chiark / gitweb /
core: remove tcpwrap support
authorLennart Poettering <lennart@poettering.net>
Mon, 24 Mar 2014 19:07:42 +0000 (20:07 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 24 Mar 2014 19:07:42 +0000 (20:07 +0100)
tcpwrap is legacy code, that is barely maintained upstream. It's APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionnable. We should not support this natively in
systemd.

Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost.

16 files changed:
Makefile.am
README
TODO
configure.ac
m4/acx_libwrap.m4 [deleted file]
man/systemd.exec.xml
src/core/build.h
src/core/dbus-execute.c
src/core/execute.c
src/core/execute.h
src/core/load-fragment-gperf.gperf.m4
src/core/load-fragment.c
src/core/tcpwrap.c [deleted file]
src/core/tcpwrap.h [deleted file]
src/shared/exit-status.c
src/shared/exit-status.h

index 54cd1c6..2cb0f2a 100644 (file)
@@ -1019,8 +1019,6 @@ libsystemd_core_la_SOURCES = \
        src/core/condition.h \
        src/core/namespace.c \
        src/core/namespace.h \
-       src/core/tcpwrap.c \
-       src/core/tcpwrap.h \
        src/core/build.h \
        src/core/sysfs-show.h \
        src/core/switch-root.h \
@@ -1046,7 +1044,6 @@ nodist_libsystemd_core_la_SOURCES = \
 
 libsystemd_core_la_CFLAGS = \
        $(AM_CFLAGS) \
-       $(LIBWRAP_CFLAGS) \
        $(PAM_CFLAGS) \
        $(AUDIT_CFLAGS) \
        $(CAP_CFLAGS) \
@@ -1062,7 +1059,6 @@ libsystemd_core_la_LIBADD = \
        libudev-internal.la \
        libsystemd-shared.la \
        libsystemd-internal.la \
-       $(LIBWRAP_LIBS) \
        $(PAM_LIBS) \
        $(AUDIT_LIBS) \
        $(CAP_LIBS) \
diff --git a/README b/README
index 7fd5c0e..fc13e10 100644 (file)
--- a/README
+++ b/README
@@ -111,7 +111,6 @@ REQUIREMENTS:
         libattr (optional)
         libselinux (optional)
         liblzma (optional)
-        tcpwrappers (optional)
         libgcrypt (optional)
         libqrencode (optional)
         libmicrohttpd (optional)
diff --git a/TODO b/TODO
index febfc3a..e081fcf 100644 (file)
--- a/TODO
+++ b/TODO
@@ -550,7 +550,7 @@ Features:
 
 * for services: don't set $HOME in services unless requested
 
-* hide PAM/TCPWrap options in fragment parser when compile time disabled
+* hide PAM options in fragment parser when compile time disabled
 
 * when we automatically restart a service, ensure we restart its rdeps, too.
 
index 3ced6cf..e95b682 100644 (file)
@@ -431,32 +431,6 @@ fi
 AM_CONDITIONAL(HAVE_XZ, [test "$have_xz" = "yes"])
 
 # ------------------------------------------------------------------------------
-AC_ARG_ENABLE([tcpwrap],
-        AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
-                [case "${enableval}" in
-                        yes) have_tcpwrap=yes ;;
-                        no) have_tcpwrap=no ;;
-                        *) AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap) ;;
-                esac],
-                [have_tcpwrap=auto])
-
-if test "x${have_tcpwrap}" != xno ; then
-        ACX_LIBWRAP
-        if test "x${LIBWRAP_LIBS}" = x ; then
-                if test "x$have_tcpwrap" = xyes ; then
-                        AC_MSG_ERROR([*** TCP wrappers support not found.])
-                fi
-                have_tcpwrap=no
-        else
-                M4_DEFINES="$M4_DEFINES -DHAVE_LIBWRAP"
-                have_tcpwrap=yes
-        fi
-else
-        LIBWRAP_LIBS=
-fi
-AC_SUBST(LIBWRAP_LIBS)
-
-# ------------------------------------------------------------------------------
 AC_ARG_ENABLE([pam],
         AS_HELP_STRING([--disable-pam],[Disable optional PAM support]),
                 [case "${enableval}" in
@@ -1130,7 +1104,6 @@ AC_MSG_RESULT([
         $PACKAGE_NAME $VERSION
 
