Hello community,
here is the log from the commit of package xinetd.2703 for openSUSE:12.3:Update checked in at 2014-04-11 15:03:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/xinetd.2703 (Old)
and /work/SRC/openSUSE:12.3:Update/.xinetd.2703.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xinetd.2703"
Changes:
--------
New Changes file:
--- /dev/null 2014-02-13 01:09:38.344032506 +0100
+++ /work/SRC/openSUSE:12.3:Update/.xinetd.2703.new/xinetd.changes 2014-04-11 15:03:21.000000000 +0200
@@ -0,0 +1,487 @@
+-------------------------------------------------------------------
+Mon Mar 31 10:28:32 UTC 2014 - vcizek@suse.com
+
+- Add support for setting maximum number of open files (bnc#855685)
+ * added xinetd-2.3.14-file-limit.patch
+ * added xinetd-2.3.14-restore-nofile-limits.patch
+
+- fixes for security vulnerabilities
+ * CVE-2013-4342 (bnc#844230)
+ - xinetd ignores user and group directives for tcpmux services
+ - added xinetd-CVE-2013-4342.patch
+ * CVE-2012-0862 (bnc#762294)
+ - xinetd enables all services when tcp multiplexing is used
+ - added xinetd-CVE-2012-0862.patch
+
+-------------------------------------------------------------------
+Sat Sep 15 05:44:55 UTC 2012 - coolo@suse.com
+
+- fix typo in license string - it's SUSE-xinetd
+
+-------------------------------------------------------------------
+Tue May 29 13:11:23 UTC 2012 - cfarrell@suse.com
+
+- license update: SUSE-xinedt
+ Use this license from license.opensuse.org until upstream SPDX accepts
+ xinetd into the official list
+
+-------------------------------------------------------------------
+Wed Dec 21 13:45:09 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Wed Dec 21 10:31:54 UTC 2011 - coolo@suse.com
+
+- remove call to suse_update_config (very old work around)
+
+-------------------------------------------------------------------
+Thu Nov 17 20:13:51 UTC 2011 - lchiquitto@suse.com
+
+- added xinetd-2.3.14-nodeadlock-revisited.patch: ignore SIGCONT
+ and avoid print in signal handler (bnc#726737)
+
+-------------------------------------------------------------------
+Wed Apr 21 08:55:03 UTC 2010 - mseben@novell.com
+
+- added ident-bind.patch : use right size of addresses in bind() call.
+ Also use getpeername addresses when connecting to ident service to
+ prevent address family mismatch between socket(),
+ bind() and connect() calls. (bnc#598305)
+
+-------------------------------------------------------------------
+Tue Jan 26 22:55:43 CET 2010 - jengelh@medozas.de
+
+- SPARC64 requires large PIE model
+
+-------------------------------------------------------------------
+Sun Dec 20 16:29:37 CET 2009 - jengelh@medozas.de
+
+- enable parallel build
+
+-------------------------------------------------------------------
+Tue Sep 15 15:00:38 CEST 2009 - mseben@novell.com
+
+- fixed rc.xinetd [bnc#457903]:
+ * rc-script start: check if xinetd isn't already running
+ * rc-script stop: wait until pid file has disappeared
+
+-------------------------------------------------------------------
+Sun Aug 17 08:57:22 CEST 2008 - aj@suse.de
+
+- Fix init script warnings.
+
+-------------------------------------------------------------------
+Fri Sep 14 14:09:28 CEST 2007 - ro@suse.de
+
+- add a pidfile for xinetd in rc-script (#300526)
+
+-------------------------------------------------------------------
+Fri Aug 10 08:42:30 CEST 2007 - anosek@suse.cz
+
+- added description of the previous patch to README.SuSE
+
+-------------------------------------------------------------------
+Tue Aug 7 08:45:51 CEST 2007 - anosek@suse.cz
+
+- fixed: xinetd does not honour disable line
+ [#254613] (honour_disable.patch)
+ * As soon as we realize that the service is disabled
+ we don't continue parsing its config
+
+-------------------------------------------------------------------
+Wed Apr 18 13:41:48 CEST 2007 - anosek@suse.cz
+
+- improved description for YaST (rc.xinetd)
+
+-------------------------------------------------------------------
+Tue Dec 19 15:13:26 CET 2006 - prusnak@suse.cz
+
+- added "discard" to service files (and modified ipv6-ipv4-fallback.patch) [#222777]
+
+-------------------------------------------------------------------
+Mon Feb 6 12:52:41 CET 2006 - mmarek@suse.cz
+
+- fixed logrotate file rotating rotated files
+ [#120068, #147899]
+
+-------------------------------------------------------------------
+Wed Jan 25 21:43:10 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Tue Nov 22 10:36:41 CET 2005 - mmarek@suse.cz
+
+- use 'FLAGS = IPv6 IPv4' in included service files
+- document the feature in xinetd.conf(5)
+
+-------------------------------------------------------------------
+Tue Nov 01 11:27:00 CET 2005 - mmarek@suse.de
+
+- updated to version 2.3.14, removed integrated patches:
+ * xinetd-2.3.13-gcc4.diff
+ * xinetd-2.3.13-ia64.dif
+ * xinetd-2.3.13-integer-overflow.diff
+ * xinetd-2.3.13-rlimit.diff
+- added option to fallback to IPv4 if IPv6 is not available [#127784]
+
+-------------------------------------------------------------------
+Mon Oct 10 10:19:50 CEST 2005 - mmarek@suse.cz
+
+- added upstream patch to fix integer overflow in handling of rlimit_*
+ attributes [#120730]
+
+-------------------------------------------------------------------
+Tue Oct 4 13:28:56 CEST 2005 - mmarek@suse.cz
+
+- Fix endless loop in xinetd/util.c [#118878]
+
+-------------------------------------------------------------------
+Tue Aug 23 00:53:40 CEST 2005 - postadal@suse.cz
+
+- added logrotate to Requires
+
+-------------------------------------------------------------------
+Tue Aug 9 16:55:35 CEST 2005 - postadal@suse.cz
+
+- fixed logrotate file [#95214]
+
+-------------------------------------------------------------------
+Fri Jun 3 10:34:31 CEST 2005 - kukuk@suse.de
+
+- Compile with -fpie/-pie
+
+-------------------------------------------------------------------
+Fri Apr 1 15:23:42 CEST 2005 - meissner@suse.de
+
+- lvalue problems fixed
+- fixed undefined argv copying behaviour.
