xref: /illumos-gate/usr/src/cmd/tcpd/Makefile (revision 2aaafd60ec8d825f1f153557e1d1932ec79b2782)
1#
2# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# Copyright 2011 Nexenta Systems, Inc. All rights reserved.
6#
7# Copyright (c) 2018, Joyent, Inc.
8
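# Programs built and installed from this directory.
PROG=		safe_finger tcpd tcpdchk tcpdmatch try-from

include		../Makefile.cmd

CFLAGS +=	$(CCVERBOSE)

# CPPFLAGS carries the compile-time security policy of the wrappers:
# $(ACCESS), $(PARANOID), $(UMASK), $(TABLES) and the syslog settings are
# all baked into the binaries here, so changing policy means rebuilding.
# These macros are assigned further down in this file, after this reference.
# NOTE(review): that relies on CPPFLAGS being expanded when it is used rather
# than when it is assigned -- confirm against ../Makefile.cmd.
# $(KILL_OPT) is left commented out below and $(BUGS) is not set anywhere in
# this file, so both expand to nothing unless an included makefile sets them.
CPPFLAGS +=	$(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
		$(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
		-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
		-DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
		-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
		-I../../lib/libwrap

# Per-target (conditional) macros: only the listed programs link against
# libwrap; safe_finger is not in either list.
tcpd tcpdmatch try-from := \
		LDLIBS += -lwrap
tcpdchk :=	LDLIBS += -lwrap -lnsl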
23
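# Compiler diagnostics silenced for this imported code.
# NOTE(review): -Wno-implicit-function-declaration and -Wno-return-type (and
# $(CNOWARN_UNINIT), presumably the uninitialized-variable warnings) hide
# warning classes that frequently point at real defects.  These programs make
# access-control decisions for network services, so it is worth re-enabling
# the warnings one at a time and fixing what they report.
CERRWARN +=	-_gcc=-Wno-unused-variable
CERRWARN +=	-_gcc=-Wno-parentheses
CERRWARN +=	$(CNOWARN_UNINIT)
CERRWARN +=	-_gcc=-Wno-implicit-function-declaration
CERRWARN +=	-_gcc=-Wno-return-type
CERRWARN +=	-_gcc=-Wno-clobbered

# not linted
# smatch static analysis is switched off for this directory as well, so
# neither the compiler warnings above nor smatch cover this code.
SMATCH=off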
33
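# Various components must export interfaces, but also contain name-space
# clashes with system libraries.
# Each list pairs $(MAPFILE.NGB) with the per-program interface mapfile kept
# in this directory.
MAPFILE.INT.D=	$(MAPFILE.NGB) mapfile-intf-tcpdchk
MAPFILE.INT.M=	$(MAPFILE.NGB) mapfile-intf-tcpdmatch
MAPFILE.INT.F=	$(MAPFILE.NGB) mapfile-intf-tryfrom

# Hand every mapfile in the matching list to the link editor: the pattern
# substitution turns each word <file> into -Wl,-M<file>.
tcpdchk :=	LDFLAGS +=$(MAPFILE.INT.D:%=-Wl,-M%)
tcpdmatch :=	LDFLAGS +=$(MAPFILE.INT.M:%=-Wl,-M%)
try-from :=	LDFLAGS +=$(MAPFILE.INT.F:%=-Wl,-M%)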
43
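# Sun/illumos make special target: keep a state file so that a changed
# command line is enough to trigger a rebuild.
.KEEP_STATE:

# Default goal: build every program listed in PROG.
all:		$(PROG)

# ROOTUSRSBINPROG is not defined in this file; presumably it names the
# installed copies of $(PROG) and comes from ../Makefile.cmd.
install:	all $(ROOTUSRSBINPROG)

# Removes object files only; the linked programs are left in place here.
clean:
		$(RM) *.o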
52
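# Explicit link rules for the programs built from more than one object.
#
# The mapfile lists are prerequisites so that editing an interface mapfile
# forces a relink.  They must be spelled MAPFILE.INT.* to match the macros
# defined above; the MAPFILE.INTF.* spelling is not defined in this file and
# expands to nothing, which leaves the mapfiles untracked.  A binary linked
# against a stale mapfile keeps the old symbol scoping.
# NOTE(review): $(LIB) is not defined in this file either -- confirm whether
# an included makefile sets it or whether it is a leftover from the original
# tcp_wrappers Makefile.

TCPDMATCH_OBJ=	tcpdmatch.o fakelog.o inetcf.o scaffold.o

tcpdmatch:	$(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INT.M)
		$(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
		$(POST_PROCESS)

try-from:	try-from.o fakelog.o $(LIB) $(MAPFILE.INT.F)
		$(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
		$(POST_PROCESS)

TCPDCHK_OBJ=	tcpdchk.o fakelog.o inetcf.o scaffold.o

# tcpdchk's mapfile list is MAPFILE.INT.D (see its LDFLAGS assignment above).
tcpdchk:	$(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INT.D)
		$(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
		$(POST_PROCESS)

include		../Makefile.targ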
70
71# The rest of this file contains definitions more-or-less directly from the
72# original Makefile of the tcp_wrappers distribution.
73
74##############################
75# System parameters appropriate for Solaris 9
76
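# REAL_DAEMON_DIR is compiled into the programs as a string constant (see
# the -DREAL_DAEMON_DIR entry in CPPFLAGS).
# NOTE(review): tcpd is expected to look up the real daemon binaries in this
# directory, so it should be writable by root only -- confirm against the
# tcpd sources.
REAL_DAEMON_DIR	= /usr/sbin
TLI		= -DTLI
NETGROUP	= -DNETGROUP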
80
81##############################
82# Start of the optional stuff.
83
84###########################################
85# Optional: Turning on language extensions
86#
87# Instead of the default access control language that is documented in
88# the hosts_access.5 document, the wrappers can be configured to
89# implement an extensible language documented in the hosts_options.5
90# document.  This language is implemented by the "options.c" source
91# module, which also gives hints on how to add your own extensions.
92# Uncomment the next definition to turn on the language extensions
93# (examples: allow, deny, banners, twist and spawn).
94#
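# Security note: the extension keywords named above include spawn and twist,
# which hosts_options.5 describes as running commands.  Anyone able to write
# the access control tables can therefore have commands executed by the
# wrapper; keep those files owned and writable by root only.
STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.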
96
97################################################################
98# Optional: Changing the default disposition of logfile records
99#
100# By default, logfile entries are written to the same file as used for
101# sendmail transaction logs. See your /etc/syslog.conf file for actual
102# path names of logfiles. The tutorial section in the README file
103# gives a brief introduction to the syslog daemon.
104#
105# Change the FACILITY definition below if you disagree with the default
106# disposition. Some syslog versions (including Ultrix 4.x) do not provide
107# this flexibility.
108#
109# If nothing shows up on your system, it may be that the syslog records
110# are sent to a dedicated loghost. It may also be that no syslog daemon
111# is running at all. The README file gives pointers to surrogate syslog
112# implementations for systems that have no syslog library routines or
113# no syslog daemons. When changing the syslog.conf file, remember that
114# there must be TABs between fields.
115#
116# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
117
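# Monitoring note: with these two settings, records of accepted connections
# go to the mail facility at info priority.  If they feed detection or audit,
# confirm that syslog.conf keeps mail.info, or choose a facility that is
# already retained for security events (for example LOG_AUTH).
FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use

# The syslog priority at which successful connections are logged.

SEVERITY= LOG_INFO	# LOG_INFO is normally not logged to the console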
123
124######################################################
125# Optional: Changing the default file protection mask
126#
127# On many systems, network daemons and other system processes are started
128# with a zero umask value, so that world-writable files may be produced.
129# It is a good idea to edit your /etc/rc* files so that they begin with
130# an explicit umask setting.  On our site we use `umask 022' because it
131# does not break anything yet gives adequate protection against tampering.
132#
133# The following macro specifies the default umask for processes run under
134# control of the daemon wrappers. Comment it out only if you are certain
135# that inetd and its children are started with a safe umask value.
136
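# 022 removes group/other write permission only; files created by wrapped
# daemons stay readable by everyone.  Where those daemons write sensitive
# data a stricter mask (for example 027) is worth considering -- check first
# that nothing depends on the looser mode.
UMASK	= -DDAEMON_UMASK=022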
138
139#######################################
140# Optional: Turning off access control
141#
142# By default, host access control is enabled.  To disable host access
143# control, comment out the following definition.  Host access control
144# can also be turned off at runtime by providing no or empty access
145# control tables.
146
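# Security note: access control fails open.  As stated above, missing or
# empty access control tables switch it off at run time, so a default-deny
# posture needs an explicit catch-all entry (such as "ALL: ALL") in the deny
# table, plus monitoring for the tables being removed or truncated.
ACCESS	= -DHOSTS_ACCESS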
148
149####################################################
150# Optional: dealing with host name/address conflicts
151#
152# By default, the software tries to protect against hosts that claim to
153# have someone else's host name. This is relevant for network services
154# whose authentication depends on host names, such as rsh and rlogin.
155#
156# With paranoid mode on, connections will be rejected when the host name
157# does not match the host address. Connections will also be rejected when
158# the host name is available but cannot be verified.
159#
160# Comment out the following definition if you want more control over such
161# requests. When paranoid mode is off and a host name double check fails,
162# the client can be matched with the PARANOID access control pattern.
163#
164# Paranoid mode implies hostname lookup. In order to disable hostname
165# lookups altogether, see the next section.
166
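# Security note: the host-name check depends on DNS answers, which the
# connecting party may be able to influence.  Rules written against
# addresses in the access tables do not carry that dependency.
PARANOID= -DPARANOID

# The default username lookup timeout is 10 seconds. This may not be long
# enough for slow hosts or networks, but is enough to irritate PC users.
# NOTE(review): the looked-up user name is reported by the client's own host;
# treat it as a logging hint rather than as authentication.

RFC931_TIMEOUT = 10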
173
174########################################################
175# Optional: Changing the access control table pathnames
176#
177# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
178# look for access control information. Watch out for the quotes and
179# backslashes when you make changes.
180
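# These two files decide who may connect (and, with the language extensions
# enabled, which commands run), so both should be owned by root and not
# writable by group or others.  The paths are compiled in as C string
# literals, hence the escaped quotes.
TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"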
182
183#############################################
184# Optional: Turning on host ADDRESS checking
185#
186# Optionally, the software tries to protect against hosts that pretend to
187# have someone else's host address. This is relevant for network services
188# whose authentication depends on host names, such as rsh and rlogin,
189# because the network address is used to look up the remote host name.
190#
191# The protection is to refuse TCP connections with IP source routing
192# options.
193#
194# This feature cannot be used with SunOS 4.x because of a kernel bug in
195# the implementation of the getsockopt() system call. Kernel panics have
196# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
197# fault" while executing the tcp_ctloutput() kernel function.
198#
199# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
200#
201# Uncomment the following macro definition if your getsockopt() is OK.
202#
203# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
204# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
205# Solaris 2.x, and Linux. See your system documentation for details.
206#
207# KILL_OPT= -DKILL_IP_OPTIONS
208
209## End configuration options
210############################
211