         libcryptsetup:           ${have_libcryptsetup}
-        tcpwrap:                 ${have_tcpwrap}
         PAM:                     ${have_pam}
         AUDIT:                   ${have_audit}
         IMA:                     ${have_ima}
diff --git a/m4/acx_libwrap.m4 b/m4/acx_libwrap.m4
deleted file mode 100644 (file)
index ccf8afc..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-AC_DEFUN([ACX_LIBWRAP], [
-LIBWRAP_LIBS=
-saved_LIBS="$LIBS"
-LIBS="$LIBS -lwrap"
-AC_MSG_CHECKING([for tcpwrap library and headers])
-AC_LINK_IFELSE(
-[AC_LANG_PROGRAM(
-[#include <tcpd.h>
-#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;],
-[struct request_info *req;
-return hosts_access (req);])],
-[AC_DEFINE(HAVE_LIBWRAP, [], [Have tcpwrap?])
-LIBWRAP_LIBS="-lwrap"
-AC_MSG_RESULT(yes)],
-[AC_MSG_RESULT(no)])
-LIBS="$saved_LIBS"
-])
index f47826c..11ad7f6 100644 (file)
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>TCPWrapName=</varname></term>
-                                <listitem><para>If this is a
-                                socket-activated service, this sets the
-                                tcpwrap service name to check the
-                                permission for the current connection
-                                with. This is only useful in
-                                conjunction with socket-activated
-                                services, and stream sockets (TCP) in
-                                particular. It has no effect on other
-                                socket types (e.g. datagram/UDP) and
-                                on processes unrelated to socket-based
-                                activation. If the tcpwrap
-                                verification fails, daemon start-up
-                                will fail and the connection is
-                                terminated. See
-                                <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-                                for details. Note that this option may
-                                be used to do access control checks
-                                only. Shell commands and commands
-                                described in
-                                <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                are not supported.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
                                 <term><varname>CapabilityBoundingSet=</varname></term>
 
                                 <listitem><para>Controls which
index 3d7cd3e..f6faf06 100644 (file)
 #define _PAM_FEATURE_ "-PAM"
 #endif
 
-#ifdef HAVE_LIBWRAP
-#define _LIBWRAP_FEATURE_ "+LIBWRAP"
-#else
-#define _LIBWRAP_FEATURE_ "-LIBWRAP"
-#endif
-
 #ifdef HAVE_AUDIT
 #define _AUDIT_FEATURE_ "+AUDIT"
 #else
@@ -93,4 +87,4 @@
 #define _SECCOMP_FEATURE_ "-SECCOMP"
 #endif
 
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
index bf4a682..13b3d0d 100644 (file)
@@ -618,7 +618,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_PROPERTY("TCPWrapName", "s", NULL, offsetof(ExecContext, tcpwrap_name), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ReadOnlyDirectories", "as", NULL, offsetof(ExecContext, read_only_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
index 353f2d1..4a3aeda 100644 (file)
@@ -69,7 +69,6 @@
 #include "ioprio.h"
 #include "securebits.h"
 #include "namespace.h"
-#include "tcpwrap.h"
 #include "exit-status.h"
 #include "missing.h"
 #include "utmp-wtmp.h"
@@ -1362,23 +1361,6 @@ int exec_spawn(ExecCommand *command,
                                 goto fail_child;
                         }
 
-                if (context->tcpwrap_name) {
-                        if (socket_fd >= 0)
-                                if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
-                                        err = -EACCES;
-                                        r = EXIT_TCPWRAP;
-                                        goto fail_child;
-                                }
-
-                        for (i = 0; i < (int) n_fds; i++) {
-                                if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
-                                        err = -EACCES;
-                                        r = EXIT_TCPWRAP;
-                                        goto fail_child;
-                                }
-                        }
-                }
-
                 exec_context_tty_reset(context);
 
                 if (confirm_spawn) {
@@ -1878,9 +1860,6 @@ void exec_context_done(ExecContext *c) {
         free(c->tty_path);
         c->tty_path = NULL;
 
-        free(c->tcpwrap_name);
-        c->tcpwrap_name = NULL;
-
         free(c->syslog_identifier);
         c->syslog_identifier = NULL;
 
@@ -2148,11 +2127,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
         STRV_FOREACH(e, c->environment_files)
                 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
 
-        if (c->tcpwrap_name)
-                fprintf(f,
-                        "%sTCPWrapName: %s\n",
-                        prefix, c->tcpwrap_name);
-
         if (c->nice_set)
                 fprintf(f,
                         "%sNice: %i\n",
index 9fcea12..c9e29ff 100644 (file)
@@ -113,8 +113,6 @@ struct ExecContext {
 
         nsec_t timer_slack_nsec;
 
