1997-10-05 20:16:10 +04:00
# from: @(#)Makefile 8.1 (Berkeley) 6/6/93
2021-10-12 22:08:04 +03:00
# $NetBSD: Makefile,v 1.30 2021/10/12 19:08:04 christos Exp $
2005-01-10 05:58:58 +03:00
.include <bsd.own.mk>
1993-03-21 12:45:37 +03:00
Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp itself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 16:06:17 +04:00
USE_FORT?= yes # network server
1993-03-21 12:45:37 +03:00
PROG= inetd
2021-10-12 22:08:04 +03:00
SRCS= inetd.c parse.c parse_v2.c ratelimit.c
1994-12-22 14:32:57 +03:00
MAN= inetd.8
1996-12-04 16:32:31 +03:00
MLINKS= inetd.8 inetd.conf.5
2021-08-30 21:21:11 +03:00
WARNS= 6
2021-09-03 23:24:28 +03:00
#LINTFLAGS+= -T
1993-03-21 12:45:37 +03:00
Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow

Described in:
https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.
2021-08-29 12:54:18 +03:00
# Enables debug printouts when in debug mode
CPPFLAGS+=-DDEBUG_ENABLE
2005-01-10 05:58:58 +03:00
CPPFLAGS+=-DLIBWRAP
1997-03-13 21:36:35 +03:00
# Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
1997-10-25 10:57:53 +04:00
#CPPFLAGS+=-DLIBWRAP_INTERNAL
2021-03-07 18:09:12 +03:00
LDADD+= -lwrap -lblocklist -lutil
DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
1996-11-26 20:23:34 +03:00
2005-01-10 05:58:58 +03:00
.if (${USE_INET6} != "no")
CPPFLAGS+=-DINET6
.endif
2001-09-13 17:02:20 +04:00
CPPFLAGS+=-DIPSEC
2000-01-31 17:28:17 +03:00
SRCS+= ipsec.c
1999-07-02 08:48:19 +04:00
LDADD+= -lipsec
DPADD+= ${LIBIPSEC}
1993-03-21 12:45:37 +03:00
.include <bsd.prog.mk>
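
The "Security related" part of the 2021-08-29 commit notes above describes strings leaking each time a half-parsed service definition was discarded on "goto more", fixed by calling freeconfig before the retry. The following is an added illustration of that pattern, not code from inetd or from the commit: `struct entry`, `dup_n`, `free_entry`, `parse_line`, `next_entry` and `leaked_after` are hypothetical names, the "service user:group" line format is a simplification, and the sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct entry { char *service, *user, *group; };  /* hypothetical mini servtab */
static int live_allocs;                           /* outstanding strings (demo) */
static char *dup_n(const char *s, size_t n) {
    char *p = calloc(n + 1, 1);
    if (p == NULL) abort();
    memcpy(p, s, n);
    live_allocs++;
    return p;
}
/* Stand-in for freeconfig(): release every field that was allocated. */
static void free_entry(struct entry *e) {
    char **f[] = { &e->service, &e->user, &e->group };
    for (int i = 0; i < 3; i++)
        if (*f[i] != NULL) { free(*f[i]); *f[i] = NULL; live_allocs--; }
}
/* Parse "service user:group"; may fail after service is already allocated. */
static int parse_line(const char *line, struct entry *e) {
    const char *sp = strchr(line, ' '), *colon;
    if (sp == NULL || sp == line) return -1;
    e->service = dup_n(line, (size_t)(sp - line));
    colon = strchr(sp + 1, ':');
    if (colon == NULL || colon == sp + 1 || colon[1] == '\0') return -1;
    e->user = dup_n(sp + 1, (size_t)(colon - (sp + 1)));
    e->group = dup_n(colon + 1, strlen(colon + 1));  /* its own allocation */
    return 0;
}
/* Skip bad lines until one parses; each retry is the "goto more" path. */
static int next_entry(const char *const *lines, size_t n, struct entry *e, int fixed) {
    for (size_t i = 0; i < n; i++) {
        *e = (struct entry){ NULL, NULL, NULL };  /* re-init forgets old pointers */
        if (parse_line(lines[i], e) == 0) return (int)i;
        if (fixed) free_entry(e);                 /* the fix: free before retrying */
    }
    return -1;
}
/* Strings still allocated after one pass over constructed sample lines. */
static int leaked_after(int fixed) {
    static const char *const lines[] = {
        "ftp", "telnet root", "daytime :wheel", "echo nobody:nogroup" };
    struct entry e;
    int before = live_allocs;
    if (next_entry(lines, 4, &e, fixed) >= 0) free_entry(&e);
    return live_allocs - before;
}
int main(void) {
    return printf("leaked: unfixed=%d fixed=%d\n", leaked_after(0), leaked_after(1)) < 0;
}
```

Each malformed line that fails after its first field is copied costs one string in the unfixed path, which matters for a long-running daemon that re-reads its configuration on every reload.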