[cups.development] [RFE] STR #263: tcpwrapper support
kssingvo.suse
kssingvo at suse.de
Mon Jul 28 03:51:49 PDT 2008
Hi,
thanks for integration.
A small and maybe helpful comment? When integrating the tcpwrapper patch
for cups-1.2.x, we noticed that the check should only be made for
AF_INET connections, and not for e.g. domain sockets.
I didn't check the implementation of the patch, and so I don't know
if it is related here.
Regards,
Klaus.
Michael Sweet wrote:
> [STR Closed w/Resolution]
>
> Fixed in Subversion repository.
>
> Link: http://www.cups.org/str.php?L263
> Version: 1.4-feature
> Fix Version: 1.4-current (r7798)
> Index: scheduler/client.c
> ===================================================================
> --- scheduler/client.c (revision 7797)
> +++ scheduler/client.c (working copy)
> @@ -76,7 +76,11 @@
> # include <gnutls/x509.h>
> #endif /* HAVE_GNUTLS */
>
> +#ifdef HAVE_TCPD_H
> +# include <tcpd.h>
> +#endif /* HAVE_TCPD_H */
>
> +
> /*
> * Local functions...
> */
> @@ -125,6 +129,9 @@
> char *hostname; /* Hostname for address */
> http_addr_t temp; /* Temporary address variable */
> static time_t last_dos = 0; /* Time of last DoS attack */
> +#ifdef HAVE_TCPD_H
> + struct request_info wrap_req; /* TCP wrappers request information */
> +#endif /* HAVE_TCPD_H */
>
>
> cupsdLogMessage(CUPSD_LOG_DEBUG2,
> @@ -240,7 +247,9 @@
> cupsdLogMessage(CUPSD_LOG_WARN,
> "Possible DoS attack - more than %d clients connecting "
> "from %s!",
> - MaxClientsPerHost, con->http.hostname);
> + MaxClientsPerHost,
> + httpAddrString(con->http.hostaddr, con->http.hostname,
> + sizeof(con->http.hostname)));
> }
>
> #ifdef WIN32
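Review bot: The new argument to the DoS warning formats the address into `con->http.hostname` itself, so the log call now overwrites a field of the connection as a side effect. That is harmless if the connection is dropped right afterwards (the `#ifdef WIN32` that follows suggests a close, but that code is outside the hunk), yet it is easy to misread. A comment above the call such as `/* hostname is not resolved yet - format the numeric address into it for the log */` would record the intent, assuming that is indeed the state at this point.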
> @@ -322,7 +331,8 @@
> * Do double lookups as needed...
> */
>
> - if ((addrlist = httpAddrGetList(con->http.hostname, AF_UNSPEC, NULL)) != NULL)
> + if ((addrlist = httpAddrGetList(con->http.hostname, AF_UNSPEC, NULL))
> + != NULL)
> {
> /*
> * See if the hostname maps to the same IP address...
> @@ -362,6 +372,34 @@
> }
> }
>
> +#ifdef HAVE_TCPD_H
> + /*
> + * See if the connection is denied by TCP wrappers...
> + */
> +
> + request_init(&wrap_req, RQ_DAEMON, "cupsd", RQ_FILE, con->http.fd, NULL);
> + fromhost(&wrap_req);
> +
> + if (!hosts_access(&wrap_req))
> + {
> + cupsdLogMessage(CUPSD_LOG_DEBUG2,
> + "cupsdAcceptClient: Closing connection %d...",
> + con->http.fd);
> +
> +#ifdef WIN32
> + closesocket(con->http.fd);
> +#else
> + close(con->http.fd);
> +#endif /* WIN32 */
> +
> + cupsdLogMessage(CUPSD_LOG_WARN,
> + "Connection from %s refused by /etc/hosts.allow and "
> + "/etc/hosts.deny rules.", con->http.hostname);
> + free(con);
> + return;
> + }
> +#endif /* HAVE_TCPD_H */
> +
> #ifdef AF_INET6
> if (con->http.hostaddr->addr.sa_family == AF_INET6)
> cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAcceptClient: %d from %s:%d (IPv6)",
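Review bot: The refusal warning at the end of the added block identifies the peer only by `con->http.hostname`, which by this point may hold a reverse-DNS name (the double-lookup code sits in the preceding hunk), so the audit record depends on data the remote side's DNS controls. Logging the numeric address as well would let the entry be matched against address-based hosts.allow/hosts.deny rules, e.g. a local `char addr[256];` and `httpAddrString(con->http.hostaddr, addr, sizeof(addr))` passed as a second `%s`. The warning is also written for every refused connection; the DoS warning in this function appears to be throttled through `last_dos`, and a similar limit here would keep a denied host from filling the error log. cupsdAcceptClient begins and ends outside the hunk.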
> Index: scheduler/Makefile
> ===================================================================
> --- scheduler/Makefile (revision 7797)
> +++ scheduler/Makefile (working copy)
> @@ -333,14 +333,15 @@
> $(CC) $(LDFLAGS) -o cupsd $(CUPSDOBJS) -L. -lcupsmime \
> $(LIBZ) $(SSLLIBS) $(LIBSLP) $(LIBLDAP) $(PAMLIBS) \
> $(LIBPAPER) $(LIBMALLOC) $(CUPSDLIBS) $(DNSSDLIBS) $(LIBS) \
> - $(LIBGSSAPI)
> + $(LIBGSSAPI) $(LIBWRAP)
>
> cupsd-static: $(CUPSDOBJS) libcupsmime.a ../cups/libcups.a
> echo Linking $@...
> $(CC) $(LDFLAGS) -o cupsd-static $(CUPSDOBJS) libcupsmime.a \
> $(LIBZ) $(SSLLIBS) $(LIBSLP) $(LIBLDAP) $(PAMLIBS) \
> ../cups/libcups.a $(COMMONLIBS) $(LIBZ) $(LIBPAPER) \
> - $(LIBMALLOC) $(CUPSDLIBS) $(DNSSDLIBS) $(LIBGSSAPI)
> + $(LIBMALLOC) $(CUPSDLIBS) $(DNSSDLIBS) $(LIBGSSAPI) \
> + $(LIBWRAP)
>
>
> #
--
Klaus Singvogel - Maxfeldstr. 5 - 90409 Nuernberg - Germany
Phone: +49-911-74053-0
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)