diff options
Diffstat (limited to 'meta/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch')
-rw-r--r-- | meta/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/meta/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch b/meta/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch new file mode 100644 index 0000000000..0238e35208 --- /dev/null +++ b/meta/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch | |||
@@ -0,0 +1,151 @@ | |||
1 | Path: news.porcupine.org!news.porcupine.org!not-for-mail | ||
2 | From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl> | ||
3 | Newsgroups: comp.mail.sendmail,comp.security.unix | ||
4 | Subject: TCP Wrapper Blacklist Extension | ||
5 | Followup-To: poster | ||
6 | Date: 8 Sep 1997 18:53:13 -0400 | ||
7 | Organization: Wietse's hangout while on sabattical in the USA | ||
8 | Lines: 147 | ||
9 | Sender: wietse@spike.porcupine.org | ||
10 | Message-ID: <5v1vkp$h4f$1@spike.porcupine.org> | ||
11 | NNTP-Posting-Host: spike.porcupine.org | ||
12 | Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158 | ||
13 | |||
14 | The patch below adds a new host pattern to the TCP Wrapper access | ||
15 | control language. Instead of a host name or address pattern, you | ||
16 | can specify an external /file/name with host name or address | ||
17 | patterns. The feature can be used recursively. | ||
18 | |||
19 | The /file/name extension makes it easy to blacklist bad sites, for | ||
20 | example, to block unwanted electronic mail when libwrap is linked | ||
21 | into sendmail. Adding hosts to a simple text file is much easier | ||
22 | than having to edit a more complex hosts.allow/deny file. | ||
23 | |||
24 | I developed this a year or so ago as a substitute for NIS netgroups. | ||
25 | At that time, I did not consider it of sufficient interest for | ||
26 | inclusion in the TCP Wrapper distribution. How times have changed. | ||
27 | |||
28 | The patch is relative to TCP Wrappers version 7.6. The main archive | ||
29 | site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz | ||
30 | |||
31 | Thanks to the Debian LINUX folks for expressing their interest in | ||
32 | this patch. | ||
33 | |||
34 | Wietse | ||
35 | |||
36 | |||
37 | [diff updated by Md] | ||
38 | |||
39 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
40 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200 | ||
41 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200 | ||
42 | @@ -97,6 +97,13 @@ | ||
43 | `[3ffe:505:2:1::]/64\' matches every address in the range | ||
44 | `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. | ||
45 | .IP \(bu | ||
46 | +A string that begins with a `/\' character is treated as a file | ||
47 | +name. A host name or address is matched if it matches any host name | ||
48 | +or address pattern listed in the named file. The file format is | ||
49 | +zero or more lines with zero or more host name or address patterns | ||
50 | +separated by whitespace. A file name pattern can be used anywhere | ||
51 | +a host name or address pattern can be used. | ||
52 | +.IP \(bu | ||
53 | Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
54 | method of matching cannot be used in conjunction with `net/mask\' matching, | ||
55 | hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
56 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
57 | --- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200 | ||
58 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200 | ||
59 | @@ -253,6 +253,26 @@ | ||
60 | } | ||
61 | } | ||
62 | |||
63 | +/* hostfile_match - look up host patterns from file */ | ||
64 | + | ||
65 | +static int hostfile_match(path, host) | ||
66 | +char *path; | ||
67 | +struct hosts_info *host; | ||
68 | +{ | ||
69 | + char tok[BUFSIZ]; | ||
70 | + int match = NO; | ||
71 | + FILE *fp; | ||
72 | + | ||
73 | + if ((fp = fopen(path, "r")) != 0) { | ||
74 | + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) | ||
75 | + /* void */ ; | ||
76 | + fclose(fp); | ||
77 | + } else if (errno != ENOENT) { | ||
78 | + tcpd_warn("open %s: %m", path); | ||
79 | + } | ||
80 | + return (match); | ||
81 | +} | ||
82 | + | ||
83 | /* host_match - match host name and/or address against pattern */ | ||
84 | |||
85 | static int host_match(tok, host) | ||
86 | @@ -280,6 +300,8 @@ | ||
87 | tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ | ||
88 | return (NO); | ||
89 | #endif | ||
90 | + } else if (tok[0] == '/') { /* /file hack */ | ||
91 | + return (hostfile_match(tok, host)); | ||
92 | } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ | ||
93 | char *name = eval_hostname(host); | ||
94 | return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); | ||
95 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
96 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200 | ||
97 | +++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200 | ||
98 | @@ -353,6 +353,8 @@ | ||
99 | { | ||
100 | if (pat[0] == '@') { | ||
101 | tcpd_warn("%s: daemon name begins with \"@\"", pat); | ||
102 | + } else if (pat[0] == '/') { | ||
103 | + tcpd_warn("%s: daemon name begins with \"/\"", pat); | ||
104 | } else if (pat[0] == '.') { | ||
105 | tcpd_warn("%s: daemon name begins with dot", pat); | ||
106 | } else if (pat[strlen(pat) - 1] == '.') { | ||
107 | @@ -385,6 +387,8 @@ | ||
108 | { | ||
109 | if (pat[0] == '@') { /* @netgroup */ | ||
110 | tcpd_warn("%s: user name begins with \"@\"", pat); | ||
111 | + } else if (pat[0] == '/') { | ||
112 | + tcpd_warn("%s: user name begins with \"/\"", pat); | ||
113 | } else if (pat[0] == '.') { | ||
114 | tcpd_warn("%s: user name begins with dot", pat); | ||
115 | } else if (pat[strlen(pat) - 1] == '.') { | ||
116 | @@ -430,8 +434,13 @@ | ||
117 | static int check_host(pat) | ||
118 | char *pat; | ||
119 | { | ||
120 | + char buf[BUFSIZ]; | ||
121 | char *mask; | ||
122 | int addr_count = 1; | ||
123 | + FILE *fp; | ||
124 | + struct tcpd_context saved_context; | ||
125 | + char *cp; | ||
126 | + char *wsp = " \t\r\n"; | ||
127 | |||
128 | if (pat[0] == '@') { /* @netgroup */ | ||
129 | #ifdef NO_NETGRENT | ||
130 | @@ -450,6 +459,21 @@ | ||
131 | tcpd_warn("netgroup support disabled"); | ||
132 | #endif | ||
133 | #endif | ||
134 | + } else if (pat[0] == '/') { /* /path/name */ | ||
135 | + if ((fp = fopen(pat, "r")) != 0) { | ||
136 | + saved_context = tcpd_context; | ||
137 | + tcpd_context.file = pat; | ||
138 | + tcpd_context.line = 0; | ||
139 | + while (fgets(buf, sizeof(buf), fp)) { | ||
140 | + tcpd_context.line++; | ||
141 | + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) | ||
142 | + check_host(cp); | ||
143 | + } | ||
144 | + tcpd_context = saved_context; | ||
145 | + fclose(fp); | ||
146 | + } else if (errno != ENOENT) { | ||
147 | + tcpd_warn("open %s: %m", pat); | ||
148 | + } | ||
149 | } else if (mask = split_at(pat, '/')) { /* network/netmask */ | ||
150 | #ifdef INET6 | ||
151 | int mask_len; | ||