new file mode 100644

@@ -0,0 +1,98 @@

+Summary:	Kernel Audit Tool

+Name:		audit

+Version:	2.4.4

+Release:	1%{?dist}

+Source0:	http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz

+%define sha1 audit=ad38f3352e21716e86d73b4e06cc41a5e85882ee

+License:	GPLv2+

+Group:		System Environment/Security

+URL:		http://people.redhat.com/sgrubb/audit/

+Vendor:		VMware, Inc.

+Distribution:	Photon

+BuildRequires:	python2-devel

+BuildRequires:	python2-libs

+BuildRequires:	krb5

+BuildRequires:	openldap

+BuildRequires:	go

+BuildRequires:	tcp_wrappers-devel

+BuildRequires:	libcap-ng-devel

+BuildRequires:	swig

+Requires:	krb5

+Requires:	openldap

+Requires:	python2

+Requires:	tcp_wrappers

+Requires:	libcap-ng

+

+%description

+The audit package contains the user space utilities for

+storing and searching the audit records generate by

+the audit subsystem in the Linux 2.6 kernel.

+

+%package devel

+Summary:	The libraries and header files needed for audit development.

+Requires: 	%{name} = %{version}-%{release}

+

+%description devel

+The libraries and header files needed for audit development.

+

+%prep

+%setup -q

+

+%build

+./configure \

+	--prefix=%{_prefix} \

+	--exec_prefix=/usr \

+	--sbindir=%{_sbindir} \

+	--libdir=%{_libdir} \

+	--sysconfdir=%{_sysconfdir} \

+	--with-python=yes \

+	--without-python3 \

+        --with-libwrap \

+	--enable-gssapi-krb5=yes \

+        --with-libcap-ng=yes \

+	--with-aarch64 \

+        --enable-zos-remote \

+	--with-golang \

+	--enable-systemd

+

+make %{?_smp_mflags}

+

+%install

+make install DESTDIR=%{buildroot}

+

+%post

+/sbin/ldconfig

+%systemd_post auditd.service

+

+%preun

+%systemd_preun auditd.service

+

+%postun

+/sbin/ldconfig

+

+%files 

+%defattr(-,root,root)

+%{_bindir}/*

+%{_sbindir}/*

+%{_libdir}/*.so.*

+%{_libdir}/*.a

+%{_libdir}/*.la

+%{_libdir}/python*/*

+%{_libdir}/golang/*

+%{_libdir}/systemd/system/auditd.service

+%{_libexecdir}/*

+%{_mandir}/man3/*

+%{_mandir}/man5/*

+%{_mandir}/man7/*

+%{_mandir}/man8/*

+%{_sysconfdir}/*

+

+%files devel

+%defattr(-,root,root)

+%{_libdir}/*.so

+%{_libdir}/pkgconfig/*.pc

+%{_includedir}/*.h

+

+%changelog

+* Fri Aug 28 2015 Divya Thaluru <dthaluru@vmware.com> 2.4.4-1

+- Initial version

new file mode 100644

@@ -0,0 +1,60 @@

+Summary:	POSIX capability Library

+Name:		libcap-ng

+Version:	0.7.7

+Release:	1%{?dist}

+License: 	LGPLv2+

+Group: 		System Environment/Libraries

+URL: 		http://people.redhat.com/sgrubb/libcap-ng

+Source0: 	http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz

+%define sha1 libcap-ng=de8ea2c89cb1506a578de7cb032da34c970dd035

+BuildRequires:	python2-devel

+BuildRequires:	python2-libs

+Requires:	python2

+

+%description

+The libcap-ng library is intended to make programming with posix capabilities much easier than the traditional libcap library. It includes utilities that can analyse all currently running applications and print out any capabilities and whether or not it has an open ended bounding set. An open bounding set without the securebits "NOROOT" flag will allow full capabilities escalation for apps retaining uid 0 simply by calling execve.

+

+%package devel

+Summary:	The libraries and header files needed for libcap-ng development.

