xref: /freebsd/contrib/tcp_wrappers/CHANGES (revision ae1f3df43466466a21c7da0df93ecb58a3e53d74)
1Request: after building the programs, please run the `tcpdchk' wrapper
2configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
3format) for instructions. `tcpdchk' automatically identifies the most
4common configuration problems, and will save you and me a lot of time.
5
6Changes per release 7.6 (Mar 1997)
7==================================
8
9- Improved the anti source-routing protection. The code in version
107.5 was not as strong as it could be, because I tried to be compatible
11with Linux. That was a mistake. Sorry for the inconvenience.
12
13- The program no longer terminates case of a source-routed connection,
14making the IP-spoofing code more usable for long-running daemons.
15
16- When syslogging DNS hostname problems, always stop after a limited
17number of characters.
18
19Changes per release 7.5 (Feb 1997)
20==================================
21
22- Optionally refuse source-routed TCP connections requests altogether.
23Credits to Niels Provos of Universitaet Hamburg.  File: fix_options.c.
24
25- Support for IRIX 6 (Lael Tucker).
26
27- Support for Amdahl UTS 2.1.5 (Richard E. Richmond).
28
29- Support for SINIX 5.42 (Klaus Nielsen).
30
31- SCO 5 now has vsyslog() (Bill Golden).
32
33- Hints and tips for dealing with IRIX inetd (Niko Makila, Aaron
34M Lee).
35
36- Support for BSD/OS (Paul Borman).
37
38- Support for Tandem (Emad Qawas).
39
40- Support for ISC (Frederick B. Cohen).
41
42- Workaround for UNICOS - it would choke on a setjmp() expression
43(Bruce Kelly). File: hosts_access.c, tcpdchk.c.
44
45- Increased the level of buffer overflow paranoia when printing
46unwanted IP options.  File: fix_options.c.
47
48Changes per release 7.4 (Mar 1996)
49==================================
50
51- IRIX 5.3 (and possibly, earlier releases, too) library routines call
52the non-reentrant strtok() routine. The result is that hosts may slip
53through allow/deny filters. Workaround is to not rely on the vendor's
54strtok() routine (#ifdef LIBC_CALLS_STRTOK). Credits to Th. Eifert
55(Aachen University) for spotting this one. This fix supersedes the
56earlier workaround for a similar problem in FreeBSD 2.0.
57
58Changes per release 7.3 (Feb 1996)
59==================================
60
61- More tests added to tcpdchk and tcpdmatch: make sure that the
62REAL_DAEMON_DIR actually is a directory and not a regular file;
63detect if tcpd recursively calls itself.
64
65- Edwin Kremer found an amusing fencepost error in the xgets()
66routine: lines longer than BUFLEN characters would be garbled.
67
68- The access control routines now refuse to execute "dangerous" actions
69such as `twist' when they are called from within a resident process.
70This prevents you from shooting yourself into the foot with critical
71systems programs such as, e.g., portmap or rpcbind.
72
73- Support for Unicos 8.x (Bruce Kelly). The program now closes the
74syslog client socket before running the real daemon: Cray UNICOS
75refuses to checkpoint processes with open network ports.
76
77- Support for MachTen UNIX (Albert M.C Tam).
78
79- Support for Interactive UNIX R3.2 V4.0 (Bobby D. Wright).
80
81- Support for SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com)
82
83- Support for Unixware 1.x and Unixware 2.x.  The old Unixware Makefile
84rule was broken. Sorry about that.
85
86- Some FreeBSD 2.0 libc routines call strtok() and severely mess up the
87allow/deny rule processing. This is very bad. Workaround:  call our own
88strtok() clone (#ifdef USE_STRSEP).
89
90- The programs now log a warning when they detect that a non-existent
91banner directory is specified.
92
93- The hosts_access.3 manual page used obsolete names for the RQ_*
94constants.
95
96Changes per release 7.2 (Jan 1995)
97==================================
98
99- Added a note to the README and manpages on using the IDENT service to
100detect sequence number spoofing and other host impersonation attacks.
101
102- Portability: ConvexOS puts RPC version numbers before the daemon path
103name (Jukka Ukkonen).
104
105- Portability: the AIX compiler disliked the strchr() declaration
106in socket.c.  I should have removed it when I included <string.h>.
107
108- Backwards compatibility: some people relied on the old leading dot or
109trailing dot magic in daemon process names.
110
111- Backwards compatibility: hostname lookup remains enabled when
112-DPARANOID is turned off. In order to disable hostname lookups you
113must turn off -DALWAYS_HOSTNAME.
114
115- Eliminated false complaints from the tcpdmatch/tcpdchk configuration
116checking programs about process names not in inetd.conf or about KNOWN
117username patterns.
