[Nagios-devel] nsca libwrap support

Posted: Sat Oct 25, 2003 7:50 pm
by Guest

Attached is a patch for nsca.c (as of CVS this morning), that fixed the
recently added TCP wrappers support. Tested in both --single and --daemon
modes.

I moved the libwrap check up to just after the accept() and prior to the fork()
in MULTI_PROCESS mode so that rejected attempts don't cause process creation
(trivial DoS attack). I also fixed the reject logic; the reject() function
calls exit(), which broke single mode.

Let me know if the patch requires cleanup.

M

Attachment: nsca.c.libwrap.patch (text/plain, quoted-printable)

Index: nsca.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/nagios/nsca/src/nsca.c,v
retrieving revision 1.16
diff -u -r1.16 nsca.c
--- nsca.c 24 Oct 2003 01:31:08 -0000 1.16
+++ nsca.c 24 Oct 2003 15:55:48 -0000
@@ -725,6 +725,21 @@
return;
}
=20
+#ifdef HAVE_LIBWRAP
+
+ /* Check whether or not connections are allowed from this host */
+ request_init(&req,RQ_DAEMON,"nsca",RQ_FILE,new_sd,0);
+ fromhost(&req);
+
+ if(!hosts_access(&req)){
+ /* refuse the connection */
+ syslog(LOG_ERR, "refused connect from %s", eval_client(&req));
+ close(new_sd);
+ return;
+ }
+#endif
+
+
/* fork() if we have to... */
if(mode=3D=3DMULTI_PROCESS_DAEMON){
=20
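
Review bot: with the check placed ahead of the "fork() if we have to..." block, fromhost() and hosts_access() now run in the accepting process, so any time they spend (for example a name lookup when the access rules match on hostnames) delays every other pending connection in MULTI_PROCESS_DAEMON mode. That is a reasonable trade against forking for each rejected connection, but it deserves a comment above request_init() saying the check is deliberately done before fork() and has to stay cheap. Style: the two blank lines after #endif can be one.
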
@@ -760,29 +775,6 @@
/* log info to syslog facility */
if(debug=3D=3DTRUE)
syslog(LOG_DEBUG,"Connection from %s port %d",inet_ntoa(np=
tr->sin_addr),nptr->sin_port);
-
-#ifdef HAVE_LIBWRAP
-
- /* Check whether or not connections are allowed from this host */
- request_init(&req,RQ_DAEMON,"nsca",RQ_FILE,new_sd,0);
- fromhost(&req);
-
- if(!hosts_access(&req)){
-
- syslog(LOG_DEBUG,"Connection refused by TCP wrapper");
-
- /* cleanup */
- do_cleanup();
-
- /* refuse the connection */
- refuse(&req);
- close(new_sd);
-
- /* should not be reached */
- syslog(LOG_ERR,"libwrap refuse() returns!");
- exit(STATE_CRITICAL);
- }
-#endif
=20
/* handle the connection */
if(mode=3D=3DSINGLE_PROCESS_DAEMON)
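
Review bot: the removed block called do_cleanup() before refusing, while the replacement path in the first hunk only does close(new_sd) and return; please confirm that nothing do_cleanup() handled is needed now that the refusal no longer ends in exit(), and say so in the change description. The refusal message also moves from LOG_DEBUG ("Connection refused by TCP wrapper") to LOG_ERR in the new code, which the description does not mention; if that is intended, note that every rejected connection will now be logged at error level.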

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]