1 #
   2 # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   3 # Use is subject to license terms.
   4 #
   5 # Copyright 2011 Nexenta Systems, Inc. All rights reserved.
   6 #
   7 # Copyright (c) 2018, Joyent, Inc.
   8 
   9 PROG=           safe_finger tcpd tcpdchk tcpdmatch try-from
  10 
  11 include         ../Makefile.cmd
  12 
  13 CFLAGS +=       $(CCVERBOSE)
  14 CPPFLAGS +=     $(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
  15                 $(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
  16                 -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
  17                 -DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
  18                 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
  19                 -I../../lib/libwrap
  20 tcpd tcpdmatch try-from := \
  21                 LDLIBS += -lwrap
  22 tcpdchk :=      LDLIBS += -lwrap -lnsl
  23 
  24 CERRWARN +=     -erroff=E_FUNC_HAS_NO_RETURN_STMT
  25 CERRWARN +=     -erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT
  26 CERRWARN +=     -_gcc=-Wno-unused-variable
  27 CERRWARN +=     -_gcc=-Wno-parentheses
  28 CERRWARN +=     $(CNOWARN_UNINIT)
  29 CERRWARN +=     -_gcc=-Wno-implicit-function-declaration
  30 CERRWARN +=     -_gcc=-Wno-return-type
  31 CERRWARN +=     -_gcc=-Wno-clobbered
  32 
  33 # not linted
  34 SMATCH=off
  35 
  36 # Various components must export interfaces, but also contain name-space
  37 # clashes with system libraries.
  38 MAPFILE.INT.D=  $(MAPFILE.NGB) mapfile-intf-tcpdchk
  39 MAPFILE.INT.M=  $(MAPFILE.NGB) mapfile-intf-tcpdmatch
  40 MAPFILE.INT.F=  $(MAPFILE.NGB) mapfile-intf-tryfrom
  41 
  42 tcpdchk :=      LDFLAGS +=$(MAPFILE.INT.D:%=-M%)
  43 tcpdmatch :=    LDFLAGS +=$(MAPFILE.INT.M:%=-M%)
  44 try-from :=     LDFLAGS +=$(MAPFILE.INT.F:%=-M%)
  45 
  46 .KEEP_STATE:
  47 
  48 all:            $(PROG)
  49 
  50 install:        all $(ROOTUSRSBINPROG)
  51 
  52 clean:
  53                 $(RM) *.o
  54 
  55 lint:           lint_PROG
  56 
  57 TCPDMATCH_OBJ=  tcpdmatch.o fakelog.o inetcf.o scaffold.o
  58 
  59 tcpdmatch:      $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INTF.M)
  60                 $(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
  61                 $(POST_PROCESS)
  62 
  63 try-from:       try-from.o fakelog.o $(LIB) $(MAPFILE.INTF.F)
  64                 $(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
  65                 $(POST_PROCESS)
  66 
  67 TCPDCHK_OBJ=    tcpdchk.o fakelog.o inetcf.o scaffold.o
  68 
  69 tcpdchk:        $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INTF.C)
  70                 $(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
  71                 $(POST_PROCESS)
  72 
  73 include         ../Makefile.targ
  74 
  75 # The rest of this file contains definitions more-or-less directly from the
  76 # original Makefile of the tcp_wrappers distribution.
  77 
  78 ##############################
  79 # System parameters appropriate for Solaris 9
  80 
  81 REAL_DAEMON_DIR = /usr/sbin
  82 TLI             = -DTLI
  83 NETGROUP        = -DNETGROUP
  84 
  85 ##############################
  86 # Start of the optional stuff.
  87 
  88 ###########################################
  89 # Optional: Turning on language extensions
  90 #
  91 # Instead of the default access control language that is documented in
  92 # the hosts_access.5 document, the wrappers can be configured to
  93 # implement an extensible language documented in the hosts_options.5
  94 # document.  This language is implemented by the "options.c" source
  95 # module, which also gives hints on how to add your own extensions.
  96 # Uncomment the next definition to turn on the language extensions
  97 # (examples: allow, deny, banners, twist and spawn).
  98 # 
  99 STYLE   = -DPROCESS_OPTIONS     # Enable language extensions.
 100 
 101 ################################################################
 102 # Optional: Changing the default disposition of logfile records
 103 #
 104 # By default, logfile entries are written to the same file as used for
 105 # sendmail transaction logs. See your /etc/syslog.conf file for actual
 106 # path names of logfiles. The tutorial section in the README file
 107 # gives a brief introduction to the syslog daemon.
