1 diff -urN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
2 --- tcp_wrappers_7.6.orig/Makefile Mon Dec 13 13:58:15 1999
3 +++ tcp_wrappers_7.6/Makefile Mon Dec 13 14:07:48 1999
7 #REAL_DAEMON_DIR=/etc/...
8 +REAL_DAEMON_DIR=/usr/sbin
10 # End of mandatory section
11 ##########################
15 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
16 - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP= TLI= \
17 - EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
18 + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
19 + EXTRA_CFLAGS="$(RPM_OPT_FLAGS) -DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
22 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
26 ###############################################################
29 +###############################################################
30 # System dependencies: TLI (transport-level interface) support.
32 # Uncomment the following macro if your system has System V.4-style TLI
34 # Uncomment the next definition to turn on the language extensions
35 # (examples: allow, deny, banners, twist and spawn).
37 -#STYLE = -DPROCESS_OPTIONS # Enable language extensions.
38 +STYLE = -DPROCESS_OPTIONS # Enable language extensions.
40 ################################################################
41 # Optional: Changing the default disposition of logfile records
44 # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
46 -FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
47 +FACILITY= LOG_AUTHPRIV
49 # The syslog priority at which successful connections are logged.
52 # and with Solaris < 2.4. APPEND_DOT will not work with hostnames taken
53 # from /etc/hosts or from NIS maps. It does work with DNS through NIS.
58 ##################################################
59 # Optional: Always attempt remote username lookups
61 # still do selective username lookups as documented in the hosts_access.5
62 # and hosts_options.5 manual pages (`nroff -man' format).
64 -#AUTH = -DALWAYS_RFC931
65 +AUTH = -DALWAYS_RFC931
67 # The default username lookup timeout is 10 seconds. This may not be long
68 # enough for slow hosts or networks, but is enough to irritate PC users.
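Review bot: Enabling `AUTH = -DALWAYS_RFC931` makes the wrapper attempt a remote username lookup on every connection, and the new line carries no comment saying why the package wants that. The reply comes from the client host's own ident service, so it is only as trustworthy as that host. Each lookup can also hold the connection for up to the timeout, which the context line below gives as 10 seconds by default. I would add a comment above the assignment such as `# ALWAYS_RFC931: ident replies are client-supplied; treat them as a logging hint, not as authentication`, or leave AUTH unset and rely on selective lookups from the access tables.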
70 # look for access control information. Watch out for the quotes and
71 # backslashes when you make changes.
73 -TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
74 +TABLES = -DHOSTS_DENY=\"/etc/tcpd/hosts.deny\" -DHOSTS_ALLOW=\"/etc/tcpd/hosts.allow\"
76 ####################################################
77 # Optional: dealing with host name/address conflicts
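Review bot: Pointing `HOSTS_ALLOW` and `HOSTS_DENY` at `/etc/tcpd/` means rules kept in the conventional `/etc/hosts.allow` and `/etc/hosts.deny` are no longer read by this build. The wrapper treats a missing table as empty, so access is granted rather than refused. Nothing visible on this page updates the manual pages or README to name the new location; the README hunks only change daemon paths. I would add a comment above the line, e.g. `# Non-standard table location: /etc/hosts.allow and /etc/hosts.deny are NOT consulted by this build`, and make sure the package ships `/etc/tcpd/hosts.deny` so a fresh install does not start with an empty policy.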
79 # Paranoid mode implies hostname lookup. In order to disable hostname
80 # lookups altogether, see the next section.
83 +PARANOID= #-DPARANOID
85 ########################################
86 # Optional: turning off hostname lookups
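Review bot: Commenting out `-DPARANOID` here, together with `-DALWAYS_HOSTNAME` in the next hunk, changes the build's default from refusing clients whose host name and address disagree to letting them through to the access tables, and neither new line says so. With this build a site has to use the `PARANOID` wildcard in its deny table to get the old behaviour back. I would record that above the assignment, e.g. `# Built without -DPARANOID: name/address mismatches are not dropped up front; deny them with the PARANOID wildcard`. Part of this hunk is missing from the page, so the removed line is inferred.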
88 # In order to perform selective hostname lookups, disable paranoid
89 # mode (see previous section) and comment out the following definition.
91 -HOSTNAME= -DALWAYS_HOSTNAME
92 +HOSTNAME= #-DALWAYS_HOSTNAME
94 #############################################
95 # Optional: Turning on host ADDRESS checking
97 # Protection against weird shells or weird make programs.
100 -.c.o:; $(CC) $(CFLAGS) -c $*.c
101 +.c.o:; $(LIBTOOL) $(CC) $(CFLAGS) -c $*.c
103 +%.lo:; $(LIBTOOL) $(CC) $(CFLAGS) -c $*.c
105 CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
106 $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
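Review bot: The added rule `%.lo:; $(LIBTOOL) $(CC) $(CFLAGS) -c $*.c` has no prerequisite, so once a `.lo` file exists make treats it as up to date and will not recompile it when the `.c` source changes. A stale object in the wrapper library is easy to ship unnoticed after a source fix. Declaring the source closes the gap: `%.lo: %.c; $(LIBTOOL) $(CC) $(CFLAGS) -c $<`.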
107 @@ -679,12 +685,12 @@
108 $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
109 $(VSYSLOG) $(HOSTNAME)
111 -LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
112 - hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
113 - $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
114 - update.o misc.o diag.o percent_m.o myvsyslog.o
115 +LIB_OBJ= hosts_access.lo options.lo shell_cmd.lo rfc931.lo eval.lo \
116 + hosts_ctl.lo refuse.lo percent_x.lo clean_exit.lo $(AUX_OBJ) \
117 + $(FROM_OBJ) fix_options.lo socket.lo tli.lo workarounds.lo \
118 + update.lo misc.lo diag.lo percent_m.lo myvsyslog.lo
120 -FROM_OBJ= fromhost.o
121 +FROM_OBJ= fromhost.lo
123 KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
124 tcpd.h tcpdmatch.c Makefile hosts_access.5 strcasecmp.c BLURB rfc931.c \
126 refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
127 scaffold.h tcpdmatch.8 README.NIS
132 all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
134 @@ -713,30 +719,29 @@
138 - $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
140 + $(LIBTOOL) $(CC) -O -o $(LIB) $(LIB_OBJ) -rpath /usr/lib
143 - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
144 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
146 miscd: miscd.o $(LIB)
147 - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
148 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
150 safe_finger: safe_finger.o $(LIB)
151 - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
152 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
154 TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
156 tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
157 - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
158 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
160 try-from: try-from.o fakelog.o $(LIB)
161 - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
162 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
164 TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
166 tcpdchk: $(TCPDCHK_OBJ) $(LIB)
167 - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
168 + $(LIBTOOL) $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
178 + -install -d $(PREFIX)/{sbin,include}
179 + $(LIBTOOL) install -c $(LIB) $(PREFIX)/lib/$(LIB)
180 + for PROG in safe_finger tcpdchk try-from tcpd tcpdmatch ; do \
181 + $(LIBTOOL) install -c $$PROG $(PREFIX)/sbin/$$PROG ; done
182 + install tcpd.h $(PREFIX)/include/
184 # Enable all bells and whistles for linting.
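Review bot: `-install -d $(PREFIX)/{sbin,include}` relies on brace expansion, which the `/bin/sh` that make uses by default need not support, and the leading `-` hides the failure if it goes wrong. `$(PREFIX)/lib` is also never created although the next line installs the library into it. I would list the directories and drop the `-`: `install -d $(PREFIX)/sbin $(PREFIX)/include $(PREFIX)/lib`. The `for` loop reports only the last `install`'s status, so adding `|| exit 1` after the command in the loop would stop at the first failed copy. The target line of this recipe is not visible on this page.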
186 diff -urN tcp_wrappers_7.6.orig/README tcp_wrappers_7.6/README
187 --- tcp_wrappers_7.6.orig/README Mon Dec 13 13:58:15 1999
188 +++ tcp_wrappers_7.6/README Mon Dec 13 14:09:31 1999
190 2) The advanced way: leave the network daemons alone and modify the
191 inetd configuration file. For example, an entry such as:
193 - tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
194 + tftp dgram udp wait root /usr/sbin/tcpd in.tftpd -s /tftpboot
196 When a tftp request arrives, inetd will run the wrapper program
197 (tcpd) with a process name `in.tftpd'. This is the name that the
198 @@ -821,12 +821,12 @@
199 Then perform the following edits on the inetd configuration file
200 (usually /etc/inetd.conf or /etc/inet/inetd.conf):
202 - finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
203 - ^^^^^^^^^^^^^^^^^^^
204 + finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
205 + ^^^^^^^^^^^^^^^^^^^^
208 - finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd
210 + finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
212 Send a `kill -HUP' to the inetd process to make the change effective.
213 Some IRIX inetd implementations require that you first disable the
214 finger service (comment out the finger service and `kill -HUP' the
216 Instead you can specify, in the inetd configuration file, an absolute
217 path name for the daemon process name. For example,
219 - ntalk dgram udp wait root /usr/etc/tcpd /usr/local/lib/ntalkd
220 + ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd
222 When the daemon process name is an absolute path name, tcpd ignores the
223 value of the REAL_DAEMON_DIR constant, and uses the last path component
225 you can look up the name from the inetd configuration file. Coming back
226 to the tftp example in the tutorial section above:
228 - tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
229 + tftp dgram udp wait root /usr/sbin/tcpd in.tftpd -s /tftpboot
231 This entry causes the inetd to run the wrapper program (tcpd) with a
232 process name `in.tftpd'. This is the name that the wrapper will use
234 listener, but it should be registered in the inetd configuration file.
237 - smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs
238 + smtp stream tcp nowait root /usr/sbin/tcpd /usr/lib/sendmail -bs
240 You will still need to run one sendmail background process to handle
241 queued-up outgoing mail. A command like:
242 diff -urN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
243 --- tcp_wrappers_7.6.orig/fix_options.c Mon Dec 13 13:58:15 1999
244 +++ tcp_wrappers_7.6/fix_options.c Mon Dec 13 14:09:18 1999
247 unsigned char optbuf[BUFFER_SIZE / 3], *cp;
248 char lbuf[BUFFER_SIZE], *lp;
249 +#if !defined(__GLIBC__)
250 int optsize = sizeof(optbuf), ipproto;
252 + size_t optsize = sizeof(optbuf);
256 int fd = request->fd;
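Review bot: The glibc branch declares `size_t optsize`, but the length argument of getsockopt() is a `socklen_t *`. On a 64-bit target `size_t` is wider than `socklen_t`, so the call updates only part of the variable, and on a big-endian machine the length read back would be wrong. That length presumably bounds the walk over the IP options in `optbuf`; the call and the loop lie outside the visible lines, so this is inferred from the declaration. I would use the matching type rather than switching on `__GLIBC__`: `socklen_t optsize = sizeof(optbuf);`.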
258 diff -urN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
259 --- tcp_wrappers_7.6.orig/rfc931.c Mon Dec 13 13:58:15 1999
260 +++ tcp_wrappers_7.6/rfc931.c Mon Dec 13 14:09:18 1999
263 int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
265 -static jmp_buf timebuf;
266 +static sigjmp_buf timebuf;
268 /* fsocket - open stdio stream on top of socket */
271 static void timeout(sig)
274 - longjmp(timebuf, sig);
275 + siglongjmp(timebuf, sig);
278 /* rfc931 - return remote user name, given socket structures */
280 * Set up a timer so we won't get stuck while waiting for the server.
283 - if (setjmp(timebuf) == 0) {
284 + if (sigsetjmp(timebuf,1) == 0) {
285 signal(SIGALRM, timeout);
286 alarm(rfc931_timeout);
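Review bot: The `1` in `sigsetjmp(timebuf,1)` is what makes this change work, and it deserves a comment so that nobody later simplifies it back to plain setjmp. I would add above the call: `/* savemask=1: siglongjmp() out of the SIGALRM handler restores the signal mask, so SIGALRM is not left blocked and later lookups can still time out */`. The body of rfc931() continues outside this hunk, so whether the alarm is cancelled afterwards is not visible here.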
288 diff -urN tcp_wrappers_7.6.orig/safe_finger.c tcp_wrappers_7.6/safe_finger.c
289 --- tcp_wrappers_7.6.orig/safe_finger.c Mon Dec 13 13:58:15 1999
290 +++ tcp_wrappers_7.6/safe_finger.c Mon Dec 13 14:15:09 1999
295 -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
296 +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
298 #define TIME_LIMIT 60 /* Do not keep listinging forever */
299 #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
300 #define LINE_LENGTH 128 /* Editors can choke on long lines */
301 #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
302 #define UNPRIV_NAME "nobody" /* Preferred privilege level */
303 -#define UNPRIV_UGID 32767 /* Default uid and gid */
304 +#define UNPRIV_UGID 99 /* Default uid and gid */
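Review bot: `UNPRIV_UGID 99` hard-codes a numeric fallback identity whose meaning differs between systems. On a host where uid or gid 99 belongs to some other account, finger would run with that account's rights whenever the `nobody` lookup fails. The fallback code is outside the visible lines, so its use is inferred from the `Default uid and gid` comment. I would at least document the assumption, `/* 99 = nobody on this distribution; used only if the UNPRIV_NAME lookup fails */`, and would prefer that the program refuse to run when the lookup fails.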
309 kill(finger_pid, SIGKILL);
313 +int allow_severity; /* for connection logging */
314 +int deny_severity; /* for connection logging */
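Review bot: `allow_severity` and `deny_severity` are defined without initialisers, so both start at 0, which as a syslog priority is `LOG_EMERG`. If any library code linked into safe_finger logs through them, the message would go out at emergency level. Wrapper clients conventionally give them explicit values, e.g. `int allow_severity = LOG_INFO;` and `int deny_severity = LOG_WARNING;`. That needs `<syslog.h>`, and whether this file already includes it is not visible here.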
318 diff -urN tcp_wrappers_7.6.orig/workarounds.c tcp_wrappers_7.6/workarounds.c
319 --- tcp_wrappers_7.6.orig/workarounds.c Mon Dec 13 13:58:15 1999
320 +++ tcp_wrappers_7.6/workarounds.c Mon Dec 13 14:09:18 1999
322 int fix_getpeername(sock, sa, len)
325 +#if !defined(__GLIBC__)