118
119Changes per release 7.1 (Jan 1995)
120==================================
121
122- Portability: HP-UX permits you to break inetd.conf entries with
123backslash-newline.
124
125- Portability: EP/IX has no putenv() and some inetd.conf entries are
126spread out over two lines.
127
128- Portability: SCO with NIS support has no *netgrent() routines.
129
130Changes per release 7.0 (Jan 1995)
131==================================
132
133- Added a last-minute workaround for a Solaris 2.4 gethostbyname()
134foulup with multi-homed hosts in DNS through NIS mode.
135
136- Added a last-minute defense against TLI weirdness: address lookups
137apparently succeed but the result netbuf is empty (ticlts transport).
138
139- Dropped several new solutions that were in need of a problem. Beta
140testers may recognize what new features were kicked out during the last
141weeks before release 7.0 came out. Such is life.
142
143- Got rid of out the environment replacement routines, at least for
144most architectures. One should not have to replace working system
145software when all that is needed is a 4.4BSD setenv() emulator.
146
147- By popular request I have added an option to send banner messages to
148clients. There is a Banners.Makefile that gives some aid for sites that
149are going to use this feature. John C. Wingenbach did some pioneering
150work here. I used to think that banners are frivolous. Now that I had
151a personal need for them I know that banners can be useful.
152
153- At last: an extensible functional interface to the pattern matching
154engine. request_init() and request_set() accept a variable-length
155name-value argument list.  The result can be passed to hosts_access().
156
157- When PARANOID mode is disabled (compile time), the wrapper does no
158hostname lookup or hostname double checks unless required by %letter
159expansions, or by access control rules that match host names.  This is
160useful for sites that don't care about internet hostnames anyway.
161Inspired by the authors of the firewalls and internet security book.
162
163- When PARANOID mode is disabled (compile time), hosts with a name/name
164or name/address conflict can be matched with the PARANOID host wildcard
165pattern, so that you can take some intelligent action instead of just
166dropping clients. Like showing a banner that explains the problem.
167
168- New percent escapes: %A expands to the server address; %H expands to
169the corresponding hostname (or address if no name is available); %n and
170%N expand to the client and server hostname (or "unknown"); %s expands
171to everything we know about the server endpoint (the opposite of the %c
172sequence for client information).
173
174- Symmetry: server and client host information is now treated on equal
175footing, so that we can reuse a lot of code.
176
177- Lazy evaluation of host names, host addresses, usernames, and so on,
178to avoid doing unnecessary work.
179
180- Dropping #ifdefs for some archaic systems made the code simpler.
181
182- Dropping the FAIL pattern made the pattern matcher much simpler.  Run
183the "tcpdchk" program to scan your access control files for any uses of
184this obscure language feature.
185
186- Moving host-specific pattern matching from string_match() to the
187host_match() routine made the code more accurate.  Run the "tcpdchk"
188program to scan your access control files for any dependencies on
189undocumented or obscure language features that are gone.
190
191- daemon@host patterns trigger on clients that connect to a specific
192internet address.  This can be useful for service providers that offer
193multiple ftp or www archives on different internet addresses, all
194belonging to one and the same host (www.foo.com, ftp.bar.com, you get
195the idea).  Inspired by a discussion with Rop Gonggrijp, Cor Bosman,
196and Casper Dik, and earlier discussions with Adrian van Bloois.
197
198- The new "tcpdchk" program critcizes all your access control rules and
199inetd.conf entries. Great for spotting obscure bugs in my own hosts.xxx
200files. This program also detects hosts with name/address conflicts and
201with other DNS-related problems. See the "tcpdchk.8" manual page.
202
203- The "tcpdmatch" program replaces the poor old "try" command. The new
204program looks in your inetd.conf file and therefore produces much more
205accurate predictions. In addition, it detects hosts with name/address
206conflicts and with other DNS-related problems. See the "tcpdmatch.8"
207manual page.  The inetd.conf lookup was suggested by Everett F Batey.
208
209- In the access control tables, the `=' between option name and value
210is no longer required.
211
212- Added 60-second timeout to the safe_finger command, to cover another
213potential problem. Suggested by Peter Wemm.
214
215- Andrew Maffei provided code that works with WIN-TCP on NCR System V.4
216UNIX. It reportedly works with versions 02.02.01 and 02.03.00. The code
217pops off all streams modules above the device driver, pushes the timod
218module to get at the peer address, and then restores the streams stack
219to the initial state.
220
221Changes per release 6.3 (Mar 1994)
222==================================
223
224- Keepalives option, to get rid of stuck daemons when people turn off
225their PC while still connected. Files: options.c, hosts_options.5.