+
+-------------------------------------------------------------------
+Wed Jan 26 13:24:54 CET 2005 - postadal@suse.cz
+
+- added logrotate file [#46353]
+
+-------------------------------------------------------------------
+Wed Nov 10 14:59:33 CET 2004 - postadal@suse.cz
+
+- added patch to avoid deadlock (LTC#9961, SUSE#43024)
+
+-------------------------------------------------------------------
+Thu Apr 22 12:58:10 CEST 2004 - postadal@suse.cz
+
+- added one second timeout during server startup for deciding if the process
+ started without error [#36175]
+
+-------------------------------------------------------------------
+Thu Feb 12 13:43:09 CET 2004 - postadal@suse.cz
+
+- updated to version 2.3.13
+- fixed code that broke strict aliasing
+
+-------------------------------------------------------------------
+Sun Jan 11 09:43:10 CET 2004 - adrian@suse.de
+
+- build as user
+
+-------------------------------------------------------------------
+Thu Aug 07 17:29:09 CEST 2003 - postadal@suse.cz
+
+- updated to version 2.3.12
+- removed obsoleted pacthes (parse-fix, check_from_solar_designer,
+ used_valgrind_to_fix, close_listening_descriptor)
+- use new stop_on_removal/restart_on_upate macros
+
+-------------------------------------------------------------------
+Thu Jun 12 11:08:26 CEST 2003 - kukuk@suse.de
++++ 290 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.xinetd.2703.new/xinetd.changes
New:
----
FAQ
README.SuSE
logrotate
rc.xinetd
xinetd-2.3.14-file-limit.patch
xinetd-2.3.14-honour_disable.patch
xinetd-2.3.14-ident-bind.patch
xinetd-2.3.14-ipv6-ipv4-fallback.patch
xinetd-2.3.14-man.dif
xinetd-2.3.14-nodeadlock-revisited.patch
xinetd-2.3.14-nodeadlock.diff
xinetd-2.3.14-pie.patch
xinetd-2.3.14-restore-nofile-limits.patch
xinetd-2.3.14-server_args-fix.diff
xinetd-2.3.14-strict-aliasing-fix.diff
xinetd-2.3.14.tar.bz2
xinetd-CVE-2012-0862.patch
xinetd-CVE-2013-4342.patch
xinetd-service_files.tar.bz2
xinetd.changes
xinetd.conf
xinetd.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xinetd.spec ++++++
#
# spec file for package xinetd
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: xinetd
BuildRequires: autoconf
BuildRequires: tcpd-devel
PreReq: %insserv_prereq %fillup_prereq
Provides: inet-daemon
Requires: logrotate
Version: 2.3.14
Release: 0
Url: http://www.xinetd.org/
Summary: An 'inetd' with Expanded Functionality
License: SUSE-xinetd
Group: Productivity/Networking/System
Source0: %{name}-%{version}.tar.bz2
Source2: rc.xinetd
Source3: xinetd.conf
Source4: FAQ
Source5: README.SuSE
Source6: %{name}-service_files.tar.bz2
Source7: logrotate
Patch: %{name}-%{version}-man.dif
Patch4: %{name}-%{version}-server_args-fix.diff
Patch5: %{name}-%{version}-strict-aliasing-fix.diff
Patch6: %{name}-%{version}-nodeadlock.diff
Patch8: %{name}-%{version}-pie.patch
Patch9: %{name}-%{version}-ipv6-ipv4-fallback.patch
Patch10: %{name}-%{version}-honour_disable.patch
Patch11: %{name}-%{version}-ident-bind.patch
Patch12: %{name}-%{version}-nodeadlock-revisited.patch
Patch14: xinetd-CVE-2012-0862.patch
Patch15: xinetd-CVE-2013-4342.patch
Patch16: xinetd-2.3.14-file-limit.patch
Patch17: xinetd-2.3.14-restore-nofile-limits.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
xinetd takes the abilities of inetd and appends additional
functionality:
- Access Control
- Prevention of 'denial of access' attacks
- Extensive logging abilities
- Clear configuration file
Authors:
--------
Panagiotis Tsirigotis
Rob Braun
%prep
%setup -b 0 -T -D -a 6
%patch
cp %{S:4} .
cp %{S:5} .
%patch4
%patch5
%patch6
%patch8
%patch9
%patch10
%patch11 -p1
%patch12 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%build
autoconf
CFLAGS="$RPM_OPT_FLAGS -Wformat=2" ./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=%{_mandir}\
--with-loadavg \
--with-libwrap
make %{?_smp_mflags}
%install
install -d -m 755 $RPM_BUILD_ROOT/etc/{init.d,logrotate.d}
install -d -m 755 $RPM_BUILD_ROOT/%{_mandir}
make install DAEMONDIR=$RPM_BUILD_ROOT/usr/sbin MANDIR=${RPM_BUILD_ROOT}/%{_mandir}
install -m 644 %{S:3} $RPM_BUILD_ROOT/etc/xinetd.conf
cp -a etc $RPM_BUILD_ROOT
install -m 755 %{S:2} $RPM_BUILD_ROOT/etc/init.d/xinetd
ln -sf ../../etc/init.d/xinetd $RPM_BUILD_ROOT/usr/sbin/rcxinetd
install -m 644 %{S:7} $RPM_BUILD_ROOT/etc/logrotate.d/xinetd
%post
%{fillup_and_insserv xinetd}
%preun
%stop_on_removal xinetd
%postun
%restart_on_update xinetd
%{insserv_cleanup}
%clean
[ -d %{buildroot} -a "%{buildroot}" != "" ] && rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc README CHANGELOG COPYRIGHT FAQ README.SuSE
%doc %{_mandir}/*/*
%config(noreplace) /etc/logrotate.d/xinetd
/etc/xinetd.d/*
/usr/sbin/*
/etc/init.d/xinetd
%config(noreplace) /etc/xinetd.conf
%changelog
++++++ FAQ ++++++
xinetd FAQ
Q. What is xinetd ?
A. xinetd is a replacement for inetd, the internet services daemon.
Q: I am not a system administrator; what do I care about an inetd
replacement ?
A: xinetd is not just an inetd replacement. Anybody can use it to start
servers that don't require privileged ports because xinetd does not require
that the services in its configuration file be listed in /etc/services.
Q. Is it compatible with inetd ?
A. No, its configuration file has a different format than inetd's one and it
understands different signals. However the signal-to-action assignment can
be changed and a program has been included to convert inetd.conf to
xinetd.conf.
