core: remove tcpwrap support

tcpwrap is legacy code that is barely maintained upstream. Its APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) is questionable. We should not support this natively in
systemd.

Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost.
This commit is contained in:
Lennart Poettering 2014-03-24 20:07:42 +01:00
parent 1cfc57e884
commit 7f8aa67131
16 changed files with 5 additions and 216 deletions


@ -1019,8 +1019,6 @@ libsystemd_core_la_SOURCES = \
src/core/condition.h \
src/core/namespace.c \
src/core/namespace.h \
src/core/tcpwrap.c \
src/core/tcpwrap.h \
src/core/build.h \
src/core/sysfs-show.h \
src/core/switch-root.h \
@ -1046,7 +1044,6 @@ nodist_libsystemd_core_la_SOURCES = \
libsystemd_core_la_CFLAGS = \
$(AM_CFLAGS) \
$(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
@ -1062,7 +1059,6 @@ libsystemd_core_la_LIBADD = \
libudev-internal.la \
libsystemd-shared.la \
libsystemd-internal.la \
$(LIBWRAP_LIBS) \
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \

1
README

@ -111,7 +111,6 @@ REQUIREMENTS:
libattr (optional)
libselinux (optional)
liblzma (optional)
tcpwrappers (optional)
libgcrypt (optional)
libqrencode (optional)
libmicrohttpd (optional)

2
TODO

@ -550,7 +550,7 @@ Features:
* for services: don't set $HOME in services unless requested
* hide PAM/TCPWrap options in fragment parser when compile time disabled
* hide PAM options in fragment parser when compile time disabled
* when we automatically restart a service, ensure we restart its rdeps, too.


@ -430,32 +430,6 @@ if test "x$enable_xz" != "xno"; then
fi
AM_CONDITIONAL(HAVE_XZ, [test "$have_xz" = "yes"])
# ------------------------------------------------------------------------------
AC_ARG_ENABLE([tcpwrap],
AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
[case "${enableval}" in
yes) have_tcpwrap=yes ;;
no) have_tcpwrap=no ;;
*) AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap) ;;
esac],
[have_tcpwrap=auto])
if test "x${have_tcpwrap}" != xno ; then
ACX_LIBWRAP
if test "x${LIBWRAP_LIBS}" = x ; then
if test "x$have_tcpwrap" = xyes ; then
AC_MSG_ERROR([*** TCP wrappers support not found.])
fi
have_tcpwrap=no
else
M4_DEFINES="$M4_DEFINES -DHAVE_LIBWRAP"
have_tcpwrap=yes
fi
else
LIBWRAP_LIBS=
fi
AC_SUBST(LIBWRAP_LIBS)
# ------------------------------------------------------------------------------
AC_ARG_ENABLE([pam],
AS_HELP_STRING([--disable-pam],[Disable optional PAM support]),
@ -1130,7 +1104,6 @@ AC_MSG_RESULT([
$PACKAGE_NAME $VERSION
libcryptsetup: ${have_libcryptsetup}
tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
IMA: ${have_ima}


@ -1,19 +0,0 @@
AC_DEFUN([ACX_LIBWRAP], [
LIBWRAP_LIBS=
saved_LIBS="$LIBS"
LIBS="$LIBS -lwrap"
AC_MSG_CHECKING([for tcpwrap library and headers])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[#include <tcpd.h>
#include <syslog.h>
int allow_severity = LOG_INFO;
int deny_severity = LOG_WARNING;],
[struct request_info *req;
return hosts_access (req);])],
[AC_DEFINE(HAVE_LIBWRAP, [], [Have tcpwrap?])
LIBWRAP_LIBS="-lwrap"
AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)])
LIBS="$saved_LIBS"
])


@ -686,31 +686,6 @@
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TCPWrapName=</varname></term>
<listitem><para>If this is a
socket-activated service, this sets the
tcpwrap service name to check the
permission for the current connection
with. This is only useful in
conjunction with socket-activated
services, and stream sockets (TCP) in
particular. It has no effect on other
socket types (e.g. datagram/UDP) and
on processes unrelated to socket-based
activation. If the tcpwrap
verification fails, daemon start-up
will fail and the connection is
terminated. See
<citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details. Note that this option may
be used to do access control checks
only. Shell commands and commands
described in
<citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
are not supported.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>


@ -27,12 +27,6 @@
#define _PAM_FEATURE_ "-PAM"
#endif
#ifdef HAVE_LIBWRAP
#define _LIBWRAP_FEATURE_ "+LIBWRAP"
#else
#define _LIBWRAP_FEATURE_ "-LIBWRAP"
#endif
#ifdef HAVE_AUDIT
#define _AUDIT_FEATURE_ "+AUDIT"
#else
@ -93,4 +87,4 @@
#define _SECCOMP_FEATURE_ "-SECCOMP"
#endif
#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_


@ -618,7 +618,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("TCPWrapName", "s", NULL, offsetof(ExecContext, tcpwrap_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadOnlyDirectories", "as", NULL, offsetof(ExecContext, read_only_dirs), SD_BUS_VTABLE_PROPERTY_CONST),


@ -69,7 +69,6 @@
#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
#include "tcpwrap.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
@ -1362,23 +1361,6 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
if (context->tcpwrap_name) {
if (socket_fd >= 0)
if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
err = -EACCES;
r = EXIT_TCPWRAP;
goto fail_child;
}
for (i = 0; i < (int) n_fds; i++) {
if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
err = -EACCES;
r = EXIT_TCPWRAP;
goto fail_child;
}
}
}
exec_context_tty_reset(context);
if (confirm_spawn) {
@ -1878,9 +1860,6 @@ void exec_context_done(ExecContext *c) {
free(c->tty_path);
c->tty_path = NULL;
free(c->tcpwrap_name);
c->tcpwrap_name = NULL;
free(c->syslog_identifier);
c->syslog_identifier = NULL;
@ -2148,11 +2127,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
if (c->tcpwrap_name)
fprintf(f,
"%sTCPWrapName: %s\n",
prefix, c->tcpwrap_name);
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",


@ -113,8 +113,6 @@ struct ExecContext {
nsec_t timer_slack_nsec;
char *tcpwrap_name;
char *tty_path;
bool tty_reset;


@ -84,9 +84,6 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
$1.Personality, config_parse_personality, 0, offsetof($1, exec_context.personality)
$1.RuntimeDirectoryMode, config_parse_mode, 0, offsetof($1, exec_context.runtime_directory_mode)
$1.RuntimeDirectory, config_parse_runtime_directory, 0, offsetof($1, exec_context.runtime_directory)
m4_ifdef(`HAVE_LIBWRAP',
`$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)',
`$1.TCPWrapName, config_parse_warn_compat, 0, 0')
m4_ifdef(`HAVE_PAM',
`$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)',
`$1.PAMName, config_parse_warn_compat, 0, 0')
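Review bot: Dropping the `config_parse_warn_compat` fallback together with the HAVE_LIBWRAP branch means a unit file that still carries `TCPWrapName=` is no longer flagged as a removed setting; as far as I can tell it will only be reported as an unknown key, and the per-connection access check that setting used to imply silently stops happening. Since the commit message points users to tcpd instead, it would be worth keeping an explicit entry such as `$1.TCPWrapName, config_parse_warn_compat, 0, 0` so the parser tells them the option is gone and they need to migrate. Note that config_parse_warn_compat is only compiled under the `#if !defined(...)` guard in load-fragment.c, so an unconditional entry here would need that function to be available unconditionally as well.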


@ -64,7 +64,7 @@
#include "seccomp-util.h"
#endif
#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
int config_parse_warn_compat(
const char *unit,
const char *filename,
@ -3328,7 +3328,7 @@ void unit_dump_config_items(FILE *f) {
const ConfigParserCallback callback;
const char *rvalue;
} table[] = {
#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
{ config_parse_warn_compat, "NOTSUPPORTED" },
#endif
{ config_parse_int, "INTEGER" },


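--- a/src/core/tcpwrap.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-/***
-This file is part of systemd.
-Copyright 2010 Lennart Poettering
-systemd is free software; you can redistribute it and/or modify it
-under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2.1 of the License, or
-(at your option) any later version.
-systemd is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-You should have received a copy of the GNU Lesser General Public License
-along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#ifdef HAVE_LIBWRAP
-#include <tcpd.h>
-#endif
-#include "tcpwrap.h"
-#include "log.h"
-bool socket_tcpwrap(int fd, const char *name) {
-#ifdef HAVE_LIBWRAP
-struct request_info req;
-union {
-struct sockaddr sa;
-struct sockaddr_in in;
-struct sockaddr_in6 in6;
-struct sockaddr_un un;
-struct sockaddr_storage storage;
-} sa_union;
-socklen_t l = sizeof(sa_union);
-if (getsockname(fd, &sa_union.sa, &l) < 0)
-return true;
-if (sa_union.sa.sa_family != AF_INET &&
-sa_union.sa.sa_family != AF_INET6)
-return true;
-request_init(&req,
-RQ_DAEMON, name,
-RQ_FILE, fd,
-NULL);
-fromhost(&req);
-if (!hosts_access(&req)) {
-log_warning("Connection refused by tcpwrap.");
-return false;
-}
-log_debug("Connection accepted by tcpwrap.");
-#endif
-return true;
-}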


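--- a/src/core/tcpwrap.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-#pragma once
-/***
-This file is part of systemd.
-Copyright 2010 Lennart Poettering
-systemd is free software; you can redistribute it and/or modify it
-under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2.1 of the License, or
-(at your option) any later version.
-systemd is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-You should have received a copy of the GNU Lesser General Public License
-along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-#include <stdbool.h>
-bool socket_tcpwrap(int fd, const char *name);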


@ -113,9 +113,6 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_STDERR:
return "STDERR";
case EXIT_TCPWRAP:
return "TCPWRAP";
case EXIT_PAM:
return "PAM";


@ -64,7 +64,7 @@ typedef enum ExitStatus {
EXIT_SETSID, /* 220 */
EXIT_CONFIRM,
EXIT_STDERR,
EXIT_TCPWRAP,
_EXIT_RESERVED, /* used to be tcpwrap, don't reuse! */
EXIT_PAM,
EXIT_NETWORK,
EXIT_NAMESPACE,