#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

# Programs built in this directory.
PROG =		safe_finger \
		tcpd tcpdchk tcpdmatch try-from

# Shared build definitions from the parent directory.  Macros used below that
# are not assigned in this file (for example $(ROOTUSRSBINPROG), $(INS.file)
# and $(LINK.c)) presumably come from here or from files it includes.
include ../Makefile.cmd

# Turn off the "function has no return statement" and "implicit function
# declaration" diagnostics, in both the -erroff form and the -_gcc form.
# NOTE(review): the suppressions apply to every program built here, so a
# genuinely missing prototype or return value in these network-facing
# programs will not be reported by the compiler.
ERROFF =	-erroff=E_FUNC_HAS_NO_RETURN_STMT \
		-erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT \
		-_gcc=-Wno-return-type \
		-_gcc=-Wno-implicit
CFLAGS +=	$(CCVERBOSE) $(ERROFF)

# Preprocessor configuration.  ACCESS, PARANOID, NETGROUP, TLI, UMASK, STYLE,
# TABLES, RFC931_TIMEOUT, FACILITY, SEVERITY and REAL_DAEMON_DIR are assigned
# in the configuration section at the end of this file.  KILL_OPT appears
# there only as a commented-out line and BUGS is not assigned in this file,
# so unless an included makefile sets them they expand to nothing.
CPPFLAGS +=	$(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
		$(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
		-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
		-DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
		-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
		-I../../lib/libwrap

# Per-target libraries: tcpd, tcpdmatch and try-from link against libwrap;
# tcpdchk needs libwrap and libnsl.  safe_finger gets neither.
tcpd tcpdmatch try-from :=	LDLIBS += -lwrap
tcpdchk :=			LDLIBS += -lwrap -lnsl

# Various components must export interfaces, but also contain name-space
# clashes with system libraries.  Each program listed here is linked with
# $(MAPFILE.NGB) plus its own interface mapfile; the lists are turned into
# -M options and appended to that program's LDFLAGS.
MAPFILE.INT.D =	$(MAPFILE.NGB) mapfile-intf-tcpdchk
MAPFILE.INT.M =	$(MAPFILE.NGB) mapfile-intf-tcpdmatch
MAPFILE.INT.F =	$(MAPFILE.NGB) mapfile-intf-tryfrom

tcpdchk :=	LDFLAGS += $(MAPFILE.INT.D:%=-M%)
tcpdmatch :=	LDFLAGS += $(MAPFILE.INT.M:%=-M%)
try-from :=	LDFLAGS += $(MAPFILE.INT.F:%=-M%)

# SRCONLY files take no part in the build.  They are shipped in the source
# code package SUNWtcpdS so that it stays consistent and complete with
# respect to the public tcp_wrappers distribution.
SRCONLY =	BLURB Banners.Makefile CHANGES DISCLAIMER Makefile \
		Makefile.dist Makefile.org \
		README README.IRIX README.NIS README.ipv6 \
		hosts_access.c.org misc.c.org miscd.c myvsyslog.c \
		ncr.c printf.ck ptx.c rfc931.c.org scaffold.c.org \
		socket.c.diff socket.c.org strcasecmp.c tags tcpd.h.org \
		tcpdchk.c.org tcpdmatch.c.org \
		tli-sequent.c tli-sequent.h \
		tli.c.org update.c.org vfprintf.c

# Manual page sections and pages to install, relative to $(ROOTMAN).
MANDIRS =	man3 man4 man1m
MANPAGES =	man3/hosts_access.3 man3/libwrap.3 \
		man4/hosts_access.4 man4/hosts_options.4 \
		man4/hosts.allow.4 man4/hosts.deny.4 \
		man1m/tcpd.1m man1m/tcpdchk.1m man1m/tcpdmatch.1m

# Files copied into the installed source directory: the sources and pages
# used by this build, README.sfw, and the SRCONLY list.
DISTFILES =	environ.c fakelog.c hosts_access.3 hosts_access.4 \
		hosts_options.4 inetcf.c inetcf.h safe_finger.c \
		scaffold.c scaffold.h \
		tcpd.1m tcpd.c tcpdchk.1m tcpdchk.c tcpdmatch.1m tcpdmatch.c \
		try-from.c README.sfw $(SRCONLY)

# Install locations under the proto area $(ROOT), and the full installed
# paths derived from the lists above.
ROOTSRC =	$(ROOT)/usr/share/src/tcp_wrappers
ROOTMAN =	$(ROOT)/usr/share/man

ROOTMANDIRS =	$(MANDIRS:%=$(ROOTMAN)/%)
ROOTMANPAGES =	$(MANPAGES:%=$(ROOTMAN)/%)
ROOTSRCFILES =	$(DISTFILES:%=$(ROOTSRC)/%)

# Special target of the make dialect this file is written for.
.KEEP_STATE:

# Build every program plus the generated license file.
all: $(PROG) THIRDPARTYLICENSE

# Install the programs, the manual pages and the source files.
install: all $(ROOTUSRSBINPROG) $(ROOTMANPAGES) $(ROOTSRCFILES)

# Remove objects and the temporary manual page directory.
clean:
	$(RM) *.o
	$(RM) -r sunman

lint:	lint_PROG

# Solaris-specific man page aliases.  They are copied into sunman unchanged
# (no man.sed edits) and installed from there.
sunman/libwrap.3: libwrap.3
	mkdir -p sunman; cat libwrap.3 > $@

sunman/hosts.allow.4: hosts.allow.4
	mkdir -p sunman; cat hosts.allow.4 > $@

sunman/hosts.deny.4: hosts.deny.4
	mkdir -p sunman; cat hosts.deny.4 > $@

# The remaining man pages are kept as shipped in the original distribution.
# For installation they are edited and renamed to follow Solaris man page
# conventions; for example tcpd.8 is installed as
# /usr/share/man/man1m/tcpd.1m.  The rules below write the renamed, edited
# copies into the temporary sunman directory.  The content edits live in the
# sed program man.sed.

# Section 8 pages become section 1m.
sunman/%.1m: %.8
	mkdir -p sunman; sed -f man.sed < $< > $@

# Section 5 pages become section 4.
sunman/%.4: %.5
	mkdir -p sunman; sed -f man.sed < $< > $@

# Section 3 pages keep their name and only receive the content edits.
sunman/%.3: %.3
	mkdir -p sunman; sed -f man.sed < $< > $@

# Installed manual pages are read-only (mode 0444) and need their section
# directories, which in turn need $(ROOTMAN).
$(ROOTMANPAGES) :=	FILEMODE = 0444
$(ROOTMANPAGES):	$(ROOTMANDIRS) $(ROOT)/usr/share/man

$(ROOTMANDIRS): $(ROOTMAN)
	$(INS.dir)

$(ROOTMAN):
	$(INS.dir)

# Every installed page is taken from its prepared copy in sunman.
$(ROOTMAN1M)/% $(ROOTMAN3)/% $(ROOTMAN)/man4/%: sunman/%
	$(INS.file)

# Installed source files are read-only (mode 0444) and live in $(ROOTSRC).
$(ROOTSRCFILES) :=	FILEMODE = 0444
$(ROOTSRCFILES):	$(ROOTSRC)

$(ROOTSRC):
	$(INS.dir)

# Three ways to supply a file for the source directory, in the order the
# rules are written: a local <name>.sfwsrc file installed with $(INS.rename),
# a prepared copy in sunman, or the file of the same name in this directory.
$(ROOTSRC)/%: %.sfwsrc
	$(INS.rename)

$(ROOTSRC)/%: sunman/%
	$(INS.file)

$(ROOTSRC)/%: %
	$(INS.file)

# Parent directories in the proto area, created from the top down.
$(ROOT)/usr: $(ROOT)
	$(INS.dir)

$(ROOT)/usr/share: $(ROOT)/usr
	$(INS.dir)

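TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o

# Link tcpdmatch from its objects.  The mapfiles that scope its exported
# interfaces are listed as dependencies through MAPFILE.INT.M, the macro this
# file assigns and also turns into the -M linker options.  The name used
# before, MAPFILE.INTF.M, is not assigned anywhere in this file, so unless an
# included makefile set it the mapfiles were not declared as dependencies of
# the link.
# NOTE(review): $(LIB) is not assigned in this file either - confirm whether
# an included makefile provides it.
tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INT.M)
	$(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
	$(POST_PROCESS)
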
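# Link try-from from its objects.  The mapfiles that scope its exported
# interfaces are listed as dependencies through MAPFILE.INT.F, the macro this
# file assigns and also turns into the -M linker options.  The name used
# before, MAPFILE.INTF.F, is not assigned anywhere in this file, so unless an
# included makefile set it the mapfiles were not declared as dependencies of
# the link.
try-from: try-from.o fakelog.o $(LIB) $(MAPFILE.INT.F)
	$(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
	$(POST_PROCESS)
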
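TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o

# Link tcpdchk from its objects.  The mapfiles that scope its exported
# interfaces are listed as dependencies through MAPFILE.INT.D, the macro this
# file assigns for tcpdchk and also turns into the -M linker options.  The
# name used before, MAPFILE.INTF.C, is not assigned anywhere in this file, so
# unless an included makefile set it the mapfiles were not declared as
# dependencies of the link.
tcpdchk: $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INT.D)
	$(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
	$(POST_PROCESS)
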
# Generate the license file from DISCLAIMER, leaving out every line that
# contains a run of four asterisks.
THIRDPARTYLICENSE: DISCLAIMER
	$(GREP) -v '\*\*\*\*' DISCLAIMER > $@

# The generated file is removed together with the other clobber files.
CLOBBERFILES += THIRDPARTYLICENSE

include ../Makefile.targ

# The rest of this file contains definitions more-or-less directly from the
# original Makefile of the tcp_wrappers distribution.  They supply the values
# referenced by the CPPFLAGS assignment near the top of this file.

##############################
# System parameters appropriate for Solaris 9
#
# REAL_DAEMON_DIR is compiled in as a quoted string; TLI and NETGROUP each
# add one preprocessor define.

REAL_DAEMON_DIR	= /usr/sbin
TLI		= -DTLI
NETGROUP	= -DNETGROUP

##############################
# Start of the optional stuff.

###########################################
# Optional: Turning on language extensions
#
# Instead of the default access control language that is documented in
# the hosts_access.5 document, the wrappers can be configured to
# implement an extensible language documented in the hosts_options.5
# document.  This language is implemented by the "options.c" source
# module, which also gives hints on how to add your own extensions.
# The definition below is active in this build, so the language extensions
# (examples: allow, deny, banners, twist and spawn) are turned on; comment
# it out to get the default language instead.
#
# NOTE(review): twist and spawn run commands named in the access control
# tables, so with this setting the tables should be writable only by the
# administrator.
#
STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.

################################################################
# Optional: Changing the default disposition of logfile records
#
# By default, logfile entries are written to the same file as used for
# sendmail transaction logs.  See your /etc/syslog.conf file for the actual
# path names of logfiles.  The tutorial section in the README file
# gives a brief introduction to the syslog daemon.
#
# Change the FACILITY definition below if you disagree with the default
# disposition.  Some syslog versions (including Ultrix 4.x) do not provide
# this flexibility.
#
# If nothing shows up on your system, it may be that the syslog records
# are sent to a dedicated loghost.  It may also be that no syslog daemon
# is running at all; in either case connection records will not be found
# locally.  The README file gives pointers to surrogate syslog
# implementations for systems that have no syslog library routines or
# no syslog daemons.  When changing the syslog.conf file, remember that
# there must be TABs between fields.
#
# The LOG_XXX names below are taken from the /usr/include/syslog.h file.

FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use

# The syslog priority at which successful connections are logged.

SEVERITY= LOG_INFO	# LOG_INFO is normally not logged to the console

######################################################
# Optional: Changing the default file protection mask
#
# On many systems, network daemons and other system processes are started
# with a zero umask value, so that world-writable files may be produced.
# It is a good idea to edit your /etc/rc* files so that they begin with
# an explicit umask setting.  On our site we use `umask 022' because it
# does not break anything yet gives adequate protection against tampering:
# files created under it are not writable by group or others.
#
# The following macro specifies the default umask for processes run under
# control of the daemon wrappers.  Comment it out only if you are certain
# that inetd and its children are started with a safe umask value.

UMASK	= -DDAEMON_UMASK=022

#######################################
# Optional: Turning off access control
#
# By default, host access control is enabled.  To disable host access
# control, comment out the following definition.  Host access control
# can also be turned off at runtime by providing no or empty access
# control tables; in other words, missing or empty tables mean that no
# restrictions are applied, even though the feature is compiled in.

ACCESS	= -DHOSTS_ACCESS

####################################################
# Optional: dealing with host name/address conflicts
#
# By default, the software tries to protect against hosts that claim to
# have someone else's host name.  This is relevant for network services
# whose authentication depends on host names, such as rsh and rlogin.
#
# With paranoid mode on, connections will be rejected when the host name
# does not match the host address.  Connections will also be rejected when
# the host name is available but cannot be verified.
#
# Comment out the following definition if you want more control over such
# requests.  When paranoid mode is off and a host name double check fails,
# the client can be matched with the PARANOID access control pattern.
#
# Paranoid mode implies hostname lookup.  In order to disable hostname
# lookups altogether, see the next section.

PARANOID= -DPARANOID

# The default username lookup timeout is 10 seconds.  This may not be long
# enough for slow hosts or networks, but is enough to irritate PC users.
# NOTE(review): the answer to an RFC 931 lookup is supplied by the remote
# host, so the user name is informational rather than authenticated.

RFC931_TIMEOUT = 10

########################################################
# Optional: Changing the access control table pathnames
#
# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
# look for access control information.  The paths are compiled in as
# quoted strings, so watch out for the quotes and backslashes when you
# make changes.

TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"

#############################################
# Optional: Turning on host ADDRESS checking
#
# Optionally, the software tries to protect against hosts that pretend to
# have someone else's host address. This is relevant for network services
# whose authentication depends on host names, such as rsh and rlogin,
# because the network address is used to look up the remote host name.
#
# The protection is to refuse TCP connections with IP source routing
# options.
#
# This feature cannot be used with SunOS 4.x because of a kernel bug in
# the implementation of the getsockopt() system call. Kernel panics have
# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
# fault" while executing the tcp_ctloutput() kernel function.
#
# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
#
# Uncomment the following macro definition if your getsockopt() is OK.
#
# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
# Solaris 2.x, and Linux. See your system documentation for details.
#
# The definition is left commented out here, so $(KILL_OPT) adds nothing
# to CPPFLAGS and the wrappers themselves do not refuse source-routed
# connections.
#
# KILL_OPT= -DKILL_IP_OPTIONS

## End configuration options
############################
