1 # 2 # Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 # Use is subject to license terms. 4 # 5 # Copyright 2011 Nexenta Systems, Inc. All rights reserved. 6 # 7 # Copyright (c) 2018, Joyent, Inc. 8 9 PROG= safe_finger tcpd tcpdchk tcpdmatch try-from 10 11 include ../Makefile.cmd 12 13 CFLAGS += $(CCVERBOSE) 14 CPPFLAGS += $(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \ 15 $(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \ 16 -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ 17 -DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \ 18 -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \ 19 -I../../lib/libwrap 20 tcpd tcpdmatch try-from := \ 21 LDLIBS += -lwrap 22 tcpdchk := LDLIBS += -lwrap -lnsl 23 24 CERRWARN += -erroff=E_FUNC_HAS_NO_RETURN_STMT 25 CERRWARN += -erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT 26 CERRWARN += -_gcc=-Wno-unused-variable 27 CERRWARN += -_gcc=-Wno-parentheses 28 CERRWARN += $(CNOWARN_UNINIT) 29 CERRWARN += -_gcc=-Wno-implicit-function-declaration 30 CERRWARN += -_gcc=-Wno-return-type 31 CERRWARN += -_gcc=-Wno-clobbered 32 33 # not linted 34 SMATCH=off 35 36 # Various components must export interfaces, but also contain name-space 37 # clashes with system libraries. 38 MAPFILE.INT.D= $(MAPFILE.NGB) mapfile-intf-tcpdchk 39 MAPFILE.INT.M= $(MAPFILE.NGB) mapfile-intf-tcpdmatch 40 MAPFILE.INT.F= $(MAPFILE.NGB) mapfile-intf-tryfrom 41 42 tcpdchk := LDFLAGS +=$(MAPFILE.INT.D:%=-M%) 43 tcpdmatch := LDFLAGS +=$(MAPFILE.INT.M:%=-M%) 44 try-from := LDFLAGS +=$(MAPFILE.INT.F:%=-M%) 45 46 .KEEP_STATE: 47 48 all: $(PROG) 49 50 install: all $(ROOTUSRSBINPROG) 51 52 clean: 53 $(RM) *.o 54 55 lint: lint_PROG 56 57 TCPDMATCH_OBJ= tcpdmatch.o fakelog.o inetcf.o scaffold.o 58 59 tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INTF.M) 60 $(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS) 61 $(POST_PROCESS) 62 63 try-from: try-from.o fakelog.o $(LIB) $(MAPFILE.INTF.F) 64 $(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS) 65 $(POST_PROCESS) 66 67 TCPDCHK_OBJ= tcpdchk.o fakelog.o inetcf.o scaffold.o 68 69 tcpdchk: $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INTF.C) 70 $(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS) 71 $(POST_PROCESS) 72 73 include ../Makefile.targ 74 75 # The rest of this file contains definitions more-or-less directly from the 76 # original Makefile of the tcp_wrappers distribution. 77 78 ############################## 79 # System parameters appropriate for Solaris 9 80 81 REAL_DAEMON_DIR = /usr/sbin 82 TLI = -DTLI 83 NETGROUP = -DNETGROUP 84 85 ############################## 86 # Start of the optional stuff. 87 88 ########################################### 89 # Optional: Turning on language extensions 90 # 91 # Instead of the default access control language that is documented in 92 # the hosts_access.5 document, the wrappers can be configured to 93 # implement an extensible language documented in the hosts_options.5 94 # document. This language is implemented by the "options.c" source 95 # module, which also gives hints on how to add your own extensions. 96 # Uncomment the next definition to turn on the language extensions 97 # (examples: allow, deny, banners, twist and spawn). 98 # 99 STYLE = -DPROCESS_OPTIONS # Enable language extensions. 100 101 ################################################################ 102 # Optional: Changing the default disposition of logfile records 103 # 104 # By default, logfile entries are written to the same file as used for 105 # sendmail transaction logs. See your /etc/syslog.conf file for actual 106 # path names of logfiles. The tutorial section in the README file 107 # gives a brief introduction to the syslog daemon. 108 # 109 # Change the FACILITY definition below if you disagree with the default 110 # disposition. Some syslog versions (including Ultrix 4.x) do not provide 111 # this flexibility. 112 # 113 # If nothing shows up on your system, it may be that the syslog records 114 # are sent to a dedicated loghost. It may also be that no syslog daemon 115 # is running at all. The README file gives pointers to surrogate syslog 116 # implementations for systems that have no syslog library routines or 117 # no syslog daemons. When changing the syslog.conf file, remember that 118 # there must be TABs between fields. 