karasz
/
package-update
1
0
Fork 0
Code Issues Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9445 Commits
46 Branches
0 Tags
0 B
 
 
 
 
 
 
Tree: a3676d769f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a3676d769f'
${ noResults }
package-update/network/tcp_wrappers/0007-tcp_wrappers-7.6-tcpd-...

167 lines
6.1 KiB
Raw Blame History

# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../tcp_wrappers/0007-tcp_wrappers-7.6-tcpd-blacklist.patch
# Copyright (C) 2011 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
Path: news.porcupine.org!news.porcupine.org!not-for-mail
From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
Newsgroups: comp.mail.sendmail,comp.security.unix
Subject: TCP Wrapper Blacklist Extension
Followup-To: poster
Date: 8 Sep 1997 18:53:13 -0400
Organization: Wietse's hangout while on sabattical in the USA
Lines: 147
Sender: [email protected]
Message-ID: <[email protected]>
NNTP-Posting-Host: spike.porcupine.org
Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158
The patch below adds a new host pattern to the TCP Wrapper access
control language. Instead of a host name or address pattern, you
can specify an external /file/name with host name or address
patterns. The feature can be used recursively.
The /file/name extension makes it easy to blacklist bad sites, for
example, to block unwanted electronic mail when libwrap is linked
into sendmail. Adding hosts to a simple text file is much easier
than having to edit a more complex hosts.allow/deny file.
I developed this a year or so ago as a substitute for NIS netgroups.
At that time, I did not consider it of sufficient interest for
inclusion in the TCP Wrapper distribution. How times have changed.
The patch is relative to TCP Wrappers version 7.6. The main archive
site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz
Thanks to the Debian LINUX folks for expressing their interest in
this patch.
Wietse
[diff updated by Md]
diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200
@@ -97,6 +97,13 @@
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
+.IP \(bu
Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
method of matching cannot be used in conjunction with `net/mask\' matching,
hostname matching beginning with `.\' or IP address matching ending with `.\'.
diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200
@@ -253,6 +253,26 @@
}
}
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char *path;
+struct hosts_info *host;
+{
+ char tok[BUFSIZ];
+ int match = NO;
+ FILE *fp;
+
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ /* void */ ;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
+ }
+ return (match);
+}
+
/* host_match - match host name and/or address against pattern */
static int host_match(tok, host)
@@ -280,6 +300,8 @@
tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
return (NO);
#endif
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
} else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
char *name = eval_hostname(host);
return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
--- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200
@@ -353,6 +353,8 @@
{
if (pat[0] == '@') {
tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: daemon name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: daemon name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -385,6 +387,8 @@
{
if (pat[0] == '@') { /* @netgroup */
tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: user name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: user name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
@@ -430,8 +434,13 @@
static int check_host(pat)
char *pat;
{
+ char buf[BUFSIZ];
char *mask;
int addr_count = 1;
+ FILE *fp;
+ struct tcpd_context saved_context;
+ char *cp;
+ char *wsp = " \t\r\n";
if (pat[0] == '@') { /* @netgroup */
#ifdef NO_NETGRENT
@@ -450,6 +459,21 @@
tcpd_warn("netgroup support disabled");
#endif
#endif
+ } else if (pat[0] == '/') { /* /path/name */
+ if ((fp = fopen(pat, "r")) != 0) {
+ saved_context = tcpd_context;
+ tcpd_context.file = pat;
+ tcpd_context.line = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ tcpd_context.line++;
+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+ check_host(cp);
+ }
+ tcpd_context = saved_context;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", pat);
+ }
} else if (mask = split_at(pat, '/')) { /* network/netmask */
#ifdef INET6
int mask_len;