From 764e46f5c5fe1a6e376f4cd350424f33afc9e838 Mon Sep 17 00:00:00 2001 From: hjl Date: Fri, 25 Aug 2000 23:10:40 +0000 Subject: [PATCH] 2000-08-25 H.J. Lu * support/include/tcpwrapper.h: New for the tcp wrapper support. * support/misc/Makefile: Likewise. * support/misc/from_local.c: Likewise. * support/misc/tcpwrapper.c: Likewise. * aclocal.m4 (AC_TCP_WRAPPER): New. * configure.in: Use it. Substitute LIBWRAP. * configure: Rebuilt. * config.mk.in (LIBNSL): New. (LIBWRAP): Likewise. * support/Makefile (SUBDIRS): Add misc. * support/lib/Makefile (LIBS): Add libmisc.a. * utils/rquotad/Makefile (LIBS): Add -lmisc $(LIBWRAP) $(LIBNSL) * utils/statd/Makefile (LIBS): Likewise. * utils/rquotad/rquota_svc.c: Include "tcpwrapper.h" if HAVE_TCP_WRAPPER is defined. (rquotaprog_1): Call check_default () if HAVE_TCP_WRAPPER is defined. Reject an RPC call if check_default () fails. * utils/statd/statd.c: Include "tcpwrapper.h" if HAVE_TCP_WRAPPER is defined. (sm_prog_1_wrapper): New. A wrapper for sm_prog_1. Call check_default () before calling sm_prog_1 (). Define it as sm_prog_1_wrapper if HAVE_TCP_WRAPPER is defined. --- ChangeLog | 36 +++++ aclocal.m4 | 21 ++- config.mk.in | 2 + configure | 163 +++++++++++++--------- configure.in | 3 + support/Makefile | 2 +- support/include/tcpwrapper.h | 18 +++ support/lib/Makefile | 2 +- support/misc/Makefile | 11 ++ support/misc/from_local.c | 188 +++++++++++++++++++++++++ support/misc/tcpwrapper.c | 256 +++++++++++++++++++++++++++++++++++ utils/rquotad/Makefile | 2 +- utils/rquotad/rquota_svc.c | 13 ++ utils/statd/Makefile | 2 +- utils/statd/statd.c | 21 ++- 15 files changed, 667 insertions(+), 73 deletions(-) create mode 100644 support/include/tcpwrapper.h create mode 100644 support/misc/Makefile create mode 100644 support/misc/from_local.c create mode 100644 support/misc/tcpwrapper.c diff --git a/ChangeLog b/ChangeLog index 8b6e4af..1fe0a6b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,39 @@ +2000-08-25 H.J. Lu + + * support/include/tcpwrapper.h: New for the tcp wrapper + support. + * support/misc/Makefile: Likewise. + * support/misc/from_local.c: Likewise. + * support/misc/tcpwrapper.c: Likewise. + + * aclocal.m4 (AC_TCP_WRAPPER): New. + * configure.in: Use it. Substitute LIBWRAP. + * configure: Rebuilt. + + * config.mk.in (LIBNSL): New. + (LIBWRAP): Likewise. + + * support/Makefile (SUBDIRS): Add misc. + + * support/lib/Makefile (LIBS): Add libmisc.a. + + * utils/rquotad/Makefile (LIBS): Add + + -lmisc $(LIBWRAP) $(LIBNSL) + + * utils/statd/Makefile (LIBS): Likewise. + + * utils/rquotad/rquota_svc.c: Include "tcpwrapper.h" if + HAVE_TCP_WRAPPER is defined. + (rquotaprog_1): Call check_default () if HAVE_TCP_WRAPPER is + defined. Reject an RPC call if check_default () fails. + + * utils/statd/statd.c: Include "tcpwrapper.h" if + HAVE_TCP_WRAPPER is defined. + (sm_prog_1_wrapper): New. A wrapper for sm_prog_1. Call + check_default () before calling sm_prog_1 (). Define it as + sm_prog_1_wrapper if HAVE_TCP_WRAPPER is defined. + 2000-08-25 Chip Salzenberg * debian/*: Complete Debian build support. diff --git a/aclocal.m4 b/aclocal.m4 index baa54d1..7a4df46 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -52,7 +52,7 @@ dnl ** we have to include sys/types.h. Ugh. define(AC_DEV_T_SIZE, [AC_MSG_CHECKING(size of dev_t) AC_CACHE_VAL(ac_cv_sizeof_dev_t, - [AC_TRY_RUN( + [AC_TRY_LINK( [#include #include main() @@ -118,3 +118,22 @@ define([AC_BSD_SIGNALS], AC_MSG_RESULT($knfsd_cv_bsd_signals) test $knfsd_cv_bsd_signals = yes && AC_DEFINE(HAVE_BSD_SIGNALS) ])dnl +dnl *********** the tcp wrapper library *************** +define(AC_TCP_WRAPPER, + [AC_MSG_CHECKING(for the tcp wrapper library) + AC_CACHE_VAL(knfsd_cv_tcp_wrapper, + [old_LIBS="$LIBS" + LIBS="$LIBS -lwrap $LIBNSL" + AC_TRY_LINK([ + int deny_severity = 0; + int allow_severity = 