Accepting request 1009748 from home:dspinella:branches:network:utilities

- Add hosts.allow and hosts.deny config files from the netcfg package, as they are tcpd specific, bsc#1099755 OBS-URL: https://build.opensuse.org/request/show/1009748 OBS-URL: https://build.opensuse.org/package/show/network:utilities/tcpd?expand=0&rev=39
2022-10-13 07:00:32 +00:00 · 2022-10-13 07:00:32 +00:00 · 181e1dee8b
commit 181e1dee8b
parent c6feee8000
4 changed files with 85 additions and 0 deletions
--- a/hosts.allow
+++ b/hosts.allow
@ -0,0 +1,64 @@
+# /etc/hosts.allow
+# Make sure package tcpd is installed on your system for this to work.
+# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
+# of /etc/hosts.allow and /etc/hosts.deny.
+#
+# short overview about daemons and servers that are built with
+# tcp_wrappers support:
+# 
+# package name  |       daemon path     |       token
+# ----------------------------------------------------------------------------
+# ssh, openssh  |  /usr/sbin/sshd       |  sshd, sshd-fwd-x11, sshd-fwd-<port>
+# quota         | /usr/sbin/rpc.rquotad |  rquotad
+# tftpd         | /usr/sbin/in.tftpd    |  in.tftpd
+# portmap       |  /sbin/portmap        |  portmap
+#                       The portmapper does not verify against hostnames
+#                       to prevent hangs. It only checks non-local addresses.
+# 
+# (kernel nfs server)
+# nfs-utils     |  /usr/sbin/rpc.mountd |  mountd
+# nfs-utils     |  /sbin/rpc.statd      |  statd
+#
+# (unfsd, userspace nfs server)
+# nfs-server    |  /usr/sbin/rpc.mountd |  rpc.mountd
+# nfs-server    |  /usr/sbin/rpc.ugidd  |  rpc.ugidd
+#
+# (printing services)
+# lprng         |  /usr/sbin/lpd        |  lpd
+# cups          |  /usr/sbin/cupsd      |  cupsd
+#                       The cupsd server daemon reports to the cups
+#                       error logs, not to the syslog(3) facility.
+#
+# (Uniterrupted Power Supply Software)
+# apcupsd       |  /sbin/apcupsd        |  apcupsd
+# apcupsd       |  /sbin/apcnisd        |  apcnisd
+# 
+# All of the other network servers such as samba, apache or X, have their own
+# access control scheme that should be used instead.
+#
+# In addition to the services above, the services that are started on request 
+# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
+# the last component of the server pathname as a token to match a service in
+# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
+# The following examples work when uncommented:
+#
+#
+# Example 1: Fire up a mail to the admin if a connection to the printer daemon
+# has been made from host foo.bar.com, but simply deny all others:
+# lpd : foo.bar.com : spawn /bin/echo "%h printer access" | \
+#                               mail -s "tcp_wrappers on %H" root
+# 
+#
+# Example 2: grant access from local net, reject with message from elsewhere.
+# in.telnetd : ALL EXCEPT LOCAL : ALLOW
+# in.telnetd : ALL : \
+#    twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2
+#
+#
+# Example 3: run a different instance of rsyncd if the connection comes 
+#            from network 172.20.0.0/24, but regular for others:
+# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
+# rsyncd : ALL : ALLOW
+#
+
+
--- a/hosts.deny
+++ b/hosts.deny
@ -0,0 +1,7 @@
+# /etc/hosts.deny
+# Make sure package tcpd is installed on your system for this to work.
+# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
+# for a detailed description.
+
+http-rman : ALL EXCEPT LOCAL
+
--- a/tcpd.changes
+++ b/tcpd.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 11 09:34:37 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Add hosts.allow and hosts.deny config files from the netcfg package,
+  as they are tcpd specific, bsc#1099755
+
 -------------------------------------------------------------------
 Mon Sep  5 14:42:10 UTC 2022 - Ludwig Nussel <lnussel@suse.de>

--- a/tcpd.spec
+++ b/tcpd.spec
@ -27,6 +27,8 @@ Group:          Productivity/Networking/System
 URL:            ftp://ftp.porcupine.org/pub/security/index.html
 Source:         ftp://ftp.porcupine.org/pub/security/tcp_wrappers_%{version}.tar.gz
 Source2:        baselibs.conf
+Source3:        hosts.allow
+Source4:        hosts.deny
 Patch0:         tcp_wrappers_%{version}.diff
 Patch1:         tcp_wrappers_%{version}-ipv6-1.6.diff
 Patch2:         tcp_wrappers_%{version}-ipv6-fix.diff
@ -155,6 +157,10 @@ install -m 644 tcpd.8 tcpdchk.8 tcpdmatch.8 %{buildroot}%{_mandir}/man8
 install -m 644 shared/libwrap.so.0.%{version} %{buildroot}/%{_libdir}
 ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so.0
 ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
+mkdir -p %{buildroot}%{_sysconfdir}
+for i in hosts.allow hosts.deny; do
+  install $RPM_SOURCE_DIR/$i %{buildroot}/%{_sysconfdir}
+done

 %post -n %{lname} -p /sbin/ldconfig

@ -170,6 +176,8 @@ ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
 %defattr(-,root,root)
 %doc DISCLAIMER
 %attr(755,root,root) %{_libdir}/libwrap.so.0*
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.allow
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.deny

 %files devel
 %defattr(644,root,root,755)