d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add command-line option (-w), specified once to enable wrapping and

Browse Source 
twice to enable wrapping for internal wrapping as well. If the option is
not specified wrapping is turned off so that inetd will behave exactly
as it used to before TCP Wrappers was imported.

Change etc/defaults/rc.conf so as to encourage wrapping on new systems.

Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
manual page.

Approved by:	jkh
This commit is contained in:
sheldonh 1999-06-27 18:05:34 +00:00
parent 7d8fa58ccd
commit 743f810e74
4 changed files with 47 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
etc/defaults/rc.conf
View File

@ -9,7 +9,7 @@
# #
# All arguments must be in double or single quotes. # All arguments must be in double or single quotes.
# #
# $Id: rc.conf,v 1.9 1999/05/16 09:19:44 phk Exp $ # $Id: rc.conf,v 1.10 1999/06/05 05:45:57 phk Exp $
############################################################## ##############################################################
### Important initial Boot-time options ##################### ### Important initial Boot-time options #####################
@ -56,7 +56,7 @@ sppp_interfaces="" # List of sppp interfaces.
syslogd_enable="YES" # Run syslog daemon (or NO). syslogd_enable="YES" # Run syslog daemon (or NO).
syslogd_flags="" # Flags to syslogd (if enabled). syslogd_flags="" # Flags to syslogd (if enabled).
inetd_enable="YES" # Run the network daemon dispatcher (or NO). inetd_enable="YES" # Run the network daemon dispatcher (or NO).
inetd_flags="" # Optional flags to inetd. inetd_flags="-w -w" # Optional flags to inetd
# #
# named. It may be possible to run named in a sandbox, man security for # named. It may be possible to run named in a sandbox, man security for
# details. # details.

4
usr.sbin/inetd/Makefile
View File

@ -1,11 +1,11 @@
# @(#)Makefile 8.1 (Berkeley) 6/6/93 # @(#)Makefile 8.1 (Berkeley) 6/6/93
# $Id: Makefile,v 1.8 1999/05/07 06:48:01 markm Exp $ # $Id: Makefile,v 1.9 1999/06/17 09:16:06 sheldonh Exp $
PROG= inetd PROG= inetd
MAN8= inetd.8 MAN8= inetd.8
MLINKS= inetd.8 inetd.conf.5 MLINKS= inetd.8 inetd.conf.5
COPTS+= -Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL COPTS+= -Wall -DLOGIN_CAP
#COPTS+= -DSANITY_CHECK #COPTS+= -DSANITY_CHECK
DPADD+= ${LIBUTIL} ${LIBWRAP} DPADD+= ${LIBUTIL} ${LIBWRAP}

