xref: /illumos-gate/usr/src/cmd/tcpd/Makefile (revision ab04eb8ef60d9dc9614d6cccffc474f24ca1d162)
1#
2# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# ident	"%Z%%M%	%I%	%E% SMI"
6#
7
8PROG =		safe_finger tcpd tcpdchk tcpdmatch try-from
9
10include ../Makefile.cmd
11
12ERROFF =	-erroff=E_FUNC_HAS_NO_RETURN_STMT \
13		-erroff=E_IMPLICIT_DECL_FUNC_RETURN_INT \
14		-_gcc=-Wno-return-type -_gcc=-Wno-implicit
15CFLAGS +=	$(CCVERBOSE) $(ERROFF)
16CPPFLAGS +=	$(ACCESS) $(PARANOID) $(NETGROUP) $(TLI) \
17		$(UMASK) $(STYLE) $(TABLES) $(KILL_OPT) $(BUGS) \
18		-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
19		-DFACILITY=$(FACILITY) -DSEVERITY=$(SEVERITY) \
20		-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
21		-I../../lib/libwrap
22tcpd tcpdmatch try-from := \
23	LDLIBS += -lwrap
24tcpdchk := \
25	LDLIBS += -lwrap -lnsl
26
27# Various components must export interfaces, but also contain name-space
28# clashes with system libraries.
29MAPFILE.INT.D =	$(MAPFILE.NGB) mapfile-intf-tcpdchk
30MAPFILE.INT.M =	$(MAPFILE.NGB) mapfile-intf-tcpdmatch
31MAPFILE.INT.F =	$(MAPFILE.NGB) mapfile-intf-tryfrom
32
33tcpdchk :=	LDFLAGS +=$(MAPFILE.INT.D:%=-M%)
34tcpdmatch :=	LDFLAGS +=$(MAPFILE.INT.M:%=-M%)
35try-from :=	LDFLAGS +=$(MAPFILE.INT.F:%=-M%)
36
37# SRCONLY files are not used for building but are included in the source code
38# package SUNWtcpdS for consistency and completeness with respect to the
39# public tcp_wrappers distribution.
40SRCONLY =	BLURB Banners.Makefile CHANGES DISCLAIMER Makefile \
41		Makefile.dist Makefile.org README README.IRIX README.NIS \
42		README.ipv6 hosts_access.c.org misc.c.org miscd.c myvsyslog.c \
43		ncr.c printf.ck ptx.c rfc931.c.org scaffold.c.org \
44		socket.c.diff socket.c.org strcasecmp.c tags tcpd.h.org \
45		tcpdchk.c.org tcpdmatch.c.org tli-sequent.c tli-sequent.h \
46		tli.c.org update.c.org vfprintf.c
47
48MANDIRS =	man3 man4 man1m
49MANPAGES =	man3/hosts_access.3 man3/libwrap.3 man4/hosts_access.4 \
50		man4/hosts_options.4 man4/hosts.allow.4 man4/hosts.deny.4 \
51		man1m/tcpd.1m man1m/tcpdchk.1m man1m/tcpdmatch.1m
52DISTFILES =	environ.c fakelog.c hosts_access.3 hosts_access.4 \
53		hosts_options.4 inetcf.c inetcf.h safe_finger.c scaffold.c \
54		scaffold.h tcpd.1m tcpd.c tcpdchk.1m tcpdchk.c tcpdmatch.1m \
55		tcpdmatch.c try-from.c README.sfw $(SRCONLY)
56
57ROOTSRC =	$(ROOT)/usr/share/src/tcp_wrappers
58$(ROOTSRC) :=	OWNER = root
59$(ROOTSRC) :=	GROUP = bin
60ROOTMAN = $(ROOT)/usr/share/man
61ROOTMANPAGES = $(MANPAGES:%=$(ROOTMAN)/%)
62ROOTMANDIRS = $(MANDIRS:%=$(ROOTMAN)/%)
63ROOTSRCFILES = $(DISTFILES:%=$(ROOTSRC)/%)
64
65.KEEP_STATE:
66
67all: $(PROG) THIRDPARTYLICENSE
68
69install: all $(ROOTUSRSBINPROG) $(ROOTMANPAGES) $(ROOTSRCFILES)
70
71clean:
72	$(RM) *.o
73	$(RM) -r sunman
74
75lint:	lint_PROG
76
77# These Solaris-specific man page aliases are installed verbatim.
