From aec6853281f09936fd519cca41357f5b654be378 Mon Sep 17 00:00:00 2001 
From: nbd Date: Thu, 24 Mar 2005 23:17:53 +0000 Subject: add libwrap, portmap, nfs-server git-svn-id: svn://svn.openwrt.org/openwrt/trunk@450 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- openwrt/package/Config.in | 2 + openwrt/package/Makefile | 4 + openwrt/package/nfs-server/Config.in | 6 + openwrt/package/nfs-server/Makefile | 71 ++ openwrt/package/nfs-server/files/etc/exports | 1 + .../package/nfs-server/files/etc/init.d/S60nfsd | 4 + openwrt/package/nfs-server/nfs-server.control | 16 + .../package/nfs-server/patches/build-config.patch | 67 ++ .../nfs-server/patches/cross-compile-fix.patch | 149 ++++ .../package/nfs-server/patches/debian-subset.patch | 698 +++++++++++++++ .../nfs-server/patches/remove-warning.patch | 30 + openwrt/package/portmap/Config.in | 5 + openwrt/package/portmap/Makefile | 49 ++ .../package/portmap/patches/debian-subset.patch | 531 ++++++++++++ openwrt/package/portmap/portmap.control | 11 + openwrt/package/tcp_wrappers/Makefile | 60 ++ .../tcp_wrappers/patches/debian-subset.patch | 936 +++++++++++++++++++++ 17 files changed, 2640 insertions(+) create mode 100644 openwrt/package/nfs-server/Config.in create mode 100644 openwrt/package/nfs-server/Makefile create mode 100644 openwrt/package/nfs-server/files/etc/exports create mode 100755 openwrt/package/nfs-server/files/etc/init.d/S60nfsd create mode 100644 openwrt/package/nfs-server/nfs-server.control create mode 100644 openwrt/package/nfs-server/patches/build-config.patch create mode 100644 openwrt/package/nfs-server/patches/cross-compile-fix.patch create mode 100644 openwrt/package/nfs-server/patches/debian-subset.patch create mode 100644 openwrt/package/nfs-server/patches/remove-warning.patch create mode 100644 openwrt/package/portmap/Config.in create mode 100644 openwrt/package/portmap/Makefile create mode 100644 openwrt/package/portmap/patches/debian-subset.patch create mode 100644 openwrt/package/portmap/portmap.control create mode 100644 openwrt/package/tcp_wrappers/Makefile create mode 
100644 openwrt/package/tcp_wrappers/patches/debian-subset.patch diff --git a/openwrt/package/Config.in b/openwrt/package/Config.in index 46d62ffaf..67b1a620e 100644 --- a/openwrt/package/Config.in +++ b/openwrt/package/Config.in @@ -28,6 +28,8 @@ source "package/pptpd/Config.in" source "package/cups/Config.in" source "package/cifsmount/Config.in" source "package/ez-ipupdate/Config.in" +source "package/portmap/Config.in" +source "package/nfs-server/Config.in" comment "Libraries" source "package/zlib/Config.in" diff --git a/openwrt/package/Makefile b/openwrt/package/Makefile index 8aab7f146..5009a321a 100644 --- a/openwrt/package/Makefile +++ b/openwrt/package/Makefile @@ -21,11 +21,13 @@ package-$(BR2_PACKAGE_LZO) += lzo package-$(BR2_PACKAGE_MATRIXSSL) += matrixssl package-$(BR2_PACKAGE_MICROPERL) += microperl package-$(BR2_PACKAGE_NCURSES) += ncurses +package-$(BR2_PACKAGE_NFSD) += nfs-server package-$(BR2_PACKAGE_OPENSSL) += openssl package-$(BR2_PACKAGE_OPENNTPD) += openntpd package-$(BR2_PACKAGE_OPENVPN) += openvpn package-$(BR2_PACKAGE_PCRE) += pcre package-$(BR2_PACKAGE_POPT) += popt +package-$(BR2_PACKAGE_PORTMAP) += portmap package-$(BR2_PACKAGE_PPP) += ppp package-$(BR2_PACKAGE_PPTP) += pptp package-$(BR2_PACKAGE_PPTPD) += pptpd @@ -42,6 +44,8 @@ tcpdump-compile: libpcap-compile dropbear-compile: zlib-compile openssl-compile: zlib-compile openvpn-compile: openssl-compile +nfs-server-compile: portmap-compile +portmap-compile: tcp_wrappers-compile $(patsubst %,%-prepare,$(package-y) $(package-m)): linux-install %-prepare: diff --git a/openwrt/package/nfs-server/Config.in b/openwrt/package/nfs-server/Config.in new file mode 100644 index 000000000..d052541a0 --- /dev/null +++ b/openwrt/package/nfs-server/Config.in @@ -0,0 +1,6 @@ +config BR2_PACKAGE_NFSD + tristate "NFS Server" + default m + select BR2_PACKAGE_PORTMAP + help + User Space NFS Server 
diff --git a/openwrt/package/nfs-server/Makefile b/openwrt/package/nfs-server/Makefile
new file mode 100644
index 000000000..2d5845137
--- /dev/null
+++ b/openwrt/package/nfs-server/Makefile
@@ -0,0 +1,71 @@
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nfs-server
+PKG_VERSION:=2.2beta47
+PKG_RELEASE:=1
+PKG_MD5SUM:=79a29fe9f79b2f3241d4915767b8c511
+
+PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/n/nfs-user-server
+PKG_SOURCE:=nfs-user-server_$(PKG_VERSION).orig.tar.gz
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_CAT:=zcat
+PKG_IPK:=$(PACKAGE_DIR)/$(PKG_NAME)_$(PKG_VERSION)-$(PKG_RELEASE)_$(ARCH).ipk
+PKG_IPK_DIR:=$(PKG_BUILD_DIR)/ipkg
+
+$(DL_DIR)/$(PKG_SOURCE):
+ $(SCRIPT_DIR)/download.pl $(DL_DIR) $(PKG_SOURCE) $(PKG_MD5SUM) $(PKG_SOURCE_URL)
+
+$(PKG_BUILD_DIR)/.patched: $(DL_DIR)/$(PKG_SOURCE)
+ $(PKG_CAT) $(DL_DIR)/$(PKG_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) -
+ $(PATCH) $(PKG_BUILD_DIR) ./patches
+ touch $(PKG_BUILD_DIR)/.patched
+
+$(PKG_BUILD_DIR)/.configured: $(PKG_BUILD_DIR)/.patched
+ (cd $(PKG_BUILD_DIR); rm -rf config.cache; \
+ $(TARGET_CONFIGURE_OPTS) \
+ CFLAGS="$(TARGET_CFLAGS)" \
+ ./configure \
+ --target=$(GNU_TARGET_NAME) \
+ --host=$(GNU_TARGET_NAME) \
+ --build=$(GNU_HOST_NAME) \
+ --prefix=/usr \
+ --exec-prefix=/usr \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --libexecdir=/usr/lib \
+ --sysconfdir=/etc \
+ --datadir=/usr/share \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --infodir=/usr/info \
+ $(DISABLE_NLS) \
+ $(DISABLE_LARGEFILE) \
+ );
+ touch $(PKG_BUILD_DIR)/.configured
+
+$(PKG_BUILD_DIR)/rpc.nfsd: $(PKG_BUILD_DIR)/.configured
+ $(MAKE) CC=$(TARGET_CC) -C $(PKG_BUILD_DIR)
+
+$(PKG_IPK): $(PKG_BUILD_DIR)/rpc.nfsd
+ $(SCRIPT_DIR)/make-ipkg-dir.sh $(PKG_IPK_DIR) $(PKG_NAME).control $(PKG_VERSION)-$(PKG_RELEASE) $(ARCH)
+ mkdir -p $(PKG_IPK_DIR)/usr/sbin
+ cp $(PKG_BUILD_DIR)/rpc.* $(PKG_IPK_DIR)/usr/sbin/
+ $(STRIP) $(PKG_IPK_DIR)/usr/sbin/*
+ cp -a ./files/* $(PKG_IPK_DIR)/
+ mkdir -p $(PACKAGE_DIR)
+ find $(PKG_IPK_DIR) -name CVS | xargs rm -rf
+ $(IPKG_BUILD) $(PKG_IPK_DIR) $(PACKAGE_DIR)
+
+$(IPKG_STATE_DIR)/info/$(PKG_NAME).list: $(PKG_IPK)
+ $(IPKG) install $(PKG_IPK)
+
+source: $(DL_DIR)/$(PKG_SOURCE)
+prepare: $(PKG_BUILD_DIR)/.patched
+compile: $(PKG_IPK)
+install: $(IPKG_STATE_DIR)/info/$(PKG_NAME).list
+
+clean:
+ rm -rf $(PKG_BUILD_DIR)
+ rm -f $(PKG_IPK)
diff --git a/openwrt/package/nfs-server/files/etc/exports b/openwrt/package/nfs-server/files/etc/exports
new file mode 100644
index 000000000..75a387a48
--- /dev/null
+++ b/openwrt/package/nfs-server/files/etc/exports
@@ -0,0 +1 @@
+/mnt (ro,all_squash,insecure)
diff --git a/openwrt/package/nfs-server/files/etc/init.d/S60nfsd b/openwrt/package/nfs-server/files/etc/init.d/S60nfsd
new file mode 100755
index 000000000..1b1e1bd3a
--- /dev/null
+++ b/openwrt/package/nfs-server/files/etc/init.d/S60nfsd
@@ -0,0 +1,4 @@
+#!/bin/sh
+/usr/sbin/portmap
+/usr/sbin/rpc.mountd -r
+/usr/sbin/rpc.nfsd
diff --git a/openwrt/package/nfs-server/nfs-server.control b/openwrt/package/nfs-server/nfs-server.control
new file mode 100644
index 000000000..72a6cf9d4
--- /dev/null
+++ b/openwrt/package/nfs-server/nfs-server.control
@@ -0,0 +1,16 @@
+Package: nfs-server
+Section: net
+Priority: optional
+Maintainer: Felix Fietkau
+Source: buildroot internal
+Depends: portmap
+Description: User space NFS server
+ This package contains all necessary programs to make your Linux machine act
+ as an NFS server, being an NFS daemon (rpc.nfsd), a mount daemon (rpc.mountd).
+ .
+ Unlike other NFS daemons, this NFS server runs entirely in user space. This
+ makes it a tad slower than other NFS implementations, and also introduces
+ some awkwardnesses in the semantics (for instance, moving a file to a
+ different directory will render its file handle invalid).
+ .
+ There is currently no support for file locking.
diff --git a/openwrt/package/nfs-server/patches/build-config.patch b/openwrt/package/nfs-server/patches/build-config.patch
new file mode 100644
index 000000000..5aa1cde63
--- /dev/null
+++ b/openwrt/package/nfs-server/patches/build-config.patch
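Review bot: The upstream tarball is fetched over plain `http://` and pinned only by `PKG_MD5SUM`, so an MD5 digest is the sole integrity control on code that will run as a network-facing daemon on the device; MD5 is not collision-resistant, and a stronger digest would be preferable if `download.pl` (not shown here) can verify one. The same applies to the `ftp://` source in `openwrt/package/portmap/Makefile`. Separately, the `.configured` recipe uses `(cd $(PKG_BUILD_DIR); rm -rf config.cache; \`, so if the `cd` fails the `rm -rf` and `./configure` run in the package directory instead; `(cd $(PKG_BUILD_DIR) && rm -rf config.cache && \` stops at the first failure.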
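Review bot: The shipped default `/mnt (ro,all_squash,insecure)` names no client, so as soon as the package is installed and the init script runs, `/mnt` is readable by every host that can reach the daemon, and `insecure` additionally accepts requests from unprivileged source ports. On a router that reach can include the WAN side unless the firewall blocks the RPC ports, and nothing in this commit restricts it. A safer default is to ship the entry commented out or limited to the LAN, for example `/mnt 192.168.1.0/255.255.255.0(ro,all_squash)` (constructed example, to be adjusted to the device's LAN).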
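Review bot: `S60nfsd` starts all three daemons unconditionally at boot and passes `-r` to `rpc.mountd`, which as far as I know permits re-exporting remotely mounted filesystems; together with the default export of `/mnt` that would hand any CIFS or NFS mount placed under `/mnt` to every NFS client, so please confirm this is intended. The script also ignores exit status, so `rpc.mountd` and `rpc.nfsd` are launched even when `/usr/sbin/portmap` fails to start. A header comment such as `# starts portmap, mountd (-r: allow re-export) and nfsd; no stop action` would at least document the behaviour.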
@@ -0,0 +1,67 @@
+--- nfs-server-2.2beta47.old/site.mk 1970-01-01 01:00:00.000000000 +0100
++++ nfs-server-2.2beta47/site.mk 2005-03-24 22:42:20.000000000 +0100
+@@ -0,0 +1,11 @@
++#
++# Site-specific make options generated by BUILD. Please do not edit.
++#
++
++# ugidd support
++UGIDD_PROG=
++UGIDD_MAN=
++# Location of tcp_wrapper library
++LIBWRAP_DIR=-L/usr/share/stuff/src/openwrt/experimental/buildroot/build_mipsel/staging_dir/lib
++LIBWRAP_LIB=-lwrap
++DEVTAB_FILE=
+--- nfs-server-2.2beta47.old/site.h 1970-01-01 01:00:00.000000000 +0100
++++ nfs-server-2.2beta47/site.h 2005-03-24 22:44:19.000000000 +0100
+@@ -0,0 +1,50 @@
++/*
++ * Site-specific configuration options generated by BUILD.
++ * Please do not edit.
++ */
++
++/*
++ * If ENABLE_DEVTAB is defined, nfsd will use the new inode
++ * number generation scheme for avoiding inode number clashes
++ * on big hard disks.
++ */
++/* #undef ENABLE_DEVTAB */
++
++/*
++ * If MULTIPLE_SERVER_READWRITE is defined, you will be able
++ * to run several nfsd process in parallel servicing all NFS
++ * requests.
++ */
++#define MULTIPLE_SERVERS_READWRITE
++
++/*
++ * If ENABLE_UGID_DAEMON is defined, the real rpc.ugidd is built,
++ * nfsd is built to support ugidd queries.
++ * Otherwise, a dummy program is created
++ */
++/* #undef ENABLE_UGID_DAEMON */
++
++/*
++ * If ENABLE_UGID_NIS is defined, nfsd will support user mapping
++ * vie the client's NIS server.
++ */
++/* #undef ENABLE_UGID_NIS */
++
++/*
++ * if HOSTS_ACCESS is defined, ugidd uses host access control
++ * provided by libwrap.a from tcp_wrappers
++ */
++#define HOSTS_ACCESS
++
++/*
++ * Define correct ownership of export control file
++ */
++#define EXPORTSOWNERUID ((uid_t) 0)
++#define EXPORTSOWNERGID ((gid_t) 0)
++
++/*
++ * If WANT_LOG_MOUNTS is defined, every mount request will be logged
++ * to syslogd with the name of source site and a path that was
++ * it requested
++ */
++#define WANT_LOG_MOUNTS
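Review bot: `LIBWRAP_DIR` in the generated `site.mk` is hard-coded to `-L/usr/share/stuff/src/openwrt/experimental/buildroot/build_mipsel/staging_dir/lib`, a path from one developer's checkout and one target architecture. On any other tree that directory will not exist, so linking `-lwrap` either fails or silently picks up whatever libwrap the linker finds on its default search path, which need not be the staging build. I would drop the path from the patch and pass it from the package Makefile instead, e.g. `$(MAKE) CC=$(TARGET_CC) LIBWRAP_DIR="-L$(STAGING_DIR)/lib" -C $(PKG_BUILD_DIR)`; `STAGING_DIR` is assumed to be provided by `rules.mk`, which is not shown here.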
diff --git a/openwrt/package/nfs-server/patches/cross-compile-fix.patch b/openwrt/package/nfs-server/patches/cross-compile-fix.patch
new file mode 100644
index 000000000..646a34a9a
--- /dev/null
+++ b/openwrt/package/nfs-server/patches/cross-compile-fix.patch
@@ -0,0 +1,149 @@ +diff -urN nfs-server-2.2beta47.old/configure nfs-server-2.2beta47/configure +--- nfs-server-2.2beta47.old/configure 1999-06-11 12:06:04.000000000 +0200 ++++ nfs-server-2.2beta47/configure 2005-03-24 22:24:39.000000000 +0100 +@@ -1960,7 +1960,7 @@ + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 
1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext <&6 + else + if test "$cross_compiling" = yes; then +- { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } ++ { echo "configure: error: can not run test program while cross compiling" 1>&2; } + else + cat > conftest.$ac_ext < + + #ifdef HAVE_SYSLOG_H + #include +--- nfs-server-2.2beta47.old/fh.c 1999-11-10 10:41:14.000000000 +0100 ++++ nfs-server-2.2beta47/fh.c 2005-03-24 22:50:50.000000000 +0100 +@@ -50,6 +50,7 @@ + */ + + #include ++#include + #include "nfsd.h" + #include "rpcmisc.h" + #include "signals.h" +@@ -350,7 +351,7 @@ + #ifndef ENABLE_DEVTAB + psi_t dmajor, dminor; + +-#if SIZEOF_DEV_T == 4 ++#if (SIZEOF_DEV_T == 4) + /* This folds the upper 16 bits into bits 8..15, and + * the lower 16 bits into bits 0..7 + */ +--- nfs-server-2.2beta47.old/ugid_map.c 2005-03-24 22:34:56.000000000 +0100 ++++ nfs-server-2.2beta47/ugid_map.c 2005-03-24 22:54:00.000000000 +0100 +@@ -34,14 +34,8 @@ + #define UGID_CHUNK0_BYTES (UGID_CHUNK * sizeof(idmap_t)) + #define UGID_EXPIRE 300 /* 5 minutes */ + +-/* +- * Make sure we get the right size for ugid_t +- */ +-#if SIZEOF_UID_T != SIZEOF_GID_T +-#error Sorry, this code relies on sizeof(uid_t) == sizeof(gid_t) +-#endif + +-#define UGID_BITS (SIZEOF_UID_T * BITSPERBYTE) ++#define UGID_BITS (sizeof(uid_t) * BITSPERBYTE) + #define BITSTOLEVEL(b) 
((UGID_BITS - (b)) / UGID_CHUNK_BITS - 1) + #define UGID_LOWER(id, b) ((id) & ~((1 << (b)) - 1)) + #define UGID_UPPER(id, b) (((id + (1 << (b))) & ~((1 << (b)) - 1))-1) diff --git a/openwrt/package/nfs-server/patches/debian-subset.patch b/openwrt/package/nfs-server/patches/debian-subset.patch new file mode 100644 index 000000000..2ac3f93d4 --- /dev/null +++ b/openwrt/package/nfs-server/patches/debian-subset.patch 
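Review bot: Dropping `exit 1` from the cross-compiling branches of `configure` lets the run-time probes fall through with only a message, so macros they would have produced (the `SIZEOF_*` values, by the look of the later hunks) may end up undefined. In `fh.c` an undefined `SIZEOF_DEV_T` makes `#if (SIZEOF_DEV_T == 4)` evaluate false and silently select the other branch, and in `ugid_map.c` the `#error` guard that enforced `sizeof(uid_t) == sizeof(gid_t)` is removed outright although the comment says the code relies on it. I would set the sizes explicitly for the target when invoking `./configure` and keep the invariant as a compile-time check that needs no preprocessor value, e.g. `typedef char ugid_size_check[sizeof(uid_t) == sizeof(gid_t) ? 1 : -1];`. Parts of this listing are garbled on the page, so the exact probes affected could not be confirmed.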
@@ -0,0 +1,698 @@ +--- nfs-user-server-2.2beta47.orig/BUILD ++++ nfs-user-server-2.2beta47/BUILD +@@ -48,7 +48,7 @@ + shift + done + +-function read_yesno { ++read_yesno() { + ans="" + echo >&2 + default=$2 +@@ -84,7 +84,7 @@ + echo $ans + } + +-function read_ugid { ++read_ugid() { + ans="" + prompt="$2 [default $3 $4] " + default=$3 +@@ -145,7 +145,7 @@ + + if ! $batch; then + echo -n "Please press return to continue" +- read ++ read ans + fi + + version=`cat .version` +--- nfs-user-server-2.2beta47.orig/Makefile.in ++++ nfs-user-server-2.2beta47/Makefile.in +@@ -95,20 +95,20 @@ + LIBSRCS = fileblocks.c fsusage.c realpath.c strerror.c \ + utimes.c mkdir.c rename.c getopt.c getopt_long.c \ + alloca.c mountlist.c xmalloc.c \ +- xstrdup.c strdup.c strstr.c nfsmounted.c faccess.c \ ++ xstrdup.c strdup.c strstr.c nfsmounted.c \ + haccess.c failsafe.c signals.c + XDRFILES = mount.x nfs_prot.x + GENFILES = mount.h mount_xdr.c mount_svc.c nfs_prot.h nfs_prot_xdr.c \ + ugid.h ugid_xdr.c ugid_clnt.c + HDRS = system.h nfsd.h auth.h fh.h logging.h fakefsuid.h \ +- rpcmisc.h faccess.h rquotad.h rquota.h haccess.h ++ rpcmisc.h rquotad.h rquota.h haccess.h + LIBHDRS = fsusage.h getopt.h mountlist.h failsafe.h signals.h + MANPAGES5 = exports + MANPAGES8p = mountd nfsd $(UGIDD_MAN) + MANPAGES8 = showmount + MANPAGES = $(MANPAGES5) $(MANPAGES8p) $(MANPAGES8) + LIBOBJS = version.o fsusage.o mountlist.o xmalloc.o xstrdup.o \ +- nfsmounted.o faccess.o haccess.o failsafe.o \ ++ nfsmounted.o haccess.o failsafe.o \ + signals.o @LIBOBJS@ @ALLOCA@ + OBJS = logging.o fh.o devtab.o auth_init.o auth_clnt.o auth.o + NFSD_OBJS = nfsd.o rpcmisc.o nfs_dispatch.o getattr.o setattr.o \ +@@ -116,7 +116,7 @@ + MOUNTD_OBJS = mountd.o rpcmisc.o mount_dispatch.o mount_xdr.o rmtab.o \ + $(OBJS) + SHOWMOUNT_OBJS = showmount.o mount_xdr.o +-UGIDD_OBJS = ugidd.o ugid_xdr.o logging.o ++UGIDD_OBJS = ugidd.o ugid_xdr.o logging.o rpcmisc.o + DAEMONS = $(rpcprefix)mountd $(rpcprefix)nfsd $(UGIDD_PROG) + CLIENTS 
= showmount + +--- nfs-user-server-2.2beta47.orig/auth.c ++++ nfs-user-server-2.2beta47/auth.c +@@ -143,6 +143,21 @@ + return okay; + } + ++static inline int ++auth_atob(const char *name, struct in_addr *ap) ++{ ++ int m; ++ ++ if (!isdigit(*name)) ++ return 0; ++ for (m = 0; isdigit(*name); name++) ++ m = m * 10 + (unsigned char) *name - '0'; ++ if (m > 32) ++ return 0; ++ ap->s_addr = m ? ~((1 << (32 - m)) - 1) : 0; ++ return 1; ++} ++ + /* + * Get a client entry for a specific name or pattern. + * If necessary, this function performs a hostname lookup to +@@ -614,7 +629,9 @@ + if (auth_aton(hname, &haddr, &ename)) { + if (*ename == '\0') + is_hostaddr = 1; +- else if (*ename == '/' && auth_aton(ename+1, &hmask, NULL)) ++ else if (*ename == '/' && ++ (auth_aton(ename+1, &hmask, NULL) || ++ auth_atob(ename+1, &hmask))) + is_netmask = 1; + } + is_special = is_wildcard + is_netgroup + is_netmask; +--- nfs-user-server-2.2beta47.orig/auth_init.c ++++ nfs-user-server-2.2beta47/auth_init.c +@@ -23,6 +23,7 @@ + #define EXPORTSFILE "/etc/exports" + #endif + ++#if 0 + /* Support for file access control on /etc/exports by Alex Yuriev. */ + #include "faccess.h" + #ifndef EXPORTSOWNERUID +@@ -31,6 +32,7 @@ + #ifndef EXPORTSOWNERGID + #define EXPORTSOWNERGID ((gid_t) 0) + #endif ++#endif + + exportnode * export_list = NULL; + int allow_non_root = 0; +@@ -395,6 +397,7 @@ + auth_file = fname; /* Save for re-initialization */ + + /* Check protection of exports file. */ ++#if 0 /* A man's house is his castle. */ + switch(iCheckAccess(auth_file, EXPORTSOWNERUID, EXPORTSOWNERGID)) { + case FACCESSWRITABLE: + Dprintf(L_ERROR, +@@ -409,6 +412,7 @@ + Dprintf(L_ERROR, "exiting because of security violation.\n"); + exit(1); + } ++#endif + + if ((ef = fopen(fname, "r")) == NULL) { + Dprintf(L_ERROR, "Could not open exports file %s: %s\n", +@@ -468,7 +472,7 @@ + + /* Build the RPC mount export list data structure. 
*/ + resex = (exportnode *) xmalloc(sizeof *resex); +- resex->ex_dir = mount_point; ++ resex->ex_dir = xstrdup(path); + resex->ex_groups = NULL; + + #ifndef NEW_STYLE_EXPORTS_FILE +--- nfs-user-server-2.2beta47.orig/configure.in ++++ nfs-user-server-2.2beta47/configure.in +@@ -53,7 +53,7 @@ + AC_CHECK_LIB(crypt, main) + AC_CHECK_LIB(nys, main) + AC_REPLACE_FUNCS(strerror realpath mkdir rename utimes strdup strstr getopt getopt_long) +-AC_HAVE_FUNCS(getcwd seteuid setreuid getdtablesize setgroups lchown setsid setfsuid setfsgid innetgr quotactl authdes_getucred) ++AC_HAVE_FUNCS(getcwd seteuid setreuid getdtablesize setgroups lchown setsid setfsuid setfsgid innetgr quotactl authdes_getucred strsignal) + AC_AUTHDES_GETUCRED + AC_BROKEN_SETFSUID + AC_MOUNTLIST +--- nfs-user-server-2.2beta47.orig/exports.man ++++ nfs-user-server-2.2beta47/exports.man +@@ -8,7 +8,7 @@ + The file + .I /etc/exports + serves as the access control list for file systems which may be +-exported to NFS clients. It it used by both the NFS mount daemon, ++exported to NFS clients. It is used by both the NFS mount daemon, + .IR mountd (8) + and the NFS file server daemon + .IR nfsd (8). +@@ -75,11 +75,12 @@ + off, specify + .IR insecure . + .TP ++.IR ro ++Disallow the client to modify files and directories. The client is only ++allowed to issue read-only requests. ++.TP + .IR rw +-Allow the client to modify files and directories. The default is to +-restrict the client to read-only request, which can be made explicit +-by using the +-.IR ro " option. ++Allow the client to modify files and directories. This is the default. + .TP + .I noaccess + This makes everything below the directory inaccessible for the named +@@ -98,6 +99,14 @@ + .TP + .IR link_absolute + Leave all symbolic link as they are. This is the default operation. ++.SS Anonymous Entries ++.PP ++Entries where hosts are not specified are known as anonymous entries. They ++have different default settings compared to normal entries. 
The differences ++include ++.IR all_squash , ++.IR no_secure ", and" ++.IR ro . + .SS User ID Mapping + .PP + .I nfsd +--- nfs-user-server-2.2beta47.orig/failsafe.c ++++ nfs-user-server-2.2beta47/failsafe.c +@@ -10,8 +10,12 @@ + #include "logging.h" + #include "signals.h" + #include ++#ifdef HAVE_STRSIGNAL ++#include ++#else + + static const char * get_signame(int signo); ++#endif + + void + failsafe(int level, int ncopies) +@@ -111,9 +115,17 @@ + pid, running? "Continue" : "Exit"); + } else { + Dprintf(L_WARNING, "failsafe: " ++#ifdef HAVE_STRSIGNAL ++ "child %d terminated by: %s. " ++#else + "child %d terminated by %s. " ++#endif + "Restarting.", ++#ifdef HAVE_STRSIGNAL ++ pid, strsignal(signo)); ++#else + pid, get_signame(signo)); ++#endif + child = -1; /* Restart */ + } + } else if (WIFEXITED(status)) { +@@ -159,6 +171,7 @@ + /* NOP */ + } + ++#ifndef HAVE_STRSIGNAL + static const char * + get_signame(int signo) + { +@@ -199,3 +212,4 @@ + sprintf(namebuf, "signal #%d", signo); + return namebuf; + } ++#endif +--- nfs-user-server-2.2beta47.orig/mount_dispatch.c ++++ nfs-user-server-2.2beta47/mount_dispatch.c +@@ -131,7 +131,7 @@ + dent = &dtbl[proc_index]; + + memset(&argument, 0, dent->arg_size); +- if (!svc_getargs(transp, (xdrproc_t) dent->xdr_argument, &argument)) { ++ if (!svc_getargs(transp, (xdrproc_t) dent->xdr_argument, (caddr_t) &argument)) { + svcerr_decode(transp); + goto done; + } +@@ -148,7 +148,7 @@ + if (!svc_sendreply(transp, dent->xdr_result, (caddr_t) resp)) { + svcerr_systemerr(transp); + } +- if (!svc_freeargs(transp, (xdrproc_t) dent->xdr_argument, &argument)) { ++ if (!svc_freeargs(transp, (xdrproc_t) dent->xdr_argument, (caddr_t) &argument)) { + Dprintf(L_ERROR, "unable to free RPC arguments, exiting\n"); + exit(1); + } +--- nfs-user-server-2.2beta47.orig/mount_xdr.c ++++ nfs-user-server-2.2beta47/mount_xdr.c +@@ -190,7 +190,7 @@ + xdr_ppathcnf(XDR *xdrs, ppathcnf *objp) + { + +- register long *buf=buf; ++ int32_t *buf=buf; + + int i=i; + 
+--- nfs-user-server-2.2beta47.orig/mountd.c ++++ nfs-user-server-2.2beta47/mountd.c +@@ -310,6 +310,7 @@ + int c; + + program_name = argv[0]; ++ chdir("/"); + + /* Parse the command line options and arguments. */ + opterr = 0; +--- nfs-user-server-2.2beta47.orig/nfs_dispatch.c ++++ nfs-user-server-2.2beta47/nfs_dispatch.c +@@ -147,7 +147,7 @@ + nfsclient = NULL; + + memset(&argument, 0, dent->arg_size); +- if (!svc_getargs(transp, (xdrproc_t) dent->xdr_argument, &argument)) { ++ if (!svc_getargs(transp, (xdrproc_t) dent->xdr_argument, (caddr_t) &argument)) { + svcerr_decode(transp); + goto done; + } +@@ -173,7 +173,7 @@ + svc_sendreply(transp, dent->xdr_result, (caddr_t) &result); + #endif + +- if (!svc_freeargs(transp, (xdrproc_t) dent->xdr_argument, &argument)) { ++ if (!svc_freeargs(transp, (xdrproc_t) dent->xdr_argument, (caddr_t) &argument)) { + Dprintf(L_ERROR, "unable to free RPC arguments, exiting\n"); + exit(1); + } +--- nfs-user-server-2.2beta47.orig/nfs_prot_xdr.c ++++ nfs-user-server-2.2beta47/nfs_prot_xdr.c +@@ -98,7 +98,7 @@ + xdr_fattr(XDR *xdrs, fattr *objp) + { + +- register long *buf=buf; ++ int32_t *buf=buf; + + + if (xdrs->x_op == XDR_ENCODE) { +@@ -273,7 +273,7 @@ + xdr_sattr(XDR *xdrs, sattr *objp) + { + +- register long *buf=buf; ++ int32_t *buf=buf; + + + if (xdrs->x_op == XDR_ENCODE) { +@@ -553,7 +553,7 @@ + xdr_writeargs(XDR *xdrs, writeargs *objp) + { + +- register long *buf = buf; ++ int32_t *buf = buf; + + + if (xdrs->x_op == XDR_ENCODE) { +@@ -777,7 +777,7 @@ + xdr_statfsokres(XDR *xdrs, statfsokres *objp) + { + +- register long *buf=buf; ++ int32_t *buf=buf; + + + if (xdrs->x_op == XDR_ENCODE) { +--- nfs-user-server-2.2beta47.orig/nfsd.c ++++ nfs-user-server-2.2beta47/nfsd.c +@@ -36,6 +36,7 @@ + #define CHK_READ 0 + #define CHK_WRITE 1 + #define CHK_NOACCESS 2 ++#define CHK_ROOT 4 + + /* Make larger reads possible. 
Without crashing the machine :-) */ + #undef NFS_MAXDATA +@@ -173,7 +174,8 @@ + return NULL; + } + +- auth_user(nfsmount, rqstp); ++ if (!(flags & CHK_ROOT) || strcmp(nfsmount->path, fhc->path)) ++ auth_user(nfsmount, rqstp); + + *statp = NFS_OK; + return fhc; +@@ -244,7 +246,7 @@ + nfsstat status; + fhcache *fhc; + +- fhc = auth_fh(rqstp, argp, &status, CHK_READ); ++ fhc = auth_fh(rqstp, argp, &status, CHK_READ | CHK_ROOT); + if (fhc == NULL) + return status; + +@@ -575,7 +577,12 @@ + #endif + + /* MvS: Some clients use chardev 0xFFFF for a FIFO. */ ++#if defined(major) && defined(minor) ++ if (S_ISCHR(argp->attributes.mode) && ++ major(dev) == 0xff && minor(dev) == 0xff) { ++#else + if (S_ISCHR(argp->attributes.mode) && dev == 0xFFFF) { ++#endif + is_borc = 0; + dev = 0; + argp->attributes.mode &= ~S_IFMT; +@@ -882,7 +889,9 @@ + + /* This code is from Mark Shand's version */ + errno = 0; +- if (efs_lstat(h->path, &sbuf) < 0 || !(S_ISDIR(sbuf.st_mode))) ++ if (efs_lstat(h->path, &sbuf) < 0) ++ return (NFSERR_ACCES); ++ if (!S_ISDIR(sbuf.st_mode)) + return (NFSERR_NOTDIR); + if ((dirp = efs_opendir(h->path)) == NULL) + return ((errno ? 
nfs_errno() : NFSERR_NAMETOOLONG)); +@@ -940,7 +949,7 @@ + char *path; + struct fs_usage fs; + +- fhc = auth_fh(rqstp, argp, &status, CHK_READ | CHK_NOACCESS); ++ fhc = auth_fh(rqstp, argp, &status, CHK_READ | CHK_NOACCESS | CHK_ROOT); + if (fhc == NULL) + return status; + path = fhc->path; +--- nfs-user-server-2.2beta47.orig/rpcmisc.c ++++ nfs-user-server-2.2beta47/rpcmisc.c +@@ -64,25 +64,25 @@ + asize = sizeof(saddr); + sock = 0; + if (getsockname(0, (struct sockaddr *) &saddr, &asize) == 0) { +- int ssize = sizeof (int); ++ int ssize = sizeof (i); + + if (saddr.sin_family != AF_INET) + goto not_inetd; +- if (getsockopt(0, SOL_SOCKET, SO_TYPE, &_rpcfdtype, &ssize) < 0) ++ if (getsockopt(0, SOL_SOCKET, SO_TYPE, &i, &ssize) < 0) + goto not_inetd; ++ _rpcfdtype = i; + background_logging(); /* no more logging to stderr */ + closedown = time(NULL) + _RPCSVC_CLOSEDOWN; + _rpcpmstart = 1; + } else { + not_inetd: +- _rpcfdtype = 0; + for (i = 0; (vers = verstbl[i]) != 0; i++) + pmap_unset(prog, vers); + sock = RPC_ANYSOCK; + } + + if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_DGRAM)) { +- if (_rpcfdtype == 0 && defport != 0) ++ if (_rpcpmstart == 0 && defport != 0) + sock = makesock(defport, IPPROTO_UDP, bufsiz); + transp = svcudp_create(sock); + if (transp == NULL) +@@ -97,7 +97,7 @@ + } + + if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_STREAM)) { +- if (_rpcfdtype == 0 && defport != 0) ++ if (_rpcpmstart == 0 && defport != 0) + sock = makesock(defport, IPPROTO_TCP, bufsiz); + transp = svctcp_create(sock, 0, 0); + if (transp == NULL) +@@ -220,11 +220,14 @@ + } + #endif /* SO_SNDBUF */ + +- if (bind(s, (struct sockaddr *) &sin, sizeof(sin)) == -1) +- Dprintf(L_FATAL, "Could not bind %s socket to %s:%d: %s\n", ++ if (bind(s, (struct sockaddr *) &sin, sizeof(sin)) == -1) { ++ Dprintf(L_ERROR, "Could not bind %s socket to %s:%d: %s\n", + prot_name, inet_ntoa(sin.sin_addr), + ntohs(sin.sin_port), + strerror(errno)); ++ close(s); ++ s = RPC_ANYSOCK; ++ } + + return (s); + } 
+--- nfs-user-server-2.2beta47.orig/showmount.c ++++ nfs-user-server-2.2beta47/showmount.c +@@ -200,7 +200,7 @@ + memset(&exportlist, '\0', sizeof(exportlist)); + clnt_stat = clnt_call(mclient, MOUNTPROC_EXPORT, + (xdrproc_t) xdr_void, NULL, +- (xdrproc_t) xdr_exports, &exportlist, ++ (xdrproc_t) xdr_exports, (caddr_t) &exportlist, + total_timeout); + if (clnt_stat != RPC_SUCCESS) { + clnt_perror(mclient, "rpc mount export"); +@@ -233,7 +233,7 @@ + memset(&dumplist, '\0', sizeof(dumplist)); + clnt_stat = clnt_call(mclient, MOUNTPROC_DUMP, + (xdrproc_t) xdr_void, NULL, +- (xdrproc_t) xdr_mountlist, &dumplist, ++ (xdrproc_t) xdr_mountlist, (caddr_t) &dumplist, + total_timeout); + if (clnt_stat != RPC_SUCCESS) { + clnt_perror(mclient, "rpc mount dump"); +--- nfs-user-server-2.2beta47.orig/ugid_clnt.c ++++ nfs-user-server-2.2beta47/ugid_clnt.c +@@ -16,7 +16,7 @@ + static int clnt_res; + + memset((char *)&clnt_res, 0, sizeof(clnt_res)); +- if (clnt_call(clnt, AUTHENTICATE, (xdrproc_t) xdr_int, argp, (xdrproc_t) xdr_int, &clnt_res, TIMEOUT) != RPC_SUCCESS) { ++ if (clnt_call(clnt, AUTHENTICATE, (xdrproc_t) xdr_int, (caddr_t) argp, (xdrproc_t) xdr_int, (caddr_t) &clnt_res, TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); +@@ -28,7 +28,7 @@ + static int clnt_res; + + memset((char *)&clnt_res, 0, sizeof(clnt_res)); +- if (clnt_call(clnt, NAME_UID, (xdrproc_t) xdr_ugname, argp, (xdrproc_t) xdr_int, &clnt_res, TIMEOUT) != RPC_SUCCESS) { ++ if (clnt_call(clnt, NAME_UID, (xdrproc_t) xdr_ugname, (caddr_t) argp, (xdrproc_t) xdr_int, (caddr_t) &clnt_res, TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); +@@ -40,7 +40,7 @@ + static int clnt_res; + + memset((char *)&clnt_res, 0, sizeof(clnt_res)); +- if (clnt_call(clnt, GROUP_GID, (xdrproc_t) xdr_ugname, argp, (xdrproc_t) xdr_int, &clnt_res, TIMEOUT) != RPC_SUCCESS) { ++ if (clnt_call(clnt, GROUP_GID, (xdrproc_t) xdr_ugname, (caddr_t) argp, (xdrproc_t) xdr_int, (caddr_t) &clnt_res, TIMEOUT) 
!= RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); +@@ -52,7 +52,7 @@ + static ugname clnt_res; + + memset((char *)&clnt_res, 0, sizeof(clnt_res)); +- if (clnt_call(clnt, UID_NAME, (xdrproc_t) xdr_int, argp, (xdrproc_t) xdr_ugname, &clnt_res, TIMEOUT) != RPC_SUCCESS) { ++ if (clnt_call(clnt, UID_NAME, (xdrproc_t) xdr_int, (caddr_t) argp, (xdrproc_t) xdr_ugname, (caddr_t) &clnt_res, TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); +@@ -64,7 +64,7 @@ + static ugname clnt_res; + + memset((char *)&clnt_res, 0, sizeof(clnt_res)); +- if (clnt_call(clnt, GID_GROUP, (xdrproc_t) xdr_int, argp, (xdrproc_t) xdr_ugname, &clnt_res, TIMEOUT) != RPC_SUCCESS) { ++ if (clnt_call(clnt, GID_GROUP, (xdrproc_t) xdr_int, (caddr_t) argp, (xdrproc_t) xdr_ugname, (caddr_t) &clnt_res, TIMEOUT) != RPC_SUCCESS) { + return (NULL); + } + return (&clnt_res); +--- nfs-user-server-2.2beta47.orig/ugid_map.c ++++ nfs-user-server-2.2beta47/ugid_map.c +@@ -602,7 +602,7 @@ + * the server's port after clntudp_create, so we fetch it + * explicitly. 
+ */ +- clnt_control(clnt, CLGET_SERVER_ADDR, &addr); ++ clnt_control(clnt, CLGET_SERVER_ADDR, (caddr_t) &addr); + if (!SECURE_PORT(addr.sin_port)) { + Dprintf(L_ERROR, "%s on %s runs on unprivileged port.\n", + name, inet_ntoa(addr.sin_addr)); +--- nfs-user-server-2.2beta47.orig/ugidd.c ++++ nfs-user-server-2.2beta47/ugidd.c +@@ -20,6 +20,8 @@ + #include "ugid.h" + #include "logging.h" + #include "haccess.h" ++#include "rpcmisc.h" ++#include "signals.h" + #ifdef HAVE_LIBWRAP_BUG + #include + #endif +@@ -27,6 +29,8 @@ + + static void ugidprog_1(struct svc_req *rqstp, SVCXPRT *transp); + static void usage(void); ++static void terminate(void); ++static RETSIGTYPE sigterm(int sig); + + #ifndef HAVE_RPCGEN_C + #define authenticate_1_svc authenticate_1 +@@ -39,17 +43,23 @@ + + static struct option longopts[] = { + { "debug", 0, 0, 'd' }, ++ { "port", required_argument, 0, 'P' }, + { NULL, 0, 0, 0 } + }; + ++static int ugidd_versions[] = { ++ UGIDVERS, ++ 0 ++}; ++ + int + main(argc, argv) + int argc; + char **argv; + { +- SVCXPRT *transp; + int c, longind; + int foreground = 0; ++ int port = 0; + + #ifndef HOSTS_ACCESS + fprintf(stderr, +@@ -59,40 +69,34 @@ + sleep(1); + #endif + +- while ((c = getopt_long(argc, argv, "d", longopts, &longind)) != EOF) { ++ chdir("/"); ++ ++ while ((c = getopt_long(argc, argv, "dP:", longopts, &longind)) != EOF) { + switch (c) { + case 'd': + foreground = 1; + enable_logging("ugid"); + break; ++ case 'P': ++ port = atoi(optarg); ++ if (port <= 0 || port > 65535) { ++ fprintf(stderr, "ugidd: bad port number: %s\n", ++ optarg); ++ usage(); ++ } ++ break; + default: + usage(); + } + } + +- (void)pmap_unset(UGIDPROG, UGIDVERS); ++ log_open("ugidd", foreground); + +- transp = svcudp_create(RPC_ANYSOCK); +- if (transp == NULL) { +- (void)fprintf(stderr, "cannot create udp service.\n"); +- exit(1); +- } +- if (!svc_register(transp, UGIDPROG, UGIDVERS, ugidprog_1, IPPROTO_UDP)) { +- fprintf(stderr, "unable to register (UGIDPROG, UGIDVERS, 
UDP)\n"); +- exit(1); +- } +- +- transp = svctcp_create(RPC_ANYSOCK, 0, 0); +- if (transp == NULL) { +- fprintf(stderr, "cannot create tcp service.\n"); +- exit(1); +- } +- if (!svc_register(transp, UGIDPROG, UGIDVERS, ugidprog_1, IPPROTO_TCP)) { +- fprintf(stderr, "unable to register (UGIDPROG, UGIDVERS, TCP)\n"); +- exit(1); +- } ++ /* Create services and register with portmapper */ ++ _rpcfdtype = SOCK_DGRAM; ++ rpc_init("ugidd", UGIDPROG, ugidd_versions, ugidprog_1, port, 0); + +- if (!foreground) { ++ if (!foreground && !_rpcpmstart) { + if ((c = fork()) > 0) + exit(0); + if (c < 0) { +@@ -117,7 +121,8 @@ + #endif + } + +- log_open("ugidd", foreground); ++ install_signal_handler(SIGTERM, sigterm); ++ atexit(terminate); + + svc_run(); + Dprintf(L_ERROR, "svc_run returned\n"); +@@ -127,7 +132,7 @@ + static void + usage() + { +- fprintf(stderr, "rpc.ugidd: [-d]\n"); ++ fprintf(stderr, "rpc.ugidd: [-d] [-P port]\n"); + exit (2); + } + +@@ -188,7 +193,7 @@ + return; + } + bzero((char *)&argument, sizeof(argument)); +- if (!svc_getargs(transp, xdr_argument, &argument)) { ++ if (!svc_getargs(transp, xdr_argument, (caddr_t) &argument)) { + svcerr_decode(transp); + return; + } +@@ -196,7 +201,7 @@ + if (result != NULL && !svc_sendreply(transp, xdr_result, result)) { + svcerr_systemerr(transp); + } +- if (!svc_freeargs(transp, xdr_argument, &argument)) { ++ if (!svc_freeargs(transp, xdr_argument, (caddr_t) &argument)) { + (void)fprintf(stderr, "unable to free arguments\n"); + exit(1); + } +@@ -321,6 +326,19 @@ + } + + ++static RETSIGTYPE ++sigterm(int sig) ++{ ++ exit(0); ++} ++ ++static void ++terminate(void) ++{ ++ rpc_exit(UGIDPROG, ugidd_versions); ++} ++ ++ + + #else /* ENABLE_UGID_DAEMON */ + diff --git a/openwrt/package/nfs-server/patches/remove-warning.patch b/openwrt/package/nfs-server/patches/remove-warning.patch new file mode 100644 index 000000000..5484b792c --- /dev/null +++ b/openwrt/package/nfs-server/patches/remove-warning.patch 
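Review bot: The `auth_init.c` part of this patch wraps the `iCheckAccess(auth_file, EXPORTSOWNERUID, EXPORTSOWNERGID)` block in `#if 0`, so the daemons no longer refuse to start when the exports file is writable by someone other than its owner; on a device where that file decides who may read `/mnt`, that safeguard is worth keeping, or the reason for dropping it should be stated in a comment next to the `#if 0`. In the new `auth_atob()`, `m = m * 10 + ...` can overflow before the `m > 32` test on a long digit string, `1 << (32 - m)` is undefined for `m == 1` on a 32-bit `int`, and the mask appears to be stored in host byte order while `s_addr` is conventionally network order. If `auth_aton()` yields network order (not visible here), something like `ap->s_addr = m ? htonl(~((1UL << (32 - m)) - 1)) : 0;` with the range check moved inside the loop would address all three. The listing is collapsed on this page and the `#include` targets are lost, so line-level details should be checked against the original patch.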
@@ -0,0 +1,30 @@
+--- nfs-server-2.2beta47.old/auth_clnt.c 1999-11-10 10:18:06.000000000 +0100
++++ nfs-server-2.2beta47/auth_clnt.c 2005-03-24 23:44:16.000000000 +0100
+@@ -238,19 +238,23 @@
+
+ /* First, set the user ID. */
+ if (auth_uid != cred_uid) {
+- if (setfsuid(cred_uid) < 0)
++ if (setfsuid(cred_uid) < 0) {
++#if 0
+ Dprintf(L_ERROR, "Unable to setfsuid %d: %s\n",
+ cred_uid, strerror(errno));
+- else
++#endif
++ } else
+ auth_uid = cred_uid;
+ }
+
+ /* Next, the group ID. */
+ if (auth_gid != cred_gid) {
+- if (setfsgid(cred_gid) < 0)
++ if (setfsgid(cred_gid) < 0) {
++#if 0
+ Dprintf(L_ERROR, "Unable to setfsgid %d: %s\n",
+ cred_gid, strerror(errno));
+- else
++#endif
++ } else
+ auth_gid = cred_gid;
+ }
+
diff --git a/openwrt/package/portmap/Config.in b/openwrt/package/portmap/Config.in
new file mode 100644
index 000000000..3427e082c
--- /dev/null
+++ b/openwrt/package/portmap/Config.in
@@ -0,0 +1,5 @@
+config BR2_PACKAGE_PORTMAP
+ tristate "RPC Portmapper"
+ default m
+ help
+ The RPC Portmapper (used by the NFS Server)
diff --git a/openwrt/package/portmap/Makefile b/openwrt/package/portmap/Makefile
new file mode 100644
index 000000000..0cdaa340f
--- /dev/null
+++ b/openwrt/package/portmap/Makefile
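Review bot: In remove-warning.patch, the `#if 0` around both `Dprintf(L_ERROR, ...)` calls makes a failed `setfsuid()`/`setfsgid()` branch completely silent: the empty `{ }` leaves `auth_uid`/`auth_gid` at their previous values and nothing is logged. On Linux these calls return the previous filesystem ID rather than an error code, so `< 0` is not a dependable failure test in the first place, and compiling out the message hides that instead of addressing it. I would keep the diagnostic reachable, or at least record the reason next to the guard, e.g. `/* message disabled: setfsuid() return value is not an error indicator on this target */`. Whether the request is still served with the old credentials after this branch cannot be seen here, because the function continues outside the hunk.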
@@ -0,0 +1,49 @@
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=portmap
+PKG_VERSION:=5beta
+PKG_RELEASE:=1
+PKG_MD5SUM:=781e16ed4487c4caa082c6fef09ead4f
+
+# space separated list or special @SF for sourceforge projects
+PKG_SOURCE_URL:=ftp://ftp.porcupine.org/pub/security
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)_$(PKG_VERSION)
+PKG_CAT:=zcat
+PKG_IPK:=$(PACKAGE_DIR)/$(PKG_NAME)_$(PKG_VERSION)-$(PKG_RELEASE)_$(ARCH).ipk
+PKG_IPK_DIR:=$(PKG_BUILD_DIR)/ipkg
+
+$(DL_DIR)/$(PKG_SOURCE):
+ $(SCRIPT_DIR)/download.pl $(DL_DIR) $(PKG_SOURCE) $(PKG_MD5SUM) $(PKG_SOURCE_URL)
+
+$(PKG_BUILD_DIR)/.patched: $(DL_DIR)/$(PKG_SOURCE)
+ $(PKG_CAT) $(DL_DIR)/$(PKG_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) -
+ $(PATCH) $(PKG_BUILD_DIR) ./patches
+ touch $(PKG_BUILD_DIR)/.patched
+
+$(PKG_BUILD_DIR)/portmap: $(PKG_BUILD_DIR)/.patched
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(TARGET_CONFIGURE_OPTS) \
+ CFLAGS="$(TARGET_CFLAGS) -DHOSTS_ACCESS -DFACILITY=LOG_DAEMON -DIGNORE_SIGCHLD" all
+
+$(PKG_IPK): $(PKG_BUILD_DIR)/portmap
+ mkdir -p $(PKG_IPK_DIR)/usr/sbin
+ $(SCRIPT_DIR)/make-ipkg-dir.sh $(PKG_IPK_DIR) $(PKG_NAME).control $(PKG_VERSION)-$(PKG_RELEASE) $(ARCH)
+ cp $(PKG_BUILD_DIR)/portmap $(PKG_IPK_DIR)/usr/sbin/
+ $(STRIP) $(PKG_IPK_DIR)/usr/sbin/*
+ mkdir -p $(PACKAGE_DIR)
+ $(IPKG_BUILD) $(PKG_IPK_DIR) $(PACKAGE_DIR)
+
+$(IPKG_STATE_DIR)/info/$(PKG_NAME).list: $(PKG_IPK)
+ $(IPKG) install $(PKG_IPK)
+
+source: $(DL_DIR)/$(PKG_SOURCE)
+prepare: $(PKG_BUILD_DIR)/.patched
+compile: $(PKG_IPK)
+install: $(IPKG_STATE_DIR)/info/$(PKG_NAME).list
+
+clean:
+ rm -rf $(PKG_BUILD_DIR)
+ rm -f $(PKG_IPK)
diff --git a/openwrt/package/portmap/patches/debian-subset.patch b/openwrt/package/portmap/patches/debian-subset.patch
new file mode 100644
index 000000000..c5fecf7c4
--- /dev/null
+++ b/openwrt/package/portmap/patches/debian-subset.patch
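Review bot: Passing `CFLAGS="$(TARGET_CFLAGS) -DHOSTS_ACCESS -DFACILITY=LOG_DAEMON -DIGNORE_SIGCHLD"` on the `$(MAKE)` command line in the `$(PKG_BUILD_DIR)/portmap` rule overrides the package Makefile's own `CFLAGS` assignment, so everything it would have taken from `$(COPT)` is dropped except the three defines repeated here. The patched upstream Makefile in patches/debian-subset.patch builds `COPT` from `$(CHECK_PORT)`, `$(LOOPBACK)`, `$(SA_LEN)` and `$(SETPGRP)` among others; the first two look like the privileged-port and local-only set/unset checks, which would then be compiled out without any warning. Either list every define the daemon needs in this string, or leave `CFLAGS` to upstream and hand the target flags over through a variable it does not assign, and note the coupling with `# CFLAGS given here replaces upstream COPT; keep in sync with patches/debian-subset.patch`. The values of those macros are not visible on this page, so the exact list has to be confirmed against the unpacked source.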
@@ -0,0 +1,531 @@ +--- portmap-5.orig/Makefile ++++ portmap-5/Makefile +@@ -8,7 +8,7 @@ + # if you disagree. See `man 3 syslog' for examples. Some syslog versions + # do not provide this flexibility. + # +-FACILITY=LOG_MAIL ++FACILITY=LOG_DAEMON + + # To disable tcp-wrapper style access control, comment out the following + # macro definitions. Access control can also be turned off by providing +@@ -16,7 +16,8 @@ + # daemon, is always treated as an authorized host. + + HOSTS_ACCESS= -DHOSTS_ACCESS +-WRAP_LIB = $(WRAP_DIR)/libwrap.a ++#WRAP_LIB = $(WRAP_DIR)/libwrap.a ++WRAP_LIB = -lwrap + + # Comment out if your RPC library does not allocate privileged ports for + # requests from processes with root privilege, or the new portmap will +@@ -71,7 +72,7 @@ + # With verbose logging on, HP-UX 9.x and AIX 4.1 leave zombies behind when + # SIGCHLD is not ignored. Enable next macro for a fix. + # +-# ZOMBIES = -DIGNORE_SIGCHLD # AIX 4.x, HP-UX 9.x ++ZOMBIES = -DIGNORE_SIGCHLD # AIX 4.x, HP-UX 9.x + + # Uncomment the following macro if your system does not have u_long. + # +@@ -81,11 +82,14 @@ + # libwrap.a object library. WRAP_DIR should specify the directory with + # that library. + +-WRAP_DIR= ../tcp_wrappers ++WRAP_DIR= $(TCPD_DIR) + + # Auxiliary object files that may be missing from your C library. + # +-AUX = daemon.o strerror.o ++#AUX = daemon.o strerror.o ++ ++# glibc has strerror() (it's POSIX) and daemon() (when compiling -D_BSD_SOURCE) ++AUX = + + # NEXTSTEP is a little different. The following seems to work with NS 3.2 + # +@@ -99,22 +103,31 @@ + + # Comment out if your compiler talks ANSI and understands const + # +-CONST = -Dconst= ++#CONST = -Dconst= + + ### End of configurable stuff. 
+ ############################## + ++GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h) ++ ++ifeq ($(GLIBC),0) ++LIBS += # -lbsd ++else ++LIBS += -lnsl ++endif ++ ++ + SHELL = /bin/sh + +-COPT = $(CONST) -Dperror=xperror $(HOSTS_ACCESS) $(CHECK_PORT) \ ++COPT = $(CONST) $(HOSTS_ACCESS) $(CHECK_PORT) \ + $(SYS) -DFACILITY=$(FACILITY) $(ULONG) $(ZOMBIES) $(SA_LEN) \ + $(LOOPBACK) $(SETPGRP) +-CFLAGS = $(COPT) -O $(NSARCHS) ++CFLAGS = -Wall $(COPT) -O2 $(NSARCHS) + OBJECTS = portmap.o pmap_check.o from_local.o $(AUX) + + all: portmap pmap_dump pmap_set + +-portmap: $(OBJECTS) $(WRAP_DIR)/libwrap.a ++portmap: $(OBJECTS) # $(WRAP_DIR)/libwrap.a + $(CC) $(CFLAGS) -o $@ $(OBJECTS) $(WRAP_LIB) $(LIBS) + + pmap_dump: pmap_dump.c +@@ -129,6 +142,17 @@ + get_myaddress: get_myaddress.c + cc $(CFLAGS) -DTEST -o $@ get_myaddress.c $(LIBS) + ++install: all ++ install -o root -g root -m 0755 -s portmap ${BASEDIR}/sbin ++ install -o root -g root -m 0755 -s pmap_dump ${BASEDIR}/sbin ++ install -o root -g root -m 0755 -s pmap_set ${BASEDIR}/sbin ++ install -o root -g root -m 0644 portmap.8 ${BASEDIR}/usr/share/man/man8 ++ install -o root -g root -m 0644 pmap_dump.8 ${BASEDIR}/usr/share/man/man8 ++ install -o root -g root -m 0644 pmap_set.8 ${BASEDIR}/usr/share/man/man8 ++ cat BLURB >${BASEDIR}/usr/share/doc/portmap/portmapper.txt ++ gzip -9f ${BASEDIR}/usr/share/doc/portmap/portmapper.txt ++ ++ + lint: + lint $(COPT) $(OBJECTS:%.o=%.c) + +--- portmap-5.orig/daemon.c ++++ portmap-5/daemon.c +@@ -36,11 +36,8 @@ + #endif /* LIBC_SCCS and not lint */ + + #include +- +-/* From unistd.h */ +-#define STDIN_FILENO 0 +-#define STDOUT_FILENO 1 +-#define STDERR_FILENO 2 ++#include ++#include + + /* From paths.h */ + #define _PATH_DEVNULL "/dev/null" +--- portmap-5.orig/pmap_check.c ++++ portmap-5/pmap_check.c +@@ -41,10 +41,14 @@ + #include + #include + #include ++#include + #ifdef SYSV40 + #include + #include + #endif ++#include ++#include ++#include + + extern char *inet_ntoa(); + 
+@@ -101,15 +105,25 @@ + * Give up root privileges so that we can never allocate a privileged + * port when forwarding an rpc request. + */ ++ if (setgid(1) == -1) { ++ syslog(LOG_ERR, "setgid(1) failed: %m"); ++ exit(1); ++ } ++ if (setgroups(0, 0) == -1) { ++ syslog(LOG_ERR, "setgroups(0, 0) failed: %m"); ++ exit(1); ++ } + if (setuid(1) == -1) { + syslog(LOG_ERR, "setuid(1) failed: %m"); + exit(1); + } ++ + (void) signal(SIGINT, toggle_verboselog); + } + + /* check_default - additional checks for NULL, DUMP, GETPORT and unknown */ + ++int + check_default(addr, proc, prog) + struct sockaddr_in *addr; + u_long proc; +@@ -128,6 +142,7 @@ + + /* check_privileged_port - additional checks for privileged-port updates */ + ++int + check_privileged_port(addr, proc, prog, port) + struct sockaddr_in *addr; + u_long proc; +@@ -173,6 +188,7 @@ + + #else + ++int + check_setunset(addr, proc, prog, port) + struct sockaddr_in *addr; + u_long proc; +@@ -197,6 +213,7 @@ + + /* check_callit - additional checks for forwarded requests */ + ++int + check_callit(addr, proc, prog, aproc) + struct sockaddr_in *addr; + u_long proc; +@@ -249,13 +266,13 @@ + }; + struct proc_map *procp; + static struct proc_map procmap[] = { +- PMAPPROC_CALLIT, "callit", +- PMAPPROC_DUMP, "dump", +- PMAPPROC_GETPORT, "getport", +- PMAPPROC_NULL, "null", +- PMAPPROC_SET, "set", +- PMAPPROC_UNSET, "unset", +- 0, 0, ++ {PMAPPROC_CALLIT, "callit"}, ++ {PMAPPROC_DUMP, "dump"}, ++ {PMAPPROC_GETPORT, "getport"}, ++ {PMAPPROC_NULL, "null"}, ++ {PMAPPROC_SET, "set"}, ++ {PMAPPROC_UNSET, "unset"}, ++ {0, 0}, + }; + + /* +@@ -269,7 +286,7 @@ + + if (prognum == 0) { + progname = ""; +- } else if (rpc = getrpcbynumber((int) prognum)) { ++ } else if ((rpc = getrpcbynumber((int) prognum))) { + progname = rpc->r_name; + } else { + sprintf(progname = progbuf, "%lu", prognum); +--- portmap-5.orig/from_local.c ++++ portmap-5/from_local.c +@@ -51,6 +51,9 @@ + #include + #include + #include ++#include ++#include ++#include + + 
#ifndef TRUE + #define TRUE 1 +@@ -96,6 +99,7 @@ + + /* find_local - find all IP addresses for this host */ + ++int + find_local() + { + struct ifconf ifc; +@@ -154,6 +158,7 @@ + + /* from_local - determine whether request comes from the local system */ + ++int + from_local(addr) + struct sockaddr_in *addr; + { +--- portmap-5.orig/pmap_dump.c ++++ portmap-5/pmap_dump.c +@@ -23,6 +23,20 @@ + + static char *protoname(); + ++#ifndef INADDR_LOOPBACK ++#define INADDR_LOOPBACK ntohl(inet_addr("127.0.0.1")) ++#endif ++ ++static void get_myloopaddress(addrp) ++struct sockaddr_in *addrp; ++{ ++ memset((char *) addrp, 0, sizeof(*addrp)); ++ addrp->sin_family = AF_INET; ++ addrp->sin_port = htons(PMAPPORT); ++ addrp->sin_addr.s_addr = htonl(INADDR_LOOPBACK); ++} ++ ++int + main(argc, argv) + int argc; + char **argv; +@@ -31,7 +45,7 @@ + register struct pmaplist *list; + register struct rpcent *rpc; + +- get_myaddress(&addr); ++ get_myloopaddress(&addr); + + for (list = pmap_getmaps(&addr); list; list = list->pml_next) { + rpc = getrpcbynumber((int) list->pml_map.pm_prog); +--- portmap-5.orig/pmap_set.c ++++ portmap-5/pmap_set.c +@@ -17,6 +17,10 @@ + #include + #include + ++int parse_line(char *buf, u_long *prog, u_long *vers, int *prot, ++ unsigned *port); ++ ++int + main(argc, argv) + int argc; + char **argv; +@@ -40,6 +44,7 @@ + + /* parse_line - convert line to numbers */ + ++int + parse_line(buf, prog, vers, prot, port) + char *buf; + u_long *prog; +@@ -47,9 +52,9 @@ + int *prot; + unsigned *port; + { +- char proto_name[BUFSIZ]; ++ char proto_name[256]; + +- if (sscanf(buf, "%lu %lu %s %u", prog, vers, proto_name, port) != 4) { ++ if (sscanf(buf, "%lu %lu %255s %u", prog, vers, proto_name, port) != 4) { + return (0); + } + if (strcmp(proto_name, "tcp") == 0) { +@@ -65,3 +70,4 @@ + } + return (0); + } ++ +--- portmap-5.orig/portmap.c ++++ portmap-5/portmap.c +@@ -80,6 +80,10 @@ + * Mountain View, California 94043 + */ + ++#if defined(__GLIBC__) ++#define _BSD_SOURCE 1 /* 
for daemon(3) */ ++#include ++#endif /* __GLIBC__ */ + #include + #include + #include +@@ -91,11 +95,13 @@ + #include + #include + #include +-#ifdef SYSV40 + #include +-#endif ++#include ++#include ++#include ++#include ++#include + +-extern char *strerror(); + #include + + #ifndef LOG_PERROR +@@ -124,7 +130,6 @@ + static void callit(); + struct pmaplist *pmaplist; + int debugging = 0; +-extern int errno; + + #include "pmap_check.h" + +@@ -148,6 +153,7 @@ + #endif + #endif + ++int + main(argc, argv) + int argc; + char **argv; +@@ -157,22 +163,31 @@ + struct sockaddr_in addr; + int len = sizeof(struct sockaddr_in); + register struct pmaplist *pml; ++ char *chroot_path = NULL; ++ struct in_addr bindaddr; ++ int have_bindaddr = 0; + +- while ((c = getopt(argc, argv, "dv")) != EOF) { ++ while ((c = getopt(argc, argv, "dt:vi:")) != EOF) { + switch (c) { + + case 'd': + debugging = 1; + break; +- ++ case 't': ++ chroot_path = optarg; ++ break; + case 'v': + verboselog = 1; + break; +- ++ case 'i': ++ have_bindaddr = inet_aton(optarg, &bindaddr); ++ break; + default: +- (void) fprintf(stderr, "usage: %s [-dv]\n", argv[0]); ++ (void) fprintf(stderr, "usage: %s [-dv] [-t path] [-i address]\n", argv[0]); + (void) fprintf(stderr, "-d: debugging mode\n"); ++ (void) fprintf(stderr, "-t path: chroot into path\n"); + (void) fprintf(stderr, "-v: verbose logging\n"); ++ (void) fprintf(stderr, "-i address: bind to address\n"); + exit(1); + } + } +@@ -201,6 +216,9 @@ + addr.sin_addr.s_addr = 0; + addr.sin_family = AF_INET; + addr.sin_port = htons(PMAPPORT); ++ if (have_bindaddr) ++ memcpy(&addr.sin_addr, &bindaddr, sizeof(bindaddr)); ++ + if (bind(sock, (struct sockaddr *)&addr, len) != 0) { + syslog(LOG_ERR, "cannot bind udp: %m"); + exit(1); +@@ -227,7 +245,7 @@ + setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on); + #endif + if (bind(sock, (struct sockaddr *)&addr, len) != 0) { +- syslog(LOG_ERR, "cannot bind udp: %m"); ++ syslog(LOG_ERR, "cannot bind tcp: %m"); + exit(1); 
+ } + if ((xprt = svctcp_create(sock, RPCSMALLMSGSIZE, RPCSMALLMSGSIZE)) +@@ -280,6 +298,14 @@ + (void)svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE); + + /* additional initializations */ ++ if (chroot_path) ++ { ++ if (-1 == chroot(chroot_path)) ++ { ++ syslog(LOG_ERR, "couldn't do chroot"); ++ exit(1); ++ } ++ } + check_startup(); + #ifdef IGNORE_SIGCHLD /* Lionel Cons */ + (void)signal(SIGCHLD, SIG_IGN); +@@ -350,7 +376,7 @@ + */ + /* remote host authorization check */ + check_default(svc_getcaller(xprt), rqstp->rq_proc, (u_long) 0); +- if (!svc_sendreply(xprt, xdr_void, (caddr_t)0) && debugging) { ++ if (!svc_sendreply(xprt, (xdrproc_t) xdr_void, (caddr_t)0) && debugging) { + abort(); + } + break; +@@ -359,7 +385,7 @@ + /* + * Set a program,version to port mapping + */ +- if (!svc_getargs(xprt, xdr_pmap, ®)) ++ if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (caddr_t) ®)) + svcerr_decode(xprt); + else { + /* reject non-local requests, protect priv. ports */ +@@ -401,7 +427,7 @@ + ans = 1; + } + done: +- if ((!svc_sendreply(xprt, xdr_int, (caddr_t)&ans)) && ++ if ((!svc_sendreply(xprt, (xdrproc_t) xdr_int, (caddr_t)&ans)) && + debugging) { + (void) fprintf(stderr, "svc_sendreply\n"); + abort(); +@@ -413,7 +439,7 @@ + /* + * Remove a program,version to port mapping. 
+ */ +- if (!svc_getargs(xprt, xdr_pmap, ®)) ++ if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (caddr_t) ®)) + svcerr_decode(xprt); + else { + ans = 0; +@@ -447,7 +473,7 @@ + prevpml->pml_next = pml; + free(t); + } +- if ((!svc_sendreply(xprt, xdr_int, (caddr_t)&ans)) && ++ if ((!svc_sendreply(xprt, (xdrproc_t) xdr_int, (caddr_t)&ans)) && + debugging) { + (void) fprintf(stderr, "svc_sendreply\n"); + abort(); +@@ -459,7 +485,7 @@ + /* + * Lookup the mapping for a program,version and return its port + */ +- if (!svc_getargs(xprt, xdr_pmap, ®)) ++ if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (caddr_t) ®)) + svcerr_decode(xprt); + else { + /* remote host authorization check */ +@@ -474,7 +500,7 @@ + port = fnd->pml_map.pm_port; + else + port = 0; +- if ((!svc_sendreply(xprt, xdr_int, (caddr_t)&port)) && ++ if ((!svc_sendreply(xprt, (xdrproc_t) xdr_int, (caddr_t)&port)) && + debugging) { + (void) fprintf(stderr, "svc_sendreply\n"); + abort(); +@@ -486,7 +512,7 @@ + /* + * Return the current set of mapped program,version + */ +- if (!svc_getargs(xprt, xdr_void, NULL)) ++ if (!svc_getargs(xprt, (xdrproc_t) xdr_void, (caddr_t) NULL)) + svcerr_decode(xprt); + else { + /* remote host authorization check */ +@@ -497,7 +523,7 @@ + } else { + p = pmaplist; + } +- if ((!svc_sendreply(xprt, xdr_pmaplist, ++ if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist, + (caddr_t)&p)) && debugging) { + (void) fprintf(stderr, "svc_sendreply\n"); + abort(); +@@ -645,7 +671,7 @@ + timeout.tv_sec = 5; + timeout.tv_usec = 0; + a.rmt_args.args = buf; +- if (!svc_getargs(xprt, xdr_rmtcall_args, &a)) ++ if (!svc_getargs(xprt, (xdrproc_t) xdr_rmtcall_args, (caddr_t) &a)) + return; + /* host and service access control */ + if (!check_callit(svc_getcaller(xprt), +@@ -674,9 +700,9 @@ + au->aup_uid, au->aup_gid, au->aup_len, au->aup_gids); + } + a.rmt_port = (u_long)port; +- if (clnt_call(client, a.rmt_proc, xdr_opaque_parms, &a, +- xdr_len_opaque_parms, &a, timeout) == RPC_SUCCESS) { +- 
svc_sendreply(xprt, xdr_rmtcall_result, (caddr_t)&a); ++ if (clnt_call(client, a.rmt_proc, (xdrproc_t) xdr_opaque_parms, (char*) &a, ++ (xdrproc_t) xdr_len_opaque_parms, (char*) &a, timeout) == RPC_SUCCESS) { ++ svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (caddr_t)&a); + } + AUTH_DESTROY(client->cl_auth); + clnt_destroy(client); diff --git a/openwrt/package/portmap/portmap.control b/openwrt/package/portmap/portmap.control new file mode 100644 index 000000000..55fa61d33 --- /dev/null +++ b/openwrt/package/portmap/portmap.control @@ -0,0 +1,11 @@ +Package: portmap +Priority: optional +Section: net +Maintainer: Felix Fietkau +Source: buildroot internal +Description: The RPC Portmapper + Portmap is a server that converts RPC (Remote Procedure Call) program + numbers into DARPA protocol port numbers. It must be running in order + to make RPC calls. + . + Services that use RPC include NFS and NIS. diff --git a/openwrt/package/tcp_wrappers/Makefile b/openwrt/package/tcp_wrappers/Makefile new file mode 100644 index 000000000..84f98160d --- /dev/null +++ b/openwrt/package/tcp_wrappers/Makefile 
@@ -0,0 +1,60 @@
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME := tcp_wrappers
+PKG_VERSION := 7.6
+PKG_RELEASE := 1
+PKG_MD5SUM := e6fa25f71226d090f34de3f6b122fb5a
+
+PKG_SOURCE_SITE := ftp://ftp.porcupine.org/pub/security
+PKG_SOURCE_FILE := $(PKG_NAME)_$(PKG_VERSION).tar.gz
+PKG_SOURCE_CAT := zcat
+PKG_SOURCE_DIR := $(PKG_NAME)_$(PKG_VERSION)
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_SOURCE_DIR)
+
+# only need libwrap.a at the moment
+#PKG_IPK := $(PACKAGE_DIR)/zlib_$(PKG_VERSION)-$(PKG_RELEASE)_$(ARCH).ipk
+
+
+$(DL_DIR)/$(PKG_SOURCE_FILE):
+ mkdir -p $(DL_DIR)
+ $(SCRIPT_DIR)/download.pl $(DL_DIR) $(PKG_SOURCE_FILE) $(PKG_MD5SUM) $(PKG_SOURCE_SITE)
+
+$(PKG_BUILD_DIR)/.patched: $(DL_DIR)/$(PKG_SOURCE_FILE)
+ mkdir -p $(TOOL_BUILD_DIR)
+ $(PKG_SOURCE_CAT) $(DL_DIR)/$(PKG_SOURCE_FILE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) -
+ $(PATCH) $(PKG_BUILD_DIR) ./patches
+ touch $(PKG_BUILD_DIR)/.patched
+
+$(PKG_BUILD_DIR)/libwrap.a: $(PKG_BUILD_DIR)/.patched
+
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(TARGET_CONFIGURE_OPTS) \
+ COPTS="$(TARGET_CFLAGS)" \
+ LIBS=-lnsl \
+ NETGROUP= \
+ VSYSLOG= \
+ BUGS= \
+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 \
+ -Dss_family=__ss_family -Dss_len=__ss_len" \
+ FACILITY=LOG_DAEMON \
+ SEVERITY=LOG_INFO \
+ REAL_DAEMON_DIR=/usr/sbin \
+ STYLE="-DPROCESS_OPTIONS" \
+ tidy all
+
+$(STAGING_DIR)/lib/libwrap.a: $(PKG_BUILD_DIR)/libwrap.a
+ mkdir -p $(STAGING_DIR)/include/
+ cp -f $(PKG_BUILD_DIR)/tcpd.h $(STAGING_DIR)/include/
+ cp -f $^ $@
+
+source: $(DL_DIR)/$(PKG_SOURCE_FILE)
+prepare: $(PKG_BUILD_DIR)/.patched
+compile: $(STAGING_DIR)/lib/libwrap.a
+install:
+
+clean:
+ rm -rf $(PKG_BUILD_DIR)
+ rm -f $(STAGING_DIR)/lib/libwrap.a
+
diff --git a/openwrt/package/tcp_wrappers/patches/debian-subset.patch b/openwrt/package/tcp_wrappers/patches/debian-subset.patch
new file mode 100644
index 000000000..c0c37501d
--- /dev/null
+++ b/openwrt/package/tcp_wrappers/patches/debian-subset.patch
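Review bot: The integrity of the tcp_wrappers tarball rests only on `PKG_MD5SUM`, while `PKG_SOURCE_SITE` is a plain `ftp://` URL, so nothing in this Makefile authenticates the source of the access-control library that portmap is then linked with (`WRAP_LIB = -lwrap` in its patch). The portmap Makefile in this commit follows the same pattern with `PKG_MD5SUM` and `PKG_SOURCE_URL`. MD5 does not resist deliberate collisions and FTP gives no transport integrity, but pinning a stronger digest depends on what `download.pl` accepts, which is not shown on this page. Until that is settled I would record the limitation beside the checksum: `# TODO: pin with a stronger digest once download.pl supports one; MD5 over FTP does not authenticate the source`.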
@@ -0,0 +1,936 @@ +--- tcp-wrappers-7.6.orig/hosts_access.c ++++ tcp-wrappers-7.6/hosts_access.c +@@ -240,6 +240,26 @@ + } + } + ++/* hostfile_match - look up host patterns from file */ ++ ++static int hostfile_match(path, host) ++char *path; ++struct hosts_info *host; ++{ ++ char tok[BUFSIZ]; ++ int match = NO; ++ FILE *fp; ++ ++ if ((fp = fopen(path, "r")) != 0) { ++ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) ++ /* void */ ; ++ fclose(fp); ++ } else if (errno != ENOENT) { ++ tcpd_warn("open %s: %m", path); ++ } ++ return (match); ++} ++ + /* host_match - match host name and/or address against pattern */ + + static int host_match(tok, host) +@@ -267,6 +287,8 @@ + tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ + return (NO); + #endif ++ } else if (tok[0] == '/') { /* /file hack */ ++ return (hostfile_match(tok, host)); + } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ + char *name = eval_hostname(host); + return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); +--- tcp-wrappers-7.6.orig/tcpd.h ++++ tcp-wrappers-7.6/tcpd.h +@@ -4,6 +4,25 @@ + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + ++#ifndef _TCPWRAPPERS_TCPD_H ++#define _TCPWRAPPERS_TCPD_H ++ ++/* someone else may have defined this */ ++#undef __P ++ ++/* use prototypes if we have an ANSI C compiler or are using C++ */ ++#if defined(__STDC__) || defined(__cplusplus) ++#define __P(args) args ++#else ++#define __P(args) () ++#endif ++ ++/* Need definitions of struct sockaddr_in and FILE. */ ++#include ++#include ++ ++__BEGIN_DECLS ++ + /* Structure to describe one communications endpoint. 
*/ + + #define STRING_LENGTH 128 /* hosts, users, processes */ +@@ -25,10 +44,10 @@ + char pid[10]; /* access via eval_pid(request) */ + struct host_info client[1]; /* client endpoint info */ + struct host_info server[1]; /* server endpoint info */ +- void (*sink) (); /* datagram sink function or 0 */ +- void (*hostname) (); /* address to printable hostname */ +- void (*hostaddr) (); /* address to printable address */ +- void (*cleanup) (); /* cleanup function or 0 */ ++ void (*sink) __P((int)); /* datagram sink function or 0 */ ++ void (*hostname) __P((struct host_info *)); /* address to printable hostname */ ++ void (*hostaddr) __P((struct host_info *)); /* address to printable address */ ++ void (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */ + struct netconfig *config; /* netdir handle */ + }; + +@@ -61,25 +80,30 @@ + /* Global functions. */ + + #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) +-extern void fromhost(); /* get/validate client host info */ ++extern void fromhost __P((struct request_info *)); /* get/validate client host info */ + #else + #define fromhost sock_host /* no TLI support needed */ + #endif + +-extern int hosts_access(); /* access control */ +-extern void shell_cmd(); /* execute shell command */ +-extern char *percent_x(); /* do % expansion */ +-extern void rfc931(); /* client name from RFC 931 daemon */ +-extern void clean_exit(); /* clean up and exit */ +-extern void refuse(); /* clean up and exit */ +-extern char *xgets(); /* fgets() on steroids */ +-extern char *split_at(); /* strchr() and split */ +-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ ++extern void shell_cmd __P((char *)); /* execute shell command */ ++extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do % expansion */ ++extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */ ++extern void clean_exit __P((struct request_info *)); /* clean 
up and exit */ ++extern void refuse __P((struct request_info *)); /* clean up and exit */ ++extern char *xgets __P((char *, int, FILE *)); /* fgets() on steroids */ ++extern char *split_at __P((char *, int)); /* strchr() and split */ ++extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */ + + /* Global variables. */ + ++#ifdef HAVE_WEAKSYMS ++extern int allow_severity __attribute__ ((weak)); /* for connection logging */ ++extern int deny_severity __attribute__ ((weak)); /* for connection logging */ ++#else + extern int allow_severity; /* for connection logging */ + extern int deny_severity; /* for connection logging */ ++#endif ++ + extern char *hosts_allow_table; /* for verification mode redirection */ + extern char *hosts_deny_table; /* for verification mode redirection */ + extern int hosts_access_verbose; /* for verbose matching mode */ +@@ -92,9 +116,14 @@ + */ + + #ifdef __STDC__ ++extern int hosts_access(struct request_info *request); ++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, ++ char *client_user); + extern struct request_info *request_init(struct request_info *,...); + extern struct request_info *request_set(struct request_info *,...); + #else ++extern int hosts_access(); ++extern int hosts_ctl(); + extern struct request_info *request_init(); /* initialize request */ + extern struct request_info *request_set(); /* update request structure */ + #endif +@@ -117,27 +146,31 @@ + * host_info structures serve as caches for the lookup results. 
+ */ + +-extern char *eval_user(); /* client user */ +-extern char *eval_hostname(); /* printable hostname */ +-extern char *eval_hostaddr(); /* printable host address */ +-extern char *eval_hostinfo(); /* host name or address */ +-extern char *eval_client(); /* whatever is available */ +-extern char *eval_server(); /* whatever is available */ ++extern char *eval_user __P((struct request_info *)); /* client user */ ++extern char *eval_hostname __P((struct host_info *)); /* printable hostname */ ++extern char *eval_hostaddr __P((struct host_info *)); /* printable host address */ ++extern char *eval_hostinfo __P((struct host_info *)); /* host name or address */ ++extern char *eval_client __P((struct request_info *)); /* whatever is available */ ++extern char *eval_server __P((struct request_info *)); /* whatever is available */ + #define eval_daemon(r) ((r)->daemon) /* daemon process name */ + #define eval_pid(r) ((r)->pid) /* process id */ + + /* Socket-specific methods, including DNS hostname lookups. */ + +-extern void sock_host(); /* look up endpoint addresses */ +-extern void sock_hostname(); /* translate address to hostname */ +-extern void sock_hostaddr(); /* address to printable address */ ++/* look up endpoint addresses */ ++extern void sock_host __P((struct request_info *)); ++/* translate address to hostname */ ++extern void sock_hostname __P((struct host_info *)); ++/* address to printable address */ ++extern void sock_hostaddr __P((struct host_info *)); ++ + #define sock_methods(r) \ + { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } + + /* The System V Transport-Level Interface (TLI) interface. */ + + #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) +-extern void tli_host(); /* look up endpoint addresses etc. */ ++extern void tli_host __P((struct request_info *)); /* look up endpoint addresses etc. */ + #endif + + /* +@@ -178,7 +211,7 @@ + * behavior. 
+ */ + +-extern void process_options(); /* execute options */ ++extern void process_options __P((char *, struct request_info *)); /* execute options */ + extern int dry_run; /* verification flag */ + + /* Bug workarounds. */ +@@ -217,3 +250,7 @@ + #define strtok my_strtok + extern char *my_strtok(); + #endif ++ ++__END_DECLS ++ ++#endif /* tcpd.h */ +--- tcp-wrappers-7.6.orig/Makefile ++++ tcp-wrappers-7.6/Makefile +@@ -1,5 +1,10 @@ ++GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h) ++ + # @(#) Makefile 1.23 97/03/21 19:27:20 + ++# unset the HOSTNAME environment variable ++HOSTNAME = ++ + what: + @echo + @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" +@@ -19,7 +24,7 @@ + @echo " generic (most bsd-ish systems with sys5 compatibility)" + @echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543" + @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" +- @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" ++ @echo " linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" + @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" + @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" + @echo " uts215 uxp" +@@ -43,8 +48,8 @@ + # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx + #REAL_DAEMON_DIR=/usr/etc + # +-# SysV.4 Solaris 2.x OSF AIX +-#REAL_DAEMON_DIR=/usr/sbin ++# SysV.4 Solaris 2.x OSF AIX Linux ++REAL_DAEMON_DIR=/usr/sbin + # + # BSD 4.4 + #REAL_DAEMON_DIR=/usr/libexec +@@ -141,10 +146,21 @@ + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ + EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all + ++ifneq ($(GLIBC),0) ++MYLIB=-lnsl ++endif ++ + linux: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ +- LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ +- NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all ++ LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ ++ NETGROUP=-DNETGROUP 
TLI= VSYSLOG= BUGS= all \ ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT" ++ ++gnu: ++ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ ++ LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ ++ NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \ ++ EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" + + # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. + hpux hpux8 hpux9 hpux10: +@@ -391,7 +407,7 @@ + # the ones provided with this source distribution. The environ.c module + # implements setenv(), getenv(), and putenv(). + +-AUX_OBJ= setenv.o ++#AUX_OBJ= setenv.o + #AUX_OBJ= environ.o + #AUX_OBJ= environ.o strcasecmp.o + +@@ -454,7 +470,8 @@ + # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work + # around this. The workaround does no harm on other Solaris versions. + +-BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK ++BUGS = ++#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK + #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG + #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG + +@@ -464,7 +481,7 @@ + # If your system supports NIS or YP-style netgroups, enable the following + # macro definition. Netgroups are used only for host access control. + # +-#NETGROUP= -DNETGROUP ++NETGROUP= -DNETGROUP + + ############################################################### + # System dependencies: whether or not your system has vsyslog() +@@ -491,7 +508,7 @@ + # Uncomment the next definition to turn on the language extensions + # (examples: allow, deny, banners, twist and spawn). + # +-#STYLE = -DPROCESS_OPTIONS # Enable language extensions. ++STYLE = -DPROCESS_OPTIONS # Enable language extensions. + + ################################################################ + # Optional: Changing the default disposition of logfile records +@@ -514,7 +531,7 @@ + # + # The LOG_XXX names below are taken from the /usr/include/syslog.h file. 
+ +-FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use ++FACILITY= LOG_DAEMON # LOG_MAIL is what most sendmail daemons use + + # The syslog priority at which successful connections are logged. + +@@ -610,7 +627,7 @@ + # Paranoid mode implies hostname lookup. In order to disable hostname + # lookups altogether, see the next section. + +-PARANOID= -DPARANOID ++#PARANOID= -DPARANOID + + ######################################## + # Optional: turning off hostname lookups +@@ -623,7 +640,7 @@ + # In order to perform selective hostname lookups, disable paranoid + # mode (see previous section) and comment out the following definition. + +-HOSTNAME= -DALWAYS_HOSTNAME ++#HOSTNAME= -DALWAYS_HOSTNAME + + ############################################# + # Optional: Turning on host ADDRESS checking +@@ -649,28 +666,46 @@ + # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, + # Solaris 2.x, and Linux. See your system documentation for details. + # +-# KILL_OPT= -DKILL_IP_OPTIONS ++KILL_OPT= -DKILL_IP_OPTIONS + + ## End configuration options + ############################ + + # Protection against weird shells or weird make programs. 
+ ++CC = gcc + SHELL = /bin/sh +-.c.o:; $(CC) $(CFLAGS) -c $*.c ++.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c ++ ++SOMAJOR = 0 ++SOMINOR = 7.6 ++ ++LIB = libwrap.a ++SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) ++SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR) ++SHLIBSO = shared/libwrap.so ++SHLIBFLAGS = -Lshared -lwrap + +-CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ ++shared/%.o: %.c ++ $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ ++ ++CFLAGS = -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ + $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ + -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ + -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ + $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ + $(VSYSLOG) $(HOSTNAME) + ++SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) ++SHCFLAGS = -fPIC -shared -D_REENTRANT ++ + LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ + hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ + $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ + update.o misc.o diag.o percent_m.o myvsyslog.o + ++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); ++ + FROM_OBJ= fromhost.o + + KIT = README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \ +@@ -684,46 +719,78 @@ + refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ + scaffold.h tcpdmatch.8 README.NIS + +-LIB = libwrap.a +- +-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk ++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) + + # Invalidate all object files when the compiler options (CFLAGS) have changed. 
+ + config-check: + @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } +- @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ +- if cmp cflags /tmp/cflags.$$$$ ; \ +- then rm /tmp/cflags.$$$$ ; \ +- else mv /tmp/cflags.$$$$ cflags ; \ ++ @set +e; echo $(CFLAGS) >cflags.new ; \ ++ if cmp cflags cflags.new ; \ ++ then rm cflags.new ; \ ++ else mv cflags.new cflags ; \ + fi >/dev/null 2>/dev/null ++ @if [ ! -d shared ]; then mkdir shared; fi + + $(LIB): $(LIB_OBJ) + rm -f $(LIB) + $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) + -$(RANLIB) $(LIB) + +-tcpd: tcpd.o $(LIB) +- $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) ++$(SHLIB): $(SHLIB_OBJ) ++ rm -f $(SHLIB) ++ $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) ++ ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ) ++ ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) ++ ++tcpd: tcpd.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) + +-miscd: miscd.o $(LIB) +- $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) ++miscd: miscd.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS) + +-safe_finger: safe_finger.o $(LIB) +- $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) ++safe_finger: safe_finger.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) + + TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o + +-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) +- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) ++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) + +-try-from: try-from.o fakelog.o $(LIB) +- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) ++try-from: try-from.o fakelog.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) + + TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o + +-tcpdchk: $(TCPDCHK_OBJ) $(LIB) +- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) ++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) ++ ++install: install-lib install-bin install-dev ++ ++install-lib: ++ install -o root -g root -m 0644 $(SHLIB) 
${DESTDIR}/lib/ ++ ln -s $(notdir $(SHLIB)) ${DESTDIR}/lib/$(notdir $(SHLIBSOMAJ)) ++ ++install-bin: ++ install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/ ++ install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/ ++ install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/ ++ install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/ ++ install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/ ++ install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/ ++ install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/ ++ install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/ ++ install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/ ++ install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/ ++ ++install-dev: ++ ln -s /lib/$(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO)) ++ install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/ ++ install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/ ++ install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/ ++ ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3 ++ ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3 ++ ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3 + + shar: $(KIT) + @shar $(KIT) +@@ -739,7 +806,8 @@ + + clean: + rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ +- cflags ++ cflags libwrap*.so* ++ rm -rf shared + + tidy: clean + chmod -R a+r . +@@ -885,5 +953,6 @@ + update.o: mystdarg.h + update.o: tcpd.h + vfprintf.o: cflags ++weak_symbols.o: tcpd.h + workarounds.o: cflags + workarounds.o: tcpd.h +--- tcp-wrappers-7.6.orig/hosts_access.5 ++++ tcp-wrappers-7.6/hosts_access.5 +@@ -8,9 +8,9 @@ + impatient reader is encouraged to skip to the EXAMPLES section for a + quick introduction. 
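Review bot: The new `$(SHLIB)` recipe removes only the versioned library before relinking, so on any rebuild the two `ln -s` lines fail because `shared/libwrap.so.$(SOMAJOR)` and `shared/libwrap.so` already exist. Using `ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)` and `ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)` makes the step repeatable, and the same applies to the `ln -s` lines in `install-lib` and `install-dev`. The install targets also pass `-o root -g root`, which only succeeds when the staging install itself runs as root; if packaging is meant to run unprivileged, ownership is better assigned when the package archive is created.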
+ .PP +-An extended version of the access control language is described in the +-\fIhosts_options\fR(5) document. The extensions are turned on at +-program build time by building with -DPROCESS_OPTIONS. ++The extended version of the access control language is described in the ++\fIhosts_options\fR(5) document. \fBNote that this language supersedes ++the meaning of \fIshell_command\fB as documented below.\fR + .PP + In the following text, \fIdaemon\fR is the the process name of a + network daemon process, and \fIclient\fR is the name and/or address of +@@ -40,7 +40,7 @@ + character. This permits you to break up long lines so that they are + easier to edit. + .IP \(bu +-Blank lines or lines that begin with a `#\' character are ignored. ++Blank lines or lines that begin with a `#' character are ignored. + This permits you to insert comments and whitespace so that the tables + are easier to read. + .IP \(bu +@@ -69,26 +69,33 @@ + .SH PATTERNS + The access control language implements the following patterns: + .IP \(bu +-A string that begins with a `.\' character. A host name is matched if ++A string that begins with a `.' character. A host name is matched if + the last components of its name match the specified pattern. For +-example, the pattern `.tue.nl\' matches the host name +-`wzv.win.tue.nl\'. ++example, the pattern `.tue.nl' matches the host name ++`wzv.win.tue.nl'. + .IP \(bu +-A string that ends with a `.\' character. A host address is matched if ++A string that ends with a `.' character. A host address is matched if + its first numeric fields match the given string. For example, the +-pattern `131.155.\' matches the address of (almost) every host on the ++pattern `131.155.' matches the address of (almost) every host on the + Eind\%hoven University network (131.155.x.x). + .IP \(bu +-A string that begins with an `@\' character is treated as an NIS ++A string that begins with an `@' character is treated as an NIS + (formerly YP) netgroup name. 
A host name is matched if it is a host + member of the specified netgroup. Netgroup matches are not supported + for daemon process names or for client user names. + .IP \(bu +-An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a +-`net/mask\' pair. A host address is matched if `net\' is equal to the +-bitwise AND of the address and the `mask\'. For example, the net/mask +-pattern `131.155.72.0/255.255.254.0\' matches every address in the +-range `131.155.72.0\' through `131.155.73.255\'. ++An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a ++`net/mask' pair. A host address is matched if `net' is equal to the ++bitwise AND of the address and the `mask'. For example, the net/mask ++pattern `131.155.72.0/255.255.254.0' matches every address in the ++range `131.155.72.0' through `131.155.73.255'. ++.IP \(bu ++A string that begins with a `/' character is treated as a file ++name. A host name or address is matched if it matches any host name ++or address pattern listed in the named file. The file format is ++zero or more lines with zero or more host name or address patterns ++separated by whitespace. A file name pattern can be used anywhere ++a host name or address pattern can be used. + .SH WILDCARDS + The access control language supports explicit wildcards: + .IP ALL +@@ -115,19 +122,19 @@ + .ne 6 + .SH OPERATORS + .IP EXCEPT +-Intended use is of the form: `list_1 EXCEPT list_2\'; this construct ++Intended use is of the form: `list_1 EXCEPT list_2'; this construct + matches anything that matches \fIlist_1\fR unless it matches + \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in + client_lists. The EXCEPT operator can be nested: if the control +-language would permit the use of parentheses, `a EXCEPT b EXCEPT c\' +-would parse as `(a EXCEPT (b EXCEPT c))\'. ++language would permit the use of parentheses, `a EXCEPT b EXCEPT c' ++would parse as `(a EXCEPT (b EXCEPT c))'. 
+ .br + .ne 6 + .SH SHELL COMMANDS + If the first-matched access control rule contains a shell command, that + command is subjected to % substitutions (see next section). + The result is executed by a \fI/bin/sh\fR child process with standard +-input, output and error connected to \fI/dev/null\fR. Specify an `&\' ++input, output and error connected to \fI/dev/null\fR. Specify an `&' + at the end of the command if you do not want to wait until it has + completed. + .PP +@@ -159,7 +166,7 @@ + .IP %u + The client user name (or "unknown"). + .IP %% +-Expands to a single `%\' character. ++Expands to a single `%' character. + .PP + Characters in % expansions that may confuse the shell are replaced by + underscores. +@@ -243,9 +250,9 @@ + less trustworthy. It is possible for an intruder to spoof both the + client connection and the IDENT lookup, although doing so is much + harder than spoofing just a client connection. It may also be that +-the client\'s IDENT server is lying. ++the client's IDENT server is lying. + .PP +-Note: IDENT lookups don\'t work with UDP services. ++Note: IDENT lookups don't work with UDP services. + .SH EXAMPLES + The language is flexible enough that different types of access control + policy can be expressed with a minimum of fuss. Although the language +@@ -285,7 +292,7 @@ + .br + ALL: .foobar.edu EXCEPT terminalserver.foobar.edu + .PP +-The first rule permits access from hosts in the local domain (no `.\' ++The first rule permits access from hosts in the local domain (no `.' + in the host name) and from members of the \fIsome_netgroup\fP + netgroup. 
The second rule permits access from all hosts in the + \fIfoobar.edu\fP domain (notice the leading dot), with the exception of +@@ -322,8 +329,8 @@ + /etc/hosts.deny: + .in +3 + .nf +-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ +- /usr/ucb/mail -s %d-%h root) & ++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ ++ /usr/bin/mail -s %d-%h root) & + .fi + .PP + The safe_finger command comes with the tcpd wrapper and should be +@@ -349,7 +356,7 @@ + capacity of an internal buffer; when an access control rule is not + terminated by a newline character; when the result of % + expansion would overflow an internal buffer; when a system call fails +-that shouldn\'t. All problems are reported via the syslog daemon. ++that shouldn't. All problems are reported via the syslog daemon. + .SH FILES + .na + .nf +--- tcp-wrappers-7.6.orig/rfc931.c ++++ tcp-wrappers-7.6/rfc931.c +@@ -33,7 +33,7 @@ + + int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ + +-static jmp_buf timebuf; ++static sigjmp_buf timebuf; + + /* fsocket - open stdio stream on top of socket */ + +@@ -62,7 +62,7 @@ + static void timeout(sig) + int sig; + { +- longjmp(timebuf, sig); ++ siglongjmp(timebuf, sig); + } + + /* rfc931 - return remote user name, given socket structures */ +@@ -99,7 +99,7 @@ + * Set up a timer so we won't get stuck while waiting for the server. + */ + +- if (setjmp(timebuf) == 0) { ++ if (sigsetjmp(timebuf,1) == 0) { + signal(SIGALRM, timeout); + alarm(rfc931_timeout); + +--- tcp-wrappers-7.6.orig/tcpd.8 ++++ tcp-wrappers-7.6/tcpd.8 +@@ -94,7 +94,7 @@ + .PP + The example assumes that the network daemons live in /usr/etc. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, or have +-no `in.\' prefix to their name. ++no `in.' prefix to their name. + .SH EXAMPLE 2 + This example applies when \fItcpd\fR expects that the network daemons + are left in their original place. 
+@@ -110,26 +110,26 @@ + becomes: + .sp + .ti +5 +-finger stream tcp nowait nobody /some/where/tcpd in.fingerd ++finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd + .sp + .fi + .PP + The example assumes that the network daemons live in /usr/etc. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, the +-daemons have no `in.\' prefix to their name, or there is no userid ++daemons have no `in.' prefix to their name, or there is no userid + field in the inetd configuration file. + .PP + Similar changes will be needed for the other services that are to be +-covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) ++covered by \fItcpd\fR. Send a `kill -HUP' to the \fIinetd\fR(8) + process to make the changes effective. AIX users may also have to +-execute the `inetimp\' command. ++execute the `inetimp' command. + .SH EXAMPLE 3 + In the case of daemons that do not live in a common directory ("secret" + or otherwise), edit the \fIinetd\fR configuration file so that it + specifies an absolute path name for the process name field. 
For example: + .nf + .sp +- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd ++ ntalk dgram udp wait root /usr/sbin/tcpd /usr/sbin/in.ntalkd + .sp + .fi + .PP +--- tcp-wrappers-7.6.orig/hosts_access.3 ++++ tcp-wrappers-7.6/hosts_access.3 +@@ -3,7 +3,7 @@ + hosts_access, hosts_ctl, request_init, request_set \- access control library + .SH SYNOPSIS + .nf +-#include "tcpd.h" ++#include + + extern int allow_severity; + extern int deny_severity; +--- tcp-wrappers-7.6.orig/options.c ++++ tcp-wrappers-7.6/options.c +@@ -473,6 +473,9 @@ + #ifdef LOG_CRON + "cron", LOG_CRON, + #endif ++#ifdef LOG_FTP ++ "ftp", LOG_FTP, ++#endif + #ifdef LOG_LOCAL0 + "local0", LOG_LOCAL0, + #endif +--- tcp-wrappers-7.6.orig/fix_options.c ++++ tcp-wrappers-7.6/fix_options.c +@@ -35,7 +35,12 @@ + #ifdef IP_OPTIONS + unsigned char optbuf[BUFFER_SIZE / 3], *cp; + char lbuf[BUFFER_SIZE], *lp; ++#if !defined(__GLIBC__) + int optsize = sizeof(optbuf), ipproto; ++#else /* __GLIBC__ */ ++ size_t optsize = sizeof(optbuf); ++ int ipproto; ++#endif /* __GLIBC__ */ + struct protoent *ip; + int fd = request->fd; + unsigned int opt; +--- tcp-wrappers-7.6.orig/workarounds.c ++++ tcp-wrappers-7.6/workarounds.c +@@ -163,7 +163,11 @@ + int fix_getpeername(sock, sa, len) + int sock; + struct sockaddr *sa; ++#if !defined(__GLIBC__) + int *len; ++#else /* __GLIBC__ */ ++size_t *len; ++#endif /* __GLIBC__ */ + { + int ret; + struct sockaddr_in *sin = (struct sockaddr_in *) sa; +--- tcp-wrappers-7.6.orig/socket.c ++++ tcp-wrappers-7.6/socket.c +@@ -76,7 +76,11 @@ + { + static struct sockaddr_in client; + static struct sockaddr_in server; ++#if !defined (__GLIBC__) + int len; ++#else /* __GLIBC__ */ ++ size_t len; ++#endif /* __GLIBC__ */ + char buf[BUFSIZ]; + int fd = request->fd; + +@@ -224,7 +228,11 @@ + { + char buf[BUFSIZ]; + struct sockaddr_in sin; ++#if !defined(__GLIBC__) + int size = sizeof(sin); ++#else /* __GLIBC__ */ ++ size_t size = sizeof(sin); ++#endif /* __GLIBC__ */ + + /* + * Eat up 
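Review bot: `size_t` is the wrong type for the length variable in the `__GLIBC__` branch of the fix_options.c hunk. Socket option and address length arguments are `socklen_t`, which is narrower than `size_t` on 64-bit targets, so a call taking `&optsize` would read and write only part of the object. The branch should declare `socklen_t optsize = sizeof(optbuf);`. The same substitution is needed in the workarounds.c hunk (`size_t *len;` becomes `socklen_t *len;`) and in both socket.c hunks (`size_t len;`, `size_t size = sizeof(sin);`). The calls that consume these variables lie outside the hunks, so the use as a socket length is inferred from the names and the `sizeof` initialisers.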
the not-yet received datagram. Some systems insist on a +--- tcp-wrappers-7.6.orig/safe_finger.c ++++ tcp-wrappers-7.6/safe_finger.c +@@ -26,21 +26,24 @@ + #include + #include + #include ++#include + + extern void exit(); + + /* Local stuff */ + +-char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; ++char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; + + #define TIME_LIMIT 60 /* Do not keep listinging forever */ + #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ + #define LINE_LENGTH 128 /* Editors can choke on long lines */ + #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ + #define UNPRIV_NAME "nobody" /* Preferred privilege level */ +-#define UNPRIV_UGID 32767 /* Default uid and gid */ ++#define UNPRIV_UGID 65534 /* Default uid and gid */ + + int finger_pid; ++int allow_severity = SEVERITY; ++int deny_severity = LOG_WARNING; + + void cleanup(sig) + int sig; +--- tcp-wrappers-7.6.orig/hosts_options.5 ++++ tcp-wrappers-7.6/hosts_options.5 +@@ -58,12 +58,12 @@ + Execute, in a child process, the specified shell command, after + performing the % expansions described in the hosts_access(5) + manual page. The command is executed with stdin, stdout and stderr +-connected to the null device, so that it won\'t mess up the ++connected to the null device, so that it won't mess up the + conversation with the client host. 
Example: + .sp + .nf + .ti +3 +-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & ++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & + .fi + .sp + executes, in a background child process, the shell command "safe_finger +--- tcp-wrappers-7.6.orig/tcpdchk.c ++++ tcp-wrappers-7.6/tcpdchk.c +@@ -350,6 +350,8 @@ + { + if (pat[0] == '@') { + tcpd_warn("%s: daemon name begins with \"@\"", pat); ++ } else if (pat[0] == '/') { ++ tcpd_warn("%s: daemon name begins with \"/\"", pat); + } else if (pat[0] == '.') { + tcpd_warn("%s: daemon name begins with dot", pat); + } else if (pat[strlen(pat) - 1] == '.') { +@@ -382,6 +384,8 @@ + { + if (pat[0] == '@') { /* @netgroup */ + tcpd_warn("%s: user name begins with \"@\"", pat); ++ } else if (pat[0] == '/') { ++ tcpd_warn("%s: user name begins with \"/\"", pat); + } else if (pat[0] == '.') { + tcpd_warn("%s: user name begins with dot", pat); + } else if (pat[strlen(pat) - 1] == '.') { +@@ -402,8 +406,13 @@ + static int check_host(pat) + char *pat; + { ++ char buf[BUFSIZ]; + char *mask; + int addr_count = 1; ++ FILE *fp; ++ struct tcpd_context saved_context; ++ char *cp; ++ char *wsp = " \t\r\n"; + + if (pat[0] == '@') { /* @netgroup */ + #ifdef NO_NETGRENT +@@ -422,6 +431,21 @@ + tcpd_warn("netgroup support disabled"); + #endif + #endif ++ } else if (pat[0] == '/') { /* /path/name */ ++ if ((fp = fopen(pat, "r")) != 0) { ++ saved_context = tcpd_context; ++ tcpd_context.file = pat; ++ tcpd_context.line = 0; ++ while (fgets(buf, sizeof(buf), fp)) { ++ tcpd_context.line++; ++ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) ++ check_host(cp); ++ } ++ tcpd_context = saved_context; ++ fclose(fp); ++ } else if (errno != ENOENT) { ++ tcpd_warn("open %s: %m", pat); ++ } + } else if (mask = split_at(pat, '/')) { /* network/netmask */ + if (dot_quad_addr(pat) == INADDR_NONE + || dot_quad_addr(mask) == INADDR_NONE) +--- tcp-wrappers-7.6.orig/percent_m.c ++++ tcp-wrappers-7.6/percent_m.c +@@ -13,7 +13,7 @@ + 
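Review bot: The new `/path/name` branch in `check_host()` calls itself from inside a `strtok()` loop, and `strtok()` keeps a single global scan position. If a pattern file names another pattern file, the inner call resets that position, and when it returns the outer `strtok((char *) 0, wsp)` continues in the `buf` of a stack frame that no longer exists. There is also no bound on nesting, so a file that lists itself recurses until the stack or the descriptor table runs out, with one `BUFSIZ` buffer and one open `FILE` per level. A per-call tokenizer state via `strtok_r` and a small depth limit address both problems. `check_host()` starts before and continues after this hunk, so only the new branch is shown below.

```c
    } else if (pat[0] == '/') {			/* /path/name */
	static int depth = 0;			/* illustrative guard; name and limit are constructed */
	char   *save;				/* per-call tokenizer state */

	if (depth >= 8) {
	    tcpd_warn("%s: pattern files nested too deeply", pat);
	} else if ((fp = fopen(pat, "r")) != 0) {
	    /* … unchanged: save tcpd_context, point it at pat … */
	    depth++;
	    while (fgets(buf, sizeof(buf), fp)) {
		tcpd_context.line++;
		for (cp = strtok_r(buf, wsp, &save); cp;
		     cp = strtok_r((char *) 0, wsp, &save))
		    check_host(cp);
	    }
	    depth--;
	    /* … unchanged: restore tcpd_context, fclose(fp) … */
	} else if (errno != ENOENT) {
	    tcpd_warn("open %s: %m", pat);
	}
```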
#include + + extern int errno; +-#ifndef SYS_ERRLIST_DEFINED ++#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR) + extern char *sys_errlist[]; + extern int sys_nerr; + #endif +@@ -29,11 +29,15 @@ + + while (*bp = *cp) + if (*cp == '%' && cp[1] == 'm') { ++#ifdef HAVE_STRERROR ++ strcpy(bp, strerror(errno)); ++#else + if (errno < sys_nerr && errno > 0) { + strcpy(bp, sys_errlist[errno]); + } else { + sprintf(bp, "Unknown error %d", errno); + } ++#endif + bp += strlen(bp); + cp += 2; + } else { +--- tcp-wrappers-7.6.orig/scaffold.c ++++ tcp-wrappers-7.6/scaffold.c +@@ -180,10 +180,12 @@ + + /* ARGSUSED */ + +-void rfc931(request) +-struct request_info *request; ++void rfc931(rmt_sin, our_sin, dest) ++struct sockaddr_in *rmt_sin; ++struct sockaddr_in *our_sin; ++char *dest; + { +- strcpy(request->user, unknown); ++ strcpy(dest, unknown); + } + + /* check_path - examine accessibility */ +--- tcp-wrappers-7.6.orig/weak_symbols.c ++++ tcp-wrappers-7.6/weak_symbols.c +@@ -0,0 +1,11 @@ ++ /* ++ * @(#) weak_symbols.h 1.5 99/12/29 23:50 ++ * ++ * Author: Anthony Towns ++ */ ++ ++#ifdef HAVE_WEAKSYMS ++#include ++int deny_severity = LOG_WARNING; ++int allow_severity = SEVERITY; ++#endif -- cgit v1.2.3
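Review bot: The added `HAVE_STRERROR` branch in percent_m.c copies the message with `strcpy(bp, strerror(errno));`, and nothing in the hunk bounds the write into the output buffer. The `sys_errlist` branch has the same shape, so the commit carries the pattern forward rather than introducing it. The function's signature and its callers are outside the hunk, so whether every destination is large enough cannot be confirmed from here. At minimum the contract should be stated next to the copy, for example `/* no bounds check: caller's output buffer must hold the format plus the expanded error text */`. None of the visible Makefile hunks define `HAVE_STRERROR`, so it is also worth confirming that the new branch is actually compiled in.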