From dwmalone@maths.tcd.ie Mon May 31 07:43:13 1999
Return-Path: <dwmalone@maths.tcd.ie>
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id 56E1914E6A
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 31 May 1999 07:43:11 -0700 (PDT)
	(envelope-from dwmalone@maths.tcd.ie)
Received: from gosset.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa22740@salmon.maths.tcd.ie>; 31 May 99 15:43:11 +0100 (BST)
Message-Id: <199905311543.aa28242@gosset.maths.tcd.ie>
Date: Mon, 31 May 1999 15:43:10 +0100 (BST)
From: dwmalone@maths.tcd.ie
Sender: dwmalone@maths.tcd.ie
Reply-To: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Subject: inetd built in wrapping doesn't log like tcpd does.
X-Send-Pr-Version: 3.2

>Number:         11960
>Category:       bin
>Synopsis:       inetd built in wrapping doesn't log like tcpd does.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 31 07:50:01 PDT 1999
>Closed-Date:    Wed Jun 9 08:54:22 PDT 1999
>Last-Modified:  Wed Jun  9 08:54:55 PDT 1999
>Originator:     David Malone
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
School of Mathematics, Trinity College, Dublin, Ireland.
>Environment:

	3.2-STABLE

>Description:

The TCP wrapping which is now built into inetd logs denied connections,
but only logs accepted connections if you give the -l flag. This doesn't
match the real tcpd's behavior, which logs allowed connections at a
much lower syslog level.

Tying the behavior to the -l flag is incorrect, because it makes it
impossible to selectively log successful connections by using hosts.allow
to adjust the syslog level. (The -l flag tries to log all connections).

>How-To-Repeat:

Try doing something like this in /etc/hosts.allow, which would 
log smtpd connections to localhost at a separate level, so syslogd
can put them all in one file.

smtpd: 127.0.0.1 : rfc931 1 : severity local1.info : allow

>Fix:

Apply the following to inetd.c - seems to apply to 3.2 and current.
	
648,652c648,650
< 				if (log) {
< 				    syslog(allow_severity,
< 				        "connection from %.500s, service %s (%s)",
< 					eval_client(&req), service, sep->se_proto);
< 				}
---
> 				syslog(allow_severity,
> 				    "connection from %.500s, service %s (%s)",
> 				    eval_client(&req), service, sep->se_proto);
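
Review bot: removing the `if (log)` guard makes the allow-side `syslog(allow_severity, ...)` unconditional, so in this path the `-l` flag no longer controls anything, yet nothing else in the diff adjusts what `-l` means or documents the change. With a stock hosts.allow that sets no `severity` option, every accepted wrapped connection now lands at the default allow_severity; either state in the PR that `-l` becomes a no-op for wrapped stream services, or keep a way to switch the allow-side line off for people who do not route it via hosts.allow.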

>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: freebsd-gnats-submit@freebsd.org
Cc: dwmalone@maths.tcd.ie
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does.
Date: Tue, 08 Jun 1999 12:30:31 +0200

 Hi David,
 
 I don't understand your patch. You want to always log all connections,
 and all at allow_severity (auth.info)? What functionality does this
 offer us over what we've got now, given that this deprecates the '-l'
 option?
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 11:41:01 +0100

 > I don't understand your patch. You want to always log all connections,
 > and all at allow_severity (auth.info)? What functionality does this
 > offer us over what we've got now, given that this deprecates the '-l'
 > option?
 
 Yup - we should call syslog for every connection with allow_severity for
 the level. For a start this is what tcpd does, but for a second
 allow_severity can be changed by the call to hosts_access, to be anything
 you like, so it may or may not end up in a log file, depending on your
 syslog.conf.
 
 For example, suppose you want to log all rlogin connections with a
 high priority, but don't want to log mail connections which are rejected
 'cos the IP address can't be resolved. Then you can have the following
 lines in /etc/hosts.allow:
 
 in.rlogind rlogind: ALL : rfc931 1 : severity local0.warning : allow
 smtpd: UNKNOWN : severity local0.info : deny
 
 Using tcpd this produces the desired effect. Using inetd wrapping you
 get none of the rlogind connections logged 'cos they were all successful.
 Using "inetd -l" we get all the connections logged, including the smtpd
 ones we don't want.
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 13:16:48 +0200

 On Tue, 08 Jun 1999 11:41:01 +0100, David Malone wrote:
 
 > Yup - we should call syslog for every connection with allow_severity for
 > the level. For a start this is what tcpd does, but for a second
 > allow_severity can be changed by the call to hosts_access
 
 But that's just my point. I don't think it can, certainly not from my
 take on the allow_severity variable in inetd.c ... Where are you
 looking?
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 12:26:45 +0100

 > On Tue, 08 Jun 1999 11:41:01 +0100, David Malone wrote:
 > 
 > > Yup - we should call syslog for every connection with allow_severity for
 > > the level. For a start this is what tcpd does, but for a second
 > > allow_severity can be changed by the call to hosts_access
 > 
 > But that's just my point. I don't think it can, certainly not from my
 > take on the allow_severity variable in inetd.c ... Where are you
 > looking?
 
 contrib/tcp_wrappers/options.c about line 550. This actually means we
 should be resetting allow_severity and deny_severity before each call
 to hosts_access()?
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 13:32:35 +0200

 On Tue, 08 Jun 1999 12:26:45 +0100, David Malone wrote:
 
 > contrib/tcp_wrappers/options.c about line 550. This actually means we
 > should be resetting allow_severity and deny_severity before each call
 > to hosts_access()?
 
 So you wanna work on that? I foresee 6 lines of code. :-)
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 12:44:50 +0100

 > On Tue, 08 Jun 1999 12:26:45 +0100, David Malone wrote:
 > 
 > > contrib/tcp_wrappers/options.c about line 550. This actually means we
 > > should be resetting allow_severity and deny_severity before each call
 > > to hosts_access()?
 > 
 > So you wanna work on that? I foresee 6 lines of code. :-)
 
 How does the following look? It also includes the removal of the if(){}
 from around the syslog for allows.
 
 	David.
 
 
 --- inetd.c.orig	Tue Jun  8 12:34:30 1999
 +++ inetd.c	Tue Jun  8 12:41:14 1999
 @@ -629,6 +629,8 @@
  					sep->se_server_name : sep->se_service,
  					RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 +				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
  				if (denied || log) {
  				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 @@ -645,11 +647,9 @@
  				        eval_client(&req), service, sep->se_proto);
  				    goto reject;
  				}
 -				if (log) {
 -				    syslog(allow_severity,
 -				        "connection from %.500s, service %s (%s)",
 -					eval_client(&req), service, sep->se_proto);
 -				}
 +				syslog(allow_severity,
 +				    "connection from %.500s, service %s (%s)",
 +				    eval_client(&req), service, sep->se_proto);
  			    }
  #endif /* LIBWRAP */
  			    if (sep->se_bi) {
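
 Review bot: `service` is only computed inside the `if (denied || log)` block that the previous hunk leaves in place, so the now-unconditional `syslog(allow_severity, "connection from %.500s, service %s (%s)", ...)` is reached with `service` never set on this connection whenever `-l` is off (it is declared `char *service = NULL`, so that is a `%s` of a null pointer). Move the getservbyport() lookup out of that guard so the service name is computed on every wrapped connection.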
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 13:58:30 +0200

 The code as it stands sets the severities once. You're proposing to set
 the severities every time hosts_access() is called, but always to the
 same values that they were set to at the beginning. :-)
 
 Doesn't the tcp_wrappers library offer an interface for finding out what
 severity a particular service likes to be reported with?
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 13:07:49 +0100

 > The code as it stands sets the severities once. You're proposing to set
 > the severities every time hosts_access() is called, but always to the
 > same values that they were set to at the beginning. :-)
 > 
 > Doesn't the tcp_wrappers library offer an interface for finding out what
 > severity a particular service likes to be reported with?
 
 Calling hosts_access is the only way of finding out, 'cos the severity
 might depend on any of the things tcp wrappers can match on. I
 think we need to reset them each time 'cos otherwise if we don't set the
 severity in /etc/hosts.allow for the current service we'll just get the
 last used severity.
 
 I think resetting each time is the correct behavior...
 
 	David.
 
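 As an added illustration (not code from this PR, from inetd or from libwrap), a small C mock of the accept path: hosts_access() is replaced by a table-driven stand-in whose `severity` option overwrites the two globals the way options.c does, and a second connection with no severity of its own shows the leak described above unless the defaults are restored before each call. The rule table, the `ftpd` daemon and the 192.0.2.10 client are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Same names and roles as the globals in inetd.c: libwrap reads them when it
 * logs, and its "severity" option overwrites them. */
#define DEFAULT_ALLOW (LOG_AUTH | LOG_INFO)
#define DEFAULT_DENY  (LOG_AUTH | LOG_WARNING)

int allow_severity = DEFAULT_ALLOW;
int deny_severity  = DEFAULT_DENY;

struct rule {
    const char *daemon;   /* daemon name to match, or "ALL" */
    const char *client;   /* client address, "ALL", or "UNKNOWN" (unresolvable) */
    int severity;         /* facility|level from a "severity" option, -1 if none */
    int allow;            /* 1 = allow, 0 = deny */
};

/* Constructed table standing in for the /etc/hosts.allow lines quoted in the
 * thread; "ftpd" has no entry of its own and falls through to ALL : ALL. */
static const struct rule rules[] = {
    { "rlogind", "ALL",     LOG_LOCAL0 | LOG_WARNING, 1 },
    { "smtpd",   "UNKNOWN", LOG_LOCAL0 | LOG_INFO,    0 },
    { "ALL",     "ALL",     -1,                       1 },
};

static int match(const char *pattern, const char *value)
{
    return strcmp(pattern, "ALL") == 0 || strcmp(pattern, value) == 0;
}

/* Stand-in for hosts_access(): first matching rule wins. A "severity" option
 * sets both globals, as severity_option() in tcp_wrappers' options.c does,
 * and nothing ever puts them back. */
static int mock_hosts_access(const char *daemon, const char *client)
{
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];

        if (!match(r->daemon, daemon) || !match(r->client, client))
            continue;
        if (r->severity != -1)
            allow_severity = deny_severity = r->severity;
        return r->allow;
    }
    return 0;   /* unreachable with the ALL : ALL : allow line above */
}

/* One wrapped stream connection as inetd's accept path sees it. Returns the
 * priority the "connection from ..." or "refused connection ..." line goes
 * out with. reset_first = 1 is the fix discussed in the thread: restore the
 * defaults before every hosts_access() call so a severity left by an earlier
 * match cannot leak into the next service's log line. */
int wrapped_log_priority(const char *daemon, const char *client, int reset_first)
{
    int denied;

    if (reset_first) {
        deny_severity = DEFAULT_DENY;
        allow_severity = DEFAULT_ALLOW;
    }
    denied = !mock_hosts_access(daemon, client);
    return denied ? deny_severity : allow_severity;
}

/* Two connections to a freshly started inetd: rlogind (its rule sets
 * local0.warning) and then ftpd, which has no severity of its own.
 * Returns the priority the ftpd connection was logged at. */
int second_connection_priority(int reset_first)
{
    allow_severity = DEFAULT_ALLOW;
    deny_severity = DEFAULT_DENY;
    (void)wrapped_log_priority("rlogind", "192.0.2.10", reset_first);
    return wrapped_log_priority("ftpd", "192.0.2.10", reset_first);
}

int main(void)
{
    int p;

    p = second_connection_priority(0);
    printf("no reset:   ftpd logged with facility %d, level %d (leaked from rlogind rule)\n",
        LOG_FAC(p), LOG_PRI(p));
    p = second_connection_priority(1);
    printf("with reset: ftpd logged with facility %d, level %d\n",
        LOG_FAC(p), LOG_PRI(p));
    return 0;
}
```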

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 14:17:53 +0200

 I'm being obtuse. Next time I'll read more carefully. This looks like
 what we want. Do your changes work with wrapped internal services (see
 PR 11651)? Looks to me like your method handles both cases of forked and
 non-forked internals nicely.
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 14:54:44 +0100

 > I'm being obtuse. Next time I'll read more carefully. This looks like
 > what we want. Do your changes work with wrapped internal services (see
 > PR 11651)? Looks to me like your method handles both cases of forked and
 > non-forked internals nicely.
 
 I think the code makes sense in both cases. I read the PR and I can't see
 how this could upset the internally wrapped case.
 
 Reading the code more carefully, I think I've discovered something else which
 should be done all the time - calculating the service name for the syslog.
 I've checked all these changes on a 3.2-stable machine and it seems to do the
 right thing.
 
 I've an interesting tale of caution for people - if you already have services
 wrapped with tcpd and wonder why:
 
 in.rshd rshd: ALL : severity dshosadh.warning : deny
 
 is allowed by inetd's tcp wrapping, but denied by tcpd's wrapping - remember
 inetd will be calling hosts_access with a daemon name of "tcpd"! I wonder
 if we should log the daemon's name when we log the rest of the info about
 the service - as that is what people are most likely to grep for?
 
 	David.
 
 
 --- inetd.c	Tue Jun  8 13:39:35 1999
 +++ inetd.c.orig	Tue Jun  8 12:34:30 1999
 @@ -629,24 +629,25 @@
  					sep->se_server_name : sep->se_service,
  					RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 -				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 -				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
 -				sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 -				if (sp == NULL) {
 -				    (void)snprintf(buf, sizeof buf, "%d",
 -					ntohs(sep->se_ctrladdr.sin_port));
 -				    service = buf;
 -				} else
 -				    service = sp->s_name;
 +				if (denied || log) {
 +				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 +				    if (sp == NULL) {
 +					(void)snprintf(buf, sizeof buf, "%d",
 +					   ntohs(sep->se_ctrladdr.sin_port));
 +					service = buf;
 +				    } else
 +					service = sp->s_name;
 +				}
  				if (denied) {
  				    syslog(deny_severity,
  				        "refused connection from %.500s, service %s (%s)",
  				        eval_client(&req), service, sep->se_proto);
  				    goto reject;
 -				} else {
 +				}
 +				if (log) {
  				    syslog(allow_severity,
 -					"connection from %.500s, service %s (%s)",
 +				        "connection from %.500s, service %s (%s)",
  					eval_client(&req), service, sep->se_proto);
  				}
  			    }
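
 Review bot: the header reads `--- inetd.c` / `+++ inetd.c.orig`, so this diff is the reverse of the intended change: the `-` lines are the code being added and anyone feeding it to patch(1) without `-R` will undo the work. Read in the intended direction it moves the getservbyport() lookup out of the `if (denied || log)` guard and replaces `if (log)` with an `else` branch, which is the right fix for the unset `service`; please regenerate with the arguments swapped so it applies cleanly.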
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 15:17:30 +0200

 On Tue, 08 Jun 1999 14:54:44 +0100, David Malone wrote:
 
 > I've an interesting tale of caution for people - if you already have
 > services wrapped with tcpd and wonder why:
 >
 > in.rshd rshd: ALL : severity dshosadh.warning : deny
 >
 > is allowed by inetd's tcp wrapping
 
 dshosadh.warning? :-)
 
 I assume you meant that this breaks if inetd.conf specifies that a
 program should be launched through tcpd. That's true, but I don't think
 we want to mung inetd so that it knows about tcpd at all.
 
 I think the first patch you sent, for honouring hosts_access severity
 extensions should be committed, but I don't think your second patch is
 desirable.
 
 Ciao,
 Sheldon.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 15:21:24 +0200

 On Tue, 08 Jun 1999 14:54:44 +0100, David Malone wrote:
 
 > I wonder if we should log the daemon's name when we log the rest of
 > the info about the service - as that is what people are most likely to
 > grep for?
 
 Hmmm, wait. I was too hasty with my "I don't think your second patch is
 desireable".
 
 Rather, how does this handle the case of internal services?
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 14:25:29 +0100

 > I think the first patch you sent, for honouring hosts_access severity
 > extensions should be committed, but I don't think your second patch is
 > desirable.
 
 That is all the final patch does, only it gets the service name right
 in the log file!
 
 > Hmmm, wait. I was too hasty with my "I don't think your second patch is
 > desireable".
 
 Ahh...
 
 > Rather, how does this handle the case of internal services?
 
 It is just doing the logging it would have done in the denied case,
 only with allow_severity - so I think it should work as well as inetd
 does anyway.
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 15:53:57 +0200

 Okay, could you do me a favour and see if you're happy with these diffs.
 They're a compromise, in that you still have to run inetd -l to log
 successful connections.
 
 You should apply them to clean inetd sources, not whatever we've got so
 far. :-)
 
 These incorporate your stuff and mine from PR 11651.
 
 Ciao,
 Sheldon.
 
 Index: usr.sbin/inetd/Makefile
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/Makefile,v
 retrieving revision 1.8
 diff -u -d -r1.8 Makefile
 --- Makefile	1999/05/07 06:48:01	1.8
 +++ Makefile	1999/05/22 13:32:00
 @@ -5,7 +5,7 @@
  MAN8=	inetd.8
  MLINKS=	inetd.8 inetd.conf.5
  
 -COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP
 +COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
  #COPTS+=	-DSANITY_CHECK
  
  DPADD+=	${LIBUTIL} ${LIBWRAP}
 Index: usr.sbin/inetd/inetd.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/inetd.c,v
 retrieving revision 1.49
 diff -u -d -r1.49 inetd.c
 --- inetd.c	1999/05/11 12:50:14	1.49
 +++ inetd.c	1999/06/09 13:43:55
 @@ -146,8 +146,8 @@
  #ifndef LIBWRAP_DENY_SEVERITY
  # define LIBWRAP_DENY_SEVERITY LOG_WARNING
  #endif
 -int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
 -int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +int allow_severity;
 +int deny_severity;
  #endif
  
  #ifdef LOGIN_CAP
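
 Review bot: `allow_severity` and `deny_severity` are now zero-initialized, which is `LOG_EMERG` with the default facility, until the per-connection reset in the accept path below; that is fine as long as the accept path is the only place libwrap logging is reached, but a comment at the declaration saying the values are set before every `hosts_access()` call would stop someone from "fixing" the missing initializers later.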
 @@ -556,11 +556,7 @@
  			    ctrl = sep->se_fd;
  		    (void) sigblock(SIGBLOCK);
  		    pid = 0;
 -#ifdef LIBWRAP_INTERNAL
 -		    dofork = 1;
 -#else
  		    dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
 -#endif
  		    if (dofork) {
  			    if (sep->se_count++ == 0)
  				(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
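
 Review bot: the Makefile hunk adds `-DLIBWRAP_INTERNAL` to COPTS while this hunk deletes the `#ifdef LIBWRAP_INTERNAL` / `dofork = 1` block, which is the macro's only visible consumer; if nothing else tests it, the new define is dead and should be dropped, otherwise say in the PR what it still gates.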
 @@ -624,21 +620,13 @@
  #endif
  			    if (sep->se_accept
  				&& sep->se_socktype == SOCK_STREAM) {
 -				request_init(&req,
 -				    RQ_DAEMON, sep->se_server_name ?
 -					sep->se_server_name : sep->se_service,
 -					RQ_FILE, ctrl, NULL);
 +				service = sep->se_server_name ?
 +				    sep->se_server_name : sep->se_service;
 +				request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 +				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
 -				if (denied || log) {
 -				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 -				    if (sp == NULL) {
 -					(void)snprintf(buf, sizeof buf, "%d",
 -					   ntohs(sep->se_ctrladdr.sin_port));
 -					service = buf;
 -				    } else
 -					service = sp->s_name;
 -				}
  				if (denied) {
  				    syslog(deny_severity,
  				        "refused connection from %.500s, service %s (%s)",
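
 Review bot: `service` now holds the same string passed as RQ_DAEMON (`se_server_name` or `se_service`), so the "refused connection" line names what hosts.allow actually matched on rather than the port's name from getservbyport(), which addresses the grep-ability point raised earlier in the thread; but `sp` loses its only visible use here, so expect an unused-variable warning under `-Wall` unless it is referenced elsewhere or removed.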
 @@ -746,7 +734,8 @@
  #endif
  				if (sep->se_socktype != SOCK_STREAM)
  					recv(0, buf, sizeof (buf), 0);
 -				_exit(EX_OSERR);
 +				if (dofork)
 +					_exit(EX_OSERR);
  			    }
  		    }
  		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
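
 Review bot: `if (dofork) _exit(EX_OSERR);` turns the failure into a fall-through for the non-forked built-in case, so the parent now continues to the `if (sep->se_accept && sep->se_socktype == SOCK_STREAM)` block below; confirm that the accepted `ctrl` descriptor is closed on that path rather than leaked, and that the failure is still reported, since this point was previously only reached in a child about to exit.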
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 15:07:12 +0100

 > Okay, could you do me a favour and see if you're happy with these diffs.
 > They're a compromise, in that you still have to run inetd -l to log
 > successful connections.
 
 Two problems. First you reset deny_severity and allow_severity after
 calling hosts_access and before calling syslog - this means you clobber
 whatever hosts_access set them to.
 
 Second, with this method all connections are logged twice if you give -l,
 once about line 541 and once after the tcp_wrapper stuff is done. We
 either need to zap this first log line, or make a flag for tcpd style
 logging (-t?).
 
 > You should apply them to clean inetd sources, not whatever we've got so
 > far. :-)
 
 You want diffs for your diffs?  ;-)
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 16:37:38 +0200

 On Wed, 09 Jun 1999 15:07:12 +0100, David Malone wrote:
 
 > Two problems. First you reset deny_severity and allow_severity after
 > calling hosts_access and before calling syslog
 
 Um, I'm pretty sure you've misread the diff.
 
 > Second, with this method all connections are logged twice if you give -l,
 > once about line 541 and once after the tcp_wrapper stuff is done.
 
 I've only just tried it with -l now. :-)
 
 I notice that if I _don't_ specify a severity in hosts.allow, I don't
 receive _any_ message with a stock standard syslog.conf. When I specify
 severity auth.notice in syslog.conf, I only get _one_ message, the one
 generated in the LIBWRAP code at line 637.
 
 What's up?
 
 Ciao,
 Sheldon.
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 16:03:21 +0100

 > > Two problems. First you reset deny_severity and allow_severity after
 > > calling hosts_access and before calling syslog
 > 
 > Um, I'm pretty sure you've misread the diff.
 
 *doh* You're right - it's fine.
 
 > > Second, with this method all connections are logged twice if you give -l,
 > > once about line 541 and once after the tcp_wrapper stuff is done.
 > 
 > I've only just tried it with -l now. :-)
 > 
 > I notice that if I _don't_ specify a severity in hosts.allow, I don't
 > receive _any_ message with a stock standard syslog.conf. When I specify
 > severity auth.notice in syslog.conf, I only get _one_ message, the one
 > generated in the LIBWRAP code at line 637.
 > 
 > What's up?
 
 The other one is logged at daemon.info.
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 17:08:37 +0200

 On Wed, 09 Jun 1999 15:07:12 +0100, David Malone wrote:
 
 > Second, with this method all connections are logged twice if you give -l,
 > once about line 541 and once after the tcp_wrapper stuff is done.
 
 Ah, okay I spot it. I must admit that I would have been comfortable with
 inetd spewing duplicate messages, since they're unlikely to be on the
 same facility.priority.
 
 > We either need to zap this first log line, or make a flag for tcpd
 > style logging (-t?).
 
 Neither, actually. One of the two should always be enabled, depending on
 whether LIBWRAP is defined. Remember, some people are going to want to
 compile out inetd _without_ libwrap support and we should be mindful of
 them.
 
 I suspect that the diff attached will make you _and_ non-wrapping users
 happy. As before, apply to clean sources. Note that this diff contains a
 fix for SIGHUP handling from PR 11860 (courtesy of Masachika ISHIZUKA).
 
 Feedback?
 
 Ciao,
 Sheldon.
 
 Index: usr.sbin/inetd/Makefile
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/Makefile,v
 retrieving revision 1.8
 diff -u -d -r1.8 Makefile
 --- Makefile	1999/05/07 06:48:01	1.8
 +++ Makefile	1999/05/22 13:32:00
 @@ -5,7 +5,7 @@
  MAN8=	inetd.8
  MLINKS=	inetd.8 inetd.conf.5
  
 -COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP
 +COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
  #COPTS+=	-DSANITY_CHECK
  
  DPADD+=	${LIBUTIL} ${LIBWRAP}
 Index: usr.sbin/inetd/inetd.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/inetd.c,v
 retrieving revision 1.49
 diff -u -d -r1.49 inetd.c
 --- inetd.c	1999/05/11 12:50:14	1.49
 +++ inetd.c	1999/06/09 15:04:23
 @@ -146,8 +146,8 @@
  #ifndef LIBWRAP_DENY_SEVERITY
  # define LIBWRAP_DENY_SEVERITY LOG_WARNING
  #endif
 -int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
 -int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +int allow_severity;
 +int deny_severity;
  #endif
  
  #ifdef LOGIN_CAP
 @@ -538,6 +538,7 @@
  				close(ctrl);
  				continue;
  			    }
 +#ifndef LIBWRAP
  			    if (log) {
  				i = sizeof peer;
  				if (getpeername(ctrl, (struct sockaddr *)
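
 Review bot: the `#ifndef LIBWRAP` opened here is closed in the next hunk, and the block it excludes (`i = sizeof peer; ... getpeername(ctrl, ...)`) is the only visible user of the `peer` and `i` locals; in a LIBWRAP build those two become unused and `-Wall` from the Makefile will warn, so their declarations need to move under the same conditional.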
 @@ -552,15 +553,12 @@
  					sep->se_service,
  					inet_ntoa(peer.sin_addr));
  			    }
 +#endif
  		    } else
  			    ctrl = sep->se_fd;
  		    (void) sigblock(SIGBLOCK);
  		    pid = 0;
 -#ifdef LIBWRAP_INTERNAL
 -		    dofork = 1;
 -#else
  		    dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
 -#endif
  		    if (dofork) {
  			    if (sep->se_count++ == 0)
  				(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
 @@ -624,21 +622,13 @@
  #endif
  			    if (sep->se_accept
  				&& sep->se_socktype == SOCK_STREAM) {
 -				request_init(&req,
 -				    RQ_DAEMON, sep->se_server_name ?
 -					sep->se_server_name : sep->se_service,
 -					RQ_FILE, ctrl, NULL);
 +				service = sep->se_server_name ?
 +				    sep->se_server_name : sep->se_service;
 +				request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 +				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
 -				if (denied || log) {
 -				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 -				    if (sp == NULL) {
 -					(void)snprintf(buf, sizeof buf, "%d",
 -					   ntohs(sep->se_ctrladdr.sin_port));
 -					service = buf;
 -				    } else
 -					service = sp->s_name;
 -				}
  				if (denied) {
  				    syslog(deny_severity,
  				        "refused connection from %.500s, service %s (%s)",
 @@ -746,7 +736,8 @@
  #endif
  				if (sep->se_socktype != SOCK_STREAM)
  					recv(0, buf, sizeof (buf), 0);
 -				_exit(EX_OSERR);
 +				if (dofork)
 +					_exit(EX_OSERR);
  			    }
  		    }
  		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
 @@ -911,6 +902,7 @@
  			SWAP(sep->se_class, new->se_class);
  #endif
  			SWAP(sep->se_server, new->se_server);
 +			SWAP(sep->se_server_name, new->se_server_name);
  			for (i = 0; i < MAXARGV; i++)
  				SWAP(sep->se_argv[i], new->se_argv[i]);
  			sigsetmask(omask);
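
 Review bot: swapping `se_server_name` alongside `se_server` on reload closes a gap with the new `service = sep->se_server_name ? ...` line in the accept hunk above, which would otherwise wrap and log under a stale daemon name after SIGHUP; since this is a separate fix (the PR 11860 change mentioned in the text), it deserves its own sentence in the commit message.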
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 17:16:15 +0200

 On Wed, 09 Jun 1999 17:08:37 +0200, Sheldon Hearn wrote:
 
 > I suspect that the diff attached will make you _and_ non-wrapping users
 > happy.
 
 Bugger, it won't make the committers happy at all, since it spews
 warnings for the LIBWRAP case. *grumble*
 
 Sorry about that, corrected patch attached.
 
 Ciao,
 Sheldon.
 
 Index: usr.sbin/inetd/Makefile
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/Makefile,v
 retrieving revision 1.8
 diff -u -d -r1.8 Makefile
 --- Makefile	1999/05/07 06:48:01	1.8
 +++ Makefile	1999/06/09 15:13:53
 @@ -5,7 +5,7 @@
  MAN8=	inetd.8
  MLINKS=	inetd.8 inetd.conf.5
  
 -COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP
 +COPTS+=	-Wall -DLOGIN_CAP -DLIBWRAP -DLIBWRAP_INTERNAL
  #COPTS+=	-DSANITY_CHECK
  
  DPADD+=	${LIBUTIL} ${LIBWRAP}
 Index: usr.sbin/inetd/inetd.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/inetd/inetd.c,v
 retrieving revision 1.49
 diff -u -d -r1.49 inetd.c
 --- inetd.c	1999/05/11 12:50:14	1.49
 +++ inetd.c	1999/06/09 15:13:04
 @@ -146,8 +146,8 @@
  #ifndef LIBWRAP_DENY_SEVERITY
  # define LIBWRAP_DENY_SEVERITY LOG_WARNING
  #endif
 -int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
 -int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +int allow_severity;
 +int deny_severity;
  #endif
  
  #ifdef LOGIN_CAP
 @@ -344,8 +344,6 @@
  	int tmpint, ch, dofork;
  	pid_t pid;
  	char buf[50];
 -	struct  sockaddr_in peer;
 -	int i;
  #ifdef LOGIN_CAP
  	login_cap_t *lc = NULL;
  #endif
 @@ -353,6 +351,9 @@
  	struct request_info req;
  	int denied;
  	char *service = NULL;
 +#else
 +	struct  sockaddr_in peer;
 +	int i;
  #endif
  
  
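
 Review bot: declaring `peer` and `i` only in the `#else` arm of the `#ifdef LIBWRAP` block silences the unused-variable warning for the wrapped build, but it also means a LIBWRAP build now fails to compile instead of warning if `i` is used anywhere else in this function outside the `#ifndef LIBWRAP` region; worth a grep before commit.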
 @@ -538,6 +539,7 @@
  				close(ctrl);
  				continue;
  			    }
 +#ifndef LIBWRAP
  			    if (log) {
  				i = sizeof peer;
  				if (getpeername(ctrl, (struct sockaddr *)
 @@ -552,15 +554,12 @@
  					sep->se_service,
  					inet_ntoa(peer.sin_addr));
  			    }
 +#endif
  		    } else
  			    ctrl = sep->se_fd;
  		    (void) sigblock(SIGBLOCK);
  		    pid = 0;
 -#ifdef LIBWRAP_INTERNAL
 -		    dofork = 1;
 -#else
  		    dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork);
 -#endif
  		    if (dofork) {
  			    if (sep->se_count++ == 0)
  				(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
 @@ -624,21 +623,13 @@
  #endif
  			    if (sep->se_accept
  				&& sep->se_socktype == SOCK_STREAM) {
 -				request_init(&req,
 -				    RQ_DAEMON, sep->se_server_name ?
 -					sep->se_server_name : sep->se_service,
 -					RQ_FILE, ctrl, NULL);
 +				service = sep->se_server_name ?
 +				    sep->se_server_name : sep->se_service;
 +				request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 +				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 +				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
 -				if (denied || log) {
 -				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 -				    if (sp == NULL) {
 -					(void)snprintf(buf, sizeof buf, "%d",
 -					   ntohs(sep->se_ctrladdr.sin_port));
 -					service = buf;
 -				    } else
 -					service = sp->s_name;
 -				}
  				if (denied) {
  				    syslog(deny_severity,
  				        "refused connection from %.500s, service %s (%s)",
 @@ -746,7 +737,8 @@
  #endif
  				if (sep->se_socktype != SOCK_STREAM)
  					recv(0, buf, sizeof (buf), 0);
 -				_exit(EX_OSERR);
 +				if (dofork)
 +					_exit(EX_OSERR);
  			    }
  		    }
  		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
 @@ -911,6 +903,7 @@
  			SWAP(sep->se_class, new->se_class);
  #endif
  			SWAP(sep->se_server, new->se_server);
 +			SWAP(sep->se_server_name, new->se_server_name);
  			for (i = 0; i < MAXARGV; i++)
  				SWAP(sep->se_argv[i], new->se_argv[i]);
  			sigsetmask(omask);
 

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 16:16:56 +0100

 > I suspect that the diff attached will make you _and_ non-wrapping users
 > happy. As before, apply to clean sources. Note that this diff contains a
 > fix for SIGHUP handling from PR 11860 (courtesy of Masachika ISHIZUKA).
 > 
 > Feedback?
 
 Looks good to me.
 
 	David.
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Wed, 09 Jun 1999 17:21:16 +0200

 On Wed, 09 Jun 1999 16:16:56 +0100, David Malone wrote:
 
 > Looks good to me.
 
 Cool. I'm going to create a new PR with this patch on it and close
 your PR along with PR 11860 and PR 11651, pointing to the new PR as
 superseding them.
 
 I'll be sure to mention your name and Masachika ISHIZUKA's in the new
 PR, so don't worry about that. It's just that the man likely to do the
 commit is markm and he'd appreciate a single PR.
 
 Ciao,
 Sheldon.
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Wed Jun 9 08:54:22 PDT 1999 
State-Changed-Why:  
Superseded by PR 12097.
>Unformatted:
