- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Force inetd to have listen queue size to be set to the value of
kern.ipc.somaxconn instead of hardcoded value 64.

Submitted by: Andrey Ignatov <rdna@rdna.ru>
MFC after: 2 weeks

Rework all non-contributed files that use `struct timezone'.

This structure is not part of POSIX. According to POSIX, gettimeofday()
has the following prototype:

int gettimeofday(struct timeval *restrict tp, void *restrict tzp);

Also, POSIX states that gettimeofday() shall return 0 (as long as tzp is
not used). Remove dead error handling code. Also use NULL for a
nul-pointer instead of integer 0.

While there, change all pieces of code that only use tv_sec to use
time(3), as this provides less overhead.

Replace the use of wall clock time with monotonically increasing
clock. In general, gettimeofday() is not appropriate interface
when accounting for elasped time because it can go backward, in
which case the policy code could errornously consider the limit
as exceeded.

MFC after: 1 week
Reported by: Mahesh Arumugam
Submitted by: Dorr H. Clark via gnn
Sponsored by: Citrix / NetScaler

Replace index() and rindex() calls with strchr() and strrchr().

The index() and rindex() functions were marked LEGACY in the 2001
revision of POSIX and were subsequently removed from the 2008 revision.
The strchr() and strrchr() functions are part of the C standard.

This makes the source code a lot more consistent, as most of these C
files also call into other str*() routines. In fact, about a dozen
already perform strchr() calls.

Spelling fixes for usr.sbin/

The last big commit: let usr.sbin/ use WARNS=6 by default.

ANSIfy some more tools in usr.sbin/.

Most of these tools build with WARNS=6, except for their use of K&R
function declarations.

Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
environments.
Please note that this can't be done while such processes run in jails.

Note: in future it would be interesting to find a way to do that
selectively for any desired proccess (choosen by user himself), probabilly
via a ptrace interface or whatever.

Obtained from: Sandvine Incorporated
Reviewed by: emaste, arch@
Sponsored by: Sandvine Incorporated
MFC: 1 month

Sync comment with actual configuration format.

o inetd(8) requires wait/nowait column in inetd.conf for
ONC services as well.

PR: bin/119203
Submitted by: Peter Jeremy
MFC atfer: 1 week

Remove the -DFAST_IPSEC from Makefiles again.

This was needed during the IPSEC->FAST_IPSEC->IPSEC transition
period to not break the build after picking up netipsec header
files. Now that the FAST_IPSEC kernel option is gone and the
default is IPSEC again those defines are superfluous.

Approved by: re (rwatson)

Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by: bz
Approved by: re

Don't try to apply connection-per-ip rate limiting to unix domain
sockets. Instead of rejecting all unix domain connections when the
-C flag is given, allow them instead. Aragon tested an earlier
version of the patch.

PR: 109315
MFC after: 2 weeks
Tested-by: Aragon Gouveia <aragon@phat.za.net>

Removed T/TCP bits.

inetd and telnetd are not included in the standard release
crunched floppies, but they can be included as options in
src/release/picobsd (omitted by default though.) Therefore
preserve the RELEASE_CRUNCH knob in their Makefiles, but
tell its real purpose in a comment.

Obey MK_INET6_SUPPORT.

Update a couple of comments relating to RFCs.

Back out a Makefile change that accidently snook in.

Port 37 (RFC 738) style times are supposed to be a 32 bit time since
1900 in network byte order. Use a uint32_t to calculate and send
the time, so that we don't need to know how big ints or longs are.

I used uint32_t instead of int in the patch, on the off chance
someone uses our inetd source on a system that doesnt 32 bit ints.

PR: 95290
Submitted by: Bruce Becker <hostmaster@whois.gts.net>
MFC after: 2 weeks

Perform minor rewording and grammatical improvement. Add a missing Xr.

Revert previous commit for now, which seems to have (re)introduced some
old bugs, as well as some unwanted side effects. I will do more
investigation and fix these issues first.

Pointed out by: dwmalone

Improves and cleanups over inetd(8):

- Teach inetd(8) about kqueue, originally implemented by jmg@[1].
- Use new C99 style function prototypes instead of K&Rs.
- Raise WARNS from 2 to 6

Glanced at by: ru
MFC After: 2 weeks

[1] http://people.freebsd.org/~jmg/inetd.kq.patch,
http://people.freebsd.org/~jmg/inetd.kq.html

inetd(8) requires that /etc/netconfig be present, and contain entries
for each of udp and tcp (and their IPv6 equivalents when INET6 is
enabled). Note that dependency here.