226
227- Nice option, to calm down network daemons that take away too much CPU
228time. Files: options.c, hosts_options.5.
229
230- Ultrix perversion: the environ global pointer may be null. The
231environment replacement routines now check for this. File: environ.c.
232
233- Fixed a few places that still assumed the socket is on standard
234input. Fixed some error messages that did not provide access control
235file name and line number.  File: options.c.
236
237- Just when I was going to release 6.2 I received code for Dynix/PTX.
238That code is specific to PTX 2.x, so I'll keep around my generic
239PTX code just in case. The difference is in the handling of UDP
240services.  Files:  tli_sequent.[hc].
241
242Changes per release 6.2 (Feb 1994)
243==================================
244
245- Resurrected my year-old code to reduce DNS load by appending a dot to
246the gethostbyname() argument. This feature is still experimental and it
247may go away if it causes more problems than it solves. File: socket.c.
248
249- Auxiliary code for the Pyramid, BSD universe. Karl Vogel figured out
250what was missing: yp_get_default_domain() and vfprintf(). Files:
251workarounds.c, vfprintf.c.
252
253- Improved support for Dynix/PTX. The wrapper should now be able to
254deal with all TLI over IP services. File: ptx.c.
255
256- The try command now uses the hostname that gethostbyaddr() would
257return, instead of the hostname returned by gethostbyname(). This can
258be significant on systems with NIS that have short host names in the
259hosts map. For example, gethostbyname("wzv.win.tue.nl") returns
260"wzv.win.tue.nl"; gethostbyaddr(131.155.210.17) returns "wzv", and
261that is what we should test with. File: try.c.
262
263Changes per release 6.1 (Dec 1993)
264==================================
265
266- Re-implemented all environment access routines. Most systems have
267putenv() but no setenv(), some systems have setenv() but no putenv(),
268and there are even systems that have neither setenv() nor putenv(). The
269benefit of all this is that more systems can now be treated in the same
270way. File:  environ.c.
271
272- Workaround for a weird problem with DG/UX when the wrapper is run as
273nobody (i.e. fingerd). For some reason the ioctl(fd, I_FIND, "sockmod")
274call fails even with socket-based applications. The "fix" is to always
275assume sockets when the ioctl(fd, I_FIND, "timod") call fails. File:
276fromhost.c. Thanks to Paul de Vries (vries@dutentb.et.tudelft.nl) for
277helping me to figure out this one.
278
279- Implemented a workaround for Dynix/PTX and other systems with TLI
280that lack some essential support routines. Thanks to Bugs Brouillard
281(brouill@hsuseq.humboldt.edu) for the hospitality to try things out.
282The trick is to temporarily switch to the socket API to identify the
283client, and to switch back to TLI when done.  It still does not work
284right for basic network services such as telnet. File: fromhost.c.
285
286- Easy-to-build procedures for SCO UNIX, ConvexOS with UltraNet, EP/IX,
287Dynix 3.2, Dynix/PTX. File: Makefile.
288
289- Variable rfc931 timeout. Files: rfc931.c, options.c, log_tcp.h, try.c.
290
291- Further simplification of the rfc931 code. File: rfc931.c.
292
293- The fromhost() interface stinks: I cannot change that, but at least
294the from_sock() and from_tli() functions now accept a file descriptor
295argument.
296
297- Fixed a buglet: fromhost() would pass a garbage file descriptor to
298the isastream() call.
299
300- On some systems the finger client program lives in /usr/bsd. File:
301safe_finger.c.
302
303Changes per release 6.0 (Sept 1993)
304===================================
305
306- Easy build procedures for common platforms (sun, ultrix, aix, hpux
307and others).
308
309- TLI support, System V.4 style (Solaris, DG/UX).
310
311- Username lookup integrated with the access control language.
312Selective username lookups are now the default (was: no username
313lookups).
314
315- A safer finger command for booby traps. This one solves a host of
316possible problems with automatic reverse fingers. Thanks, Borja Marcos
317(borjam@we.lc.ehu.es) for some inspiring discussions.
318
319- KNOWN pattern that matches hosts whose name and address are known.
320
321- Cleanup of diagnostics. Errors in access-control files are now shown
322with file name and line number.
323
324- With AIX 3.2, hostnames longer than 32 would be truncated.  This
325caused hostname verification failures, so that service would be refused
326when paranoid mode was enabled.  Found by:  Adrian van Bloois
327(A.vanBloois@info.nic.surfnet.nl).
328
329- With some IRIX versions, remote username lookups failed because the
330fgets() library function does not handle partial read()s from sockets.
331Found by:  Daniel O'Callaghan (danny@austin.unimelb.edu.au).
332
333- Added a DISCLAIMER document to help you satisfy legal departments.
