Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/usr.sbin/inetd Inetd enhancements by James Browning, Gabe Co...
details: https://anonhg.NetBSD.org/src/rev/c45f7bf357d9
branches: trunk
changeset: 985526:c45f7bf357d9
user: christos <christos%NetBSD.org@localhost>
date: Sun Aug 29 09:54:18 2021 +0000
description:
Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
https://www.mail-archive.com/tech-userlevel%netbsd.org@localhost/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1
>From their notes:
All new functionality should be explained by the updated manpage.
The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.
getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.
memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.
The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.
Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()
parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.
Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.
The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.
setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.
Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()
We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.
Security related:
The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?
We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.
diffstat:
distrib/sets/lists/debug/mi | 4 +-
distrib/sets/lists/tests/mi | 9 +-
etc/mtree/NetBSD.dist.tests | 4 +-
tests/usr.sbin/Makefile | 3 +-
tests/usr.sbin/inetd/Makefile | 18 +
tests/usr.sbin/inetd/inetd_ratelimit.conf | 101 +
tests/usr.sbin/inetd/t_inetd.c | 296 +++++
tests/usr.sbin/inetd/test_server.c | 160 ++
usr.sbin/inetd/Makefile | 7 +-
usr.sbin/inetd/inetd.8 | 324 +++++-
usr.sbin/inetd/inetd.c | 1556 +++++++++++++++++++++-------
usr.sbin/inetd/inetd.h | 223 ++++
usr.sbin/inetd/parse_v2.c | 1153 +++++++++++++++++++++
13 files changed, 3379 insertions(+), 479 deletions(-)
diffs (truncated from 4622 to 300 lines):
diff -r 01c4ef7c567c -r c45f7bf357d9 distrib/sets/lists/debug/mi
--- a/distrib/sets/lists/debug/mi Sun Aug 29 09:48:02 2021 +0000
+++ b/distrib/sets/lists/debug/mi Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.359 2021/08/12 13:27:42 martin Exp $
+# $NetBSD: mi,v 1.360 2021/08/29 09:54:18 christos Exp $
./etc/mtree/set.debug comp-sys-root
./usr/lib comp-sys-usr compatdir
./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile
@@ -2489,6 +2489,8 @@
./usr/libdata/debug/usr/tests/usr.bin/id/h_id.debug tests-usr.bin-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/usr.bin/mkdep/h_findcc.debug tests-usr.bin-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/usr.bin/tar/h_tar.debug tests-usr.bin-debug debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/usr.sbin/inetd/t_inetd.debug tests-usr.sbin-debug debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/usr.sbin/inetd/test_server.debug tests-usr.sbin-debug debug,atf,compattestfile
./usr/libdata/debug/usr/tests/util/df/h_df.debug tests-obsolete obsolete,compattestfile
./usr/libdata/debug/usr/tests/util/id/h_id.debug tests-obsolete obsolete,compattestfile
./usr/libdata/debug/usr/tests/util/systrace/h_have_systrace.debug tests-obsolete obsolete,compattestfile
diff -r 01c4ef7c567c -r c45f7bf357d9 distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi Sun Aug 29 09:48:02 2021 +0000
+++ b/distrib/sets/lists/tests/mi Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1118 2021/08/28 19:45:18 rillig Exp $
+# $NetBSD: mi,v 1.1119 2021/08/29 09:54:18 christos Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -201,6 +201,7 @@
