Upstream-Status: Inactive-Upstream [current release is from 1997; no vcs anywhere]
diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
--- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100
+++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100
@@ -3,7 +3,7 @@
hosts_access, hosts_ctl, request_init, request_set \- access control library
.SH SYNOPSIS
.nf
-#include "tcpd.h"
+#include <tcpd.h>
extern int allow_severity;
extern int deny_severity;
diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100
+++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100
@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam
impatient reader is encouraged to skip to the EXAMPLES section for a
quick introduction.
.PP
-An extended version of the access control language is described in the
-\fIhosts_options\fR(5) document. The extensions are turned on at
-program build time by building with -DPROCESS_OPTIONS.
+The extended version of the access control language is described in the
+\fIhosts_options\fR(5) document. \fBNote that this language supersedes
+the meaning of \fIshell_command\fB as documented below.\fR
.PP
In the following text, \fIdaemon\fR is the the process name of a
network daemon process, and \fIclient\fR is the name and/or address of
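Review bot: The added bold note says the extended language "supersedes the meaning of shell_command as documented below" but never says what replaces it, so a reader of this page alone cannot tell how the command field of a rule is now interpreted. Suggest naming the replacement in the same sentence, for example by pointing at the spawn option, which is the form the hosts_options.5 part of this patch documents.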
@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain
/etc/hosts.deny:
.in +3
.nf
-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
- /usr/ucb/mail -s %d-%h root) &
+in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
+ /usr/bin/mail -s %d-%h root) &
.fi
.PP
The safe_finger command comes with the tcpd wrapper and should be
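Review bot: The updated hosts.deny example still uses the bare shell_command form, `in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\`, with no option keyword, although the first hunk of this file now states that the extended language supersedes shell_command. Suggest writing the rule with the spawn keyword, as in the spawn example in hosts_options.5, so the two pages agree. The new paths also assume safe_finger is installed in /usr/sbin and mail in /usr/bin, which is worth confirming against the package's file list.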
@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor
.fi
.SH SEE ALSO
.nf
+hosts_options(5) extended syntax.
tcpd(8) tcp/ip daemon wrapper program.
tcpdchk(8), tcpdmatch(8), test programs.
.SH BUGS
diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
--- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100
+++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100
@@ -2,10 +2,8 @@
.SH NAME
hosts_options \- host access control language extensions
.SH DESCRIPTION
-This document describes optional extensions to the language described
-in the hosts_access(5) document. The extensions are enabled at program
-build time. For example, by editing the Makefile and turning on the
-PROCESS_OPTIONS compile-time option.
+This document describes extensions to the language described
+in the hosts_access(5) document.
.PP
The extensible language uses the following format:
.sp
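Review bot: The DESCRIPTION now presents the extensions as always available, but nothing in this patch touches the build, so the statement holds only if the package is compiled with -DPROCESS_OPTIONS elsewhere. Suggest confirming that in the patch header, or keeping a short clause such as "enabled in this build", so the page stays accurate if the build flags change.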
@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam
Execute, in a child process, the specified shell command, after
performing the %<letter> expansions described in the hosts_access(5)
manual page. The command is executed with stdin, stdout and stderr
-connected to the null device, so that it won\'t mess up the
+connected to the null device, so that it won't mess up the
conversation with the client host. Example:
.sp
.nf
.ti +3
-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
+spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
.fi
.sp
executes, in a background child process, the shell command "safe_finger
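Review bot: The change from `won\'t` to `won't` in the spawn description is an escaping cleanup unrelated to the path update, and it is applied only here: tcpd.8 in this same patch keeps `in.\'` and `kill -HUP\'` in its context lines. Suggest dropping it from this hunk or normalising the escape across all pages in a separate change.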
diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c
--- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100
+++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100
@@ -26,13 +26,17 @@ extern void exit();
* guesses. Shorter names follow longer ones.
*/
char *inet_files[] = {
+#if 0
"/private/etc/inetd.conf", /* NEXT */
"/etc/inet/inetd.conf", /* SYSV4 */
"/usr/etc/inetd.conf", /* IRIX?? */
+#endif
"/etc/inetd.conf", /* BSD */
+#if 0
"/etc/net/tlid.conf", /* SYSV4?? */
"/etc/saf/tlid.conf", /* SYSV4?? */
"/etc/tlid.conf", /* SYSV4?? */
+#endif
0,
};
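Review bot: The two `#if 0` blocks in inet_files[] disable the alternative inetd.conf and tlid.conf locations without a comment saying why, and the comment above the array ("Shorter names follow longer ones") now describes a list with a single live entry. Suggest deleting the unused entries outright or adding a one-line comment giving the reason, so a later reader does not re-enable them by accident. The tcpdchk.8 and tcpdmatch.8 hunks still document -i inet_conf for a configuration file in a non-default location.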
diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8
--- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100
+++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100
@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s
TLI. Functionality may be limited when the protocol underneath TLI is
not an internet protocol.
.PP
-Operation is as follows: whenever a request for service arrives, the
+There are two possible modes of operation: execution of \fItcpd\fP
+before a service started by \fIinetd\fP, or linking a daemon with
+the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
+manual page. Operation when started by \fIinetd\fP
+is as follows: whenever a request for service arrives, the
\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
instead of the desired server. \fItcpd\fP logs the request and does
some additional checks. When all is well, \fItcpd\fP runs the
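Review bot: The added text announces two modes of operation but runs straight into the inetd walkthrough within the same paragraph ("manual page. Operation when started by \fIinetd\fP is as follows"), and the libwrap mode gets no further description in the lines shown. Suggest ending the paragraph after the hosts_access(3) reference with a .PP and starting the inetd description as its own paragraph. The added lines also close italics with both \fP and \fR; one convention would read more cleanly.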
@@ -88,11 +92,11 @@ configuration files.
.sp
.in +5
# mkdir /other/place
-# mv /usr/etc/in.fingerd /other/place
-# cp tcpd /usr/etc/in.fingerd
+# mv /usr/sbin/in.fingerd /other/place
+# cp tcpd /usr/sbin/in.fingerd
.fi
.PP
-The example assumes that the network daemons live in /usr/etc. On some
+The example assumes that the network daemons live in /usr/sbin. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, or have
no `in.\' prefix to their name.
.SH EXAMPLE 2
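Review bot: After replacing /usr/etc with /usr/sbin, the paragraph reads "The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec", because the following context line was left unchanged. Suggest updating that line too, for example to "live in /usr/etc or in /usr/libexec", so the list of alternatives does not repeat the assumed location.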
@@ -101,35 +105,34 @@ are left in their original place.
.PP
In order to monitor access to the \fIfinger\fR service, perform the
following edits on the \fIinetd\fR configuration file (usually
-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
+\fI/etc/inetd.conf\fR):
.nf
.sp
.ti +5
-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
+finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
.sp
becomes:
.sp
.ti +5
-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
.sp
.fi
.PP
-The example assumes that the network daemons live in /usr/etc. On some
+The example assumes that the network daemons live in /usr/sbin. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, the
daemons have no `in.\' prefix to their name, or there is no userid
field in the inetd configuration file.
.PP
Similar changes will be needed for the other services that are to be
covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
-process to make the changes effective. AIX users may also have to
-execute the `inetimp\' command.
+process to make the changes effective.
.SH EXAMPLE 3
In the case of daemons that do not live in a common directory ("secret"
or otherwise), edit the \fIinetd\fR configuration file so that it
specifies an absolute path name for the process name field. For example:
.nf
.sp
- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
+ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd
.sp
.fi
.PP
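Review bot: The EXAMPLE 2 paragraph has the same leftover as EXAMPLE 1: "The example assumes that the network daemons live in /usr/sbin. On some systems, network daemons live in /usr/sbin or in /usr/libexec" repeats the assumed directory as an alternative. Suggest fixing the unchanged line that follows. The inetd.conf lines in EXAMPLE 2 and EXAMPLE 3 also replace the placeholder /some/where/tcpd with /usr/sbin/tcpd, so it is worth confirming that tcpd is actually installed there, since an administrator will copy these lines verbatim.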
@@ -164,6 +167,7 @@ The default locations of the host access
.SH SEE ALSO
.na
.nf
+hosts_access(3), functions provided by the libwrap library.
hosts_access(5), format of the tcpd access control tables.
syslog.conf(5), format of the syslogd control file.
inetd.conf(5), format of the inetd control file.
diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8
--- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100
+++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100
@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v]
potential and real problems it can find. The program examines the
\fItcpd\fR access control files (by default, these are
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
-entries in these files against entries in the \fIinetd\fR or \fItlid\fR
-network configuration files.
+entries in these files against entries in the \fIinetd\fR
+network configuration file.
.PP
\fItcpdchk\fR reports problems such as non-existent pathnames; services
that appear in \fItcpd\fR access control rules, but are not controlled
@@ -26,14 +26,13 @@ problem.
.SH OPTIONS
.IP -a
Report access control rules that permit access without an explicit
-ALLOW keyword. This applies only when the extended access control
-language is enabled (build with -DPROCESS_OPTIONS).
+ALLOW keyword.
.IP -d
Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
directory instead of the default ones.
.IP "-i inet_conf"
Specify this option when \fItcpdchk\fR is unable to find your
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
+\fIinetd.conf\fR network configuration file, or when
you suspect that the program uses the wrong one.
.IP -v
Display the contents of each access control rule. Daemon lists, client
@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do
hosts_access(5), format of the tcpd access control tables.
hosts_options(5), format of the language extensions.
inetd.conf(5), format of the inetd control file.
-tlid.conf(5), format of the tlid control file.
.SH AUTHORS
.na
.nf
diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
--- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100
+++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100
@@ -13,7 +13,7 @@ request for service. Examples are given
The program examines the \fItcpd\fR access control tables (default
\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its
conclusion. For maximal accuracy, it extracts additional information
-from your \fIinetd\fR or \fItlid\fR network configuration file.
+from your \fIinetd\fR network configuration file.
.PP
When \fItcpdmatch\fR finds a match in the access control tables, it
identifies the matched rule. In addition, it displays the optional
@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d
directory instead of the default ones.
.IP "-i inet_conf"
Specify this option when \fItcpdmatch\fR is unable to find your
-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
+\fIinetd.conf\fR network configuration file, or when
you suspect that the program uses the wrong one.
.SH EXAMPLES
To predict how \fItcpd\fR would handle a telnet request from the local
@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker
hosts_access(5), format of the tcpd access control tables.
hosts_options(5), format of the language extensions.
inetd.conf(5), format of the inetd control file.
-tlid.conf(5), format of the tlid control file.
.SH AUTHORS
.na
.nf