0;], + [return hosts_ctl ("nfsd", "", "")], + knfsd_cv_tcp_wrapper=yes, knfsd_cv_tcp_wrapper=no) + LDFLAGS="$old_LDFLAGS"]) + AC_MSG_RESULT($knfsd_cv_tcp_wrapper) + if test "$knfsd_cv_tcp_wrapper" = yes; then + CFLAGS="$CFLAGS -DHAVE_TCP_WRAPPER" + CXXFLAGS="$CXXFLAGS -DHAVE_TCP_WRAPPER" + LIBWRAP="-lwrap" + fi +]) dnl diff --git a/config.mk.in b/config.mk.in index 299170f..85e302a 100644 --- a/config.mk.in +++ b/config.mk.in @@ -29,6 +29,8 @@ MANGROUP = root # Various libs LIBBSD = @LIBBSD@ +LIBNSL = @LIBNSL@ +LIBWRAP = @LIBWRAP@ ################# END OF USER SERVICEABLE PARTS ################## ALLTARGETS = all clean distclean install installman \ diff --git a/configure b/configure index 4a17bdb..c624d88 100755 --- a/configure +++ b/configure @@ -37,7 +37,6 @@ program_suffix=NONE program_transform_name=s,x,x, silent= site= -sitefile= srcdir= target=NONE verbose= @@ -152,7 +151,6 @@ Configuration: --help print this message --no-create do not create output files --quiet, --silent do not print \`checking...' messages - --site-file=FILE use FILE as the site file --version print the version of autoconf that created configure Directory and file names: --prefix=PREFIX install architecture-independent files in PREFIX @@ -323,11 +321,6 @@ EOF -site=* | --site=* | --sit=*) site="$ac_optarg" ;; - -site-file | --site-file | --site-fil | --site-fi | --site-f) - ac_prev=sitefile ;; - -site-file=* | --site-file=* | --site-fil=* | --site-fi=* | --site-f=*) - sitefile="$ac_optarg" ;; - -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) @@ -493,16 +486,12 @@ fi srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` # Prefer explicitly selected file to automatically selected ones. -if test -z "$sitefile"; then - if test -z "$CONFIG_SITE"; then - if test "x$prefix" != xNONE; then - CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" - else - CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" - fi +if test -z "$CONFIG_SITE"; then + if test "x$prefix" != xNONE; then + CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" + else + CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" fi -else - CONFIG_SITE="$sitefile" fi for ac_site_file in $CONFIG_SITE; do if test -r "$ac_site_file"; then @@ -602,7 +591,7 @@ EOF # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:606: checking for $ac_word" >&5 +echo "configure:595: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -632,7 +621,7 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:636: checking for $ac_word" >&5 +echo "configure:625: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -683,7 +672,7 @@ fi # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:687: checking for $ac_word" >&5 +echo "configure:676: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -715,7 +704,7 @@ fi fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:719: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:708: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. @@ -726,12 +715,12 @@ cross_compiling=$ac_cv_prog_cc_cross cat > conftest.$ac_ext << EOF -#line 730 "configure" +#line 719 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:735: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:724: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then @@ -757,12 +746,12 @@ if test $ac_cv_prog_cc_works = no; then { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:761: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:750: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:766: checking whether we are using GNU C" >&5 +echo "configure:755: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -771,7 +760,7 @@ else yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:775: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:764: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no @@ -790,7 +779,7 @@ ac_test_CFLAGS="${CFLAGS+set}" ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:794: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:783: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -826,7 +815,7 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:830: checking for $ac_word" >&5 +echo "configure:819: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -858,7 +847,7 @@ test -n "$CXX" || CXX="gcc" echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:862: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5 +echo "configure:851: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5 ac_ext=C # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. @@ -869,12 +858,12 @@ cross_compiling=$ac_cv_prog_cxx_cross cat > conftest.$ac_ext << EOF -#line 873 "configure" +#line 862 "configure" #include "confdefs.h" int main(){return(0);} EOF -if { (eval echo configure:878: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:867: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cxx_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then @@ -900,12 +889,12 @@ if test $ac_cv_prog_cxx_works = no; then { echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:904: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:893: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6 cross_compiling=$ac_cv_prog_cxx_cross echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6 -echo "configure:909: checking whether we are using GNU C++" >&5 +echo "configure:898: checking whether we are using GNU C++" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -914,7 +903,7 @@ else yes; #endif EOF -if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:918: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:907: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gxx=yes else ac_cv_prog_gxx=no @@ -933,7 +922,7 @@ ac_test_CXXFLAGS="${CXXFLAGS+set}" ac_save_CXXFLAGS="$CXXFLAGS" CXXFLAGS= echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6 -echo "configure:937: checking whether ${CXX-g++} accepts -g" >&5 +echo "configure:926: checking whether ${CXX-g++} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -965,7 +954,7 @@ else fi echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:969: checking how to run the C preprocessor" >&5 +echo "configure:958: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -980,13 +969,13 @@ else # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:990: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:979: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -997,13 +986,13 @@ else rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1007: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:996: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -1014,13 +1003,13 @@ else rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1024: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1013: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -1075,7 +1064,7 @@ ac_configure=$ac_aux_dir/configure # This should be Cygnus configure. # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:1079: checking for a BSD compatible install" >&5 +echo "configure:1068: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1128,12 +1117,12 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6 -echo "configure:1132: checking for ANSI C header files" >&5 +echo "configure:1121: checking for ANSI C header files" >&5 if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include @@ -1141,7 +1130,7 @@ else #include EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1145: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1134: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -1158,7 +1147,7 @@ rm -f conftest* if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat > conftest.$ac_ext < EOF @@ -1176,7 +1165,7 @@ fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat > conftest.