Q. Why should I use it ?
A. Because it is a lot better (IMHO) than inetd. Here are the reasons:
1) It can do access control on all services based on:
a. address of remote host
b. time of access
c. name of remote host
d. domain name of remote host
2) Access control works on all services, whether multi-threaded or
single-threaded and for both the TCP and UDP protocols. All UDP packets can
be checked as well as all TCP connections.
3) It provides hard reconfiguration:
a. kills servers for services that are no longer in the configuration
file
b. kills servers that no longer meet the access control criteria
4) It can prevent denial-of-access attacks by
a. placing limits on the number of servers for each service (avoids
process table overflows)
b. placing an upper bound on the number of processes it will fork
c. placing limits on the size of log files it creates
d. placing limits on the number of connection a single host can
initiate
e. place limits on the rate of incoming connections
f. discontinue services if the load exceeds specified limit
5) Extensive logging abilities:
a. for every server started it can log:
i) the time when the server was started
ii) the remote host address
iii) who was the remote user (if the other end runs a
RFC-931/RFC-1413 server)
iv) how long the server was running
(i, ii and iii can be logged for failed attempts too).
b. for some services, if the access control fails, it can log
information about the attempted access (for example, it can log the
user name and command for the rsh service)
6) No limit on number of server arguments
7) You can bind specifc services to specific IP's on your host machine
Q. Whom should I thank/blame for this program ?
A. panos@cs.colorado.edu originally wrote this program, but I am fielding
bug reports at this time.
Q. What's up with 2.2.1 version of xinetd?
A. The most recent original version of xinetd was 2.1.1 with patches
bringing it up to 2.1.8. Nick Hilliard created xinetd 2.2.1, based off an
unreleased xinetd 2.2.0 by Panos. The copyright included with xinetd
specified the required versioning to be the official release of xinetd
(2.1.8 in this case) and a fourth version number tacked on to indicate the
modification level. This is the versioning I have adopted. xinetd 2.1.8.X,
which is available here, is not based off xinetd 2.2.0 or higher. It was
created from the codebase of xinetd 2.1.8, although I have re-implemented
some of the features introduced in xinetd-2.2.1.
Q. Where can I find the latest-and-greatest version ?
A. The xinetd source can be obtained from http://www.synack.net/xinetd
Q. Has anyone been able to get qmail working with xinetd?
A. yes, here is the entry info
service smtp
{
flags = REUSE NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = qmaild
server = /usr/sbin/tcpd
server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd
}
Contributed by: Anthony Abby
This method will allow you to set environment variables and whatnot in
/etc/hosts.allow. Although xinetd can be compiled with libwrap support, this
doesn't mean it can completly replace tcpd's functionality. xinetd calls
host_access(), which performs the access control documented in
host_access(5) man page. This is a subset of the features offered by tcpd.
Q. What platforms is xinetd know to work on?
A. I have run it on Solaris 2.6 (sparc and x86), Linux, BSDi, and IRIX 5.3
and 6.2. The original package ran on SunOS 4 and Ultrix.
Q. How to do setup a chrooted environment for a service?
A. Here is the config file entry:
service telnet_chroot
{
log_on_success = HOST PID DURATION USERID
log_on_failure = HOST RECORD USERID
no_access = 152.30.11.93
socket_type = stream
protocol = tcp
port = 8000
wait = no
user = root
server = /usr/sbin/chroot
server_args = /var/public/servers /usr/libexec/telnetd
}
Contributed by: lburns@sasquatch.com
Q. xinetd doesn't work well with RPC, I need RPC and I really want to run
xinetd. Can I?
A. Yes. xinetd and inetd should happily coexist. Have your RPC stuff run
from your normal inetd (removing all other services from your inetd.conf),
then have xinetd run all your other services.
Q. How do I use itox?
A. itox reads in a regular inetd.conf file from stdin and writes an
xinetd.conf file to stdout. In general, you use the command:
itox < /etc/inetd.conf > /etc/xinetd.conf
If your inetd.conf does not have explicit paths to each of the daemons, you
must use the -daemon_dir option. Suppose all your daemons live in /usr/sbin,
use the following command:
itox -daemon_dir=/usr/sbin < /etc/inetd.conf > /etc/xinetd.conf
itox is rather old and hasn't been updated for a while. xconv.pl is a perl
script that is a little better about converting modern inetd.conf files.
It's usage is similar to itox's.
Q. Does xinetd support libwrap (tcpwrappers)?
A. Yes. xinetd can be compiled with libwrap support by passing
--with-libwrap as an option to the configure script. When xinetd is compiled
with libwrap support, all services can use the /etc/hosts.allow and
/etc/hosts.deny access control. xinetd can also be configured to use tcpd in
the traditional inetd style. This requires the use of the NAMEINARGS flag,
and the name of the real daemon be passed in as server_args. Here is an
example for using telnet with tcpd:
service telnet
{
flags = REUSE NAMEINARGS
protocol = tcp
socket_type = stream
wait = no
user = telnetd
server = /usr/sbin/tcpd
server_args = /usr/sbin/in.telnetd
}
Q. Does xinetd support IPv6?
A. Yes. xinetd can be compiled with IPv6 support by adding the --with-inet6
option to the configure script. Access control is functional with IPv6. You
can use ipv4 mapped addresses, or give normal dotted quad ipv4 addresses for
access control, and xinetd will map them to ipv6 addresses.
Q. No services start with IPv6! What's the deal?
A. When you compile IPv6 support in, all sockets are IPv6 sockets. If your
kernel doesn't understand what an IPv6 socket is, all attempts to create
sockets will fail, and no services will start. Only compile xinetd with IPv6
support if your kernel supports IPv6.
Q. What's this setgroups(0, NULL) error?
A. By default, xinetd does not allow group permissions to the server
processes, and it does this by setting the groups of the child process to
nothing. Some BSD's have a problem with this. To avoid this error, put the
directive groups = yes into your services. This says to allow the server
process to have all the group privleges entitled to the user the server
process is running as.
Q. Why can't telnetd start normally on Linux?
A. On some Linux distributions, the telnet daemon starts as a nonprivleged
user, but the user belongs to groups that allow it to open new tty's, and to
update utmp. By default, xinetd does not allow group permissions to the
server process, so telnetd can fail to start properly. To get the server
process to posess the proper groups, use the groups = yes directive for the
telnet service. This will tell xinetd that it is OK for the server process
to start with all the groups the user has access to.
Q. How do I use xinetd to wrap SSL around services
A. Use the program stunnel to wrap SSL around services. This can actually be
used by an inetd.