+Requires: 	%{name} = %{version}-%{release}

+

+%description devel

+The libraries and header files needed for libcap_ng development.

+

+%prep

+%setup -q

+

+%build

+./configure \

+	--prefix=%{_prefix} \

+	--libdir=%{_libdir} \

+	--with-python \

+	--without-python3

+

+make %{?_smp_mflags}

+%install

+make DESTDIR=%{buildroot} install 

+

+%post	-p /sbin/ldconfig

+%postun	-p /sbin/ldconfig

+

+%files

+%defattr(-, root, root)

+%{_libdir}/*.so.*

+%{_libdir}/*.a

+%{_libdir}/*.la

+%{_bindir}/*

+%{_mandir}/man3/*

+%{_mandir}/man8/*

+%{_datadir}/aclocal/*.m4

+

+%files devel

+%defattr(-, root, root)

+%{_libdir}/*.so

+%{_libdir}/pkgconfig/*.pc

+%{_includedir}/*.h

+

+%changelog

+* 	Fri Aug 28 2015 Divya Thaluru <dthaluru@vmware.com> 0.7.7-1

+- 	Initial version

+

new file mode 100644

@@ -0,0 +1,1035 @@

+Submitted By: Tushar Teredesai <tushar@linuxfromscratch.org>

+Date: 2003-10-04

+Initial Package Version: 7.6

+Origin: http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2003-January/001960.html

+Description: The patch was created from the tcp_wrappers modified package by Mark Heerdink.

+This patch provides the following improvements:

+    * Install libwrap.so along with libwrap.a.

+    * Create an install target for tcp_wrappers.

+    * Compilation and security fixes.

+    * Documentation fixes.

+diff -Naur tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.gimli/Makefile

+--- tcp_wrappers_7.6/Makefile	1997-03-21 12:27:21.000000000 -0600

+@@ -1,5 +1,10 @@

++GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)

++

+ # @(#) Makefile 1.23 97/03/21 19:27:20

+ 

++# unset the HOSTNAME environment variable

++HOSTNAME =

++

+ what:

+ 	@echo

+ 	@echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"

+@@ -19,7 +24,7 @@

+ 	@echo "	generic (most bsd-ish systems with sys5 compatibility)"

+ 	@echo "	386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"

+ 	@echo "	dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"

+-	@echo "	linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"

++	@echo "	linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"

+ 	@echo "	ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"

+ 	@echo "	sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"

+ 	@echo "	uts215 uxp"

+@@ -43,8 +48,8 @@

+ # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx

+ #REAL_DAEMON_DIR=/usr/etc

+ #

+-# SysV.4 Solaris 2.x OSF AIX

+-#REAL_DAEMON_DIR=/usr/sbin

++# SysV.4 Solaris 2.x OSF AIX Linux

++REAL_DAEMON_DIR=/usr/sbin

+ #

+ # BSD 4.4

+ #REAL_DAEMON_DIR=/usr/libexec

+@@ -141,10 +146,21 @@

+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \

+ 	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all

+ 

++ifneq ($(GLIBC),0)

++MYLIB=-lnsl

++endif

++

+ linux:

+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \

+-	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \

+-	NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all

++	LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \

++	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \

++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"

++

++gnu:

++	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \

++	LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \

++	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \

++	EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"

+ 

+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.

+ hpux hpux8 hpux9 hpux10:

+@@ -391,7 +407,7 @@

+ # the ones provided with this source distribution. The environ.c module

+ # implements setenv(), getenv(), and putenv().

+ 

+-AUX_OBJ= setenv.o

++#AUX_OBJ= setenv.o

+ #AUX_OBJ= environ.o

+ #AUX_OBJ= environ.o strcasecmp.o

+ 

+@@ -454,7 +470,8 @@

+ # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work

+ # around this. The workaround does no harm on other Solaris versions.

+ 

+-BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK

++BUGS =

++#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK

+ #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG

+ #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG

+ 

+@@ -464,7 +481,7 @@

+ # If your system supports NIS or YP-style netgroups, enable the following

+ # macro definition. Netgroups are used only for host access control.