78sunman/libwrap.3: libwrap.3
79	mkdir -p sunman; cat libwrap.3 > $@
80sunman/hosts.allow.4: hosts.allow.4
81	mkdir -p sunman; cat hosts.allow.4 > $@
82sunman/hosts.deny.4: hosts.deny.4
83	mkdir -p sunman; cat hosts.deny.4 > $@
84
85# The rest of the man pages are in the form provided in the original
86# distribution, but get edited and renamed to follow Solaris man page
87# conventions.  E.g. tcpd.8 gets installed as /usr/share/man/man1m/tcpd.1m.
88# Create temporary copies in the sunman directory with modified names
89# and contents.  The sed program man.sed contains the content edits.
90
91sunman/%.1m: %.8
92	mkdir -p sunman; sed -f man.sed < $< > $@
93sunman/%.4: %.5
94	mkdir -p sunman; sed -f man.sed < $< > $@
95sunman/%.3: %.3
96	mkdir -p sunman; sed -f man.sed < $< > $@
97
98$(ROOTMANPAGES) := FILEMODE = 0444
99$(ROOTMANPAGES): $(ROOTMANDIRS) $(ROOT)/usr/share/man
100$(ROOTMANDIRS): $(ROOTMAN)
101	$(INS.dir)
102$(ROOTMAN):
103	$(INS.dir)
104$(ROOTMAN1M)/% $(ROOTMAN3)/% $(ROOTMAN)/man4/%: sunman/%
105	$(INS.file)
106
107$(ROOTSRCFILES) := FILEMODE = 0444
108$(ROOTSRCFILES): $(ROOTSRC)
109$(ROOTSRC):
110	$(INS.dir)
111$(ROOTSRC)/%: %.sfwsrc
112	$(INS.rename)
113$(ROOTSRC)/%: sunman/%
114	$(INS.file)
115$(ROOTSRC)/%: %
116	$(INS.file)
117
118$(ROOT)/usr/share: $(ROOT)/usr
119	$(INS.dir)
120$(ROOT)/usr: $(ROOT)
121	$(INS.dir)
122
123TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
124
125tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) $(MAPFILE.INTF.M)
126	$(LINK.c) -o $@ $(TCPDMATCH_OBJ) $(LDLIBS)
127	$(POST_PROCESS)
128
129try-from: try-from.o fakelog.o $(LIB) $(MAPFILE.INTF.F)
130	$(LINK.c) -o $@ try-from.o fakelog.o $(LDLIBS)
131	$(POST_PROCESS)
132
133TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
134
135tcpdchk: $(TCPDCHK_OBJ) $(LIB) $(MAPFILE.INTF.C)
136	$(LINK.c) -o $@ $(TCPDCHK_OBJ) $(LDLIBS)
137	$(POST_PROCESS)
138
139THIRDPARTYLICENSE: DISCLAIMER
140	$(GREP) -v '\*\*\*\*' DISCLAIMER > $@
141
142CLOBBERFILES += THIRDPARTYLICENSE
143
144include ../Makefile.targ
145
146# The rest of this file contains definitions more-or-less directly from the
147# original Makefile of the tcp_wrappers distribution.
148
149##############################
150# System parameters appropriate for Solaris 9
151
152REAL_DAEMON_DIR	= /usr/sbin
153TLI		= -DTLI
154NETGROUP	= -DNETGROUP
155
156##############################
157# Start of the optional stuff.
158
159###########################################
160# Optional: Turning on language extensions
161#
162# Instead of the default access control language that is documented in
163# the hosts_access.5 document, the wrappers can be configured to
164# implement an extensible language documented in the hosts_options.5
165# document.  This language is implemented by the "options.c" source
166# module, which also gives hints on how to add your own extensions.
