Message-Id: <199903111947.LAA63240@burka.rdy.com>
Subject: Re: cvs commit: ports/security/portmap_tcpd - Imported sources
In-Reply-To: <19990311143652.A60155@ehlo.com> from James FitzGibbon at "Mar 11, 1999 2:36:52 pm"
To: james@ehlo.com (James FitzGibbon)
Date: Thu, 11 Mar 1999 11:47:48 -0800 (PST)
Cc: dima@best.net, jfitz@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

James FitzGibbon writes:
> * Dima Ruban (dima@best.net) [990311 13:15]:
>
> Damn, I should have checked that before proceeding.  I read the manpage for
> portmap and found no mention of access control, but didn't think to check
> the source.
>
> I have to wonder what the point of having it in there without any
> documentation is though.  We don't have libwrap in the main source tree, so
> to get the "protected" portmapper, you have to install, then install
> libwrap, then re-make the portmapper.  "-DHOSTS_ACCESS" is even commented
> out in the Makefile for portmap.
>
> The problem I see with "optional" features like this is that it requires the
> user to remember to make local changes to the source tree before they make
> world.  If they forget to do that, they end up with the non-protected
> version of portmap, which left unnoticed could represent a security risk.

Why would you need to modify your local source tree?
You can modify /etc/make.conf (or /etc/make.conf.local - whichever you'd
prefer).

> Any ideas as to how best to handle this?  I can easily remove the port
> (actually, at this point it makes more sense to just have one of the
> repository masters nuke it entirely), but it doesn't make it any easier for
> users to get a copy of portmap linked against libwrap.

You can do something like this (as an addition to make.conf.local)

.if ${.CURDIR} == /usr/src/usr.sbin/portmap && exists(/usr/local/lib/libwrap.a)
CFLAGS+=-DHOSTS_ACCESS
LDADD+= -L/usr/local/lib -lwrap
.endif

And as for a port - ask cvs maintainers to nuke it :-)

>
> --
> j.
>
> James FitzGibbon                                           james@ehlo.com
> EHLO Solutions                                     Voice/Fax (416)410-0100
>

-- dima
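
An added check, not part of the original message: because the make.conf.local block is guarded by exists(), a missing /usr/local/lib/libwrap.a makes make skip it without any message and build the unprotected portmap. The function name portmap_wrap_status and its status words are hypothetical, and it only inspects the text of the config file; it does not evaluate the condition the way make does.

```shell
#!/bin/sh
# Added example: pre-build check for the make.conf.local approach in the
# message above. Both paths are parameters; the defaults are the paths the
# message uses. Usage (hypothetical):
#   portmap_wrap_status && make -C /usr/src/usr.sbin/portmap

# Prints one status word; returns 0 only when a libwrap build is expected.
portmap_wrap_status() {
    conf=${1:-/etc/make.conf.local}
    lib=${2:-/usr/local/lib/libwrap.a}

    if [ ! -r "$conf" ]; then
        echo "no-conf"; return 1
    fi

    # Drop comment lines so a commented-out -DHOSTS_ACCESS does not count.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # Both halves are needed: the define enables the access-control code,
    # the LDADD entry links the library that implements it.
    if ! printf '%s\n' "$active" | grep -q -e '-DHOSTS_ACCESS'; then
        echo "not-configured"; return 1
    fi
    if ! printf '%s\n' "$active" | grep -q -e '-lwrap'; then
        echo "not-linked"; return 1
    fi

    # The .if guard uses exists(): without the archive the whole block is
    # skipped silently, which is the unnoticed fallback raised in the thread.
    if [ ! -f "$lib" ]; then
        echo "libwrap-missing"; return 1
    fi

    echo "wrapped"; return 0
}
```

Running it before a world build turns the silent fallback into a visible failure when libwrap has not been installed yet.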