1 #
   2 # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   3 # Use is subject to license terms.
   4 #
   5 # Copyright 2011 Nexenta Systems, Inc. All rights reserved.
   6 #
   7 
   8 PROG=           safe_finger tcpd tcpdchk tcpdmatch try-from
   9 
  10 include         ../Makefile.cmd
  11 
  12 CFLAGS +=       $(CCVERBOSE)
  13 CPPFLAGS +=     $(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
  14                 $(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
  15                 -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
  16                 -DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
  17                 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
  18                 -I../../lib/libwrap
  19 tcpd tcpdmatch try-from := \
  20                 LDLIBS += -lwrap
  21 tcpdchk :=      LDLIBS += -lwrap -lnsl
  22 
  23 CERRWARN +=     -erroff=E_FUNC_HAS_NO_RETURN_STMT
  24 CERRWARN +=     -erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT
  25 CERRWARN +=     -_gcc=-Wno-unused-variable
  26 CERRWARN +=     -_gcc=-Wno-parentheses
  27 CERRWARN +=     -_gcc=-Wno-uninitialized
  28 CERRWARN +=     -_gcc=-Wno-implicit-function-declaration
  29 CERRWARN +=     -_gcc=-Wno-return-type
  30 CERRWARN +=     -_gcc=-Wno-clobbered
  31 
  32 # Various components must export interfaces, but also contain name-space
  33 # clashes with system libraries.
  34 MAPFILE.INT.D=  $(MAPFILE.NGB) mapfile-intf-tcpdchk
  35 MAPFILE.INT.M=  $(MAPFILE.NGB) mapfile-intf-tcpdmatch
  36 MAPFILE.INT.F=  $(MAPFILE.NGB) mapfile-intf-tryfrom
  37 
  38 tcpdchk :=      LDFLAGS +=$(MAPFILE.INT.D:%=-M%)
  39 tcpdmatch :=    LDFLAGS +=$(MAPFILE.INT.M:%=-M%)
  40 try-from :=     LDFLAGS +=$(MAPFILE.INT.F:%=-M%)
  41 
  42 .KEEP_STATE:
  43 
  44 all:            $(PROG)
  45 
  46 install:        all $(ROOTUSRSBINPROG)
  47 
  48 clean:
  49                 $(RM) *.o
  50 
  51 lint:           lint_PROG
  52 
  53 TCPDMATCH_OBJ=  tcpdmatch.o fakelog.o inetcf.o scaffold.o
  54 
  55 tcpdmatch:      $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INTF.M)
  56                 $(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
  57                 $(POST_PROCESS)
  58 
  59 try-from:       try-from.o fakelog.o $(LIB) $(MAPFILE.INTF.F)
  60                 $(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
  61                 $(POST_PROCESS)
  62 
  63 TCPDCHK_OBJ=    tcpdchk.o fakelog.o inetcf.o scaffold.o
  64 
  65 tcpdchk:        $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INTF.C)
  66                 $(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
  67                 $(POST_PROCESS)
  68 
  69 include         ../Makefile.targ
  70 
  71 # The rest of this file contains definitions more-or-less directly from the
  72 # original Makefile of the tcp_wrappers distribution.
  73 
  74 ##############################
  75 # System parameters appropriate for Solaris 9
  76 
  77 REAL_DAEMON_DIR = /usr/sbin
  78 TLI             = -DTLI
  79 NETGROUP        = -DNETGROUP
  80 
  81 ##############################
  82 # Start of the optional stuff.
  83 
  84 ###########################################
  85 # Optional: Turning on language extensions
  86 #
  87 # Instead of the default access control language that is documented in
  88 # the hosts_access.5 document, the wrappers can be configured to
  89 # implement an extensible language documented in the hosts_options.5
  90 # document.  This language is implemented by the "options.c" source
  91 # module, which also gives hints on how to add your own extensions.
  92 # Uncomment the next definition to turn on the language extensions
  93 # (examples: allow, deny, banners, twist and spawn).
  94 # 
  95 STYLE   = -DPROCESS_OPTIONS     # Enable language extensions.
  96 
  97 ################################################################
  98 # Optional: Changing the default disposition of logfile records
  99 #
 100 # By default, logfile entries are written to the same file as used for
 101 # sendmail transaction logs. See your /etc/syslog.conf file for actual
 102 # path names of logfiles. The tutorial section in the README file
 103 # gives a brief introduction to the syslog daemon.
