Usenet 1994 October

home *** CD-ROM | disk | FTP | other *** search

/ Usenet 1994 October / usenetsourcesnewsgroupsinfomagicoctober1994disk2.iso / misc / volume36 / log_tcp / part01 next >

Wrap

Text File | 1993-03-07 | 57.7 KB | 1,495 lines

Newsgroups: comp.sources.misc From: wietse@wzv.win.tue.nl (Wietse Venema) Subject: v36i004: log_tcp - TCP/IP daemon wrapper, v5.0, Part01/03 Message-ID: <csm-v36i004=log_tcp.221238@sparky.IMD.Sterling.COM> X-Md4-Signature: 19f2404d94df58075d924c1f0d5662ae Date: Mon, 8 Mar 1993 04:13:30 GMT Approved: kent@sparky.imd.sterling.com Submitted-by: wietse@wzv.win.tue.nl (Wietse Venema) Posting-number: Volume 36, Issue 4 Archive-name: log_tcp/part01 Environment: UNIX Supersedes: log_tcp: Volume 30, Issue 79-80 With the programs that come with this kit you can monitor incoming requests for IP services such as TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, SYSTAT, and many others. Optional features are: access control based on pattern matching; remote username lookup using the RFC 931 protocol; protection against attacks from hosts that pretend to have someone elses name; protection against attacks from hosts that pretend to have someone elses network address. The programs can be installed without requiring any changes to existing software or configuration files. By default, they just log the remote host name and do some sanity checks on the origin the request. No information is exchanged with the remote client process. The most notable differences with respect to the previous release are: - Additional protection against attacks from hosts that pretend to have someone elses network address. For example, the address of a trusted host within your own network. - The access control language has been extended with a simple but powerful operator that greatly simplifies the design of rule sets (ALL: .foo.edu EXCEPT dialup.foo.edu). Blank lines are permitted, and long lines can be continued with backslash-newline. - All configurable stuff, including path names, has been moved into the Makefile so that you no longer have to hack source code to just configure the programs. - Ported to Solaris 2. TLI-based applications not yet supported. Several workarounds for System V bugs. - A small loophole in the netgroup lookup code was closed, and the remote username lookup code was made more portable. - Still more documentation. The README file now provides tutorial sections with introductions to client, server, inetd and syslogd. With the exception of source routed connections, the default mode of operation should be backwards compatible with earlier versions. Wietse Venema (wietse@wzv.win.tue.nl), Department of Mathematics and Computing Science, Eindhoven University of Technology, The Netherlands. #! /bin/sh # This is a shell archive. Remove anything before this line, then unpack # it by saving it into a file and typing "sh file". To overwrite existing # files, type "sh file -c". You can also feed this as standard input via # unshar, or by typing "sh <file", e.g.. If this archive is complete, you # will see the following message at the end: # "End of archive 1 (of 3)." # Contents: BLURB README clean_exit.c fix_options.c hosts_access.3 # hosts_ctl.c hosts_info.c inet_addr_fix log_tcp.h miscd.c # patchlevel.h refuse.c setenv.c # Wrapped by wietse@wzv on Sun Mar 7 22:58:26 1993 PATH=/bin:/usr/bin:/usr/ucb ; export PATH if test -f BLURB -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"BLURB\" else echo shar: Extracting \"BLURB\" $2119 characters$ sed "s/^X//" >BLURB <<'END_OF_BLURB' X@(#) BLURB 1.7 93/03/07 22:47:49 X XWith the programs that come with this kit you can monitor incoming Xrequests for IP services such as TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, XFINGER, SYSTAT, and many others. X XOptional features are: access control based on pattern matching; remote Xusername lookup using the RFC 931 protocol; protection against attacks Xfrom hosts that pretend to have someone elses name; protection against Xattacks from hosts that pretend to have someone elses network address. X XThe programs can be installed without requiring any changes to existing Xsoftware or configuration files. By default, they just log the remote Xhost name and do some sanity checks on the origin the request. No Xinformation is exchanged with the remote client process. X XThe most notable differences with respect to the previous release are: X X - Additional protection against attacks from hosts that pretend to X have someone elses network address. For example, the address of a X trusted host within your own network. X X - The access control language has been extended with a simple but X powerful operator that greatly simplifies the design of rule sets X (ALL: .foo.edu EXCEPT dialup.foo.edu). Blank lines are permitted, X and long lines can be continued with backslash-newline. X X - All configurable stuff, including path names, has been moved into X the Makefile so that you no longer have to hack source code to just X configure the programs. X X - Ported to Solaris 2. TLI-based applications not yet supported. X Several workarounds for System V bugs. X X - A small loophole in the netgroup lookup code was closed, and the X remote username lookup code was made more portable. X X - Still more documentation. The README file now provides tutorial X sections with introductions to client, server, inetd and syslogd. X XWith the exception of source routed connections, the default mode of Xoperation should be backwards compatible with earlier versions. X X Wietse Venema (wietse@wzv.win.tue.nl), X Department of Mathematics and Computing Science, X Eindhoven University of Technology, X The Netherlands. END_OF_BLURB if test 2119 -ne `wc -c <BLURB`; then echo shar: \"BLURB\" unpacked with wrong size! fi # end of overwriting check fi if test -f README -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"README\" else echo shar: Extracting \"README\" $34604 characters$ sed "s/^X//" >README <<'END_OF_README' X@(#) README 1.9 93/03/07 22:47:24 X X XTable of contents X----------------- X X 1 - Introduction X 2 - Disclaimer X 3 - Tutorials X 3.1 - How it works X 3.2 - Where the logging information goes X 4 - Features X 4.1 - Access control X 4.2 - Host name spoofing X 4.3 - Host address spoofing X 4.4 - Remote username lookups X 4.5 - Language extension hooks X 5 - Other works X 5.1 - Related documents X 5.2 - Related software X 6 - Limitations X 6.1 - Known wrapper limitations X 6.2 - Known system software bugs X 7 - Configuration and installation X 7.1 - Easy configuration and installation X 7.2 - Advanced configuration and installation X 7.3 - Daemons with arbitrary path names X 7.4 - Building and testing the access control rules X 7.5 - Other applications X 8 - Acknowledgements X X1 - Introduction X---------------- X XWith this package you can monitor incoming connections to the SYSTAT, XFINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network Xservices. X XThe package provides tiny daemon wrapper programs that can be installed Xwithout any changes to existing software or to existing configuration Xfiles. The wrappers report the