Subject: bin/13348: syslogd(8) libwrap support
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 07/01/2001 11:25:38
>Number: 13348
>Category: bin
>Synopsis: syslogd(8) libwrap support
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Jun 30 19:28:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Release: 1.5W
>Organization:
itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5W NetBSD 1.5W (STARFRUIT) #513: Sat Jun 30 03:15:39 JST 2001 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
Architecture: i386
Machine: i386
>Description:
the following patch adds libwrap (hosts.allow/deny) support to
syslogd(8).
the following line in /etc/hosts.deny will reject all syslog traffic
from outside:
syslogd: ALL
actually, it may make -s unnecessary (if we ship with a default
hosts.deny that rejects syslogd: ALL).
>How-To-Repeat:
asked if it is possible to drop out syslog packets, based on
source, a la FreeBSD syslogd(8) -a option.
>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/syslogd/Makefile,v
retrieving revision 1.14
diff -u -r1.14 Makefile
--- Makefile 1999/12/02 16:17:29 1.14
+++ Makefile 2001/07/01 02:26:34
@@ -12,4 +12,8 @@
# KAME scopeid hack
#CPPFLAGS+=-DKAME_SCOPEID
+CPPFLAGS+=-DLIBWRAP
+LDADD+= -lwrap
+DPADD+= ${LIBWRAP}
+
.include <bsd.prog.mk>
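Review bot: the libwrap build is switched on unconditionally here (`CPPFLAGS+=-DLIBWRAP` plus the `-lwrap` LDADD/DPADD lines), unlike the KAME_SCOPEID knob just above it, which is left as a commented-out option. Since every C change is already under `#ifdef LIBWRAP`, consider gating the three new lines on a make variable (a `.if` test on something like a `USE_LIBWRAP` knob; the name is hypothetical) so that a build without libwrap still links, and add a one-line comment stating that hosts.allow/hosts.deny are now consulted for the inet socket.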
Index: syslogd.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.45
diff -u -r1.45 syslogd.c
--- syslogd.c 2001/06/08 04:16:28 1.45
+++ syslogd.c 2001/07/01 02:26:45
@@ -110,6 +110,13 @@
#define SYSLOG_NAMES
#include <sys/syslog.h>
+#ifdef LIBWRAP
+#include <tcpd.h>
+
+int allow_severity = LOG_AUTH|LOG_INFO;
+int deny_severity = LOG_AUTH|LOG_WARNING;
+#endif
+
char *ConfFile = _PATH_LOGCONF;
char ctty[] = _PATH_CONSOLE;
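Review bot: `allow_severity` and `deny_severity` are the globals libwrap expects the linking program to define, so defining them is required, but they deserve a comment explaining where their messages go: libwrap reports its own problems (for example a hosts.allow syntax warning) through syslog(3), and inside syslogd that call is delivered back to this same daemon over the local log socket rather than to an external logger. It is worth confirming that such a diagnostic raised while syslogd is servicing the inet socket cannot stall the receive loop, and a short comment next to the two definitions saying that they are consumed by libwrap and that LOG_AUTH was chosen deliberately would help the next reader.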
@@ -420,17 +427,37 @@
for (j = 0; j < *finet; j++) {
if (readfds[nfinetix[j]].revents &
(POLLIN | POLLPRI)) {
+#ifdef LIBWRAP
+ struct request_info req;
+#endif
+ int reject = 0;
+
dprintf("inet socket active\n");
+
+#ifdef LIBWRAP
+ request_init(&req, RQ_DAEMON, "syslogd",
+ RQ_FILE, finet[j + 1], NULL);
+ fromhost(&req);
+ reject = !hosts_access(&req);
+ if (reject)
+ dprintf("access denied\n");
+#endif
+
len = sizeof(frominet);
i = recvfrom(finet[j+1], line, MAXLINE,
0, (struct sockaddr *)&frominet,
&len);
- if (i > 0) {
- line[i] = '\0';
+ if (i == 0 || (i < 0 && errno == EINTR))
+ continue;
+ else if (i < 0) {
+ logerror("recvfrom inet");
+ continue;
+ }
+
+ line[i] = '\0';
+ if (!reject)
printline(cvthname(&frominet),
line);
- } else if (i < 0 && errno != EINTR)
- logerror("recvfrom inet");
}
}
}
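Review bot: a datagram refused by `hosts_access()` is consumed and then dropped with nothing but a `dprintf("access denied\n")`, so in a production build an operator gets no record that a source is being blocked; consider emitting a (rate-limited) local log message naming the peer in the `reject` case, since surfacing blocked senders is the main operational value of the check. Two smaller points on the same hunk: the check runs before `recvfrom()`, so `fromhost()` has to peek at the pending packet and resolve its peer name, and on the accepted path `cvthname()` then resolves the same address a second time; initialising the request after the read with the peer address already in `frominet` (libwrap's `RQ_CLIENT_SIN` key) would avoid both the peek and the duplicate lookup, and would also skip the access check when the read returns 0 or `EINTR`. The restructured error handling (`continue` on 0/`EINTR`, `logerror()` on other errors) preserves the old behaviour, so no issue there.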
>Release-Note:
>Audit-Trail:
>Unformatted:
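Added example (not part of the PR and not the libwrap or tcp_wrappers source): a small Python model of the hosts_access(5) decision that the patch asks libwrap to make for each datagram arriving on the inet socket. It implements the documented search order (hosts.allow is searched first, then hosts.deny, and a client matched by neither is allowed) for the ALL, dotted-prefix, net/mask, exact-address and EXCEPT client forms, with both files constructed inline. It goes a little beyond the PR's single `syslogd: ALL` line to show that the deny rule on its own refuses every sender, and that an allow list is what turns it into the "reject traffic from outside" policy the description has in mind. Hostname patterns, the LOCAL wildcard and the shell-command field are not modelled.

```python
"""Simplified model of libwrap's hosts_access() decision (constructed example).

Not the tcp_wrappers code: it reproduces the hosts_access(5) search order
(hosts.allow first, then hosts.deny, default allow) for a subset of the
client patterns: ALL, dotted prefix "192.0.2.", "net/mask" (dotted mask or
CIDR), exact addresses and one EXCEPT clause per list.
"""
import ipaddress

# Constructed sample policy: the PR's default "syslogd: ALL" in hosts.deny,
# plus an explicit allow list of trusted log sources (documentation ranges).
HOSTS_ALLOW = """
# trusted log sources only
syslogd: 192.0.2. 203.0.113.0/255.255.255.0 EXCEPT 203.0.113.99
"""
HOSTS_DENY = """
syslogd: ALL
"""


def _split_list(field):
    """Split 'a b EXCEPT c' into (include_tokens, except_tokens)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _parse(text):
    """Return [(daemon_list, client_list), ...] for one access-control file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split(":")              # daemons : clients [: shell cmd]
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_match(pattern, addr):
    """Match one client pattern against an ipaddress object."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # dotted prefix, e.g. "192.0.2."
        return str(addr).startswith(pattern)
    if "/" in pattern:                        # net/mask, dotted or CIDR
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                          # hostname patterns not modelled


def _list_match(lst, item, matcher):
    include, exclude = lst
    return (any(matcher(p, item) for p in include)
            and not any(matcher(p, item) for p in exclude))


def _table_match(rules, daemon, addr):
    return any(_list_match(d, daemon, _daemon_match)
               and _list_match(c, addr, _client_match)
               for d, c in rules)


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the (daemon, client) pair is granted access.

    Mirrors the hosts_access(5) order: a hosts.allow match grants, otherwise a
    hosts.deny match refuses, otherwise access is granted.
    """
    addr = ipaddress.ip_address(client)
    if _table_match(_parse(allow_text), daemon, addr):
        return True
    if _table_match(_parse(deny_text), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    for peer in ("192.0.2.7", "203.0.113.5", "203.0.113.99", "198.51.100.9"):
        print(peer, "accept" if hosts_access("syslogd", peer) else "reject")
```

Because ALL matches every client (localhost is only excluded by a separate LOCAL wildcard), a deny-only policy also refuses datagrams from 127.0.0.1 on the inet socket, which is why the sample pairs the deny rule with an allow list.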