PR: docs/90435
Submitted by: Dmitry Kazarov <kazarov at mcm dot ru>
Pointed out by: Daniel Gerzo <danger at rulez dot sk>
MFC after: 8 days

Pidfiles should be created with permission preventing users from opening
them for reading. When user can open file for reading, he can also
flock(2) it, which can lead to confusions.

Pointed out by: green

Use pidfile(3) in inetd(8).

Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely. There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat. It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.

NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.

Prefer C99's __func__ over GCC's __FUNCTION__.

Approved by: dwmalone

Per letter dated July 22, 1999 remove 3rd clause of Berkeley derived software
(with permission of addtional copyright holders where appropriate)

Mechanically kill hard sentence breaks.

Remove the requirement that the "discard" service be defined in the
services database. Now only services that are actually used need to be
defined.

Submitted by: ume

The list of (key,value) pairs to request_init is terminated by a 0 key,
not NULL.

Submitted by: Stefan Farfeleder <stefan@fafoe.narf.at>
MFC after: 3 days

On startup, warn if inetd's config file doesn't exist. This isn't
exactly the same as patch from the PR, which also exited if the
config file was missing. I didn't use Jeff's patch because I was
worried that some people might start inetd, create the config file
and then HUP inetd.

PR: 60806
Submitted by: Jeff Ito <jeffi@rcn.com>
MFC after: 2 weeks

Revert previous change. The effect of -w or -W option is described in
another paragraph.
Obtained from: David Malone <dwmalone@maths.tcd.ie>

According to source code, under certain conditions, logging goes to the
"auth" facility not "daemon".
Submitted by: "Bill Richter (7X22KEY)" <richterb@binkley.foothill.net>

Rather than use the gcc -fno-builtin-log flag, just rename the 'int log'
variable.

Since semantic of IPV6_PKTINFO was changed in RFC3542, we need to
use IPV6_RECVPKTINFO instead.

Reported by: someone (I had removed the mail wrongly, sorry)

Use -fno-builtin-log so gcc doesn't get ideas about using a math function
to log data. Clean up an unused variable that was hidden by the WARNS?=2
being commented out. Uncomment it now that it compiles cleanly again.

Move my inetd maintainer note to src/MAINTAINERS.

Get the connections per minute calculation right. By good fortune
(or possibly testing) the previous formula worked for the default
constants compiled into inetd, but if you recompiled with different
values of CHTSIZE and CHTGRAN the calculation might not have worked.

PR: 54354
Submitted by: Claus Assmann <ca@sendmail.org>
Submitted by: Jose Marcio Martins da Cruz <Jose-Marcio.Martins@ensmp.fr>
MFC after: 5 days

The .Xr utility

Under some unusual conditions, inetd can leak a open file discriptor
into a child process. Rather than closing the discriptors manually,
mark all discriptors as close-on-exec.

PR: 47694
Submitted by: Max Okumoto <okumoto@ucsd.edu>
Obtained from: NetBSD
MFC after: 2 weeks

After calling login_getclass, be sure to call login_close so that
we don't leak memory. Only one of these two cases (reconfig) actually
causes a leak because the other is usually followed by an exec.

PR: 46845
Reviewed by: David Wang <dsw@juniper.net>
MFC after: 2 weeks

The tcp_wrappers function `fromhost()' can fail. In such
cases, the `struct sockaddr' will not be allocated.

Reported by: nectar
MFC after: 2 days

Using LOGIN_SETALL &~LOGIN_SETMAC to avoid setting the MAC label improperly,
rather than specifically setting the process priority and resource class;
otherwise, we improperly set other aspects of the login class. We have
a bit more to do here, but the proper fix will probably involve breaking
out MAC labels from the login class at some point, as well as further
clarifying the logic here.

Pointed out by: kuriyama, max

For now, set only the resource limits and process priority associated
with a class, rather than all aspects of the class when switching
classes for an inetd service. Because we hard-code /daemon in the
current inetd implementation, using SETALL has unfortunate side-effects
involving the MAC code, and potentially other credential related
settings in the future. This change maintains the DoS-resistent
aspects of the class behavior, which is all that is promised in the
inetd man page.