119 # 120 # The LOG_XXX names below are taken from the /usr/include/syslog.h file. 121 122 FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use 123 124 # The syslog priority at which successful connections are logged. 125 126 SEVERITY= LOG_INFO # LOG_INFO is normally not logged to the console 127 128 ###################################################### 129 # Optional: Changing the default file protection mask 130 # 131 # On many systems, network daemons and other system processes are started 132 # with a zero umask value, so that world-writable files may be produced. 133 # It is a good idea to edit your /etc/rc* files so that they begin with 134 # an explicit umask setting. On our site we use `umask 022' because it 135 # does not break anything yet gives adequate protection against tampering. 136 # 137 # The following macro specifies the default umask for processes run under 138 # control of the daemon wrappers. Comment it out only if you are certain 139 # that inetd and its children are started with a safe umask value. 140 141 UMASK = -DDAEMON_UMASK=022 142 143 ####################################### 144 # Optional: Turning off access control 145 # 146 # By default, host access control is enabled. To disable host access 147 # control, comment out the following definition. Host access control 148 # can also be turned off at runtime by providing no or empty access 149 # control tables. 150 151 ACCESS = -DHOSTS_ACCESS 152 153 #################################################### 154 # Optional: dealing with host name/address conflicts 155 # 156 # By default, the software tries to protect against hosts that claim to 157 # have someone elses host name. This is relevant for network services 158 # whose authentication depends on host names, such as rsh and rlogin. 159 # 160 # With paranoid mode on, connections will be rejected when the host name 161 # does not match the host address. Connections will also be rejected when 162 # the host name is available but cannot be verified. 163 # 164 # Comment out the following definition if you want more control over such 165 # requests. When paranoid mode is off and a host name double check fails, 166 # the client can be matched with the PARANOID access control pattern. 167 # 168 # Paranoid mode implies hostname lookup. In order to disable hostname 169 # lookups altogether, see the next section. 170 171 PARANOID= -DPARANOID 172 173 # The default username lookup timeout is 10 seconds. This may not be long 174 # enough for slow hosts or networks, but is enough to irritate PC users. 175 176 RFC931_TIMEOUT = 10 177 178 ######################################################## 179 # Optional: Changing the access control table pathnames 180 # 181 # The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will 182 # look for access control information. Watch out for the quotes and 183 # backslashes when you make changes. 184 185 TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" 186 187 ############################################# 188 # Optional: Turning on host ADDRESS checking 189 # 190 # Optionally, the software tries to protect against hosts that pretend to 191 # have someone elses host address. This is relevant for network services 192 # whose authentication depends on host names, such as rsh and rlogin, 193 # because the network address is used to look up the remote host name. 194 # 195 # The protection is to refuse TCP connections with IP source routing 196 # options. 197 # 198 # This feature cannot be used with SunOS 4.x because of a kernel bug in 199 # the implementation of the getsockopt() system call. Kernel panics have 200 # been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data 201 # fault" while executing the tcp_ctloutput() kernel function. 202 # 203 # Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x. 204 # 205 # Uncomment the following macro definition if your getsockopt() is OK. 206 # 207 # -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop 208 # source-routed traffic in the kernel. Examples: 4.4BSD derivatives, 209 # Solaris 2.x, and Linux. See your system documentation for details. 210 # 211 # KILL_OPT= -DKILL_IP_OPTIONS 212 213 ## End configuration options 214 ############################