xref: /illumos-gate/usr/src/cmd/tcpd/Makefile (revision 09a48d4ca0ddda4ad26cc885769745870d989baf)
1#
2# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# Copyright 2011 Nexenta Systems, Inc. All rights reserved.
6#
7
8PROG=		safe_finger tcpd tcpdchk tcpdmatch try-from
9
10include		../Makefile.cmd
11
12ERROFF=		-erroff=E_FUNC_HAS_NO_RETURN_STMT \
13		-erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT \
14		-_gcc=-Wno-return-type -_gcc=-Wno-implicit
15CFLAGS +=	$(CCVERBOSE) $(ERROFF)
16CPPFLAGS +=	$(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
17		$(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
18		-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
19		-DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
20		-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
21		-I../../lib/libwrap
22tcpd tcpdmatch try-from := \
23		LDLIBS += -lwrap
24tcpdchk :=	LDLIBS += -lwrap -lnsl
25
26# Various components must export interfaces, but also contain name-space
27# clashes with system libraries.
28MAPFILE.INT.D=	$(MAPFILE.NGB) mapfile-intf-tcpdchk
29MAPFILE.INT.M=	$(MAPFILE.NGB) mapfile-intf-tcpdmatch
30MAPFILE.INT.F=	$(MAPFILE.NGB) mapfile-intf-tryfrom
31
32tcpdchk :=	LDFLAGS +=$(MAPFILE.INT.D:%=-M%)
33tcpdmatch :=	LDFLAGS +=$(MAPFILE.INT.M:%=-M%)
34try-from :=	LDFLAGS +=$(MAPFILE.INT.F:%=-M%)
35
36.KEEP_STATE:
37
38all:		$(PROG)
39
40install:	all $(ROOTUSRSBINPROG)
41
42clean:
43		$(RM) *.o
44
45lint:		lint_PROG
46
47TCPDMATCH_OBJ=	tcpdmatch.o fakelog.o inetcf.o scaffold.o
48
49tcpdmatch:	$(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INTF.M)
50		$(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
51		$(POST_PROCESS)
52
53try-from:	try-from.o fakelog.o $(LIB) $(MAPFILE.INTF.F)
54		$(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
55		$(POST_PROCESS)
56
57TCPDCHK_OBJ=	tcpdchk.o fakelog.o inetcf.o scaffold.o
58
59tcpdchk:	$(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INTF.C)
60		$(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
61		$(POST_PROCESS)
62
63include		../Makefile.targ
64
65# The rest of this file contains definitions more-or-less directly from the
66# original Makefile of the tcp_wrappers distribution.
67
68##############################
69# System parameters appropriate for Solaris 9
70
71REAL_DAEMON_DIR	= /usr/sbin
72TLI		= -DTLI
73NETGROUP	= -DNETGROUP
74
75##############################
76# Start of the optional stuff.
77
78###########################################
79# Optional: Turning on language extensions
80#
81# Instead of the default access control language that is documented in
82# the hosts_access.5 document, the wrappers can be configured to
83# implement an extensible language documented in the hosts_options.5
84# document.  This language is implemented by the "options.c" source
85# module, which also gives hints on how to add your own extensions.
86# Uncomment the next definition to turn on the language extensions
87# (examples: allow, deny, banners, twist and spawn).
88#
89STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
90
91################################################################
92# Optional: Changing the default disposition of logfile records
93#
94# By default, logfile entries are written to the same file as used for
95# sendmail transaction logs. See your /etc/syslog.conf file for actual
96# path names of logfiles. The tutorial section in the README file
97# gives a brief introduction to the syslog daemon.
98#
99# Change the FACILITY definition below if you disagree with the default
100# disposition. Some syslog versions (including Ultrix 4.x) do not provide
101# this flexibility.
102#
103# If nothing shows up on your system, it may be that the syslog records
104# are sent to a dedicated loghost. It may also be that no syslog daemon
105# is running at all. The README file gives pointers to surrogate syslog
106# implementations for systems that have no syslog library routines or
107# no syslog daemons. When changing the syslog.conf file, remember that
108# there must be TABs between fields.
109#
110# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
111
112FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use
113
114# The syslog priority at which successful connections are logged.
115
116SEVERITY= LOG_INFO	# LOG_INFO is normally not logged to the console
117
118######################################################
119# Optional: Changing the default file protection mask
120#
121# On many systems, network daemons and other system processes are started
122# with a zero umask value, so that world-writable files may be produced.
123# It is a good idea to edit your /etc/rc* files so that they begin with
124# an explicit umask setting.  On our site we use `umask 022' because it
125# does not break anything yet gives adequate protection against tampering.
126#
127# The following macro specifies the default umask for processes run under
128# control of the daemon wrappers. Comment it out only if you are certain
129# that inetd and its children are started with a safe umask value.
130
131UMASK	= -DDAEMON_UMASK=022
132
133#######################################
134# Optional: Turning off access control
135#
136# By default, host access control is enabled.  To disable host access
137# control, comment out the following definition.  Host access control
138# can also be turned off at runtime by providing no or empty access
139# control tables.
140
141ACCESS	= -DHOSTS_ACCESS
142
143####################################################
144# Optional: dealing with host name/address conflicts
145#
146# By default, the software tries to protect against hosts that claim to
147# have someone elses host name. This is relevant for network services
148# whose authentication depends on host names, such as rsh and rlogin.
149#
150# With paranoid mode on, connections will be rejected when the host name
151# does not match the host address. Connections will also be rejected when
152# the host name is available but cannot be verified.
153#
154# Comment out the following definition if you want more control over such
155# requests. When paranoid mode is off and a host name double check fails,
156# the client can be matched with the PARANOID access control pattern.
157#
158# Paranoid mode implies hostname lookup. In order to disable hostname
159# lookups altogether, see the next section.
160
161PARANOID= -DPARANOID
162
163# The default username lookup timeout is 10 seconds. This may not be long
164# enough for slow hosts or networks, but is enough to irritate PC users.
165
166RFC931_TIMEOUT = 10
167
168########################################################
169# Optional: Changing the access control table pathnames
170#
171# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
172# look for access control information. Watch out for the quotes and
173# backslashes when you make changes.
174
175TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
176
177#############################################
178# Optional: Turning on host ADDRESS checking
179#
180# Optionally, the software tries to protect against hosts that pretend to
181# have someone elses host address. This is relevant for network services
182# whose authentication depends on host names, such as rsh and rlogin,
183# because the network address is used to look up the remote host name.
184#
185# The protection is to refuse TCP connections with IP source routing
186# options.
187#
188# This feature cannot be used with SunOS 4.x because of a kernel bug in
189# the implementation of the getsockopt() system call. Kernel panics have
190# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
191# fault" while executing the tcp_ctloutput() kernel function.
192#
193# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
194#
195# Uncomment the following macro definition if your getsockopt() is OK.
196#
197# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
198# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
199# Solaris 2.x, and Linux. See your system documentation for details.
200#
201# KILL_OPT= -DKILL_IP_OPTIONS
202
203## End configuration options
204############################
205