nfs-utils/nfs-utils-1.1.4-tcpwrap-cleanup.patch

Author: Steve Dickson <steved@redhat.com>
Date:   Sat Jan 31 06:17:18 2009 -0500

    General clean up. Removed unused routines. Reworked syslog
    message to (hopefully) make it more sensible. Move
    "#ifdef HAVE_LIBWRAP" around so nothing will be defined
    when tcp wrapper is not configured.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff -up nfs-utils-1.1.4/support/misc/tcpwrapper.c.orig nfs-utils-1.1.4/support/misc/tcpwrapper.c
--- nfs-utils-1.1.4/support/misc/tcpwrapper.c.orig	2009-01-31 06:27:54.000000000 -0500
+++ nfs-utils-1.1.4/support/misc/tcpwrapper.c	2009-01-31 06:31:32.000000000 -0500
@@ -34,6 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#ifdef HAVE_LIBWRAP
 #include <tcpwrapper.h>
 #include <unistd.h>
 #include <string.h>
@@ -57,40 +58,10 @@
 
 static void logit(int severity, struct sockaddr_in *addr,
 		  u_long procnum, u_long prognum, char *text);
-static void toggle_verboselog(int sig);
-int     verboselog = 0;
-int     allow_severity = LOG_INFO;
-int     deny_severity = LOG_WARNING;
-
-/* A handful of macros for "readability". */
-
-#ifdef HAVE_LIBWRAP
-/* coming from libwrap.a (tcp_wrappers) */
-extern int hosts_ctl(char *daemon, char *name, char *addr, char *user);
-#else
-int hosts_ctl(char *daemon, char *name, char *addr, char *user)
-{
-	return 0;
-}
-#endif
-
-#define	legal_port(a,p) \
-  (ntohs((a)->sin_port) < IPPORT_RESERVED || (p) >= IPPORT_RESERVED)
-
-#define log_bad_port(addr, proc, prog) \
-  logit(deny_severity, addr, proc, prog, ": request from unprivileged port")
+static int check_files(void);
 
 #define log_bad_host(addr, proc, prog) \
-  logit(deny_severity, addr, proc, prog, ": request from unauthorized host")
-
-#define log_bad_owner(addr, proc, prog) \
-  logit(deny_severity, addr, proc, prog, ": request from non-local host")
-
-#define	log_no_forward(addr, proc, prog) \
-  logit(deny_severity, addr, proc, prog, ": request not forwarded")
-
-#define log_client(addr, proc, prog) \
-  logit(allow_severity, addr, proc, prog, "")
+  logit(LOG_WARNING, addr, proc, prog, "request from unauthorized host")
 
 #define ALLOW 1
 #define DENY 0
@@ -180,46 +151,9 @@ struct sockaddr_in *addr;
 	return DENY;
 }
 
-/* check_startup - additional startup code */
-
-void    check_startup(void)
-{
-
-    /*
-     * Give up root privileges so that we can never allocate a privileged
-     * port when forwarding an rpc request.
-     *
-     * Fix 8/3/00 Philipp Knirsch: First lookup our rpc user. If we find it,
-     * switch to that uid, otherwise simply resue the old bin user and print
-     * out a warning in syslog.
-     */
-
-    struct passwd *pwent;
-
-    pwent = getpwnam("rpc");
-    if (pwent == NULL) {
-        syslog(LOG_WARNING, "user rpc not found, reverting to user bin");
-        if (setuid(1) == -1) {
-            syslog(LOG_ERR, "setuid(1) failed: %m");
-            exit(1);
-        }
-    }
-    else {
-        if (setuid(pwent->pw_uid) == -1) {
-            syslog(LOG_WARNING, "setuid() to rpc user failed: %m");
-            if (setuid(1) == -1) {
-                syslog(LOG_ERR, "setuid(1) failed: %m");
-                exit(1);
-            }
-        }
-    }
-
-    (void) signal(SIGINT, toggle_verboselog);
-}
-
 /* check_files - check to see if either access files have changed */
 
-int check_files()
+static int check_files()
 {
 	static time_t allow_mtime, deny_mtime;
 	struct stat astat, dstat;
@@ -268,78 +202,21 @@ u_long  prog;
 			haccess_add(addr, prog, FALSE);
 		return (FALSE);
 	}
-	if (verboselog)
-		log_client(addr, proc, prog);
 
 	if (acc)
 		acc->access = TRUE;
 	else 
 		haccess_add(addr, prog, TRUE);
-    return (TRUE);
-}
 
-/* check_privileged_port - additional checks for privileged-port updates */
-int
-check_privileged_port(struct sockaddr_in *addr,	
-		      u_long proc, u_long prog, u_long port)
-{
-#ifdef CHECK_PORT
-    if (!legal_port(addr, port)) {
-	log_bad_port(addr, proc, prog);
-	return (FALSE);
-    }
-#endif
     return (TRUE);
 }
 
