Subject: lib/5278: libwrap is broken w.r.t. logging and verbose printing (esp. with tcpdmatch)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@weird.com>
List: netbsd-bugs
Date: 04/09/1998 23:13:32
>Number:         5278
>Category:       lib
>Synopsis:       libwrap is broken w.r.t. logging and verbose printing (esp. with tcpdmatch)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people (Library Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr  9 20:20:00 1998
>Last-Modified:
>Originator:     Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release:        NetBSD-1.3
>Environment:

System: NetBSD most 1.3 NetBSD 1.3 (GENERIC_SCSI3) #0: Thu Jan 1 19:03:39 MET 1998 pk@flambard:/usr/src1/sys/arch/sparc/compile/GENERIC_SCSI3 sparc

>Description:

I first noted that the tcpdmatch binary in NetBSD didn't report the line
number of the rule it matched, if any.  Then I noted that the output
looked very strange -- as if some parts of the printf were missing.
After checking the source and seeing that it was effectively virgin, and
that the options to turn on logging of this information were still
there, I began to suspect the libwrap library had been incorrectly built.

>How-To-Repeat:

1. build the stock tcp_wrappers 7.4 distribution self-contained

The exact options I ended up using on the compile lines were:

	-DFACILITY=LOG_DAEMON -DHOSTS_ACCESS -DPARANOID
	-DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
	-DDAEMON_UMASK=022 -DREAL_DAEMON_DIR=\"/usr/local/sbin/tcpd.d\"
	-DPROCESS_OPTIONS -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10
	-DHOSTS_DENY=\"/etc/hosts.deny\"
	-DHOSTS_ALLOW=\"/etc/hosts.allow\" -DSYS_ERRLIST_DEFINED
	-DALWAYS_HOSTNAME

2. compare output of ./tcpdmatch and /usr/sbin/tcpdmatch

Note the extra warning in the official tcpdmatch output (the second one,
that is -- the first is an artifact of wanting to use tcpd which, though
it should be, is not included in NetBSD under the mistaken assumption
that everything possible will have libwrap directly integrated,
including inetd).

Note also the completely broken output in the NetBSD output of the
"matched:" and "option:" lines.

	$ ./tcpdmatch sendmail 205.231.111.4
	warning: REAL_DAEMON_DIR /usr/local/sbin/tcpd.d: No such file or directory
	warning: sendmail: no such process name in /etc/inetd.conf
	client:   address  205.231.111.4
	server:   process  sendmail
	matched:  /etc/hosts.allow line 140
	option:   DENY 
	access:   denied

	$ /usr/sbin/tcpdmatch sendmail 205.231.111.4
	client:   address  205.231.111.4
	server:   process  sendmail
	/etc/hosts.allow
	DENY
	access:   denied

3. re-link the official tcpdmatch binary with -lwrap and re-compare the
output:

Note that I have to add 'workarounds.o' to the link load, and note that
there's still no warning line, and this time absolutely no output for the
"matched:" or "option:" lines.

	$ cc -O -DFACILITY=LOG_DAEMON -DHOSTS_ACCESS -DPARANOID   -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK   -DDAEMON_UMASK=022  -DREAL_DAEMON_DIR=\"/usr/local/sbin/tcpd.d\" -DPROCESS_OPTIONS   -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10   -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"   -DSYS_ERRLIST_DEFINED    -DALWAYS_HOSTNAME -o tcpdmatch tcpdmatch.o inetcf.o percent_m.o scaffold.o workarounds.o -lwrap

	$ ./tcpdmatch sendmail 205.231.111.4
	client:   address  205.231.111.4
	server:   process  sendmail
	access:   denied

>Fix:

I suspect the problem is that the NetBSD build didn't use these
necessary options:

	-DBROKEN_FGETS
	-DLIBC_CALLS_STRTOK

Other options such as -DGETPEERNAME_BUG may also be necessary for
building on NetBSD, though in general the one application I'm using with
/etc/hosts.allow is working.

I've not yet tried to fix and test this properly as my build environment
is not yet ready to build in....

Of course the ideal fix would be to fix the system so that libwrap et al
didn't need to employ the workarounds it has for broken systems....
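
The -DLIBC_CALLS_STRTOK workaround mentioned above exists because libwrap's rule parser walks a rule with strtok() while libc routines it calls in between (a resolver lookup, for instance) may themselves call strtok() and reset its hidden save pointer. The following constructed illustration is added here and is not code from this report or from tcp_wrappers; libc_like_lookup() is a stand-in for such a libc routine and the client list is sample data. It shows how the clobbered state silently truncates a hosts.allow-style client list to its first pattern, and how the reentrant strtok_r() form is unaffected:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Stand-in for a libc routine (say, a resolver lookup) that tokenizes with
 * strtok() internally.  Constructed for this example; it models the
 * condition that tcp_wrappers' LIBC_CALLS_STRTOK build flag works around. */
static void libc_like_lookup(const char *name)
{
    static char scratch[32];
    (void)name;
    strcpy(scratch, "ns1.example.net");      /* constructed sample data */
    for (char *t = strtok(scratch, "."); t; t = strtok(NULL, "."))
        ;                                    /* exhausts strtok()'s hidden state */
}

/* Count the client patterns in a hosts.allow-style client list, calling the
 * lookup after each pattern as a real parser would to resolve it.
 * Non-reentrant version: the lookup clobbers strtok()'s saved pointer, so
 * the loop stops after the first pattern and the rest are never seen. */
int count_patterns_strtok(const char *list)
{
    char buf[128];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (char *p = strtok(buf, " ,\t"); p; p = strtok(NULL, " ,\t")) {
        n++;
        libc_like_lookup(p);
    }
    return n;
}

/* Reentrant version: a private save pointer, immune to interleaved strtok(). */
int count_patterns_strtok_r(const char *list)
{
    char buf[128], *save;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (char *p = strtok_r(buf, " ,\t", &save); p; p = strtok_r(NULL, " ,\t", &save)) {
        n++;
        libc_like_lookup(p);
    }
    return n;
}

int main(void)
{
    const char *list = "alpha.example.com, bravo.example.com, charlie.example.com";
    printf("strtok:   %d patterns\n", count_patterns_strtok(list));   /* 1 */
    printf("strtok_r: %d patterns\n", count_patterns_strtok_r(list)); /* 3 */
    return 0;
}
```

An access-control parser that drops patterns this way fails silently, which is why a private tokenizer (or strtok_r) matters for libwrap and why a missing "matched:" line is worth chasing rather than ignoring.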

>Audit-Trail:
>Unformatted: