SHA256
3
0
forked from pool/tcpd

Accepting request 1009748 from home:dspinella:branches:network:utilities

- Add hosts.allow and hosts.deny config files from the netcfg package,
  as they are tcpd specific, bsc#1099755

OBS-URL: https://build.opensuse.org/request/show/1009748
OBS-URL: https://build.opensuse.org/package/show/network:utilities/tcpd?expand=0&rev=39
This commit is contained in:
Dirk Mueller 2022-10-13 07:00:32 +00:00 committed by Git OBS Bridge
parent c6feee8000
commit 181e1dee8b
4 changed files with 85 additions and 0 deletions

64
hosts.allow Normal file
View File

@ -0,0 +1,64 @@
# /etc/hosts.allow
# Make sure package tcpd is installed on your system for this to work.
# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
# short overview about daemons and servers that are built with
# tcp_wrappers support:
#
# package name | daemon path | token
# ----------------------------------------------------------------------------
# ssh, openssh | /usr/sbin/sshd | sshd, sshd-fwd-x11, sshd-fwd-<port>
# quota | /usr/sbin/rpc.rquotad | rquotad
# tftpd | /usr/sbin/in.tftpd | in.tftpd
# portmap | /sbin/portmap | portmap
# The portmapper does not verify against hostnames
# to prevent hangs. It only checks non-local addresses.
#
# (kernel nfs server)
# nfs-utils | /usr/sbin/rpc.mountd | mountd
# nfs-utils | /sbin/rpc.statd | statd
#
# (unfsd, userspace nfs server)
# nfs-server | /usr/sbin/rpc.mountd | rpc.mountd
# nfs-server | /usr/sbin/rpc.ugidd | rpc.ugidd
#
# (printing services)
# lprng | /usr/sbin/lpd | lpd
# cups | /usr/sbin/cupsd | cupsd
# The cupsd server daemon reports to the cups
# error logs, not to the syslog(3) facility.
#
# (Uniterrupted Power Supply Software)
# apcupsd | /sbin/apcupsd | apcupsd
# apcupsd | /sbin/apcnisd | apcnisd
#
# All of the other network servers such as samba, apache or X, have their own
# access control scheme that should be used instead.
#
# In addition to the services above, the services that are started on request
# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
# the last component of the server pathname as a token to match a service in
# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
# The following examples work when uncommented:
#
#
# Example 1: Fire up a mail to the admin if a connection to the printer daemon
# has been made from host foo.bar.com, but simply deny all others:
# lpd : foo.bar.com : spawn /bin/echo "%h printer access" | \
# mail -s "tcp_wrappers on %H" root
#
#
# Example 2: grant access from local net, reject with message from elsewhere.
# in.telnetd : ALL EXCEPT LOCAL : ALLOW
# in.telnetd : ALL : \
# twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2
#
#
# Example 3: run a different instance of rsyncd if the connection comes
# from network 172.20.0.0/24, but regular for others:
# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
# rsyncd : ALL : ALLOW
#

7
hosts.deny Normal file
View File

@ -0,0 +1,7 @@
# /etc/hosts.deny
# Make sure package tcpd is installed on your system for this to work.
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Oct 11 09:34:37 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Add hosts.allow and hosts.deny config files from the netcfg package,
as they are tcpd specific, bsc#1099755
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 5 14:42:10 UTC 2022 - Ludwig Nussel <lnussel@suse.de> Mon Sep 5 14:42:10 UTC 2022 - Ludwig Nussel <lnussel@suse.de>

View File

@ -27,6 +27,8 @@ Group: Productivity/Networking/System
URL: ftp://ftp.porcupine.org/pub/security/index.html URL: ftp://ftp.porcupine.org/pub/security/index.html
Source: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_%{version}.tar.gz Source: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_%{version}.tar.gz
Source2: baselibs.conf Source2: baselibs.conf
Source3: hosts.allow
Source4: hosts.deny
Patch0: tcp_wrappers_%{version}.diff Patch0: tcp_wrappers_%{version}.diff
Patch1: tcp_wrappers_%{version}-ipv6-1.6.diff Patch1: tcp_wrappers_%{version}-ipv6-1.6.diff
Patch2: tcp_wrappers_%{version}-ipv6-fix.diff Patch2: tcp_wrappers_%{version}-ipv6-fix.diff
@ -155,6 +157,10 @@ install -m 644 tcpd.8 tcpdchk.8 tcpdmatch.8 %{buildroot}%{_mandir}/man8
install -m 644 shared/libwrap.so.0.%{version} %{buildroot}/%{_libdir} install -m 644 shared/libwrap.so.0.%{version} %{buildroot}/%{_libdir}
ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so.0 ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so.0
ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
mkdir -p %{buildroot}%{_sysconfdir}
for i in hosts.allow hosts.deny; do
install $RPM_SOURCE_DIR/$i %{buildroot}/%{_sysconfdir}
done
%post -n %{lname} -p /sbin/ldconfig %post -n %{lname} -p /sbin/ldconfig
@ -170,6 +176,8 @@ ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
%defattr(-,root,root) %defattr(-,root,root)
%doc DISCLAIMER %doc DISCLAIMER
%attr(755,root,root) %{_libdir}/libwrap.so.0* %attr(755,root,root) %{_libdir}/libwrap.so.0*
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.allow
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.deny
%files devel %files devel
%defattr(644,root,root,755) %defattr(644,root,root,755)