$ac_ext < EOF @@ -1197,7 +1186,7 @@ if test "$cross_compiling" = yes; then : else cat > conftest.$ac_ext < #define ISLOWER(c) ('a' <= (c) && (c) <= 'z') @@ -1208,7 +1197,7 @@ if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2); exit (0); } EOF -if { (eval echo configure:1212: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:1201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then : else @@ -1232,12 +1221,12 @@ EOF fi echo $ac_n "checking for GNU libc2""... $ac_c" 1>&6 -echo "configure:1236: checking for GNU libc2" >&5 +echo "configure:1225: checking for GNU libc2" >&5 if eval "test \"`echo '$''{'knfsd_cv_glibc2'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -1246,7 +1235,7 @@ else #endif EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1250: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1239: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -1269,7 +1258,7 @@ fi echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:1273: checking for main in -lsocket" >&5 +echo "configure:1262: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1277,14 +1266,14 @@ else ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1277: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1305,7 +1294,7 @@ else fi echo $ac_n "checking for main in -lnsl""... $ac_c" 1>&6 -echo "configure:1309: checking for main in -lnsl" >&5 +echo "configure:1298: checking for main in -lnsl" >&5 ac_lib_var=`echo nsl'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1313,14 +1302,14 @@ else ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1313: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1341,7 +1330,7 @@ else fi echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6 -echo "configure:1345: checking for crypt in -lcrypt" >&5 +echo "configure:1334: checking for crypt in -lcrypt" >&5 ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1349,7 +1338,7 @@ else ac_save_LIBS="$LIBS" LIBS="-lcrypt $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1353: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1382,7 +1371,7 @@ fi if test "$knfsd_cv_glibc2" = no; then echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:1386: checking for daemon in -lbsd" >&5 +echo "configure:1375: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1390,7 +1379,7 @@ else ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1394: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1427,16 +1416,55 @@ fi +echo $ac_n "checking for the tcp wrapper library""... $ac_c" 1>&6 +echo "configure:1421: checking for the tcp wrapper library" >&5 + if eval "test \"`echo '$''{'knfsd_cv_tcp_wrapper'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + old_LIBS="$LIBS" + LIBS="$LIBS -lwrap $LIBNSL" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + knfsd_cv_tcp_wrapper=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + knfsd_cv_tcp_wrapper=no +fi +rm -f conftest* + LDFLAGS="$old_LDFLAGS" +fi + + echo "$ac_t""$knfsd_cv_tcp_wrapper" 1>&6 + if test "$knfsd_cv_tcp_wrapper" = yes; then + CFLAGS="$CFLAGS -DHAVE_TCP_WRAPPER" + CXXFLAGS="$CXXFLAGS -DHAVE_TCP_WRAPPER" + LIBWRAP="-lwrap" + fi + + + for ac_func in innetgr do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1435: checking for $ac_func" >&5 +echo "configure:1463: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1491: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1640,6 +1668,7 @@ s%@LIBSOCKET@%$LIBSOCKET%g s%@LIBNSL@%$LIBNSL%g s%@LIBCRYPT@%$LIBCRYPT%g s%@LIBBSD@%$LIBBSD%g +s%@LIBWRAP@%$LIBWRAP%g CEOF EOF diff --git a/configure.in b/configure.in index b6298d9..3ca9f21 100644 --- a/configure.in +++ b/configure.in @@ -64,6 +64,9 @@ AC_SUBST(LIBNSL) AC_SUBST(LIBCRYPT) AC_SUBST(LIBBSD) +AC_TCP_WRAPPER +AC_SUBST(LIBWRAP) + dnl ************************************************************* dnl Check for headers