Eliminate these compiler warnings: tcpwrapper.c: In function ‘logit’: tcpwrapper.c:225: warning: unused parameter ‘procnum’ tcpwrapper.c:225: warning: unused parameter ‘prognum’ Actually, @procnum is not used anywhere in our tcpwrapper.c, so let's just get rid of it. Since there is only one logit() call site in tcpwrapper.c, the macro wrapper just adds needless clutter. Let's get rid of that too. Finally, both mountd and statd now use xlog(), which adds an appropriate program name prefix to every message. Replace the open-coded syslog(2) call with an xlog() call in order to consistently identify the RPC service reporting the intrusion. Since logit() no longer references "deny_severity" and no nfs-utils caller sets either allow_severity or deny_severity, we remove them. Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> --- support/include/tcpwrapper.h | 8 +----- support/misc/tcpwrapper.c | 56 ++++++++++++++++++----------------------- utils/mountd/mount_dispatch.c | 2 + utils/statd/statd.c | 2 + 4 files changed, 27 insertions(+), 41 deletions(-) diff --git a/support/include/tcpwrapper.h b/support/include/tcpwrapper.h index f1145bd..941394e 100644 --- a/support/include/tcpwrapper.h +++ b/support/include/tcpwrapper.h @@ -5,14 +5,8 @@ #include <netinet/in.h> #include <arpa/inet.h> -extern int verboselog; - -extern int allow_severity; -extern int deny_severity; - extern int good_client(char *daemon, struct sockaddr_in *addr); extern int from_local(const struct sockaddr *sap); -extern int check_default(char *daemon, struct sockaddr_in *addr, - u_long proc, u_long prog); +extern int check_default(char *daemon, struct sockaddr_in *addr, u_long prog); #endif /* TCP_WRAPPER_H */ diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c index af626ad..b981d58 100644 --- a/support/misc/tcpwrapper.c +++ b/support/misc/tcpwrapper.c @@ -34,13 +34,12 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif + #ifdef HAVE_LIBWRAP -#include <tcpwrapper.h> #include <unistd.h> #include <string.h> #include <rpc/rpc.h> #include <rpc/pmap_prot.h> -#include <syslog.h> #include <netdb.h> #include <pwd.h> #include <sys/types.h> @@ -49,6 +48,7 @@ #include <sys/stat.h> #include <tcpd.h> +#include "tcpwrapper.h" #include "xlog.h" #ifdef SYSV40 @@ -56,21 +56,8 @@ #include <rpc/rpcent.h> #endif -static void logit(int severity, struct sockaddr_in *addr, - u_long procnum, u_long prognum, char *text); static int check_files(void); -/* - * These need to exist since they are externed - * public header files. - */ -int verboselog = 0; -int allow_severity = LOG_INFO; -int deny_severity = LOG_WARNING; - -#define log_bad_host(addr, proc, prog) \ - logit(deny_severity, addr, proc, prog, "request from unauthorized host") - #define ALLOW 1 #define DENY 0 @@ -143,6 +130,16 @@ haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long prog) return NULL; } +static void +logit(const struct sockaddr_in *sin) +{ + char buf[INET_ADDRSTRLEN]; + + xlog_warn("connect from %s denied: request from unauthorized host", + inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf))); + +} + int good_client(daemon, addr) char *daemon; @@ -186,14 +183,17 @@ static int check_files() return changed; } -/* check_default - additional checks for NULL, DUMP, GETPORT and unknown */ - +/** + * check_default - additional checks for NULL, DUMP, GETPORT and unknown + * @daemon: pointer to '\0'-terminated ASCII string containing name of the + * daemon requesting the access check + * @addr: pointer to socket address containing address of caller + * @prog: RPC program number caller is attempting to access + * + * Returns TRUE if the caller is allowed access; otherwise FALSE is returned. + */ int -check_default(daemon, addr, proc, prog) -char *daemon; -struct sockaddr_in *addr; -u_long proc; -u_long prog; +check_default(char *daemon, struct sockaddr_in *addr, u_long prog) { haccess_t *acc = NULL; int changed = check_files(); @@ -203,7 +203,7 @@ u_long prog; return (acc->access); if (!(from_local((struct sockaddr *)addr) || good_client(daemon, addr))) { - log_bad_host(addr, proc, prog); + logit(addr); if (acc) acc->access = FALSE; else @@ -219,12 +219,4 @@ u_long prog; return (TRUE); } -/* logit - report events of interest via the syslog daemon */ - -static void logit(int severity, struct sockaddr_in *addr, - u_long procnum, u_long prognum, char *text) -{ - syslog(severity, "connect from %s denied: %s", - inet_ntoa(addr->sin_addr), text); -} -#endif +#endif /* HAVE_LIBWRAP */ diff --git a/utils/mountd/mount_dispatch.c b/utils/mountd/mount_dispatch.c index 199fcec..d2802ef 100644 --- a/utils/mountd/mount_dispatch.c +++ b/utils/mountd/mount_dispatch.c @@ -75,7 +75,7 @@ mount_dispatch(struct svc_req *rqstp, SVCXPRT *transp) /* remote host authorization check */ if (sin->sin_family == AF_INET && - !check_default("mountd", sin, rqstp->rq_proc, MOUNTPROG)) { + !check_default("mountd", sin, MOUNTPROG)) { svcerr_auth (transp, AUTH_FAILED); return; } diff --git a/utils/statd/statd.c b/utils/statd/statd.c index 7be6454..fa3c6d5 100644 --- a/utils/statd/statd.c +++ b/utils/statd/statd.c @@ -79,7 +79,7 @@ sm_prog_1_wrapper (struct svc_req *rqstp, register SVCXPRT *transp) /* remote host authorization check */ if (sin->sin_family == AF_INET && - !check_default("statd", sin, rqstp->rq_proc, SM_PROG)) { + !check_default("statd", sin, SM_PROG)) { svcerr_auth (transp, AUTH_FAILED); return; } -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html