A larger set of diffs providing more pluggability and configurability
was deferred for this more simple approach in the short term.

Reviewed by: ache
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Add used #include <limits.h>.

When printing the wait status, break it down into a signal and a exit status.

PR: 41912
Submitted by: Aaron Smith <aaron@mutex.org>
MFC after: 2 weeks

Swap sense of no_v[46]bind variables and rename as v[46]bind_ok -
this avoids some double negatives which are a bit difficult to
parse.

Always tread v[46]bind{,_ok} as booleans.

Fix parsing of unix domain entries after addition of IPv6 RPC support.

PR: 40771
Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

Don't initialise policy, v4bind and v6bind where the variables are
declared - it was bad style and caused a bug. v[46]bind need to be
reset whenever we go to the "more:" label.

Jean-Luc and I came up with this patch independently, so it had
better be right!

PR: 40771
Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

tpc -> tcp in an error message.

PR: 40771
Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

Clear up a few warnings (unused variable, rpc versions are usigned so use %u,
rename a parameter to avoid shadowing a global).

MFC after: 1 month

mdoc(7) police: Removed redundant .Ns calls.

Add capability for limiting the maximum number of simultaneous
invocations of each service from a single IP address.

Requested by: matusita
Reviewed by: dwmalone
Tested by: matusita on snapshots.jp.FreeBSD.org
MFC after: 2 weeks

use IPV6_V6ONLY instead of non standard IPV6_BINDV6ONLY.

MFC after: 1 week

Fix typo: corrisponds -> corresponds

add support for rpc IPv6 (rpc/udp/46 ...)

Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

The .Nm utility

Replace the SWAP(var0,var1) macro with SWAP(type,var0,var1) and use it as
is appropriate to avoid using typeof/__typeof__. It is worth noting that
SWAP() is only ever used to swap pointer values so 'void *' assumptions would
have been acceptable, but I'd gladly pay you tuesday for a cheeseburger^W
cleaner interface today.

Poked into submission by: bde

Unused macro.

__FBSDID() strategic insertion.

Kill __P, yuck.

Mark unused variables __unused.

Built standalone, inetd(8) is WARNS=5 clean, WARNS=6 if you ignore %m fits.

Use __typeof__ instead of typeof.

Kill bad whitespace and do some style cleanups as a result of the protoize.

ANSI prototypes via protoize(1).

Log invalid config entries. Make the -d option actually log to
the terminal(-d fix from dwmalone).

Approved by: dwmalone
MFC after: 2 weeks

Make compilable without -DINET6.

Log address family of a connection.

Requested by: matusita
Reviewed by: matusita

Correct spacing.

Introduce a version field to `struct xucred' in place of one of the
spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being). Accordingly, change users of
xucred to set and check this field as appropriate. In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former. This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by: rwatson

Fix a typo.

Reported by: Jurrien Koopmans <jjkoopmans@home.nl>

Use CFLAGS, not COPTS, in the Makefile. bsd.prog.mk conveniently adds
COPTS towards the end of final CFLAGS so that it can be used to
override Makefile and other defaults. Using it in Makefiles risks
having options set using it clobbered when somebody uses it on the
command line.

Approved by: bde

mdoc(7) police: s/BSD/.Bx/ where appropriate.

Perform a major cleanup of the usr.sbin Makefiles.
These are not perfectly in agreement with each other style-wise, but they
are orders of orders of magnitude more consistent style-wise than before.

Turn off WARNS stuff. When combined with -nostdinc and system header
files that aren't WARNS clean it causes trouble.

o Remove old setproctitle.
o Mark unused variables.
o Set WARNS?=2
o Results in no code changes.

Submitted by: Mike Barcroft <mike@q9media.com>

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

mdoc(7) police: fixed markup, sorted xrefs.

mdoc(7) police: fix spacing and punctuation issues.

Don't add -Wall, as it's a compiler specific flag.

Fix most of the warnings given by WARNS=2.

Remove duplicate words.

Give inetd the ability to manage unix domain sockets. Details of
how to use this feature are in the man page. This is based on work
by Lyndon Nerenberg.

(The only difficult part about this patch is the fact that you
can't fchown a unix domain socket, which means the sockets must be
put in a secure directory).

Reviewed by: dillon

Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by: .Xr testing script

Get rid of se_ctladdrinitok, which doesn't do anything and seemes
to have been accidently imported when ipv6 support was added to
inetd.