+ #

+-#NETGROUP= -DNETGROUP

++NETGROUP= -DNETGROUP

+ 

+ ###############################################################

+ # System dependencies: whether or not your system has vsyslog()

+@@ -491,7 +508,7 @@

+ # Uncomment the next definition to turn on the language extensions

+ # (examples: allow, deny, banners, twist and spawn).

+ # 

+-#STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.

++STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.

+ 

+ ################################################################

+ # Optional: Changing the default disposition of logfile records

+@@ -514,7 +531,7 @@

+ #

+ # The LOG_XXX names below are taken from the /usr/include/syslog.h file.

+ 

+-FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use

++FACILITY= LOG_DAEMON	# LOG_MAIL is what most sendmail daemons use

+ 

+ # The syslog priority at which successful connections are logged.

+ 

+@@ -610,7 +627,7 @@

+ # Paranoid mode implies hostname lookup. In order to disable hostname

+ # lookups altogether, see the next section.

+ 

+-PARANOID= -DPARANOID

++#PARANOID= -DPARANOID

+ 

+ ########################################

+ # Optional: turning off hostname lookups

+@@ -623,7 +640,7 @@

+ # In order to perform selective hostname lookups, disable paranoid

+ # mode (see previous section) and comment out the following definition.

+ 

+-HOSTNAME= -DALWAYS_HOSTNAME

++#HOSTNAME= -DALWAYS_HOSTNAME

+ 

+ #############################################

+ # Optional: Turning on host ADDRESS checking

+@@ -649,28 +666,46 @@

+ # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,

+ # Solaris 2.x, and Linux. See your system documentation for details.

+ #

+-# KILL_OPT= -DKILL_IP_OPTIONS

++KILL_OPT= -DKILL_IP_OPTIONS

+ 

+ ## End configuration options

+ ############################

+ 

+ # Protection against weird shells or weird make programs.

+ 

++CC	= gcc

+ SHELL	= /bin/sh

+-.c.o:;	$(CC) $(CFLAGS) -c $*.c

++.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $*.c

++

++SOMAJOR = 0

++SOMINOR = 7.6

++

++LIB	= libwrap.a

++SHLIB	= shared/libwrap.so.$(SOMAJOR).$(SOMINOR)

++SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)

++SHLIBSO	= shared/libwrap.so

++SHLIBFLAGS = -Lshared -lwrap

+ 

+-CFLAGS	= -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \

++shared/%.o: %.c

++	$(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@

++

++CFLAGS	= -O2 -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \

+ 	$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \

+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \

+ 	-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \

+ 	$(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \

+ 	$(VSYSLOG) $(HOSTNAME)

+ 

++SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)

++SHCFLAGS = -fPIC -shared -D_REENTRANT

++

+ LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \

+ 	hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \

+ 	$(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \

+ 	update.o misc.o diag.o percent_m.o myvsyslog.o

+ 

++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));

++

+ FROM_OBJ= fromhost.o

+ 

+ KIT	= README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \

+@@ -684,46 +719,80 @@

+ 	refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \

+ 	scaffold.h tcpdmatch.8 README.NIS

+ 

+-LIB	= libwrap.a

+-

+-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk

++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)

+ 

+ # Invalidate all object files when the compiler options (CFLAGS) have changed.

+ 

+ config-check:

+ 	@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }

+-	@set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \

+-	if cmp cflags /tmp/cflags.$$$$ ; \

+-	then rm /tmp/cflags.$$$$ ; \

+-	else mv /tmp/cflags.$$$$ cflags ; \

++	@set +e; echo $(CFLAGS) >cflags.new ; \

++	if cmp cflags cflags.new ; \

++	then rm cflags.new ; \

++	else mv cflags.new cflags ; \

+ 	fi >/dev/null 2>/dev/null

++	@if [ ! -d shared ]; then mkdir shared; fi

+ 

+ $(LIB):	$(LIB_OBJ)

+ 	rm -f $(LIB)