dnl ************************************************************* diff --git a/support/Makefile b/support/Makefile index 6b8598b..37b6359 100644 --- a/support/Makefile +++ b/support/Makefile @@ -2,7 +2,7 @@ # Makefile for linux-nfs/support # -SUBDIRS = include nfs export lib +SUBDIRS = include nfs export lib misc .DEFAULT: all include $(TOP)rules.mk diff --git a/support/include/tcpwrapper.h b/support/include/tcpwrapper.h new file mode 100644 index 0000000..98cf806 --- /dev/null +++ b/support/include/tcpwrapper.h @@ -0,0 +1,18 @@ +#ifndef TCP_WRAPPER_H +#define TCP_WRAPPER_H + +#include +#include +#include + +extern int verboselog; + +extern int allow_severity; +extern int deny_severity; + +extern int good_client(char *daemon, struct sockaddr_in *addr); +extern int from_local (struct sockaddr_in *addr); +extern int check_default(char *daemon, struct sockaddr_in *addr, + u_long proc, u_long prog); + +#endif /* TCP_WRAPPER_H */ diff --git a/support/lib/Makefile b/support/lib/Makefile index b5fa14a..2eeb93b 100644 --- a/support/lib/Makefile +++ b/support/lib/Makefile @@ -1,7 +1,7 @@ include $(TOP)rules.mk -LIBS = libnfs.a libexport.a +LIBS = libnfs.a libexport.a libmisc.a all install:: $(LIBS) @: diff --git a/support/misc/Makefile b/support/misc/Makefile new file mode 100644 index 0000000..b2f73f8 --- /dev/null +++ b/support/misc/Makefile @@ -0,0 +1,11 @@ +# +# linux-nfs/support/misc/Makefile +# + +LIBNAME = libmisc.a +OBJS = tcpwrapper.o from_local.o + +include $(TOP)rules.mk + +install:: + @: diff --git a/support/misc/from_local.c b/support/misc/from_local.c new file mode 100644 index 0000000..56478d7 --- /dev/null +++ b/support/misc/from_local.c @@ -0,0 +1,188 @@ + /* + * Check if an address belongs to the local system. Adapted from: + * + * @(#)pmap_svc.c 1.32 91/03/11 Copyright 1984,1990 Sun Microsystems, Inc. + * @(#)get_myaddress.c 2.1 88/07/29 4.0 RPCSRC. + */ + +/* + * Sun RPC is a product of Sun Microsystems, Inc. and is provided for + * unrestricted use provided that this legend is included on all tape + * media and as a part of the software program in whole or part. Users + * may copy or modify Sun RPC without charge, but are not authorized + * to license or distribute it to anyone else except as part of a product or + * program developed by the user or with the express written consent of + * Sun Microsystems, Inc. + * + * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE + * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + * + * Sun RPC is provided with no support and without any obligation on the + * part of Sun Microsystems, Inc. to assist in its use, correction, + * modification or enhancement. + * + * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE + * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC + * OR ANY PART THEREOF. + * + * In no event will Sun Microsystems, Inc. be liable for any lost revenue + * or profits or other special, indirect and consequential damages, even if + * Sun has been advised of the possibility of such damages. + * + * Sun Microsystems, Inc. + * 2550 Garcia Avenue + * Mountain View, California 94043 + */ + +#ifndef lint +static char sccsid[] = "@(#) from_local.c 1.3 96/05/31 15:52:57"; +#endif + +#ifdef TEST +#undef perror +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef TRUE +#define TRUE 1 +#define FALSE 0 +#endif + + /* + * With virtual hosting, each hardware network interface can have multiple + * network addresses. On such machines the number of machine addresses can + * be surprisingly large. + */ +static int num_local; +static int num_addrs; +static struct in_addr *addrs; + +/* grow_addrs - extend list of local interface addresses */ + +static int grow_addrs() +{ + struct in_addr *new_addrs; + int new_num; + + /* + * Keep the previous result if we run out of memory. The system would + * really get hosed if we simply give up. + */ + new_num = (addrs == 0) ? 