Approved by: ume

Correct a comment - the time service returns seconds since 1900 not 1970.

Submitted by: ru

This patch cleans up the ident stuff in inetd. The code which has
been patched so many times it was a bit of a mess. There are style,
code and man page cleanups. The following are the functional changes:

The RFC only permits the returning of 4 possible error
codes, make sure we only return these (PR 27636).

Use MAXLOGNAME to determine the longest usernames.

Add a -i flag, which returns the uid instead of the username
(this is from a PR 25787, which also contained alot of the
cleanups in this patch).

PR: 25787, 27636
Partially Submitted by: Arne.Dag.Fidjestol@idi.ntnu.no
Reviewed by: Arne.Dag.Fidjestol@idi.ntnu.no, green
MFC after: 3 weeks

Recently, other BSDs had faith support in inetd. Though our inetd has
it already, their syntax is not compatible with ours. It will confuse
users. So, we have compatibility with their syntex.

Approved by: dwmalone
Obtained from: NetBSD

Make dg_echo return up to the first 65536 bytes of a datagram.
The patch I used isn't quite the one Lars suggested, but the size
of the largest datagram you can recv isn't #defined anywhere, and
probably isn't even bounded for some protocols.

PR: 25050
Submitted by: Lars Eggert <larse@isi.edu>

Don't spell requester as requestor.

Allow ident requests with trailing junk following the terminating "\n".

Reviewed by: ben
Approved by: green

- Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.

Set the default manual section for usr.sbin/ to 8.

Eliminate mdocNG warnings caused by misplaced or extraneous macro calls.

Switch to using a struct xucred instead of a struct xucred when not
actually in the kernel. This structure is a different size than
what is currently in -CURRENT, but should hopefully be the last time
any application breakage is caused there. As soon as any major
inconveniences are removed, the definition of the in-kernel struct
ucred should be conditionalized upon defined(_KERNEL).

This also changes struct export_args to remove dependency on the
constantly-changing struct ucred, as well as limiting the bounds
of the size fields to the correct size. This means: a) mountd and
friends won't break all the time, b) mountd and friends won't crash
the kernel all the time if they don't know what they're doing wrt
actual struct export_args layout.

Reviewed by: bde

mdoc(7) police: split punctuation characters + misc fixes.

Various cleanups of inetd: Avoid shadowing variables, use socklen_t
instead of ints, don't cast to char *, clear up some remote name
handling code which had become a little odd.

Should result in no functional changes.

Don't mention /etc/protocols in inetd documentation or comments, as inetd
doesn't actually use it.

PR: 24307
Submitted by: opentrax@email.com

Prepare for mdoc(7)NG.

Add a -F option to the builtin ident service, which allows .fakeid files
to contain the name of other valid users.

PR: 22837
Submitted by: Andreas Gerstenberg <andy@andy.de>
Reviewed by: green
Reviewed by: sheldonh

Tidy up some prototypes:
make sure there is exactly one prototype for each function,
use K&R style definitions everywhere to match dominant style,
make flag_signal take an int to avoid problems if we have
ANSI prototypes and K&R definitions.

Make some style changes to the ident_stream() code.

Partially submitted by: alfred
Reviewed by: alfred

Security fix: correctly set groups according to the user. Previously,
root's groups' permissions were being used, so a user could read up to
16 (excluding initial whitespace) bytes of e.g. a wheel-accessible file.

Also, don't allow blocking on the opening of ~/.fakeid, so replace a fopen()
with open() and fdopen(). I knew I'd be going to hell for using C file
streams instead of POSIX syscalls...

mdoc(7) police: use the new features of the Nm macro.

Be explicit about the fact that you can only specify one IP address/hostname

Fix two typos in comments.

PR: 22268
Submitted by: Daniel S. Lewart <d-lewart@uiuc.edu>

Claim maintainership of inetd.

Don't leak a file discriptor if a service we've called accept() for
loops.

Submitted by: Ian Dowse <iedowse@maths.tcd.ie>

Make reconfiguring an external service as builtin service work.

PR: 21650
Submitted by: ben
Tested by: dan@ducky.nz.freebsd.org

Stop internal ident service spinning until the timeout if the
connection goes away. Spotted by people on -STABLE about 2 weeks
ago.

