From: Vincent Poy
To: current@FreeBSD.ORG
Date: Wed, 2 Jul 2003 15:29:18 -1000 (HST)
Message-ID: <20030702150751.F3146-100000@oahu.WURLDLINK.NET>
Subject: src/libexec/tcpd doesn't work correctly with -DPROCESS_OPTIONS

Greetings:

In -CURRENT, the Makefile in /usr/src/libexec/tcpd doesn't have the -DPROCESS_OPTIONS which, according to the hosts_access(5) manpage, is needed for things such as banners in tcp_wrappers to work.

From hosts_access(5):

       An extended version of the access control language is described in
       the hosts_options(5) document. The extensions are turned on at
       program build time by building with -DPROCESS_OPTIONS.

In hosts_options(5):

       banners /some/directory
              Look for a file in `/some/directory' with the same name as
              the daemon process (for example in.telnetd for the telnet
              service), and copy its contents to the client. Newline
              characters are replaced by carriage-return newline, and %
              sequences are expanded (see the hosts_access(5) manual page).

              The tcp wrappers source code distribution provides a sample
              makefile (Banners.Makefile) for convenient banner maintenance.

              Warning: banners are supported for connection-oriented (TCP)
              network services only.

As an example, in /etc/hosts.allow, I have the following line:

       telnet  stream  tcp  nowait  root  /usr/libexec/tcpd  /usr/libexec/telnetd

With the tcp_wrappers port binary from a few years ago, it would do the following:

       Welcome [unknown@adsl-208-201-244-226.sonic.net] to ...

       ________ _____ _________ ______ _______ __________________________ ___ __ \___ | / /___ |___ / __ __ \__ ____/____ _/__ ____/ __ / / /__ |/ / __ /| |__ / _ / / /_ / __ __ / _ / _ /_/ / _ /| / _ ___ |_ /___/ /_/ / / /_/ / __/ / / /___ /_____/ /_/ |_/ /_/ |_|/_____/\____/ \____/ /___/ \____/ .NET

       [ bigbang.DNALOGIC.NET ]
       DNA Logic Corporation - http://www.DNALOGIC.NET
       San Francisco, California USA

       For assistance or information please e-mail root@bigbang.DNALOGIC.NET

       FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

       login:

That binary works, but for anything not defined in hosts.allow it would completely skip the banner and give them the login prompt rather than not allow them to make it to the telnetd daemon like before. The tcpd built by -CURRENT does work correctly, but the banners support is not enabled by default.

In /usr/src/libexec/tcpd/Makefile:

       CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
               -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
               -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
               -DFACILITY=LOG_DAEMON

In /usr/src/contrib/tcp_wrappers/README, sections 4.5 and 4.7 mention:

       4.5 - Language extensions
       -------------------------

       The wrappers sport only a limited number of features. This is for a
       good reason: programs that run at high privilege levels must be easy
       to verify. And the smaller a program, the easier to verify.

       There is, however, a provision to add features. The options.c module
       provides a framework for language extensions. Quite a few extensions
       have already been implemented; they are documented in the
       hosts_options.5 document, which is in `nroff -man' format. Examples:
       changing the severity level at which a request for service is logged;
       "allow" and "deny" keywords; running a customized server instead of
       the standard one; many others.

       The language extensions are not enabled by default because they
       introduce an incompatible change to the access control language
       syntax. Instructions to enable the extensions are given in the
       Makefile.

       4.7 - Banner messages
       ---------------------

       Some sites are required to present an informational message to users
       before they attempt to login. Banner messages can also be useful when
       denying service: instead of simply dropping the connection a polite
       explanation is given first. Finally, banners can be used to give your
       system a more personal touch.

       The wrapper software provides easy-to-use tools to generate pre-login
       banners for ftp, telnet, rlogin etc. from a single prototype banner
       textfile. Details on banners and on-the-fly % expansions are given in
       the hosts_options.5 manual page (`nroff -man' format). An example is
       given in the file Banners.Makefile.

       In order to support banner messages the wrappers have to be built
       with language extensions enabled. See the section on language
       extensions.

In /usr/src/contrib/tcp_wrappers/Makefile, it mentions that -DPROCESS_OPTIONS is needed for language extensions:

       ###########################################
       # Optional: Turning on language extensions
       #
       # Instead of the default access control language that is documented in
       # the hosts_access.5 document, the wrappers can be configured to
       # implement an extensible language documented in the hosts_options.5
       # document.  This language is implemented by the "options.c" source
       # module, which also gives hints on how to add your own extensions.
       # Uncomment the next definition to turn on the language extensions
       # (examples: allow, deny, banners, twist and spawn).
       #
       #STYLE  = -DPROCESS_OPTIONS      # Enable language extensions.

So in /usr/src/libexec/tcpd/Makefile, I added -DPROCESS_OPTIONS:

       CFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" \
               -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 \
               -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
               -DFACILITY=LOG_DAEMON \
               -DPROCESS_OPTIONS

However, -DPROCESS_OPTIONS seems to have no effect after I replaced the tcpd and restarted inetd. When one telnets in, it just goes to telnetd directly without going through the banners, even though it denies access to those not defined in /etc/hosts.allow:

       FreeBSD/i386 (bigbang.DNALOGIC.NET) (ttypb)

       login:

Cheers,
Vince - vince@WURLDLINK.NET - Vice President                 ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free     / / / / |  / |[__  ]
WurldLink Corporation                                      / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                      / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin     /_/_/_/_/|___/|_|[____]
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
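An added worked example, not part of Vince's message and not code from the tcp_wrappers sources: a small Python rendering of what the `banners /some/directory` option quoted from hosts_options(5) above does to a banner file (file named after the daemon process, % sequences from hosts_access(5) expanded, each newline sent as carriage-return newline). The connection values, the sample addresses, the banner directory named in the comment and the underscore replacement set are all constructed or assumed, not taken from the message.

```python
"""Render a tcp_wrappers pre-login banner as hosts_options(5) describes.

Added illustration, not tcpd's own code.  `banners /some/directory` makes
tcpd look for a file named after the daemon process, copy it to the client
with every newline turned into CR LF, and expand the % sequences listed in
hosts_access(5).  The request values below are constructed samples.
"""
import os
import tempfile

# A hosts.allow rule in the extended syntax that would trigger this (example
# configuration, not from the original message; banner directory is assumed):
#
#   telnetd : ALL : banners /usr/local/etc/banners : allow
#
# The daemon name is the last path component of the server's argv[0], so
# /usr/libexec/telnetd is looked up as "telnetd" in the banner directory.

UNKNOWN = "unknown"

# What tcpd would know about one connection (constructed sample values).
SAMPLE_REQUEST = {
    "daemon": "telnetd",
    "pid": 51073,
    "client_name": "adsl-208-201-244-226.sonic.net",
    "client_addr": "208.201.244.226",
    "client_user": UNKNOWN,            # no usable RFC 931 (ident) answer
    "server_name": "bigbang.DNALOGIC.NET",
    "server_addr": "192.0.2.10",       # documentation address, constructed
}

# hosts_access(5) says characters in % expansions that could confuse a shell
# are replaced by underscores.  tcpd's exact character list is not reproduced
# here; this allow-list is an assumption that keeps host names and user@host
# intact.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@.-_:/")


def sanitize(value):
    return "".join(ch if ch in SAFE else "_" for ch in str(value))


def expand(template, req):
    """Expand the hosts_access(5) % sequences in `template` for request `req`."""
    client_host = req["client_name"] or req["client_addr"]   # %h: name, else address
    server_host = req["server_name"] or req["server_addr"]   # %H
    user = req["client_user"] or UNKNOWN                      # %u
    table = {
        "a": req["client_addr"], "A": req["server_addr"],
        # %c: user@host when the user name is known, otherwise just the host
        "c": f"{user}@{client_host}" if user != UNKNOWN else client_host,
        "d": req["daemon"],
        "h": client_host, "H": server_host,
        "n": req["client_name"] or UNKNOWN, "N": req["server_name"] or UNKNOWN,
        "p": str(req["pid"]),
        "s": f"{req['daemon']}@{server_host}",                # %s: daemon@host
        "u": user,
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            i += 2
            if key == "%":
                out.append("%")                  # %% is a literal percent sign
            elif key in table:
                out.append(sanitize(table[key]))
            else:
                out.append("%" + key)            # unrecognised sequence kept as-is (assumption)
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def banner_for(banner_dir, req):
    """Return the text tcpd would copy to the client, or None without a banner file."""
    path = os.path.join(banner_dir, req["daemon"])
    if not os.path.isfile(path):
        return None          # no file for this daemon: nothing is sent
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    # expand the % sequences, then send each newline as CR LF
    return expand(text, req).replace("\n", "\r\n")


# Banner prototype modelled on the output quoted in the message (constructed).
BANNER_TEMPLATE = (
    "Welcome [%u@%h] to %H\n"
    "For assistance or information please e-mail root@%H\n"
)


def demo():
    """Write the sample banner into a scratch directory and render it."""
    with tempfile.TemporaryDirectory() as banner_dir:
        with open(os.path.join(banner_dir, SAMPLE_REQUEST["daemon"]), "w",
                  encoding="ascii") as fh:
            fh.write(BANNER_TEMPLATE)
        return banner_for(banner_dir, SAMPLE_REQUEST)


if __name__ == "__main__":
    print(demo(), end="")
```

Running it prints the two banner lines a telnet client would receive before the login prompt, with CR LF line endings. The rule in the comment uses the extended syntax (`allow`/`deny` keywords, `banners` option) that hosts_options(5) documents; in that syntax the `allow` or `deny` keyword has to be the last item of the rule, so any `banners` option goes before it.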