Subject: supfilesrv + libwrap
To: None <tech-userlevel@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-userlevel
Date: 08/02/1999 18:41:11
Hi,
I added libwrap support to supfilesrv (my main need was logging connections
rather than controlling access to the sup server, but libwrap handles both
equally well :). Diffs are appended below. I have just installed this on
sup2.fr.netbsd.org (aka antioche.lip6.fr).
Does anyone object to this change? If not, I'll commit it before the
end of the week.
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--
Content-Disposition: attachment; filename="sup.diff"
Index: Makefile.inc
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/Makefile.inc,v
retrieving revision 1.4
diff -u -r1.4 Makefile.inc
--- Makefile.inc 1998/01/21 09:07:04 1.4
+++ Makefile.inc 1999/08/02 16:35:13
@@ -1,6 +1,6 @@
# $NetBSD: Makefile.inc,v 1.4 1998/01/21 09:07:04 mikel Exp $
-CPPFLAGS+=-UCMUCS -UCMU -UMACH -DVAR_TMP -DHAS_DAEMON -DHAS_POSIX_DIR
+CPPFLAGS+=-UCMUCS -UCMU -UMACH -DVAR_TMP -DHAS_DAEMON -DHAS_POSIX_DIR -DLIBWRAP
CPPFLAGS+=-I${.CURDIR}/../source -I${.CURDIR}/../lib -I${.CURDIR}/../sys
CPPFLAGS+=-DEE_XXX
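Review bot: `-DLIBWRAP` is hard-wired into CPPFLAGS for the whole sup tree here, while the matching `-lwrap` lives separately in supfilesrv/Makefile; the `#ifdef LIBWRAP` fallbacks in the C code can therefore never be built and the two files must be edited together to turn the feature off. A single overridable knob would keep them in sync, e.g. `LIBWRAP?=yes` here with `.if ${LIBWRAP} != "no"` guarding both the `-DLIBWRAP` define and the `-lwrap` link flag. Since log.c is shared with the client side, note that `allow_severity`/`deny_severity` end up in every program built from source/, which is harmless but worth a comment.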
Index: source/log.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/source/log.c,v
retrieving revision 1.4
diff -u -r1.4 log.c
--- log.c 1999/04/12 20:48:07 1.4
+++ log.c 1999/08/02 16:35:13
@@ -154,3 +154,82 @@
printf ("%s\n",buf);
(void) fflush (stdout);
}
+
+#ifdef LIBWRAP
+#include <tcpd.h>
+#ifndef LIBWRAP_ALLOW_FACILITY
+# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_ALLOW_SEVERITY
+# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
+#endif
+#ifndef LIBWRAP_DENY_FACILITY
+# define LIBWRAP_DENY_FACILITY LOG_AUTH
+#endif
+#ifndef LIBWRAP_DENY_SEVERITY
+# define LIBWRAP_DENY_SEVERITY LOG_WARNING
+#endif
+int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
+int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
+
+void
+#ifdef __STDC__
+logdeny(char *fmt,...)
+#else
+/*VARARGS*//*ARGSUSED*/
+logdeny(va_alist)
+va_dcl
+#endif
+{
+ char buf[STRINGLENGTH];
+ va_list ap;
+
+#ifdef __STDC__
+ va_start(ap,fmt);
+#else
+ char *fmt;
+
+ va_start(ap);
+ fmt = va_arg(ap,char *);
+#endif
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+ if (opened) {
+ syslog (deny_severity, buf);
+ return;
+ }
+ printf ("%s\n",buf);
+ (void) fflush (stdout);
+}
+
+void
+#ifdef __STDC__
+logallow(char *fmt,...)
+#else
+/*VARARGS*//*ARGSUSED*/
+logallow(va_alist)
+va_dcl
+#endif
+{
+ char buf[STRINGLENGTH];
+ va_list ap;
+
+#ifdef __STDC__
+ va_start(ap,fmt);
+#else
+ char *fmt;
+
+ va_start(ap);
+ fmt = va_arg(ap,char *);
+#endif
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+ if (opened) {
+ syslog (allow_severity, buf);
+ return;
+ }
+ printf ("%s\n",buf);
+ (void) fflush (stdout);
+}
+
+#endif /* LIBWRAP */
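Review bot: `syslog (deny_severity, buf)` and `syslog (allow_severity, buf)` pass the fully expanded message as the format string, and that message contains the result of `eval_client()` — a string derived from the peer's reverse DNS, i.e. attacker-influenced — so a hostname containing `%` directives is interpreted by syslog(3) as format specifiers (the `%.500s` precision at the call sites bounds the copy into `buf` but does nothing once `buf` is reinterpreted as a format). Use a literal format in both functions: `syslog (deny_severity, "%s", buf);` and `syslog (allow_severity, "%s", buf);`. Whether or not libwrap itself sanitizes hostnames, a non-literal format to syslog is not something to rely on. The two functions are otherwise identical apart from the priority; a single `static void vlogwrap(int pri, const char *fmt, va_list ap)` would remove the duplication and keep the fix in one place. Adding `__attribute__((__format__(__printf__, 1, 2)))` to the prototypes in supextern.h would let the compiler check callers.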
Index: source/supextern.h
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/source/supextern.h,v
retrieving revision 1.9
diff -u -r1.9 supextern.h
--- supextern.h 1999/08/02 05:36:05 1.9
+++ supextern.h 1999/08/02 16:35:13
@@ -35,6 +35,10 @@
void logquit __P((int, char *, ...));
void logerr __P((char *, ...));
void loginfo __P((char *, ...));
+#ifdef LIBWRAP
+void logdeny __P((char *, ...));
+void logallow __P((char *, ...));
+#endif
/* netcryptvoid.c */
int netcrypt __P((char *));
Index: source/supfilesrv.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/source/supfilesrv.c,v
retrieving revision 1.17
diff -u -r1.17 supfilesrv.c
--- supfilesrv.c 1999/04/12 20:48:08 1.17
+++ supfilesrv.c 1999/08/02 16:35:13
@@ -28,8 +28,9 @@
/*
* supfilesrv -- SUP File Server
*
- * Usage: supfilesrv [-l] [-P] [-N] [-R] [-S]
- * -l "live" -- don't fork daemon
+ * Usage: supfilesrv [-d] [-l] [-P] [-N] [-R] [-S]
+ * -d "debug" -- don't fork daemon
+ * -l "log" -- print successull connects (when compiled with libwrap)
* -P "debug ports" -- use debugging network ports
* -N "debug network" -- print debugging messages for network i/o
* -R "RCS mode" -- if file is an rcs file, use co to get contents
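Review bot: The new usage comment has a typo ("successull") and documents `-l` unconditionally although the option is only accepted when compiled with LIBWRAP, so a reader of a non-libwrap build is pointed at a flag that produces the usage error. Suggest `* -l "log" -- log successful connections (only when compiled with libwrap)`. Repurposing the letter `-l` is itself a behaviour change for existing invocations; see the note on the option-parsing hunk.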
@@ -37,6 +38,9 @@
*
**********************************************************************
* HISTORY
+ * 2-Aug-99 Manuel Bouyer at LIP6
+ * Added libwrap support
+ *
* 13-Sep-92 Mary Thompson (mrt) at Carnegie-Mellon University
* Changed name of sup program in xpatch from /usr/cs/bin/sup to
* /usr/bin/sup for exported version of sup.
@@ -250,6 +254,9 @@
# include <sys/mkdev.h>
# include <sys/statvfs.h>
#endif
+#ifdef LIBWRAP
+#include <tcpd.h>
+#endif
#include "supcdefs.h"
#include "supextern.h"
@@ -302,7 +309,10 @@
TREELIST *listTL; /* list of trees to upgrade */
int silent; /* -S flag */
-int live; /* -l flag */
+#ifdef LIBWRAP
+int clog; /* -l flag */
+#endif
+int live; /* -d flag */
int dbgportsq; /* -P flag */
extern int scmdebug; /* -N flag */
extern int netfile;
@@ -376,6 +386,9 @@
sigset_t nset, oset;
struct sigaction chld,ign;
time_t tloc;
+#ifdef LIBWRAP
+ struct request_info req;
+#endif
/* initialize global variables */
pgmversion = PGMVERSION; /* export version number */
@@ -396,8 +409,23 @@
PROTOVERSION,PGMVERSION,scmversion,fmttime (tloc));
if (live) {
x = service ();
+
if (x != SCMOK)
logquit (1,"Can't connect to network");
+#ifdef LIBWRAP
+ request_init(&req, RQ_DAEMON, "supfilesrv", RQ_FILE, netfile,
+ NULL);
+ fromhost(&req);
+ if (hosts_access(&req) == 0) {
+ logdeny("refused connection from %.500s",
+ eval_client(&req));
+ servicekill();
+ exit(1);
+ }
+ if (clog) {
+ logallow("connection from %.500s", eval_client(&req));
+ }
+#endif
answer ();
(void) serviceend ();
exit (0);
@@ -424,6 +452,21 @@
sigaddset(&nset, SIGCHLD);
sigprocmask(SIG_BLOCK, &nset, &oset);
if ((pid = fork()) == 0) { /* server process */
+#ifdef LIBWRAP
+ request_init(&req, RQ_DAEMON, "supfilesrv", RQ_FILE,
+ netfile, NULL);
+ fromhost(&req);
+ if (hosts_access(&req) == 0) {
+ logdeny("refused connection from %.500s",
+ eval_client(&req));
+ servicekill();
+ exit(1);
+ }
+ if (clog) {
+ logallow("connection from %.500s",
+ eval_client(&req));
+ }
+#endif
(void) serviceprep ();
answer ();
(void) serviceend ();
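Review bot: The libwrap block added here in the forked child is a verbatim copy of the one added in the live path a few lines earlier (request_init/fromhost/hosts_access/logdeny/servicekill/exit, then the optional logallow); a future change to the deny handling or the log message would have to be made twice. Factor it into one `static void` helper called from both places, which also lets `struct request_info req` become local to the helper instead of a `main()` variable that is only used under `#ifdef LIBWRAP`. Doing the check in the child after `fork()` is the right place, since `fromhost()` may block on DNS and must not stall the accept loop. The enclosing `main()` starts and ends outside this hunk.
```c
#ifdef LIBWRAP
/* Apply hosts_access(5) to the accepted connection on netfile; refuse and exit on denial. */
static void
check_access(void)
{
	struct request_info req;

	request_init(&req, RQ_DAEMON, "supfilesrv", RQ_FILE, netfile, NULL);
	fromhost(&req);
	if (hosts_access(&req) == 0) {
		logdeny("refused connection from %.500s", eval_client(&req));
		servicekill();
		exit(1);
	}
	if (clog)
		logallow("connection from %.500s", eval_client(&req));
}
#endif

		/* … unchanged: fork() … */
#ifdef LIBWRAP
			check_access();
#endif
			(void) serviceprep ();
```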
@@ -457,7 +500,11 @@
void
usage ()
{
- quit (1,"Usage: supfilesrv [ -l | -P | -N | -C <max children> | -H <host> <user> <cryptfile> <supargs> ]\n");
+#ifdef LIBWRAP
+ quit (1,"Usage: supfilesrv [ -l | -d | -P | -N | -C <max children> | -H <host> <user> <cryptfile> <supargs> ]\n");
+#else
+ quit (1,"Usage: supfilesrv [ -d | -P | -N | -C <max children> | -H <host> <user> <cryptfile> <supargs> ]\n");
+#endif
}
void
@@ -477,6 +524,9 @@
candorcs = FALSE;
#endif
live = FALSE;
+#ifdef LIBWRAP
+ clog = FALSE;
+#endif
dbgportsq = FALSE;
scmdebug = 0;
clienthost = NULL;
@@ -490,7 +540,12 @@
case 'S':
silent = TRUE;
break;
+#ifdef LIBWRAP
case 'l':
+ clog = TRUE;
+ break;
+#endif
+ case 'd':
live = TRUE;
break;
case 'P':
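Review bot: Reassigning `-l` from "live/don't fork" to "log connections" silently changes the meaning of existing command lines: an rc script or inetd entry that ran `supfilesrv -l` will, under LIBWRAP, now daemonize and fork per connection with logging on instead of handling one connection in the foreground, and without LIBWRAP it falls through to the usage error. Keeping `-l` as the live flag and picking an unused letter for logging (e.g. `case 'L': clog = TRUE; break;`) avoids breaking deployed configurations; if the rename is kept, the change should at least be called out in the commit message and the man page. The `switch` continues outside the hunk, so whether a `default:` case calls `usage()` is not visible here.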
Index: source/supservers.8
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/source/supservers.8,v
retrieving revision 1.5
diff -u -r1.5 supservers.8
--- supservers.8 1999/04/12 20:48:08 1.5
+++ supservers.8 1999/08/02 16:35:13
@@ -36,6 +36,9 @@
supfilesrv
[
.I
+-d
+] [
+.I
-l
] [
.I
@@ -103,7 +106,7 @@
generally runs as a network server process that listens for connections,
and for each connection (double-)forks a process to handle the interaction
with the client.
-However, with the -l flag, no forking will take place:
+However, with the -d flag, no forking will take place:
the server will listen for a network connection, handle it, and exit.
This is useful for debugging the servers in "live" mode rather than as
daemons.
@@ -122,6 +125,10 @@
To suppress
log messages, the -q "quiet" flag can be used.
+.I supfilesrv
+uses libwrap style access control (the /etc/hosts.allow and /etc/hosts.deny
+files) with service name "supfilesrv". The -l "log" flag turn on loggin of
+accepted connections (denied connections are always logged).
Normally the
.I supfilesrv
@@ -206,6 +213,8 @@
.PP
.SH "SEE ALSO"
sup(1)
+hosts_access(5)
+hosts_options(5)
.br
.I
The SUP Software Upgrade Protocol,
Index: supfilesrv/Makefile
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/sup/supfilesrv/Makefile,v
retrieving revision 1.1
diff -u -r1.1 Makefile
--- Makefile 1997/10/07 01:31:21 1.1
+++ Makefile 1999/08/02 16:35:13
@@ -8,7 +8,7 @@
.PATH: ${.CURDIR}/../source
DPADD= ${LIBSUP} ${LIBCRYPT}
-LDADD= ${SUPLIB} -lcrypt
+LDADD= ${SUPLIB} -lcrypt -lwrap
supfilesrv: .NOPATH
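Review bot: `-lwrap` is added to LDADD but the `DPADD` line directly above is left as `${LIBSUP} ${LIBCRYPT}`, so the make dependency on the libwrap archive is missing and supfilesrv will not be relinked when libwrap changes. If bsd.prog.mk defines `LIBWRAP` (as it does for the other system libraries listed), the line should read `DPADD= ${LIBSUP} ${LIBCRYPT} ${LIBWRAP}`. The link flag is also unconditional while the code is guarded by `#ifdef LIBWRAP` set in Makefile.inc; the two should be driven by the same variable.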