Submitted by: Based on a patch by alfred and Maxime Henrion <mux@qualys.com>

Explain "-c" option more exactly and state the default in the man
page.

Add ability to run "inetd -R 0" to disable the default connection
per minute limit of 256 connections. Document this in man page.

Don't use maxchild as a boolean - instead check if it is greater
than zero.

Reviewed by: sheldonh
Based on a patch by: Alexander Langer <alex@big.endian.de>

specifer -> specifier

Sleep for a second after tcp wrappers rejects a connection, so we
don't traumatise the parent inetd.

Requested by: wietse@porcupine.org
Approved by: markm

Make builtin ident service work if the request arrives in more than
one packet. Also check that the whole request has been recieved
before processing it.

The patch isn't the exact one from the PR, but a slight varient
suggested by Brian.

PR: 16086
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
Reviewed by: green

Fix the ident server up more: use ssize_t/size_t/socklen_t/int all in the
proper places and make the fakeid parsing code a bit less stupid. Also,
remove an "Rflag" that snuck in there (-R wouldn't be accepted by it,
anyway).

Fix a 64-bit'ism in the handling of the ident service. sysctlbyname() takes
a size_t as its 3rd argument, which is 64-bits on the alpha. The 'len'
variable used was a int, which is only 32-bits. Use size_t as the type
for 'len' to work-around this.

Clarify the use of the auth service's -d option for specifying
a fallback username.

Reviewed by: green

Make sure to use IPv4 mapped IPv6 address when mapped address is
requested in /etc/inetd.conf.

Reviewed by: shin

Optimize those services that send only one block of data: use send(2)
with the MSG_EOF flag set instead of write(2).

Submitted by: David Malone <dwmalone@maths.tcd.ie>
Reviewed by: wollman

Allow using "-d username" without "-r". Example:
auth stream tcp nowait root internal auth -d "Only fools trust ident"

"can received" -> "can receive".

Make inetd compilable without INET6.

Approved by: jkh

Submitted by: jhb

Fix addr length argument value passed to sendto().
Some inetd internal udp servers didn't worked with problem.
Also fix recvfrom() "fromlen" arg type from int * to socklen_t *.

Approved by: jkh

Submitted by: bde

Clarify the facility used for logging with and without the wrapping
options.

PR: 17017
Submitted by: Doug Barton <Doug@gorean.org>

Remove broken hard sentence breaks, which mess up the typeset output.

Fix broken inet logging when wrapping options are not specified.

Approved by: jkh

Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>

Make inetd picobsd friendly, dont use ipsec when RELEASE_CRUNCH
is defined

Approved-by: jordan

Fix inetd wrong AF check for RPC services

Incorrect Address Family check is done for RPC services, and
fail to initialize it.
The error check is replaced to new one, which checks if IPv4
bind is enabled or not. (It is disabled when IPv6 numeric
addr is specified for -a bind address option.)

An review reqeust is once sent to des, but he quit MAINTAINER.

Approved by: jkh

Drop maintainership of inetd, since nobody respects it anyway.

Fix inconsistent debug output. (syslog -> warnx)

Specified by: sheldonh

Reviewed by: des

Fix English, mdoc and layout of the previous commit, as requested by
the committer (shin). While I don't have permission for this change
from the inetd maintainer (des), I assume that shin has permission
and I'm just fixing his contribution up for him.

Okay, I couldn't resist, I made some extra changes:

* Replace ".Tn FreeBSD" with .Fx
* Make the illegal TCPMUX and IPSEC sections legal subsections
of the IMPLEMENTATION NOTES section.

Requested by: shin

Avoid verbose error messages when ipsec initialization for sockets failed
usually, and print it only when debug is enabled.
(This always happens when kernel is configured without IPSEC option.)

several tcp apps IPv6 update
-inetd
-rshd
-rlogind
-telnetd
-rsh
-rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Do not dot terminate sentences inside FILES section. Lowercase
inside error messages.

I like base-36 better.

Implement -g and -d options in my ident code. The -g flag uses a random
garbage value for the username (hex garbage, that is), and the -d flag
provides a default username for fallback purposes if the user cannot be
looked up. That is very useful for the case where inetd auth is
running on a NAT box.

While I'm here updating the manpage, clean up an English error and a
few small nits.

Put the listening socket into non-blocking mode before doing an
accept(2). This is a not really problem on -current as the accept race
is fixed, however it is a MFC candidate for -stable.

