# macro definitions. Access control can also be turned off by providing
# no access control tables. The local system, since it runs the portmap
# daemon, is always treated as an authorized host.
+# By default, access control does not do hostname lookup as there is a risk
+# that will require portmap access, hence deadlock. If you are sure the
+# target system will never user NIS for hostname lookup, you can define
+# USE_DNS to add hostname tests in hosts.allow/deny.
ifeq ($(NO_TCP_WRAPPER),)
CPPFLAGS += -DHOSTS_ACCESS
WRAP_LIB = -lwrap
+ifdef USE_DNS
+CPPFLAGS += -DENABLE_DNS
+MAN_SED += -e 's/USE_DNS/yes/'
+endif
endif
# Comment out if your RPC library does not allocate privileged ports for
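Review bot: The added comment has a typo on the line `# target system will never user NIS for hostname lookup, you can define`; it should read `# target system will never use NIS for hostname lookup, you can define`. Since this comment is the only place the USE_DNS build knob and its deadlock caveat are documented, it is worth also naming the other lookup sources that go through portmap (the comment says "hostname lookup" generally but the risk text only mentions NIS); the sentence `# By default, access control does not do hostname lookup as there is a risk` could end with `# that the lookup itself (NIS, or any RPC-backed resolver) needs portmap, hence deadlock.` The hunk's `@@` header is not visible here, so I am reading L1 as its first context line.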
/* A handful of macros for "readability". */
-#define good_client(a) hosts_ctl("portmap", "", inet_ntoa(a->sin_addr), "")
-
#define reserved_port(p) (IPPORT_RESERVED/2 < (p) && (p) < IPPORT_RESERVED)
#define unreserved_port(p) (IPPORT_RESERVED <= (p) && (p) != NFS_PORT)
(void) signal(SIGINT, toggle_verboselog);
}
+
+#ifdef HOSTS_ACCESS
+static int
+good_client(struct sockaddr_in *addr)
+{
+ if (hosts_ctl("portmap", "", inet_ntoa(addr->sin_addr), ""))
+ return 1;
+#ifdef ENABLE_DNS
+{
+ struct hostent *hp;
+ char **sp;
+ char *tmpname;
+
+ /* Check the hostname. */
+ hp = gethostbyaddr ((const char *) &(addr->sin_addr),
+ sizeof (addr->sin_addr), AF_INET);
+
+ if (!hp)
+ return 0;
+
+ /* must make sure the hostent is authoritative. */
+ tmpname = alloca (strlen (hp->h_name) + 1);
+ strcpy (tmpname, hp->h_name);
+ hp = gethostbyname(tmpname);
+ if (hp) {
+ /* now make sure the "addr->sin_addr" is on the list */
+ for (sp = hp->h_addr_list ; *sp ; sp++) {
+ if (memcmp(*sp, &(addr->sin_addr), hp->h_length)==0)
+ break;
+ }
+ if (!*sp)
+ /* it was a FAKE. */
+ return 0;
+ } else
+ /* never heard of it. misconfigured DNS? */
+ return 0;
+
+ /* Check the official name first. */
+ if (hosts_ctl("portmap", "", hp->h_name, ""))
+ return 1;
+
+ /* Check aliases. */
+ for (sp = hp->h_aliases; *sp ; sp++) {
+ if (hosts_ctl("portmap", "", *sp, ""))
+ return 1;
+ }
+}
+#endif /* ENABLE_DNS */
+ return 0;
+}
+#endif /* HOSTS_ACCESS */
+
/* check_default - additional checks for NULL, DUMP, GETPORT and unknown */
int
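Review bot: The forward-confirmation loop `memcmp(*sp, &(addr->sin_addr), hp->h_length)` trusts `hp->h_length` from the second lookup without checking that the returned entry is an IPv4 record; if the resolver hands back a different address family or length, the compare reads past `addr->sin_addr` (4 bytes). Add, right after the `if (hp) {` at L48, `if (hp->h_addrtype != AF_INET || hp->h_length != sizeof(addr->sin_addr)) return 0;` so a mismatched record is treated as "not on the list" rather than compared byte-wise. The `alloca(strlen(hp->h_name) + 1)` / `strcpy` pair at L45–L46 sizes a stack allocation from a resolver-supplied name; a fixed `char tmpname[256];` (longer than any valid DNS name) with `if (strlen(hp->h_name) >= sizeof tmpname) return 0;` followed by `snprintf(tmpname, sizeof tmpname, "%s", hp->h_name);` gives the same copy with a bound and no alloca. Worth a comment on the function that every hostname path here does a synchronous reverse-then-forward lookup per rejected-by-IP request, so a slow or unresponsive resolver stalls the daemon, and that the copy of `h_name` exists because the second `gethostbyname` call overwrites the static `hostent` from the first.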
.Nm tcp_wrapper
library. You have to give the clients access to
.Nm portmap
-if they should be allowed to use it. To allow connects from clients of
-the network 192.168. you could use the following line in /etc/hosts.allow:
+if they should be allowed to use it.
+.if 'USE_DNS'yes' .ig
+To allow connects from clients of the network 192.168. you could use
+the following line in /etc/hosts.allow:
portmap: 192.168.
for the daemon name (even if the binary has a different name). For the
client names you can only use the keyword ALL or IP addresses (NOT
host or domain names).
+..
+.if !'USE_DNS'yes' .ig
+To allow connects from clients of
+the .bar.com domain you could use the following line in /etc/hosts.allow:
+.Pp
+portmap: .bar.com
+.Pp
+You have to use the daemon name
+.Nm portmap
+for the daemon name (even if the binary has a different name). For the
+client names you can use the keyword ALL, IP addresses, hostnames or domain
+names. Using netgroup names will likely cause
+.Nm portmap
+to deadlock.
+Note that localhost will always be allowed access to the portmapper.
+..
For further information please have a look at the
.Xr tcpd 8 ,