1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
####################################
### Beginning of configurable stuff.
# By default, logfile entries are written to the same file as used for
# sendmail transaction logs. Change the definition of the following macro
# if you disagree. See `man 3 syslog' for examples. Some syslog versions
# do not provide this flexibility.
FACILITY=LOG_DAEMON
# To disable tcp-wrapper style access control, comment out the following
# macro definitions. Access control can also be turned off by providing
# no access control tables. The local system, since it runs the portmap
# daemon, is always treated as an authorized host.
# By default, access control does not do hostname lookup as there is a risk
# that will require portmap access, hence deadlock. If you are sure the
# target system will never user NIS for hostname lookup, you can define
# USE_DNS to add hostname tests in hosts.allow/deny.
ifeq ($(NO_TCP_WRAPPER),)
CPPFLAGS += -DHOSTS_ACCESS
WRAP_LIB = -lwrap
ifdef USE_DNS
CPPFLAGS += -DENABLE_DNS
MAN_SED += -e 's/USE_DNS/yes/'
endif
endif
# Comment out if your RPC library does not allocate privileged ports for
# requests from processes with root privilege, or the new portmap will
# always reject requests to register/unregister services on privileged
# ports. You can find out by running "rpcinfo -p"; if all mountd and NIS
# daemons use a port >= 1024 you should probably disable the next line.
CPPFLAGS += -DCHECK_PORT
# The portmap daemon runs a uid=1/gid=1 by default. You can change that
# be defining DAEMON_UID and DAMEON_GID to numbers, or RPCUSER to a
# name, though you must be sure that name lookup will not require use
# of portmap.
ifdef RPCUSER
CPPFLAGS += -DRPCUSER=\"$(RPCUSER)\"
MAN_SED += -e 's/RPCUSER/$(RPCUSER)/'
else
MAN_SED += -e 's/RPCUSER//'
endif
ifdef DAEMON_UID
CPPFLAGS += -DDAEMON_UID=$(DAEMON_UID) -DDAEMON_GID=$(DAEMON_GID)
MAN_SED += -e 's/DAEMON_UID/$(DAEMON_UID)/' -e 's/DAEMON_GID/$(DAEMON_GID)/'
else
MAN_SED += -e 's/DAEMON_UID/1/' -e 's/DAEMON_GID/1/'
endif
# Warning: troublesome feature ahead!! Enable only when you are really
# desperate!!
#
# It is possible to prevent an attacker from manipulating your portmapper
# tables from outside with requests that contain spoofed source addresses.
# The countermeasure is to force all rpc servers to register and
# unregister with the portmapper via the loopback network interface,
# instead of via the primary network interface that every host can talk
# to. For this countermeasure to work it is necessary to uncomment the
# LOOPBACK definition below, and to take the following additional steps:
#
# (1) Modify the libc library (or librpc if you have one) and replace
# get_myaddress() by a version that selects the loopback address instead
# of the primary network interface address. A suitable version is
# provided in the file get_myaddress.c. This forces rpc servers to send
# all set/unset requests to the loopback address.
#
# (2) Rebuild all statically-linked rpc servers with the modified
# library.
#
# (3) Disable IP source routing in the kernel (otherwise an outside
# attacker can still send requests that appear to come from the local
# machine).
#
# Instead of (1) it may be sufficient to run the rpc servers with a
# preload shared object that implements the alternate get_myaddress()
# behavior (see Makefile.shlib). You still need to disable IP source
# routing, though.
#
# I warned you, you need to be really desperate to do this. It is
# probably much easier to just block port UDP and TCP ports 111 on
# your routers.
#
# CPPFLAGS += -DLOOPBACK_SETUNSET
# When the portmapper cannot find any local interfaces (it will complain
# to the syslog daemon) your system probably has variable-length socket
# address structures (struct sockaddr has a sa_len component; examples:
# AIX 4.1 and 4.4BSD). Uncomment next macro definition in that case.
#
# CPPFLAGS += -DHAS_SA_LEN # AIX 4.x, BSD 4.4, FreeBSD, NetBSD
# With verbose logging on, HP-UX 9.x and AIX 4.1 leave zombies behind when
# SIGCHLD is not ignored. Enable next macro for a fix.
#
CPPFLAGS += -DIGNORE_SIGCHLD # AIX 4.x, HP-UX 9.x
# Uncomment the following macro if your system does not have u_long.
#
# CPPFLAGS +=-Du_long="unsigned long"
#
# LDLIBS += -m
# CFLAGS += -arch m68k -arch i386 -arch hppa
# Auxiliary libraries that you may have to specify
#
# LDLIBS += -lrpc
# Comment out if your compiler talks ANSI and understands const
#
# CPPFLAGS += -Dconst=
### End of configurable stuff.
##############################
CPPFLAGS += -DFACILITY=$(FACILITY)
CFLAGS ?= -O2
CFLAGS += -Wall -Wstrict-prototypes
all: portmap pmap_dump pmap_set portmap.man
CPPFLAGS += $(HOSTS_ACCESS)
portmap: CFLAGS += -fpie
portmap: LDLIBS += $(WRAP_LIB)
portmap: LDFLAGS += -pie
portmap: portmap.o pmap_check.o from_local.o
from_local: CPPFLAGS += -DTEST
portmap.man : portmap.8
sed $(MAN_SED) < portmap.8 > portmap.man
install: all
install -o root -g root -m 0755 -s portmap ${BASEDIR}/sbin
install -o root -g root -m 0755 -s pmap_dump ${BASEDIR}/sbin
install -o root -g root -m 0755 -s pmap_set ${BASEDIR}/sbin
install -o root -g root -m 0644 portmap.man ${BASEDIR}/usr/share/man/man8/portmap.8
install -o root -g root -m 0644 pmap_dump.8 ${BASEDIR}/usr/share/man/man8
install -o root -g root -m 0644 pmap_set.8 ${BASEDIR}/usr/share/man/man8
clean:
rm -f *.o portmap pmap_dump pmap_set from_local \
core portmap.man
-include .depend
.depend: *.c
$(CC) -MM $(CFLAGS) *.c > .depend
.PHONY: all clean install
|