This could possibly be slightly more efficient and leave the listening
socket permanently in non-blocking mode, but I wasn't certain that I
could catch all the stream/wait (not nowait) mode implications.

Do not dot or \n terminate syslog string.

$Id$ -> $FreeBSD$

Pull on my asbestos undies and claim ownership of inetd to prevent further
flamage between our beloved messrs Hearn and Feldman. Further commits go
through me. I urge the contestants to direct their energies at cleaning
up main() in inetd.c, which has over time become a crawling horror.

Here goes, the "clear up any possible confusion" commit.
I've taken time to write up comments for the ident code tonight,
so there should no longer be any confusion about the purpouse of
whatever is in there. Wow, me commenting code... who'd have thought
that would happen?

Reviewed by: DES

Bring two wayward memory allocation failure messages in line with
those featured in the rest of the code.

More cleanups to ident_stream. Variables moved around, changed.
Got rid of an extra variable or two, while making corrections to
problems (that would probably not be a problem anyway, and worked.)

Partially Obtained from: David Malone <dwmalone@maths.tcd.ie>

Correct a groff error in macro usage ("foo : bar" becomes "``foo: bar''").
Document the auth -n flag.

More cleanups, asprintf() usage (proper, as opposed to using snprintf()),
and addition of a -n .noident-checking flag.

Clean up to match style(9) more closely. This should fix the problem of
people having ants in their pants ;)

Use comments to group functions by service more clearly. I've used the
excuse of providing the RFC numbers for the associated services.

Style nits:
* Bring memory allocation failure handling in line with that of
the rest of the code.
* Nestle block curlies between case statements correctly.

I've left the in-block declarations alone, since style(9) says we should
conform to the existing style within the code, and inetd already does
this. I've left the asprintf()'s in there because that's how Brian wants
it.

Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.

Ahem. Put things back a bit. I declare variables in the scope they're
used! I don't declare every variable at the top of a function because
that wastes stack space. I've clarified the error a bit (for if asprintf()
filas.)

As per DES's prodding, document _all_ the arguments to inetd's auth
service. This includes the -o "operating system" argument and the -t
"timeout" argument.

Style cleanups for iderror() and ident_stream(). Looks like c++ hang-over.
;-)

Fix auth -t argument handling. It was broken for the "sec.usec" case.
Add a warning for bogus -t arguments for the (debug) case.

Don't match up TCP services with UDP sockets.

Fixed a braino: lack of spaces in sscanf caused ident parsing to fail.
Sorry, guys.

"knobs are cheap". Here's a -t timeout option for the internal ident
service. It takes a number (w/ or w/out .usec) as an argument.

This commit encompasses the following changes to inetd:
1. Cleanups of ident_stream. "Evil" stdio is less used.
2. The BSD Copyright was added to the top of builtins.c.
3. As suggested, a timeout is now implemented in the ident
service. It defaults to 10 seconds. If enough people want
it, I'll make it configurable.

Suggested by: msmith

Relegate the diagnostic descriptor counter to the -DSANITY_CHECK case.

Remove unnecessary macro introduced in previous commit.

Also, the previous commit failed to reference:

PR: 12731
Submitted by: dwmalone@maths.tcd.ie (David "Inetd" Malone)

Don't leak pipe descriptor to daemons on execv().

Signal handlers should use _exit(2) and not exit(3).

Move code for all builtin services from inetd.c to builtins.c, including
the Green Piece. :-)

In future, new builtin services are less likely to need to touch the
already tangled inetd.c .

Fix for the hosts_options(5) spawn option.

Restore default SIGHUP, SIGCHLD and SIGALRM handlers in forked inetd
processes. This happens to work around the fact that hosts_access()
doesn't (but should) set SIG_IGN as the handler for SIGCHLD while it
handles the spawn option, but it would make sense even if that were
not true.

This does not address the leaking descriptors issue discussed on the
same PR.

PR: 12731
Reviewed by: des
Submitted by: David Malone <dwmalone@maths.tcd.ie>

Fix horribly broken comment. The submitter of the associated code sent
me the right comment and I bastardized it. :-(

Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by: green

By popular demand, ident_stream now takes arguments. Ex:
# This enables the old, fake ident service.
auth stream tcp nowait root internal
# This enables the new, real ident service.
auth stream tcp nowait root internal auth -r
# This enables ~/.fakeid support, too.
auth stream tcp nowait root internal auth -r -f

This is the working internal ident service. Turn it on by setting
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.