name of the remote host and of the Xrequested service; the wrappers do not exchange information with the Xremote client process, and impose no overhead on the actual Xcommunication between the client and server applications. X XOptional features are: access control to restrict what systems can Xconnect to your network daemons; remote user name lookups with the RFC X931 protocol; additional protection against hosts that pretend to have Xsomeone elses host name; additional protection against hosts that Xpretend to have someone elses host address. X XEarly versions of the programs were tested with Ultrix >= 2.2, with XSunOS >= 3.4 and ISC 2.2. Later versions have been installed on a wide Xvariety of platforms such as SunOS 4.x and 5.x, Ultrix 3.x and 4.x, DEC XOSF/1 T1.2-2, HP-UX 8.x, AIX 3.1.5, Apollo SR10.3.5, Sony, NeXT, SCO XUNIX, DG/UX, Cray, and an unknown number of other ones. X XRequirements are that the network daemons are spawned by a super server Xsuch as the inetd; a 4.3BSD-style socket programming interface; and the Xavailability of a syslog(3) library and of a syslogd(8) daemon. The Xwrappers should run without modification on any system that satisfies Xthese requirements. Workarounds have been implemented for several Xcommon bugs in systems software. X XWhat to do if this is your first encounter with the wrapper programs: X1) read the tutorial sections for an introduction to the relevant Xconcepts and terminology; 2) glance over the security feature sections Xin this document; 3) follow the installation instructions (easy or Xadvanced). I recommend that you first use the default security feature Xsettings. Run the wrappers for a few days to become familiar with Xtheir logs, before doing anything drastic such as cutting off access or Xinstalling booby traps. X X2 - Disclaimer X-------------- X XThe wrapper programs rely on source address information obtained from Xnetwork packets. Such information is not 100 percent reliable, although Xthe wrappers do their best to expose forgeries. X XIn the absence of cryptographic protection of message contents, and of Xcryptographic authentication of message originators, all data from the Xnetwork should be treated with sound scepticism. X XTHIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS. X X3 - Tutorials X------------- X XThe tutorial sections give a gentle introduction to the operation of Xthe wrapper programs, and introduce some of the terminology that is Xused in the remainder of the document: client, server, the inetd and Xsyslogd daemons, and their configuration files. X X3.1 - How it works X------------------ X XAlmost every application of the TCP/IP protocols is based on a client- Xserver model. For example, when a user invokes the telnet command to Xconnect to one of your systems, a telnet server process is executed on Xthe target host. The telnet server process connects the user to a login Xprocess. A few examples of client and server programs are shown in the Xtable below: X X client server application X -------------------------------- X telnet telnetd remote login X ftp ftpd file transfer X finger fingerd show users X XThe usual approach is to run one single daemon process that waits for Xall kinds of incoming network connections. Whenever a connection is Xestablished, this daemon (usually called inetd) runs the appropriate Xserver program and goes back to sleep, waiting for other connections. X XThe wrapper programs rely on a simple, but powerful mechanism. Instead Xof directly running the desired server program, the inetd is tricked Xinto running a small wrapper program. The wrapper logs the remote host Xname or address and performs some additional checks. When all is well, Xthe wrapper executes the desired server program and goes away. X XThe wrapper programs have no interaction with the remote user (or Xclient process). This has two major advantages: 1) the wrappers are Xapplication-independent, so that the same program can protect many Xkinds of network services; 2) no interaction also means that the Xwrappers are invisible from outside (at least for regular users). X XAnother important property is that the wrapper programs are active only Xwhen the initial contact between client and server is established. Once Xa wrapper has done its work there is no overhead on the client-server Xcommunication. X XThe simple mechanism has one major drawback: since the wrappers go away Xafter the initial contact between client and server processes, the Xwrappers are of little use with network daemons that service more than Xone client. The wrappers would only see the first client attempt to Xcontact such a server. The NFS mount daemon is a typical example of Xa daemon that services requests from multiple clients. X XThere are two ways to use the wrapper programs: X X1) The easy way: move network daemons to some other directory and fill X the resulting holes with copies of the wrapper programs. This X approach involves no changes to configuration files, so there is X very little risk of breaking things. X X2) The advanced way: leave the network daemons alone and modify the X inetd configuration file. For example, an entry such as: X X tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot X X When a tftp request arrives, inetd will run the wrapper program X (tcpd) with a process name `in.tftpd'. This is the name that the X wrapper will use when logging the request and when scanning the X optional access control tables. `in.tftpd' is also the name of the X server program that the wrapper will attempt to run when all is X well. Any arguments (`-s /tftpboot' in this particular example) are X transparently passed on to the server program. X XFor an account of the history of the wrapper programs, with real-life Xexamples, see the section below on related documents. X X3.2 - Where the logging information goes X---------------------------------------- X XThe wrapper programs send their logging information to the syslog Xdaemon (syslogd). The disposition of the wrapper logs is determined by Xthe syslog configuration file (usually /etc/syslog.conf). Messages are Xwritten to files, to the console, or are forwarded to a @loghost. X XOlder syslog implementations (still found on Ultrix systems) only Xsupport priority levels ranging from 9 (debug-level messages) to 0 X(alerts). All logging information of the same priority level (or more Xurgent) is written to the same destination. In the syslog.conf file, Xpriority levels are specified in numerical form. For example, X X 8/usr/spool/mqueue/syslog X Xcauses all messages with priority 8 (informational messages), and Xanything that is more urgent, to be appended to the file X/usr/spool/mqueue/syslog. X XNewer syslog implementations support message classes in addition to Xpriority levels. Examples of message classes are: mail, daemon, auth Xand news. In the syslog.conf file, priority levels are specified with Xsymbolic names: debug, info, notice, ..., emerg. For example, X X mail.debug /var/log/syslog X Xcauses all messages of class mail with priority debug (or more urgent) Xto be appended to the /var/log/syslog file. X XBy default, the wrapper