Various fixes for inetd's TCP Wrappers support:

1) Handle forking and non-forking internal services correctly. Turn on wrapping for internal services because it works now. 2) Preserve server names for each service on HUP. 3) Honour hosts_options(5) severity option. 4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers usage and limitations. This change may cause previously allowed builtin services (e.g. daytime) to be denied in existing configurations. PR: 12097 Reviewed by: markm 1) Reported by: Pierre Beyssac <pb@fasterix.freenix.org> 2) Submitted by: Masachika ISHIZUKA <ishizuka@ish.org> 3) Submitted by: David Malone <dwmalone@maths.tcd.ie>
svn path=/head/; revision=47972
1999-06-17 09:16:08 +00:00 · 1999-06-17 09:16:08 +00:00 · 1181cf3c52 · 2020-12-20 02:59:44 +00:00
commit 1181cf3c52
parent a6bd23ccf6
3 changed files with 26 additions and 24 deletions
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@ -1,11 +1,11 @@
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
-#	$Id: Makefile,v 1.7 1999/04/11 09:22:17 markm Exp $
+#	$Id: Makefile,v 1.8 1999/05/07 06:48:01 markm Exp $

 PROG=	inetd
 MAN8=	inetd.8
 MLINKS=	inetd.8 inetd.conf.5

-COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP
+COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
 #COPTS+=	-DSANITY_CHECK

 DPADD+=	${LIBUTIL} ${LIBWRAP}
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     from: @(#)inetd.8	8.3 (Berkeley) 4/13/94
-.\"	$Id: inetd.8,v 1.22.2.1 1999/05/01 22:01:52 obrien Exp $
+.\"	$Id: inetd.8,v 1.25 1999/05/01 22:03:00 obrien Exp $
 .\"
 .Dd February 7, 1996
 .Dt INETD 8
@ -382,14 +382,15 @@ Except when started in debugging mode,
 records its process ID in the file
 .Pa /var/run/inetd.pid
 to assist in reconfiguration.
+.Sh IMPLEMENTATION NOTES
 .Pp
 Support is provided for TCP Wrappers; see the relevant documentation (
 .Xr hosts_access 5
 ).
 The 
 .Pa tcpd
-daemon is not required, as that functionality is builtin. This also allows
-the ``internal'' services to be wrapped.
+daemon is not required, as that functionality is builtin.
+Only stream-based services, including ``internal'' services, may be wrapped.
 .Sh TCPMUX
 .Pp
 .Tn RFC 1078 
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)from: inetd.c	8.4 (Berkeley) 4/13/94";
 #endif
 static const char rcsid[] =
-	"$Id: inetd.c,v 1.48 1999/04/11 09:22:17 markm Exp $";
+	"$Id: inetd.c,v 1.49 1999/05/11 12:50:14 des Exp $";
 #endif /* not lint */

 /*
@ -146,8 +146,8 @@ static const char rcsid[] =
 #ifndef LIBWRAP_DENY_SEVERITY
 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
 #endif
-int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
-int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+int allow_severity;
+int deny_severity;
 #endif

 #ifdef LOGIN_CAP
@ -344,8 +344,6 @@ main(argc, argv, envp)
 	int tmpint, ch, dofork;
 	pid_t pid;
 	char buf[50];
-	struct  sockaddr_in peer;
-	int i;
 #ifdef LOGIN_CAP
 	login_cap_t *lc = NULL;
 #endif
@ -353,6 +351,9 @@ main(argc, argv, envp)
 	struct request_info req;
 	int denied;
 	char *service = NULL;
+#else
+	struct  sockaddr_in peer;
+	int i;
 #endif


@ -538,6 +539,7 @@ main(argc, argv, envp)
 				close(ctrl);
 				continue;
 			    }
+#ifndef LIBWRAP
 			    if (log) {
 				i = sizeof peer;
 				if (getpeername(ctrl, (struct sockaddr *)
@ -552,11 +554,16 @@ main(argc, argv, envp)
 					sep->se_service,
 					inet_ntoa(peer.sin_addr));
 			    }
+#endif
 		    } else
 			    ctrl = sep->se_fd;
 		    (void) sigblock(SIGBLOCK);
 		    pid = 0;
 #ifdef LIBWRAP_INTERNAL
+		    /*
+		     * When builtins are wrapped, avoid a minor optimization
+		     * that breaks hosts_options(5) twist.
+		     */
 		    dofork = 1;
 #else
 		    dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
@ -624,21 +631,13 @@ main(argc, argv, envp)
 #endif
 			    if (sep->se_accept
 				&& sep->se_socktype == SOCK_STREAM) {
-				request_init(&req,
-				    RQ_DAEMON, sep->se_server_name ?
-					sep->se_server_name : sep->se_service,
-					RQ_FILE, ctrl, NULL);
+				service = sep->se_server_name ?
+				    sep->se_server_name : sep->se_service;
+				request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
 				fromhost(&req);
+				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
 				denied = !hosts_access(&req);
-				if (denied || log) {
-				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
-				    if (sp == NULL) {
-					(void)snprintf(buf, sizeof buf, "%d",
-					   ntohs(sep->se_ctrladdr.sin_port));
-					service = buf;
-				    } else
-					service = sp->s_name;
-				}
 				if (denied) {
 				    syslog(deny_severity,
 				        "refused connection from %.500s, service %s (%s)",
@ -746,8 +745,9 @@ main(argc, argv, envp)
 #endif
 				if (sep->se_socktype != SOCK_STREAM)
 					recv(0, buf, sizeof (buf), 0);
-				_exit(EX_OSERR);
 			    }
+			    if (dofork)
+				_exit(0);
 		    }
 		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
 			    close(ctrl);
@ -911,6 +911,7 @@ void config()
 			SWAP(sep->se_class, new->se_class);
 #endif
 			SWAP(sep->se_server, new->se_server);
+			SWAP(sep->se_server_name, new->se_server_name);
 			for (i = 0; i < MAXARGV; i++)
 				SWAP(sep->se_argv[i], new->se_argv[i]);
 			sigsetmask(omask);