Fix ``:''.

PR: 12589

Use the proctitle to indicate that we're busy wrapping a request for a
service. Inetd already uses the process title to indicate that a request
for an internal service is being serviced, so this addition is fairly
orthogonal.

Submitted by: David Malone <dwmalone@maths.tcd.ie>

Allow internal and external wrapping to be enabled independantly of
each other. Instead of allowing the -w option to be specified twice,
we now take -w (wrap external) and -W (wrap internal).

Discussed with: markm

Allow service alias names from /etc/services to be used when specifying
internal services in inetd.conf .

The inetd(8) manpage used to say that the official name of a service
_must_ be used, yet inetd itself was hardcoded to used a service alias for
the auth service, namely ident!

Rather than change inetd.conf and break existing configurations on next
upgrade, we now allow service aliases as well as official names. This
allows the software to work as expected and still support existing
configurations.

This should not breaking existing wrapped configurations either and the
inetd(8) manpage already states that it is the service name specified in
inetd.conf that is used for calls to hosts_access(3).

PR: 11796
Reported by: Alex Charalabidis <alex@wnm.net>
Approved by: des

Clarify that the services name, as specified in inetd.conf, for an
internal service should be used as the daemon name when constructing
hosts_access(5) rules.

Ommitted in previous commit message:

Submitted by: David Malone <dwmalone@maths.tcd.ie>

Enable wrapping for dgram services and fix logging so that -l really
does log all connections.

Sync usage() with the manpage.

Approved by: mpp

Fix broken logic: (!wrap || log) -> (!wrap && log) .

Reported by: David Malone <dwmalone@maths.tcd.ie>

Fix the SYNOPSIS to reflect that the -w option can be specified twice.

Requested by: obrien
Approved by: mpp

Add command-line option (-w), specified once to enable wrapping and
twice to enable wrapping for internal wrapping as well. If the option is
not specified wrapping is turned off so that inetd will behave exactly
as it used to before TCP Wrappers was imported.

Change etc/defaults/rc.conf so as to encourage wrapping on new systems.

Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
manual page.

Approved by: jkh

Use Dq mdoc tag for double-quoted words.

Fix handling of maximum children and connections per minute.

Submitted by: David Malone <dwmalone@maths.tcd.ie>

Various fixes for inetd's TCP Wrappers support:

1) Handle forking and non-forking internal services correctly.
Turn on wrapping for internal services because it works now.
2) Preserve server names for each service on HUP.
3) Honour hosts_options(5) severity option.
4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers
usage and limitations.

This change may cause previously allowed builtin services (e.g. daytime)
to be denied in existing configurations.

PR: 12097
Reviewed by: markm
1)
Reported by: Pierre Beyssac <pb@fasterix.freenix.org>
2)
Submitted by: Masachika ISHIZUKA <ishizuka@ish.org>
3)
Submitted by: David Malone <dwmalone@maths.tcd.ie>

Don't stop listening to the signal pipe just because you don't have
anything else to do.

PR: 10468, 11594

There seems to be a problem (most likely when there is no hosts.allow)
with wrapping the internal services, so do not wrap them for now.

MFS: sort reference list and embelish history.

Fix the "internal" wrapping as well as a nasty bug involving
the daemon name vs the path. Also fix some warnings and improve
the wrapper section of the man page.

Nice debugging work by: Sheldon Hearn

Now inetd(8) has direct support for tcp_wrappers! Not working at the
moment is support for the internal serfvices, so these are not
enabled. Volunteers welcome!

Make machtime() function unsigned long instead of long.
Reviewed by: phk

Style cleanups.

Requested by: bde

Back out rev. 1.42 and 1.43. Apply Graham Wheeler's signal handling patch.

Reviewed by: jkh & eivind
Submitted by: Graham Wheeler <gram@cdsec.com>
PR: bin/8183

Remove signal mask prior to calling exec

Reviewed by: freebsd-current

Fix signal/library corruption by blocking all signals except during
select(). The reported corruption was with reentrancy in the malloc lib.

Add an "internal" driver for the "ident" protocol (tcp/113).

It will return "ERROR:HIDDEN-USER" for all requests.

