Add command-line option (-w), specified once to enable wrapping and

twice to enable wrapping for internal wrapping as well. If the option is not specified wrapping is turned off so that inetd will behave exactly as it used to before TCP Wrappers was imported. Change etc/defaults/rc.conf so as to encourage wrapping on new systems. Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the manual page. Approved by: jkh
svn path=/head/; revision=48279
1999-06-27 18:05:34 +00:00 · 1999-06-27 18:05:34 +00:00 · 54f5ebed00 · 2020-12-20 02:59:44 +00:00
commit 54f5ebed00
parent 6bef9f10bb
4 changed files with 47 additions and 39 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -9,7 +9,7 @@
 #
 # All arguments must be in double or single quotes.
 #
-#	$Id: rc.conf,v 1.9 1999/05/16 09:19:44 phk Exp $
+#	$Id: rc.conf,v 1.10 1999/06/05 05:45:57 phk Exp $

 ##############################################################
 ### Important initial Boot-time options  #####################
@ -56,7 +56,7 @@ sppp_interfaces=""		# List of sppp interfaces.
 syslogd_enable="YES"		# Run syslog daemon (or NO).
 syslogd_flags=""		# Flags to syslogd (if enabled).
 inetd_enable="YES"		# Run the network daemon dispatcher (or NO).
-inetd_flags=""			# Optional flags to inetd.
+inetd_flags="-w -w"		# Optional flags to inetd
 #
 # named.  It may be possible to run named in a sandbox, man security for
 # details.
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@ -1,11 +1,11 @@
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
-#	$Id: Makefile,v 1.8 1999/05/07 06:48:01 markm Exp $
+#	$Id: Makefile,v 1.9 1999/06/17 09:16:06 sheldonh Exp $

 PROG=	inetd
 MAN8=	inetd.8
 MLINKS=	inetd.8 inetd.conf.5

-COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
+COPTS+=	-Wall -DLOGIN_CAP
 #COPTS+=	-DSANITY_CHECK

 DPADD+=	${LIBUTIL} ${LIBWRAP}
--- a/usr.sbin/inetd/inetd.8
+++ b/usr.sbin/inetd/inetd.8
@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     from: @(#)inetd.8	8.3 (Berkeley) 4/13/94
-.\"	$Id: inetd.8,v 1.26 1999/06/17 09:16:07 sheldonh Exp $
+.\"	$Id: inetd.8,v 1.27 1999/06/21 11:43:13 sheldonh Exp $
 .\"
 .Dd February 7, 1996
 .Dt INETD 8
@ -43,6 +43,7 @@
 .Nm inetd
 .Op Fl d
 .Op Fl l
+.Op Fl w
 .Op Fl c Ar maximum
 .Op Fl C Ar rate
 .Op Fl a Ar address
@ -78,6 +79,11 @@ The following options are available:
 Turn on debugging.
 .It Fl l
 Turn on logging.
+.It Fl w
+Turn on TCP Wrapping. If this option is specified twice, internal
+services will also be wrapped. See the
+.Sx "IMPLEMENTATION NOTES"
+section for more information on TCP Wrappers support.
 .It Fl c Ar maximum
 Specify the default maximum number of services that can be invoked.
 May be overridden on a per-service basis with the "max-child"
@ -401,16 +407,26 @@ records its process ID in the file
 .Pa /var/run/inetd.pid
 to assist in reconfiguration.
 .Sh IMPLEMENTATION NOTES
+When given the
+.Fl w
+option,
+.Nm
+will wrap all services specified as
+.Dq stream tcp nowait
+except for 
+.Dq internal
+services. If the
+.Fl w
+option is given twice, such
+.Dq internal
+services will be wrapped as well.
 .Pp
-Support is provided for TCP Wrappers; see the relevant documentation (
-.Xr hosts_access 5
-).
-The 
+When wrapping is enabled, the
 .Pa tcpd
 daemon is not required, as that functionality is builtin.
-Only stream-based services, including
-.Dq internal
-services, may be wrapped.
+For more information on TCP Wrappers; see the relevant documentation (
+.Xr hosts_access 5
+).
 .Sh TCPMUX
 .Pp
 .Tn RFC 1078 
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)from: inetd.c	8.4 (Berkeley) 4/13/94";
 #endif
 static const char rcsid[] =
-	"$Id: inetd.c,v 1.50 1999/06/17 09:16:08 sheldonh Exp $";
+	"$Id: inetd.c,v 1.51 1999/06/21 11:17:34 sheldonh Exp $";
 #endif /* not lint */