-/* toggle_verboselog - toggle verbose logging flag */
-
-static void toggle_verboselog(int sig)
-{
-    (void) signal(sig, toggle_verboselog);
-    verboselog = !verboselog;
-}
-
 /* logit - report events of interest via the syslog daemon */
 
 static void logit(int severity, struct sockaddr_in *addr,
 		  u_long procnum, u_long prognum, char *text)
 {
-    char   *procname;
-    char    procbuf[16 + 4 * sizeof(u_long)];
-    char   *progname;
-    char    progbuf[16 + 4 * sizeof(u_long)];
-    struct rpcent *rpc;
-
-    /*
-     * Fork off a process or the portmap daemon might hang while
-     * getrpcbynumber() or syslog() does its thing.
-     *
-     * Don't forget to wait for the children, too...
-     */
-
-    if (fork() == 0) {
-
-	/* Try to map program number to name. */
-
-	if (prognum == 0) {
-	    progname = "";
-	} else if ((rpc = getrpcbynumber((int) prognum))) {
-	    progname = rpc->r_name;
-	} else {
-	    snprintf(progname = progbuf, sizeof (progbuf),
-		     "prog (%lu)", prognum);
-	}
-
-	/* Try to map procedure number to name. */
-
-	snprintf(procname = procbuf, sizeof (procbuf),
-		 "proc (%lu)", (u_long) procnum);
-
-	/* Write syslog record. */
-
-	syslog(severity, "connect from %s to %s in %s%s",
-	       inet_ntoa(addr->sin_addr), procname, progname, text);
-	exit(0);
-    }
+	syslog(severity, "connect from %s denied: %s",
+	       inet_ntoa(addr->sin_addr), text);
 }
+#endif
- Reworked tcp wrapper code to correctly use API (bz 480223) - General clean up of tcp wrapper code. 2009-01-31 11:42:01 +00:00			`Author: Steve Dickson <steved@redhat.com>`
			`Date: Sat Jan 31 06:17:18 2009 -0500`

			`General clean up. Removed unused routines. Reworked syslog`
			`message to (hopefully) make it more sensible. Move`
			`"#ifdef HAVE_LIBWRAP" around so nothing will be defined`
			`when tcp wrapper is not configured.`

			`Signed-off-by: Steve Dickson <steved@redhat.com>`

			`diff -up nfs-utils-1.1.4/support/misc/tcpwrapper.c.orig nfs-utils-1.1.4/support/misc/tcpwrapper.c`
			`--- nfs-utils-1.1.4/support/misc/tcpwrapper.c.orig 2009-01-31 06:27:54.000000000 -0500`
			`+++ nfs-utils-1.1.4/support/misc/tcpwrapper.c 2009-01-31 06:31:32.000000000 -0500`
			`@@ -34,6 +34,7 @@`
			`#ifdef HAVE_CONFIG_H`
			`#include <config.h>`
			`#endif`
			`+#ifdef HAVE_LIBWRAP`
			`#include <tcpwrapper.h>`
			`#include <unistd.h>`
			`#include <string.h>`
			`@@ -57,40 +58,10 @@`

			`static void logit(int severity, struct sockaddr_in *addr,`
			`u_long procnum, u_long prognum, char *text);`
			`-static void toggle_verboselog(int sig);`
			`-int verboselog = 0;`
			`-int allow_severity = LOG_INFO;`
			`-int deny_severity = LOG_WARNING;`
			`-`
			`-/* A handful of macros for "readability". */`
			`-`
			`-#ifdef HAVE_LIBWRAP`
			`-/* coming from libwrap.a (tcp_wrappers) */`
			`-extern int hosts_ctl(char daemon, char name, char addr, char user);`
			`-#else`
			`-int hosts_ctl(char daemon, char name, char addr, char user)`
			`-{`
			`- return 0;`
			`-}`
			`-#endif`
			`-`
			`-#define legal_port(a,p) \`
			`- (ntohs((a)->sin_port) < IPPORT_RESERVED \|\| (p) >= IPPORT_RESERVED)`
			`-`
			`-#define log_bad_port(addr, proc, prog) \`
			`- logit(deny_severity, addr, proc, prog, ": request from unprivileged port")`
			`+static int check_files(void);`

			`#define log_bad_host(addr, proc, prog) \`
			`- logit(deny_severity, addr, proc, prog, ": request from unauthorized host")`
			`-`
			`-#define log_bad_owner(addr, proc, prog) \`
			`- logit(deny_severity, addr, proc, prog, ": request from non-local host")`
			`-`
			`-#define log_no_forward(addr, proc, prog) \`
			`- logit(deny_severity, addr, proc, prog, ": request not forwarded")`
			`-`
			`-#define log_client(addr, proc, prog) \`
			`- logit(allow_severity, addr, proc, prog, "")`
			`+ logit(LOG_WARNING, addr, proc, prog, "request from unauthorized host")`