1 : num_addrs + num_addrs; + new_addrs = (struct in_addr *) malloc(sizeof(*addrs) * new_num); + if (new_addrs == 0) { + perror("portmap: out of memory"); + return (0); + } else { + if (addrs != 0) { + memcpy((char *) new_addrs, (char *) addrs, + sizeof(*addrs) * num_addrs); + free((char *) addrs); + } + num_addrs = new_num; + addrs = new_addrs; + return (1); + } +} + +/* find_local - find all IP addresses for this host */ +static int +find_local() +{ + struct ifconf ifc; + struct ifreq ifreq; + struct ifreq *ifr; + struct ifreq *the_end; + int sock; + char buf[BUFSIZ]; + + /* + * Get list of network interfaces. We use a huge buffer to allow for the + * presence of non-IP interfaces. + */ + + if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) < 0) { + perror("socket"); + return (0); + } + ifc.ifc_len = sizeof(buf); + ifc.ifc_buf = buf; + if (ioctl(sock, SIOCGIFCONF, (char *) &ifc) < 0) { + perror("SIOCGIFCONF"); + (void) close(sock); + return (0); + } + /* Get IP address of each active IP network interface. */ + + the_end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len); + num_local = 0; + for (ifr = ifc.ifc_req; ifr < the_end; ifr++) { + if (ifr->ifr_addr.sa_family == AF_INET) { /* IP net interface */ + ifreq = *ifr; + if (ioctl(sock, SIOCGIFFLAGS, (char *) &ifreq) < 0) { + perror("SIOCGIFFLAGS"); + } else if (ifreq.ifr_flags & IFF_UP) { /* active interface */ + if (ioctl(sock, SIOCGIFADDR, (char *) &ifreq) < 0) { + perror("SIOCGIFADDR"); + } else { + if (num_local >= num_addrs) + if (grow_addrs() == 0) + break; + addrs[num_local++] = ((struct sockaddr_in *) + & ifreq.ifr_addr)->sin_addr; + } + } + } + /* Support for variable-length addresses. */ +#ifdef HAS_SA_LEN + ifr = (struct ifreq *) ((caddr_t) ifr + + ifr->ifr_addr.sa_len - sizeof(struct sockaddr)); +#endif + } + (void) close(sock); + return (num_local); +} + +/* from_local - determine whether request comes from the local system */ +int +from_local(addr) +struct sockaddr_in *addr; +{ + int i; + + if (addrs == 0 && find_local() == 0) + syslog(LOG_ERR, "cannot find any active local network interfaces"); + + for (i = 0; i < num_local; i++) { + if (memcmp((char *) &(addr->sin_addr), (char *) &(addrs[i]), + sizeof(struct in_addr)) == 0) + return (TRUE); + } + return (FALSE); +} + +#ifdef TEST + +main() +{ + char *inet_ntoa(); + int i; + + find_local(); + for (i = 0; i < num_local; i++) + printf("%s\n", inet_ntoa(addrs[i])); +} + +#endif diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c new file mode 100644 index 0000000..498a829 --- /dev/null +++ b/support/misc/tcpwrapper.c @@ -0,0 +1,256 @@ +/* This is copied from portmap 4.0-29 in RedHat. */ + + /* + * pmap_check - additional portmap security. + * + * Always reject non-local requests to update the portmapper tables. + * + * Refuse to forward mount requests to the nfs mount daemon. Otherwise, the + * requests would appear to come from the local system, and nfs export + * restrictions could be bypassed. + * + * Refuse to forward requests to the nfsd process. + * + * Refuse to forward requests to NIS (YP) daemons; The only exception is the + * YPPROC_DOMAIN_NONACK broadcast rpc call that is used to establish initial + * contact with the NIS server. + * + * Always allocate an unprivileged port when forwarding a request. + * + * If compiled with -DCHECK_PORT, require that requests to register or + * unregister a privileged port come from a privileged port. This makes it + * more difficult to replace a critical service by a trojan. + * + * If compiled with -DHOSTS_ACCESS, reject requests from hosts that are not + * authorized by the /etc/hosts.