Q. How do I setup a cvs server with xinetd?
A. A user wrote in with this suggestion:
cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/home/pauljohn/cvsroot --allow-root=/home/pauljohn/cvsmisc pserver
If you want to make the same work under xinetd, you save a config file in
/etc/xinetd.d called cvspserver, (where the last line tells it the names of
your repositories):
service cvspserver
{
socket_type = stream
protocol = tcp
wait = no
user = root
passenv =
server = /usr/bin/cvs
server_args = --allow-root=/home/pauljohn/cvsroot --allow-root=/home/pauljohn/cvsmisc pserver
}
All the other cvs setup stuff is the same. This seems to work, afaik.
++++++ README.SuSE ++++++
Since 2.3.4 has xinetd merged IPv4 and IPv6 support.
It means that it is possible to use both protocols simultaneously.
xined is compiled to use IPv4 by default.
IPv6 must be enabled for each service in configuration
file, see man xinetd.conf.
Since 2.3.14 in SUSE, xinetd can create services that use either IPv6 or IPv4,
depending on the IPv6 support by the system. See man xinetd.conf as well.
Xinetd was patched to honour disable line in service configuration files
(stored in /etc/xinetd.d). Xinetd now aborts parsing of the config file
as soon as it reads the line "disable = yes". This was made to prevent Xinetd
from dropping warnings into logs which where not relevant.
Futher information can be found at:
https://bugzilla.novell.com/show_bug.cgi?id=254613
Your SuSE Team
++++++ logrotate ++++++
/var/log/xinetd.log {
compress
dateext
maxage 365
rotate 99
size=+2048k
notifempty
missingok
copytruncate
postrotate
/etc/init.d/xinetd reload
endscript
}
++++++ rc.xinetd ++++++
#! /bin/sh
# Copyright (c) 1997 - 2001 S.u.S.E. GmbH Nuernberg, Germany. All rights reserved.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
#
# Author: Carsten Hoeger , 1997, 1998
#
# init.d/xinetd
#
# and symbolic its link
#
# /usr/sbin/rcxinetd
#
# System startup script for the inet daemon
#
### BEGIN INIT INFO
# Provides: xinetd
# Required-Start: $network $remote_fs
# Required-Stop: $network
# Should-Start: $portmap autofs
# Should-Stop: $null
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
### END INIT INFO
XINETD_BIN=/usr/sbin/xinetd
test -x $XINETD_BIN || exit 5
XINETD_PIDFILE=/var/run/xinetd.init.pid
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - misc error
# 2 - invalid or excess args
# 3 - unimplemented feature (e.g. reload)
# 4 - insufficient privilege
# 5 - program not installed
# 6 - program not configured
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
case "$1" in
start)
if [ -e $XINETD_PIDFILE ]; then
$0 status &>/dev/null
ret=$?
if [ $ret = 1 ]; then
echo "Warning: found stale pidfile (unclean shutdown?)"
elif [ $ret = 0 ]; then
echo "Xinetd is already running ($XINETD_PIDFILE)"
rc_failed $ret
rc_status -v1
rc_exit
fi
fi
echo -n "Starting INET services. (xinetd)"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
# startproc should return 0, even if service is
# already running to match LSB spec.
startproc -p $XINETD_PIDFILE -t 1 $XINETD_BIN -pidfile $XINETD_PIDFILE
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down xinetd: "
if ! [ -f $XINETD_PIDFILE ]; then
echo -n "(not running)"
else
pid=$(<$XINETD_PIDFILE)
kill -QUIT $pid 2>/dev/null
case $? in
1) echo -n "(not running)";;
0) # wait until the processes are gone (the parent is the last one)
echo -n "(waiting for all children to terminate) "
for ((wait=0; wait<120; wait++)); do
if test -f $XINETD_PIDFILE; then
usleep 500000
continue
fi
if ! test -f /proc/$pid/exe; then
break
fi
if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $XINETD_BIN; then
usleep 500000
else
break
fi
done
;;
esac
fi
# Remember status and be verbose
rc_status -v
;;
try-restart)
## Restart the service if the service is already running
$0 status
if test $? = 0; then
$0 restart
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service xinetd"
## if it supports it:
killproc -p $XINETD_PIDFILE -HUP $XINETD_BIN
rc_status -v
;;
reload)
## Like force-reload, but if daemon does not support
## signalling, do nothing (!)
# If it supports signalling:
echo -n "Reload INET services (xinetd)."
killproc -p $XINETD_PIDFILE -HUP $XINETD_BIN
rc_status -v
;;
status)
echo -n "Checking for service xinetd: "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
# NOTE: checkproc returns LSB compliant status values.
checkproc -p $XINETD_PIDFILE $XINETD_BIN
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
exit 1
esac
rc_exit
++++++ xinetd-2.3.14-file-limit.patch ++++++
Index: xinetd-2.3.14/xinetd/attr.h
===================================================================
--- xinetd-2.3.14.orig/xinetd/attr.h
+++ xinetd-2.3.14/xinetd/attr.h
@@ -61,12 +61,13 @@
#define A_DISABLED 43
#define A_MDNS 44
#define A_LIBWRAP 45
+#define A_RLIMIT_FILES 46
/*
* SERVICE_ATTRIBUTES is the number of service attributes and also
* the number from which defaults-only attributes start.
*/
-#define SERVICE_ATTRIBUTES ( A_MDNS + 1 )
+#define SERVICE_ATTRIBUTES ( A_MDNS + 2 )
/*
* Mask of attributes that must be specified.
