diff -u -r ffingerd-1.26/Makefile.in ffingerd-1.26-drt/Makefile.in --- ffingerd-1.26/Makefile.in Mon Jan 24 18:08:54 2000 +++ ffingerd-1.26-drt/Makefile.in Thu Mar 16 11:06:22 2000 @@ -21,7 +21,7 @@ all: ffingerd -ffingerd: ffingerd.o +ffingerd: ffingerd.o config.h $(CC) $(CFLAGS) -o ffingerd ffingerd.o $(LDFLAGS) @echo Ok, do a 'make install' or 'make install.all' now. diff -u -r ffingerd-1.26/README ffingerd-1.26-drt/README --- ffingerd-1.26/README Tue Oct 5 16:24:29 1999 +++ ffingerd-1.26-drt/README Thu Mar 16 15:07:59 2000 @@ -35,7 +35,7 @@ Login: luser Name: J. Random Luser No project. No plan. - No PGP public key. + No public key. evil.com$ finger root@poor.victim.com [poor.victim.com] That user does not want to be fingered 
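Review bot: Listing `config.h` as a prerequisite of the `ffingerd` link target only forces a re-link; it does not recompile `ffingerd.o`, so re-running configure with a different `--enable-daemontools` or `--enable-fascist` setting can leave a binary built from the old defines. Unless an object rule elsewhere in Makefile.in already covers this, the dependency belongs on the object: `ffingerd.o: ffingerd.c config.h`.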
@@ -51,6 +51,34 @@ Nov 3 19:14:12 xorn fingerd[1052]: empty finger attempt from 127.0.0.1 Nov 3 19:15:53 xorn fingerd[1077]: indirect finger attempt at root@localhost from 127.0.0.1 Aug 26 00:51:11 xorn syslog: file "/home/leitner/.plan" is a symbolic link to "/etc/shadow"! + + +tcpserver/daemontools: + If you configure with "--enable-daemontools" ffingerd will be + compiled for use with daemontools and tcpserver. See + http://cr.yp.to/ucspi-tcp.html and http://cr.yp.to/daemontools.html + This means it will rely on tcpserver for doing hostname lookup and + so on and will log to stderr for use with multilog instead of using syslog. + + You will start ffingerd quick and dirty with something like + + /usr/local/bin/tcpserver 0.0.0.0 finger \ + softlimit -d 100000 -s 100000 setuidgid nobody /usr/local/libexec/ffingerd \ + 2>&1 | multilog t /var/log/finger/ + + This will bind at all your Interfaces to the finger port and run + at an incomming connection ffingerd as user nobody and a limit of + 100 kb for it's data ans stack segment. Logging will be done to + /var/log/finger/. tcpserver will restrict paralell incomming + connections to 40 and multilog will keep 10 logfiles of 1 MB + each. + + To watch ffingerd at work try + + tail -f /var/log/finger/current | tai64nlocal + + If you want extra savety and coolness create a special user for + ffingerd and run tcpserver under supervise. Credits: diff -u -r ffingerd-1.26/acconfig.h ffingerd-1.26-drt/acconfig.h --- ffingerd-1.26/acconfig.h Mon Dec 20 22:28:11 1999 +++ ffingerd-1.26-drt/acconfig.h Thu Mar 16 09:51:07 2000 @@ -10,3 +10,7 @@ /* Define it if you want IPv6 support */ #undef INET6 + +/* Define this if you like to use ffingerd in a daemontools like + enviroment */ +#undef DAEMONTOOLS diff -u -r ffingerd-1.26/config.h.in ffingerd-1.26-drt/config.h.in --- ffingerd-1.26/config.h.in Mon Dec 20 22:28:11 1999 +++ ffingerd-1.26-drt/config.h.in Thu Mar 16 09:50:10 2000 
@@ -67,3 +67,7 @@ /* Define it if you want IPv6 support */ #undef INET6 + +/* Define this if you like to use ffingerd in a daemontools like + enviroment */ +#undef DAEMONTOOLS diff -u -r ffingerd-1.26/configure ffingerd-1.26-drt/configure --- ffingerd-1.26/configure Mon Jan 24 17:29:14 2000 +++ ffingerd-1.26-drt/configure Thu Mar 16 09:58:33 2000 @@ -186,6 +186,7 @@ --with-logfac=LOG_FAC Log facility (def: LOG_INFO). --enable-ipv6 Enable IPv6 (with IPv4) support. --enable-fascist Enable fascist logging (everything is logged). + --enable-daemontools Work in a daemontools-like enviroment. EOF exit 0 ;; @@ -1733,6 +1734,18 @@ if test "x$enable_fascist" = "xyes"; then cat >> confdefs.h <<\EOF #define FASCIST_LOGGING 1 +EOF + + fi +fi + + +# Check whether --enable-daemontools or --disable-daemontools was given. +if test "${enable_daemontools+set}" = set; then + enableval="$enable_fascist" + if test "x$enable_daemontools" = "xyes"; then + cat >> confdefs.h <<\EOF +#define DAEMONTOOLS 1 EOF fi diff -u -r ffingerd-1.26/configure.in ffingerd-1.26-drt/configure.in --- ffingerd-1.26/configure.in Mon Dec 20 22:28:11 1999 +++ ffingerd-1.26-drt/configure.in Thu Mar 16 09:56:23 2000 @@ -72,7 +72,11 @@ if test "x$enable_fascist" = "xyes"; then AC_DEFINE(FASCIST_LOGGING) fi) - +AC_ARG_ENABLE(daemontools, + [ --enable-daemontools Enable fascist logging (everything is logged).], + if test "x$enable_daemontools" = "xyes"; then + AC_DEFINE(DAEMONTOOLS) + fi) AC_OUTPUT(Makefile) Only in ffingerd-1.26-drt/: current diff -u -r ffingerd-1.26/ffingerd.c ffingerd-1.26-drt/ffingerd.c --- ffingerd-1.26/ffingerd.c Mon Dec 20 22:49:25 1999 +++ ffingerd-1.26-drt/ffingerd.c Thu Mar 16 14:02:10 2000 @@ -57,6 +57,10 @@ # endif #endif +#ifdef DAEMONTOLS +#define NO_SYSLOG +#endif + #ifdef HAVE_ERRNO_H #include #endif 
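Review bot: The help string for the new option in configure.in is a copy of the `--enable-fascist` one, so a `configure` regenerated from this file would describe `--enable-daemontools` as enabling fascist logging. It should match the hand-edited help line in `configure`, e.g. `[  --enable-daemontools  Work in a daemontools-like environment.]`. The block added to the generated `configure` also assigns `enableval="$enable_fascist"` rather than `"$enable_daemontools"`; the test that follows reads `$enable_daemontools` directly, so this looks harmless, but regenerating from a corrected configure.in would remove the inconsistency.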
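Review bot: The guard is spelled `DAEMONTOLS`, while configure defines `DAEMONTOOLS`, so `NO_SYSLOG` is never set by this block and every `#ifndef NO_SYSLOG` section further down is still compiled into a daemontools build. Those builds then call `syslog()` although `openlog()` is skipped by `#ifndef DAEMONTOOLS`, log each event once to syslog and once to stderr, and keep the fixed-size `sprintf` into `message` that the stderr path was presumably meant to replace. It should be `#ifdef DAEMONTOOLS`. Because the macro comes from config.h, the block also has to sit after the `#include` of config.h, which is outside this hunk and should be confirmed.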
@@ -85,7 +89,6 @@ puts(not_found_message); } else { if (S_ISLNK(stat_buf.st_mode)) { -#ifndef NO_SYSLOG char message[512],linkdest[255]; int i; if ((i=readlink(filename,linkdest,254)) != -1) { @@ -93,9 +96,13 @@ } else { linkdest[0]='\0'; } - sprintf(message,"file \"%.200s\" is a symbolic link to \"%.200s\"!\n",filename,linkdest); +#ifndef NO_SYSLOG + sprintf(message,"file \"%.512s\" is a symbolic link to \"%.512s\"!\n",filename,linkdest); syslog(LOG_FACILITY,"%s",message); #endif +#ifdef DAEMONTOOLS + fprintf(stderr,"file \"%s\" is a symbolic link to \"%s\"!\n",filename,linkdest); +#endif /* DAEMONTOOLS */ puts(not_found_message); } else if (S_ISREG(stat_buf.st_mode)) { puts(found_message); 
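Review bot: Raising the precisions to `%.512s` removes the bound that kept this `sprintf` inside `message`: the buffer is still `char message[512]`, and two fields of that width plus about 35 bytes of literal text no longer fit, whereas the old `%.200s` pair did. `linkdest` is the target of a symlink in the user's home directory, so its length is set by that user rather than by the administrator. Size the write by the destination, `snprintf(message,sizeof(message),"file \"%s\" is a symbolic link to \"%s\"!\n",filename,linkdest);`, or drop the buffer and pass the format and arguments straight to `syslog()`. The same pattern appears in the dump_user hunk that follows, where `%.256s` plus `%.1076s` is written into `message[1024]` and into `message[512]`, and where the `%.256s` writes into `filename` rely on a buffer whose size is not visible in the diff.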
@@ -132,42 +139,50 @@ setgid(pwd->pw_gid); setuid(pwd->pw_uid); - sprintf(filename,"%.200s/.nofinger",pwd->pw_dir); + sprintf(filename,"%.256s/.nofinger",pwd->pw_dir); if (lstat(filename,&stat_buf) && (errno==ENOENT)) { #ifndef NO_SYSLOG #ifdef FASCIST_LOGGING - char message[512]; - sprintf(message,"finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); + char message[1024]; + sprintf(message,"finger \"%.256s\" from %.1076s\n",pwd->pw_name,remote); syslog(LOG_FACILITY,"%s",message); #endif #endif - sprintf(filename,"%.200s",pwd->pw_gecos); +#ifdef DAEMONTOOLS +#ifdef FASCIST_LOGGING + fprintf(stderr, "finger \"%s\" from %s\n",pwd->pw_name,remote); +#endif /* FASCIST_LOGGING */ +#endif /* DAEMONTOOLS */ + sprintf(filename,"%.256s",pwd->pw_gecos); if (strchr(filename,',')) { *(char *)strchr(filename,',')=0; } printf("Login: %-30s Name: %-40s\n",pwd->pw_name,filename); - sprintf(filename,"%.200s/.project",pwd->pw_dir); + sprintf(filename,"%.256s/.project",pwd->pw_dir); dump_file(filename,"Project:","No project."); - sprintf(filename,"%.200s/.plan",pwd->pw_dir); + sprintf(filename,"%.256s/.plan",pwd->pw_dir); dump_file(filename,"Plan:","No plan."); - sprintf(filename,"%.200s/.pubkey",pwd->pw_dir); + sprintf(filename,"%.256s/.pubkey",pwd->pw_dir); dump_file(filename,"Public key:","No public key."); } else { - char message[512]; - puts("That user does not want to be fingered."); #ifndef NO_SYSLOG - sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",pwd->pw_name,remote); + char message[512]; + sprintf(message,"attempt to finger \"%.256s\" from %.1076s\n",pwd->pw_name,remote); syslog(LOG_FACILITY,"%s",message); #endif +#ifdef DAEMONTOOLS + fprintf(stderr,"attempt to finger \"%s\" from %s\n",pwd->pw_name,remote); +#endif /* DAEMONTOOLS */ + puts("That user does not want to be fingered."); } } int main() { - char message[512]; + char message[1435]; unsigned char query[256]; unsigned char *qptr; #ifdef INET6 struct sockaddr_storage name; - char RemoteH[1025], 
Remote_IP[1025]; + char RemoteH[513], *Remote_IP[40]; #else /* INET6 */ struct sockaddr_in name; char *Remote_IP; @@ -175,9 +190,23 @@ #endif /* INET6 */ int len; unsigned long remote; - char Remote[256]; + char Remote[1077]; struct passwd *pwd; +#ifdef DAEMONTOOLS + char RemoteInfo[516]; + char *c; +#endif + + if(geteuid() == 0) { +#ifndef NO_SYSLOG + syslog(LOG_FACILITY,"ffingerd refuses to run as root"); +#endif + fprintf(stderr, "ffingerd refuses to run as root\n"); + printf("Temporary out of service\n"); + exit(1); + } +#ifndef DAEMONTOOLS openlog("ffingerd",LOG_PID,LOG_DAEMON); len=sizeof(name); if (getpeername(0, (struct sockaddr *)&name,&len) == -1) { @@ -203,17 +232,16 @@ remote=ntohl(name.sin_addr.s_addr); #ifdef HAVE_INET_NTOA Remote_IP=inet_ntoa(name.sin_addr); -#else - Remote_IP=malloc(40); - sprintf(Remote_IP,"%ld.%ld.%ld.%ld", - remote>>24 & 255,remote>>16 & 255, +#else + sprintf(Remote_IP, "%.3ld.%.3ld.%.3ld.%.3ld", + remote>>24 & 255,remote>>16 & 255, remote>>8 & 255,remote & 255); #endif if ((host=gethostbyaddr((char *)&name.sin_addr,sizeof(struct in_addr),AF_INET))) { - sprintf(Remote,"%.200s [%.40s]",host->h_name,Remote_IP); + sprintf(Remote, "%.512s [%.15s]",host->h_name,Remote_IP); } else { -/* herror("gethostbyaddr");*/ - sprintf(Remote,"%.40s [%.40s]",Remote_IP,Remote_IP); + /* perror("gethostbyaddr");*/ + sprintf(Remote, "%.15s [%.15s]",Remote_IP,Remote_IP); #else /* INET6 */ getnameinfo((struct sockaddr *)&name, #ifdef SIN6_LEN 
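Review bot: In the `INET6` declarations at the end of this hunk, `char RemoteH[513], *Remote_IP[40];` declares `Remote_IP` as an array of 40 `char *`, not a 40-byte text buffer. The later `getnameinfo(..., Remote_IP, sizeof(Remote_IP), ...)` call and the `%.39s` arguments then receive a `char **`, a type error that only appears to work because the array is larger than intended. It was presumably meant to be `char RemoteH[513], Remote_IP[40];`, and since `INET6_ADDRSTRLEN` is 46, `Remote_IP[INET6_ADDRSTRLEN]` would be the safer size for numeric IPv6 text. The hunk starts inside dump_user and ends inside main's declarations.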
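Review bot: The new `geteuid() == 0` refusal is compiled into every build, not only `DAEMONTOOLS` ones, so an existing inetd entry that starts ffingerd as root stops answering after this patch; if that is intended it deserves a README note, otherwise wrap it in `#ifdef DAEMONTOOLS`. It also changes what the unchecked `setgid(pwd->pw_gid); setuid(pwd->pw_uid);` calls in dump_user do: under a non-root service account they fail for any other user, and the files are then read with the service account's rights, so the return values should be checked or the calls removed. In the syslog branch the refusal is logged before `openlog()` runs, so it appears without the `ffingerd` ident. main's body continues outside the hunk.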
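Review bot: In the `#else` branch for systems without `inet_ntoa`, the `malloc(40)` was removed but `Remote_IP` is still declared `char *Remote_IP;` in the non-`INET6` declarations, so `sprintf(Remote_IP, ...)` now writes through an uninitialized pointer. Give it storage, for example a 16-byte array declared next to `Remote_IP` and assigned with `Remote_IP=ip_buf;` before the `sprintf`. The new `%.3ld` conversions also zero-pad each octet, which differs from what `inet_ntoa` prints in the other branch and which some tools parse as octal; plain `%ld` keeps the two branches consistent. The enclosing `if`/`else` continues past the end of the hunk.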
@@ -222,55 +250,98 @@ SA_LEN((struct sockaddr *)&name), #endif Remote_IP, sizeof(Remote_IP), NULL, 0, NI_NUMERICHOST); - if (getnameinfo((struct sockaddr *)&name, + if (getnameinfo((struct sockaddr *)&name, #ifdef SIN6_LEN name->ss_len, #else SA_LEN((struct sockaddr *)&name), #endif - RemoteH, sizeof(RemoteH), NULL, 0, 0) == 0) { - sprintf(Remote,"%.200s [%.80s]",RemoteH,Remote_IP); + RemoteH, sizeof(RemoteH), NULL, 0, 0) == 0) { + sprintf(Remote,"%.512s [%.39s]",RemoteH,Remote_IP); } else { - sprintf(Remote,"%.80s [%.80s]",Remote_IP,Remote_IP); + sprintf(Remote,"%.39s [%.39s]",Remote_IP,Remote_IP); #endif /* INET6 */ } } - if (!fgets(query,255,stdin)) exit(1); +#else /* DAEMONTOOLS */ + if((c = getenv("TCPREMOTEHOST")) != NULL) { + sprintf(Remote, "%.512s [%.39s:%.5s]", c, + getenv("TCPREMOTEIP"), + getenv("TCPREMOTEPORT")); + } else { + sprintf(Remote,"%.39s [%.39s:%.5s]", + getenv("TCPREMOTEIP"), + getenv("TCPREMOTEIP"), + getenv("TCPREMOTEPORT")); + } + + if((c = getenv("TCPREMOTEINFO")) != NULL) { + sprintf(RemoteInfo," (%.512s)", c); + strncat(Remote, RemoteInfo, sizeof(Remote)-strlen(Remote)-1); + } +#endif /* DAEMONTOOLS */ + + if (!fgets(query,255,stdin)) { +#ifndef NO_SYSLOG + syslog(LOG_FACILITY,"fgets failed"); + closelog(); +#endif +#ifdef DAEMONTOOLS + perror("fgets failed"); +#endif /* DAEMONTOOLS */ + exit(1); + } + for (len = 0; query[len]; len++) { if (query[len] == '\r' || query[len] == '\n') { query[len] = '\0'; break; } - if (query[len] == '@') { + } + + if (strchr(query, '@') != NULL) { #ifndef NO_SYSLOG - sprintf(message,"indirect finger attempt at %.200s from %.200s\n",query,Remote); - syslog(LOG_FACILITY,"%s",message); - closelog(); + sprintf(message,"indirect finger attempt at %.255s from %.1076s\n",query,Remote); + syslog(LOG_FACILITY,"%s",message); + closelog(); #endif - puts("Sorry, we do not support indirect finger queries."); - exit(0); - } +#ifdef DAEMONTOOLS + fprintf( stderr, "indirect finger attempt at %s from %s\n",query,Remote); 
+#endif /* DAEMONTOOLS */ + puts("Sorry, we do not support indirect finger queries."); + exit(0); } + qptr=query; if (*qptr==' ') qptr++; if (*qptr=='/' && (*(qptr+1)=='W' || *(qptr+1)=='w')) qptr+=2; if (*qptr==' ') qptr++; if (*qptr==0) { #ifndef NO_SYSLOG - sprintf(message,"empty finger attempt from %s\n",Remote); + sprintf(message,"empty finger attempt from %.1076s\n",Remote); syslog(LOG_FACILITY,"%s",message); closelog(); #endif +#ifdef DAEMONTOOLS + fprintf(stderr, "empty finger attempt from %s\n",Remote); +#endif /* DAEMONTOOLS */ puts("Sorry, we do not support empty finger queries."); exit(0); } if ((pwd=getpwnam(qptr))) { dump_user(pwd,(unsigned char*)Remote); } else { - sprintf(message,"attempt to finger \"%.200s\" from %.200s\n",qptr,Remote); +#ifndef NO_SYSLOG + sprintf(message,"attempt to finger \"%.255s\" from %.1076s\n",qptr,Remote); syslog(LOG_FACILITY,"%s",message); +#endif +#ifdef DAEMONTOOLS + fprintf(stderr,"attempt to finger \"%s\" from %s\n",qptr,Remote); +#endif /* DAEMONTOOLS */ puts("That user does not want to be fingered."); } +#ifndef NO_SYSLOG closelog(); +#endif return 0; }
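Review bot: The `DAEMONTOOLS` branch passes `getenv("TCPREMOTEIP")` and `getenv("TCPREMOTEPORT")` straight to `%s` conversions, so starting ffingerd outside tcpserver (or with a cleared environment) hands `sprintf` a NULL pointer, which is undefined behaviour and crashes on many C libraries. Fetch the variables once and substitute a placeholder when one is missing, as sketched below. Separately, `query`, `qptr` and the `TCPREMOTEINFO` value come from the remote side and now reach stderr through `fprintf` with no filtering of control characters, so replacing non-printable bytes before logging would keep the multilog output trustworthy. main begins before this hunk.

```c
#else /* DAEMONTOOLS */
  {
    const char *rhost=getenv("TCPREMOTEHOST");
    const char *rip=getenv("TCPREMOTEIP");
    const char *rport=getenv("TCPREMOTEPORT");

    /* tcpserver normally sets these; fall back instead of passing NULL to %s */
    if (rip == NULL) rip="unknown";
    if (rport == NULL) rport="?";
    if (rhost == NULL) rhost=rip;
    sprintf(Remote,"%.512s [%.39s:%.5s]",rhost,rip,rport);
  }
  /* … unchanged: TCPREMOTEINFO handling … */
```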