logs go to the same place as the transaction Xlogs of the sendmail daemon. The disposition can be changed by editing Xthe Makefile and/or the syslog.conf file. Send a `kill -HUP' to the Xsyslogd after changing its configuration file. Remember that syslogd, Xjust like sendmail, insists on one or more TABs between the left-hand Xside and the right-hand side expressions in its configuration file. X X4 - Features X------------ X X4.1 - Access control X-------------------- X XWhen compiled with -DHOSTS_ACCESS, the wrapper programs support a Xsimple form of access control. Access can be controlled per host, per Xservice, or combinations thereof. The software provides hooks for the Xexecution of shell commands when an access control rule fires; this Xfeature may be used to install "booby traps". For details, see the Xhosts_access.5 manual page, which is in `nroff -man' format. A later Xsection describes how you can test your access control rules. X XAccess control is enabled by default. It can be turned off by editing Xthe Makefile, or by providing no access control tables. The install Xinstructions below describe the Makefile editing process. X X4.2 - Host name spoofing X------------------------ X XWith some network applications, such as RSH or RLOGIN, the remote host Xname plays an important role in the authentication process. Host name Xinformation can be reliable when lookups are done from a _local_ hosts Xtable, provided that the client IP address can be trusted. X XWith _distributed_ name services, authentication schemes that rely on Xhost names become more problematic. The security of your system now may Xdepend on some far-away DNS (domain name server) outside your own Xcontrol. Paradoxically, running NIS (YP) can actually improve hostname Xsecurity because it provides you with the equivalent of a local hosts Xfile. X XThe wrapper programs verify the remote host name that is returned by Xthe address->name DNS server, by asking for a second opinion. To this Xend, the programs look at the name and addresses that are returned by Xthe name->address DNS server. If any discrepancies are found, the Xwrappers conclude that at least one of the two name servers is lying, Xand assume that they are dealing with a host that pretends to have Xsomeone elses host name. X XWhen the wrappers are unable to verify the remote host name (the Xaddress->name lookup succeeds but the name->address lookup fails), they Xalso assume that the host name is wrong. X XWhen the remote host name is unavailable (the address->name lookup Xfails) the wrappers just use the remote host address when logging the Xconnection and when consulting the optional access control tables. X XWhen the sources are compiled with -DPARANOID, the wrappers will drop Xthe connection in case of a host name/address mismatch. When the Xsources are not compiled with -DPARANOID, the wrappers just pretend Xthat the host name is unknown when logging the connection and when Xconsulting the optional access control tables. X XParanoid mode is enabled by default. It can be turned off by editing Xthe Makefile. The configuration and installation below describes the XMakefile editing process. X X4.3 - Host address spoofing X--------------------------- X XWhile host name spoofing can be found out by asking a second opinion, Xit is much harder to find out that a host claims to have someone elses Xnetwork address. And since host names are deduced from network Xaddresses, address spoofing is at least as effective as name spoofing. X XThe wrapper programs can give additional protection against hosts that Xclaim to have an address that lies outside their own network. For Xexample, some far-away host that claims to be a trusted host within Xyour own network. Such things are possible even while the impersonated Xsystem is up and running. X XThis additional protection is not an invention of my own; it has been Xpresent for at least five years in the BSD rsh and rlogin daemons. XUnfortunately, that feature was added *after* 4.3 BSD came out, so that Xvery few, if any, UNIX vendors have adopted it. Our site, and many Xother ones, has been running these enhanced daemons for several years, Xand without any ill effects. X XWhen the programs are compiled with -DKILL_IP_OPTIONS, source routing Xwill be disabled for all TCP connections that are handled by the Xwrapper programs. X XThe feature is enabled by default. It can be turned off by editing the XMakefile. The configuration and installation section below describes Xthe Makefile editing process. X XUDP services do not benefit from this additional protection. With UDP, Xall you can be certain of is the network packet's destination address. X X4.4 - Remote username lookups X----------------------------- X XThe protocol proposed in RFC 931 provides a means to get the remote Xuser name from the client host. The requirement is that the client Xhost runs an RFC 931-compliant daemon. The information provided by such Xa daemon is not intended to be used for authentication purposes, but it Xcan provide additional information about the owner of a TCP connection. X XRemote user name lookups are enabled when the wrappers are compiled Xwith -DRFC931. There are some limitations: the number of hosts that Xrun an RFC 931 (or compatible) daemon is small (but growing); remote Xuser name lookups do not work for datagram (UDP) connections. More Xseriously, remote user name lookups can cause noticeable delays with Xconnections from non-UNIX PCs. The wrappers use a 30-second timeout for XRFC931 lookups, to accommodate slow networks and slow hosts. X XBy default, remote username lookups are not enabled. You can enable Xthem by editing the Makefile. The remote username lookup timeout period X(30 seconds default) can also be changed by editing the Makefile. The Xinstallation sections below describe the Makefile editing process. X XThe RFC 931 protocol has diverged into different directions (IDENT and XTAP). To add to the confusion, both protocols use the same network Xport. The daemon wrappers implement a common subset of the protocols. X X4.5 - Language extension hooks X------------------------------ X XThe wrappers sport only a limited number of features. This is for a Xgood reason: programs that are run at high privilege levels must be Xeasy to verify. X XHowever, some sites have very specific needs. The options.c file Xprovides a framework for adding extensions to the access control Xlanguage. It comes with sample extensions that: (1) switch to another Xuser or group id; (2) perform remote user name lookups; (3) run an Xalternate server program (this allows you to produce customized bounce Xmessages or to do really nasty stuff); (4) set arbitrary environment Xvariables; (5) change the default file protection mask. X XThe language extension hook is not enabled by default because it Xintroduces an incompatible change to the access control language Xsyntax. Instructions to enable the extensions are given in the XMakefile. X X5 - Other works X--------------- X X5.1 - Related documents X----------------------- X XThe war story behind the wrapper tools is described in: X X W.Z. Venema, "TCP