1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
/*
* @(#) tcpd.h 1.5 96/03/19 16:22:24
*
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
#ifndef _TCPWRAPPERS_TCPD_H
#define _TCPWRAPPERS_TCPD_H
/* Need definitions of struct sockaddr_in and FILE. */
#include <netinet/in.h>
#include <stdio.h>
#ifndef __BEGIN_DECLS
#ifdef __cplusplus
#define __BEGIN_DECLS extern "C" {
#define __END_DECLS }
#else
#define __BEGIN_DECLS
#define __END_DECLS
#endif
#endif
__BEGIN_DECLS
/* Structure to describe one communications endpoint. */
#define STRING_LENGTH 128 /* hosts, users, processes */
struct host_info {
char name[STRING_LENGTH]; /* access via eval_hostname(host) */
char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */
#ifdef INET6
struct sockaddr *sin; /* socket address or 0 */
#else
struct sockaddr_in *sin; /* socket address or 0 */
#endif
struct t_unitdata *unit; /* TLI transport address or 0 */
struct request_info *request; /* for shared information */
};
/* Structure to describe what we know about a service request. */
struct request_info {
int fd; /* socket handle */
char user[STRING_LENGTH]; /* access via eval_user(request) */
char daemon[STRING_LENGTH]; /* access via eval_daemon(request) */
char pid[10]; /* access via eval_pid(request) */
struct host_info client[1]; /* client endpoint info */
struct host_info server[1]; /* server endpoint info */
void (*sink) (int); /* datagram sink function or 0 */
void (*hostname) (struct host_info *); /* address to printable hostname */
void (*hostaddr) (struct host_info *); /* address to printable address */
void (*cleanup) (struct request_info *); /* cleanup function or 0 */
struct netconfig *config; /* netdir handle */
};
/* Common string operations. Less clutter should be more readable. */
#define STRN_CPY(d,s,l) { strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
#define STRN_EQ(x,y,l) (strncasecmp((x),(y),(l)) == 0)
#define STRN_NE(x,y,l) (strncasecmp((x),(y),(l)) != 0)
#define STR_EQ(x,y) (strcasecmp((x),(y)) == 0)
#define STR_NE(x,y) (strcasecmp((x),(y)) != 0)
/*
* Initially, all above strings have the empty value. Information that
* cannot be determined at runtime is set to "unknown", so that we can
* distinguish between `unavailable' and `not yet looked up'. A hostname
* that we do not believe in is set to "paranoid".
*/
#define STRING_UNKNOWN "unknown" /* lookup failed */
#define STRING_PARANOID "paranoid" /* hostname conflict */
extern char unknown[];
extern char paranoid[];
#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
/* Global functions. */
#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
extern void fromhost(); /* get/validate client host info */
#else
#define fromhost sock_host /* no TLI support needed */
#endif
extern int hosts_access(struct request_info *request); /* access control */
extern void shell_cmd(char *); /* execute shell command */
extern char *percent_x(char *, int, char *, struct request_info *);
/* do %<char> expansion */
#ifdef INET6
extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
#else
extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *);
#endif
/* client name from RFC 931 daemon */
extern void clean_exit(struct request_info *); /* clean up and exit */
extern void refuse(struct request_info *); /* clean up and exit */
extern char *xgets(char *, int, FILE *); /* fgets() on steroids */
extern char *split_at(char *, int); /* strchr() and split */
extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */
/* Global variables. */
#ifdef HAVE_WEAKSYMS
extern int allow_severity __attribute__ ((weak)); /* for connection logging */
extern int deny_severity __attribute__ ((weak)); /* for connection logging */
#else
extern int allow_severity; /* for connection logging */
extern int deny_severity; /* for connection logging */
#endif
extern char *hosts_allow_table; /* for verification mode redirection */
extern char *hosts_deny_table; /* for verification mode redirection */
extern int hosts_access_verbose; /* for verbose matching mode */
extern int rfc931_timeout; /* user lookup timeout */
extern int resident; /* > 0 if resident process */
/*
* Routines for controlled initialization and update of request structure
* attributes. Each attribute has its own key.