Index: xinetd-2.3.14/xinetd/child.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/child.c
+++ xinetd-2.3.14/xinetd/child.c
@@ -98,6 +98,10 @@ void exec_server( const struct server *s
#ifdef RLIMIT_NOFILE
+ if ( SC_RLIM_FILES( scp ))
+ {
+ ps.ros.max_descriptors = SC_RLIM_FILES( scp );
+ }
rl.rlim_max = ps.ros.orig_max_descriptors ;
rl.rlim_cur = ps.ros.max_descriptors ;
(void) setrlimit( RLIMIT_NOFILE, &rl ) ;
Index: xinetd-2.3.14/xinetd/parse.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/parse.c
+++ xinetd-2.3.14/xinetd/parse.c
@@ -92,6 +92,9 @@ static const struct attribute service_at
#ifdef RLIMIT_DATA
{ "rlimit_data", A_RLIMIT_DATA, 1, rlim_data_parser },
#endif
+#ifdef RLIMIT_NOFILE
+ { "rlimit_files", A_RLIMIT_FILES, 1, rlim_files_parser },
+#endif
#ifdef RLIMIT_RSS
{ "rlimit_rss", A_RLIMIT_RSS, 1, rlim_rss_parser },
#endif
Index: xinetd-2.3.14/xinetd/parsers.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/parsers.c
+++ xinetd-2.3.14/xinetd/parsers.c
@@ -1415,9 +1415,32 @@ status_e rlim_data_parser( pset_h values
}
#endif
+#ifdef RLIMIT_NOFILE
+status_e rlim_files_parser( pset_h values,
+ struct service_config *scp,
+ enum assign_op op )
+{
+ char *mem = (char *) pset_pointer( values, 0 ) ;
+ const char *func = "rlim_files_parser" ;
+
+ if ( EQ( mem, "UNLIMITED" ) )
+ SC_RLIM_FILES(scp) = (rlim_t)RLIM_INFINITY ;
+ else
+ {
+ if ( get_limit ( mem, &SC_RLIM_FILES(scp)) )
+ {
+ parsemsg( LOG_ERR, func,
+ "Max files limit is invalid: %s", mem ) ;
+ return( FAILED ) ;
+ }
+ }
+ return( OK ) ;
+}
+#endif
+
#ifdef RLIMIT_RSS
status_e rlim_rss_parser( pset_h values,
- struct service_config *scp,
+ struct service_config *scp,
enum assign_op op )
{
char *mem = (char *) pset_pointer( values, 0 ) ;
Index: xinetd-2.3.14/xinetd/parsers.h
===================================================================
--- xinetd-2.3.14.orig/xinetd/parsers.h
+++ xinetd-2.3.14/xinetd/parsers.h
@@ -57,6 +57,9 @@ status_e rlim_cpu_parser(pset_h, struct
#ifdef RLIMIT_DATA
status_e rlim_data_parser(pset_h, struct service_config *, enum assign_op) ;
#endif
+#ifdef RLIMIT_NOFILE
+status_e rlim_files_parser(pset_h, struct service_config *, enum assign_op) ;
+#endif
#ifdef RLIMIT_RSS
status_e rlim_rss_parser(pset_h, struct service_config *, enum assign_op) ;
#endif
Index: xinetd-2.3.14/xinetd/sconf.h
===================================================================
--- xinetd-2.3.14.orig/xinetd/sconf.h
+++ xinetd-2.3.14/xinetd/sconf.h
@@ -142,6 +142,7 @@ struct service_config
rlim_t sc_rlim_as;
rlim_t sc_rlim_cpu;
rlim_t sc_rlim_data;
+ rlim_t sc_rlim_files;
rlim_t sc_rlim_rss;
rlim_t sc_rlim_stack;
mode_t sc_umask;
@@ -190,6 +191,7 @@ struct service_config
#define SC_RLIM_AS( scp ) (scp)->sc_rlim_as
#define SC_RLIM_CPU( scp ) (scp)->sc_rlim_cpu
#define SC_RLIM_DATA( scp ) (scp)->sc_rlim_data
+#define SC_RLIM_FILES( scp ) (scp)->sc_rlim_files
#define SC_RLIM_RSS( scp ) (scp)->sc_rlim_rss
#define SC_RLIM_STACK( scp ) (scp)->sc_rlim_stack
#define SC_TYPE( scp ) (scp)->sc_type
Index: xinetd-2.3.14/xinetd/xinetd.conf.man
===================================================================
--- xinetd-2.3.14.orig/xinetd/xinetd.conf.man
+++ xinetd-2.3.14/xinetd/xinetd.conf.man
@@ -568,6 +568,12 @@ is implemented, it is more useful to set
rlimit_rss and rlimit_stack. This resource limit is only implemented on
Linux systems.
.TP
+.B rlimit_files
+Sets the maximum number of open files that the service may use.
+One parameter is required, which is a positive integer representing
+the number of open file descriptors. Practical limit of this number
+is around 1024000.
+.TP
.B rlimit_cpu
Sets the maximum number of CPU seconds that the service may use.
One parameter is required, which is either a positive integer representing
++++++ xinetd-2.3.14-honour_disable.patch ++++++
--- xinetd/parse.c
+++ xinetd/parse.c
@@ -702,6 +702,13 @@
terminate_program();
}
pset_clear( attr_values ) ;
+
+ /*
+ * As soon as we realize that the service is disabled
+ * we don't continue parsing its config
+ */
+ if (EQ(attr_name, "disable") && SC_IS_DISABLED(scp))
+ return( FAILED );
}
}
++++++ xinetd-2.3.14-ident-bind.patch ++++++
448069: xinetd: socket bind: Invalid argument (errno = 22) when using USERID on ipv6
Use right size of addresses in bind() call. Also use getpeername addresses when
connecting to ident service to prevent address family mismatch between socket(),
bind() and connect() calls.