 104 # 
 105 # Change the FACILITY definition below if you disagree with the default
 106 # disposition. Some syslog versions (including Ultrix 4.x) do not provide
 107 # this flexibility.
 108 # 
 109 # If nothing shows up on your system, it may be that the syslog records
 110 # are sent to a dedicated loghost. It may also be that no syslog daemon
 111 # is running at all. The README file gives pointers to surrogate syslog
 112 # implementations for systems that have no syslog library routines or
 113 # no syslog daemons. When changing the syslog.conf file, remember that
 114 # there must be TABs between fields.
 115 #
 116 # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
 117 
 118 FACILITY= LOG_MAIL      # LOG_MAIL is what most sendmail daemons use
 119 
 120 # The syslog priority at which successful connections are logged.
 121 
 122 SEVERITY= LOG_INFO      # LOG_INFO is normally not logged to the console
 123 
 124 ######################################################
 125 # Optional: Changing the default file protection mask
 126 #
 127 # On many systems, network daemons and other system processes are started
 128 # with a zero umask value, so that world-writable files may be produced.
 129 # It is a good idea to edit your /etc/rc* files so that they begin with
 130 # an explicit umask setting.  On our site we use `umask 022' because it
 131 # does not break anything yet gives adequate protection against tampering.
 132 # 
 133 # The following macro specifies the default umask for processes run under
 134 # control of the daemon wrappers. Comment it out only if you are certain
 135 # that inetd and its children are started with a safe umask value.
 136 
 137 UMASK   = -DDAEMON_UMASK=022
 138 
 139 #######################################
 140 # Optional: Turning off access control
 141 #
 142 # By default, host access control is enabled.  To disable host access
 143 # control, comment out the following definition.  Host access control
 144 # can also be turned off at runtime by providing no or empty access
 145 # control tables.
 146 
 147 ACCESS  = -DHOSTS_ACCESS
 148 
 149 ####################################################
 150 # Optional: dealing with host name/address conflicts
 151 #
 152 # By default, the software tries to protect against hosts that claim to
  153 # have someone else's host name. This is relevant for network services
 154 # whose authentication depends on host names, such as rsh and rlogin.
 155 #
 156 # With paranoid mode on, connections will be rejected when the host name
 157 # does not match the host address. Connections will also be rejected when
 158 # the host name is available but cannot be verified.
 159 #
 160 # Comment out the following definition if you want more control over such
 161 # requests. When paranoid mode is off and a host name double check fails,
 162 # the client can be matched with the PARANOID access control pattern.
 163 #
 164 # Paranoid mode implies hostname lookup. In order to disable hostname
 165 # lookups altogether, see the next section.
 166 
 167 PARANOID= -DPARANOID
 168 
 169 # The default username lookup timeout is 10 seconds. This may not be long
 170 # enough for slow hosts or networks, but is enough to irritate PC users.
 171 
 172 RFC931_TIMEOUT = 10
 173 
 174 ########################################################
 175 # Optional: Changing the access control table pathnames
 176 #
 177 # The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
 178 # look for access control information. Watch out for the quotes and
 179 # backslashes when you make changes.
 180 
 181 TABLES  = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
 182 
 183 #############################################
 184 # Optional: Turning on host ADDRESS checking
 185 #
 186 # Optionally, the software tries to protect against hosts that pretend to
  187 # have someone else's host address. This is relevant for network services
 188 # whose authentication depends on host names, such as rsh and rlogin,
 189 # because the network address is used to look up the remote host name.
 190 # 
 191 # The protection is to refuse TCP connections with IP source routing
 192 # options.
 193 #
 194 # This feature cannot be used with SunOS 4.x because of a kernel bug in
 195 # the implementation of the getsockopt() system call. Kernel panics have
 196 # been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
 197 # fault" while executing the tcp_ctloutput() kernel function.
 198 #
 199 # Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
 200 #
 201 # Uncomment the following macro definition if your getsockopt() is OK.
 202 #
 203 # -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
 204 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
 205 # Solaris 2.x, and Linux. See your system documentation for details.
 206 #
 207 # KILL_OPT= -DKILL_IP_OPTIONS
 208 
 209 ## End configuration options
 210 ############################