32
usr.sbin/inetd/inetd.8
View File

@ -30,7 +30,7 @@
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94 .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94
.\" $Id: inetd.8,v 1.26 1999/06/17 09:16:07 sheldonh Exp $ .\" $Id: inetd.8,v 1.27 1999/06/21 11:43:13 sheldonh Exp $
.\" .\"
.Dd February 7, 1996 .Dd February 7, 1996
.Dt INETD 8 .Dt INETD 8
@ -43,6 +43,7 @@
.Nm inetd .Nm inetd
.Op Fl d .Op Fl d
.Op Fl l .Op Fl l
.Op Fl w
.Op Fl c Ar maximum .Op Fl c Ar maximum
.Op Fl C Ar rate .Op Fl C Ar rate
.Op Fl a Ar address .Op Fl a Ar address
@ -78,6 +79,11 @@ The following options are available:
Turn on debugging. Turn on debugging.
.It Fl l .It Fl l
Turn on logging. Turn on logging.
.It Fl w
Turn on TCP Wrapping. If this option is specified twice, internal
services will also be wrapped. See the
.Sx "IMPLEMENTATION NOTES"
section for more information on TCP Wrappers support.
.It Fl c Ar maximum .It Fl c Ar maximum
Specify the default maximum number of services that can be invoked. Specify the default maximum number of services that can be invoked.
May be overridden on a per-service basis with the "max-child" May be overridden on a per-service basis with the "max-child"
@ -401,16 +407,26 @@ records its process ID in the file
.Pa /var/run/inetd.pid .Pa /var/run/inetd.pid
to assist in reconfiguration. to assist in reconfiguration.
.Sh IMPLEMENTATION NOTES .Sh IMPLEMENTATION NOTES
When given the
.Fl w
option,
.Nm
will wrap all services specified as
.Dq stream tcp nowait
except for
.Dq internal
services. If the
.Fl w
option is given twice, such
.Dq internal
services will be wrapped as well.
.Pp .Pp
Support is provided for TCP Wrappers; see the relevant documentation ( When wrapping is enabled, the
.Xr hosts_access 5
).
The
.Pa tcpd .Pa tcpd
daemon is not required, as that functionality is builtin. daemon is not required, as that functionality is builtin.
Only stream-based services, including For more information on TCP Wrappers; see the relevant documentation (
.Dq internal .Xr hosts_access 5
services, may be wrapped. ).
.Sh TCPMUX .Sh TCPMUX
.Pp .Pp
.Tn RFC 1078 .Tn RFC 1078