+ 	$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)

+ 	-$(RANLIB) $(LIB)

+ 

+-tcpd:	tcpd.o $(LIB)

+-	$(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)

++$(SHLIB): $(SHLIB_OBJ)

++	rm -f $(SHLIB)

++	$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)

++	ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)

++	ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)

++

++tcpd:	tcpd.o $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)

+ 

+-miscd:	miscd.o $(LIB)

+-	$(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)

++miscd:	miscd.o $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)

+ 

+-safe_finger: safe_finger.o $(LIB)

+-	$(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)

++safe_finger: safe_finger.o $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)

+ 

+ TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o

+ 

+-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)

+-	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)

++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)

+ 

+-try-from: try-from.o fakelog.o $(LIB)

+-	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)

++try-from: try-from.o fakelog.o $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)

+ 

+ TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o

+ 

+-tcpdchk: $(TCPDCHK_OBJ) $(LIB)

+-	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)

++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)

++	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)

++

++install: install-lib install-bin install-dev

++

++install-lib:

++	install -o root -g root -m 0755 $(SHLIB) ${DESTDIR}/usr/lib/

++	ln -sf $(notdir $(SHLIB)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSOMAJ))

++	ln -sf $(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))

++

++install-bin:

++	install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/

++	install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/

++	install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/

++	install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/

++	install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/

++	install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/

++	install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/

++	install -o root -g root -m 0644 try-from.8 ${DESTDIR}/usr/share/man/man8/

++	install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/

++	install -o root -g root -m 0644 safe_finger.8 ${DESTDIR}/usr/share/man/man8/

++	install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/

++	install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/

++

++install-dev:

++	install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/

++	install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/

++	install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/

++	ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3

++	ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3

++	ln -sf hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3

+ 

+ shar:	$(KIT)

+ 	@shar $(KIT)

+@@ -739,7 +808,8 @@

+ 

+ clean:

+ 	rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \

+-	cflags

++	cflags libwrap*.so*

++	rm -rf shared

+ 

+ tidy:	clean

+ 	chmod -R a+r .

+@@ -885,5 +955,6 @@

+ update.o: mystdarg.h

+ update.o: tcpd.h

+ vfprintf.o: cflags

++weak_symbols.o: tcpd.h

+ workarounds.o: cflags

+ workarounds.o: tcpd.h

+diff -Naur tcp_wrappers_7.6/fix_options.c tcp_wrappers_7.6.gimli/fix_options.c

+--- tcp_wrappers_7.6/fix_options.c	1997-04-07 19:29:19.000000000 -0500

+@@ -35,7 +35,12 @@

+ #ifdef IP_OPTIONS

+     unsigned char optbuf[BUFFER_SIZE / 3], *cp;

+     char    lbuf[BUFFER_SIZE], *lp;

++#if !defined(__GLIBC__)

+     int     optsize = sizeof(optbuf), ipproto;

++#else /* __GLIBC__ */

++    size_t  optsize = sizeof(optbuf);

++    int     ipproto;

++#endif /* __GLIBC__ */

+     struct protoent *ip;

+     int     fd = request->fd;

+     unsigned int opt;

+diff -Naur tcp_wrappers_7.6/hosts_access.3 tcp_wrappers_7.6.gimli/hosts_access.3

+--- tcp_wrappers_7.6/hosts_access.3	1996-02-11 10:01:27.000000000 -0600

+@@ -3,7 +3,7 @@

+ hosts_access, hosts_ctl, request_init, request_set \- access control library

+ .SH SYNOPSIS

+ .nf

+-#include "tcpd.h"

++#include <tcpd.h>

+ 

+ extern int allow_severity;

+ extern int deny_severity;

+diff -Naur tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.gimli/hosts_access.5

+--- tcp_wrappers_7.6/hosts_access.5	1995-01-30 12:51:47.000000000 -0600

+@@ -8,9 +8,9 @@

+ impatient reader is encouraged to skip to the EXAMPLES section for a

+ quick introduction.