Author: Jan Safranek
Reviewed-By: Adam Tkac
Index: xinetd-2.3.14/xinetd/ident.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/ident.c
+++ xinetd-2.3.14/xinetd/ident.c
@@ -97,7 +97,13 @@ idresult_e log_remote_user( const struct
}
CLEAR( sin_contact );
- sin_remote = *CONN_XADDRESS( SERVER_CONNECTION( serp ) ) ;
+
+ sin_len = sizeof( sin_remote );
+ if ( getpeername( SERVER_FD( serp ), &sin_remote.sa, &sin_len ) == -1 )
+ {
+ msg( LOG_ERR, func, "(%d) getpeername: %m", getpid() ) ;
+ return( IDR_ERROR ) ;
+ }
sin_contact = sin_remote;
memcpy( &sin_bind, &sin_local, sizeof(sin_bind) ) ;
local_port = 0;
@@ -127,7 +133,13 @@ idresult_e log_remote_user( const struct
msg( LOG_ERR, func, "socket creation: %m" ) ;
return( IDR_ERROR ) ;
}
- if ( bind(sd, &sin_bind.sa, sizeof(sin_bind.sa)) == -1 )
+
+ if ( sin_bind.sa.sa_family == AF_INET )
+ sin_len = sizeof( sin_bind.sa_in ) ;
+ else
+ sin_len = sizeof( sin_bind.sa_in6 ) ;
+
+ if ( bind(sd, &sin_bind.sa, sin_len) == -1 )
{
msg( LOG_ERR, func, "socket bind: %m" ) ;
(void) Sclose( sd ) ;
++++++ xinetd-2.3.14-ipv6-ipv4-fallback.patch ++++++
--- xinetd/confparse.c
+++ xinetd/confparse.c
@@ -544,10 +544,9 @@
}
if( SC_IPV4( scp ) && SC_IPV6( scp ) ) {
- msg( LOG_ERR, func,
- "Service %s specified as both IPv4 and IPv6 - DISABLING",
+ msg( LOG_INFO, func,
+ "Service %s will use IPv6 or fallback to IPv4",
SC_NAME(scp));
- return FAILED ;
}
/*
--- xinetd/service.c
+++ xinetd/service.c
@@ -322,12 +322,29 @@
return( OK );
}
- if( SC_IPV4( scp ) ) {
+ if( SC_IPV4( scp ) && !SC_IPV6(scp) ) {
SVC_FD(sp) = socket( AF_INET,
SC_SOCKET_TYPE( scp ), SC_PROTOVAL( scp ) ) ;
} else if( SC_IPV6( scp ) ) {
SVC_FD(sp) = socket( AF_INET6,
SC_SOCKET_TYPE( scp ), SC_PROTOVAL( scp ) ) ;
+ /* service with IPv6-IPv4 fallback
+ * - if IPv6 succeeds, use IPv6 and clear the IPv4 flag
+ * - if IPv6 fails, use IPv4 socket and clear the IPv6 flag
+ */
+ if( SVC_FD(sp) == -1 ) {
+ if( SC_IPV4(scp) ) {
+ msg( LOG_INFO, func,
+ "IPv6 socket creation failed (%m), service = %s", SC_ID( scp ) );
+ msg( LOG_INFO, func,
+ "falling back to IPv4, service = %s", SC_ID( scp ) );
+ M_CLEAR(SC_XFLAGS(scp), SF_IPV6);
+ SVC_FD(sp) = socket( AF_INET,
+ SC_SOCKET_TYPE( scp ), SC_PROTOVAL( scp ) ) ;
+ }
+ } else {
+ M_CLEAR(SC_XFLAGS(scp), SF_IPV4);
+ }
}
if ( SVC_FD(sp) == -1 )
--- etc/xinetd.d/chargen
+++ etc/xinetd.d/chargen
@@ -10,4 +10,5 @@
user = root
wait = no
disable = yes
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/chargen-udp
+++ etc/xinetd.d/chargen-udp
@@ -11,4 +11,5 @@
wait = yes
disable = yes
port = 19
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/daytime
+++ etc/xinetd.d/daytime
@@ -10,4 +10,5 @@
user = root
wait = no
disable = yes
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/daytime-udp
+++ etc/xinetd.d/daytime-udp
@@ -11,4 +11,5 @@
wait = yes
disable = yes
port = 13
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/discard
+++ etc/xinetd.d/discard
@@ -10,4 +10,5 @@
user = root
wait = no
disable = yes
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/discard-udp
+++ etc/xinetd.d/discard-udp
@@ -11,4 +11,5 @@
wait = yes
disable = yes
port = 9
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/echo
+++ etc/xinetd.d/echo
@@ -10,4 +10,5 @@
user = root
wait = no
disable = yes
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/echo-udp
+++ etc/xinetd.d/echo-udp
@@ -11,4 +11,5 @@
wait = yes
disable = yes
port = 7
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/servers
+++ etc/xinetd.d/servers
@@ -10,4 +10,5 @@
wait = no
disable = yes
only_from = 127.0.0.1
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/services
+++ etc/xinetd.d/services
@@ -10,4 +10,5 @@
wait = no
disable = yes
only_from = 127.0.0.1
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/time
+++ etc/xinetd.d/time
@@ -11,4 +11,5 @@
user = root
wait = no
disable = yes
+ FLAGS = IPv6 IPv4
}
--- etc/xinetd.d/time-udp
+++ etc/xinetd.d/time-udp
@@ -11,4 +11,5 @@
wait = yes
disable = yes
port = 37
+ FLAGS = IPv6 IPv4
}
--- xinetd/xinetd.conf.man
+++ xinetd/xinetd.conf.man
@@ -142,6 +142,10 @@
.TP
.B IPv6
Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on the system.
+If you give both the IPv4 and IPv6 flag, then xinetd will first try to create
+an IPv6 service (wich can accept IPv4 connections by default), and if that
+fails (ie. the operating system doesn't have IPv6 support), it will create an
+IPv4 service.
.TP
.B REUSE
The REUSE flag is deprecated. All services now implicitly use the REUSE flag.
++++++ xinetd-2.3.14-man.dif ++++++
--- libs/src/misc/Makefile.in
+++ libs/src/misc/Makefile.in
@@ -73,8 +73,6 @@
echo "Installed $(LIBNAME) to $(LIBDIR)" ;\
for i in $(INCLUDEFILES); do $(INSTALL) $(FMODE) $$i $(INCLUDEDIR) ; done ;\
echo Installed $(INCLUDEFILES) to $(INCLUDEDIR) ;\
- for i in $(MANFILES) ; do $(INSTALL) $(FMODE) $$i $(MANDIR) ; done ;\
- echo Installed $(MANFILES) to $(MANDIR) ;\
else \
echo "You forgot to set one of the following variables: LIBDIR,INCLUDEDIR,MANDIR" ;\
fi
--- libs/src/pset/Makefile.in
+++ libs/src/pset/Makefile.in
@@ -64,8 +64,6 @@
echo "Installed $(LIBNAME) to $(LIBDIR)" ;\
for i in $(INCLUDEFILES); do $(INSTALL) $(FMODE) $$i $(INCLUDEDIR) ; done ;\
echo Installed $(INCLUDEFILES) to $(INCLUDEDIR) ;\
- for i in $(MANFILES) ; do $(INSTALL) $(FMODE) $$i $(MANDIR) ; done ;\
- echo Installed $(MANFILES) to $(MANDIR) ;\
else \
echo "You forgot to set one of the following variables: LIBDIR,INCLUDEDIR,MANDIR" ;\
fi
--- libs/src/sio/Makefile.in
+++ libs/src/sio/Makefile.in
@@ -63,8 +63,6 @@
echo "Installed $(LIBNAME) to $(LIBDIR)" ;\
for i in $(INCLUDEFILES); do $(INSTALL) $(FMODE) $$i $(INCLUDEDIR) ; done ;\
echo Installed $(INCLUDEFILES) to $(INCLUDEDIR) ;\
- for i in $(MANFILES) ; do $(INSTALL) $(FMODE) $$i $(MANDIR) ; done ;\
- echo Installed $(MANFILES) to $(MANDIR) ;\
else \
echo "You forgot to set one of the following variables: LIBDIR,INCLUDEDIR,MANDIR" ;\
fi
--- libs/src/str/Makefile.in
+++ libs/src/str/Makefile.in
@@ -76,8 +76,6 @@
echo "Installed $(LIBNAME) to $(LIBDIR)" ;\
for i in $(INCLUDEFILES); do $(INSTALL) $(FMODE) $$i $(INCLUDEDIR) ; done ;\
echo Installed $(INCLUDEFILES) to $(INCLUDEDIR) ;\
- for i in $(MANFILES) ; do $(INSTALL) $(FMODE) $$i $(MANDIR) ; done ;\
- echo Installed $(MANFILES) to $(MANDIR) ;\
else \
echo "You forgot to set one of the following variables: LIBDIR,INCLUDEDIR,MANDIR" ;\
fi
--- libs/src/xlog/Makefile.in
+++ libs/src/xlog/Makefile.in
@@ -69,8 +69,6 @@
echo "Installed $(LIBNAME) to $(LIBDIR)" ;\
for i in $(INCLUDEFILES); do $(INSTALL) $(FMODE) $$i $(INCLUDEDIR) ; done ;\
echo Installed $(INCLUDEFILES) to $(INCLUDEDIR) ;\
- for i in $(MANFILES) ; do $(INSTALL) $(FMODE) $$i $(MANDIR) ; done ;\
- echo Installed $(MANFILES) to $(MANDIR) ;\
else \
echo "You forgot to set one of the following variables: LIBDIR,INCLUDEDIR,MANDIR" ;\
fi
++++++ xinetd-2.3.14-nodeadlock-revisited.patch ++++++
From: Leonardo Chiquitto
Subject: Prevent dead locks in the signal handler
References: bnc#726737
A signal can interrupt xinetd when it's printing / logging.