-        char *tcpwrap_name;
-
         char *tty_path;
 
         bool tty_reset;
index 3a77234..dbb5d13 100644 (file)
@@ -84,9 +84,6 @@ $1.MountFlags,                   config_parse_exec_mount_flags,      0,
 $1.Personality,                  config_parse_personality,           0,                             offsetof($1, exec_context.personality)
 $1.RuntimeDirectoryMode,         config_parse_mode,                  0,                             offsetof($1, exec_context.runtime_directory_mode)
 $1.RuntimeDirectory,             config_parse_runtime_directory,     0,                             offsetof($1, exec_context.runtime_directory)
-m4_ifdef(`HAVE_LIBWRAP',
-`$1.TCPWrapName,                 config_parse_unit_string_printf,    0,                             offsetof($1, exec_context.tcpwrap_name)',
-`$1.TCPWrapName,                 config_parse_warn_compat,           0,                             0')
 m4_ifdef(`HAVE_PAM',
 `$1.PAMName,                     config_parse_unit_string_printf,    0,                             offsetof($1, exec_context.pam_name)',
 `$1.PAMName,                     config_parse_warn_compat,           0,                             0')
index e7779d1..c604f90 100644 (file)
@@ -64,7 +64,7 @@
 #include "seccomp-util.h"
 #endif
 
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
 int config_parse_warn_compat(
                 const char *unit,
                 const char *filename,
@@ -3328,7 +3328,7 @@ void unit_dump_config_items(FILE *f) {
                 const ConfigParserCallback callback;
                 const char *rvalue;
         } table[] = {
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
                 { config_parse_warn_compat,           "NOTSUPPORTED" },
 #endif
                 { config_parse_int,                   "INTEGER" },
diff --git a/src/core/tcpwrap.c b/src/core/tcpwrap.c
deleted file mode 100644 (file)
index 6c630fa..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-/***
-  This file is part of systemd.
-
-  Copyright 2010 Lennart Poettering
-
-  systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation; either version 2.1 of the License, or
-  (at your option) any later version.
-
-  systemd is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-
-#ifdef HAVE_LIBWRAP
-#include <tcpd.h>
-#endif
-
-#include "tcpwrap.h"
-#include "log.h"
-
-bool socket_tcpwrap(int fd, const char *name) {
-#ifdef HAVE_LIBWRAP
-        struct request_info req;
-        union {
-                struct sockaddr sa;
-                struct sockaddr_in in;
-                struct sockaddr_in6 in6;
-                struct sockaddr_un un;
-                struct sockaddr_storage storage;
-        } sa_union;
-        socklen_t l = sizeof(sa_union);
-
-        if (getsockname(fd, &sa_union.sa, &l) < 0)
-                return true;
-
-        if (sa_union.sa.sa_family != AF_INET &&
-            sa_union.sa.sa_family != AF_INET6)
-                return true;
-
-        request_init(&req,
-                     RQ_DAEMON, name,
-                     RQ_FILE, fd,
-                     NULL);
-
-        fromhost(&req);
-
-        if (!hosts_access(&req)) {
-                log_warning("Connection refused by tcpwrap.");
-                return false;
-        }
-
-        log_debug("Connection accepted by tcpwrap.");
-#endif
-        return true;
-}
diff --git a/src/core/tcpwrap.h b/src/core/tcpwrap.h
deleted file mode 100644 (file)
index 3353b65..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-#pragma once
-
-/***
-  This file is part of systemd.
-
-  Copyright 2010 Lennart Poettering
-
-  systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU Lesser General Public License as published by
-  the Free Software Foundation; either version 2.1 of the License, or
-  (at your option) any later version.
-
-  systemd is distributed in the hope that it will be useful, but
-  WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public License
-  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <stdbool.h>
-
-bool socket_tcpwrap(int fd, const char *name);
index d860b55..208d329 100644 (file)
@@ -113,9 +113,6 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
                 case EXIT_STDERR:
                         return "STDERR";
 
-                case EXIT_TCPWRAP:
-                        return "TCPWRAP";
-
                 case EXIT_PAM:
                         return "PAM";
 
index 385d6de..d6bf84c 100644 (file)
@@ -64,7 +64,7 @@ typedef enum ExitStatus {
         EXIT_SETSID,   /* 220 */
         EXIT_CONFIRM,
         EXIT_STDERR,
-        EXIT_TCPWRAP,
+        _EXIT_RESERVED, /* used to be tcpwrap, don't reuse! */
         EXIT_PAM,
         EXIT_NETWORK,
         EXIT_NAMESPACE,