{allow,deny} files. The local system is + * always treated as an authorized host. The access control tables are never + * consulted for requests from the local system, and are always consulted + * for requests from other hosts. Access control is based on IP addresses + * only; attempts to map an address to a host name might cause the + * portmapper to hang. + * + * Author: Wietse Venema (wietse@wzv.win.tue.nl), dept. of Mathematics and + * Computing Science, Eindhoven University of Technology, The Netherlands. + */ + +#include "tcpwrapper.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef SYSV40 +#include +#include +#endif + +static void logit(); +static void toggle_verboselog(); +int verboselog = 0; +int allow_severity = LOG_INFO; +int deny_severity = LOG_WARNING; + +/* A handful of macros for "readability". */ + +/* coming from libwrap.a (tcp_wrappers) */ +extern int hosts_ctl(char *daemon, char *name, char *addr, char *user); + +#define legal_port(a,p) \ + (ntohs((a)->sin_port) < IPPORT_RESERVED || (p) >= IPPORT_RESERVED) + +#define log_bad_port(addr, proc, prog) \ + logit(deny_severity, addr, proc, prog, ": request from unprivileged port") + +#define log_bad_host(addr, proc, prog) \ + logit(deny_severity, addr, proc, prog, ": request from unauthorized host") + +#define log_bad_owner(addr, proc, prog) \ + logit(deny_severity, addr, proc, prog, ": request from non-local host") + +#define log_no_forward(addr, proc, prog) \ + logit(deny_severity, addr, proc, prog, ": request not forwarded") + +#define log_client(addr, proc, prog) \ + logit(allow_severity, addr, proc, prog, "") + +int +good_client(daemon, addr) +char *daemon; +struct sockaddr_in *addr; +{ + struct hostent *hp; + char **sp; + char *tmpname; + + /* Check the IP address first. */ + if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "")) + return 1; + + /* Check the hostname. */ + hp = gethostbyaddr ((const char *) &(addr->sin_addr), + sizeof (addr->sin_addr), AF_INET); + + if (!hp) + return 0; + + /* must make sure the hostent is authorative. */ + tmpname = alloca (strlen (hp->h_name) + 1); + strcpy (tmpname, hp->h_name); + hp = gethostbyname(tmpname); + if (hp) { + /* now make sure the "addr->sin_addr" is on the list */ + for (sp = hp->h_addr_list ; *sp ; sp++) { + if (memcmp(*sp, &(addr->sin_addr), hp->h_length)==0) + break; + } + if (!*sp) + /* it was a FAKE. */ + return 0; + } + else + /* never heard of it. misconfigured DNS? */ + return 0; + + /* Check the official name first. */ + if (hosts_ctl(daemon, "", hp->h_name, "")) + return 1; + + /* Check aliases. */ + for (sp = hp->h_aliases; *sp ; sp++) { + if (hosts_ctl(daemon, "", *sp, "")) + return 1; + } + + /* No match */ + return 0; +} + +/* check_startup - additional startup code */ + +void check_startup() +{ + + /* + * Give up root privileges so that we can never allocate a privileged + * port when forwarding an rpc request. + * + * Fix 8/3/00 Philipp Knirsch: First lookup our rpc user. If we find it, + * switch to that uid, otherwise simply resue the old bin user and print + * out a warning in syslog. + */ + + struct passwd *pwent; + + pwent = getpwnam("rpc"); + if (pwent == NULL) { + syslog(LOG_WARNING, "user rpc not found, reverting to user bin"); + if (setuid(1) == -1) { + syslog(LOG_ERR, "setuid(1) failed: %m"); + exit(1); + } + } + else { + if (setuid(pwent->pw_uid) == -1) { + syslog(LOG_WARNING, "setuid() to rpc user failed: %m"); + if (setuid(1) == -1) { + syslog(LOG_ERR, "setuid(1) failed: %m"); + exit(1); + } + } + } + + (void) signal(SIGINT, toggle_verboselog); +} + +/* check_default - additional checks for NULL, DUMP, GETPORT and unknown */ + +int +check_default(daemon, addr, proc, prog) +char *daemon; +struct sockaddr_in *addr; +u_long proc; +u_long prog; +{ + if (!