Currently, the generic signal handler tries to print something as
well (the "Unexpected signal" message), but to do that it needs a
lock that xinetd already holds, deadlocking.
We really can't print anything in the signal handler if the process
is supposed to continue running.
This patch is not perfect but it avoids the most common cases by
no longer catching SIGCONT and no longer printing the "Unexpected
signal" message in the generic signal handler.
---
xinetd/signals.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Index: xinetd-2.3.14/xinetd/signals.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/signals.c
+++ xinetd-2.3.14/xinetd/signals.c
@@ -186,6 +186,8 @@ static status_e handle_signal( int sig )
return( OK ) ;
/* FALL THROUGH */
+ case SIGCONT:
+ /* FALL THROUGH */
/*
* We may receive a SIGPIPE when handling an internal stream
* service and the other end closes the connection.
@@ -395,7 +397,11 @@ static void general_handler( int sig )
break ;
default:
- msg( LOG_NOTICE, func, "Unexpected signal %s", sig_name( sig ) ) ;
+ /* This will cause a dead lock if the signal happens when the
+ * daemon is writing / logging something. The message is not
+ * important, so comment it out.
+ */
+ // msg( LOG_NOTICE, func, "Unexpected signal %s", sig_name( sig ) ) ;
if ( debug.on && sig == SIGINT )
exit( 1 ) ;
}
++++++ xinetd-2.3.14-nodeadlock.diff ++++++
--- xinetd/signals.c
+++ xinetd/signals.c
@@ -365,12 +365,18 @@
sigset_t badsigs ;
const char *func = "general_handler" ;
+ sigset_t sigset;
+ /* msg() is not thread safe, so make sure we don't
+ * receive another signal while we're in that function. */
+ sigfillset(&sigset);
+ sigprocmask(SIG_SETMASK, &sigset, &sigset);
+
/*
* Do this here to catch problems like SIGSEGV in msg()
*/
- sigemptyset( &badsigs ) ;
- sigaddset( &badsigs, sig ) ;
- (void) sigprocmask( SIG_UNBLOCK, &badsigs, SIGSET_NULL ) ;
+ // sigemptyset( &badsigs ) ;
+ // sigaddset( &badsigs, sig ) ;
+ // (void) sigprocmask( SIG_UNBLOCK, &badsigs, SIGSET_NULL ) ;
switch ( sig )
{
@@ -393,6 +399,7 @@
if ( debug.on && sig == SIGINT )
exit( 1 ) ;
}
+ sigprocmask(SIG_SETMASK, &sigset, NULL);
}
++++++ xinetd-2.3.14-pie.patch ++++++
--- xinetd/Makefile.in.pie 2003-06-07 09:47:24.000000000 -0700
+++ xinetd/Makefile.in 2003-10-28 10:59:55.000000000 -0800
@@ -119,7 +119,7 @@
$(CC) $(CFLAGS) $(DEBUG) $(SRCDIR)/itox.c -o $@ $(LDFLAGS) $(LIBS)
xinetd: $(OBJS)
- $(CC) $(CFLAGS) $(DEBUG) -o $@ $(OBJS) $(LDFLAGS) $(LIBS) || rm -f $@
+ $(CC) $(CFLAGS) $(DEBUG) -o $@ -pie $(OBJS) $(LDFLAGS) $(LIBS) || rm -f $@
clean:
rm -f $(OBJS) $(NAME) core itox
--- Makefile.in.pie 2003-10-28 10:54:39.000000000 -0800
+++ Makefile.in 2003-10-28 10:54:39.000000000 -0800
@@ -14,7 +14,7 @@
LIBS = -lsio -lstr -lmisc -lxlog -lportable -lpset @LIBS@
-CFLAGS += @CFLAGS@
+CFLAGS += @CFLAGS@ -fPIE
DCFLAGS = -Wall -Wredundant-decls -W -Wfloat-equal -Wundef -Wcast-qual -Wwrite-strings -Wconversion -Wmissing-noreturn -Wmissing-format-attribute -Wshadow -Wpointer-arith -g
++++++ xinetd-2.3.14-restore-nofile-limits.patch ++++++
Index: xinetd-2.3.14/xinetd/child.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/child.c
+++ xinetd-2.3.14/xinetd/child.c
@@ -205,6 +205,24 @@ static void set_credentials( const struc
const char *func = "set_credentials" ;
if ( SC_SPECIFIED( scp, A_GROUP ) || SC_SPECIFIED( scp, A_USER ) ) {
+#ifdef RLIMIT_NOFILE
+ /*
+ * init.c/set_fd_limit changes hard limit for nofile to FD_SETSIZE to
+ * prevent fd_set overflow. This must be restored before setgid/setuid,
+ * because non-root process will be limited to FD_SETSIZE and not
+ * properly inherited
+ *
+ * value of rlim_cur is not important as subsequent code in exec_server
+ * will use proper values
+ *
+ * https://bugzilla.novell.com/show_bug.cgi?id=855685
+ */
+ struct rlimit rl ;
+ rl.rlim_max = ps.ros.orig_max_descriptors ;
+ rl.rlim_cur = ps.ros.max_descriptors ;
+ (void) setrlimit( RLIMIT_NOFILE, &rl ) ;
+#endif
+
if ( ps.ros.is_superuser )
{
gid_t gid = SC_GETGID( scp ) ;
++++++ xinetd-2.3.14-server_args-fix.diff ++++++
--- xinetd/confparse.c
+++ xinetd/confparse.c
@@ -54,6 +54,7 @@
{
char *server_name ;
const char *func = "fix_server_argv" ;
+ char** argv;
if( SC_SERVER(scp) == NULL )
{
@@ -69,6 +70,18 @@
return( FAILED );
}
+ /* Fixing problem when NAMEINARG was specified after set server_args */
+ argv = scp->sc_server_argv;
+ if (argv != NULL && *argv == NULL) {
+
+ while (argv[1] != NULL) {
+ argv[0] = argv[1];
+ argv++;
+ }
+ *argv = NULL;
+ }
+
+
return ( OK );
}
++++++ xinetd-2.3.14-strict-aliasing-fix.diff ++++++
--- xinetd/sensor.c
+++ xinetd/sensor.c
@@ -4,10 +4,14 @@
* and conditions for redistribution.