+ .PP

+-An extended version of the access control language is described in the

+-\fIhosts_options\fR(5) document. The extensions are turned on at

+-program build time by building with -DPROCESS_OPTIONS.

++The extended version of the access control language is described in the

++\fIhosts_options\fR(5) document. \fBNote that this language supersedes

++the meaning of \fIshell_command\fB as documented below.\fR

+ .PP

+ In the following text, \fIdaemon\fR is the the process name of a

+ network daemon process, and \fIclient\fR is the name and/or address of

+@@ -40,7 +40,7 @@

+ character. This permits you to break up long lines so that they are

+ easier to edit.

+ .IP \(bu

+-Blank lines or lines that begin with a `#\' character are ignored.

++Blank lines or lines that begin with a `#' character are ignored.

+ This permits you to insert comments and whitespace so that the tables

+ are easier to read.

+ .IP \(bu

+@@ -69,26 +69,33 @@

+ .SH PATTERNS

+ The access control language implements the following patterns:

+ .IP \(bu

+-A string that begins with a `.\' character. A host name is matched if

++A string that begins with a `.' character. A host name is matched if

+ the last components of its name match the specified pattern.  For

+-example, the pattern `.tue.nl\' matches the host name

+-`wzv.win.tue.nl\'.

++example, the pattern `.tue.nl' matches the host name

++`wzv.win.tue.nl'.

+ .IP \(bu

+-A string that ends with a `.\' character. A host address is matched if

++A string that ends with a `.' character. A host address is matched if

+ its first numeric fields match the given string.  For example, the

+-pattern `131.155.\' matches the address of (almost) every host on the

++pattern `131.155.' matches the address of (almost) every host on the

+ Eind\%hoven University network (131.155.x.x).

+ .IP \(bu

+-A string that begins with an `@\' character is treated as an NIS

++A string that begins with an `@' character is treated as an NIS

+ (formerly YP) netgroup name. A host name is matched if it is a host

+ member of the specified netgroup. Netgroup matches are not supported

+ for daemon process names or for client user names.

+ .IP \(bu

+-An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a

+-`net/mask\' pair. A host address is matched if `net\' is equal to the

+-bitwise AND of the address and the `mask\'. For example, the net/mask

+-pattern `131.155.72.0/255.255.254.0\' matches every address in the

+-range `131.155.72.0\' through `131.155.73.255\'.

++An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a

++`net/mask' pair. A host address is matched if `net' is equal to the

++bitwise AND of the address and the `mask'. For example, the net/mask

++pattern `131.155.72.0/255.255.254.0' matches every address in the

++range `131.155.72.0' through `131.155.73.255'.

++.IP \(bu

++A string that begins with a `/' character is treated as a file

++name. A host name or address is matched if it matches any host name

++or address pattern listed in the named file. The file format is

++zero or more lines with zero or more host name or address patterns

++separated by whitespace.  A file name pattern can be used anywhere

++a host name or address pattern can be used.

+ .SH WILDCARDS

+ The access control language supports explicit wildcards:

+ .IP ALL

+@@ -115,19 +122,19 @@

+ .ne 6

+ .SH OPERATORS

+ .IP EXCEPT

+-Intended use is of the form: `list_1 EXCEPT list_2\'; this construct

++Intended use is of the form: `list_1 EXCEPT list_2'; this construct

+ matches anything that matches \fIlist_1\fR unless it matches

+ \fIlist_2\fR.  The EXCEPT operator can be used in daemon_lists and in

+ client_lists. The EXCEPT operator can be nested: if the control

+-language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'

+-would parse as `(a EXCEPT (b EXCEPT c))\'.

++language would permit the use of parentheses, `a EXCEPT b EXCEPT c'

++would parse as `(a EXCEPT (b EXCEPT c))'.

+ .br

+ .ne 6

+ .SH SHELL COMMANDS

+ If the first-matched access control rule contains a shell command, that

+ command is subjected to %<letter> substitutions (see next section).