334
335The extension language module has undergone major revisions and
336extensions.  Thanks, John P. Rouillard (rouilj@ra.cs.umb.edu) for
337discussions, experiments, and for being a good guinea pig. The
338extensions are documented in hosts_options.5, and are enabled by
339editing the Makefile STYLE macro definition.
340
341- (Extension language) The ":" separator may now occur within options
342as long as it is protected with a backslash. A warning is issued when
343a rule ends on ":".
344
345- (Extension language) Better verification mode. When the `try' command
346is run, each option function now explains what it would do.
347
348- (Extension language) New "allow" and "deny" keywords so you can now
349have all rules within a single file. See "nroff -man hosts_options.5"
350for examples.
351
352- (Extension language) "linger" keyword to set the socket linger time
353(SO_LINGER). From:  Marc Boucher <marc@cam.org>.
354
355- (Extension language) "severity" keyword to turn the logging noise up
356or down. Many sites wanted a means to shut up the program; other sites
357wanted to emphasize specific events.  Adapted from code contributed
358by Dave Mitchell <D.Mitchell@dcs.shef.ac.uk>.
359
360Changes per release 5.1 (Mar 1993)
361==================================
362
363- The additional protection against source-routing attacks from hosts
364that pretend to have someone elses network address has become optional
365because it causes kernel panics with SunOS <= 4.1.3.
366
367Changes per release 5.0 (Mar 1993)
368==================================
369
370- Additional protection against source-routing attacks from hosts that
371pretend to have someone elses network address. For example, the address
372of a trusted host within your own network.
373
374- The access control language has been extended with a simple but
375powerful operator that greatly simplifies the design of rule sets (ALL:
376.foo.edu EXCEPT dialup.foo.edu). Blank lines are permitted, and long
377lines can be continued with backslash-newline.
378
379- All configurable stuff, including path names, has been moved into the
380Makefile so that you no longer have to hack source code to just
381configure the programs.
382
383- Ported to Solaris 2. TLI-based applications not yet supported.
384Several workarounds for System V bugs.
385
386- A small loophole in the netgroup lookup code was closed, and the
387remote username lookup code was made more portable.
388
389- Still more documentation. The README file now provides tutorial
390sections with introductions to client, server, inetd and syslogd.
391
392Changes per release 4.3 (Aug 1992)
393==================================
394
395- Some sites reported that connections would be rejected because
396localhost != localhost.domain. The host name checking code now
397special-cases localhost (problem reported by several sites).
398
399- The programs now report an error if an existing access control file
400cannot be opened (e.g. due to lack of privileges).  Until now, the
401programs would just pretend that the access control file does not exist
402(reported by Darren Reed, avalon@coombs.anu.edu.au).
403
404- The timeout period for remote userid lookups was upped to 30 seconds,
405in order to cope with slow hosts or networks.  If this is too long for
406you, adjust the TIMEOUT definition in file rfc931.c (problem reported
407by several sites).
408
409- On hosts with more than one IP network interface, remote userid
410lookups could use the IP address of the "wrong" local interface.  The
411problem and its solution were discussed on the rfc931-users mailing
412list.  Scott Schwartz (schwartz@cs.psu.edu) folded the fix into the
413rfc931.c module.
414
415- The result of % expansion (in shell commands) is now checked for
416stuff that may confuse the shell; it is replaced by underscores
417(problem reported by Icarus Sparry, I.Sparry@gdr.bath.ac.uk).
418
419- A portability problem was fixed that caused compile-time problems
420on a CRAY (problem reported by Michael Barnett, mikeb@rmit.edu.au).
421
422Changes per release 4.0 (Jun 1992)
423==================================
424
4251 - network daemons no longer have to live within a common directory
4262 - the access control code now uses both the host address and name
4273 - an access control pattern that supports netmasks
4284 - additional protection against forged host names
4295 - a pattern that matches hosts whose name or address lookup fails
4306 - an operator that prevents hosts or services from being matched
4317 - optional remote username lookup with the RFC 931 protocol
4328 - an optional umask to prevent the creation of world-writable files
4339 - hooks for access control language extensions
43410 - last but not least, thoroughly revised documentation.
435
436Changes per release 3.0 (Oct 1991)
437==================================
438
439Enhancements over the previous release are: support for datagram (UDP
440and RPC) services, and execution of shell commands when a (remote host,
441requested service) pair matches a pattern in the access control tables.
442
443Changes per release 2.0 (May 1991)
444==================================
445
446Enhancements over the previous release are: protection against rlogin
447and rsh attacks through compromised domain name servers, optional
448netgroup support for systems with NIS (formerly YP), and an extension
449of the wild card patterns supported by the access control files.
450
451Release 1.0 (Jan 1991)
452