#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

# tcp_wrappers: the tcpd access-control wrapper plus its checking and
# diagnostic tools, all built against libwrap from ../../lib/libwrap.
PROG =		safe_finger tcpd tcpdchk tcpdmatch try-from

include ../Makefile.cmd

# The third-party sources predate strict prototypes; turn off the
# missing-return and implicit-declaration diagnostics they trip.
ERROFF =	-erroff=E_FUNC_HAS_NO_RETURN_STMT \
		-erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT \
		-_gcc=-Wno-return-type -_gcc=-Wno-implicit
CFLAGS +=	$(CCVERBOSE) $(ERROFF)

# Feature selection for the wrappers.  $(ACCESS) .. $(SEVERITY) are the
# upstream configuration knobs defined at the end of this file; they are
# expanded lazily, so their definition order does not matter.
# REAL_DAEMON_DIR is where tcpd looks for the real daemons it wraps, and
# $(TABLES) carries the HOSTS_ALLOW/HOSTS_DENY access-table paths.
# $(BUGS) is not defined anywhere in this file and presumably expands empty.
CPPFLAGS +=	$(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
		$(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
		-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
		-DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
		-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
		-I../../lib/libwrap

# Sun make conditional macros (target := MACRO += value): every program
# links libwrap; tcpdchk additionally needs libnsl.
tcpd tcpdmatch try-from :=	LDLIBS += -lwrap
tcpdchk :=			LDLIBS += -lwrap -lnsl

# tcpdchk, tcpdmatch and try-from must export interfaces while also
# carrying symbols that clash with system libraries, so each is linked
# with its own interface mapfile on top of the gate-wide $(MAPFILE.NGB).
MAPFILE.INT.D =	$(MAPFILE.NGB) mapfile-intf-tcpdchk
MAPFILE.INT.M =	$(MAPFILE.NGB) mapfile-intf-tcpdmatch
MAPFILE.INT.F =	$(MAPFILE.NGB) mapfile-intf-tryfrom

tcpdchk :=	LDFLAGS += $(MAPFILE.INT.D:%=-M%)
tcpdmatch :=	LDFLAGS += $(MAPFILE.INT.M:%=-M%)
try-from :=	LDFLAGS += $(MAPFILE.INT.F:%=-M%)

# SRCONLY files are not built here; they are shipped in the SUNWtcpdS
# source package so that it matches the public tcp_wrappers distribution.
# Files shipped only as source.  None of them is compiled here; they keep
# the SUNWtcpdS source package a faithful copy of the public distribution.
SRCONLY =	BLURB Banners.Makefile CHANGES DISCLAIMER Makefile \
		Makefile.dist Makefile.org README README.IRIX README.NIS \
		README.ipv6 hosts_access.c.org misc.c.org miscd.c myvsyslog.c \
		ncr.c printf.ck ptx.c rfc931.c.org scaffold.c.org \
		socket.c.diff socket.c.org strcasecmp.c tags tcpd.h.org \
		tcpdchk.c.org tcpdmatch.c.org tli-sequent.c tli-sequent.h \
		tli.c.org update.c.org vfprintf.c

# Man pages, named by their installed Solaris section (man1m, man3, man4).
# They are staged under sunman/ from the upstream .8/.5/.3 pages.
MANDIRS =	man3 man4 man1m
MANPAGES =	man3/hosts_access.3 man3/libwrap.3 man4/hosts_access.4 \
		man4/hosts_options.4 man4/hosts.allow.4 man4/hosts.deny.4 \
		man1m/tcpd.1m man1m/tcpdchk.1m man1m/tcpdmatch.1m

# Everything installed under /usr/share/src/tcp_wrappers: the sources that
# are built, the Solaris-named man page sources, README.sfw and SRCONLY.
DISTFILES =	environ.c fakelog.c hosts_access.3 hosts_access.4 \
		hosts_options.4 inetcf.c inetcf.h safe_finger.c scaffold.c \
		scaffold.h tcpd.1m tcpd.c tcpdchk.1m tcpdchk.c tcpdmatch.1m \
		tcpdmatch.c try-from.c README.sfw $(SRCONLY)

# Proto-area destinations.
ROOTSRC =	$(ROOT)/usr/share/src/tcp_wrappers
ROOTMAN =	$(ROOT)/usr/share/man
ROOTMANPAGES =	$(MANPAGES:%=$(ROOTMAN)/%)
ROOTMANDIRS =	$(MANDIRS:%=$(ROOTMAN)/%)
ROOTSRCFILES =	$(DISTFILES:%=$(ROOTSRC)/%)

# Sun make: record command lines and hidden dependencies in .make.state.
.KEEP_STATE:

all:		$(PROG) THIRDPARTYLICENSE

install:	all $(ROOTUSRSBINPROG) $(ROOTMANPAGES) $(ROOTSRCFILES)

# Only the objects and the man page staging directory are removed here;
# THIRDPARTYLICENSE is listed in CLOBBERFILES further down.
clean:
	$(RM) *.o
	$(RM) -r sunman

# lint_PROG comes from ../Makefile.targ, included further down.
lint:		lint_PROG

# Solaris-specific man page aliases; these are copied into sunman/ unchanged.
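sunman/libwrap.3: libwrap.3
	mkdir -p sunman && cat libwrap.3 > $@
sunman/hosts.allow.4: hosts.allow.4
	mkdir -p sunman && cat hosts.allow.4 > $@
sunman/hosts.deny.4: hosts.deny.4
	mkdir -p sunman && cat hosts.deny.4 > $@

# The remaining man pages are the upstream ones, renamed and edited into
# Solaris conventions: e.g. tcpd.8 is installed as
# /usr/share/man/man1m/tcpd.1m.  Temporary copies with the new names and
# contents are created under sunman/; man.sed holds the content edits.
# The explicit rules above take precedence over the sunman/%.3 pattern
# rule for the three verbatim aliases.
sunman/%.1m: %.8
	mkdir -p sunman && sed -f man.sed < $< > $@
sunman/%.4: %.5
	mkdir -p sunman && sed -f man.sed < $< > $@
sunman/%.3: %.3
	mkdir -p sunman && sed -f man.sed < $< > $@

# Installed man pages are read-only.
$(ROOTMANPAGES) := FILEMODE = 0444
$(ROOTMANPAGES): $(ROOTMANDIRS) $(ROOTMAN)
$(ROOTMANDIRS): $(ROOTMAN)
	$(INS.dir)
$(ROOTMAN):
	$(INS.dir)
$(ROOTMAN1M)/% $(ROOTMAN3)/% $(ROOTMAN)/man4/%: sunman/%
	$(INS.file)

# Installed sources are read-only.  The three $(ROOTSRC)/% rules are tried
# in order: a %.sfwsrc copy, then a generated sunman/ page, then the file
# itself.
$(ROOTSRCFILES) := FILEMODE = 0444
$(ROOTSRCFILES): $(ROOTSRC)
$(ROOTSRC):
	$(INS.dir)
$(ROOTSRC)/%: %.sfwsrc
	$(INS.rename)
$(ROOTSRC)/%: sunman/%
	$(INS.file)
$(ROOTSRC)/%: %
	$(INS.file)

$(ROOT)/usr/share: $(ROOT)/usr
	$(INS.dir)
$(ROOT)/usr: $(ROOT)
	$(INS.dir)

TCPDMATCH_OBJ =	tcpdmatch.o fakelog.o inetcf.o scaffold.o

# Each program lists the interface mapfile set up for it earlier in this
# file (MAPFILE.INT.M / .F / .D) as a prerequisite, so that editing the
# mapfile forces a relink.  The rules previously named $(MAPFILE.INTF.M),
# $(MAPFILE.INTF.F) and $(MAPFILE.INTF.C), none of which this file
# defines, so the mapfile dependency was silently empty.
tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INT.M)
	$(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
	$(POST_PROCESS)

try-from: try-from.o fakelog.o $(LIB) $(MAPFILE.INT.F)
	$(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
	$(POST_PROCESS)

TCPDCHK_OBJ =	tcpdchk.o fakelog.o inetcf.o scaffold.o

tcpdchk: $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INT.D)
	$(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
	$(POST_PROCESS)

# The shipped license text is the upstream DISCLAIMER minus its banner
# lines.  Write to a temporary name first so that a failed grep never
# leaves a truncated THIRDPARTYLICENSE that looks up to date.
THIRDPARTYLICENSE: DISCLAIMER
	$(GREP) -v '\*\*\*\*' DISCLAIMER > $@.tmp && mv -f $@.tmp $@

CLOBBERFILES += THIRDPARTYLICENSE THIRDPARTYLICENSE.tmp

include ../Makefile.targ

# The rest of this file holds definitions taken more-or-less directly from
# the original tcp_wrappers Makefile.

##############################
# System parameters for Solaris (originally chosen for Solaris 9).

# Directory in which tcpd looks for the real network daemon it hands the
# connection to (see tcpd(1m)).  Since programs are exec'ed from here, it
# should stay a root-owned directory that nobody else can write to.
REAL_DAEMON_DIR = /usr/sbin
TLI = -DTLI
NETGROUP = -DNETGROUP

##############################
# Start of the optional stuff.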

###########################################
# Optional: Turning on language extensions
#
# The default access control language is documented in hosts_access.5.
# With PROCESS_OPTIONS defined the wrappers instead implement the
# extensible language documented in hosts_options.5; it lives in the
# "options.c" module, which also shows how to add your own extensions.
# Examples of the extensions are allow, deny, banners, twist and spawn.
#
# Security note: twist and spawn execute shell commands taken from the
# access tables, so anyone who can edit /etc/hosts.allow or
# /etc/hosts.deny can run commands with whatever privileges tcpd itself
# has.  Keep the tables root-owned and not writable by anyone else.
#
# Comment out the next definition to fall back to the basic language.

# Enable language extensions.
STYLE = -DPROCESS_OPTIONS

################################################################
# Optional: Changing the default disposition of logfile records
#
# Records go to syslog under the facility below; by default that is the
# facility sendmail uses, so they end up in the sendmail transaction log.
# See /etc/syslog.conf for the actual log file names, and the tutorial
# section of the README for an introduction to the syslog daemon.
#
# Change FACILITY if you disagree with that disposition.  Some syslog
# versions (Ultrix 4.x among them) do not offer this flexibility.
#
# If nothing shows up on your system, the records may be sent to a
# dedicated loghost, or no syslog daemon may be running at all.  The
# README points at surrogate syslog implementations for systems without
# syslog library routines or daemons.  When editing syslog.conf remember
# that the fields must be separated by TABs.
#
# The LOG_XXX names come from /usr/include/syslog.h.

# LOG_MAIL is what most sendmail daemons use.
FACILITY = LOG_MAIL

# Syslog priority at which successful connections are logged.  LOG_INFO
# is normally not logged to the console.
SEVERITY = LOG_INFO

######################################################
# Optional: Changing the default file protection mask
#
# Many systems start network daemons and other system processes with a
# zero umask, so they may create world-writable files.  It is a good idea
# to have the /etc/rc* scripts begin with an explicit umask; `umask 022'
# breaks nothing and gives adequate protection against tampering.
#
# DAEMON_UMASK is the umask applied to processes run under control of the
# wrappers.  Comment it out only if you are certain that inetd and its
# children already start with a safe umask.

UMASK = -DDAEMON_UMASK=022

#######################################
# Optional: Turning off access control
#
# Host access control is enabled by default.  Comment out the definition
# below to compile it out; it can also be switched off at run time by
# providing no (or empty) access control tables.

ACCESS = -DHOSTS_ACCESS

####################################################
# Optional: dealing with host name/address conflicts
#
# By default the software guards against hosts that claim someone else's
# host name, which matters for services whose authentication depends on
# host names, such as rsh and rlogin.
#
# With paranoid mode on, a connection is rejected when the client's host
# name does not match its address, and also when a host name is available
# but cannot be verified.
#
# Comment out the definition for finer control: with paranoid mode off, a
# client whose host name double check fails can instead be matched with
# the PARANOID access control pattern.
#
# Paranoid mode implies host name lookups; to disable lookups altogether,
# see the next section.

PARANOID = -DPARANOID

# Timeout, in seconds, for the RFC 931 (ident) user name lookup.  The
# default of 10 may be too short for slow hosts or networks, but is
# already enough to irritate PC users.  The user name comes from the
# client's own ident service, so treat it as informational rather than
# as authentication of the remote user.

RFC931_TIMEOUT = 10

########################################################
# Optional: Changing the access control table pathnames
#
# HOSTS_ALLOW and HOSTS_DENY tell the programs where to find the access
# control information.  Mind the quotes and backslashes when changing
# them; tcpdchk (built by this Makefile) can be used to check the tables
# once they are installed.

TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"

#############################################
# Optional: Turning on host ADDRESS checking
#
# Optionally the software also guards against hosts that pretend to have
# someone else's host ADDRESS.  Again this matters for services whose
# authentication depends on host names (rsh, rlogin), because the network
# address is what the remote host name is looked up from.
#
# The protection consists of refusing TCP connections that carry IP
# source routing options.
#
# Do not use this on SunOS 4.x: a kernel bug in getsockopt() has caused
# panics on SunOS 4.1.[1-3] ("BAD TRAP" and "Data fault" while executing
# tcp_ctloutput()).  Sun patch 100804-03 or 101790 reportedly fixes this
# for SunOS 4.1.x.
#
# Uncomment the definition below only if your getsockopt() is OK.  It is
# not needed on modern UNIX systems that already drop source-routed
# traffic in the kernel (4.4BSD derivatives, Solaris 2.x, Linux); see
# your system documentation for details.
#
# KILL_OPT = -DKILL_IP_OPTIONS

## End configuration options
############################