
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-159-gb5d9f


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-159-gb5d9f38
Date: Thu, 06 Sep 2012 15:04:20 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  b5d9f38a3510e181a50bd82ab5103621c87a5df9 (commit)
      from  3841619d01f81d265c9cec7c37a1388bda465a1b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=b5d9f38a3510e181a50bd82ab5103621c87a5df9


commit b5d9f38a3510e181a50bd82ab5103621c87a5df9
Author: Mats Erik Andersson <address@hidden>
Date:   Thu Sep 6 16:06:21 2012 +0200

    talkd: Nominally functional ACL checking.

diff --git a/ChangeLog b/ChangeLog
index 1c8c87f..81ce3d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,46 @@
+2012-09-06  Mats Erik Andersson  <address@hidden>
+
+       talkd: Partial activation of ACL features.
+       Upstream Gnulib has repaired read_utmp() call.
+
+       * talkd/acl.c (ACT_ALLOW, ACT_DENY): Removed macros.
+       (read_acl): Add parameter `int silent'.  Report missing
+       file only if `!silent'.  Partially decrease syslog severity.
+       New return values ACL_ALLOW and ACL_DENY.
+       (open_users_acl): Call read_acl() with silent flag, a file
+       is not mandatory for users.
+       (acl_match): Return ACL_ALLOW as default result.
+       * talkd/announce.c (print_msg, announce): Lower severity
+       LOG_CRIT to LOG_ERR.
+       * talkd/intalkd.h (ACL_ALLOW, ACL_DENY): New macros.
+       (logging): New variable.
+       (read_acl): Update prototype.
+       * talkd/process.c (process_request): Delay ACL matching
+       until protocol and address have been checked.  Send answer
+       FAILED in reply whenever acl_match() returns ACL_DENY.
+       Give syslog messages lower severity and condition on
+       `logging || debug'.
+       * talkd/table.c (insert_table): Change LOG_CRIT to LOG_ERR.
+       * talkd/talkd.c (logging): New variable.
+       (doc): Mention service `ntalk'.
+       (argp_options): New option `-l/--logging'.
+       (parse_opt) <'l'>: New case.
+       (main): Call read_acl() with non-silent flag.  Explicitly
+       use STDIN_FILENO as descriptor for talkd_run().
+       (alarm_handler): New variable OERRNO. Protect and recover
+       errno across handler actions.
+       (talkd_run): Commit syslog messages for `logging || debug'.
+       Lower severity to LOG_NOTICE.
+
+       * doc/inetutils.texi <talkd invokation>: Expose the
+       distinguishing features of the present implementation.
+
+       * talk/init_disp.c (init_display): Catch SIGQUIT.
+
+       * configure.ac: Include <sys/socket.h> when checking
+       for `sockaddr_in6.sin6_len' and `sockaddr_storage.ss_len'.
+       Check talk_BUILD and LIBCURSES in summary message.
+
 2012-08-31  Mats Erik Andersson  <address@hidden>
 
        ping, ping6: Support IDN named hosts.
diff --git a/configure.ac b/configure.ac
index e313b59..5d9bccd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -655,9 +655,11 @@ IU_CHECK_MEMBERS([struct sockaddr_in.sin_len], , ,
       #include <netinet/in.h> ])
 IU_CHECK_MEMBERS([struct sockaddr_in6.sin6_len], , ,
     [ #include <sys/types.h>
+      #include <sys/socket.h>
       #include <netinet/in.h> ])
 IU_CHECK_MEMBERS([struct sockaddr_storage.ss_len], , ,
     [ #include <sys/types.h>
+      #include <sys/socket.h>
       #include <netinet/in.h> ])
 
 if test "$ac_cv_header_utmp_h" = yes; then
@@ -1003,7 +1005,8 @@ ${rcp_BUILD:+$KERBEROS_VERSION}
 ${rlogin_BUILD:+$KERBEROS_VERSION}
     rsh            ${enable_rsh}  \
 ${rshd_BUILD:+$KERBEROS_VERSION}
-    talk           ${enable_talk}
+    talk           ${enable_talk}  \
+${talk_BUILD:+$LIBCURSES}
     telnet         ${enable_telnet}  \
 ${telnet_BUILD:+${KERBEROS_VERSION:+$KERBEROS_VERSION }$LIBTERMCAP}
     tftp           ${enable_tftp}
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index bce878d..457c2bc 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -1518,7 +1518,7 @@ transfer parameters: @code{mode}, @code{form}, and 
@code{struct}.
 @node The .netrc File
 @section The @file{.netrc} File
 
-The @code{.netrc} file contains login and initialization information
+The @file{.netrc} file contains login and initialization information
 used by the auto-login process.  It resides in the user's home
 directory.  The following tokens are recognized; they may be separated
 by spaces, tabs, or new-lines:
@@ -2424,8 +2424,8 @@ from the socket and create a new socket connected to the 
peer.  It
 should fork, and the parent should then exit to allow inetd to check
 for new service requests to spawn new servers.  Datagram servers which
 process all incoming datagrams on a socket and eventually time out are
-said to be ``single-threaded''.  @command{comsat} and talkd are both
-examples of the latter type of datagram server.  @command{tftpd} is an
+said to be ``single-threaded''.  @command{comsat} and @command{talkd} are
+both examples of the latter type of datagram server.  @command{tftpd} is an
 example of a multi-threaded datagram server.
 
 Servers using stream sockets generally are multi-threaded and use the
@@ -3639,6 +3639,7 @@ on the connection associated with the stderr, and is not 
...
 @samp{Password incorrect} is a security breach which allows people to
 probe a system for users with null passwords.
 
+
 @node talkd invocation
 @chapter @command{talkd}: a server for communication between users
 @cindex talkd
@@ -3646,11 +3647,12 @@ probe a system for users with null passwords.
 @command{talkd} is the server that notifies a user that someone else
 wants to initiate a conversation.  It acts as a repository of
 invitations, responding to requests by clients wishing to rendezvous
-to hold a conversation.
+in order to hold a conversation.
 
address@hidden
-talkd address@hidden@dots{}
address@hidden example
address@hidden Invoking
+This implementation uses the newer protocol specification @samp{ntalk},
+and is intended to be invoked by a super-server @command{inetd} at that
+datagram port.  The following switches and options are available.
 
 @table @option
 @item -a @var{file}
@@ -3660,7 +3662,7 @@ talkd address@hidden@dots{}
 Read site-wide ACLs from @var{file}.
 
 @item -d
address@hidden --debug
address@hidden --debug
 @opindex --debug
 @opindex --d
 Enable debugging.
@@ -3669,26 +3671,35 @@ Enable debugging.
 @itemx address@hidden
 @opindex -i
 @opindex --idle-timeout
-Set idle timeout value.
+Set idle timeout length
+
address@hidden -l
address@hidden --logging
address@hidden -i
address@hidden --logging
+Enable a somewhat enhanced logging verbosity, reporting
+some more unexpected events that might arise.
 
 @item -r @var{seconds}
 @itemx address@hidden
 @opindex -r
 @opindex --request-ttl
-Set request time-to-live value.
+Set time-to-live length for requests.
 
 @item -t @var{seconds}
address@hidden address@hidden
address@hidden address@hidden
 @opindex -t
 @opindex --timeout
-Set timeout value.
+Set timeout length.
 @end table
 
address@hidden Modus operandi
+
 In normal operation, a client, the caller, initiates a rendezvous by
-sending a @code{CTL_MSG} to the server of type @samp{LOOK_UP} (see
+sending a @code{CTL_MSG} of type @samp{LOOK_UP} to the server (see
 @file{protocols/talkd.h}).  This causes the server to search its
-invitation tables to check if an invitation currently exists for the
-caller (to speak to the callee specified in the message).  If the
+invitation tables to check whether an invitation currently exists for the
+caller (wanting to talk to the callee specified in the message).  If the
 lookup fails, the caller then sends an @samp{ANNOUNCE} message causing
 the server to broadcast an announcement on the callee's login ports
 requesting contact.  When the callee responds, the local server uses
@@ -3696,6 +3707,41 @@ the recorded invitation to respond with the appropriate 
rendezvous
 address and the caller and callee client programs establish a stream
 connection through which the conversation takes place.
 
+This implementation inserts an additional preparation where a site-wide
+access control list can be used to limit service access in general, and
+for any local user, i.e., present on the server's system, a further user
+owned file @file{.talkd} is parsed if at all present, in order to even
+further fine tune access to this particular user.
+
address@hidden Access control in talkd
+
+The server can be run in a mode with additional access control,
+beyond the legacy capabilities of @command{ntalkd}.  This is done
+using the option @option{-a}, or equivalently @option{--acl}.
+The format of this access control is shared with the user specific
+file @file{.talkrc}.
+
+As is usual, indentation, empty lines, and lines whose first printable
+character is the hash character, are all ignored.  Each active line
+must contain at least two fields, an @code{action} and a @code{user-exp},
+where the only acceptable action types are @samp{allow} and @samp{deny}.
+The second field @code{user-exp} is a POSIX regular expression crafted
+to match user names of callers, i.e., the remote participant, for which
+the action applies.
+
address@hidden
+action user-exp [net-exp @dots{}]
address@hidden example
+
+Each line may be augmented by a net list, containing one or more
+expressions @code{net-exp}. Each of these is either the simple
+word @samp{any}, a full IPv4 address, or a full IPv4 address with
+an appended netmask.  The effect is to restrict the applicability
+of the rule to the specified address ranges, or to set an explicit
+wildcard match.  The absence of a net list is equivalent to specifying
+a single @samp{any}.
+
+
 @node telnetd invocation
 @chapter @command{telnetd}: Telnet server
 @cindex telnetd
diff --git a/talk/init_disp.c b/talk/init_disp.c
index 1611e13..dc58226 100644
--- a/talk/init_disp.c
+++ b/talk/init_disp.c
@@ -107,6 +107,7 @@ init_display (void)
   noecho ();
   crmode ();
 
+  signal (SIGQUIT, sig_sent);
   signal (SIGINT, sig_sent);
   signal (SIGPIPE, sig_sent);
 
diff --git a/talkd/acl.c b/talkd/acl.c
index 168d5ea..501239e 100644
--- a/talkd/acl.c
+++ b/talkd/acl.c
@@ -34,9 +34,6 @@ struct netdef
   unsigned int netmask;
 };
 
-#define ACT_ALLOW  0
-#define ACT_DENY   1
-
 typedef struct acl acl_t;
 
 struct acl
@@ -119,7 +116,7 @@ netdef_parse (char *str)
   netdef = malloc (sizeof *netdef);
   if (!netdef)
     {
-      syslog (LOG_ERR, "out of memory");
+      syslog (LOG_ERR, "Out of memory");
       exit (EXIT_FAILURE);
     }
 
@@ -131,7 +128,7 @@ netdef_parse (char *str)
 }
 
 void
-read_acl (char *config_file)
+read_acl (char *config_file, int silent)
 {
   FILE *fp;
   int line;
@@ -144,7 +141,8 @@ read_acl (char *config_file)
   fp = fopen (config_file, "r");
   if (!fp)
     {
-      syslog (LOG_ERR, "can't open config file %s: %m", config_file);
+      if (!silent)
+       syslog (LOG_ERR, "Cannot open config file %s: %m", config_file);
       return;
     }
 
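Review bot: When `silent` is zero — the site-wide file given with `-a` — an unopenable file is logged but `read_acl` still returns with nothing loaded, and `acl_match` then falls through to `ACL_ALLOW` (last hunk of this file), so a mistyped path or a permission error silently turns the intended restriction into open access. Make that branch fatal, as this file already does for out-of-memory: `exit (EXIT_FAILURE);` after the syslog call. For the per-user case, silence only a missing file, `if (!silent || errno != ENOENT)`, so an existing but unreadable `.talkrc` still shows up in the log. The skip-and-continue branches in the next hunk have the same fail-open shape, where a typo in a `deny' rule quietly drops that rule; read_acl continues outside the hunk.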
@@ -178,19 +176,19 @@ read_acl (char *config_file)
        }
 
       if (strcmp (argv[0], "allow") == 0)
-       action = ACT_ALLOW;
+       action = ACL_ALLOW;
       else if (strcmp (argv[0], "deny") == 0)
-       action = ACT_DENY;
+       action = ACL_DENY;
       else
        {
-         syslog (LOG_ERR, "%s:%d: unknown keyword", config_file, line);
+         syslog (LOG_WARNING, "%s:%d: unknown keyword", config_file, line);
          argcv_free (argc, argv);
          continue;
        }
 
       if (regcomp (&re, argv[1], 0) != 0)
        {
-         syslog (LOG_ERR, "%s:%d: bad regexp", config_file, line);
+         syslog (LOG_WARNING, "%s:%d: bad regexp", config_file, line);
          argcv_free (argc, argv);
          continue;
        }
@@ -217,7 +215,7 @@ read_acl (char *config_file)
       acl = malloc (sizeof *acl);
       if (!acl)
        {
-         syslog (LOG_CRIT, "out of memory");
+         syslog (LOG_ERR, "Out of memory");
          exit (EXIT_FAILURE);
        }
       acl->next = NULL;
@@ -251,14 +249,14 @@ open_users_acl (char *name)
            2 /* Null and separator.  */ );
   if (!filename)
     {
-      syslog (LOG_ERR, "out of memory");
+      syslog (LOG_ERR, "Out of memory");
       return NULL;
     }
 
   sprintf (filename, "%s/%s", pw->pw_dir, USER_ACL_NAME);
 
   mark = acl_tail;
-  read_acl (filename);
+  read_acl (filename, 1);
   free (filename);
   return mark;
 }
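Review bot: `read_acl (filename, 1)` opens a file under the user's home directory with the daemon's own credentials, and `fopen` follows symbolic links, so whatever the user points `.talkrc` at is handed to the line parser and to `regcomp`. If talkd runs with elevated privileges (not visible here), open the user file with `O_NOFOLLOW`, `fstat` it, and parse it only when it is a regular file owned by `pw->pw_uid`, or perform the read with that user's privileges. open_users_acl starts outside the hunk.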
@@ -329,5 +327,5 @@ acl_match (CTL_MSG * msg, struct sockaddr_in *sa_in)
        }
     }
   discard_acl (mark);
-  return ACT_ALLOW;
+  return ACL_ALLOW;
 }
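Review bot: The closing `return ACL_ALLOW` is the daemon's default verdict and deserves a comment, because process.c only tests `== ACL_DENY` and a reader there cannot tell what an empty or exhausted rule list yields: `/* No rule matched: the default policy is to allow.  A site wanting default-deny must end its ACL with a catch-all deny rule.  */`. This assumes the loop above returns ACL_DENY on a matching deny rule; its body is outside the hunk, as is the start of acl_match.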
diff --git a/talkd/announce.c b/talkd/announce.c
index 5fce5c3..7bf1818 100644
--- a/talkd/announce.c
+++ b/talkd/announce.c
@@ -116,7 +116,7 @@ print_mesg (char *tty, CTL_MSG * request, char 
*remote_machine)
 
   if ((cp = ttymsg (&iovec, 1, tty, RING_WAIT - 5)) != NULL)
     {
-      syslog (LOG_CRIT, "%s", cp);
+      syslog (LOG_ERR, "%s", cp);
       return FAILED;
     }
   return SUCCESS;
@@ -136,7 +136,7 @@ announce (CTL_MSG * request, char *remote_machine)
   ttypath = malloc (len);
   if (!ttypath)
     {
-      syslog (LOG_CRIT, "out of memory");
+      syslog (LOG_ERR, "Out of memory");
       exit (EXIT_FAILURE);
     }
   sprintf (ttypath, "%s/%s", PATH_DEV, request->r_tty);
diff --git a/talkd/intalkd.h b/talkd/intalkd.h
index 338e7f8..30b8b95 100644
--- a/talkd/intalkd.h
+++ b/talkd/intalkd.h
@@ -39,7 +39,11 @@
 
 #define USER_ACL_NAME ".talkrc"
 
+#define ACL_ALLOW  0
+#define ACL_DENY   1
+
 extern int debug;
+extern int logging;
 extern unsigned int timeout;
 extern time_t max_idle_time;
 extern time_t max_request_ttl;
@@ -58,6 +62,6 @@ extern int print_response (const char *cp, CTL_RESPONSE * rp);
 extern int insert_table (CTL_MSG * request, CTL_RESPONSE * response);
 extern int delete_invite (unsigned long id_num);
 extern int new_id (void);
-extern void read_acl (char *config_file);
+extern void read_acl (char *config_file, int silent);
 extern int acl_match (CTL_MSG * msg, struct sockaddr_in *sa_in);
 extern int announce (CTL_MSG * request, char *remote_machine);
diff --git a/talkd/process.c b/talkd/process.c
index f291599..4b180f0 100644
--- a/talkd/process.c
+++ b/talkd/process.c
@@ -31,24 +31,13 @@ process_request (CTL_MSG * msg, struct sockaddr_in *sa_in, 
CTL_RESPONSE * rp)
 {
   CTL_MSG *ptr;
 
-  if (debug)
-    {
-      print_request ("process_request", msg);
-    }
-
-  if (acl_match (msg, sa_in))
-    {
-      syslog (LOG_NOTICE, "dropping request: address@hidden",
-             msg->l_name, inet_ntoa (sa_in->sin_addr));
-      return 1;
-    }
-
   rp->vers = TALK_VERSION;
   rp->type = msg->type;
   rp->id_num = htonl (0);
   if (msg->vers != TALK_VERSION)
     {
-      syslog (LOG_ERR, "Bad protocol version %d", msg->vers);
+      if (logging || debug)
+       syslog (LOG_NOTICE, "Bad protocol version %d", msg->vers);
       rp->answer = BADVERSION;
       return 0;
     }
@@ -57,20 +46,38 @@ process_request (CTL_MSG * msg, struct sockaddr_in *sa_in, 
CTL_RESPONSE * rp)
   msg->addr.sa_family = ntohs (msg->addr.sa_family);
   if (msg->addr.sa_family != AF_INET)
     {
-      syslog (LOG_ERR, "Bad address, family %d", msg->addr.sa_family);
+      if (logging || debug)
+       syslog (LOG_NOTICE, "Bad address, family %d", msg->addr.sa_family);
       rp->answer = BADADDR;
       return 0;
     }
   msg->ctl_addr.sa_family = ntohs (msg->ctl_addr.sa_family);
   if (msg->ctl_addr.sa_family != AF_INET)
     {
-      syslog (LOG_WARNING, "Bad control address, family %d",
-             msg->ctl_addr.sa_family);
+      if (logging || debug)
+       syslog (LOG_NOTICE, "Bad control address, family %d",
+               msg->ctl_addr.sa_family);
       rp->answer = BADCTLADDR;
       return 0;
     }
   /* FIXME: compare address and sa_in? */
 
+  if (acl_match (msg, sa_in) == ACL_DENY)
+    {
+      if (logging || debug)
+       syslog (LOG_NOTICE, "dropping request: address@hidden",
+               msg->l_name, inet_ntoa (sa_in->sin_addr));
+      /* Answer FAILED to minimise information leakage,
+       * since ACL has denied access.  */
+      rp->answer = FAILED;
+      return 0;
+    }
+
+  if (debug)
+    {
+      print_request ("process_request", msg);
+    }
+
   msg->pid = ntohl (msg->pid);
 
   switch (msg->type)
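Review bot: `msg->l_name` is printed with `%s` in the new ACL branch and is presumably what `acl_match` feeds to the regex matcher, yet it arrives straight from the datagram; if `l_name` is a fixed-size array (its declaration is not visible here) nothing guarantees NUL termination, so add `msg->l_name[sizeof msg->l_name - 1] = '\0';` — and the same for the other name fields — before the ACL check. Separately, a denial is now logged only under `logging || debug`, which makes the one security-relevant decision in this function invisible in a default installation; consider logging denials unconditionally at LOG_NOTICE, or state in the `-l` help text that denied requests are otherwise silent. process_request continues outside the hunk.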
diff --git a/talkd/table.c b/talkd/table.c
index b3e9363..24f6829 100644
--- a/talkd/table.c
+++ b/talkd/table.c
@@ -156,7 +156,7 @@ insert_table (CTL_MSG * request, CTL_RESPONSE * response)
   ptr = malloc (sizeof *ptr);
   if (!ptr)
     {
-      syslog (LOG_CRIT, "out of memory");
+      syslog (LOG_ERR, "Out of memory");
       exit (EXIT_FAILURE);
     }
 
diff --git a/talkd/talkd.c b/talkd/talkd.c
index 436414b..227149d 100644
--- a/talkd/talkd.c
+++ b/talkd/talkd.c
@@ -35,6 +35,7 @@ void talkd_run (int fd);
 
 /* Configurable parameters: */
 int debug;
+int logging;
 unsigned int timeout = 30;
 time_t max_idle_time = 120;
 time_t max_request_ttl = MAX_LIFE;
@@ -43,7 +44,7 @@ char *acl_file;
 char *hostname;
 
 const char args_doc[] = "";
-const char doc[] = "Talk daemon.";
+const char doc[] = "Talk daemon, using service `ntalk'.";
 const char *program_authors[] = {
        "Sergey Poznyakoff",
        NULL
@@ -54,6 +55,7 @@ static struct argp_option argp_options[] = {
   {"debug", 'd', NULL, 0, "enable debugging", GRP+1},
   {"idle-timeout", 'i', "SECONDS", 0, "set idle timeout value to SECONDS",
    GRP+1},
+  {"logging", 'l', NULL, 0, "enable more syslog reporting", GRP+1},
   {"request-ttl", 'r', "SECONDS", 0, "set request time-to-live value to "
    "SECONDS", GRP+1},
   {"timeout", 't', "SECONDS", 0, "set timeout value to SECONDS", GRP+1},
@@ -74,6 +76,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
       debug++;
       break;
 
+    case 'l':
+      logging++;
+      break;
+
     case 't':
       timeout = strtoul (arg, NULL, 0);
       break;
@@ -103,9 +109,9 @@ main (int argc, char *argv[])
   iu_argp_init ("talkd", program_authors);
   argp_parse (&argp, argc, argv, 0, NULL, NULL);
 
-  read_acl (acl_file);
+  read_acl (acl_file, 0);
   talkd_init ();
-  talkd_run (0);
+  talkd_run (STDIN_FILENO);
   return 0;
 }
 
@@ -116,7 +122,7 @@ talkd_init (void)
   hostname = localhost ();
   if (!hostname)
     {
-      syslog (LOG_ERR, "can't determine my hostname: %m");
+      syslog (LOG_ERR, "Cannot determine my hostname: %m");
       exit (EXIT_FAILURE);
     }
 }
@@ -126,9 +132,12 @@ time_t last_msg_time;
 static void
 alarm_handler (int err _GL_UNUSED_PARAMETER)
 {
+  int oerrno = errno;
+
   if ((time (NULL) - last_msg_time) >= max_idle_time)
     exit (EXIT_SUCCESS);
   alarm (timeout);
+  errno = oerrno;
 }
 
 void
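Review bot: `exit (EXIT_SUCCESS)` on the line before `alarm (timeout)` remains the async-signal-safety problem in this handler: `exit` runs atexit handlers and flushes stdio, which is not permitted from a signal handler, while the added errno save/restore only protects the non-exiting path. `_exit (EXIT_SUCCESS)` is async-signal-safe, provided nothing in talkd relies on atexit cleanup (nothing visible here does); alternatively set a `volatile sig_atomic_t` flag here and let talkd_run leave its loop when recvfrom fails with EINTR.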
@@ -149,8 +158,8 @@ talkd_run (int fd)
        recvfrom (fd, &msg, sizeof msg, 0, (struct sockaddr *) &sa_in, &len);
       if (rc != sizeof msg)
        {
-         if (rc < 0 && errno != EINTR)
-           syslog (LOG_WARNING, "recvfrom: %m");
+         if (rc < 0 && errno != EINTR && (logging || debug))
+           syslog (LOG_NOTICE, "recvfrom: %m");
          continue;
        }
       last_msg_time = time (NULL);
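Review bot: With `-l` given, a datagram whose length is not `sizeof msg` is still dropped silently, because the added `logging || debug` condition only reaches the `rc < 0` case; malformed or truncated requests are exactly the events that enhanced logging is meant to expose. Add `else if (logging || debug) syslog (LOG_NOTICE, "Dropping datagram of %d bytes", (int) rc);` before the `continue` (rc's declaration is outside the hunk, hence the cast). talkd_run's loop continues outside the hunk.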
@@ -159,8 +168,8 @@ talkd_run (int fd)
          rc = sendto (fd, &resp, sizeof resp, 0,
                       (struct sockaddr *) &msg.ctl_addr,
                       sizeof (msg.ctl_addr));
-         if (rc != sizeof resp)
-           syslog (LOG_WARNING, "sendto: %m");
+         if (rc != sizeof resp && (logging || debug))
+           syslog (LOG_NOTICE, "sendto: %m");
        }
     }
 }

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog          |   43 +++++++++++++++++++++++++++++
 configure.ac       |    5 +++-
 doc/inetutils.texi |   76 +++++++++++++++++++++++++++++++++++++++++----------
 talk/init_disp.c   |    1 +
 talkd/acl.c        |   26 ++++++++---------
 talkd/announce.c   |    4 +-
 talkd/intalkd.h    |    6 +++-
 talkd/process.c    |   39 +++++++++++++++-----------
 talkd/table.c      |    2 +-
 talkd/talkd.c      |   25 +++++++++++-----
 10 files changed, 169 insertions(+), 58 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