+ The result is executed by a \fI/bin/sh\fR child process with standard

+-input, output and error connected to \fI/dev/null\fR.  Specify an `&\'

++input, output and error connected to \fI/dev/null\fR.  Specify an `&'

+ at the end of the command if you do not want to wait until it has

+ completed.

+ .PP

+@@ -159,7 +166,7 @@

+ .IP %u

+ The client user name (or "unknown").

+ .IP %%

+-Expands to a single `%\' character.

++Expands to a single `%' character.

+ .PP

+ Characters in % expansions that may confuse the shell are replaced by

+ underscores.

+@@ -243,9 +250,9 @@

+ less trustworthy. It is possible for an intruder to spoof both the

+ client connection and the IDENT lookup, although doing so is much

+ harder than spoofing just a client connection. It may also be that

+-the client\'s IDENT server is lying.

++the client's IDENT server is lying.

+ .PP

+-Note: IDENT lookups don\'t work with UDP services. 

++Note: IDENT lookups don't work with UDP services. 

+ .SH EXAMPLES

+ The language is flexible enough that different types of access control

+ policy can be expressed with a minimum of fuss. Although the language

+@@ -285,7 +292,7 @@

+ .br

+ ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

+ .PP

+-The first rule permits access from hosts in the local domain (no `.\'

++The first rule permits access from hosts in the local domain (no `.'

+ in the host name) and from members of the \fIsome_netgroup\fP

+ netgroup.  The second rule permits access from all hosts in the

+ \fIfoobar.edu\fP domain (notice the leading dot), with the exception of

+@@ -322,8 +329,8 @@

+ /etc/hosts.deny:

+ .in +3

+ .nf

+-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\

+-	/usr/ucb/mail -s %d-%h root) &

++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\

++	/usr/bin/mail -s %d-%h root) &

+ .fi

+ .PP

+ The safe_finger command comes with the tcpd wrapper and should be

+@@ -349,7 +356,7 @@

+ capacity of an internal buffer; when an access control rule is not

+ terminated by a newline character; when the result of %<letter>

+ expansion would overflow an internal buffer; when a system call fails

+-that shouldn\'t.  All problems are reported via the syslog daemon.

++that shouldn't.  All problems are reported via the syslog daemon.

+ .SH FILES

+ .na

+ .nf

+diff -Naur tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.gimli/hosts_access.c

+--- tcp_wrappers_7.6/hosts_access.c	1997-02-11 19:13:23.000000000 -0600

+@@ -240,6 +240,26 @@

+     }

+ }

+ 

++/* hostfile_match - look up host patterns from file */

++

++static int hostfile_match(path, host)

++char   *path;

++struct hosts_info *host;

++{

++    char    tok[BUFSIZ];

++    int     match = NO;

++    FILE   *fp;

++

++    if ((fp = fopen(path, "r")) != 0) {

++        while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))

++            /* void */ ;

++        fclose(fp);

++    } else if (errno != ENOENT) {

++        tcpd_warn("open %s: %m", path);

++    }

++    return (match);

++}

++

+ /* host_match - match host name and/or address against pattern */

+ 

+ static int host_match(tok, host)

+@@ -267,6 +287,8 @@

+ 	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */

+ 	return (NO);

+ #endif

++    } else if (tok[0] == '/') {                         /* /file hack */

++        return (hostfile_match(tok, host));

+     } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */

+ 	char   *name = eval_hostname(host);

+ 	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));

+diff -Naur tcp_wrappers_7.6/hosts_options.5 tcp_wrappers_7.6.gimli/hosts_options.5

+--- tcp_wrappers_7.6/hosts_options.5	1994-12-28 10:42:29.000000000 -0600

+@@ -58,12 +58,12 @@

+ Execute, in a child process, the specified shell command, after

+ performing the %<letter> expansions described in the hosts_access(5)

+ manual page.  The command is executed with stdin, stdout and stderr

+-connected to the null device, so that it won\'t mess up the

++connected to the null device, so that it won't mess up the

+ conversation with the client host. Example:

