Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport |
| 2 | |
| 3 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 |
| 4 | --- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 |
| 5 | +++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 |
| 6 | @@ -3,7 +3,7 @@ |
| 7 | hosts_access, hosts_ctl, request_init, request_set \- access control library |
| 8 | .SH SYNOPSIS |
| 9 | .nf |
| 10 | -#include "tcpd.h" |
| 11 | +#include <tcpd.h> |
| 12 | |
| 13 | extern int allow_severity; |
| 14 | extern int deny_severity; |
| 15 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 |
| 16 | --- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 |
| 17 | +++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 |
| 18 | @@ -8,9 +8,9 @@ name, host name/address) patterns. Exam |
| 19 | impatient reader is encouraged to skip to the EXAMPLES section for a |
| 20 | quick introduction. |
| 21 | .PP |
| 22 | -An extended version of the access control language is described in the |
| 23 | -\fIhosts_options\fR(5) document. The extensions are turned on at |
| 24 | -program build time by building with -DPROCESS_OPTIONS. |
| 25 | +The extended version of the access control language is described in the |
| 26 | +\fIhosts_options\fR(5) document. \fBNote that this language supersedes |
| 27 | +the meaning of \fIshell_command\fB as documented below.\fR |
| 28 | .PP |
| 29 | In the following text, \fIdaemon\fR is the the process name of a |
| 30 | network daemon process, and \fIclient\fR is the name and/or address of |
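Review bot: The rewritten paragraph drops the "-DPROCESS_OPTIONS" build-time condition and presents the extended language as always in effect, but nothing in this patch shows that define being set. Please confirm the build enables PROCESS_OPTIONS unconditionally (the same assumption is made in the hosts_options.5 and tcpdchk.8 hunks), otherwise the man pages will describe behaviour the binary does not have. The bold note would also be more useful if it said in one clause what replaces \fIshell_command\fR, rather than only that it is superseded. Separately, the context line "is the the process name" has a doubled "the" that could be fixed while this paragraph is being touched.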
| 31 | @@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain |
| 32 | /etc/hosts.deny: |
| 33 | .in +3 |
| 34 | .nf |
| 35 | -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ |
| 36 | - /usr/ucb/mail -s %d-%h root) & |
| 37 | +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ |
| 38 | + /usr/bin/mail -s %d-%h root) & |
| 39 | .fi |
| 40 | .PP |
| 41 | The safe_finger command comes with the tcpd wrapper and should be |
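Review bot: The example now hard-codes "/usr/sbin/safe_finger" and "/usr/bin/mail"; since the following context line says safe_finger comes with the tcpd wrapper, please check that this is where this package actually installs it. Administrators copy this hosts.deny rule verbatim, and a wrong path means the notification never gets sent. If the install directory is configurable in the build, it would be safer to substitute it into the man page at build time than to patch in a fixed path.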
| 42 | @@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor |
| 43 | .fi |
| 44 | .SH SEE ALSO |
| 45 | .nf |
| 46 | +hosts_options(5) extended syntax. |
| 47 | tcpd(8) tcp/ip daemon wrapper program. |
| 48 | tcpdchk(8), tcpdmatch(8), test programs. |
| 49 | .SH BUGS |
| 50 | diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 |
| 51 | --- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 |
| 52 | +++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 |
| 53 | @@ -2,10 +2,8 @@ |
| 54 | .SH NAME |
| 55 | hosts_options \- host access control language extensions |
| 56 | .SH DESCRIPTION |
| 57 | -This document describes optional extensions to the language described |
| 58 | -in the hosts_access(5) document. The extensions are enabled at program |
| 59 | -build time. For example, by editing the Makefile and turning on the |
| 60 | -PROCESS_OPTIONS compile-time option. |
| 61 | +This document describes extensions to the language described |
| 62 | +in the hosts_access(5) document. |
| 63 | .PP |
| 64 | The extensible language uses the following format: |
| 65 | .sp |
| 66 | @@ -58,12 +56,12 @@ Notice the leading dot on the domain nam |
| 67 | Execute, in a child process, the specified shell command, after |
| 68 | performing the %<letter> expansions described in the hosts_access(5) |
| 69 | manual page. The command is executed with stdin, stdout and stderr |
| 70 | -connected to the null device, so that it won\'t mess up the |
| 71 | +connected to the null device, so that it won't mess up the |
| 72 | conversation with the client host. Example: |
| 73 | .sp |
| 74 | .nf |
| 75 | .ti +3 |
| 76 | -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & |
| 77 | +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & |
| 78 | .fi |
| 79 | .sp |
| 80 | executes, in a background child process, the shell command "safe_finger |
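Review bot: The change from "won\'t" to "won't" in this hunk is an unrelated formatting edit and is applied inconsistently: tcpd.8 in this same patch still carries "in.\'" and "kill -HUP\'" in its context lines. Either convert the escaped quotes across all the man pages in one separate change or leave this one alone, so the path fix stays easy to review.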
| 81 | diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c |
| 82 | --- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 |
| 83 | +++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 |
| 84 | @@ -26,13 +26,17 @@ extern void exit(); |
| 85 | * guesses. Shorter names follow longer ones. |
| 86 | */ |
| 87 | char *inet_files[] = { |
| 88 | +#if 0 |
| 89 | "/private/etc/inetd.conf", /* NEXT */ |
| 90 | "/etc/inet/inetd.conf", /* SYSV4 */ |
| 91 | "/usr/etc/inetd.conf", /* IRIX?? */ |
| 92 | +#endif |
| 93 | "/etc/inetd.conf", /* BSD */ |
| 94 | +#if 0 |
| 95 | "/etc/net/tlid.conf", /* SYSV4?? */ |
| 96 | "/etc/saf/tlid.conf", /* SYSV4?? */ |
| 97 | "/etc/tlid.conf", /* SYSV4?? */ |
| 98 | +#endif |
| 99 | 0, |
| 100 | }; |
| 101 | |
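Review bot: The two "#if 0" blocks in inet_files[] disable the alternative inetd.conf and tlid.conf locations without saying why. Please add a short comment above the array stating that only "/etc/inetd.conf" is searched on this platform, or delete the unused entries outright, so the next reader does not re-enable them by accident. It is also worth noting in that comment that the "-i inet_conf" option documented in tcpdchk.8 and tcpdmatch.8 remains the way to point the tools at any other location.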
| 102 | diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 |
| 103 | --- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 |
| 104 | +++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 |
| 105 | @@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s |
| 106 | TLI. Functionality may be limited when the protocol underneath TLI is |
| 107 | not an internet protocol. |
| 108 | .PP |
| 109 | -Operation is as follows: whenever a request for service arrives, the |
| 110 | +There are two possible modes of operation: execution of \fItcpd\fP |
| 111 | +before a service started by \fIinetd\fP, or linking a daemon with |
| 112 | +the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) |
| 113 | +manual page. Operation when started by \fIinetd\fP |
| 114 | +is as follows: whenever a request for service arrives, the |
| 115 | \fIinetd\fP daemon is tricked into running the \fItcpd\fP program |
| 116 | instead of the desired server. \fItcpd\fP logs the request and does |
| 117 | some additional checks. When all is well, \fItcpd\fP runs the |
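Review bot: The context just above the new text still says the program supports TLI ("Functionality may be limited when the protocol underneath TLI is not an internet protocol"), while the rest of this patch removes every tlid.conf reference from tcpdchk.8 and tcpdmatch.8 and disables the tlid.conf paths in inetcf.c. If TLI is not supported in this build, that sentence should go too; if it is, the tlid removals elsewhere need a word of justification. The new sentence is otherwise a welcome addition, though "before a service started by \fIinetd\fP" would read better as "in front of a service started by \fIinetd\fP".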
| 118 | @@ -88,11 +92,11 @@ configuration files. |
| 119 | .sp |
| 120 | .in +5 |
| 121 | # mkdir /other/place |
| 122 | -# mv /usr/etc/in.fingerd /other/place |
| 123 | -# cp tcpd /usr/etc/in.fingerd |
| 124 | +# mv /usr/sbin/in.fingerd /other/place |
| 125 | +# cp tcpd /usr/sbin/in.fingerd |
| 126 | .fi |
| 127 | .PP |
| 128 | -The example assumes that the network daemons live in /usr/etc. On some |
| 129 | +The example assumes that the network daemons live in /usr/sbin. On some |
| 130 | systems, network daemons live in /usr/sbin or in /usr/libexec, or have |
| 131 | no `in.\' prefix to their name. |
| 132 | .SH EXAMPLE 2 |
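Review bot: After this change the paragraph reads "The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec", so /usr/sbin is both the assumed location and the listed exception. Please update the second sentence as well, for example "On some systems, network daemons live in /usr/etc or in /usr/libexec". The same sentence is patched the same way in the EXAMPLE 2 hunk that follows and needs the same fix there.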
| 133 | @@ -101,35 +105,34 @@ are left in their original place. |
| 134 | .PP |
| 135 | In order to monitor access to the \fIfinger\fR service, perform the |
| 136 | following edits on the \fIinetd\fR configuration file (usually |
| 137 | -\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): |
| 138 | +\fI/etc/inetd.conf\fR): |
| 139 | .nf |
| 140 | .sp |
| 141 | .ti +5 |
| 142 | -finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd |
| 143 | +finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd |
| 144 | .sp |
| 145 | becomes: |
| 146 | .sp |
| 147 | .ti +5 |
| 148 | -finger stream tcp nowait nobody /some/where/tcpd in.fingerd |
| 149 | +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd |
| 150 | .sp |
| 151 | .fi |
| 152 | .PP |
| 153 | -The example assumes that the network daemons live in /usr/etc. On some |
| 154 | +The example assumes that the network daemons live in /usr/sbin. On some |
| 155 | systems, network daemons live in /usr/sbin or in /usr/libexec, the |
| 156 | daemons have no `in.\' prefix to their name, or there is no userid |
| 157 | field in the inetd configuration file. |
| 158 | .PP |
| 159 | Similar changes will be needed for the other services that are to be |
| 160 | covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) |
| 161 | -process to make the changes effective. AIX users may also have to |
| 162 | -execute the `inetimp\' command. |
| 163 | +process to make the changes effective. |
| 164 | .SH EXAMPLE 3 |
| 165 | In the case of daemons that do not live in a common directory ("secret" |
| 166 | or otherwise), edit the \fIinetd\fR configuration file so that it |
| 167 | specifies an absolute path name for the process name field. For example: |
| 168 | .nf |
| 169 | .sp |
| 170 | - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd |
| 171 | + ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd |
| 172 | .sp |
| 173 | .fi |
| 174 | .PP |
| 175 | @@ -164,6 +167,7 @@ The default locations of the host access |
| 176 | .SH SEE ALSO |
| 177 | .na |
| 178 | .nf |
| 179 | +hosts_access(3), functions provided by the libwrap library. |
| 180 | hosts_access(5), format of the tcpd access control tables. |
| 181 | syslog.conf(5), format of the syslogd control file. |
| 182 | inetd.conf(5), format of the inetd control file. |
| 183 | diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 |
| 184 | --- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 |
| 185 | +++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 |
| 186 | @@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] |
| 187 | potential and real problems it can find. The program examines the |
| 188 | \fItcpd\fR access control files (by default, these are |
| 189 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the |
| 190 | -entries in these files against entries in the \fIinetd\fR or \fItlid\fR |
| 191 | -network configuration files. |
| 192 | +entries in these files against entries in the \fIinetd\fR |
| 193 | +network configuration file. |
| 194 | .PP |
| 195 | \fItcpdchk\fR reports problems such as non-existent pathnames; services |
| 196 | that appear in \fItcpd\fR access control rules, but are not controlled |
| 197 | @@ -26,14 +26,13 @@ problem. |
| 198 | .SH OPTIONS |
| 199 | .IP -a |
| 200 | Report access control rules that permit access without an explicit |
| 201 | -ALLOW keyword. This applies only when the extended access control |
| 202 | -language is enabled (build with -DPROCESS_OPTIONS). |
| 203 | +ALLOW keyword. |
| 204 | .IP -d |
| 205 | Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current |
| 206 | directory instead of the default ones. |
| 207 | .IP "-i inet_conf" |
| 208 | Specify this option when \fItcpdchk\fR is unable to find your |
| 209 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when |
| 210 | +\fIinetd.conf\fR network configuration file, or when |
| 211 | you suspect that the program uses the wrong one. |
| 212 | .IP -v |
| 213 | Display the contents of each access control rule. Daemon lists, client |
| 214 | @@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do |
| 215 | hosts_access(5), format of the tcpd access control tables. |
| 216 | hosts_options(5), format of the language extensions. |
| 217 | inetd.conf(5), format of the inetd control file. |
| 218 | -tlid.conf(5), format of the tlid control file. |
| 219 | .SH AUTHORS |
| 220 | .na |
| 221 | .nf |
| 222 | diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 |
| 223 | --- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 |
| 224 | +++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 |
| 225 | @@ -13,7 +13,7 @@ request for service. Examples are given |
| 226 | The program examines the \fItcpd\fR access control tables (default |
| 227 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its |
| 228 | conclusion. For maximal accuracy, it extracts additional information |
| 229 | -from your \fIinetd\fR or \fItlid\fR network configuration file. |
| 230 | +from your \fIinetd\fR network configuration file. |
| 231 | .PP |
| 232 | When \fItcpdmatch\fR finds a match in the access control tables, it |
| 233 | identifies the matched rule. In addition, it displays the optional |
| 234 | @@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d |
| 235 | directory instead of the default ones. |
| 236 | .IP "-i inet_conf" |
| 237 | Specify this option when \fItcpdmatch\fR is unable to find your |
| 238 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when |
| 239 | +\fIinetd.conf\fR network configuration file, or when |
| 240 | you suspect that the program uses the wrong one. |
| 241 | .SH EXAMPLES |
| 242 | To predict how \fItcpd\fR would handle a telnet request from the local |
| 243 | @@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker |
| 244 | hosts_access(5), format of the tcpd access control tables. |
| 245 | hosts_options(5), format of the language extensions. |
| 246 | inetd.conf(5), format of the inetd control file. |
| 247 | -tlid.conf(5), format of the tlid control file. |
| 248 | .SH AUTHORS |
| 249 | .na |
| 250 | .nf |