(from_local(addr) || good_client(daemon, addr))) { + log_bad_host(addr, proc, prog); + return (FALSE); + } + if (verboselog) + log_client(addr, proc, prog); + return (TRUE); +} + +/* check_privileged_port - additional checks for privileged-port updates */ +int +check_privileged_port(addr, proc, prog, port) +struct sockaddr_in *addr; +u_long proc; +u_long prog; +u_long port; +{ +#ifdef CHECK_PORT + if (!legal_port(addr, port)) { + log_bad_port(addr, proc, prog); + return (FALSE); + } +#endif + return (TRUE); +} + +/* toggle_verboselog - toggle verbose logging flag */ + +static void toggle_verboselog(sig) +int sig; +{ + (void) signal(sig, toggle_verboselog); + verboselog = !verboselog; +} + +/* logit - report events of interest via the syslog daemon */ + +static void logit(severity, addr, procnum, prognum, text) +int severity; +struct sockaddr_in *addr; +u_long procnum; +u_long prognum; +char *text; +{ + char *procname; + char procbuf[4 * sizeof(u_long)]; + char *progname; + char progbuf[4 * sizeof(u_long)]; + struct rpcent *rpc; + + /* + * Fork off a process or the portmap daemon might hang while + * getrpcbynumber() or syslog() does its thing. + */ + + if (fork() == 0) { + + /* Try to map program number to name. */ + + if (prognum == 0) { + progname = ""; + } else if ((rpc = getrpcbynumber((int) prognum))) { + progname = rpc->r_name; + } else { + sprintf(progname = progbuf, "%lu", prognum); + } + + /* Try to map procedure number to name. */ + + sprintf(procname = procbuf, "%lu", (u_long) procnum); + + /* Write syslog record. */ + + syslog(severity, "connect from %s to %s(%s)%s", + inet_ntoa(addr->sin_addr), procname, progname, text); + exit(0); + } +} diff --git a/utils/rquotad/Makefile b/utils/rquotad/Makefile index 1572655..82928b6 100644 --- a/utils/rquotad/Makefile +++ b/utils/rquotad/Makefile @@ -8,6 +8,6 @@ OBJS = rquota_server.o rquota_svc.o rquota_xdr.o quotactl.o hasquota.o DEPLIBS = MAN8 = rquotad -LIBS += -lnfs $(LIBBSD) +LIBS += -lnfs -lmisc $(LIBBSD) $(LIBWRAP) $(LIBNSL) include $(TOP)rules.mk diff --git a/utils/rquotad/rquota_svc.c b/utils/rquotad/rquota_svc.c index d402f0b..81b6928 100644 --- a/utils/rquotad/rquota_svc.c +++ b/utils/rquotad/rquota_svc.c @@ -20,6 +20,10 @@ */ #include "config.h" +#ifdef HAVE_TCP_WRAPPER +#include "tcpwrapper.h" +#endif + #include #include #include "rquota.h" @@ -59,6 +63,15 @@ static void rquotaprog_1(struct svc_req *rqstp, register SVCXPRT *transp) xdrproc_t xdr_argument, xdr_result; char *(*local)(char *, struct svc_req *); +#ifdef HAVE_TCP_WRAPPER + /* remote host authorization check */ + if (!check_default("rquotad", svc_getcaller(transp), + rqstp->rq_proc, (u_long) 0)) { + svcerr_auth (transp, AUTH_FAILED); + return; + } +#endif + /* * Don't bother authentication for NULLPROC. */ diff --git a/utils/statd/Makefile b/utils/statd/Makefile index 3a3a794..211e22d 100644 --- a/utils/statd/Makefile +++ b/utils/statd/Makefile @@ -16,7 +16,7 @@ PROGRAM = statd PREFIX = rpc. OBJS = $(SRCS:.c=.o) CCOPTS = $(DEBUG) $(SIMUL) -LIBS = -lexport +LIBS = -lexport -lmisc $(LIBWRAP) $(LIBNSL) SRCS = $(RPCSRCS) $(SIMSRCS) \ callback.c notlist.c log.c misc.c monitor.c notify.c simu.c \ diff --git a/utils/statd/statd.c b/utils/statd/statd.c index 91cb3bc..d07a260 100644 --- a/utils/statd/statd.c +++ b/utils/statd/statd.c @@ -21,13 +21,32 @@ int _rpcpmstart = 0; /* flags for tirpc rpcgen */ int _rpcfdtype = 0; int _rpcsvcdirty = 0; -extern void sm_prog_1 (struct svc_req *, register SVCXPRT); +extern void sm_prog_1 (struct svc_req *, register SVCXPRT *); #ifdef SIMULATIONS extern void simulator (int, char **); #endif +#ifdef HAVE_TCP_WRAPPER +#include "tcpwrapper.h" + +static void +sm_prog_1_wrapper (struct svc_req *rqstp, register SVCXPRT *transp) +{ + /* remote host authorization check */ + if (!check_default("statd", svc_getcaller(transp), + rqstp->rq_proc, (u_long) 0)) { + svcerr_auth (transp, AUTH_FAILED); + return; + } + + sm_prog_1 (rqstp, transp); +} + +#define sm_prog_1 sm_prog_1_wrapper +#endif + /* * Signal handler. */ -- 2.39.5