./usr/libdata/debug/usr/tests/usr.bin/netpgpverify tests-usr.bin-debug compattestfile,atf
./usr/libdata/debug/usr/tests/usr.bin/tar tests-usr.bin-debug compattestfile,atf
./usr/libdata/debug/usr/tests/usr.sbin tests-usr.sbin-debug compattestfile,atf
+./usr/libdata/debug/usr/tests/usr.sbin/inetd tests-usr.sbin-debug compattestfile,atf
./usr/libdata/debug/usr/tests/util tests-obsolete obsolete
./usr/libdata/debug/usr/tests/util/df tests-obsolete obsolete
./usr/libdata/debug/usr/tests/util/id tests-obsolete obsolete
@@ -7107,6 +7108,12 @@
./usr/tests/usr.sbin/execsnoop/Atffile tests-usr.sbin-tests compattestfile,atf
./usr/tests/usr.sbin/execsnoop/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua
./usr/tests/usr.sbin/execsnoop/t_execsnoop tests-usr.sbin-tests compattestfile,atf
+./usr/tests/usr.sbin/inetd tests-usr.sbin-tests compattestfile,atf
+./usr/tests/usr.sbin/inetd/Atffile tests-usr.sbin-tests compattestfile,atf
+./usr/tests/usr.sbin/inetd/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua
+./usr/tests/usr.sbin/inetd/inetd_ratelimit.conf tests-usr.sbin-tests compattestfile,atf
+./usr/tests/usr.sbin/inetd/t_inetd tests-usr.sbin-tests compattestfile,atf
+./usr/tests/usr.sbin/inetd/test_server tests-usr.sbin-tests compattestfile,atf
./usr/tests/usr.sbin/mtree tests-usr.sbin-tests compattestfile,atf
./usr/tests/usr.sbin/mtree/Atffile tests-usr.sbin-tests compattestfile,atf
./usr/tests/usr.sbin/mtree/Kyuafile tests-usr.sbin-tests compattestfile,atf,kyua
diff -r 01c4ef7c567c -r c45f7bf357d9 etc/mtree/NetBSD.dist.tests
--- a/etc/mtree/NetBSD.dist.tests Sun Aug 29 09:48:02 2021 +0000
+++ b/etc/mtree/NetBSD.dist.tests Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.dist.tests,v 1.187 2021/08/12 11:50:42 martin Exp $
+# $NetBSD: NetBSD.dist.tests,v 1.188 2021/08/29 09:54:18 christos Exp $
./usr/libdata/debug/usr/tests
./usr/libdata/debug/usr/tests/atf
@@ -180,6 +180,7 @@
./usr/libdata/debug/usr/tests/usr.bin/mkdep
./usr/libdata/debug/usr/tests/usr.bin/netpgpverify
./usr/libdata/debug/usr/tests/usr.sbin
+./usr/libdata/debug/usr/tests/usr.sbin/inetd
./usr/tests
./usr/tests/atf
./usr/tests/atf/atf-c
@@ -468,6 +469,7 @@
./usr/tests/usr.sbin
./usr/tests/usr.sbin/cpuctl
./usr/tests/usr.sbin/execsnoop
+./usr/tests/usr.sbin/inetd
./usr/tests/usr.sbin/mtree
./usr/tests/usr.sbin/opensnoop
./usr/tests/usr.sbin/stdethers
diff -r 01c4ef7c567c -r c45f7bf357d9 tests/usr.sbin/Makefile
--- a/tests/usr.sbin/Makefile Sun Aug 29 09:48:02 2021 +0000
+++ b/tests/usr.sbin/Makefile Sun Aug 29 09:54:18 2021 +0000
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.6 2020/06/30 14:30:49 jruoho Exp $
+# $NetBSD: Makefile,v 1.7 2021/08/29 09:54:18 christos Exp $
.include <bsd.own.mk>
TESTSDIR= ${TESTSBASE}/usr.sbin
TESTS_SUBDIRS+= cpuctl
TESTS_SUBDIRS+= execsnoop
+TESTS_SUBDIRS+= inetd
TESTS_SUBDIRS+= mtree
TESTS_SUBDIRS+= opensnoop
TESTS_SUBDIRS+= stdethers
diff -r 01c4ef7c567c -r c45f7bf357d9 tests/usr.sbin/inetd/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/Makefile Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.1 2021/08/29 09:54:18 christos Exp $
+
+.include <bsd.own.mk>
+
+TESTSDIR=${TESTSBASE}/usr.sbin/inetd
+
+TESTS_C += t_inetd
+
+#inetd service, supports dgram and stream via args
+MKMAN = no
+PROGS += test_server
+BINDIR=${TESTSDIR}
+
+#Other files that should be copied to /usr/tests
+FILESDIR=${TESTSDIR}
+FILES=test_server inetd_ratelimit.conf
+
+.include <bsd.test.mk>
diff -r 01c4ef7c567c -r c45f7bf357d9 tests/usr.sbin/inetd/inetd_ratelimit.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/inetd_ratelimit.conf Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,101 @@
