Subject: bin/13348: syslogd(8) libwrap support
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 07/01/2001 11:25:38
>Number:         13348
>Category:       bin
>Synopsis:       syslogd(8) libwrap support
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 30 19:28:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Release:        1.5W
>Organization:
	itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5W NetBSD 1.5W (STARFRUIT) #513: Sat Jun 30 03:15:39 JST 2001 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
Architecture: i386
Machine: i386
>Description:
	the following patch adds libwrap (hosts.allow/deny) support to
	syslogd(8).
	the following line in /etc/hosts.deny will reject all syslog traffic
	from outside:
		syslogd: ALL

	actually, it may make -s unnecessary (if we ship with a default
	hosts.deny that rejects syslogd: ALL).
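	As an added illustration, not part of itojun's PR, here is a hosts.allow/hosts.deny pair that uses the daemon name "syslogd" the patch passes to request_init() as RQ_DAEMON. The network 192.0.2.0/255.255.255.0 is a constructed placeholder for the hosts whose log traffic you actually want to accept; everything else is refused by the default-deny line from the description.

```text
# /etc/hosts.allow (constructed example; 192.0.2.0/24 stands for your log clients)
# libwrap reads this file first; the first matching line decides.
syslogd: 192.0.2.0/255.255.255.0

# /etc/hosts.deny (the default-deny rule from the PR description)
# Consulted only when nothing in hosts.allow matched.
syslogd: ALL
```

	Two caveats a practitioner will want: with this patch a refused datagram is still read from the socket and then discarded (so syslogd does not spin on a readable socket), and the only record of the refusal is the dprintf in debug mode. Also, libwrap on a UDP socket can only match the source address of the datagram, which the sender chooses and nothing authenticates, so this is noise filtering at the edge, not a replacement for a packet filter or for keeping -s where remote reception is not wanted.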
>How-To-Repeat:
	asked if it is possible to drop out syslog packets, based on
	source, a la FreeBSD syslogd(8) -a option.
>Fix:

Index: Makefile
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/syslogd/Makefile,v
retrieving revision 1.14
diff -u -r1.14 Makefile
--- Makefile	1999/12/02 16:17:29	1.14
+++ Makefile	2001/07/01 02:26:34
@@ -12,4 +12,8 @@
 # KAME scopeid hack
 #CPPFLAGS+=-DKAME_SCOPEID
 
+CPPFLAGS+=-DLIBWRAP
+LDADD+=	-lwrap
+DPADD+=	${LIBWRAP}
+
 .include <bsd.prog.mk>
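Review bot: the CPPFLAGS/LDADD/DPADD additions are unconditional while the C side is wrapped in #ifdef LIBWRAP, so the guards in syslogd.c can never be off in this build; either drop the #ifdefs or make the three Makefile lines conditional on a build knob so syslogd can still be built and linked without libwrap. A one-line comment in the style of the existing "# KAME scopeid hack" saying that libwrap is the intended default (the description suggests it may make -s unnecessary) would also help.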
Index: syslogd.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.45
diff -u -r1.45 syslogd.c
--- syslogd.c	2001/06/08 04:16:28	1.45
+++ syslogd.c	2001/07/01 02:26:45
@@ -110,6 +110,13 @@
 #define SYSLOG_NAMES
 #include <sys/syslog.h>
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+
+int allow_severity = LOG_AUTH|LOG_INFO;
+int deny_severity = LOG_AUTH|LOG_WARNING;
+#endif
+
 char	*ConfFile = _PATH_LOGCONF;
 char	ctty[] = _PATH_CONSOLE;
 
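Review bot: allow_severity and deny_severity are defined without a comment. libwrap requires the linking program to supply them (the "severity" option in hosts_access(5) writes to them) and tcpd-style programs pass them to syslog(3) when logging accepted and refused connections, but nothing in this patch logs at either priority, so either log rejected datagrams with deny_severity or comment that the two globals exist only to satisfy the link. Worth noting in that comment, too, that here the program is syslogd itself, so anything libwrap logs via syslog(3) comes back in through /dev/log like any other local client's message.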
@@ -420,17 +427,37 @@
 			for (j = 0; j < *finet; j++) {
 		    		if (readfds[nfinetix[j]].revents &
 				    (POLLIN | POLLPRI)) {
+#ifdef LIBWRAP
+					struct request_info req;
+#endif
+					int reject = 0;
+
 					dprintf("inet socket active\n");
+
+#ifdef LIBWRAP
+					request_init(&req, RQ_DAEMON, "syslogd",
+					    RQ_FILE, finet[j + 1], NULL);
+					fromhost(&req);
+					reject = !hosts_access(&req);
+					if (reject)
+						dprintf("access denied\n");
+#endif
+
 					len = sizeof(frominet);
 					i = recvfrom(finet[j+1], line, MAXLINE,
 					    0, (struct sockaddr *)&frominet,
 					    &len);
-					if (i > 0) {
-						line[i] = '\0';
+					if (i == 0 || (i < 0 && errno == EINTR))
+						continue;
+					else if (i < 0) {
+						logerror("recvfrom inet");
+						continue;
+					}
+
+					line[i] = '\0';
+					if (!reject)
 						printline(cvthname(&frominet),
 						    line);
-					} else if (i < 0 && errno != EINTR)
-						logerror("recvfrom inet");
 				}
 			}
 		}
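Review bot: the access decision is taken before the datagram is read: fromhost() on a datagram socket has to obtain the peer address with a MSG_PEEK recvfrom of its own, and hosts_access() then decides on that peeked address while the real recvfrom follows a few lines later. It would be simpler and tie the decision to the exact datagram being processed to call recvfrom first and hand the already-filled frominet to libwrap with request_set(&req, RQ_CLIENT_SIN, &frominet, 0) before hosts_access() (assuming NetBSD's libwrap accepts the sockaddr type used for frominet), which also drops one syscall per packet. Separately, a refused datagram is read and dropped with only dprintf("access denied\n") as a record, so in normal operation an operator never sees that a sender is being refused; consider logging the refusal (rate-limited, since this is a per-packet path) using the deny_severity defined above.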
>Release-Note:
>Audit-Trail:
>Unformatted: