-rw-r--r--Makefile.am4
-rw-r--r--README1
-rw-r--r--TODO2
-rw-r--r--configure.ac27
-rw-r--r--m4/acx_libwrap.m419
-rw-r--r--man/systemd.exec.xml25
-rw-r--r--src/core/build.h8
-rw-r--r--src/core/dbus-execute.c1
-rw-r--r--src/core/execute.c26
-rw-r--r--src/core/execute.h2
-rw-r--r--src/core/load-fragment-gperf.gperf.m43
-rw-r--r--src/core/load-fragment.c4
-rw-r--r--src/core/tcpwrap.c68
-rw-r--r--src/core/tcpwrap.h26
-rw-r--r--src/shared/exit-status.c3
-rw-r--r--src/shared/exit-status.h2
16 files changed, 5 insertions, 216 deletions
diff --git a/Makefile.am b/Makefile.am
index 54cd1c6bd..2cb0f2aea 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1019,8 +1019,6 @@ libsystemd_core_la_SOURCES = \
src/core/condition.h \
src/core/namespace.c \
src/core/namespace.h \
- src/core/tcpwrap.c \
- src/core/tcpwrap.h \
src/core/build.h \
src/core/sysfs-show.h \
src/core/switch-root.h \
@@ -1046,7 +1044,6 @@ nodist_libsystemd_core_la_SOURCES = \
libsystemd_core_la_CFLAGS = \
$(AM_CFLAGS) \
- $(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
@@ -1062,7 +1059,6 @@ libsystemd_core_la_LIBADD = \
libudev-internal.la \
libsystemd-shared.la \
libsystemd-internal.la \
- $(LIBWRAP_LIBS) \
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
diff --git a/README b/README
index 7fd5c0e5b..fc13e10d6 100644
--- a/README
+++ b/README
@@ -111,7 +111,6 @@ REQUIREMENTS:
libattr (optional)
libselinux (optional)
liblzma (optional)
- tcpwrappers (optional)
libgcrypt (optional)
libqrencode (optional)
libmicrohttpd (optional)
diff --git a/TODO b/TODO
index febfc3aeb..e081fcf1e 100644
--- a/TODO
+++ b/TODO
@@ -550,7 +550,7 @@ Features:
* for services: don't set $HOME in services unless requested
-* hide PAM/TCPWrap options in fragment parser when compile time disabled
+* hide PAM options in fragment parser when compile time disabled
* when we automatically restart a service, ensure we restart its rdeps, too.
diff --git a/configure.ac b/configure.ac
index 3ced6cf3d..e95b682f5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -431,32 +431,6 @@ fi
AM_CONDITIONAL(HAVE_XZ, [test "$have_xz" = "yes"])
# ------------------------------------------------------------------------------
-AC_ARG_ENABLE([tcpwrap],
- AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
- [case "${enableval}" in
- yes) have_tcpwrap=yes ;;
- no) have_tcpwrap=no ;;
- *) AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap) ;;
- esac],
- [have_tcpwrap=auto])
-
-if test "x${have_tcpwrap}" != xno ; then
- ACX_LIBWRAP
- if test "x${LIBWRAP_LIBS}" = x ; then
- if test "x$have_tcpwrap" = xyes ; then
- AC_MSG_ERROR([*** TCP wrappers support not found.])
- fi
- have_tcpwrap=no
- else
- M4_DEFINES="$M4_DEFINES -DHAVE_LIBWRAP"
- have_tcpwrap=yes
- fi
-else
- LIBWRAP_LIBS=
-fi
-AC_SUBST(LIBWRAP_LIBS)
-
-# ------------------------------------------------------------------------------
AC_ARG_ENABLE([pam],
AS_HELP_STRING([--disable-pam],[Disable optional PAM support]),
[case "${enableval}" in
@@ -1130,7 +1104,6 @@ AC_MSG_RESULT([
$PACKAGE_NAME $VERSION
libcryptsetup: ${have_libcryptsetup}
- tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
IMA: ${have_ima}
diff --git a/m4/acx_libwrap.m4 b/m4/acx_libwrap.m4
deleted file mode 100644
index ccf8afc0a..000000000
--- a/m4/acx_libwrap.m4
+++ /dev/null
@@ -1,19 +0,0 @@
-AC_DEFUN([ACX_LIBWRAP], [
-LIBWRAP_LIBS=
-saved_LIBS="$LIBS"
-LIBS="$LIBS -lwrap"
-AC_MSG_CHECKING([for tcpwrap library and headers])
-AC_LINK_IFELSE(
-[AC_LANG_PROGRAM(
-[#include <tcpd.h>
-#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;],
-[struct request_info *req;
-return hosts_access (req);])],
-[AC_DEFINE(HAVE_LIBWRAP, [], [Have tcpwrap?])
-LIBWRAP_LIBS="-lwrap"
-AC_MSG_RESULT(yes)],
-[AC_MSG_RESULT(no)])
-LIBS="$saved_LIBS"
-])
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f47826ce4..11ad7f660 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -687,31 +687,6 @@
</varlistentry>
<varlistentry>
- <term><varname>TCPWrapName=</varname></term>
- <listitem><para>If this is a
- socket-activated service, this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails, daemon start-up
- will fail and the connection is
- terminated. See
- <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- are not supported.</para></listitem>
- </varlistentry>
-
- <varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
<listitem><para>Controls which
diff --git a/src/core/build.h b/src/core/build.h
index 3d7cd3ea3..f6faf06ae 100644
--- a/src/core/build.h
+++ b/src/core/build.h
@@ -27,12 +27,6 @@
#define _PAM_FEATURE_ "-PAM"
#endif
-#ifdef HAVE_LIBWRAP
-#define _LIBWRAP_FEATURE_ "+LIBWRAP"
-#else
-#define _LIBWRAP_FEATURE_ "-LIBWRAP"
-#endif
-
#ifdef HAVE_AUDIT
#define _AUDIT_FEATURE_ "+AUDIT"
#else
@@ -93,4 +87,4 @@
#define _SECCOMP_FEATURE_ "-SECCOMP"
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index bf4a682d3..13b3d0dd1 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -618,7 +618,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("TCPWrapName", "s", NULL, offsetof(ExecContext, tcpwrap_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadOnlyDirectories", "as", NULL, offsetof(ExecContext, read_only_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
diff --git a/src/core/execute.c b/src/core/execute.c
index 353f2d129..4a3aeda3c 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -69,7 +69,6 @@
#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
-#include "tcpwrap.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
@@ -1362,23 +1361,6 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
- if (context->tcpwrap_name) {
- if (socket_fd >= 0)
- if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
-
- for (i = 0; i < (int) n_fds; i++) {
- if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
- }
- }
-
exec_context_tty_reset(context);
if (confirm_spawn) {
@@ -1878,9 +1860,6 @@ void exec_context_done(ExecContext *c) {
free(c->tty_path);
c->tty_path = NULL;
- free(c->tcpwrap_name);
- c->tcpwrap_name = NULL;
-
free(c->syslog_identifier);
c->syslog_identifier = NULL;
@@ -2148,11 +2127,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
- if (c->tcpwrap_name)
- fprintf(f,
- "%sTCPWrapName: %s\n",
- prefix, c->tcpwrap_name);
-
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
diff --git a/src/core/execute.h b/src/core/execute.h
index 9fcea121f..c9e29ffc8 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -113,8 +113,6 @@ struct ExecContext {
nsec_t timer_slack_nsec;
- char *tcpwrap_name;
-
char *tty_path;
bool tty_reset;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 3a77234e9..dbb5d13b7 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -84,9 +84,6 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
$1.Personality, config_parse_personality, 0, offsetof($1, exec_context.personality)
$1.RuntimeDirectoryMode, config_parse_mode, 0, offsetof($1, exec_context.runtime_directory_mode)
$1.RuntimeDirectory, config_parse_runtime_directory, 0, offsetof($1, exec_context.runtime_directory)
-m4_ifdef(`HAVE_LIBWRAP',
-`$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)',
-`$1.TCPWrapName, config_parse_warn_compat, 0, 0')
m4_ifdef(`HAVE_PAM',
`$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)',
`$1.PAMName, config_parse_warn_compat, 0, 0')
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index e7779d162..c604f9096 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -64,7 +64,7 @@
#include "seccomp-util.h"
#endif
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
int config_parse_warn_compat(
const char *unit,
const char *filename,
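Review bot: A unit file that still sets `TCPWrapName=` no longer reaches `config_parse_warn_compat`, because this guard drops `HAVE_LIBWRAP` while the same commit removes both `TCPWrapName` rows from load-fragment-gperf.gperf.m4. Presumably the key then gets only the parser's generic unknown-key handling, and the service starts accepting connections without the hosts.allow/hosts.deny check that `exec_spawn` used to enforce, which is a fail-open change for anyone who relied on it as access control. I would keep the compat row unconditionally, `$1.TCPWrapName, config_parse_warn_compat, 0, 0`, and build `config_parse_warn_compat` unconditionally so that row always links and the administrator gets an explicit message naming the directive. The same guard is edited again inside `unit_dump_config_items` in the second hunk of this file, and `config_parse_warn_compat` itself continues outside the hunk.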
@@ -3328,7 +3328,7 @@ void unit_dump_config_items(FILE *f) {
const ConfigParserCallback callback;
const char *rvalue;
} table[] = {
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
{ config_parse_warn_compat, "NOTSUPPORTED" },
#endif
{ config_parse_int, "INTEGER" },
diff --git a/src/core/tcpwrap.c b/src/core/tcpwrap.c
deleted file mode 100644
index 6c630fac6..000000000
--- a/src/core/tcpwrap.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-/***
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-
-#ifdef HAVE_LIBWRAP
-#include <tcpd.h>
-#endif
-
-#include "tcpwrap.h"
-#include "log.h"
-
-bool socket_tcpwrap(int fd, const char *name) {
-#ifdef HAVE_LIBWRAP
- struct request_info req;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
- struct sockaddr_in6 in6;
- struct sockaddr_un un;
- struct sockaddr_storage storage;
- } sa_union;
- socklen_t l = sizeof(sa_union);
-
- if (getsockname(fd, &sa_union.sa, &l) < 0)
- return true;
-
- if (sa_union.sa.sa_family != AF_INET &&
- sa_union.sa.sa_family != AF_INET6)
- return true;
-
- request_init(&req,
- RQ_DAEMON, name,
- RQ_FILE, fd,
- NULL);
-
- fromhost(&req);
-
- if (!hosts_access(&req)) {
- log_warning("Connection refused by tcpwrap.");
- return false;
- }
-
- log_debug("Connection accepted by tcpwrap.");
-#endif
- return true;
-}
diff --git a/src/core/tcpwrap.h b/src/core/tcpwrap.h
deleted file mode 100644
index 3353b6596..000000000
--- a/src/core/tcpwrap.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-#pragma once
-
-/***
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <stdbool.h>
-
-bool socket_tcpwrap(int fd, const char *name);
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
index d860b5551..208d329c1 100644
--- a/src/shared/exit-status.c
+++ b/src/shared/exit-status.c
@@ -113,9 +113,6 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_STDERR:
return "STDERR";
- case EXIT_TCPWRAP:
- return "TCPWRAP";
-
case EXIT_PAM:
return "PAM";
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
index 385d6def0..d6bf84c69 100644
--- a/src/shared/exit-status.h
+++ b/src/shared/exit-status.h
@@ -64,7 +64,7 @@ typedef enum ExitStatus {
EXIT_SETSID, /* 220 */
EXIT_CONFIRM,
EXIT_STDERR,
- EXIT_TCPWRAP,
+ _EXIT_RESERVED, /* used to be tcpwrap, don't reuse! */
EXIT_PAM,
EXIT_NETWORK,
EXIT_NAMESPACE,
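Review bot: The comment on `_EXIT_RESERVED` does not record which exit code is being retired, and within this hunk only `EXIT_SETSID` carries its value (220). Counting from there the reserved slot is 223, so I would write `_EXIT_RESERVED, /* 223: was EXIT_TCPWRAP, don't reuse! */` so that anyone matching exit codes in logs or monitoring rules can find it. Because `exit_status_to_string` loses its `case EXIT_TCPWRAP` in the same commit, a 223 recorded by an older build would presumably no longer be rendered as `TCPWRAP`, which deserves a line in the release notes. The enum continues outside the hunk.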