+ .sp

+ .nf

+ .ti +3

+-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &

++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &

+ .fi

+ .sp

+ executes, in a background child process, the shell command "safe_finger

+diff -Naur tcp_wrappers_7.6/options.c tcp_wrappers_7.6.gimli/options.c

+--- tcp_wrappers_7.6/options.c	1996-02-11 10:01:32.000000000 -0600

+@@ -473,6 +473,9 @@

+ #ifdef LOG_CRON

+     "cron", LOG_CRON,

+ #endif

++#ifdef LOG_FTP

++    "ftp", LOG_FTP,

++#endif

+ #ifdef LOG_LOCAL0

+     "local0", LOG_LOCAL0,

+ #endif

+diff -Naur tcp_wrappers_7.6/percent_m.c tcp_wrappers_7.6.gimli/percent_m.c

+--- tcp_wrappers_7.6/percent_m.c	1994-12-28 10:42:37.000000000 -0600

+@@ -13,7 +13,7 @@

+ #include <string.h>

+ 

+ extern int errno;

+-#ifndef SYS_ERRLIST_DEFINED

++#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)

+ extern char *sys_errlist[];

+ extern int sys_nerr;

+ #endif

+@@ -29,11 +29,15 @@

+ 

+     while (*bp = *cp)

+ 	if (*cp == '%' && cp[1] == 'm') {

++#ifdef HAVE_STRERROR

++            strcpy(bp, strerror(errno));

++#else

+ 	    if (errno < sys_nerr && errno > 0) {

+ 		strcpy(bp, sys_errlist[errno]);

+ 	    } else {

+ 		sprintf(bp, "Unknown error %d", errno);

+ 	    }

++#endif

+ 	    bp += strlen(bp);

+ 	    cp += 2;

+ 	} else {

+diff -Naur tcp_wrappers_7.6/rfc931.c tcp_wrappers_7.6.gimli/rfc931.c

+--- tcp_wrappers_7.6/rfc931.c	1995-01-02 09:11:34.000000000 -0600

+@@ -33,7 +33,7 @@

+ 

+ int     rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */

+ 

+-static jmp_buf timebuf;

++static sigjmp_buf timebuf;

+ 

+ /* fsocket - open stdio stream on top of socket */

+ 

+@@ -62,7 +62,7 @@

+ static void timeout(sig)

+ int     sig;

+ {

+-    longjmp(timebuf, sig);

++    siglongjmp(timebuf, sig);

+ }

+ 

+ /* rfc931 - return remote user name, given socket structures */

+@@ -99,7 +99,7 @@

+ 	 * Set up a timer so we won't get stuck while waiting for the server.

+ 	 */

+ 

+-	if (setjmp(timebuf) == 0) {

++	if (sigsetjmp(timebuf,1) == 0) {

+ 	    signal(SIGALRM, timeout);

+ 	    alarm(rfc931_timeout);

+ 

+diff -Naur tcp_wrappers_7.6/safe_finger.8 tcp_wrappers_7.6.gimli/safe_finger.8

+--- tcp_wrappers_7.6/safe_finger.8	1969-12-31 18:00:00.000000000 -0600

+@@ -0,0 +1,34 @@

++.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"

++.SH NAME

++safe_finger \- finger client wrapper that protects against nasty stuff

++from finger servers

++.SH SYNOPSIS

++.B safe_finger [finger_options]

++.SH DESCRIPTION

++The

++.B safe_finger

++command protects against nasty stuff from finger servers. Use this

++program for automatic reverse finger probes from the

++.B tcp_wrapper

++.B (tcpd)

++, not the raw finger command. The

++.B safe_finger

++command makes sure that the finger client is not run with root

++privileges. It also runs the finger client with a defined PATH

++environment.

++.B safe_finger

++will also protect you from problems caused by the output of some

++finger servers. The problem: some programs may react to stuff in

++the first column. Other programs may get upset by thrash anywhere

++on a line. File systems may fill up as the finger server keeps

++sending data. Text editors may bomb out on extremely long lines.