WRAPPER, network monitoring, access control and X booby traps", UNIX Security Symposium III Proceedings (Baltimore), X September 1992. X X ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript) X ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text) X XThe same cracker is also described in: X X W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is X Lured, Endured, and Studied", Proceedings of the Winter USENIX X Conference (San Francisco), January 1992. X X research.att.com:/dist/internet_security/berferd.ps X X5.2 - Related software X---------------------- X XNetwork daemons etc. with enhanced logging capabilities can generate Xmassive amounts of information: our 100+ workstations generate several Xhundred kbytes each day. egrep-based filters can help to suppress some Xof the noise. A more powerful tool is the Swatch monitoring system by XStephen E. Hansen and E. Todd Atkins. Swatch can process log files in Xreal time and can associate arbitrary actions with patterns; its Xapplications are by no means restricted to security. Swatch is Xavailable from sierra.stanford.edu, directory /pub/sources. X XSocks, described in the UNIX Security III proceedings, can be used to Xcontrol network traffic from hosts on an internal network, through a Xfirewall host, to the outer world. Socks consists of a daemon that is Xrun on the firewall host, and of a library with routines that redirect Xapplication socket calls through the firewall daemon. Socks is Xavailable from s1.gov in /pub/socks.tar.Z. X XVersions of rshd and rlogind, modified to report the remote user name Xin addition to the remote host name, are available for anonymous ftp X(ftp.win.tue.nl:/pub/security/logdaemon-2.tar.Z). These programs are Xdrop-in replacements for SunOS 4.x, Ultrix 4.x, and SunOS 5.x. X XThe securelib shared library by William LeFebvre can be used to control Xaccess to network daemons that are not run under control of the inetd, Xsuch as the RPC daemons that run until the machine goes down. XAvailable from eecs.nwu.edu, file /pub/securelib.tar. X XWhere shared libraries or router-based packet filtering are not an Xoption, an alternative portmap daemon can help to improve RPC security, Xin particular that of NFS and of the NIS (YP) information service. Xftp.win.tue.nl:/pub/security/portmap.shar.Z was tested with SunOS 4.1.1 Xand 4.1.2, Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and AIX. The protection Xis less effective than that of the securelib library because portmap is Xmostly a dictionary service. SunOS 4.x users should install the latest Xrevision of the portmap and NIS daemons instead, or adopt NIS+ which Xhas access control built in. X XSource for a portable RFC 931 (TAP, IDENT)-compatible daemon by Peter XEriksson is available from ftp.lysator.liu.se:/pub/ident/servers. X XSome TCP/IP implementations come without syslog library. Some come with Xthe library but have no syslog daemon. A replacement can be found in Xftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z. The fakesyslog Xlibrary that comes with the nntp sources reportedly works well, too. X X6 - Limitations X--------------- X X6.1 - Known wrapper limitations X------------------------------- X XSome UDP (and RPC) daemons linger around for a while after they have Xserviced a request, just in case another request comes in. In the Xinetd configuration file these daemons are registered with the `wait' Xoption. Only the request that started such a daemon will be seen by the Xwrappers. This restriction does not apply to connection-oriented (TCP) Xservices. X XTLI (transport level interface), the System V stream-based and Xprotocol-independent network programming interface, is not yet Xsupported, but we're working on it. X XThe wrappers do not work with RPC services over TCP. These services are Xregistered as rpc/tcp in the inetd configuration file. The only non- Xtrivial service that is affected by this limitation is rexd, which is Xused by the on(1) command. This is no great loss. On most systems, Xrexd is less secure than a wildcard in /etc/hosts.equiv. X XRPC broadcast requests (for example: rwall, rup, rusers) always appear Xto come from the responding host. What happens is that the client Xbroadcasts its request to all portmap daemons on its network; each Xportmap daemon forwards the request to its own system. As far as the Xrwall etc. daemons know, the request comes from the local host. X XPortmap and RPC (e.g. NIS and NFS) security is a topic in itself. See Xthe section in this document on related software. X X6.2 - Known system software bugs X-------------------------------- X XWorkarounds have been implemented for several bugs in system software. XThey are described in the Makefile. Unfortunately, some system software Xbugs cannot be worked around. The result is loss of functionality. X XOlder ConvexOS versions come with a broken recvfrom(2) implementation. XThis makes it impossible for the daemon wrappers to look up the Xremote host address (and hence, the name) in case of UDP requests. XA patch is available for ConvexOS 10.1; later releases should be OK. X XOn some systems, the optional RFC 931 remote username lookups may Xtrigger a kernel bug. When a client host connects to your system, and Xthe RFC 931 connection from your system to that client is rejected by a Xrouter, your kernel may drop all connections with that client. This is Xnot a bug in the wrapper programs: complain to your vendor, and don't Xenable remote user name lookups until the bug has been fixed. X XReportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2 Xare OK. X XSony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug. XAt the time of writing, a fix for Ultrix is being field tested (CXO-8919). X XThe following procedure can be used (from outside the tue.nl domain) to Xfind out if your kernel has the bug. From the system under test, do: X X % ftp 131.155.70.100 X XThis command attempts to make an ftp connection to our anonymous ftp Xserver (ftp.win.tue.nl). When the connection has been established, run Xthe following command from the same system under test, while keeping Xthe ftp connection open: X X % telnet 131.155.70.100 111 X XDo not forget the `111' at the end of the command. This telnet command Xattempts to connect to our portmap process. The telnet command should Xfail with: "host not reachable", or something like that. If your ftp Xconnection gets messed up, you have the bug. If the telnet command does Xnot fail, please let me know a.s.a.p.! X XFor those who care, the bug is that the BSD kernel code was not careful Xenough with incoming ICMP UNREACHABLE control messages (it ignored the Xlocal and remote port numbers). The bug is still present in the BSD XNET/1 source release (1989) but apparently has been fixed in BSD NET/2 X(1991). You can see it with your own eyes, if you have the courage. X X7 - Configuration and installation X---------------------------------- X X7.1 - Easy configuration and installation X----------------------------------------- X XThe "easy" recipe requires no changes to existing software or Xconfiguration files. Basically, you move the daemons that you want to