
|
||
|
\fItcpd\fR access control files (by default, these are
|
||
|
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
|
||
|
-entries in these files against entries in the \fIinetd\fR or \fItlid\fR
|
||
|
-network configuration files.
|
||
|
+entries in these files against entries in the \fIinetd\fR
|
||
|
+network configuration file.
|
||
|
.PP
|
||
|
\fItcpdchk\fR reports problems such as non-existent pathnames; services
|
||
|
that appear in \fItcpd\fR access control rules, but are not controlled
|
||
|
@@ -26,14 +26,13 @@ problem.
|
||
|
.SH OPTIONS
|
||
|
.IP -a
|
||
|
Report access control rules that permit access without an explicit
|
||
|
-ALLOW keyword. This applies only when the extended access control
|
||
|
-language is enabled (build with -DPROCESS_OPTIONS).
|
||
|
+ALLOW keyword.
|
||
|
.IP -d
|
||
|
Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
|
||
|
directory instead of the default ones.
|
||
|
.IP "-i inet_conf"
|
||
|
Specify this option when \fItcpdchk\fR is unable to find your
|
||
|
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
|
||
|
+\fIinetd.conf\fR network configuration file, or when
|
||
|
you suspect that the program uses the wrong one.
|
||
|
.IP -v
|
||
|
Display the contents of each access control rule. Daemon lists, client
|
||
|
@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do
|
||
|
hosts_access(5), format of the tcpd access control tables.
|
||
|
hosts_options(5), format of the language extensions.
|
||
|
inetd.conf(5), format of the inetd control file.
|
||
|
-tlid.conf(5), format of the tlid control file.
|
||
|
.SH AUTHORS
|
||
|
.na
|
||
|
.nf
|
||
|
diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
|
||
|
--- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100
|
||
|
+++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100
|
||
|
@@ -13,7 +13,7 @@ request for service. Examples are given
|
||
|
The program examines the \fItcpd\fR access control tables (default
|
||
|
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its
|
||
|
conclusion. For maximal accuracy, it extracts additional information
|
||
|
-from your \fIinetd\fR or \fItlid\fR network configuration file.
|
||
|
+from your \fIinetd\fR network configuration file.
|
||
|
.PP
|
||
|
When \fItcpdmatch\fR finds a match in the access control tables, it
|
||
|
identifies the matched rule. In addition, it displays the optional
|
||
|
@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d
|
||
|
directory instead of the default ones.
|
||
|
.IP "-i inet_conf"
|
||
|
Specify this option when \fItcpdmatch\fR is unable to find your
|
||
|
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
|
||
|
+\fIinetd.conf\fR network configuration file, or when
|
||
|
you suspect that the program uses the wrong one.
|
||
|
.SH EXAMPLES
|
||
|
To predict how \fItcpd\fR would handle a telnet request from the local
|
||
|
@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker
|
||
|
hosts_access(5), format of the tcpd access control tables.
|
||
|
hosts_options(5), format of the language extensions.
|
||
|
inetd.conf(5), format of the inetd control file.
|
||
|
-tlid.conf(5), format of the tlid control file.
|
||
|
.SH AUTHORS
|
||
|
.na
|
||
|
.nf
|