*/
+#define _XOPEN_SOURCE 1
+#include
+#undef _XOPEN_SOURCE
+#include
+
#include
#include
#include
-#include
#include "config.h"
#include "pset.h"
@@ -101,15 +105,20 @@
/* Here again, eh?...update time stamp. */
char *exp_time;
time_t stored_time;
+ struct tm tm_stored_time;
+ char *parsed_str;
item_matched--; /* Is # plus 1, to even get here must be >= 1 */
exp_time = pset_pointer( global_no_access_time, item_matched ) ;
if (exp_time == NULL)
- return ;
+ return ;
- if ( parse_base10(exp_time, (int *)&stored_time) )
- { /* if never let them off, bypass */
- if (stored_time != -1)
+ if ((parsed_str = strptime(exp_time, "%s", &tm_stored_time)) != NULL)
+ {
+ while (*parsed_str != '\0' && isspace(*parsed_str))
+ parsed_str++;
+ stored_time = mktime(&tm_stored_time);
+ if (*parsed_str == '\0')
{
time_t nowtime, new_time;
++++++ xinetd-CVE-2012-0862.patch ++++++
From 13d159a0ef6f2ffcaa11d376cf0fa51a596618b7 Mon Sep 17 00:00:00 2001
From: Rob Braun
Date: Wed, 9 May 2012 15:40:24 +0000
Subject: [PATCH] Merge patch from RedHat regarding CVE-2012-0862
---
CHANGELOG | 1 +
xinetd/builtins.c | 20 ++++++++++++++++----
xinetd/service.h | 1 +
3 files changed, 18 insertions(+), 4 deletions(-)
Index: xinetd-2.3.14/xinetd/builtins.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/builtins.c 2014-02-25 14:37:48.653298362 +0100
+++ xinetd-2.3.14/xinetd/builtins.c 2014-02-25 14:37:49.706310580 +0100
@@ -554,17 +554,16 @@ static void tcpmux_handler( const struct
/* Found the pointer. Validate its type.
*/
scp = SVC_CONF( sp );
-/*
- if ( ! SVC_IS_MUXCLIENT( sp ) )
+
+ if ( ! SVC_IS_MUXCLIENT( sp ) && ! SVC_IS_MUXPLUSCLIENT( sp ) )
{
if ( debug.on )
{
msg(LOG_DEBUG, "tcpmux_handler", "Non-tcpmux service name: %s.",
svc_name);
}
- exit(0);
+ continue;
}
-*/
/* Send the accept string if we're a PLUS (+) client.
*/
@@ -591,6 +590,19 @@ static void tcpmux_handler( const struct
msg(LOG_DEBUG, "tcpmux_handler", "Service name %s not found.",
svc_name);
}
+
+ /* If a service was not found, we should say so. */
+ if ( Swrite( descriptor, TCPMUX_NOT_FOUND, sizeof( TCPMUX_NOT_FOUND ) ) !=
+ sizeof ( TCPMUX_NOT_FOUND ) )
+ {
+ msg(LOG_ERR, "tcpmux_handler", "Not found write failed for %s.",
+ svc_name);
+ exit(0);
+ }
+
+ /* Flush and exit, nothing to do */
+ Sflush( descriptor );
+ Sclose( descriptor );
exit(0);
}
Index: xinetd-2.3.14/xinetd/service.h
===================================================================
--- xinetd-2.3.14.orig/xinetd/service.h 2014-02-25 14:37:48.653298362 +0100
+++ xinetd-2.3.14/xinetd/service.h 2014-02-25 14:37:49.706310580 +0100
@@ -92,6 +92,7 @@ struct service
#define SVC_IS_TCPMUX( sp ) ( SC_IS_TCPMUX( SVC_CONF ( sp ) ) )
#define TCPMUX_ACK "+Go\r\n"
+#define TCPMUX_NOT_FOUND "-Service name not found\r\n"
/*
* Predicate checking macros
*/
++++++ xinetd-CVE-2013-4342.patch ++++++
From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
From: Thomas Swan
Date: Wed, 2 Oct 2013 23:17:17 -0500
Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
TCPMUX services
Originally reported to Debian in 2005 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678 and rediscovered https://bugzilla.redhat.com/show_bug.cgi?id=1006100, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
---
xinetd/builtins.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: xinetd-2.3.14/xinetd/builtins.c
===================================================================
--- xinetd-2.3.14.orig/xinetd/builtins.c 2014-02-25 14:38:03.754473556 +0100
+++ xinetd-2.3.14/xinetd/builtins.c 2014-02-25 14:38:03.760473625 +0100
@@ -615,7 +615,7 @@ static void tcpmux_handler( const struct
if( SC_IS_INTERNAL( scp ) ) {
SC_INTERNAL(scp, nserp);
} else {
- exec_server(nserp);
+ child_process(nserp);
}
}
++++++ xinetd.conf ++++++
#
# xinetd.conf
#
# Copyright (c) 1998-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
#
defaults
{
log_type = FILE /var/log/xinetd.log
log_on_success = HOST EXIT DURATION
log_on_failure = HOST ATTEMPT
# only_from = localhost
instances = 30
cps = 50 10
#
# The specification of an interface is interesting, if we are on a firewall.
# For example, if you only want to provide services from an internal
# network interface, you may specify your internal interfaces IP-Address.
#
# interface = 127.0.0.1
}
includedir /etc/xinetd.d
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org