 108 # 
 109 # Change the FACILITY definition below if you disagree with the default
 110 # disposition. Some syslog versions (including Ultrix 4.x) do not provide
 111 # this flexibility.
 112 # 
 113 # If nothing shows up on your system, it may be that the syslog records
 114 # are sent to a dedicated loghost. It may also be that no syslog daemon
 115 # is running at all. The README file gives pointers to surrogate syslog
 116 # implementations for systems that have no syslog library routines or
 117 # no syslog daemons. When changing the syslog.conf file, remember that
 118 # there must be TABs between fields.
 119 #
 120 # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
 121 
 122 FACILITY= LOG_MAIL      # LOG_MAIL is what most sendmail daemons use
 123 
 124 # The syslog priority at which successful connections are logged.
 125 
 126 SEVERITY= LOG_INFO      # LOG_INFO is normally not logged to the console
 127 
 128 ######################################################
 129 # Optional: Changing the default file protection mask
 130 #
 131 # On many systems, network daemons and other system processes are started
 132 # with a zero umask value, so that world-writable files may be produced.
 133 # It is a good idea to edit your /etc/rc* files so that they begin with
 134 # an explicit umask setting.  On our site we use `umask 022' because it
 135 # does not break anything yet gives adequate protection against tampering.
 136 # 
 137 # The following macro specifies the default umask for processes run under
 138 # control of the daemon wrappers. Comment it out only if you are certain
 139 # that inetd and its children are started with a safe umask value.
 140 
 141 UMASK   = -DDAEMON_UMASK=022
 142 
 143 #######################################
 144 # Optional: Turning off access control
 145 #
 146 # By default, host access control is enabled.  To disable host access
 147 # control, comment out the following definition.  Host access control
 148 # can also be turned off at runtime by providing no or empty access
 149 # control tables.
 150 
 151 ACCESS  = -DHOSTS_ACCESS
 152 
 153 ####################################################
 154 # Optional: dealing with host name/address conflicts
 155 #
 156 # By default, the software tries to protect against hosts that claim to
  157 # have someone else's host name. This is relevant for network services
 158 # whose authentication depends on host names, such as rsh and rlogin.
 159 #
 160 # With paranoid mode on, connections will be rejected when the host name
 161 # does not match the host address. Connections will also be rejected when
 162 # the host name is available but cannot be verified.
 163 #
 164 # Comment out the following definition if you want more control over such
 165 # requests. When paranoid mode is off and a host name double check fails,
 166 # the client can be matched with the PARANOID access control pattern.
 167 #
 168 # Paranoid mode implies hostname lookup. In order to disable hostname
 169 # lookups altogether, see the next section.
 170 
 171 PARANOID= -DPARANOID
 172 
 173 # The default username lookup timeout is 10 seconds. This may not be long
 174 # enough for slow hosts or networks, but is enough to irritate PC users.
 175 
 176 RFC931_TIMEOUT = 10
 177 
 178 ########################################################
 179 # Optional: Changing the access control table pathnames
 180 #
 181 # The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
 182 # look for access control information. Watch out for the quotes and
 183 # backslashes when you make changes.
 184 
 185 TABLES  = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
 186 
 187 #############################################
 188 # Optional: Turning on host ADDRESS checking
 189 #
 190 # Optionally, the software tries to protect against hosts that pretend to
  191 # have someone else's host address. This is relevant for network services
 192 # whose authentication depends on host names, such as rsh and rlogin,
 193 # because the network address is used to look up the remote host name.
 194 # 
 195 # The protection is to refuse TCP connections with IP source routing
 196 # options.
 197 #
 198 # This feature cannot be used with SunOS 4.x because of a kernel bug in
 199 # the implementation of the getsockopt() system call. Kernel panics have
 200 # been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
 201 # fault" while executing the tcp_ctloutput() kernel function.
 202 #
 203 # Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
 204 #
 205 # Uncomment the following macro definition if your getsockopt() is OK.
 206 #
 207 # -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
 208 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
 209 # Solaris 2.x, and Linux. See your system documentation for details.
 210 #
 211 # KILL_OPT= -DKILL_IP_OPTIONS
 212 
 213 ## End configuration options
 214 ############################