++The finger server may take forever because it is somehow wedged.

++.B safe_finger

++takes care of all this badness.

++.SH SEE ALSO

++.BR hosts_access (5),

++.BR hosts_options (5),

++.BR tcpd (8)

++.SH AUTHOR

++Wietse Venema, Eindhoven University of Technology, The Netherlands.

++

+diff -Naur tcp_wrappers_7.6/safe_finger.c tcp_wrappers_7.6.gimli/safe_finger.c

+--- tcp_wrappers_7.6/safe_finger.c	1994-12-28 10:42:42.000000000 -0600

+@@ -26,21 +26,24 @@

+ #include <stdio.h>

+ #include <ctype.h>

+ #include <pwd.h>

++#include <syslog.h>

+ 

+ extern void exit();

+ 

+ /* Local stuff */

+ 

+-char    path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";

++char    path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";

+ 

+ #define	TIME_LIMIT	60		/* Do not keep listinging forever */

+ #define	INPUT_LENGTH	100000		/* Do not keep listinging forever */

+ #define	LINE_LENGTH	128		/* Editors can choke on long lines */

+ #define	FINGER_PROGRAM	"finger"	/* Most, if not all, UNIX systems */

+ #define	UNPRIV_NAME	"nobody"	/* Preferred privilege level */

+-#define	UNPRIV_UGID	32767		/* Default uid and gid */

++#define	UNPRIV_UGID	65534		/* Default uid and gid */

+ 

+ int     finger_pid;

++int	allow_severity = SEVERITY;

++int	deny_severity = LOG_WARNING;

+ 

+ void    cleanup(sig)

+ int     sig;

+diff -Naur tcp_wrappers_7.6/scaffold.c tcp_wrappers_7.6.gimli/scaffold.c

+--- tcp_wrappers_7.6/scaffold.c	1997-03-21 12:27:24.000000000 -0600

+@@ -180,10 +180,12 @@

+ 

+ /* ARGSUSED */

+ 

+-void    rfc931(request)

+-struct request_info *request;

++void    rfc931(rmt_sin, our_sin, dest)

++struct sockaddr_in *rmt_sin;

++struct sockaddr_in *our_sin;

++char   *dest;

+ {

+-    strcpy(request->user, unknown);

++    strcpy(dest, unknown);

+ }

+ 

+ /* check_path - examine accessibility */

+diff -Naur tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.gimli/socket.c

+--- tcp_wrappers_7.6/socket.c	1997-03-21 12:27:25.000000000 -0600

+@@ -76,7 +76,11 @@

+ {

+     static struct sockaddr_in client;

+     static struct sockaddr_in server;

++#if !defined (__GLIBC__)

+     int     len;

++#else /* __GLIBC__ */

++    size_t  len;

++#endif /* __GLIBC__ */

+     char    buf[BUFSIZ];

+     int     fd = request->fd;

+ 

+@@ -224,7 +228,11 @@

+ {

+     char    buf[BUFSIZ];

+     struct sockaddr_in sin;

++#if !defined(__GLIBC__)

+     int     size = sizeof(sin);

++#else /* __GLIBC__ */

++    size_t  size = sizeof(sin);

++#endif /* __GLIBC__ */

+ 

+     /*

+      * Eat up the not-yet received datagram. Some systems insist on a

+diff -Naur tcp_wrappers_7.6/tcpd.8 tcp_wrappers_7.6.gimli/tcpd.8

+--- tcp_wrappers_7.6/tcpd.8	1996-02-21 09:39:16.000000000 -0600

+@@ -94,7 +94,7 @@

+ .PP

+ The example assumes that the network daemons live in /usr/etc. On some

+ systems, network daemons live in /usr/sbin or in /usr/libexec, or have

+-no `in.\' prefix to their name.

++no `in.' prefix to their name.

+ .SH EXAMPLE 2

+ This example applies when \fItcpd\fR expects that the network daemons

+ are left in their original place.

+@@ -110,26 +110,26 @@

+ becomes:

+ .sp

+ .ti +5