Ticket #56: tcpwrappers.patch

basicnet.ent

@@ -24 +24 @@
 <!ENTITY % cvs SYSTEM "netprogs/cvs/cvs.ent">
 <!ENTITY % wget SYSTEM "netprogs/wget/wget.ent">
 <!ENTITY % portmap SYSTEM "netprogs/portmap/portmap.ent">
+<!ENTITY % tcpwrappers SYSTEM "netprogs/tcpwrappers/tcpwrappers.ent">
 %ncftp;
 %telnet;
 %cvs;
 %wget;
 %portmap;
+%tcpwrappers;
 
 <!-- Basic Networking Utilities -->
 <!ENTITY basicnet-netutils SYSTEM "netutils/netutils.xml">

netprogs/netprogs.xml

@@ -8 +8 @@
 &cvs;
 &wget;
 &portmap;
+&tcpwrappers;
 
 </chapter>

netprogs/tcpwrappers/tcpwrappers-config.xml

@@ +1 @@
+<sect2>
+<title>Configuring tcpwrappers</title>
+
+<sect3><title>Config files</title>
+<para><userinput>/etc/hosts.allow, /etc/hosts.deny,
+</userinput></para>
+
+<para>File protections: the wrapper, all files used by the wrapper,
+and all directories in the path leading to those files, should be
+accessible but not writable for unprivileged users (mode 755 or mode
+555). Do not install the wrapper set-uid.</para>
+
+<para>
+Then perform the following edits on the
+<filename>/etc/inetd.conf</filename> configuration file :
+<screen><userinput>
+finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
+</userinput></screen>
+becomes:
+<screen><userinput>
+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
+</userinput></screen></para>
+<note><para>The finger server is used as an example here.</para></note>
+<para>Similar changes must be made if xinted is used, with the
+emphasis being on calling /usr/sbin/tcpd instead of calling the
+service daemon directly, and passing the name of the service daemon to
+tcpd.</para>
+</sect3>
+
+</sect2>
+

netprogs/tcpwrappers/tcpwrappers-desc.xml

@@ +1 @@
+<sect2>
+<title>Contents</title>
+
+<para>The tcpwrappers package contains
+
+safe_finger tcpd tcpdchk tcpdmatch try-from
+
+<userinput>tcpd</userinput>,
+<userinput>tcpdchk</userinput>,
+<userinput>tcpdmatch</userinput>,
+<userinput>try-from</userinput> and
+<userinput>safe_finger</userinput>.</para>
+</sect2>
+
+<sect2><title>Description</title>
+
+<sect3><title>tcpd</title>
+<para>tcpd is the main access control daemon for all internet
+services, which inetd or xinetd will run instead of running the
+requested service daemon.</para></sect3>
+
+<sect3><title>tcpdchk</title>
+<para>tcpdchk is a tool to examine a tcpd wrapper configuration and
+report problems with it.</para></sect3>
+
+<sect3><title>tcpdmatch</title>
+<para>tcpdmatch is used to predict how the tcp wrapper would handle a
+specific request for a service.</para></sect3>
+
+<sect3><title>try-from</title>
+<para>try-from can be called via a remote shell command to find out if
+the host name and address are properly recognized.</para></sect3>
+
+<sect3><title>safe_finger</title>
+<para>safe_finger is a wrapper for the finger utility, to provide
+automatic reverse name lookups.</para></sect3>
+
+</sect2>
+

netprogs/tcpwrappers/tcpwrappers-exp.xml

@@ +1 @@
+<sect2>
+<title>Command explanations</title>
+
+<para><userinput>patch -Np1 -i ../tcp_wrappers_7.6.diff : </userinput>
+
+This patch alters the original path and logging facility of the
+original tcpwrappers program.</para>
+
+</sect2>
+

netprogs/tcpwrappers/tcpwrappers-inst.xml

@@ +1 @@
+<sect2>
+<title>Installation of tcpwrappers</title>
+
+<para>.</para>
+
+<para>Install tcpwrappers with the following commands:</para>
+
+<para><screen><userinput>
+patch -Np1 -i ../tcp_wrappers_7.6.diff &amp;&amp;
+make REAL_DAEMON_DIR=/usr/sbin linux &amp;&amp;
+cp libwrap.a /usr/lib &amp;&amp;
+cp tcpd.h /usr/include &amp;&amp;
+cp safe_finger /usr/sbin &amp;&amp;
+cp tcpd /usr/sbin &amp;&amp;
+cp tcpdchk /usr/sbin &amp;&amp;
+cp tcpdmatch /usr/sbin &amp;&amp;
+cp try-from /usr/sbin
+</userinput></screen></para>
+
+</sect2>
+

netprogs/tcpwrappers/tcpwrappers-intro.xml

@@ +1 @@
+<sect2>
+<title>Introduction to tcpwrappers</title>
+
+<screen>
+Download location (HTTP):        <ulink url="&tcpwrappers-download-http;"/>
+Version used:                   &tcpwrappers-version;
+Package size:                   &tcpwrappers-size;
+Estimated Disk space required:  &tcpwrappers-buildsize;</screen>
+
+<para>Required patch</para>
+
+<screen>
+Download location (HTTP):        <ulink url="&tcpwrappers-patch-http;"/>
+</screen>
+
+<para>The tcpwrappers package provides daemon wrapper programs that
+report the name of the client requesting network services and the
+requested service.</para> 
+
+</sect2>

netprogs/tcpwrappers/tcpwrappers.ent

@@ +1 @@
+<!ENTITY tcpwrappers SYSTEM "../tcpwrappers.xml">
+<!ENTITY tcpwrappers-intro SYSTEM "tcpwrappers-intro.xml">
+<!ENTITY tcpwrappers-inst SYSTEM "tcpwrappers-inst.xml">
+<!ENTITY tcpwrappers-exp SYSTEM "tcpwrappers-exp.xml">
+<!ENTITY tcpwrappers-desc SYSTEM "tcpwrappers-desc.xml">
+<!ENTITY tcpwrappers-config SYSTEM "tcpwrappers-config.xml">
+<!ENTITY tcpwrappers-buildsize "720 KB">
+<!ENTITY tcpwrappers-version "5">
+
+<!ENTITY tcpwrappers-download-http
+"http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.diff.gz">
+<!ENTITY tcpwrappers-patch-http "http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.tar.gz">
+<!ENTITY tcpwrappers-size "100 KB">

netprogs/tcpwrappers.xml

@@ +1 @@
+<sect1 id="tcpwrappers" xreflabel="tcpwrappers-&tcpwrappers-version;">
+<?dbhtml filename="tcpwrappers.html" dir="basicnet"?>
+<title>tcpwrappers-&tcpwrappers-version;</title>
+
+&tcpwrappers-intro;
+&tcpwrappers-inst;
+&tcpwrappers-exp;
+&tcpwrappers-config;
+&tcpwrappers-desc;
+
+</sect1>
+