			`#define ALLOW 1`
			`#define DENY 0`
			`@@ -180,46 +151,9 @@ struct sockaddr_in *addr;`
			`return DENY;`
			`}`

			`-/* check_startup - additional startup code */`
			`-`
			`-void check_startup(void)`
			`-{`
			`-`
			`- /*`
			`- * Give up root privileges so that we can never allocate a privileged`
			`- * port when forwarding an rpc request.`
			`- *`
			`- * Fix 8/3/00 Philipp Knirsch: First lookup our rpc user. If we find it,`
			`- * switch to that uid, otherwise simply resue the old bin user and print`
			`- * out a warning in syslog.`
			`- */`
			`-`
			`- struct passwd *pwent;`
			`-`
			`- pwent = getpwnam("rpc");`
			`- if (pwent == NULL) {`
			`- syslog(LOG_WARNING, "user rpc not found, reverting to user bin");`
			`- if (setuid(1) == -1) {`
			`- syslog(LOG_ERR, "setuid(1) failed: %m");`
			`- exit(1);`
			`- }`
			`- }`
			`- else {`
			`- if (setuid(pwent->pw_uid) == -1) {`
			`- syslog(LOG_WARNING, "setuid() to rpc user failed: %m");`
			`- if (setuid(1) == -1) {`
			`- syslog(LOG_ERR, "setuid(1) failed: %m");`
			`- exit(1);`
			`- }`
			`- }`
			`- }`
			`-`
			`- (void) signal(SIGINT, toggle_verboselog);`
			`-}`
			`-`
			`/* check_files - check to see if either access files have changed */`

			`-int check_files()`
			`+static int check_files()`
			`{`
			`static time_t allow_mtime, deny_mtime;`
			`struct stat astat, dstat;`
			`@@ -268,78 +202,21 @@ u_long prog;`
			`haccess_add(addr, prog, FALSE);`
			`return (FALSE);`
			`}`
			`- if (verboselog)`
			`- log_client(addr, proc, prog);`

			`if (acc)`
			`acc->access = TRUE;`
			`else`
			`haccess_add(addr, prog, TRUE);`
			`- return (TRUE);`
			`-}`

			`-/* check_privileged_port - additional checks for privileged-port updates */`
			`-int`
			`-check_privileged_port(struct sockaddr_in *addr,`
			`- u_long proc, u_long prog, u_long port)`
			`-{`
			`-#ifdef CHECK_PORT`
			`- if (!legal_port(addr, port)) {`
			`- log_bad_port(addr, proc, prog);`
			`- return (FALSE);`
			`- }`
			`-#endif`
			`return (TRUE);`
			`}`

			`-/* toggle_verboselog - toggle verbose logging flag */`
			`-`
			`-static void toggle_verboselog(int sig)`
			`-{`
			`- (void) signal(sig, toggle_verboselog);`
			`- verboselog = !verboselog;`
			`-}`
			`-`
			`/* logit - report events of interest via the syslog daemon */`

			`static void logit(int severity, struct sockaddr_in *addr,`
			`u_long procnum, u_long prognum, char *text)`
			`{`
			`- char *procname;`
			`- char procbuf[16 + 4 * sizeof(u_long)];`
			`- char *progname;`
			`- char progbuf[16 + 4 * sizeof(u_long)];`
			`- struct rpcent *rpc;`
			`-`
			`- /*`
			`- * Fork off a process or the portmap daemon might hang while`
			`- * getrpcbynumber() or syslog() does its thing.`
			`- *`
			`- * Don't forget to wait for the children, too...`
			`- */`
			`-`
			`- if (fork() == 0) {`
			`-`
			`- /* Try to map program number to name. */`
			`-`
			`- if (prognum == 0) {`
			`- progname = "";`
			`- } else if ((rpc = getrpcbynumber((int) prognum))) {`
			`- progname = rpc->r_name;`
			`- } else {`
			`- snprintf(progname = progbuf, sizeof (progbuf),`
			`- "prog (%lu)", prognum);`
			`- }`
			`-`
			`- /* Try to map procedure number to name. */`
			`-`
			`- snprintf(procname = procbuf, sizeof (procbuf),`
			`- "proc (%lu)", (u_long) procnum);`
			`-`
			`- /* Write syslog record. */`
			`-`
			`- syslog(severity, "connect from %s to %s in %s%s",`
			`- inet_ntoa(addr->sin_addr), procname, progname, text);`
			`- exit(0);`
			`- }`
			`+ syslog(severity, "connect from %s denied: %s",`
			`+ inet_ntoa(addr->sin_addr), text);`
			`}`
			`+#endif`