167# Uncomment the next definition to turn on the language extensions
168# (examples: allow, deny, banners, twist and spawn).
169#
170STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
171
172################################################################
173# Optional: Changing the default disposition of logfile records
174#
175# By default, logfile entries are written to the same file as used for
176# sendmail transaction logs. See your /etc/syslog.conf file for actual
177# path names of logfiles. The tutorial section in the README file
178# gives a brief introduction to the syslog daemon.
179#
180# Change the FACILITY definition below if you disagree with the default
181# disposition. Some syslog versions (including Ultrix 4.x) do not provide
182# this flexibility.
183#
184# If nothing shows up on your system, it may be that the syslog records
185# are sent to a dedicated loghost. It may also be that no syslog daemon
186# is running at all. The README file gives pointers to surrogate syslog
187# implementations for systems that have no syslog library routines or
188# no syslog daemons. When changing the syslog.conf file, remember that
189# there must be TABs between fields.
190#
191# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
192
193FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use
194
195# The syslog priority at which successful connections are logged.
196
197SEVERITY= LOG_INFO	# LOG_INFO is normally not logged to the console
198
199######################################################
200# Optional: Changing the default file protection mask
201#
202# On many systems, network daemons and other system processes are started
203# with a zero umask value, so that world-writable files may be produced.
204# It is a good idea to edit your /etc/rc* files so that they begin with
205# an explicit umask setting.  On our site we use `umask 022' because it
206# does not break anything yet gives adequate protection against tampering.
207#
208# The following macro specifies the default umask for processes run under
209# control of the daemon wrappers. Comment it out only if you are certain
210# that inetd and its children are started with a safe umask value.
211
212UMASK	= -DDAEMON_UMASK=022
213
214#######################################
215# Optional: Turning off access control
216#
217# By default, host access control is enabled.  To disable host access
218# control, comment out the following definition.  Host access control
219# can also be turned off at runtime by providing no or empty access
220# control tables.
221
222ACCESS	= -DHOSTS_ACCESS
223
224####################################################
225# Optional: dealing with host name/address conflicts
226#
227# By default, the software tries to protect against hosts that claim to
228# have someone elses host name. This is relevant for network services
229# whose authentication depends on host names, such as rsh and rlogin.
230#
231# With paranoid mode on, connections will be rejected when the host name
232# does not match the host address. Connections will also be rejected when
233# the host name is available but cannot be verified.
234#
235# Comment out the following definition if you want more control over such
236# requests. When paranoid mode is off and a host name double check fails,
237# the client can be matched with the PARANOID access control pattern.
238#
239# Paranoid mode implies hostname lookup. In order to disable hostname
240# lookups altogether, see the next section.
241
242PARANOID= -DPARANOID
243
244# The default username lookup timeout is 10 seconds. This may not be long
245# enough for slow hosts or networks, but is enough to irritate PC users.
246
247RFC931_TIMEOUT = 10
248
249########################################################
250# Optional: Changing the access control table pathnames
251#
252# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
253# look for access control information. Watch out for the quotes and
254# backslashes when you make changes.
255
256TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
257
258#############################################
259# Optional: Turning on host ADDRESS checking
260#
261# Optionally, the software tries to protect against hosts that pretend to
262# have someone elses host address. This is relevant for network services
263# whose authentication depends on host names, such as rsh and rlogin,
264# because the network address is used to look up the remote host name.
265#
266# The protection is to refuse TCP connections with IP source routing
267# options.
268#
269# This feature cannot be used with SunOS 4.x because of a kernel bug in
270# the implementation of the getsockopt() system call. Kernel panics have
271# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
272# fault" while executing the tcp_ctloutput() kernel function.
273#
274# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
275#
276# Uncomment the following macro definition if your getsockopt() is OK.
277#
278# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
279# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
280# Solaris 2.x, and Linux. See your system documentation for details.
281#
282# KILL_OPT= -DKILL_IP_OPTIONS
283
284## End configuration options
285############################
286