Xprotect to a different directory and plug the resulting holes with Xcopies of the wrapper programs. X XIf you don't run Ultrix, you won't need the miscd wrapper program. The Xmiscd daemon implements among others the SYSTAT service, which produces Xthe same output as the the WHO command. X XCopy the file Makefile.dist to Makefile, edit the Makefile according to Xthe instructions at the beginning of that file, and type `make'. X XWhen the `make' succeeds the result is two executables (maybe three in Xcase of Ultrix). The `try' program can be used to play with host access Xcontrol tables and is described in a later section. X XThe tcpd program can be used to monitor the telnet, finger, ftp, exec, Xrsh, rlogin, tftp, talk, comsat and other tcp or udp services that have Xa one-to-one mapping onto executable files. X XThe tcpd program can also be used for services that are marked as Xrpc/udp in the inetd configuration file, but not for rpc/tcp services Xsuch as rexd. You probably do not want to run rexd anyway. On most Xsystems it is even less secure than a wildcard in /etc/hosts.equiv. X XThe wrappers are not yet able to deal with TLI-based services. X XDecide which services you want to monitor. Move the corresponding Xvendor-provided daemon programs to the location specified by the XREAL_DAEMON_DIR constant in the Makefile, and fill the holes with Xcopies of the tcpd wrapper. That is, one copy of (or link to) the tcpd Xprogram for each service that you want to monitor. For example, to Xmonitor the use of your finger service: X X # mkdir REAL_DAEMON_DIR X # mv /usr/etc/in.fingerd REAL_DAEMON_DIR X # cp tcpd /usr/etc/in.fingerd X XThe example applies to SunOS 4. With other UNIX implementations the Xnetwork daemons live in /usr/libexec or /usr/sbin, or have no "in." Xprefix to their names, but you get the idea. X XUltrix only: If you want to monitor the SYSTAT service, move the Xvendor-provided miscd daemon to the location specified by the XREAL_MISCD macro in the Makefile, and install the miscd wrapper into Xthe original miscd location. X XIn the absence of any access-control tables, the daemon wrappers Xwill just maintain a record of network connections made to your system. X X7.2 - Advanced configuration and installation X--------------------------------------------- X XThe advanced recipe leaves your daemon executables alone, but involves Xsimple modifications to the inetd configuration file. X XCopy the file Makefile.dist to Makefile. In the Makefile, define the XREAL_DAEMON_DIR macro (if you run Ultrix, the REAL_MISCD macro, too) to Xreflect the path to your existing network daemons. Don't panic when Xsome daemons live elsewhere; we'll deal with that later. Have a look Xat the other instructions in the Makefile and type `make'. X XWhen the `make' succeeds the result is two executables (maybe three in Xcase of Ultrix). The `try' program can be used to play with host access Xcontrol tables and is described in a later section. X XThe tcpd program can be used to monitor the telnet, finger, ftp, exec, Xrsh, rlogin, tftp, talk, comsat and other tcp or udp services that have Xa one-to-one mapping onto executable files. X XThe tcpd program can also be used for services that are marked as Xrpc/udp in the inetd configuration file, but not for rpc/tcp services Xsuch as rexd. You probably do not want to run rexd anyway. On most Xsystems it is even less secure than a wildcard in /etc/hosts.equiv. X XThe wrappers are not yet able to deal with TLI-based services. X XInstall the tcpd command in a suitable place. Apollo UNIX users will Xwant to install it under a different name because the name "tcpd" is Xalready taken; a suitable name for the wrapper program would be X"frontd". Then perform the following edits on the inetd configuration Xfile (usually /etc/inetd.conf or /etc/inet/inetd.conf): X X finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd X Xbecomes: X X finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd X XSend a `kill -HUP' to the inetd process to make the change effective. X XThe example applies to SunOS 4. With other UNIX implementations the Xnetwork daemons live in /usr/libexec or /usr/sbin, the network daemons Xhave no "in." prefix to their names, or the username field in the inetd Xconfiguration file may be missing. X XWhen the finger service works as expected you can perform similar Xchanges for other network services. Do not forget the `kill -HUP'. X XThe miscd daemon that comes with Ultrix implements several network Xservices. It decides what to do by looking at its process name. One of Xthe services is systat, which is a kind of limited finger service. If Xyou want to monitor the systat service, install the miscd wrapper in Xa suitable place and update the inetd configuration file: X X systat stream tcp nowait /suitable/place/miscd systatd X XUltrix 4.3 allows you to specify a user id under which the daemon will Xbe executed. This feature is not documented in the manual pages. Thus, Xthe example would become: X X systat stream tcp nowait nobody /suitable/place/miscd systatd X XOlder Ultrix systems still run all their network daemons as root. X XIn the absence of any access-control tables, the daemon wrappers Xwill just maintain a record of network connections made to your system. X X7.3 - Daemons with arbitrary path names X--------------------------------------- X XThe above tcpd examples work fine with network daemons that live in a Xcommon directory, but sometimes that is not practical. Having soft Xlinks all over your file system is not a clean solution, either. X XInstead you can specify, in the inetd configuration file, an absolute Xpath name for the daemon process name. For example, X X ntalk dgram udp wait root /usr/etc/tcpd /usr/local/lib/ntalkd X XWhen the daemon process name is an absolute path name, tcpd ignores the Xvalue of the REAL_DAEMON_DIR constant, and uses the last path component Xof the daemon process name for logging and for access control. X X7.4 - Building and testing the access control rules X--------------------------------------------------- X XIn order to support access control the wrappers must be compiled with Xthe -DHOSTS_ACCESS option. The access control policy is given in the Xform of two tables (default: /etc/hosts.allow and /etc/hosts.deny). XAccess control is disabled when there are no access control tables, or Xwhen the tables are empty. X XIf you haven't used the wrappers before I recommend that you first run Xthem a couple of days without any access control restrictions. The Xlogfile records should give you an idea of the process names and of the Xhost names that you will have to build into your access control rules. X XThe syntax of the access control rules is documented in the file Xhosts_access.5, which is in `nroff -man' format. This is a lengthy Xdocument, and no-one expects you to read it right away from beginning Xto end. Instead, after reading the introductory section, skip to the Xexamples at the end so that you get a general idea of the language. XThen you can appreciate the detailed reference sections near the Xbeginning of the document. X XThe examples in the hosts_access.5 