 /*
@ -128,12 +128,11 @@ static const char rcsid[] =
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
+#include <tcpd.h>
 #include <unistd.h>
 #include <libutil.h>
 #include <sysexits.h>

-#ifdef LIBWRAP
-# include <tcpd.h>
 #ifndef LIBWRAP_ALLOW_FACILITY
 # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
 #endif
@ -146,9 +145,6 @@ static const char rcsid[] =
 #ifndef LIBWRAP_DENY_SEVERITY
 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
 #endif
-int allow_severity;
-int deny_severity;
-#endif

 #ifdef LOGIN_CAP
 #include <login_cap.h>
@ -178,6 +174,10 @@ int deny_severity;

 #define	SIGBLOCK	(sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM))

+int	allow_severity;
+int	deny_severity;
+int	wrap = 0;
+int	wrap_bi = 0;
 int	debug = 0;
 int	log = 0;
 int	nsock, maxsock;
@ -347,14 +347,11 @@ main(argc, argv, envp)
 #ifdef LOGIN_CAP
 	login_cap_t *lc = NULL;
 #endif
-#ifdef LIBWRAP
 	struct request_info req;
 	int denied;
 	char *service = NULL;
-#else
 	struct  sockaddr_in peer;
 	int i;
-#endif


 #ifdef OLD_SETPROCTITLE
@ -369,7 +366,7 @@ main(argc, argv, envp)
 	openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON);

 	bind_address.s_addr = htonl(INADDR_ANY);
-	while ((ch = getopt(argc, argv, "dlR:a:c:C:p:")) != -1)
+	while ((ch = getopt(argc, argv, "dlwR:a:c:C:p:")) != -1)
 		switch(ch) {
 		case 'd':
 			debug = 1;
@ -400,10 +397,14 @@ main(argc, argv, envp)
 		case 'p':
 			pid_file = optarg;
 			break;
+		case 'w':
+			if (wrap++)
+				wrap_bi++;
+			break;
 		case '?':
 		default:
 			syslog(LOG_ERR,
-				"usage: inetd [-dl] [-a address] [-R rate]"
+				"usage: inetd [-dlw] [-a address] [-R rate]"
 				" [-c maximum] [-C rate]"
 				" [-p pidfile] [conf-file]");
 			exit(EX_USAGE);
@ -539,8 +540,7 @@ main(argc, argv, envp)
 				close(ctrl);
 				continue;
 			    }
-#ifndef LIBWRAP
-			    if (log) {
+			    if (!wrap || log) {
 				i = sizeof peer;
 				if (getpeername(ctrl, (struct sockaddr *)
 						&peer, &i)) {
@ -554,20 +554,18 @@ main(argc, argv, envp)
 					sep->se_service,
 					inet_ntoa(peer.sin_addr));
 			    }
-#endif
 		    } else
 			    ctrl = sep->se_fd;
 		    (void) sigblock(SIGBLOCK);
 		    pid = 0;
-#ifdef LIBWRAP_INTERNAL
 		    /*
 		     * When builtins are wrapped, avoid a minor optimization
 		     * that breaks hosts_options(5) twist.
 		     */
-		    dofork = 1;
-#else
-		    dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
-#endif
+		    if (wrap_bi)
+			   dofork = 1;
+		    else
+			   dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
 		    if (dofork) {
 			    if (sep->se_count++ == 0)
 				(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
@ -625,11 +623,8 @@ main(argc, argv, envp)
 					    _exit(0);
 				    }
 			    }
-#ifdef LIBWRAP
-#ifndef LIBWRAP_INTERNAL
-			    if (sep->se_bi == 0)
-#endif
-			    if (sep->se_accept
+			    if ((wrap && (!sep->se_bi || wrap_bi))
+				&& sep->se_accept
 				&& sep->se_socktype == SOCK_STREAM) {
 				service = sep->se_server_name ?
 				    sep->se_server_name : sep->se_service;
@ -650,7 +645,6 @@ main(argc, argv, envp)
 					eval_client(&req), service, sep->se_proto);
 				}
 			    }
-#endif /* LIBWRAP */
 			    if (sep->se_bi) {
 				(*sep->se_bi->bi_fn)(ctrl, sep);
 				/* NOTREACHED */
@ -740,9 +734,7 @@ main(argc, argv, envp)
 				execv(sep->se_server, sep->se_argv);
 				syslog(LOG_ERR,
 				    "cannot execute %s: %m", sep->se_server);
-#ifdef LIBWRAP
 			    reject:
-#endif
 				if (sep->se_socktype != SOCK_STREAM)
 					recv(0, buf, sizeof (buf), 0);
 			    }