src/libexec/tcpd doesn't work correctly with -DPROCESS_OPTIONS

Vincent Poy vince at oahu.WURLDLINK.NET
Wed Jul 2 18:30:08 PDT 2003


Greetings:

	In -CURRENT, the Makefile in /usr/src/libexec/tcpd doesn't have
-DPROCESS_OPTIONS, which, according to the hosts_access(5) manpage, is
needed for things such as banners in tcp_wrappers to work.

From hosts_access(5):
An  extended version of the access control language is described in the
hosts_options(5) document. The extensions  are  turned  on  at  program
build time by building with -DPROCESS_OPTIONS.

In hosts_options(5):
       banners /some/directory

       Look  for  a file in `/some/directory' with the same name as
       the daemon process (for example in.telnetd for the telnet service),
       and  copy  its  contents  to  the client. Newline characters
       are replaced by carriage-return newline, and %<letter> sequences
       are expanded (see the hosts_access(5) manual page).
       The  tcp  wrappers  source  code  distribution provides a
       sample makefile (Banners.Makefile) for convenient banner
       maintenance.
       Warning: banners are  supported  for  connection-oriented
       (TCP) network services only.

As an example, in /etc/hosts.allow, I have the following line:
telnet  stream  tcp     nowait  root    /usr/libexec/tcpd /usr/libexec/telnetd

	With the tcp_wrappers port binary from a few years ago, it would
do the following:

 Welcome [unknown@adsl-208-201-244-226.sonic.net] to ...

    ________ _____   _________ ______ _______ __________________________
    ___  __ \___  | / /___    |___  / __  __ \__  ____/____  _/__  ____/
    __  / / /__   |/ / __  /| |__  /  _  / / /_  / __   __  /  _  /
    _  /_/ / _  /|  /  _  ___ |_  /___/ /_/ / / /_/ /  __/ /   / /___
    /_____/  /_/ |_/   /_/  |_|/_____/\____/  \____/   /___/   \____/
.NET

                                [ bigbang.DNALOGIC.NET ]

                DNA Logic Corporation - http://www.DNALOGIC.NET
                        San Francisco, California USA
    For assistance or information please e-mail root@bigbang.DNALOGIC.NET

FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

login:

	The binary works, but for anything not defined in hosts.allow it
would completely skip the banner and give them the login prompt rather
than refusing to let them reach the telnetd daemon as before.  The tcpd
built by -CURRENT does work correctly, but banner support is not enabled
by default.

In /usr/src/libexec/tcpd/Makefile,

CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
	-DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
	-DHOSTS_DENY=\"/etc/hosts.deny\" \
	-DHOSTS_ALLOW=\"/etc/hosts.allow\" \
	-DFACILITY=LOG_DAEMON

In /usr/src/contrib/tcp_wrappers/README in section 4.5 and 4.7, it
mentions:

4.5 - Language extensions
-------------------------

The wrappers sport only a limited number of features. This is for a
good reason: programs that run at high privilege levels must be easy to
verify. And the smaller a program, the easier to verify. There is,
however, a provision to add features.

The options.c module provides a framework for language extensions.
Quite a few extensions have already been implemented; they are
documented in the hosts_options.5 document, which is in `nroff -man'
format. Examples: changing the severity level at which a request for
service is logged; "allow" and "deny" keywords; running a customized
server instead of the standard one; many others.

The language extensions are not enabled by default because they
introduce an incompatible change to the access control language
syntax.  Instructions to enable the extensions are given in the
Makefile.

4.7 - Banner messages
---------------------

Some sites are required to present an informational message to users
before they attempt to login.  Banner messages can also be useful when
denying service:  instead of simply dropping the connection a polite
explanation is given first. Finally, banners can be used to give your
system a more personal touch.

The wrapper software provides easy-to-use tools to generate pre-login
banners for ftp, telnet, rlogin etc. from a single prototype banner
textfile.  Details on banners and on-the-fly %<letter> expansions are
given in the hosts_options.5 manual page (`nroff -man' format). An
example is given in the file Banners.Makefile.

In order to support banner messages the wrappers have to be built with
language extensions enabled. See the section on language extensions.

In /usr/src/contrib/tcp_wrappers/Makefile, it mentions that the
-DPROCESS_OPTIONS is needed for language extensions:

###########################################
# Optional: Turning on language extensions
#
# Instead of the default access control language that is documented in
# the hosts_access.5 document, the wrappers can be configured to
# implement an extensible language documented in the hosts_options.5
# document.  This language is implemented by the "options.c" source
# module, which also gives hints on how to add your own extensions.
# Uncomment the next definition to turn on the language extensions
# (examples: allow, deny, banners, twist and spawn).
#
#STYLE  = -DPROCESS_OPTIONS     # Enable language extensions.

	So in /usr/src/libexec/tcpd/Makefile, I added -DPROCESS_OPTIONS:

CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
	-DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
	-DHOSTS_DENY=\"/etc/hosts.deny\" \
	-DHOSTS_ALLOW=\"/etc/hosts.allow\" \
	-DFACILITY=LOG_DAEMON \
	-DPROCESS_OPTIONS

	However, -DPROCESS_OPTIONS seems to have no effect after I
replaced tcpd and restarted inetd.  When one telnets in, it goes straight
to telnetd without going through the banners, even though it denies
access to those not defined in /etc/hosts.allow:

FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

login:


Cheers,
Vince - vince at WURLDLINK.NET - Vice President             ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation                                  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1 at IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
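As an added illustration (not part of the post above, and not copied from the FreeBSD or tcp_wrappers sources) of what the README calls the "incompatible change to the access control language syntax": once tcpd is built with -DPROCESS_OPTIONS, each hosts.allow entry is read as daemon_list : client_list : option : option ..., and the allow/deny decision, the banner directory, and the %<letter> expansions all live in those option fields. Without -DPROCESS_OPTIONS the same third field is a shell_command and the keywords mean nothing. The inetd line is the one from the post; the network, directories, and banner text are assumptions for illustration.

```conf
# /etc/inetd.conf: telnet goes to tcpd, which decides before exec'ing the real daemon.
# The daemon name tcpd uses for matching and for the banner file is "telnetd"
# (the basename of the wrapped program), not "telnet".
telnet  stream  tcp     nowait  root    /usr/libexec/tcpd /usr/libexec/telnetd

# /etc/hosts.allow, extended language (needs tcpd built with -DPROCESS_OPTIONS).
# First matching rule wins. "banners DIR" copies DIR/telnetd to the client first;
# "allow" / "deny" must be the last option of the rule.
telnetd : 192.168.1.0/255.255.255.0 : banners /etc/banners : allow
telnetd : ALL                       : banners /etc/banners.deny : deny

# /etc/banners/telnetd (constructed sample). Newlines go out as CR LF and
# %c (client user@host), %d (daemon name) and %N (server host name) are expanded
# by tcpd as documented in hosts_access(5).
Welcome [%c] to %N ...
Authorized use of %d only. Sessions are logged.

# /etc/banners.deny/telnetd (constructed sample): the "polite explanation" the
# README mentions, sent before the connection is closed.
Access to %d on %N from %c is not permitted.

# Classic language (no -DPROCESS_OPTIONS): only daemon_list : client_list [: shell_command].
# The entry below is the whole rule; writing "banners ... : allow" here would be
# taken as a shell command, which is why the two languages cannot be mixed.
telnetd : 192.168.1.0/255.255.255.0
```

The place to check that the running tcpd actually understands this syntax is tcpdchk(8) (tcpdchk -d reads hosts.allow/hosts.deny from the current directory, -i points it at an inetd.conf) and tcpdmatch(8), which predicts the decision for a given daemon and client; both come from the same source tree and must be built with the same -DPROCESS_OPTIONS setting as tcpd, otherwise they will not parse the option fields the way tcpd does.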



More information about the freebsd-current mailing list