document show two specific types of Xaccess control policy: 1) mostly closed (only permitting access from a Xlimited number of systems) and 2) mostly open (permitting access from Xeveryone except a limited number of trouble makers). You will have to Xchoose what model suits your situation best. Implementing a mixed Xpolicy should not be overly difficult either. X XThe `try' command can be used to try out your local access control Xfiles. The command syntax is: X X ./try process_name hostname (e.g.: ./try in.tftpd localhost) X X ./try process_name address (e.g.: ./try in.tftpd 127.0.0.1) X XIn order to find out what process name to use, just use the service and Xwatch the process name that shows up in the logfile. Alternatively, Xyou can look up the name from the inetd configuration file. Coming back Xto the tftp example in the tutorial section above: X X tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot X XThis entry causes the inetd to run the wrapper program (tcpd) with a Xprocess name `in.tftpd'. This is the name that the wrapper will use Xwhen scanning the access control tables. Therefore, `in.tftpd' is the Xprocess name that should be given to the `try' command. On your system Xthe actual inetd.conf entry may differ (tftpd instead of in.tftpd, and Xno `root' field), but you get the idea. X XWhen you specify a host name, the `try' program will use both the host Xname and address. This way you can simulate the most common case where Xthe wrappers know both the host address and the host name. The `try' Xprogram will iterate over all addresses that it can find for the given Xhost name. X XWhen you specify a host address instead of a host name, the `try' Xprogram will pretend that the host name is unknown, so that you can Xsimulate what happens when the wrapper is unable to look up the remote Xhost name. X XSerious errors in the configuration file syntax will be reported via Xthe syslog daemon. Run a `tail -f' on the logfile while playing with Xthe `try' command. The tutorial section at the beginning of this file Xdescribes where to look for your logfile. X X7.5 - Other applications X------------------------ X XThe access control routines can easily be integrated with other Xprograms. The hosts_access.3 manual page (`nroff -man' format) Xdescribes the external interface of the libwrap.a library. X XThe tcpd wrapper can even be used to control access to the smtp port. XIn that case, sendmail should not be run as a stand-alone daemon, but Xit should be registered in the inetd configuration file. For example: X X smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs X XYou will periodically want to run sendmail to process queued-up Xmessages. A crontab entry like: X X 0,15,30,45 * * * * /usr/lib/sendmail -q X Xshould take care of that. When you are going to "protect" your sendmail Xdaemon this way, you should realize that there are many "unprotected" Xsendmail daemons all over the network that can still be abused. X X8 - Acknowledgements X-------------------- X XMany people contributed to the evolution of the programs, by asking Xinspiring questions, by suggesting features or bugfixes, or by Xsubmitting source code. Nevertheless, all mistakes and bugs in the Xwrappers are my own. X XThanks to Brendan Kehoe (brendan@cs.widener.edu), Heimir Sverrisson X(heimir@hafro.is) and Dan Bernstein (brnstnd@kramden.acf.nyu.edu) for Xfeedback on an early release of this product. The host name/address Xcheck was suggested by John Kimball (jkimball@src.honeywell.com). XApollo's UNIX environment has some peculiar quirks: Willem-Jan Withagen X(wjw@eb.ele.tue.nl), Pieter Schoenmakers (tiggr@es.ele.tue.nl) and XCharles S. Fuller (fuller@wccs.psc.edu) provided assistance. Hal R. XBrand (BRAND@addvax.llnl.gov) told me how to get the remote IP address Xin case of datagram-oriented services, and suggested the optional shell Xcommand feature. Shabbir Safdar (shabby@mentor.cc.purdue.edu) provided Xa first version of a much-needed manual page. Granville Boman Goza, IV X(gbg@sei.cmu.edu) suggested to use the remote IP address even when the Xhost name is available. Casper H.S. Dik (casper@fwi.uva.nl) provided Xadditional insight into DNS spoofing techniques. The bogus daemon Xfeature was inspired by code from Andrew Macpherson (BNR Europe Ltd). XSteve Bellovin (smb@research.att.com) confirmed some of my suspicions Xabout the darker sides of TCP/IP insecurity. X XIn no particular order, Howard Chu (hyc@hanauma.jpl.nasa.gov), John P. XRouillard (rouilj@cs.umb.edu), Darren Reed (avalon@coombs.anu.edu.au), XIcarus Sparry (I.Sparry@gdr.bath.ac.uk), Scott Schwartz (schwartz@ Xcs.psu.edu), John A. Kunze (jak@violet.berkeley.edu), Daniel Len XSchales (dan@engr.latech.edu), Chris Turbeville <turbo@cse.uta.edu>, XPaul Kranenburg <pk@cs.few.eur.nl>, and many, many others provided Xfixes, code fragments, or other improvements to the wrappers. X X Wietse Venema (wietse@wzv.win.tue.nl) X Department of Mathematics and Computing Science X Eindhoven University of Technology X P.O. Box 513 X 5600 MB Eindhoven X The Netherlands END_OF_README if test 34604 -ne `wc -c <README`; then echo shar: \"README\" unpacked with wrong size! fi # end of overwriting check fi if test -f clean_exit.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"clean_exit.c\" else echo shar: Extracting \"clean_exit.c\" $1268 characters$ sed "s/^X//" >clean_exit.c <<'END_OF_clean_exit.c' X /* X * clean_exit() cleans up and terminates the program. It should be called X * instead of exit when for some reason the real network daemon will not or X * cannot be run. Reason: in the case of a datagram-oriented service we must X * discard the not-yet received data from the client. Otherwise, inetd will X * see the same datagram again and again, and go into a loop. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) clean_exit.c 1.1 92/06/11 22:21:52"; X#endif X X#include <sys/types.h> X#include <sys/socket.h> X#include <stdio.h> X Xextern void exit(); X X#include "log_tcp.h" X X/* clean_exit - clean up and exit */ X Xvoid clean_exit(client) Xstruct from_host *client; X{ X char buf[BUFSIZ]; X struct sockaddr sa; X int size = sizeof(sa); X X /* X * Eat up the not-yet received packet. Some systems insist on a non-zero X * source address argument in the recvfrom() call below. X */ X X if (client->sock_type == FROM_UNCONNECTED) X (void) recvfrom(0, buf, sizeof(buf), 0, &sa, &size); X X /* X * Be kind to the inetd. We already reported the problem via the syslogd, X * and there is no need for additional garbage in the logfile. X */ X X exit(0); X} END_OF_clean_exit.c if test 1268 -ne `wc -c <clean_exit.c`; then echo shar: \"clean_exit.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f fix_options.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"fix_options.c\" else echo shar: Extracting \"fix_options.c\" $1315 characters$ sed "s/^X//" >fix_options.c <<'END_OF_fix_options.c' X /* X * Routine to disable IP-level socket options. This code was taken from 4.4BSD X * rlogind source, but all mistakes in it are my fault. