Date:      Thu, 11 Mar 1999 11:47:48 -0800 (PST)
From:      dima@best.net (Dima Ruban)
To:        james@ehlo.com (James FitzGibbon)
Cc:        dima@best.net, jfitz@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: ports/security/portmap_tcpd - Imported sources
Message-ID:  <199903111947.LAA63240@burka.rdy.com>
In-Reply-To: <19990311143652.A60155@ehlo.com> from James FitzGibbon at "Mar 11, 1999  2:36:52 pm"

James FitzGibbon writes:
> * Dima Ruban (dima@best.net) [990311 13:15]:
> 
> Damn, I should have checked that before proceeding.  I read the manpage for
> portmap and found no mention of access control, but didn't think to check
> the source.
> 
> I have to wonder what the point of having it in there without any
> documentation is though.  We don't have libwrap in the main source tree, so
> to get the "protected" portmapper, you have to install, then install
> libwrap, then re-make the portmapper.  "-DHOSTS_ACCESS" is even commented
> out in the Makefile for portmap.
> 
> The problem I see with "optional" features like this is that it requires the
> user to remember to make local changes to the source tree before they make
> world.  If they forget to do that, they end up with the non-protected
> version of portmap, which left unnoticed could represent a security risk.

Why would you need to modify your local source tree?
You can modify /etc/make.conf (or /etc/make.conf.local - whichever you'd
prefer).

> Any ideas as to how best to handle this?  I can easily remove the port
> (actually, at this point it makes more sense to just have one of the
> repository masters nuke it entirely), but it doesn't make it any easier for
> users to get a copy of portmap linked against libwrap.

You can do something like this (as an addition to make.conf.local):
.if ${.CURDIR} == /usr/src/usr.sbin/portmap && exists(/usr/local/lib/libwrap.a)
CFLAGS+=-DHOSTS_ACCESS
LDADD+= -L/usr/local/lib -lwrap
.endif

And as for a port - ask cvs maintainers to nuke it :-)

> 
> -- 
> j.
> 
> James FitzGibbon                                                james@ehlo.com
> EHLO Solutions                                         Voice/Fax (416)410-0100
> 

-- dima

