changed debian/source/format to native

This commit is contained in:
openKylinBot 2022-05-14 02:57:49 +08:00
parent 91e3568252
commit 57e2f1edd5
35 changed files with 1 additions and 4026 deletions


@ -1,88 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:48 +0800
Subject: _man_quoting
---
hosts_access.5 | 6 +++---
hosts_options.5 | 2 +-
tcpdmatch.8 | 10 +++++-----
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/hosts_access.5 b/hosts_access.5
index 5fe1f29..6b8d5dd 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -173,7 +173,7 @@ process_name@host_pattern : client_list ...
Patterns like these can be used when the machine has different internet
addresses with different internet hostnames. Service providers can use
this facility to offer FTP, GOPHER or WWW archives with internet names
-that may even belong to different organizations. See also the `twist'
+that may even belong to different organizations. See also the `twist\'
option in the hosts_options(5) document. Some systems (Solaris,
FreeBSD) can have more than one internet address on one physical
interface; with other systems you may have to resort to SLIP or PPP
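Review bot: The closing quotes in this file are rewritten to `\'`, which roff defines as the acute-accent escape rather than an apostrophe, so in UTF-8 output `twist\'` can render with an accent mark instead of a quote. If the goal is a plain ASCII quote that survives copy and paste, use groff's `\(aq`; otherwise pair `\(oq` with `\(cq` so the opening and closing marks match.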
@@ -236,10 +236,10 @@ attacks.
Before accepting a client request, the wrappers can use the IDENT
service to find out that the client did not send the request at all.
When the client host provides IDENT service, a negative IDENT lookup
-result (the client matches `UNKNOWN@host') is strong evidence of a host
+result (the client matches `UNKNOWN@host\') is strong evidence of a host
spoofing attack.
.PP
-A positive IDENT lookup result (the client matches `KNOWN@host') is
+A positive IDENT lookup result (the client matches `KNOWN@host\') is
less trustworthy. It is possible for an intruder to spoof both the
client connection and the IDENT lookup, although doing so is much
harder than spoofing just a client connection. It may also be that
diff --git a/hosts_options.5 b/hosts_options.5
index 3bd189e..ba9b08b 100644
--- a/hosts_options.5
+++ b/hosts_options.5
@@ -124,7 +124,7 @@ optional. If no timeout is specified a compile-time defined default
value is taken.
.SH MISCELLANEOUS
.IP "banners /some/directory"
-Look for a file in `/some/directory' with the same name as the daemon
+Look for a file in `/some/directory\' with the same name as the daemon
process (for example in.telnetd for the telnet service), and copy its
contents to the client. Newline characters are replaced by
carriage-return newline, and %<letter> sequences are expanded (see
diff --git a/tcpdmatch.8 b/tcpdmatch.8
index ebd8c78..2fa5121 100644
--- a/tcpdmatch.8
+++ b/tcpdmatch.8
@@ -26,7 +26,7 @@ The following two arguments are always required:
A daemon process name. Typically, the last component of a daemon
executable pathname.
.IP client
-A host name or network address, or one of the `unknown' or `paranoid'
+A host name or network address, or one of the `unknown\' or `paranoid\'
wildcard patterns.
.sp
When a client host name is specified, \fItcpdmatch\fR gives a
@@ -37,13 +37,13 @@ When a client address is specified, \fItcpdmatch\fR predicts what
.PP
Optional information specified with the \fIdaemon@server\fR form:
.IP server
-A host name or network address, or one of the `unknown' or `paranoid'
-wildcard patterns. The default server name is `unknown'.
+A host name or network address, or one of the `unknown\' or `paranoid\'
+wildcard patterns. The default server name is `unknown\'.
.PP
Optional information specified with the \fIuser@client\fR form:
.IP user
A client user identifier. Typically, a login name or a numeric userid.
-The default user name is `unknown'.
+The default user name is `unknown\'.
.SH OPTIONS
.IP -d
Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
@@ -70,7 +70,7 @@ client address:
.ti +5
tcpdmatch in.telnetd paranoid
.PP
-On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR
+On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR
may need some help to locate the inetd configuration file.
.SH FILES
.PP


@ -1,49 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:48 +0800
Subject: _man_typos
---
hosts_access.5 | 2 +-
tcpdchk.8 | 2 +-
tcpdmatch.8 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts_access.5 b/hosts_access.5
index 6b8d5dd..3629ecd 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -12,7 +12,7 @@ An extended version of the access control language is described in the
\fIhosts_options\fR(5) document. The extensions are turned on at
program build time by building with -DPROCESS_OPTIONS.
.PP
-In the following text, \fIdaemon\fR is the the process name of a
+In the following text, \fIdaemon\fR is the process name of a
network daemon process, and \fIclient\fR is the name and/or address of
a host requesting service. Network daemon process names are specified
in the inetd configuration file.
diff --git a/tcpdchk.8 b/tcpdchk.8
index acc65e6..e06203c 100644
--- a/tcpdchk.8
+++ b/tcpdchk.8
@@ -1,7 +1,7 @@
.TH TCPDCHK 8
.SH NAME
tcpdchk \- tcp wrapper configuration checker
-.SH SYNOPSYS
+.SH SYNOPSIS
tcpdchk [-a] [-d] [-i inet_conf] [-v]
.SH DESCRIPTION
.PP
diff --git a/tcpdmatch.8 b/tcpdmatch.8
index 2fa5121..2d15ad1 100644
--- a/tcpdmatch.8
+++ b/tcpdmatch.8
@@ -1,7 +1,7 @@
.TH TCPDMATCH 8
.SH NAME
tcpdmatch \- tcp wrapper oracle
-.SH SYNOPSYS
+.SH SYNOPSIS
tcpdmatch [-d] [-i inet_conf] daemon client
.sp
tcpdmatch [-d] [-i inet_conf] daemon[@server] [user@]client


@ -1,269 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:48 +0800
Subject: _man_portability
---
hosts_access.3 | 2 +-
hosts_access.5 | 11 ++++++-----
hosts_options.5 | 10 ++++------
inetcf.c | 4 ++++
tcpd.8 | 26 +++++++++++++++-----------
tcpdchk.8 | 10 ++++------
tcpdmatch.8 | 5 ++---
7 files changed, 36 insertions(+), 32 deletions(-)
diff --git a/hosts_access.3 b/hosts_access.3
index 1485337..b240d7e 100644
--- a/hosts_access.3
+++ b/hosts_access.3
@@ -3,7 +3,7 @@
hosts_access, hosts_ctl, request_init, request_set \- access control library
.SH SYNOPSIS
.nf
-#include "tcpd.h"
+#include <tcpd.h>
extern int allow_severity;
extern int deny_severity;
diff --git a/hosts_access.5 b/hosts_access.5
index 3629ecd..beaae90 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -8,9 +8,9 @@ name, host name/address) patterns. Examples are given at the end. The
impatient reader is encouraged to skip to the EXAMPLES section for a
quick introduction.
.PP
-An extended version of the access control language is described in the
-\fIhosts_options\fR(5) document. The extensions are turned on at
-program build time by building with -DPROCESS_OPTIONS.
+The extended version of the access control language is described in the
+\fIhosts_options\fR(5) document. \fBNote that this language supersedes
+the meaning of \fIshell_command\fB as documented below.\fR
.PP
In the following text, \fIdaemon\fR is the process name of a
network daemon process, and \fIclient\fR is the name and/or address of
@@ -322,8 +322,8 @@ in.tftpd: LOCAL, .my.domain
/etc/hosts.deny:
.in +3
.nf
-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
- /usr/ucb/mail -s %d-%h root) &
+in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
+ /usr/bin/mail -s %d-%h root) &
.fi
.PP
The safe_finger command comes with the tcpd wrapper and should be
@@ -359,6 +359,7 @@ that shouldn\'t. All problems are reported via the syslog daemon.
.fi
.SH SEE ALSO
.nf
+hosts_options(5) extended syntax.
tcpd(8) tcp/ip daemon wrapper program.
tcpdchk(8), tcpdmatch(8), test programs.
.SH BUGS
diff --git a/hosts_options.5 b/hosts_options.5
index ba9b08b..4ed0479 100644
--- a/hosts_options.5
+++ b/hosts_options.5
@@ -2,10 +2,8 @@
.SH NAME
hosts_options \- host access control language extensions
.SH DESCRIPTION
-This document describes optional extensions to the language described
-in the hosts_access(5) document. The extensions are enabled at program
-build time. For example, by editing the Makefile and turning on the
-PROCESS_OPTIONS compile-time option.
+This document describes extensions to the language described
+in the hosts_access(5) document.
.PP
The extensible language uses the following format:
.sp
@@ -58,12 +56,12 @@ Notice the leading dot on the domain name patterns.
Execute, in a child process, the specified shell command, after
performing the %<letter> expansions described in the hosts_access(5)
manual page. The command is executed with stdin, stdout and stderr
-connected to the null device, so that it won\'t mess up the
+connected to the null device, so that it won't mess up the
conversation with the client host. Example:
.sp
.nf
.ti +3
-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
+spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
.fi
.sp
executes, in a background child process, the shell command "safe_finger
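Review bot: `won\'t` becomes `won't` in this hunk, while the _man_quoting patch in the same series converts quotes in the opposite direction (`'` to `\'`) and context lines such as `shouldn\'t` in hosts_access.5 keep the escaped form. Pick one apostrophe convention for the man pages and apply it in a single patch so the quoting changes do not undo each other.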
diff --git a/inetcf.c b/inetcf.c
index 13838db..75017f2 100644
--- a/inetcf.c
+++ b/inetcf.c
@@ -26,13 +26,17 @@ extern void exit();
* guesses. Shorter names follow longer ones.
*/
char *inet_files[] = {
+#if 0
"/private/etc/inetd.conf", /* NEXT */
"/etc/inet/inetd.conf", /* SYSV4 */
"/usr/etc/inetd.conf", /* IRIX?? */
+#endif
"/etc/inetd.conf", /* BSD */
+#if 0
"/etc/net/tlid.conf", /* SYSV4?? */
"/etc/saf/tlid.conf", /* SYSV4?? */
"/etc/tlid.conf", /* SYSV4?? */
+#endif
0,
};
diff --git a/tcpd.8 b/tcpd.8
index 3513907..4ff221f 100644
--- a/tcpd.8
+++ b/tcpd.8
@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style sockets and System V.4-style
TLI. Functionality may be limited when the protocol underneath TLI is
not an internet protocol.
.PP
-Operation is as follows: whenever a request for service arrives, the
+There are two possible modes of operation: execution of \fItcpd\fP
+before a service started by \fIinetd\fP, or linking a daemon with
+the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
+manual page. Operation when started by \fIinetd\fP
+is as follows: whenever a request for service arrives, the
\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
instead of the desired server. \fItcpd\fP logs the request and does
some additional checks. When all is well, \fItcpd\fP runs the
@@ -88,11 +92,11 @@ configuration files.
.sp
.in +5
# mkdir /other/place
-# mv /usr/etc/in.fingerd /other/place
-# cp tcpd /usr/etc/in.fingerd
+# mv /usr/sbin/in.fingerd /other/place
+# cp tcpd /usr/sbin/in.fingerd
.fi
.PP
-The example assumes that the network daemons live in /usr/etc. On some
+The example assumes that the network daemons live in /usr/sbin. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, or have
no `in.\' prefix to their name.
.SH EXAMPLE 2
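Review bot: After the path substitution the paragraph reads "The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec", which lists /usr/sbin as both the assumption and the exception. Drop /usr/sbin from the second sentence here and in the identical paragraph under EXAMPLE 2 in the next hunk.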
@@ -101,35 +105,34 @@ are left in their original place.
.PP
In order to monitor access to the \fIfinger\fR service, perform the
following edits on the \fIinetd\fR configuration file (usually
-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
+\fI/etc/inetd.conf\fR):
.nf
.sp
.ti +5
-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
+finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
.sp
becomes:
.sp
.ti +5
-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
.sp
.fi
.PP
-The example assumes that the network daemons live in /usr/etc. On some
+The example assumes that the network daemons live in /usr/sbin. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, the
daemons have no `in.\' prefix to their name, or there is no userid
field in the inetd configuration file.
.PP
Similar changes will be needed for the other services that are to be
covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
-process to make the changes effective. AIX users may also have to
-execute the `inetimp\' command.
+process to make the changes effective.
.SH EXAMPLE 3
In the case of daemons that do not live in a common directory ("secret"
or otherwise), edit the \fIinetd\fR configuration file so that it
specifies an absolute path name for the process name field. For example:
.nf
.sp
- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
+ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd
.sp
.fi
.PP
@@ -164,6 +167,7 @@ The default locations of the host access control tables are:
.SH SEE ALSO
.na
.nf
+hosts_access(3), functions provided by the libwrap library.
hosts_access(5), format of the tcpd access control tables.
syslog.conf(5), format of the syslogd control file.
inetd.conf(5), format of the inetd control file.
diff --git a/tcpdchk.8 b/tcpdchk.8
index e06203c..fd48955 100644
--- a/tcpdchk.8
+++ b/tcpdchk.8
@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v]
potential and real problems it can find. The program examines the
\fItcpd\fR access control files (by default, these are
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
-entries in these files against entries in the \fIinetd\fR or \fItlid\fR
-network configuration files.
+entries in these files against entries in the \fIinetd\fR
+network configuration file.
.PP
\fItcpdchk\fR reports problems such as non-existent pathnames; services
that appear in \fItcpd\fR access control rules, but are not controlled
@@ -26,14 +26,13 @@ problem.
.SH OPTIONS
.IP -a
Report access control rules that permit access without an explicit
-ALLOW keyword. This applies only when the extended access control
-language is enabled (build with -DPROCESS_OPTIONS).
+ALLOW keyword.
.IP -d
Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
directory instead of the default ones.
.IP "-i inet_conf"
Specify this option when \fItcpdchk\fR is unable to find your
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
+\fIinetd.conf\fR network configuration file, or when
you suspect that the program uses the wrong one.
.IP -v
Display the contents of each access control rule. Daemon lists, client
@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do in specific cases.
hosts_access(5), format of the tcpd access control tables.
hosts_options(5), format of the language extensions.
inetd.conf(5), format of the inetd control file.
-tlid.conf(5), format of the tlid control file.
.SH AUTHORS
.na
.nf
diff --git a/tcpdmatch.8 b/tcpdmatch.8
index 2d15ad1..0ae304c 100644
--- a/tcpdmatch.8
+++ b/tcpdmatch.8
@@ -13,7 +13,7 @@ request for service. Examples are given below.
The program examines the \fItcpd\fR access control tables (default
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its
conclusion. For maximal accuracy, it extracts additional information
-from your \fIinetd\fR or \fItlid\fR network configuration file.
+from your \fIinetd\fR network configuration file.
.PP
When \fItcpdmatch\fR finds a match in the access control tables, it
identifies the matched rule. In addition, it displays the optional
@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
directory instead of the default ones.
.IP "-i inet_conf"
Specify this option when \fItcpdmatch\fR is unable to find your
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
+\fIinetd.conf\fR network configuration file, or when
you suspect that the program uses the wrong one.
.SH EXAMPLES
To predict how \fItcpd\fR would handle a telnet request from the local
@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker
hosts_access(5), format of the tcpd access control tables.
hosts_options(5), format of the language extensions.
inetd.conf(5), format of the inetd control file.
-tlid.conf(5), format of the tlid control file.
.SH AUTHORS
.na
.nf


@ -1,130 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:48 +0800
Subject: _wildcard_matching
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847
(Though the original code needs to be patched to be case-insensitive.)
---
hosts_access.5 | 4 +++
hosts_access.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+)
diff --git a/hosts_access.5 b/hosts_access.5
index beaae90..7388ee4 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -89,6 +89,10 @@ An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
bitwise AND of the address and the `mask\'. For example, the net/mask
pattern `131.155.72.0/255.255.254.0\' matches every address in the
range `131.155.72.0\' through `131.155.73.255\'.
+.IP \(bu
+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
+method of matching cannot be used in conjunction with `net/mask\' matching,
+hostname matching beginning with `.\' or IP address matching ending with `.\'.
.SH WILDCARDS
The access control language supports explicit wildcards:
.IP ALL
diff --git a/hosts_access.c b/hosts_access.c
index 9bdc7bc..9a7c688 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -82,6 +82,7 @@ static int client_match();
static int host_match();
static int string_match();
static int masked_match();
+static int match_pattern_ylo();
/* Size of logical line buffer. */
@@ -289,6 +290,11 @@ char *string;
{
int n;
+#ifndef DISABLE_WILDCARD_MATCHING
+ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */
+ return (match_pattern_ylo(string,tok));
+ } else
+#endif
if (tok[0] == '.') { /* suffix */
n = strlen(string) - strlen(tok);
return (n > 0 && STR_EQ(tok, string + n));
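Review bot: The `strchr(tok, '*') || strchr(tok,'?')` test runs before the leading-dot branch and the checks that follow it, so a token such as `.exam*ple.com` is silently handled as a wildcard pattern and the suffix semantics the administrator may have intended never apply. hosts_access.5 says these forms cannot be combined, but nothing enforces or reports it; consider a tcpd_warn here, and a matching check in tcpdchk, when a wildcard token also begins with `.`, ends with `.` or has net/mask form.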
@@ -329,3 +335,78 @@ char *string;
}
return ((addr & mask) == net);
}
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+ from Tatu Ylonen's last SSH version under free license by
+ Pekka Savola <pekkas@netcore.fi>.
+
+ Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+ ? and * as wildcards), and zero if it does not match. */
+
+static int match_pattern_ylo(const char *s, const char *pattern)
+{
+ char src;
+ char pat;
+ while (1)
+ {
+ /* If at end of pattern, accept if also at end of string. */
+ if (!*pattern)
+ return !*s;
+
+ /* Process '*'. */
+ if (*pattern == '*')
+ {
+ /* Skip the asterisk. */
+ pattern++;
+
+ /* If at end of pattern, accept immediately. */
+ if (!*pattern)
+ return 1;
+
+ /* If next character in pattern is known, optimize. */
+ if (*pattern != '?' && *pattern != '*')
+ {
+ /* Look instances of the next character in pattern, and try
+ to match starting from those. */
+ pat = *pattern;
+ for (; *s; s++) {
+ src = *s;
+ if (toupper(src) == toupper(pat) &&
+ match_pattern_ylo(s + 1, pattern + 1))
+ return 1;
+ }
+ /* Failed. */
+ return 0;
+ }
+
+ /* Move ahead one character at a time and try to match at each
+ position. */
+ for (; *s; s++)
+ if (match_pattern_ylo(s, pattern))
+ return 1;
+ /* Failed. */
+ return 0;
+ }
+
+ /* There must be at least one more character in the string. If we are
+ at the end, fail. */
+ if (!*s)
+ return 0;
+
+ /* Check if the next character of the string is acceptable. */
+ pat = *pattern;
+ src = *s;
+ if (*pattern != '?' && toupper(pat) != toupper(src))
+ return 0;
+
+ /* Move to the next character, both in string and in pattern. */
+ s++;
+ pattern++;
+ }
+ /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
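Review bot: `toupper(src)` and `toupper(pat)` are called on plain `char` values, which is undefined for negative values where `char` is signed; `s` is the client host name or address being matched, so cast through `unsigned char` or declare `src` and `pat` as `unsigned char`. Separately, each `*` recurses over every remaining position of `s`, so a pattern with several `*` can backtrack heavily on a long non-matching name; a comment stating the expected bound on pattern and name length, or an iterative matcher, would address that.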


@ -1,39 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:48 +0800
Subject: _fix_gethostbyname
* Mon Feb 5 2001 Preston Brown <pbrown@redhat.com>
- fix gethostbyname to work better with dot "." notation (#16949)
---
socket.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/socket.c b/socket.c
index c659b16..a219882 100644
--- a/socket.c
+++ b/socket.c
@@ -52,7 +52,8 @@ static struct hostent *gethostbyname_dot(name)
char *name;
{
char dot_name[MAXHOSTNAMELEN + 1];
-
+ struct hostent *hp;
+
/*
* Don't append dots to unqualified names. Such names are likely to come
* from local hosts files or from NIS.
@@ -61,8 +62,12 @@ char *name;
if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
return (gethostbyname(name));
} else {
- sprintf(dot_name, "%s.", name);
- return (gethostbyname(dot_name));
+ sprintf(dot_name, "%s.", name);
+ hp = gethostbyname(dot_name);
+ if (hp)
+ return hp;
+ else
+ return (gethostbyname(name));
}
}
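Review bot: The new fallback `return (gethostbyname(name));` in the else branch repeats the lookup without the trailing dot, so a name that contains a dot and failed as an absolute name is retried through the resolver's search list. Add a comment saying which case from #16949 needs the relative retry, and confirm that callers comparing name and address are fine with a result obtained that way. The unchanged `sprintf(dot_name, "%s.", name)` is bounded by the `strlen(name) >= MAXHOSTNAMELEN - 1` test above it, but `snprintf` with `sizeof(dot_name)` would make that explicit.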

File diff suppressed because it is too large


@ -1,150 +0,0 @@
From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
Date: Mon, 8 Sep 1997 18:53:13 -0400
Subject: TCP Wrapper Blacklist Extension
The patch below adds a new host pattern to the TCP Wrapper access
control language. Instead of a host name or address pattern, you
can specify an external /file/name with host name or address
patterns. The feature can be used recursively.
The /file/name extension makes it easy to blacklist bad sites, for
example, to block unwanted electronic mail when libwrap is linked
into sendmail. Adding hosts to a simple text file is much easier
than having to edit a more complex hosts.allow/deny file.
I developed this a year or so ago as a substitute for NIS netgroups.
At that time, I did not consider it of sufficient interest for
inclusion in the TCP Wrapper distribution. How times have changed.
The patch is relative to TCP Wrappers version 7.6. The main archive
site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz
Thanks to the Debian LINUX folks for expressing their interest in
this patch.
Wietse
[diff updated by Md]
---
hosts_access.5 | 7 +++++++
hosts_access.c | 22 ++++++++++++++++++++++
tcpdchk.c | 24 ++++++++++++++++++++++++
3 files changed, 53 insertions(+)
diff --git a/hosts_access.5 b/hosts_access.5
index 64164b8..2f51d9b 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -97,6 +97,13 @@ address. For example, the [net]/prefixlen pattern
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
+.IP \(bu
Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
method of matching cannot be used in conjunction with `net/mask\' matching,
hostname matching beginning with `.\' or IP address matching ending with `.\'.
diff --git a/hosts_access.c b/hosts_access.c
index 21a7e43..8d6dcee 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -254,6 +254,26 @@ struct request_info *request;
}
}
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char *path;
+struct hosts_info *host;
+{
+ char tok[BUFSIZ];
+ int match = NO;
+ FILE *fp;
+
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ /* void */ ;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
+ }
+ return (match);
+}
+
/* host_match - match host name and/or address against pattern */
static int host_match(tok, host)
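Review bot: `fscanf(fp, "%s", tok)` in hostfile_match reads into `char tok[BUFSIZ]` with no field width, so a single token longer than BUFSIZ - 1 bytes in the pattern file overflows the stack buffer; bound the conversion to the buffer size, or read with fgets and tokenize as the tcpdchk.c part of this patch does. In the same function the parameter is declared `struct hosts_info *host` while host_match takes `struct host_info *host`. Because a listed token may itself be a /file/name and there is no depth limit, a file that names itself recurses until the stack or the descriptor table runs out. A missing file also returns NO with no warning (`errno != ENOENT`), which for a deny list means the rule silently stops matching.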
@@ -281,6 +301,8 @@ struct host_info *host;
tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
return (NO);
#endif
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
} else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
char *name = eval_hostname(host);
return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
diff --git a/tcpdchk.c b/tcpdchk.c
index 163e6bf..19bd7d2 100644
--- a/tcpdchk.c
+++ b/tcpdchk.c
@@ -353,6 +353,8 @@ char *pat;
{
if (pat[0] == '@') {
tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: daemon name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: daemon name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -385,6 +387,8 @@ char *pat;
{
if (pat[0] == '@') { /* @netgroup */
tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: user name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: user name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -430,8 +434,13 @@ static int is_inet6_addr(pat)
static int check_host(pat)
char *pat;
{
+ char buf[BUFSIZ];
char *mask;
int addr_count = 1;
+ FILE *fp;
+ struct tcpd_context saved_context;
+ char *cp;
+ char *wsp = " \t\r\n";
if (pat[0] == '@') { /* @netgroup */
#ifdef NO_NETGRENT
@@ -450,6 +459,21 @@ char *pat;
tcpd_warn("netgroup support disabled");
#endif
#endif
+ } else if (pat[0] == '/') { /* /path/name */
+ if ((fp = fopen(pat, "r")) != 0) {
+ saved_context = tcpd_context;
+ tcpd_context.file = pat;
+ tcpd_context.line = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ tcpd_context.line++;
+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+ check_host(cp);
+ }
+ tcpd_context = saved_context;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", pat);
+ }
} else if (mask = split_at(pat, '/')) { /* network/netmask */
#ifdef INET6
int mask_len;
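Review bot: The loop `for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) check_host(cp);` calls check_host recursively while strtok keeps a single hidden cursor. When a token is itself a /path/name, the nested call restarts strtok on its own `buf`, and on return the outer `strtok((char *) 0, wsp)` continues from the nested, already exhausted buffer, so the remaining patterns on the outer line are never checked. Use strtok_r, or strspn/strcspn with a local pointer. As in hosts_access.c, there is also no guard against a file that includes itself.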


@ -1,56 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: _usagi_fix
---
hosts_access.c | 16 +++++++++-------
socket.c | 2 +-
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/hosts_access.c b/hosts_access.c
index 8d6dcee..1c783b9 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -444,6 +444,15 @@ char *string;
int len, mask_len, i = 0;
char ch;
+ /*
+ * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
+ * different between KAME and Solaris8. While KAME returns
+ * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here.
+ */
+ if (STRN_EQ(string, "::ffff:", 7)
+ && dot_quad_addr(string + 7) != INADDR_NONE)
+ return (masked_match4(net_tok, mask_tok, string + 7));
+
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_STREAM;
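Review bot: The new test `STRN_EQ(string, "::ffff:", 7) && dot_quad_addr(string + 7) != INADDR_NONE` recognizes an IPv4-mapped client by one textual spelling only, and the next hunk removes the `IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)` check that worked on the parsed address. If `string` can ever arrive in another form, the address falls through to the IPv6 net/prefixlen comparison and an IPv4 net/mask rule will not match it. Either document that `string` is always produced in the dotted-quad mapped form, or keep the parsed-address check as a fallback after getaddrinfo().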
@@ -453,13 +462,6 @@ char *string;
memcpy(&addr, res->ai_addr, sizeof(addr));
freeaddrinfo(res);
- if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
- if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
- return (NO);
- return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
- }
-
/* match IPv6 address against netnumber/prefixlen */
len = strlen(net_tok);
if (*net_tok != '[' || net_tok[len - 1] != ']')
diff --git a/socket.c b/socket.c
index 7e32a90..4b2c575 100644
--- a/socket.c
+++ b/socket.c
@@ -228,7 +228,7 @@ struct host_info *host;
hints.ai_family = sin->sa_family;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
- if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
freeaddrinfo(res0);
res0 = NULL;
tcpd_warn("host name/name mismatch: "


@ -1,91 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: _makefile_config
---
Makefile | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index a69b208..787ca95 100644
--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,7 @@ what:
#
# SysV.4 Solaris 2.x OSF AIX
#REAL_DAEMON_DIR=/usr/sbin
-#
+REAL_DAEMON_DIR=/usr/sbin
# BSD 4.4
#REAL_DAEMON_DIR=/usr/libexec
#
@@ -513,6 +513,7 @@ VSYSLOG = -Dvsyslog=myvsyslog
# (examples: allow, deny, banners, twist and spawn).
#
#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
+STYLE = "-DPROCESS_OPTIONS -DACLEXEC"
################################################################
# Optional: Changing the default disposition of logfile records
@@ -536,6 +537,7 @@ VSYSLOG = -Dvsyslog=myvsyslog
# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
+FACILITY= LOG_DAEMON
# The syslog priority at which successful connections are logged.
@@ -632,6 +634,7 @@ TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
# lookups altogether, see the next section.
PARANOID= -DPARANOID
+PARANOID=
########################################
# Optional: turning off hostname lookups
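Review bot: `PARANOID=` is added after `PARANOID= -DPARANOID`, which turns off the build-time behavior of refusing clients whose host name and address do not agree, and neither the Makefile nor the patch header says so. State that deployments must now use the PARANOID wildcard in the access control files to get that check, and replace the upstream assignment rather than relying on the later one winning; the same applies to the duplicated FACILITY and HOSTNAME lines.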
@@ -645,6 +648,7 @@ PARANOID= -DPARANOID
# mode (see previous section) and comment out the following definition.
HOSTNAME= -DALWAYS_HOSTNAME
+HOSTNAME=
#############################################
# Optional: Turning on host ADDRESS checking
@@ -671,6 +675,7 @@ HOSTNAME= -DALWAYS_HOSTNAME
# Solaris 2.x, and Linux. See your system documentation for details.
#
# KILL_OPT= -DKILL_IP_OPTIONS
+KILL_OPT= -DKILL_IP_OPTIONS
## End configuration options
############################
@@ -678,9 +683,10 @@ HOSTNAME= -DALWAYS_HOSTNAME
# Protection against weird shells or weird make programs.
SHELL = /bin/sh
-.c.o:; $(CC) $(CFLAGS) -c $*.c
+.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
-CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+COPTS = -O2 -g
+CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
@@ -713,11 +719,12 @@ all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
config-check:
@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
- @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
- if cmp cflags /tmp/cflags.$$$$ ; \
- then rm /tmp/cflags.$$$$ ; \
- else mv /tmp/cflags.$$$$ cflags ; \
+ @set +e; echo $(CFLAGS) >cflags.new ; \
+ if cmp cflags cflags.new ; \
+ then rm cflags.new ; \
+ else mv cflags.new cflags ; \
fi >/dev/null 2>/dev/null
+ @if [ ! -d shared ]; then mkdir shared; fi
$(LIB): $(LIB_OBJ)
rm -f $(LIB)
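Review bot: The patch header has no description although the config-check hunk makes a security-relevant change: `/tmp/cflags.$$$$`, a predictable name in a world-writable directory, is replaced by `cflags.new` in the build tree. Say so in the header. In the added `@if [ ! -d shared ]; then mkdir shared; fi`, `mkdir -p shared` does the same without the test, and the context line `{ make; exit 1; }` should call `$(MAKE)`.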


@ -1,288 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: _shlib_weaksym
---
Makefile | 57 +++++++++++++++++++++++++++++++++-------------
libwrap.lds | 4 ++++
tcpd.h | 71 +++++++++++++++++++++++++++++++++++++++-------------------
weak_symbols.c | 10 +++++++++
4 files changed, 103 insertions(+), 39 deletions(-)
create mode 100644 libwrap.lds
create mode 100644 weak_symbols.c
diff --git a/Makefile b/Makefile
index 787ca95..fe97fe3 100644
--- a/Makefile
+++ b/Makefile
@@ -150,15 +150,15 @@ netbsd:
linux:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
gnu:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1" all
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -DHAVE_WEAKSYMS -D_REENTRANT" all
# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
hpux hpux8 hpux9 hpux10:
@@ -692,6 +692,7 @@ CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
$(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
$(VSYSLOG) $(HOSTNAME)
+LDFLAGS = $(LDOPTS)
LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
@@ -713,7 +714,22 @@ KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
LIB = libwrap.a
-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
+shared/%.o: %.c
+ $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
+
+SOMAJOR = 0
+SOMINOR = 7.6
+
+SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
+SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR)
+SHLIBSO = shared/libwrap.so
+SHLIBFLAGS = -Lshared -lwrap
+
+SHLINKFLAGS = -Bsymbolic-functions -shared -Wl,-soname=libwrap.so.$(SOMAJOR) -Wl,--version-script=libwrap.lds
+SHCFLAGS = -fpic
+SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ))
+
+all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
# Invalidate all object files when the compiler options (CFLAGS) have changed.
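Review bot: in SHLINKFLAGS, -Bsymbolic-functions is passed to $(CC) bare, while -soname and --version-script next to it carry the -Wl, prefix. The compiler driver treats -B<prefix> as its own search-prefix option, so the linker never sees the intended flag; write it as -Wl,-Bsymbolic-functions. Separately, the shared/%.o rule writes into shared/ but no visible line creates that directory before the first compile.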
@@ -731,27 +747,33 @@ $(LIB): $(LIB_OBJ)
$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
-$(RANLIB) $(LIB)
-tcpd: tcpd.o $(LIB)
- $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
+$(SHLIB): libwrap.lds $(SHLIB_OBJ)
+ rm -f $(SHLIB)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) $(LIBS)
+ ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
+ ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
+
+tcpd: tcpd.o $(SHLIB)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
miscd: miscd.o $(LIB)
- $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
-safe_finger: safe_finger.o $(LIB)
- $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
+safe_finger: safe_finger.o
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ safe_finger.o
TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
+tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
-try-from: try-from.o fakelog.o $(LIB)
- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
+try-from: try-from.o fakelog.o $(SHLIB)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
-tcpdchk: $(TCPDCHK_OBJ) $(LIB)
- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
+tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
shar: $(KIT)
@shar $(KIT)
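Review bot: miscd still links the static $(LIB) while tcpd, tcpdmatch, try-from and tcpdchk move to $(SHLIBFLAGS), so the build now produces a mix of statically and dynamically wrapped binaries. If that is intentional, add a comment on the miscd rule; otherwise switch it as well. The four converted rules also drop $(LIBS) from the link line and rely on the shared object's own dependencies, which deserves a mention in the patch description.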
@@ -767,7 +789,9 @@ archive:
clean:
rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
+ libwrap*.so* \
cflags
+ rm -rf shared/
tidy: clean
chmod -R a+r .
@@ -913,5 +937,6 @@ update.o: cflags
update.o: mystdarg.h
update.o: tcpd.h
vfprintf.o: cflags
+weak_symbols.o: tcpd.h
workarounds.o: cflags
workarounds.o: tcpd.h
diff --git a/libwrap.lds b/libwrap.lds
new file mode 100644
index 0000000..1abf1c5
--- /dev/null
+++ b/libwrap.lds
@@ -0,0 +1,4 @@
+{
+ local:
+ aclexec_matched;
+};
diff --git a/tcpd.h b/tcpd.h
index 0f3c740..f425f24 100644
--- a/tcpd.h
+++ b/tcpd.h
@@ -4,6 +4,15 @@
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
+#ifndef _TCPWRAPPERS_TCPD_H
+#define _TCPWRAPPERS_TCPD_H
+
+/* Need definitions of struct sockaddr_in and FILE. */
+#include <netinet/in.h>
+#include <stdio.h>
+
+__BEGIN_DECLS
+
/* Structure to describe one communications endpoint. */
#define STRING_LENGTH 128 /* hosts, users, processes */
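Review bot: __BEGIN_DECLS is used here (and __END_DECLS at the end of the file) without including <sys/cdefs.h>; the header only works because <netinet/in.h> or <stdio.h> happens to pull the macro in. Include <sys/cdefs.h> explicitly or use a plain #ifdef __cplusplus / extern "C" block. The guard name _TCPWRAPPERS_TCPD_H also starts with an underscore followed by a capital letter, which is a reserved identifier; TCPWRAPPERS_TCPD_H would do.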
@@ -29,10 +38,10 @@ struct request_info {
char pid[10]; /* access via eval_pid(request) */
struct host_info client[1]; /* client endpoint info */
struct host_info server[1]; /* server endpoint info */
- void (*sink) (); /* datagram sink function or 0 */
- void (*hostname) (); /* address to printable hostname */
- void (*hostaddr) (); /* address to printable address */
- void (*cleanup) (); /* cleanup function or 0 */
+ void (*sink) (int); /* datagram sink function or 0 */
+ void (*hostname) (struct host_info *); /* address to printable hostname */
+ void (*hostaddr) (struct host_info *); /* address to printable address */
+ void (*cleanup) (struct request_info *); /* cleanup function or 0 */
struct netconfig *config; /* netdir handle */
};
@@ -70,20 +79,27 @@ extern void fromhost(); /* get/validate client host info */
#define fromhost sock_host /* no TLI support needed */
#endif
-extern int hosts_access(); /* access control */
-extern void shell_cmd(); /* execute shell command */
-extern char *percent_x(); /* do %<char> expansion */
-extern void rfc931(); /* client name from RFC 931 daemon */
-extern void clean_exit(); /* clean up and exit */
-extern void refuse(); /* clean up and exit */
-extern char *xgets(); /* fgets() on steroids */
-extern char *split_at(); /* strchr() and split */
-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
+extern int hosts_access(struct request_info *request); /* access control */
+extern void shell_cmd(char *); /* execute shell command */
+extern char *percent_x(char *, int, char *, struct request_info *);
+ /* do %<char> expansion */
+extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
+ /* client name from RFC 931 daemon */
+extern void clean_exit(struct request_info *); /* clean up and exit */
+extern void refuse(struct request_info *); /* clean up and exit */
+extern char *xgets(char *, int, FILE *); /* fgets() on steroids */
+extern char *split_at(char *, int); /* strchr() and split */
+extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */
/* Global variables. */
+#ifdef HAVE_WEAKSYMS
+extern int allow_severity __attribute__ ((weak)); /* for connection logging */
+extern int deny_severity __attribute__ ((weak)); /* for connection logging */
+#else
extern int allow_severity; /* for connection logging */
extern int deny_severity; /* for connection logging */
+#endif
extern char *hosts_allow_table; /* for verification mode redirection */
extern char *hosts_deny_table; /* for verification mode redirection */
extern int hosts_access_verbose; /* for verbose matching mode */
@@ -98,6 +114,8 @@ extern int resident; /* > 0 if resident process */
#ifdef __STDC__
extern struct request_info *request_init(struct request_info *,...);
extern struct request_info *request_set(struct request_info *,...);
+extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
+ char *client_user);
#else
extern struct request_info *request_init(); /* initialize request */
extern struct request_info *request_set(); /* update request structure */
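Review bot: the hosts_ctl() prototype is added only inside the #ifdef __STDC__ branch, so the #else branch still has no declaration for it while request_init() and request_set() are declared in both. Add a matching `extern int hosts_ctl();` to the #else branch, or move the prototype next to hosts_access() where the other fixed-argument functions are declared.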
@@ -121,20 +139,23 @@ extern struct request_info *request_set(); /* update request structure */
* host_info structures serve as caches for the lookup results.
*/
-extern char *eval_user(); /* client user */
-extern char *eval_hostname(); /* printable hostname */
-extern char *eval_hostaddr(); /* printable host address */
-extern char *eval_hostinfo(); /* host name or address */
-extern char *eval_client(); /* whatever is available */
-extern char *eval_server(); /* whatever is available */
+extern char *eval_user(struct request_info *); /* client user */
+extern char *eval_hostname(struct host_info *); /* printable hostname */
+extern char *eval_hostaddr(struct host_info *); /* printable host address */
+extern char *eval_hostinfo(struct host_info *); /* host name or address */
+extern char *eval_client(struct request_info *);/* whatever is available */
+extern char *eval_server(struct request_info *);/* whatever is available */
#define eval_daemon(r) ((r)->daemon) /* daemon process name */
#define eval_pid(r) ((r)->pid) /* process id */
/* Socket-specific methods, including DNS hostname lookups. */
-extern void sock_host(); /* look up endpoint addresses */
-extern void sock_hostname(); /* translate address to hostname */
-extern void sock_hostaddr(); /* address to printable address */
+/* look up endpoint addresses */
+extern void sock_host(struct request_info *);
+/* translate address to hostname */
+extern void sock_hostname(struct host_info *);
+/* address to printable address */
+extern void sock_hostaddr(struct host_info *);
#define sock_methods(r) \
{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
@@ -182,7 +203,7 @@ extern struct tcpd_context tcpd_context;
* behavior.
*/
-extern void process_options(); /* execute options */
+extern void process_options(char *, struct request_info *);/* execute options */
extern int dry_run; /* verification flag */
/* Bug workarounds. */
@@ -221,3 +242,7 @@ extern char *fix_strtok();
#define strtok my_strtok
extern char *my_strtok();
#endif
+
+__END_DECLS
+
+#endif
diff --git a/weak_symbols.c b/weak_symbols.c
new file mode 100644
index 0000000..2f3fb04
--- /dev/null
+++ b/weak_symbols.c
@@ -0,0 +1,10 @@
+ /*
+ * Author: Anthony Towns <ajt@debian.org>
+ */
+
+#ifdef HAVE_WEAKSYMS
+#include "tcpd.h"
+#include <syslog.h>
+int deny_severity = LOG_WARNING;
+int allow_severity = SEVERITY;
+#endif
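Review bot: nothing in this file says that the two definitions are meant to be weak; that only follows from the __attribute__ ((weak)) declarations in tcpd.h under HAVE_WEAKSYMS. Add a comment stating that these are library-side defaults which a program's own allow_severity and deny_severity override, and that SEVERITY has to come from the build flags. When HAVE_WEAKSYMS is not defined the file compiles to an empty translation unit, so it should only ever be listed in AUX_OBJ together with that define.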

@ -1,81 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: _cidr_support
---
hosts_access.5 | 4 ++++
hosts_access.c | 3 ++-
misc.c | 14 ++++++++++++++
tcpdchk.c | 4 ++--
4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/hosts_access.5 b/hosts_access.5
index 2f51d9b..620a7c3 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -90,6 +90,10 @@ bitwise AND of the address and the `mask\'. For example, the net/mask
pattern `131.155.72.0/255.255.254.0\' matches every address in the
range `131.155.72.0\' through `131.155.73.255\'.
.IP \(bu
+An expression of the form `n.n.n.n/mm' is interpreted as a
+`net/masklength' pair, where `mm' is the number of consecutive `1'
+bits in the netmask applied to the `n.n.n.n' address.
+.IP \(bu
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
`[net]/prefixlen\' pair. An IPv6 host address is matched if
`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
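Review bot: the three added lines close their quotes with a plain ' while every surrounding line in this page uses \' (the form the _man_quoting patch introduces). Use `n.n.n.n/mm\', `net/masklength\', `mm\' and `1\' so the new paragraph renders the same as its neighbours. The text should also state the accepted range of `mm`, since cidr_mask_addr() in this patch rejects values below 1 and above 32.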
diff --git a/hosts_access.c b/hosts_access.c
index 1c783b9..72b2cc2 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -423,7 +423,8 @@ char *string;
if ((addr = dot_quad_addr(string)) == INADDR_NONE)
return (NO);
if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
+ || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
+ && (mask = cidr_mask_addr(mask_tok)) == 0)) {
#ifndef INET6
tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
#endif
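Review bot: cidr_mask_addr() is called here but this patch adds no declaration for it; the diffstat shows hosts_access.c changing only at this call and tcpd.h is not touched. Without a prototype the call is implicitly declared as returning int, which does not match the unsigned long definition in misc.c. Declare it in tcpd.h next to dot_quad_addr() as part of this patch rather than in a later one.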
diff --git a/misc.c b/misc.c
index 34158c3..c283e06 100644
--- a/misc.c
+++ b/misc.c
@@ -107,3 +107,17 @@ char *str;
}
return (runs == 4 ? inet_addr(str) : INADDR_NONE);
}
+
+/* cidr_mask_addr - convert cidr netmask length to internal form */
+
+unsigned long cidr_mask_addr(str)
+char *str;
+{
+ int maskbits;
+
+ maskbits = atoi(str);
+ if (maskbits < 1 || maskbits > 32)
+ return (0);
+ return htonl(0xFFFFFFFF << (32 - maskbits));
+}
+
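Review bot: atoi(str) in cidr_mask_addr() accepts any string with a leading number, so a malformed dotted mask that dot_quad_addr() has just rejected, for example `16.0.0`, is then silently taken as a /16 prefix. For an access-control list that turns a typo into a different rule instead of a warning. Parse with strtol() and require that the end pointer sits on the terminating NUL before the range check. Returning 0 as the error value is fine given that /0 is rejected, but say so in the function comment.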
diff --git a/tcpdchk.c b/tcpdchk.c
index 19bd7d2..416c08d 100644
--- a/tcpdchk.c
+++ b/tcpdchk.c
@@ -479,12 +479,12 @@ char *pat;
int mask_len;
if ((dot_quad_addr(pat) == INADDR_NONE
- || dot_quad_addr(mask) == INADDR_NONE)
+ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
&& (!is_inet6_addr(pat)
|| ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
#else
if (dot_quad_addr(pat) == INADDR_NONE
- || dot_quad_addr(mask) == INADDR_NONE)
+ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
#endif
tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
} else if (STR_EQ(pat, "FAIL")) { /* obsolete */
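Review bot: both changed conditions now mix || and && without grouping, as in `|| dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)`. Precedence gives the intended result, but the equivalent test in hosts_access.c in this same patch is parenthesised, and compilers warn about this form. Wrap the && pair in parentheses in both branches so the two files read the same.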

@ -1,21 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: _match_clarify
---
hosts_access.5 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hosts_access.5 b/hosts_access.5
index 620a7c3..bb05289 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -89,6 +89,8 @@ An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
bitwise AND of the address and the `mask\'. For example, the net/mask
pattern `131.155.72.0/255.255.254.0\' matches every address in the
range `131.155.72.0\' through `131.155.73.255\'.
+`255.255.255.255\' is not a valid mask value, so a single host can be
+matched just by its IP.
.IP \(bu
An expression of the form `n.n.n.n/mm' is interpreted as a
`net/masklength' pair, where `mm' is the number of consecutive `1'
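Review bot: the added sentence joins two statements with "so" that do not follow from each other; that 255.255.255.255 is rejected as a mask does not by itself explain how to match one host. Reword along the lines of "`255.255.255.255\' is not a valid mask value; to match a single host, give its address without a mask." Since the CIDR form documented in the next item accepts a length of 32, it is worth saying whether `n.n.n.n/32` is the recommended alternative.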

150
debian/patches/aclexec vendored
@ -1,150 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: aclexec
---
hosts_access.c | 9 +++++++++
hosts_options.5 | 17 +++++++++++++++++
options.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
diff --git a/hosts_access.c b/hosts_access.c
index 72b2cc2..a2c6abf 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -81,6 +81,9 @@ int hosts_access_verbose = 0;
*/
int resident = (-1); /* -1, 0: unknown; +1: yes */
+#ifdef ACLEXEC
+int aclexec_matched = 0;
+#endif
/* Forward declarations. */
@@ -184,6 +187,12 @@ struct request_info *request;
if (sh_cmd) {
#ifdef PROCESS_OPTIONS
process_options(sh_cmd, request);
+# ifdef ACLEXEC
+ if (aclexec_matched) {
+ syslog(LOG_INFO, "aclexec returned %d", aclexec_matched);
+ match = NO;
+ }
+# endif
#else
char cmd[BUFSIZ];
shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
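Review bot: the syslog call prints aclexec_matched as if it were the command's result, but aclexec_option() in this patch only ever sets that variable to 0 or 1, so the message is always "aclexec returned 1". Log the real exit status or signal, or reword the message to say that the aclexec command failed and the rule was skipped. Note also that `match = NO` makes a failing command fall through to the following rules rather than refuse the connection, which is not what the new hosts_options.5 text says.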
diff --git a/hosts_options.5 b/hosts_options.5
index 4ed0479..d2fd7e1 100644
--- a/hosts_options.5
+++ b/hosts_options.5
@@ -52,6 +52,23 @@ ALL: ALL: ALLOW
.sp
Notice the leading dot on the domain name patterns.
.SH RUNNING OTHER COMMANDS
+.IP "aclexec shell_command"
+Execute, in a child process, the specified shell command, after
+performing the %<letter> expansions described in the hosts_access(5)
+manual page. The command is executed with stdin, stdout and stderr
+connected to the null device, so that it won't mess up the
+conversation with the client host. Example:
+.sp
+.nf
+.ti +3
+smtp : ALL : aclexec checkdnsbl %a
+.fi
+.sp
+executes, in a background child process, the shell command "checkdnsbl %a"
+after replacing %a by the address of the remote host.
+.sp
+The connection will be allowed or refused depending on whether the
+command returns a true or false exit status.
.IP "spawn shell_command"
Execute, in a child process, the specified shell command, after
performing the %<letter> expansions described in the hosts_access(5)
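Review bot: the added text says the command runs "in a background child process" with stdin, stdout and stderr on the null device, but the aclexec_option() added in this patch waits for the child before continuing and calls execl() on /bin/sh without any redirection. Drop "background", and either redirect the descriptors in the child as the spawn option does or remove that sentence. The last paragraph should define "true" as exit status 0 and state what happens to the rule when the command fails.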
diff --git a/options.c b/options.c
index 4fc6c94..58d7639 100644
--- a/options.c
+++ b/options.c
@@ -47,6 +47,7 @@ static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
#include <ctype.h>
#include <setjmp.h>
#include <string.h>
+#include <sys/wait.h>
#ifndef MAXPATHNAMELEN
#define MAXPATHNAMELEN BUFSIZ
@@ -76,6 +77,7 @@ static void group_option(); /* execute "group name" option */
static void umask_option(); /* execute "umask mask" option */
static void linger_option(); /* execute "linger time" option */
static void keepalive_option(); /* execute "keepalive" option */
+static void aclexec_option(); /* execute "aclexec command" option */
static void spawn_option(); /* execute "spawn command" option */
static void twist_option(); /* execute "twist command" option */
static void rfc931_option(); /* execute "rfc931" option */
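Review bot: `static void aclexec_option();` is declared unconditionally here, while both its option_table entry and its definition are wrapped in #ifdef ACLEXEC. A build without ACLEXEC then has a static function that is declared but never defined. Put the declaration under the same #ifdef.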
@@ -113,6 +115,9 @@ static struct option option_table[] = {
"umask", umask_option, NEED_ARG,
"linger", linger_option, NEED_ARG,
"keepalive", keepalive_option, 0,
+#ifdef ACLEXEC
+ "aclexec", aclexec_option, NEED_ARG | EXPAND_ARG,
+#endif
"spawn", spawn_option, NEED_ARG | EXPAND_ARG,
"twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
"rfc931", rfc931_option, OPT_ARG,
@@ -310,6 +315,54 @@ struct request_info *request;
shell_cmd(value);
}
+#ifdef ACLEXEC
+/* aclexec_option - spawn a shell command and check status */
+
+/* ARGSUSED */
+
+static void aclexec_option(value, request)
+char *value;
+struct request_info *request;
+{
+ int status, child_pid, wait_pid;
+ extern int aclexec_matched;
+
+ if (dry_run != 0)
+ return;
+
+ child_pid = fork();
+
+ /* Something went wrong: we MUST terminate the process. */
+ if (child_pid < 0) {
+ tcpd_warn("aclexec_option: /bin/sh: %m");
+ clean_exit(request);
+ }
+
+ if (child_pid == 0) {
+ execl("/bin/sh", "sh", "-c", value, (char *) 0);
+
+ /* Something went wrong. We MUST terminate the child process. */
+ tcpd_warn("execl /bin/sh: %m");
+ _exit(0);
+ }
+
+ while ((wait_pid = wait(&status)) != -1 && wait_pid != child_pid)
+ /* void */ ;
+
+ aclexec_matched = 1;
+
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+ aclexec_matched = 0;
+ }
+
+ if (WIFSIGNALED(status))
+ tcpd_warn("process %d exited with signal %d", child_pid,
+ WTERMSIG(status));
+
+ return;
+}
+#endif
+
/* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
/* ARGSUSED */
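Review bot: in the child branch of aclexec_option(), a failed execl() ends in `_exit(0)`, which the parent reads as WIFEXITED with status 0 and therefore as a passing check, so the rule fails open exactly when the checker could not be run. Exit with a non-zero status there. The wait loop can also end with wait() returning -1, in which case `status` is read uninitialised by WIFEXITED and WIFSIGNALED; initialise it and treat that case as a failure. Finally, the early return for dry_run leaves aclexec_matched at whatever a previous call set.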

@ -1,97 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: catch-sigchld
---
shell_cmd.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 51 insertions(+), 3 deletions(-)
diff --git a/shell_cmd.c b/shell_cmd.c
index 62d31bc..b0ffdd9 100644
--- a/shell_cmd.c
+++ b/shell_cmd.c
@@ -20,6 +20,11 @@ static char sccsid[] = "@(#) shell_cmd.c 1.5 94/12/28 17:42:44";
#include <stdio.h>
#include <syslog.h>
#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
extern void exit();
@@ -31,13 +36,42 @@ extern void exit();
static void do_child();
+/*
+ * The sigchld handler. If there is a SIGCHLD caused by a child other than
+ * ours, we set a flag and raise the signal later.
+ */
+volatile static int foreign_sigchld;
+volatile static int our_child_pid;
+static void sigchld(int sig, siginfo_t *si, void *unused)
+{
+ if (si && si->si_pid != our_child_pid)
+ foreign_sigchld = 1;
+}
+
/* shell_cmd - execute shell command */
void shell_cmd(command)
char *command;
{
int child_pid;
- int wait_pid;
+
+ struct sigaction new_action, old_action;
+ sigset_t new_mask, old_mask, empty_mask;
+
+ new_action.sa_sigaction = &sigchld;
+ new_action.sa_flags = SA_SIGINFO;
+ sigemptyset(&new_action.sa_mask);
+ sigemptyset(&new_mask);
+ sigemptyset(&empty_mask);
+ sigaddset(&new_mask, SIGCHLD);
+
+ /*
+ * Set the variables for handler, set the handler and block the signal
+ * until we have the pid.
+ */
+ foreign_sigchld = 0; our_child_pid = 0;
+ sigprocmask(SIG_BLOCK, &new_mask, &old_mask);
+ sigaction(SIGCHLD, &new_action, &old_action);
/*
* Most of the work is done within the child process, to minimize the
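Review bot: foreign_sigchld is written from the signal handler and read in shell_cmd(), so it should be `static volatile sig_atomic_t` rather than `volatile static int`, with the storage class written first. The return values of sigprocmask() and sigaction() are ignored; if installing the handler fails, the code still proceeds as if it were in place. `foreign_sigchld = 0; our_child_pid = 0;` would read better as two lines.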
@@ -49,12 +83,26 @@ char *command;
tcpd_warn("cannot fork: %m");
break;
case 00: /* child */
+ /* Clear the blocked mask for the child not to be surprised. */
+ sigprocmask(SIG_SETMASK, &empty_mask, 0);
do_child(command);
/* NOTREACHED */
default: /* parent */
- while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid)
- /* void */ ;
+ our_child_pid = child_pid;
+ sigprocmask(SIG_UNBLOCK, &new_mask, 0);
+ while (waitpid(child_pid, (int *) 0, 0) == -1 && errno == EINTR);
}
+
+ /*
+ * Revert the signal mask and the SIGCHLD handler.
+ */
+ sigprocmask(SIG_SETMASK, &old_mask, 0);
+ sigaction(SIGCHLD, &old_action, 0);
+
+ /* If there was a foreign SIGCHLD, raise it after we have restored the old
+ * mask and handler. */
+ if (foreign_sigchld)
+ raise(SIGCHLD);
}
/* do_child - exec command with { stdin, stdout, stderr } to /dev/null */
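Review bot: in the child case, `sigprocmask(SIG_SETMASK, &empty_mask, 0)` unblocks every signal, including ones the calling program had blocked before shell_cmd() was entered; restoring `&old_mask` would hand the child the caller's original mask instead. In the parent, the single raise(SIGCHLD) at the end collapses any number of foreign child exits into one signal and loses the original si_pid, which a caller's SA_SIGINFO handler may depend on; document that limitation in the comment above. The empty-bodied waitpid() loop should carry a `/* void */` body like the loop it replaces.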

@ -1,86 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: expand_remote_port
---
eval.c | 22 ++++++++++++++++++++++
hosts_access.5 | 2 ++
percent_x.c | 2 ++
tcpd.h | 5 +++++
4 files changed, 31 insertions(+)
diff --git a/eval.c b/eval.c
index d68358f..4c0bd8d 100644
--- a/eval.c
+++ b/eval.c
@@ -98,6 +98,28 @@ struct host_info *host;
}
}
+/* eval_port - return string with the port */
+char *eval_port(saddr)
+#ifdef INET6
+struct sockaddr *saddr;
+#else
+struct sockaddr_in *saddr;
+#endif
+{
+ static char port[16];
+ if (saddr != 0) {
+ sprintf(port, "%u",
+#ifdef INET6
+ ntohs(((struct sockaddr_in *)saddr)->sin_port));
+#else
+ ntohs(saddr->sin_port));
+#endif
+ } else {
+ strcpy(port, "0");
+ }
+ return (port);
+}
+
/* eval_client - return string with as much about the client as we know */
char *eval_client(request)
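Review bot: in the INET6 branch, eval_port() casts the struct sockaddr pointer to struct sockaddr_in and reads sin_port without looking at sa_family. That relies on the port field sitting at the same offset in the IPv6 address structure; either switch on sa_family and read the matching field, or add a comment stating the assumption. The function also returns a pointer to a single static buffer, which should be mentioned in its header comment since %r and %R share it.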
diff --git a/hosts_access.5 b/hosts_access.5
index bb05289..bd8903a 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -175,6 +175,8 @@ The client (server) host name or address, if the host name is
unavailable.
.IP "%n (%N)"
The client (server) host name (or "unknown" or "paranoid").
+.IP "%r (%R)"
+The clients (servers) port number (or "0").
.IP %p
The daemon process id.
.IP %s
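Review bot: "The clients (servers) port number" is missing its apostrophes and does not match the wording of the entries around it, which say "The client (server) host name". Use "The client (server) port number (or "0")." and say when "0" is returned, which per eval_port() in this patch is when no socket address is available.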
diff --git a/percent_x.c b/percent_x.c
index c95a1ea..1b5b83d 100644
--- a/percent_x.c
+++ b/percent_x.c
@@ -63,6 +63,8 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ";
ch == 'n' ? eval_hostname(request->client) :
ch == 'N' ? eval_hostname(request->server) :
ch == 'p' ? eval_pid(request) :
+ ch == 'r' ? eval_port(request->client->sin) :
+ ch == 'R' ? eval_port(request->server->sin) :
ch == 's' ? eval_server(request) :
ch == 'u' ? eval_user(request) :
ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), "");
diff --git a/tcpd.h b/tcpd.h
index b6690d9..1277cea 100644
--- a/tcpd.h
+++ b/tcpd.h
@@ -155,6 +155,11 @@ extern char *eval_hostaddr(struct host_info *); /* printable host address */
extern char *eval_hostinfo(struct host_info *); /* host name or address */
extern char *eval_client(struct request_info *);/* whatever is available */
extern char *eval_server(struct request_info *);/* whatever is available */
+#ifdef INET6
+extern char *eval_port(struct sockaddr *);
+#else
+extern char *eval_port(struct sockaddr_in *);
+#endif
#define eval_daemon(r) ((r)->daemon) /* daemon process name */
#define eval_pid(r) ((r)->pid) /* process id */

@ -1,51 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: Fix parsing of lines longer than 2047 characters
If a line in /etc/hosts.{allow,deny} is longer than BUFLEN-1 (2047)
characters then len will be set to 1 at the end of the xgets() loop.
At the next iteration, fgets will be passed a buffer of length 1, so it
will only be able to read an empty string (the buffer must always have
space for the trailing NUL).
strlen(3) on the empty string will return 0, so len will not be modified
anymore and the last step will repeat forever.
To reproduce:
perl -e 'print "#sshd: " . ("127.0.0.1, " x 210) . "\n"' > hosts.deny
tcpdmatch -d test localhost
Bug-Debian: http://bugs.debian.org/596261
---
hosts_access.c | 4 +++-
misc.c | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/hosts_access.c b/hosts_access.c
index 761e644..cd73d8f 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -165,7 +165,9 @@ struct request_info *request;
while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
if (sv_list[strlen(sv_list) - 1] != '\n') {
tcpd_warn("missing newline or line too long");
- continue;
+ tcpd_warn("all the subsequent rules will be ignored");
+ match = ERR;
+ break;
}
if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
continue;
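Review bot: an over-long or unterminated line now sets `match = ERR` and stops processing the table, which changes how every rule after that line is treated, yet the patch touches only hosts_access.c and misc.c. Document the new behaviour in hosts_access.5 and include the maximum line length there. The second tcpd_warn() would be more useful if it named the table file being abandoned.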
diff --git a/misc.c b/misc.c
index c283e06..1eb3334 100644
--- a/misc.c
+++ b/misc.c
@@ -45,6 +45,8 @@ FILE *fp;
}
ptr += got;
len -= got;
+ if (len == 1)
+ return(start);
ptr[0] = 0;
}
return (ptr > start ? start : 0);
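Review bot: the new `if (len == 1) return(start);` in xgets() has no comment, and the reason for the magic value is only given in the commit message. Add a short comment saying that len == 1 means the buffer is full apart from the terminating NUL, and that the caller detects the missing newline and reports the line as too long.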

@ -1,21 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: fix_static
---
workarounds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workarounds.c b/workarounds.c
index b22b378..59600f4 100644
--- a/workarounds.c
+++ b/workarounds.c
@@ -8,7 +8,7 @@
*/
#ifndef lint
-char sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25";
+static char sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25";
#endif
#include <sys/types.h>

@ -1,56 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: fix_warnings
---
fix_options.c | 4 ++--
options.c | 1 +
scaffold.c | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/fix_options.c b/fix_options.c
index 7473adf..2eb206a 100644
--- a/fix_options.c
+++ b/fix_options.c
@@ -32,7 +32,7 @@ static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
/* fix_options - get rid of IP-level socket options */
-fix_options(request)
+void fix_options(request)
struct request_info *request;
{
#ifdef IP_OPTIONS
@@ -46,7 +46,7 @@ struct request_info *request;
struct in_addr dummy;
#ifdef INET6
struct sockaddr_storage ss;
- int sslen;
+ socklen_t sslen;
/*
* check if this is AF_INET socket
diff --git a/options.c b/options.c
index 58d7639..23f907f 100644
--- a/options.c
+++ b/options.c
@@ -41,6 +41,7 @@ static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
#include <grp.h>
diff --git a/scaffold.c b/scaffold.c
index 9668776..9330588 100644
--- a/scaffold.c
+++ b/scaffold.c
@@ -17,6 +17,7 @@ static char sccs_id[] = "@(#) scaffold.c 1.6 97/03/21 19:27:24";
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
+#include <stdlib.h>
#include <syslog.h>
#include <setjmp.h>
#include <string.h>

@ -1,286 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: fix_warnings2
---
clean_exit.c | 1 +
fakelog.c | 8 ++++----
hosts_access.c | 4 ++++
inetcf.c | 2 ++
misc.c | 1 +
options.c | 1 +
percent_x.c | 1 +
rfc931.c | 1 +
safe_finger.c | 9 ++++++++-
tcpd.c | 5 ++++-
tcpdchk.c | 4 ++++
tcpdmatch.c | 1 +
try-from.c | 2 +-
update.c | 1 +
14 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/clean_exit.c b/clean_exit.c
index cb9d4f5..41caaf0 100644
--- a/clean_exit.c
+++ b/clean_exit.c
@@ -13,6 +13,7 @@ static char sccsid[] = "@(#) clean_exit.c 1.4 94/12/28 17:42:19";
#endif
#include <stdio.h>
+#include <unistd.h>
extern void exit();
diff --git a/fakelog.c b/fakelog.c
index fa9e06e..97802db 100644
--- a/fakelog.c
+++ b/fakelog.c
@@ -17,7 +17,7 @@ static char sccsid[] = "@(#) fakelog.c 1.3 94/12/28 17:42:21";
/* ARGSUSED */
-openlog(name, logopt, facility)
+void openlog(name, logopt, facility)
char *name;
int logopt;
int facility;
@@ -27,7 +27,7 @@ int facility;
/* vsyslog - format one record */
-vsyslog(severity, fmt, ap)
+void vsyslog(severity, fmt, ap)
int severity;
char *fmt;
va_list ap;
@@ -43,7 +43,7 @@ va_list ap;
/* VARARGS */
-VARARGS(syslog, int, severity)
+void VARARGS(syslog, int, severity)
{
va_list ap;
char *fmt;
@@ -56,7 +56,7 @@ VARARGS(syslog, int, severity)
/* closelog - dummy */
-closelog()
+void closelog()
{
/* void */
}
diff --git a/hosts_access.c b/hosts_access.c
index cd73d8f..6486dde 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -34,6 +34,7 @@ static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
+#include <stdlib.h>
#include <syslog.h>
#include <ctype.h>
#include <errno.h>
@@ -54,6 +55,9 @@ extern int errno;
#include "tcpd.h"
+unsigned long cidr_mask_addr(char *str);
+int yp_get_default_domain(char **ptr);
+
/* Error handling. */
extern jmp_buf tcpd_buf;
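Review bot: the prototype `unsigned long cidr_mask_addr(char *str);` is added locally here and again in tcpdchk.c further down, and `fix_options()` gets the same treatment in tcpd.c. Hand-copied prototypes in .c files can drift from the definition without the compiler noticing; declare both functions once in tcpd.h beside dot_quad_addr(). yp_get_default_domain() belongs to the system NIS headers and should be taken from there rather than redeclared.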
diff --git a/inetcf.c b/inetcf.c
index 49aa2f7..22200c8 100644
--- a/inetcf.c
+++ b/inetcf.c
@@ -12,6 +12,7 @@ static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23";
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
+#include <stdlib.h>
#include <errno.h>
#include <string.h>
@@ -20,6 +21,7 @@ extern void exit();
#include "tcpd.h"
#include "inetcf.h"
+#include "scaffold.h"
/*
* Network configuration files may live in unusual places. Here are some
diff --git a/misc.c b/misc.c
index 1eb3334..61014d4 100644
--- a/misc.c
+++ b/misc.c
@@ -13,6 +13,7 @@ static char sccsic[] = "@(#) misc.c 1.2 96/02/11 17:01:29";
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include "tcpd.h"
diff --git a/options.c b/options.c
index 7a21ca0..2156d84 100644
--- a/options.c
+++ b/options.c
@@ -41,6 +41,7 @@ static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
+#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
diff --git a/percent_x.c b/percent_x.c
index 1b5b83d..a100697 100644
--- a/percent_x.c
+++ b/percent_x.c
@@ -17,6 +17,7 @@ static char sccsid[] = "@(#) percent_x.c 1.4 94/12/28 17:42:37";
/* System libraries. */
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <string.h>
diff --git a/rfc931.c b/rfc931.c
index ef22f2d..d9d7251 100644
--- a/rfc931.c
+++ b/rfc931.c
@@ -16,6 +16,7 @@ static char sccsid[] = "@(#) rfc931.c 1.10 95/01/02 16:11:34";
/* System libraries. */
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
diff --git a/safe_finger.c b/safe_finger.c
index 0886832..0b2d0dd 100644
--- a/safe_finger.c
+++ b/safe_finger.c
@@ -22,10 +22,15 @@ static char sccsid[] = "@(#) safe_finger.c 1.4 94/12/28 17:42:41";
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
#include <ctype.h>
#include <pwd.h>
+#include <grp.h>
#include <syslog.h>
extern void exit();
@@ -45,6 +50,8 @@ int finger_pid;
int allow_severity = SEVERITY;
int deny_severity = LOG_WARNING;
+int pipe_stdin(char **argv);
+
void cleanup(sig)
int sig;
{
@@ -52,7 +59,7 @@ int sig;
exit(0);
}
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
diff --git a/tcpd.c b/tcpd.c
index f02daae..7dd33f8 100644
--- a/tcpd.c
+++ b/tcpd.c
@@ -22,6 +22,7 @@ static char sccsid[] = "@(#) tcpd.c 1.10 96/02/11 17:01:32";
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <string.h>
@@ -38,10 +39,12 @@ static char sccsid[] = "@(#) tcpd.c 1.10 96/02/11 17:01:32";
#include "patchlevel.h"
#include "tcpd.h"
+void fix_options(struct request_info *);
+
int allow_severity = SEVERITY; /* run-time adjustable */
int deny_severity = LOG_WARNING; /* ditto */
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
diff --git a/tcpdchk.c b/tcpdchk.c
index 4931e99..ced93c3 100644
--- a/tcpdchk.c
+++ b/tcpdchk.c
@@ -28,6 +28,8 @@ static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
#include <syslog.h>
#include <setjmp.h>
#include <errno.h>
@@ -53,6 +55,8 @@ extern char *optarg;
#include "inetcf.h"
#include "scaffold.h"
+unsigned long cidr_mask_addr(char *str);
+
/* list of programs which are known to be linked with libwrap in debian */
static const char *const libwrap_programs[] = {
"portmap", "mountd", "statd", "ugidd",
diff --git a/tcpdmatch.c b/tcpdmatch.c
index b45ff2d..06764ce 100644
--- a/tcpdmatch.c
+++ b/tcpdmatch.c
@@ -26,6 +26,7 @@ static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <setjmp.h>
#include <string.h>
diff --git a/try-from.c b/try-from.c
index 925e144..a246d4c 100644
--- a/try-from.c
+++ b/try-from.c
@@ -37,7 +37,7 @@ static char sccsid[] = "@(#) try-from.c 1.2 94/12/28 17:42:55";
int allow_severity = SEVERITY; /* run-time adjustable */
int deny_severity = LOG_WARNING; /* ditto */
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
diff --git a/update.c b/update.c
index 34aafc7..5370f2d 100644
--- a/update.c
+++ b/update.c
@@ -20,6 +20,7 @@ static char sccsid[] = "@(#) update.c 1.1 94/12/28 17:42:56";
/* System libraries */
#include <stdio.h>
+#include <unistd.h>
#include <syslog.h>
#include <string.h>

@ -1,28 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: have_strerror
---
percent_m.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/percent_m.c b/percent_m.c
index bb11b22..da4473a 100644
--- a/percent_m.c
+++ b/percent_m.c
@@ -29,11 +29,15 @@ char *ibuf;
while (*bp = *cp)
if (*cp == '%' && cp[1] == 'm') {
+#ifdef HAVE_STRERROR
+ strcpy(bp, strerror(errno));
+#else
if (errno < sys_nerr && errno > 0) {
strcpy(bp, sys_errlist[errno]);
} else {
sprintf(bp, "Unknown error %d", errno);
}
+#endif
bp += strlen(bp);
cp += 2;
} else {
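Review bot: the new branch does `strcpy(bp, strerror(errno));` with no length check visible in this hunk, and strerror() text is locale dependent and of no fixed maximum length. The sys_errlist branch it replaces has the same shape, but since the line is being touched this is the place to bound the copy against the space left in the output buffer. Saving errno into a local before the loop would also protect it from being changed by the library calls in between.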

@ -1,23 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: ignore_missing_inetdconf
---
inetcf.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/inetcf.c b/inetcf.c
index 75017f2..49aa2f7 100644
--- a/inetcf.c
+++ b/inetcf.c
@@ -90,9 +90,7 @@ char *conf;
for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++)
/* void */ ;
if (fp == 0) {
- fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n");
- fprintf(stderr, "Please specify its location.\n");
- exit(1);
+ return inet_files[i];
}
conf = inet_files[i];
check_path(conf, &st);
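Review bot: in the fp == 0 branch, return inet_files[i] always returns a null pointer. The loop above can only end without an open file when inet_files[i] is the terminating null entry. Write return (0) to make that explicit, and confirm every caller handles a null configuration path. The removed fprintf lines were also the only diagnostic, so a missing inetd.conf is now silent.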

View File

@ -1,73 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: initgroups
---
options.c | 23 +++++++++++++++++++----
safe_finger.c | 2 ++
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/options.c b/options.c
index 23f907f..7a21ca0 100644
--- a/options.c
+++ b/options.c
@@ -262,8 +262,12 @@ struct request_info *request;
tcpd_jump("unknown group: \"%s\"", value);
endgrent();
- if (dry_run == 0 && setgid(grp->gr_gid))
- tcpd_jump("setgid(%s): %m", value);
+ if (dry_run != 0) {
+ if (setgid(grp->gr_gid))
+ tcpd_jump("setgid(%s): %m", value);
+ if (setgroups(0, NULL))
+ tcpd_jump("setgroups(%s): %m", value);
+ }
}
/* user_option - switch user id */
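Review bot: the dry_run test is inverted. The removed line called setgid() only when dry_run == 0; the new block runs setgid() and setgroups() only when dry_run != 0, so a real run no longer switches group at all while a dry run does. The condition should read if (dry_run == 0) {.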
@@ -277,15 +281,26 @@ struct request_info *request;
struct passwd *pwd;
struct passwd *getpwnam();
char *group;
+ int defaultgroup = 0;
if ((group = split_at(value, '.')) != 0)
group_option(group, request);
+ else
+ defaultgroup = 1;
if ((pwd = getpwnam(value)) == 0)
tcpd_jump("unknown user: \"%s\"", value);
endpwent();
- if (dry_run == 0 && setuid(pwd->pw_uid))
- tcpd_jump("setuid(%s): %m", value);
+ if (dry_run != 0) {
+ if (setuid(pwd->pw_uid))
+ tcpd_jump("setuid(%s): %m", value);
+ if (defaultgroup) {
+ if (setgid(pwd->pw_gid))
+ tcpd_jump("setgid(%s): %m", value);
+ if (initgroups(value, pwd->pw_gid))
+ tcpd_jump("initgroups(%s): %m", value);
+ }
+ }
}
/* umask_option - set file creation mask */
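Review bot: setuid(pwd->pw_uid) is called before setgid(pwd->pw_gid) and initgroups(value, pwd->pw_gid). Once the uid has been dropped the process normally no longer has the privilege to change its groups, so the two later calls can be expected to fail and end in tcpd_jump. Order them initgroups, setgid, setuid. The dry_run != 0 test is inverted here as well; the removed line used dry_run == 0.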
diff --git a/safe_finger.c b/safe_finger.c
index 0567ac0..0886832 100644
--- a/safe_finger.c
+++ b/safe_finger.c
@@ -69,9 +69,11 @@ char **argv;
if (getuid() == 0 || geteuid() == 0) {
if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
setgid(pwd->pw_gid);
+ initgroups(UNPRIV_NAME, pwd->pw_gid);
setuid(pwd->pw_uid);
} else {
setgid(UNPRIV_UGID);
+ setgroups(0, NULL);
setuid(UNPRIV_UGID);
}
}
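Review bot: the return values of setgid(), initgroups(), setgroups() and setuid() are all ignored in this block. If any of them fails, finger still runs with root's uid or groups, which is what this wrapper exists to prevent. Check each call and exit on failure.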

View File

@ -1,30 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: man_fromhost
---
hosts_access.3 | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hosts_access.3 b/hosts_access.3
index b240d7e..f16c446 100644
--- a/hosts_access.3
+++ b/hosts_access.3
@@ -14,6 +14,9 @@ struct request_info *request;
struct request_info *request_set(request, key, value, ..., 0)
struct request_info *request;
+void fromhost(request)
+struct request_info *request;
+
int hosts_access(request)
struct request_info *request;
@@ -60,6 +63,7 @@ hosts_access() consults the access control tables described in the
is available, host names and client user names are looked up on demand,
using the request structure as a cache. hosts_access() returns zero if
access should be denied.
+fromhost() must be called before hosts_access().
.PP
hosts_ctl() is a wrapper around the request_init() and hosts_access()
routines with a perhaps more convenient interface (though it does not

View File

@ -1,75 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: match_port
---
hosts_access.5 | 2 +-
hosts_access.c | 34 ++++++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/hosts_access.5 b/hosts_access.5
index bd8903a..044d0e0 100644
--- a/hosts_access.5
+++ b/hosts_access.5
@@ -51,7 +51,7 @@ being optional:
daemon_list : client_list [ : shell_command ]
.PP
\fIdaemon_list\fR is a list of one or more daemon process names
-(argv[0] values) or wildcards (see below).
+(argv[0] values) or server port numbers or wildcards (see below).
.PP
\fIclient_list\fR is a list
of one or more host names, host addresses, patterns or wildcards (see
diff --git a/hosts_access.c b/hosts_access.c
index a2c6abf..7ef0554 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -231,6 +231,36 @@ int (*match_fn) ();
return (NO);
}
+/*
+ * daemon_or_port_match - match server information: if the server endpoint
+ * pattern is a port number, match against port number of connection;
+ * otherwise match against daemon executable name
+ */
+
+static int daemon_or_port_match(char *tok, struct request_info *request) {
+ unsigned int port, sin_port;
+ char junk;
+
+ /* daemon name */
+ if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535)
+ return (string_match(tok, eval_daemon(request)));
+
+ /* port number */
+ if (!request->server->sin)
+ return (NO);
+
+#ifdef INET6
+ sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port);
+#else
+ sin_port = ntohs(request->server->sin->sin_port);
+#endif
+
+ if (port == sin_port)
+ return (YES);
+ else
+ return (NO);
+}
+
/* server_match - match server information */
static int server_match(tok, request)
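Review bot: in the INET6 branch of daemon_or_port_match, request->server->sin is cast to struct sockaddr_in * without checking the address family. For an AF_INET6 socket the port is then read through the wrong structure type and is only correct if sin_port and sin6_port share an offset. Switch on sa_family and read sin6_port from a struct sockaddr_in6 for IPv6. Also, sscanf with %u accepts leading whitespace and a sign, so a token such as +80 is treated as a port; a digits-only check before the conversion would make the daemon-name versus port decision explicit.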
@@ -240,9 +270,9 @@ struct request_info *request;
char *host;
if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */
- return (string_match(tok, eval_daemon(request)));
+ return (daemon_or_port_match(tok, request));
} else { /* daemon@host */
- return (string_match(tok, eval_daemon(request))
+ return (daemon_or_port_match(tok, request)
&& host_match(host, request->server));
}
}

View File

@ -1,85 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: more_man_pages
---
safe_finger.8 | 34 ++++++++++++++++++++++++++++++++++
try-from.8 | 28 ++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100644 safe_finger.8
create mode 100644 try-from.8
diff --git a/safe_finger.8 b/safe_finger.8
new file mode 100644
index 0000000..875616b
--- /dev/null
+++ b/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
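Review bot: the .TH date reads 21th June 1997, which should be 21st; the same string is used in try-from.8. In the DESCRIPTION, thrash anywhere on a line looks like a typo for trash.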
diff --git a/try-from.8 b/try-from.8
new file mode 100644
index 0000000..9c62f66
--- /dev/null
+++ b/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try\-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /usr/sbin/try\-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+

View File

@ -1,47 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: musl_support
---
Makefile | 6 ++++++
tcpd.h | 10 ++++++++++
2 files changed, 16 insertions(+)
diff --git a/Makefile b/Makefile
index fe97fe3..34f1400 100644
--- a/Makefile
+++ b/Makefile
@@ -154,6 +154,12 @@ linux:
NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+musl:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ NETGROUP= TLI= VSYSLOG= BUGS= \
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+
gnu:
@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
diff --git a/tcpd.h b/tcpd.h
index f425f24..b6690d9 100644
--- a/tcpd.h
+++ b/tcpd.h
@@ -11,6 +11,16 @@
#include <netinet/in.h>
#include <stdio.h>
+#ifndef __BEGIN_DECLS
+#ifdef __cplusplus
+#define __BEGIN_DECLS extern "C" {
+#define __END_DECLS }
+#else
+#define __BEGIN_DECLS
+#define __END_DECLS
+#endif
+#endif
+
__BEGIN_DECLS
/* Structure to describe one communications endpoint. */

View File

@ -1,46 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: restore_sigalarm
---
rfc931.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/rfc931.c b/rfc931.c
index bca1ce9..bfdfe6e 100644
--- a/rfc931.c
+++ b/rfc931.c
@@ -92,6 +92,8 @@ char *dest;
char *cp;
char *result = unknown;
FILE *fp;
+ unsigned saved_timeout;
+ struct sigaction nact, oact;
#ifdef INET6
/* address family must be the same */
@@ -134,7 +136,12 @@ char *dest;
*/
if (setjmp(timebuf) == 0) {
- signal(SIGALRM, timeout);
+ /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+ saved_timeout = alarm(0);
+ nact.sa_handler = timeout;
+ nact.sa_flags = 0;
+ (void) sigemptyset(&nact.sa_mask);
+ (void) sigaction(SIGALRM, &nact, &oact);
alarm(rfc931_timeout);
/*
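Review bot: saved_timeout and oact are automatic variables written inside the setjmp() block and read after it. If the alarm fires and timeout() jumps back, the C standard leaves non-volatile locals modified after setjmp() with indeterminate values, so the restore code may re-arm a garbage timer or install a garbage handler. Do the alarm(0) and sigaction() save before the setjmp() call, or make the saved state volatile.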
@@ -223,6 +230,10 @@ char *dest;
}
alarm(0);
}
+ /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+ (void) sigaction(SIGALRM, &oact, NULL);
+ if (saved_timeout > 0)
+ alarm(saved_timeout);
fclose(fp);
}
STRN_CPY(dest, result, STRING_LENGTH);
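Review bot: alarm(saved_timeout) re-arms the caller's timer with the full value it had on entry, without subtracting the time spent in the lookup, which can be up to rfc931_timeout seconds. The caller's alarm therefore fires late. Record the time at entry and re-arm with the remainder, firing immediately if it has already expired. The (void) cast on sigaction() also hides a failed restore.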

View File

@ -1,50 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: rfc931
---
scaffold.c | 13 ++++++++++---
tcpd.h | 4 ++++
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/scaffold.c b/scaffold.c
index 9330588..6098274 100644
--- a/scaffold.c
+++ b/scaffold.c
@@ -238,10 +238,17 @@ struct request_info *request;
/* ARGSUSED */
-void rfc931(request)
-struct request_info *request;
+void rfc931(rmt_sin, our_sin, dest)
+#ifdef INET6
+struct sockaddr *rmt_sin;
+struct sockaddr *our_sin;
+#else
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+#endif
+char *dest;
{
- strcpy(request->user, unknown);
+ strcpy(dest, unknown);
}
/* check_path - examine accessibility */
diff --git a/tcpd.h b/tcpd.h
index 1277cea..7807662 100644
--- a/tcpd.h
+++ b/tcpd.h
@@ -93,7 +93,11 @@ extern int hosts_access(struct request_info *request); /* access control */
extern void shell_cmd(char *); /* execute shell command */
extern char *percent_x(char *, int, char *, struct request_info *);
/* do %<char> expansion */
+#ifdef INET6
extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
+#else
+extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *);
+#endif
/* client name from RFC 931 daemon */
extern void clean_exit(struct request_info *); /* clean up and exit */
extern void refuse(struct request_info *); /* clean up and exit */

View File

@ -1,39 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: safe_finger
---
safe_finger.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/safe_finger.c b/safe_finger.c
index 7b8f3cd..0567ac0 100644
--- a/safe_finger.c
+++ b/safe_finger.c
@@ -26,21 +26,24 @@ static char sccsid[] = "@(#) safe_finger.c 1.4 94/12/28 17:42:41";
#include <stdio.h>
#include <ctype.h>
#include <pwd.h>
+#include <syslog.h>
extern void exit();
/* Local stuff */
-char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
+char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
#define TIME_LIMIT 60 /* Do not keep listinging forever */
#define INPUT_LENGTH 100000 /* Do not keep listinging forever */
#define LINE_LENGTH 128 /* Editors can choke on long lines */
#define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
#define UNPRIV_NAME "nobody" /* Preferred privilege level */
-#define UNPRIV_UGID 32767 /* Default uid and gid */
+#define UNPRIV_UGID 65534 /* Default uid and gid */
int finger_pid;
+int allow_severity = SEVERITY;
+int deny_severity = LOG_WARNING;
void cleanup(sig)
int sig;

33
debian/patches/series vendored
View File

@ -1,33 +0,0 @@
00_man_quoting.diff
00_man_typos
01_man_portability
05_wildcard_matching
06_fix_gethostbyname
10_usagi-ipv6
11_tcpd_blacklist
11_usagi_fix
12_makefile_config
13_shlib_weaksym
14_cidr_support
15_match_clarify
musl_support
aclexec
expand_remote_port
catch-sigchld
fix_warnings
have_strerror
man_fromhost
more_man_pages
match_port
restore_sigalarm
rfc931.diff
safe_finger
sig_fix
siglongjmp
size_t
tcpdchk_libwrapped
fix_static
fix_parsing_long_lines
initgroups
ignore_missing_inetdconf
fix_warnings2

View File

@ -1,52 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: sig_fix
* Fri May 6 2005 Thomas Woerner <twoerner@redhat.com> 7.6-39
- fixed sig patch (#141110). Thanks to Nikita Shulga for the patch
* Mon Feb 10 2003 Harald Hoyer <harald@redhat.de> 7.6-29
- added security patch tcp_wrappers-7.6-sig.patch
---
hosts_access.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hosts_access.c b/hosts_access.c
index 7ef0554..761e644 100644
--- a/hosts_access.c
+++ b/hosts_access.c
@@ -66,6 +66,7 @@ static char sep[] = ", \t\r\n";
#define YES 1
#define NO 0
+#define ERR -1
/*
* These variables are globally visible so that they can be redirected in
@@ -131,11 +132,11 @@ struct request_info *request;
verdict = setjmp(tcpd_buf);
if (verdict != 0)
return (verdict == AC_PERMIT);
- if (table_match(hosts_allow_table, request))
+ if (table_match(hosts_allow_table, request) == YES)
return (YES);
- if (table_match(hosts_deny_table, request))
- return (NO);
- return (YES);
+ if (table_match(hosts_deny_table, request) == NO)
+ return (YES);
+ return (NO);
}
/* table_match - match table entries with (daemon, client) pair */
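Review bot: the three-way result is handled only implicitly in this sequence and needs a comment. The deny table is now tested with == NO, so an ERR from hosts_deny_table falls through to return (NO), while an ERR from hosts_allow_table is treated like no match and continues to the deny table. State in a comment that an unreadable deny table denies access and that an unreadable allow table is ignored, and confirm the latter is intended.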
@@ -179,8 +180,9 @@ struct request_info *request;
(void) fclose(fp);
} else if (errno != ENOENT) {
tcpd_warn("cannot open %s: %m", table);
+ match = ERR;
}
- if (match) {
+ if (match == YES) {
if (hosts_access_verbose > 1)
syslog(LOG_DEBUG, "matched: %s line %d",
tcpd_context.file, tcpd_context.line);

View File

@ -1,39 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: siglongjmp
---
rfc931.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rfc931.c b/rfc931.c
index bfdfe6e..ef22f2d 100644
--- a/rfc931.c
+++ b/rfc931.c
@@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1.10 95/01/02 16:11:34";
int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
-static jmp_buf timebuf;
+static sigjmp_buf timebuf;
/* fsocket - open stdio stream on top of socket */
@@ -62,7 +62,7 @@ int protocol;
static void timeout(sig)
int sig;
{
- longjmp(timebuf, sig);
+ siglongjmp(timebuf, sig);
}
/* rfc931 - return remote user name, given socket structures */
@@ -135,7 +135,7 @@ char *dest;
* Set up a timer so we won't get stuck while waiting for the server.
*/
- if (setjmp(timebuf) == 0) {
+ if (sigsetjmp(timebuf, 1) == 0) {
/* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
saved_timeout = alarm(0);
nact.sa_handler = timeout;

54
debian/patches/size_t vendored
View File

@ -1,54 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: size_t
---
fix_options.c | 5 +++++
socket.c | 8 ++++++++
2 files changed, 13 insertions(+)
diff --git a/fix_options.c b/fix_options.c
index 2eb206a..a0c5dec 100644
--- a/fix_options.c
+++ b/fix_options.c
@@ -38,7 +38,12 @@ struct request_info *request;
#ifdef IP_OPTIONS
unsigned char optbuf[BUFFER_SIZE / 3], *cp;
char lbuf[BUFFER_SIZE], *lp;
+#ifdef __GLIBC__
+ socklen_t optsize = sizeof(optbuf);
+ int ipproto;
+#else
int optsize = sizeof(optbuf), ipproto;
+#endif
struct protoent *ip;
int fd = request->fd;
unsigned int opt;
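Review bot: socklen_t is selected with #ifdef __GLIBC__, which tests for one C library rather than for the type. A non-glibc build, such as the musl target added in musl_support, takes the #else branch and declares optsize as int. Use socklen_t unconditionally, or key the fallback on a dedicated macro for platforms that lack the type. The same applies to the two socket.c hunks.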
diff --git a/socket.c b/socket.c
index 4b2c575..a0d2987 100644
--- a/socket.c
+++ b/socket.c
@@ -95,7 +95,11 @@ struct request_info *request;
static struct sockaddr_in client;
static struct sockaddr_in server;
#endif
+#ifdef __GLIBC__
+ socklen_t len;
+#else
int len;
+#endif
char buf[BUFSIZ];
int fd = request->fd;
@@ -426,7 +430,11 @@ int fd;
#else
struct sockaddr_in sin;
#endif
+#ifdef __GLIBC__
+ socklen_t size = sizeof(sin);
+#else
int size = sizeof(sin);
+#endif
/*
* Eat up the not-yet received datagram. Some systems insist on a

View File

@ -1,48 +0,0 @@
From: Marco d'Itri <md@linux.it>
Date: Sat, 14 May 2022 02:57:49 +0800
Subject: tcpdchk_libwrapped
---
tcpdchk.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/tcpdchk.c b/tcpdchk.c
index 416c08d..4931e99 100644
--- a/tcpdchk.c
+++ b/tcpdchk.c
@@ -53,6 +53,24 @@ extern char *optarg;
#include "inetcf.h"
#include "scaffold.h"
+/* list of programs which are known to be linked with libwrap in debian */
+static const char *const libwrap_programs[] = {
+ "portmap", "mountd", "statd", "ugidd",
+ "redir", "rlinetd",
+ "sshd",
+ "atftpd",
+ "diald",
+ "esound",
+ "gdm", "gnome-session",
+ "icecast", "icecast_admin", "icecast_client", "icecast_source",
+ "mysqld",
+ "ntop",
+ "pptpd",
+ "rquotad",
+ "sendmail", "smail",
+ NULL
+};
+
/*
* Stolen from hosts_access.c...
*/
@@ -147,8 +165,8 @@ char **argv;
/*
* These are not run from inetd but may have built-in access control.
*/
- inet_set("portmap", WR_NOT);
- inet_set("rpcbind", WR_NOT);
+ for (c = 0; libwrap_programs[c]; c++)
+ inet_set(libwrap_programs[c], WR_YES);
/*
* Check accessibility of access control files.
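Review bot: the replacement loop changes more than the list of names. rpcbind was registered before and is absent from libwrap_programs, and the flag changes from WR_NOT to WR_YES while the comment above still says these programs are not run from inetd. Either keep rpcbind in the table and update the comment, or explain the flag change in the patch description.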

View File

@ -1 +1 @@
3.0 (quilt)
3.0 (native)