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) fix_options.c 1.1 93/03/07 22:48:02"; X#endif X X#include <sys/types.h> X#include <sys/param.h> X#include <netinet/in.h> X#include <netdb.h> X#include <stdio.h> X#include <syslog.h> X X#include "log_tcp.h" X X/* fix_options - get rid of IP-level socket options */ X Xfix_options(client) Xstruct from_host *client; X{ X#ifdef IP_OPTIONS X unsigned char optbuf[BUFSIZ / 3], *cp; X char lbuf[BUFSIZ], *lp; X int optsize = sizeof(optbuf), ipproto; X struct protoent *ip; X X if ((ip = getprotobyname("ip")) != 0) X ipproto = ip->p_proto; X else X ipproto = IPPROTO_IP; X X if (getsockopt(0, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 X && optsize != 0) { X lp = lbuf; X for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) X sprintf(lp, " %2.2x", *cp); X syslog(LOG_NOTICE, X "connect from %s with IP options (ignored):%s", X hosts_info(client), lbuf); X if (setsockopt(0, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { X syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); X clean_exit(client); X } X } X#endif X} END_OF_fix_options.c if test 1315 -ne `wc -c <fix_options.c`; then echo shar: \"fix_options.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f hosts_access.3 -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"hosts_access.3\" else echo shar: Extracting \"hosts_access.3\" $2018 characters$ sed "s/^X//" >hosts_access.3 <<'END_OF_hosts_access.3' X.TH HOSTS_ACCESS 3 X.SH Xhosts_access, hosts_ctl \- access control library X.SH SYNOPSIS X.nf X#include "log_tcp.h" X Xint hosts_access(daemon, client) Xchar *daemon; Xstruct from_host *client; X Xint hosts_ctl(daemon, client_name, client_addr, client_user) Xchar *daemon; Xchar *client_host; Xchar *client_addr; Xchar *client_user; X.fi X.SH DESCRIPTION XThe routines described in this document are part of the \fIlibwrap.a\fR Xlibrary. They implement a pattern-based access control language with Xoptional shell commands that are executed when a pattern fires. X.PP XIn all cases, the daemon argument should specify a daemon process name X(argv[0] value). The client host address should be a valid address, or XFROM_UNKNOWN if address lookup failed. The client host name and user Xname should be empty strings if no information is available, XFROM_UNKNOWN if lookup failed, or an actual host or user name. X.PP Xhosts_access() consults the access control tables described in the X\fIhosts_access(5)\fR manual page. If a match is found, an optional Xshell command is executed and the search terminates. hosts_access() Xreturns zero if access should be denied. X.PP Xhosts_ctl() is a wrapper around the hosts_access() routine with a Xperhaps more convenient interface. hosts_ctl() returns zero if access Xshould be denied. X.SH DIAGNOSTICS XProblems are reported via the syslog daemon. X.SH SEE ALSO Xhosts_access(5), format of the access control tables. X.SH FILES X/etc/hosts.access, /etc/hosts.deny, access control tables. X.SH BUGS XThe functions described here do not make copies of their string-valued Xarguments. Beware of data from functions that overwrite their results Xupon each call. X.sp Xhosts_access() uses the strtok() library function. This may interfere Xwith other code that relies on strtok(). X.SH AUTHOR X.na X.nf XWietse Venema (wietse@wzv.win.tue.nl) XDepartment of Mathematics and Computing Science XEindhoven University of Technology XDen Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands X\" @(#) hosts_access.3 1.1 92/06/11 22:21:45 END_OF_hosts_access.3 if test 2018 -ne `wc -c <hosts_access.3`; then echo shar: \"hosts_access.3\" unpacked with wrong size! fi # end of overwriting check fi if test -f hosts_ctl.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"hosts_ctl.c\" else echo shar: Extracting \"hosts_ctl.c\" $969 characters$ sed "s/^X//" >hosts_ctl.c <<'END_OF_hosts_ctl.c' X /* X * hosts_ctl() combines the most common applications of the host access X * control library. routine. It bundles its arguments into a from_host X * structure, then calls the hosts_access() access control checker. The host X * name and user name arguments should be empty strings, "unknown" or real X * data. if a match is found, the optional shell command is executed. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) hosts_ctl.c 1.1 92/06/11 22:21:48"; X#endif X X#include <stdio.h> X X#include "log_tcp.h" X X/* hosts_ctl - general interface for the hosts_access() routine */ X Xint hosts_ctl(daemon, name, addr, user) Xchar *daemon; Xchar *name; Xchar *addr; Xchar *user; X{ X struct from_host client; X static struct from_host zeros; X X client = zeros; X client.name = name; X client.addr = addr; X client.user = user; X X return (hosts_access(daemon, &client)); X} END_OF_hosts_ctl.c if test 969 -ne `wc -c <hosts_ctl.c`; then echo shar: \"hosts_ctl.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f hosts_info.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"hosts_info.c\" else echo shar: Extracting \"hosts_info.c\" $788 characters$ sed "s/^X//" >hosts_info.c <<'END_OF_hosts_info.c' X /* X * hosts_info() returns a string with as much information about the origin X * of a connection as we have: the user name, if known, and the host name, X * or the host address if the name is not available. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) hosts_info.c 1.1 92/06/11 22:21:44"; X#endif X X#include <stdio.h> X X#include "log_tcp.h" X X/* hosts_info - return string with as much about the client as we know */ X Xchar *hosts_info(client) Xstruct from_host *client; X{ X static char buf[BUFSIZ]; /* XXX */ X X if (client->user[0] && strcmp(client->user, FROM_UNKNOWN)) { X sprintf(buf, "%s@%s", client->user, FROM_HOST(client)); X return (buf); X } else { X return (FROM_HOST(client)); X } X} END_OF_hosts_info.c if test 788 -ne `wc -c <hosts_info.c`; then echo shar: \"hosts_info.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f inet_addr_fix -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"inet_addr_fix\" else echo shar: Extracting \"inet_addr_fix\" $552 characters$ sed "s/^X//" >inet_addr_fix <<'END_OF_inet_addr_fix' X#ifndef lint Xstatic char sccsid[] = "@(#) inet_addr_fix 1.1 93/03/07 22:48:04"; X#endif X X /* X * Some inet_addr() versions return a struct/union instead of a long. You X * have this problem when the compiler complains about illegal lvalues or X * something like that. The following code fixes this mutant behaviour. X * X * Bug reported by ben@piglet.cr.usgs.gov (Rev. Ben A. Mesander). X */ X Xstatic long fix_inet_addr(string) Xchar *string; X{ X struct in_addr addr = inet_addr(string); X X return (addr.s_addr); X} X X#define inet_addr fix_inet_addr END_OF_inet_addr_fix if test 552 -ne `wc -c <inet_addr_fix`; then echo shar: \"inet_addr_fix\" unpacked with wrong size! fi # end of overwriting check fi if test -f log_tcp.h -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"log_tcp.h\" else echo shar: Extracting \"log_tcp.h\" $1448 characters$ sed "s/^X//" >log_tcp.h <<'END_OF_log_tcp.h' X/* @(#) log_tcp.h 1.3 93/03/07 22:47:41 */ X X/* Location of the access control files. */ X X#ifndef HOSTS_ALLOW X#define HOSTS_ALLOW "/etc/hosts.allow" X#endif X X#ifndef HOSTS_DENY X#define HOSTS_DENY "/etc/hosts.deny" X#endif X X /* Structure filled in by the fromhost() routine. */ X Xstruct from_host { X int sock_type; /* socket type, see below */ X char *name; /* host name */ X char *addr; /* host address */ X char *user; /* user name */ X struct sockaddr_in *sin; /* their side of the link */ X}; X X#define FROM_UNKNOWN "unknown" /* name or address lookup failed */ X#define FROM_HOST(f) \ X (((f)->name[0] && strcmp((f)->name, FROM_UNKNOWN)) ? (f)->name : (f)->addr) X X#define FROM_ADDRLEN (4*3+3+1) /* string with IP address */ X X/* Socket types: 0 means unknown. */ X X#define FROM_CONNECTED 1 /* connection-oriented */ X#define FROM_UNCONNECTED 2 /* non connection-oriented */ X X/* Global functions. */ X Xextern int fromhost(); /* get/validate remote host info */ Xextern int hosts_access(); /* access control */ Xextern void refuse(); /* refuse request */ Xextern void shell_cmd(); /* execute shell command */ Xextern void percent_x(); /* do %<char> expansion */ Xextern char *rfc931_name(); /* remote name from RFC 931 daemon */ Xextern char *hosts_info(); /* show origin of connection */ Xextern void clean_exit(); /* clean up and exit */ X X/* Global variables. */ X Xextern int log_severity; /* for connection logging */ END_OF_log_tcp.h if test 1448 -ne `wc -c <log_tcp.h`; then echo shar: \"log_tcp.h\" unpacked with wrong size! fi # end of overwriting check fi if test -f miscd.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"miscd.c\" else echo shar: Extracting \"miscd.c\" $2602 characters$ sed "s/^X//" >miscd.c <<'END_OF_miscd.c' X /* X * Front end to the ULTRIX miscd service. The front end logs the remote host X * name and then invokes the real miscd daemon. Install as "/usr/etc/miscd", X * after moving the real miscd daemon to the "/usr/etc/..." directory. X * Connections and diagnostics are logged through syslog(3). X * X * The Ultrix miscd program implements (among others) the systat service, which X * pipes the output from who(1) to stdout. This information is potentially X * useful to systems crackers. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) miscd.c 1.4 93/03/07 22:47:28"; X#endif X X/* System libraries. */ X X#include <sys/types.h> X#include <sys/param.h> X#include <sys/stat.h> X#include <stdio.h> X#include <syslog.h> X X/* Local stuff. */ X X#include "patchlevel.h" X#include "log_tcp.h" X X/* The following specifies where the vendor-provided daemon should go. */ X X#ifndef REAL_MISCD X#define REAL_MISCD "/usr/etc/.../miscd" X#endif X Xint log_severity = SEVERITY; /* run-time adjustable */ X Xmain(argc, argv) Xint argc; Xchar **argv; X{ X struct from_host from; X int from_stat; X X /* Attempt to prevent the creation of world-writable files. */ X X#ifdef DAEMON_UMASK X umask(DAEMON_UMASK); X#endif X X /* X * Open a channel to the syslog daemon. Older versions of openlog() X * require only two arguments. X */ X X#ifdef LOG_MAIL X (void) openlog(argv[0], LOG_PID, FACILITY); X#else X (void) openlog(argv[0], LOG_PID); X#endif X X /* X * Find out and verify the remote host name. Sites concerned with X * security may choose to refuse connections from hosts that pretend to X * have someone elses host name. X */ X X from_stat = fromhost(&from); X#ifdef PARANOID X if (from_stat == -1) X refuse(&from); X#endif X X /* X * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow X * socket options at the IP level. They do so for a good reason. Let's X * follow their example. X */ X X#ifdef KILL_IP_OPTIONS X fix_options(&from); X#endif X X /* X * Check whether this host can access the service in argv[0]. The X * access-control code invokes optional shell commands as specified in X * the access-control tables. X */ X X#ifdef HOSTS_ACCESS X if (!hosts_access(argv[0], &from)) X refuse(&from); X#endif X X /* Report remote client and invoke the real daemon program. */ X X syslog(log_severity, "connect from %s", hosts_info(&from)); X (void) execv(REAL_MISCD, argv); X syslog(LOG_ERR, "%s: %m", REAL_MISCD); X clean_exit(&from); X /* NOTREACHED */ X} END_OF_miscd.c if test 2602 -ne `wc -c <miscd.c`; then echo shar: \"miscd.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f patchlevel.h -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"patchlevel.h\" else echo shar: Extracting \"patchlevel.h\" $70 characters$ sed "s/^X//" >patchlevel.h <<'END_OF_patchlevel.h' X#ifndef lint Xstatic char patchlevel[] = "@(#) patchlevel 5.0"; X#endif END_OF_patchlevel.h if test 70 -ne `wc -c <patchlevel.h`; then echo shar: \"patchlevel.h\" unpacked with wrong size! fi # end of overwriting check fi if test -f refuse.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"refuse.c\" else echo shar: Extracting \"refuse.c\" $737 characters$ sed "s/^X//" >refuse.c <<'END_OF_refuse.c' X /* X * refuse() reports a refused connection, and takes the consequences: in X * case of a datagram-oriented service, the unread datagram is taken from X * the input queue (or inetd would see the same datagram again and again); X * the program is terminated. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) refuse.c 1.2 92/06/11 22:21:34"; X#endif X X/* System libraries. */ X X#include <syslog.h> X X/* Local stuff. */ X X#include "log_tcp.h" X X/* refuse - refuse request from bad host */ X Xvoid refuse(client) Xstruct from_host *client; X{ X syslog(LOG_WARNING, "refused connect from %s", hosts_info(client)); X clean_exit(client); X /* NOTREACHED */ X} END_OF_refuse.c if test 737 -ne `wc -c <refuse.c`; then echo shar: \"refuse.c\" unpacked with wrong size! fi # end of overwriting check fi if test -f setenv.c -a "${1}" != "-c" ; then echo shar: Will not over-write existing file \"setenv.c\" else echo shar: Extracting \"setenv.c\" $931 characters$ sed "s/^X//" >setenv.c <<'END_OF_setenv.c' X /* X * Some systems do not have setenv(). This one is modeled after 4.4 BSD, but X * is implemented in terms of portable primitives only: getenv(), putenv() X * and malloc(). It should therefore be safe to use on every UNIX system. X * X * If clobber == 0, do not overwrite an existing variable. X * X * Returns nonzero if memory allocation fails. X * X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. X */ X X#ifndef lint Xstatic char sccsid[] = "@(#) setenv.c 1.1 93/03/07 22:47:58"; X#endif X X/* setenv - update or insert environment (name,value) pair */ X Xint setenv(name, value, clobber) Xchar *name; Xchar *value; Xint clobber; X{ X char *malloc(); X char *getenv(); X char *cp; X X if (clobber == 0 && getenv(name) != 0) X return (0); X if ((cp = malloc(strlen(name) + strlen(value) + 2)) == 0) X return (1); X sprintf(cp, "%s=%s", name, value); X return (putenv(cp)); X} END_OF_setenv.c if test 931 -ne `wc -c <setenv.c`; then echo shar: \"setenv.c\" unpacked with wrong size! fi # end of overwriting check fi echo shar: End of archive 1 $of 3$. cp /dev/null ark1isdone MISSING="" for I in 1 2 3 ; do if test ! -f ark${I}isdone ; then MISSING="${MISSING} ${I}" fi done if test "${MISSING}" = "" ; then echo You have unpacked all 3 archives. rm -f ark[1-9]isdone else echo You still need to unpack the following archives: echo " " ${MISSING} fi ## End of shell archive. exit 0 exit 0 # Just in case...