*/
#ifdef __STDC__
extern struct request_info *request_init(struct request_info *,...);
extern struct request_info *request_set(struct request_info *,...);
extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
char *client_user);
#else
extern struct request_info *request_init(); /* initialize request */
extern struct request_info *request_set(); /* update request structure */
#endif
#define RQ_FILE 1 /* file descriptor */
#define RQ_DAEMON 2 /* server process (argv[0]) */
#define RQ_USER 3 /* client user name */
#define RQ_CLIENT_NAME 4 /* client host name */
#define RQ_CLIENT_ADDR 5 /* client host address */
#define RQ_CLIENT_SIN 6 /* client endpoint (internal) */
#define RQ_SERVER_NAME 7 /* server host name */
#define RQ_SERVER_ADDR 8 /* server host address */
#define RQ_SERVER_SIN 9 /* server endpoint (internal) */
/*
* Routines for delayed evaluation of request attributes. Each attribute
* type has its own access method. The trivial ones are implemented by
* macros. The other ones are wrappers around the transport-specific host
* name, address, and client user lookup methods. The request_info and
* host_info structures serve as caches for the lookup results.
*/
extern char *eval_user(struct request_info *); /* client user */
extern char *eval_hostname(struct host_info *); /* printable hostname */
extern char *eval_hostaddr(struct host_info *); /* printable host address */
extern char *eval_hostinfo(struct host_info *); /* host name or address */
extern char *eval_client(struct request_info *);/* whatever is available */
extern char *eval_server(struct request_info *);/* whatever is available */
#ifdef INET6
extern char *eval_port(struct sockaddr *);
#else
extern char *eval_port(struct sockaddr_in *);
#endif
#define eval_daemon(r) ((r)->daemon) /* daemon process name */
#define eval_pid(r) ((r)->pid) /* process id */
/* Socket-specific methods, including DNS hostname lookups. */
/* look up endpoint addresses */
extern void sock_host(struct request_info *);
/* translate address to hostname */
extern void sock_hostname(struct host_info *);
/* address to printable address */
extern void sock_hostaddr(struct host_info *);
#define sock_methods(r) \
{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
/* The System V Transport-Level Interface (TLI) interface. */
#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
extern void tli_host(); /* look up endpoint addresses etc. */
#endif
/*
* Problem reporting interface. Additional file/line context is reported
* when available. The jump buffer (tcpd_buf) is not declared here, or
* everyone would have to include <setjmp.h>.
*/
#ifdef __STDC__
extern void tcpd_warn(char *, ...); /* report problem and proceed */
extern void tcpd_jump(char *, ...); /* report problem and jump */
#else
extern void tcpd_warn();
extern void tcpd_jump();
#endif
struct tcpd_context {
char *file; /* current file */
int line; /* current line */
};
extern struct tcpd_context tcpd_context;
/*
* While processing access control rules, error conditions are handled by
* jumping back into the hosts_access() routine. This is cleaner than
* checking the return value of each and every silly little function. The
* (-1) returns are here because zero is already taken by longjmp().
*/
#define AC_PERMIT 1 /* permit access */
#define AC_DENY (-1) /* deny_access */
#define AC_ERROR AC_DENY /* XXX */
/*
* In verification mode an option function should just say what it would do,
* instead of really doing it. An option function that would not return
* should clear the dry_run flag to inform the caller of this unusual
* behavior.
*/
extern void process_options(char *, struct request_info *);/* execute options */
extern int dry_run; /* verification flag */
/* Bug workarounds. */
#ifdef INET_ADDR_BUG /* inet_addr() returns struct */
#define inet_addr fix_inet_addr
extern long fix_inet_addr();
#endif
#ifdef BROKEN_FGETS /* partial reads from sockets */
#define fgets fix_fgets
extern char *fix_fgets();
#endif
#ifdef RECVFROM_BUG /* no address family info */
#define recvfrom fix_recvfrom
extern int fix_recvfrom();
#endif
#ifdef GETPEERNAME_BUG /* claims success with UDP */
#define getpeername fix_getpeername
extern int fix_getpeername();
#endif
#ifdef SOLARIS_24_GETHOSTBYNAME_BUG /* lists addresses as aliases */
#define gethostbyname fix_gethostbyname
extern struct hostent *fix_gethostbyname();
#endif
#ifdef USE_STRSEP /* libc calls strtok() */
#define strtok fix_strtok
extern char *fix_strtok();
#endif
#ifdef LIBC_CALLS_STRTOK /* libc calls strtok() */
#define strtok my_strtok
extern char *my_strtok();
#endif
__END_DECLS
#endif
|