46
usr.sbin/inetd/inetd.c
View File

@ -42,7 +42,7 @@ static const char copyright[] =
static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94"; static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
#endif #endif
static const char rcsid[] = static const char rcsid[] =
"$Id: inetd.c,v 1.50 1999/06/17 09:16:08 sheldonh Exp $"; "$Id: inetd.c,v 1.51 1999/06/21 11:17:34 sheldonh Exp $";
#endif /* not lint */ #endif /* not lint */
/* /*
@ -128,12 +128,11 @@ static const char rcsid[] =
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <syslog.h> #include <syslog.h>
#include <tcpd.h>
#include <unistd.h> #include <unistd.h>
#include <libutil.h> #include <libutil.h>
#include <sysexits.h> #include <sysexits.h>
#ifdef LIBWRAP
# include <tcpd.h>
#ifndef LIBWRAP_ALLOW_FACILITY #ifndef LIBWRAP_ALLOW_FACILITY
# define LIBWRAP_ALLOW_FACILITY LOG_AUTH # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
#endif #endif
@ -146,9 +145,6 @@ static const char rcsid[] =
#ifndef LIBWRAP_DENY_SEVERITY #ifndef LIBWRAP_DENY_SEVERITY
# define LIBWRAP_DENY_SEVERITY LOG_WARNING # define LIBWRAP_DENY_SEVERITY LOG_WARNING
#endif #endif
int allow_severity;
int deny_severity;
#endif
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
#include <login_cap.h> #include <login_cap.h>
@ -178,6 +174,10 @@ int deny_severity;
#define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM)) #define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM))
int allow_severity;
int deny_severity;
int wrap = 0;
int wrap_bi = 0;
int debug = 0; int debug = 0;
int log = 0; int log = 0;
int nsock, maxsock; int nsock, maxsock;
@ -347,14 +347,11 @@ main(argc, argv, envp)
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
login_cap_t *lc = NULL; login_cap_t *lc = NULL;
#endif #endif
#ifdef LIBWRAP
struct request_info req; struct request_info req;
int denied; int denied;
char *service = NULL; char *service = NULL;
#else
struct sockaddr_in peer; struct sockaddr_in peer;
int i; int i;
#endif
#ifdef OLD_SETPROCTITLE #ifdef OLD_SETPROCTITLE
@ -369,7 +366,7 @@ main(argc, argv, envp)
openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON); openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON);
bind_address.s_addr = htonl(INADDR_ANY); bind_address.s_addr = htonl(INADDR_ANY);
while ((ch = getopt(argc, argv, "dlR:a:c:C:p:")) != -1) while ((ch = getopt(argc, argv, "dlwR:a:c:C:p:")) != -1)
switch(ch) { switch(ch) {
case 'd': case 'd':
debug = 1; debug = 1;
@ -400,10 +397,14 @@ main(argc, argv, envp)
case 'p': case 'p':
pid_file = optarg; pid_file = optarg;
break; break;
case 'w':
if (wrap++)
wrap_bi++;
break;
case '?': case '?':
default: default:
syslog(LOG_ERR, syslog(LOG_ERR,
"usage: inetd [-dl] [-a address] [-R rate]" "usage: inetd [-dlw] [-a address] [-R rate]"
" [-c maximum] [-C rate]" " [-c maximum] [-C rate]"
" [-p pidfile] [conf-file]"); " [-p pidfile] [conf-file]");
exit(EX_USAGE); exit(EX_USAGE);
@ -539,8 +540,7 @@ main(argc, argv, envp)
close(ctrl); close(ctrl);
continue; continue;
} }
#ifndef LIBWRAP if (!wrap || log) {
if (log) {
i = sizeof peer; i = sizeof peer;
if (getpeername(ctrl, (struct sockaddr *) if (getpeername(ctrl, (struct sockaddr *)
&peer, &i)) { &peer, &i)) {
@ -554,20 +554,18 @@ main(argc, argv, envp)
sep->se_service, sep->se_service,
inet_ntoa(peer.sin_addr)); inet_ntoa(peer.sin_addr));
} }
#endif
} else } else
ctrl = sep->se_fd; ctrl = sep->se_fd;
(void) sigblock(SIGBLOCK); (void) sigblock(SIGBLOCK);
pid = 0; pid = 0;
#ifdef LIBWRAP_INTERNAL
/* /*
* When builtins are wrapped, avoid a minor optimization * When builtins are wrapped, avoid a minor optimization
* that breaks hosts_options(5) twist. * that breaks hosts_options(5) twist.
*/ */
dofork = 1; if (wrap_bi)
#else dofork = 1;
dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork); else
#endif dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
if (dofork) { if (dofork) {
if (sep->se_count++ == 0) if (sep->se_count++ == 0)
(void)gettimeofday(&sep->se_time, (struct timezone *)NULL); (void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
@ -625,11 +623,8 @@ main(argc, argv, envp)
_exit(0); _exit(0);
} }
} }
#ifdef LIBWRAP if ((wrap && (!sep->se_bi || wrap_bi))
#ifndef LIBWRAP_INTERNAL && sep->se_accept
if (sep->se_bi == 0)
#endif
if (sep->se_accept
&& sep->se_socktype == SOCK_STREAM) { && sep->se_socktype == SOCK_STREAM) {
service = sep->se_server_name ? service = sep->se_server_name ?
sep->se_server_name : sep->se_service; sep->se_server_name : sep->se_service;
@ -650,7 +645,6 @@ main(argc, argv, envp)
eval_client(&req), service, sep->se_proto); eval_client(&req), service, sep->se_proto);
} }
} }
#endif /* LIBWRAP */
if (sep->se_bi) { if (sep->se_bi) {
(*sep->se_bi->bi_fn)(ctrl, sep); (*sep->se_bi->bi_fn)(ctrl, sep);
/* NOTREACHED */ /* NOTREACHED */
@ -740,9 +734,7 @@ main(argc, argv, envp)
execv(sep->se_server, sep->se_argv); execv(sep->se_server, sep->se_argv);
syslog(LOG_ERR, syslog(LOG_ERR,
"cannot execute %s: %m", sep->se_server); "cannot execute %s: %m", sep->se_server);
#ifdef LIBWRAP
reject: reject:
#endif
if (sep->se_socktype != SOCK_STREAM) if (sep->se_socktype != SOCK_STREAM)
recv(0, buf, sizeof (buf), 0); recv(0, buf, sizeof (buf), 0);
} }