diff options
Diffstat (limited to 'packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist')
-rw-r--r-- | packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist | 151 |
1 files changed, 0 insertions, 151 deletions
diff --git a/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist b/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist deleted file mode 100644 index 0238e35208..0000000000 --- a/packages/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist +++ /dev/null @@ -1,151 +0,0 @@ -Path: news.porcupine.org!news.porcupine.org!not-for-mail -From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl> -Newsgroups: comp.mail.sendmail,comp.security.unix -Subject: TCP Wrapper Blacklist Extension -Followup-To: poster -Date: 8 Sep 1997 18:53:13 -0400 -Organization: Wietse's hangout while on sabattical in the USA -Lines: 147 -Sender: wietse@spike.porcupine.org -Message-ID: <5v1vkp$h4f$1@spike.porcupine.org> -NNTP-Posting-Host: spike.porcupine.org -Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158 - -The patch below adds a new host pattern to the TCP Wrapper access -control language. Instead of a host name or address pattern, you -can specify an external /file/name with host name or address -patterns. The feature can be used recursively. - -The /file/name extension makes it easy to blacklist bad sites, for -example, to block unwanted electronic mail when libwrap is linked -into sendmail. Adding hosts to a simple text file is much easier -than having to edit a more complex hosts.allow/deny file. - -I developed this a year or so ago as a substitute for NIS netgroups. -At that time, I did not consider it of sufficient interest for -inclusion in the TCP Wrapper distribution. How times have changed. - -The patch is relative to TCP Wrappers version 7.6. The main archive -site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz - -Thanks to the Debian LINUX folks for expressing their interest in -this patch. - - Wietse - - -[diff updated by Md] - -diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 ---- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200 -@@ -97,6 +97,13 @@ - `[3ffe:505:2:1::]/64\' matches every address in the range - `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. - .IP \(bu -+A string that begins with a `/\' character is treated as a file -+name. A host name or address is matched if it matches any host name -+or address pattern listed in the named file. The file format is -+zero or more lines with zero or more host name or address patterns -+separated by whitespace. A file name pattern can be used anywhere -+a host name or address pattern can be used. -+.IP \(bu - Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This - method of matching cannot be used in conjunction with `net/mask\' matching, - hostname matching beginning with `.\' or IP address matching ending with `.\'. -diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c ---- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200 -@@ -253,6 +253,26 @@ - } - } - -+/* hostfile_match - look up host patterns from file */ -+ -+static int hostfile_match(path, host) -+char *path; -+struct hosts_info *host; -+{ -+ char tok[BUFSIZ]; -+ int match = NO; -+ FILE *fp; -+ -+ if ((fp = fopen(path, "r")) != 0) { -+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) -+ /* void */ ; -+ fclose(fp); -+ } else if (errno != ENOENT) { -+ tcpd_warn("open %s: %m", path); -+ } -+ return (match); -+} -+ - /* host_match - match host name and/or address against pattern */ - - static int host_match(tok, host) -@@ -280,6 +300,8 @@ - tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ - return (NO); - #endif -+ } else if (tok[0] == '/') { /* /file hack */ -+ return (hostfile_match(tok, host)); - } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ - char *name = eval_hostname(host); - return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); -diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c ---- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200 -+++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200 -@@ -353,6 +353,8 @@ - { - if (pat[0] == '@') { - tcpd_warn("%s: daemon name begins with \"@\"", pat); -+ } else if (pat[0] == '/') { -+ tcpd_warn("%s: daemon name begins with \"/\"", pat); - } else if (pat[0] == '.') { - tcpd_warn("%s: daemon name begins with dot", pat); - } else if (pat[strlen(pat) - 1] == '.') { -@@ -385,6 +387,8 @@ - { - if (pat[0] == '@') { /* @netgroup */ - tcpd_warn("%s: user name begins with \"@\"", pat); -+ } else if (pat[0] == '/') { -+ tcpd_warn("%s: user name begins with \"/\"", pat); - } else if (pat[0] == '.') { - tcpd_warn("%s: user name begins with dot", pat); - } else if (pat[strlen(pat) - 1] == '.') { -@@ -430,8 +434,13 @@ - static int check_host(pat) - char *pat; - { -+ char buf[BUFSIZ]; - char *mask; - int addr_count = 1; -+ FILE *fp; -+ struct tcpd_context saved_context; -+ char *cp; -+ char *wsp = " \t\r\n"; - - if (pat[0] == '@') { /* @netgroup */ - #ifdef NO_NETGRENT -@@ -450,6 +459,21 @@ - tcpd_warn("netgroup support disabled"); - #endif - #endif -+ } else if (pat[0] == '/') { /* /path/name */ -+ if ((fp = fopen(pat, "r")) != 0) { -+ saved_context = tcpd_context; -+ tcpd_context.file = pat; -+ tcpd_context.line = 0; -+ while (fgets(buf, sizeof(buf), fp)) { -+ tcpd_context.line++; -+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) -+ check_host(cp); -+ } -+ tcpd_context = saved_context; -+ fclose(fp); -+ } else if (errno != ENOENT) { -+ tcpd_warn("open %s: %m", pat); -+ } - } else if (mask = split_at(pat, '/')) { /* network/netmask */ - #ifdef INET6 - int mask_len; |