+# $NetBSD: inetd_ratelimit.conf,v 1.1 2021/08/29 09:54:18 christos Exp $
+
+127.0.0.1:
+
+#DGRAM WAIT SERVICE
+
+#Test ip_max of 3
+5432 on
+ protocol = udp,
+ wait = yes,
+ user = root,
+ service_max = 5,
+ ip_max = 3,
+ exec = test_server,
+ args = test_server dgram wait;
+
+#Test ip_max of 0
+5433 on
+ protocol = udp,
+ wait = yes,
+ user = root,
+ ip_max = 0,
+ exec = test_server,
+ args = test_server dgram wait;
+
+#Test service_max of 2
+5434 on
+ protocol = udp,
+ wait = yes,
+ user = root,
+ service_max = 2,
+ exec = test_server,
+ args = test_server dgram wait;
+
+#Test service_max of 0
+5435 on
+ protocol = udp,
+ wait = yes,
+ user = root,
+ service_max = 0,
+ exec = test_server,
+ args = test_server dgram wait;
+
+#STREAM WAIT SERVICE
+
+#Test service_max of 2
+5434 on
+ protocol = tcp,
+ wait = yes,
+ user = root,
+ service_max = 2,
+ exec = test_server,
+ args = test_server stream wait;
+
+#Test service_max of 0
+5435 on
+ protocol = tcp,
+ wait = yes,
+ user = root,
+ service_max = 0,
+ exec = test_server,
+ args = test_server stream wait;
+
+#STREAM NOWAIT SERVICE
+
+#Test ip_max of 3
+5436 on
+ protocol = tcp,
+ wait = no,
+ user = root,
+ service_max = 5,
+ ip_max = 3,
+ exec = test_server,
+ args = test_server stream nowait;
+
+#Test ip_max of 0
+5437 on
+ protocol = tcp,
+ wait = no,
+ user = root,
+ ip_max = 0,
+ exec = test_server,
+ args = test_server stream nowait;
+
+#Test service_max of 2
+5438 on
+ protocol = tcp,
+ wait = no,
+ user = root,
+ service_max = 2,
+ exec = test_server,
+ args = test_server stream nowait;
+
+#Test service_max of 0
+5439 on
+ protocol = tcp,
+ wait = no,
+ user = root,
+ service_max = 0,
+ exec = test_server,
+ args = test_server stream nowait;
diff -r 01c4ef7c567c -r c45f7bf357d9 tests/usr.sbin/inetd/t_inetd.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/t_inetd.c Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,296 @@
+/* $NetBSD: t_inetd.c,v 1.1 2021/08/29 09:54:18 christos Exp $ */
+
+/*-
+ * Copyright (c) 2021 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by James Browning, Gabe Coffland, Alex Gavin, and Solomon Ritzow.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: t_inetd.c,v 1.1 2021/08/29 09:54:18 christos Exp $");
+
+#include <atf-c.h>
+#include <spawn.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#define CHECK_ERROR(expr) ATF_REQUIRE_MSG((expr) != -1,\
+ "%s", strerror(errno))
+
+#define TCP 6
+#define UDP 17
+
+static pid_t run(const char *, char **);
+static char *concat(const char *restrict, const char *restrict);
+static void waitfor(pid_t, const char *);
+static bool run_udp_client(const char *);
+static int create_socket(const char *, const char *, int, int, time_t, struct sockaddr_storage *);
+static bool run_tcp_client(const char *);
+
+/* This test should take around 5 to 7 seconds to complete. */
+ATF_TC(test_ratelimit);
+
+ATF_TC_HEAD(test_ratelimit, tc)
+{
+ atf_tc_set_md_var(tc, "descr", "Test inetd rate limiting values, "
+ "uses UDP/TCP ports 5432-5439 with localhost.");
+ /* Need to run as root so inetd can set uid */
+ atf_tc_set_md_var(tc, "require.user", "root");
+ atf_tc_set_md_var(tc, "require.progs", "inetd");
+ /* Time out after 10 seconds, just in case */
+ atf_tc_set_md_var(tc, "timeout", "10");
+}
+
+ATF_TC_BODY(test_ratelimit, tc)
+{
+ pid_t proc;
+
+ /* Copy test server to relative path used in inetd_ratelimit.conf */
+ atf_utils_copy_file(
Home |
Main Index |
Thread Index |
Old Index