#################################### ### Beginning of configurable stuff. # By default, logfile entries are written to the same file as used for # sendmail transaction logs. Change the definition of the following macro # if you disagree. See `man 3 syslog' for examples. Some syslog versions # do not provide this flexibility. FACILITY=LOG_DAEMON # To disable tcp-wrapper style access control, comment out the following # macro definitions. Access control can also be turned off by providing # no access control tables. The local system, since it runs the portmap # daemon, is always treated as an authorized host. # By default, access control does not do hostname lookup as there is a risk # that will require portmap access, hence deadlock. If you are sure the # target system will never user NIS for hostname lookup, you can define # USE_DNS to add hostname tests in hosts.allow/deny. ifeq ($(NO_TCP_WRAPPER),) CPPFLAGS += -DHOSTS_ACCESS WRAP_LIB = -lwrap ifdef USE_DNS CPPFLAGS += -DENABLE_DNS MAN_SED += -e 's/USE_DNS/yes/' endif endif # For no-mmu systems, we have to disable the fork() functions. ifneq ($(NO_FORK),) CPPFLAGS += -DNO_FORK endif # For static builds, we might hit perror() symbol clashes ifneq ($(NO_PERROR),) CPPFLAGS += -DNO_PERROR endif ifeq ($(PREFIX),) PREFIX = /usr endif ifeq ($(SBINDIR),) SBINDIR = $(PREFIX)/sbin endif ifeq ($(DATADIR),) DATADIR = $(PREFIX)/share endif ifeq ($(MANDIR),) MANDIR = $(DATADIR)/man endif ifeq ($(MAN8DIR),) MAN8DIR = $(MANDIR)/man8 endif ## backwards compatibility to older distro builders ifeq ($(DESTDIR),) DESTDIR = $(BASEDIR) endif ifeq ($(INSTALL),) INSTALL = install endif ifeq ($(INSTALL_MAN),) INSTALL_MAN = $(INSTALL) -o root -g root -m 0644 endif ifeq ($(INSTALL_BIN),) INSTALL_BIN = $(INSTALL) -s -o root -g root -m 0755 endif # Comment out if your RPC library does not allocate privileged ports for # requests from processes with root privilege, or the new portmap will # always reject requests to register/unregister services on privileged # ports. You can find out by running "rpcinfo -p"; if all mountd and NIS # daemons use a port >= 1024 you should probably disable the next line. CPPFLAGS += -DCHECK_PORT # The portmap daemon runs a uid=1/gid=1 by default. You can change that # be defining DAEMON_UID and DAMEON_GID to numbers, or RPCUSER to a # name, though you must be sure that name lookup will not require use # of portmap. ifdef RPCUSER CPPFLAGS += -DRPCUSER=\"$(RPCUSER)\" MAN_SED += -e 's/RPCUSER/$(RPCUSER)/' else MAN_SED += -e 's/RPCUSER//' endif ifdef DAEMON_UID CPPFLAGS += -DDAEMON_UID=$(DAEMON_UID) -DDAEMON_GID=$(DAEMON_GID) MAN_SED += -e 's/DAEMON_UID/$(DAEMON_UID)/' -e 's/DAEMON_GID/$(DAEMON_GID)/' else MAN_SED += -e 's/DAEMON_UID/1/' -e 's/DAEMON_GID/1/' endif # Warning: troublesome feature ahead!! Enable only when you are really # desperate!! # # It is possible to prevent an attacker from manipulating your portmapper # tables from outside with requests that contain spoofed source addresses. # The countermeasure is to force all rpc servers to register and # unregister with the portmapper via the loopback network interface, # instead of via the primary network interface that every host can talk # to. For this countermeasure to work it is necessary to uncomment the # LOOPBACK definition below, and to take the following additional steps: # # (1) Modify the libc library (or librpc if you have one) and replace # get_myaddress() by a version that selects the loopback address instead # of the primary network interface address. A suitable version is # provided in the file get_myaddress.c. This forces rpc servers to send # all set/unset requests to the loopback address. # # (2) Rebuild all statically-linked rpc servers with the modified # library. # # (3) Disable IP source routing in the kernel (otherwise an outside # attacker can still send requests that appear to come from the local # machine). # # Instead of (1) it may be sufficient to run the rpc servers with a # preload shared object that implements the alternate get_myaddress() # behavior (see Makefile.shlib). You still need to disable IP source # routing, though. # # I warned you, you need to be really desperate to do this. It is # probably much easier to just block port UDP and TCP ports 111 on # your routers. # # CPPFLAGS += -DLOOPBACK_SETUNSET # When the portmapper cannot find any local interfaces (it will complain # to the syslog daemon) your system probably has variable-length socket # address structures (struct sockaddr has a sa_len component; examples: # AIX 4.1 and 4.4BSD). Uncomment next macro definition in that case. # # CPPFLAGS += -DHAS_SA_LEN # AIX 4.x, BSD 4.4, FreeBSD, NetBSD # With verbose logging on, HP-UX 9.x and AIX 4.1 leave zombies behind when # SIGCHLD is not ignored. Enable next macro for a fix. # CPPFLAGS += -DIGNORE_SIGCHLD # AIX 4.x, HP-UX 9.x # Uncomment the following macro if your system does not have u_long. # # CPPFLAGS +=-Du_long="unsigned long" # # LDLIBS += -m # CFLAGS += -arch m68k -arch i386 -arch hppa ifeq ($(NO_PIE),) CFLAGS_PIE = -fpie LDFLAGS_PIE = -pie endif # Auxiliary libraries that you may have to specify # # LDLIBS += -lrpc # Comment out if your compiler talks ANSI and understands const # # CPPFLAGS += -Dconst= ### End of configurable stuff. ############################## CPPFLAGS += -DFACILITY=$(FACILITY) CFLAGS ?= -O2 CFLAGS += -Wall -Wstrict-prototypes all: portmap pmap_dump pmap_set portmap.man CPPFLAGS += $(HOSTS_ACCESS) portmap: CFLAGS += $(CFLAGS_PIE) portmap: LDLIBS += $(WRAP_LIB) portmap: LDFLAGS += $(LDFLAGS_PIE) portmap: portmap.o pmap_check.o from_local.o from_local: CPPFLAGS += -DTEST portmap.man : portmap.8 sed $(MAN_SED) < portmap.8 > portmap.man install: all install-portmap install-pmap_dump install-pmap_set install-man install-dirs-sbin: mkdir -p $(DESTDIR)$(SBINDIR) install-dirs-man: mkdir -p $(DESTDIR)$(MAN8DIR) install-man: install-dirs-man $(INSTALL_MAN) portmap.man $(DESTDIR)$(MAN8DIR)/portmap.8 $(INSTALL_MAN) pmap_dump.8 $(DESTDIR)$(MAN8DIR)/pmap_dump.8 $(INSTALL_MAN) pmap_set.8 $(DESTDIR)$(MAN8DIR)/map_set.8 install-pmap_dump: pmap_dump install-dirs-sbin $(INSTALL_BIN) pmap_dump $(DESTDIR)$(SBINDIR) install-pmap_set: pmap_set install-dirs-sbin $(INSTALL_BIN) pmap_set $(DESTDIR)$(SBINDIR) install-portmap: portmap install-dirs-sbin $(INSTALL_BIN) portmap $(DESTDIR)$(SBINDIR) clean: rm -f *.o portmap pmap_dump pmap_set from_local \ core portmap.man -include .depend .depend: *.c $(CC) -MM $(CFLAGS) *.c > .depend .PHONY: all clean install