-DLIBWRAP will enable libwrap-based filtering on UDP socket messages.

PR 13348
2001-07-01 16:23:42 +00:00 · 2001-07-01 16:23:42 +00:00 · 338aa1c650
commit 338aa1c650
parent d6a6aa8773
3 changed files with 52 additions and 8 deletions
--- a/usr.sbin/syslogd/Makefile
+++ b/usr.sbin/syslogd/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.14 1999/12/02 16:17:29 itojun Exp $
+#	$NetBSD: Makefile,v 1.15 2001/07/01 16:23:42 itojun Exp $
 #	from: @(#)Makefile	8.1 (Berkeley) 6/6/93

 PROG=	syslogd
@ -12,4 +12,8 @@ CPPFLAGS+=-DINET6
 # KAME scopeid hack
 #CPPFLAGS+=-DKAME_SCOPEID

+CPPFLAGS+=-DLIBWRAP
+LDADD+=	-lwrap
+DPADD+=	${LIBWRAP}
+
 .include <bsd.prog.mk>
--- a/usr.sbin/syslogd/syslogd.8
+++ b/usr.sbin/syslogd/syslogd.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: syslogd.8,v 1.21 2001/06/08 04:16:28 mrg Exp $
+.\"	$NetBSD: syslogd.8,v 1.22 2001/07/01 16:23:42 itojun Exp $
 .\"
 .\" Copyright (c) 1983, 1986, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -131,6 +131,17 @@ in each chroot area to syslogd.  For example:
 .Dl syslogd -p /var/run/log -p /web/var/run/log -p /ftp/var/run/log
 .Pp
 note: the normal log socket must now also be passed to syslogd.
+.Pp
+Accesses from UDP socket can be filtered by libwrap configuration files, like
+.Pa /etc/hosts.deny .
+Specify
+.Dq Li syslogd
+in
+.Ar daemon_list
+portion of the configuration files.
+Refer to
+.Xr hosts_access 5
+for details.
 .Sh SYSLOG PROTOCOL NOTES
 .Pp
 The message sent to
@ -169,3 +180,5 @@ command appeared in
 .Bx 4.3 .
 Support for multiple log sockets appeared in
 .Nx 1.4 .
+libwrap support appeared in
+.Nx 1.6 .
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@ -1,4 +1,4 @@
-/*	$NetBSD: syslogd.c,v 1.45 2001/06/08 04:16:28 mrg Exp $	*/
+/*	$NetBSD: syslogd.c,v 1.46 2001/07/01 16:23:42 itojun Exp $	*/

 /*
 * Copyright (c) 1983, 1988, 1993, 1994
@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1988, 1993, 1994\n\
 #if 0
 static char sccsid[] = "@(#)syslogd.c	8.3 (Berkeley) 4/4/94";
 #else
-__RCSID("$NetBSD: syslogd.c,v 1.45 2001/06/08 04:16:28 mrg Exp $");
+__RCSID("$NetBSD: syslogd.c,v 1.46 2001/07/01 16:23:42 itojun Exp $");
 #endif
 #endif /* not lint */

@ -110,6 +110,13 @@ __RCSID("$NetBSD: syslogd.c,v 1.45 2001/06/08 04:16:28 mrg Exp $");
 #define SYSLOG_NAMES
 #include <sys/syslog.h>

+#ifdef LIBWRAP
+#include <tcpd.h>
+
+int allow_severity = LOG_AUTH|LOG_INFO;
+int deny_severity = LOG_AUTH|LOG_WARNING;
+#endif
+
 char	*ConfFile = _PATH_LOGCONF;
 char	ctty[] = _PATH_CONSOLE;

@ -420,17 +427,37 @@ main(argc, argv)
 			for (j = 0; j < *finet; j++) {
 		    		if (readfds[nfinetix[j]].revents &
 				    (POLLIN | POLLPRI)) {
+#ifdef LIBWRAP
+					struct request_info req;
+#endif
+					int reject = 0;
+
 					dprintf("inet socket active\n");
+
+#ifdef LIBWRAP
+					request_init(&req, RQ_DAEMON, "syslogd",
+					    RQ_FILE, finet[j + 1], NULL);
+					fromhost(&req);
+					reject = !hosts_access(&req);
+					if (reject)
+						dprintf("access denied\n");
+#endif
+
 					len = sizeof(frominet);
 					i = recvfrom(finet[j+1], line, MAXLINE,
 					    0, (struct sockaddr *)&frominet,
 					    &len);
-					if (i > 0) {
-						line[i] = '\0';
+					if (i == 0 || (i < 0 && errno == EINTR))
+						continue;
+					else if (i < 0) {
+						logerror("recvfrom inet");
+						continue;
+					}
+
+					line[i] = '\0';
+					if (!reject)
 						printline(cvthname(&frominet),
 						    line);
-					} else if (i < 0 && errno != EINTR)
-						logerror("recvfrom inet");
 				}
 			}
 		}