To use it add:
ident stream tcp nowait root internal
to inetd.conf

Bruce says that %p is intended to format void pointers only. So use a void *
cast. There are pointers and then there are _pointers_. One day I'll
figure out which are which. 8-)

Remove a cast and print the pointer value with %p instead of %x.

Add (struct timezone *) cast to NULL for K&R

Use NULL as gettimeofday arg instead of 0 cast
Add missing arg to error diagnostic
Print yet one arg of error diagnostic

last patch misapplied.

This may apply to all known versions of inetd.

For a tcp/nowait connection, inetd invokes accept(2) for
each pending connection; this call returns a file descriptor
associated with the new connection.

Twelve years ago, code was added to inetd to detect "failing
servers". The heuristic that identifies a failing server is
one that has been invoked a large number of times over some
specified interval (e.g., more than 128 ftp services started
in 60 seconds may flag the ftp service as "failing"). These
compile-time constants vary depending on vendor.

The problem is that, when a failing server is detected, the
code neglects to close the file descriptor returned by the
accept(2).

Security-Implications:
I suppose someone with ample free time could orchestrate an
attack buy pummeling services until the inetd process finally
runs out of file descriptors thus rendering inetd useless to
any new connections that require a new descriptor.

PR: 7286
Reviewed by: phk
Submitted by: Jeff Forys <jeff@forys.cranbury.nj.us>

Spelling fixes.

PR: 6903
Reviewed by: phk
Submitted by: Josh Gilliam <josh@quick.net>

Small typo in T/TCP patch ("speicfy" -> "specify").

On request of Garrett, ad a way to specify that a service should be
reachable via T/TCP
Reviewed by: Garrett Wollman

Fixed gross errors in previous commit. `sapipe' was used uninitialized
to attempt to unblock SIGCHLD, but we actually want to unignore SIGPIPE.

Obtained from: OpenBSD

Finished conversion from sigvec to sigaction (don't assume that sa_mask
is a scalar...). Didn't convert from sigblock to sigprocmask. Didn't
fix missing error checking for sigaction...

Unblock SIGPIPE before execv(); convert from sigvec to sigaction
Obtained from: OpenBSD

Redo tcpmux stuff. tcpmux handling is now performed after inetd
forks. Furthermore, invalid input for tcpmux does not lead to
an exiting inetd.
This patch is recommended for people running tcpmux (which is NOT
enabled by default)

Document the requirement for TCPMUX to also be enabled as an internal
service if any external TCPMUX servers are desired.

PR: 826

Make maxchild and max child-per-minute default values configurable from
the command line or Makefile.

Add possibility to specify maximum number of connections per minute
for a given IP address.
This should be very effective against DoS attacks.

Implement group part now, final syntax is:
user[:group][/login-class]

Implement login classes sepcification as user[/loginclass]

By default inetd run things with the same limits as from /etc/rc
(daemon class) to not break anything as in good old days.

Use err(3).

Remove and odd sleep found by David Holland and posted to -security.
Reviewed by: Theo de Raadt (who put it into OpenBSD)
Submitted by: David Holland <dholland@eecs.harvard.edu>

login_getclass() -> login_getpwclass().

Condition SO_PRIVSTATE twiddling on the definedness of SO_PRIVSTATE.
(This was done as a #ifdef to keep source compatibility between 2.2 and 3.0.)

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.

Revert $FreeBSD$ to $Id$

The "-a" option for inetd specifies a specific IP address for the
server to bind to. This works until you send it a SIGHUP with a
new service defined ... the new service is bound to INADDR_ANY.

This patch fixes this bug (in both RELENG_2_2 and -current).

This is a 2.2 candidate..(i.e. pure bug fix)

Submitted by: Archie Cobbs (archie@whistle.com)

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Implement minimal login class support (ie: does a setusercontext()).
Enabled by defining LOGIN_CAP in Makefile, on by default.

Reviewed by: Bill fenner
Submitted by: Archie Cobbs (Archie@whistle.com)

Changes to allow inted to control the number of servers to
start on each service. This is a defence against a denial of service attack
in which the system is made unusable by
an external party. It also allows the behaviour of
small memory systems to be more accuratly predicted, by
bounding the extent to which processes can multiply.

Reviewed by: Bill fenner
Submitted by: Archie Cobbs (archie@whistle.com)

changes to make inetd compile cleaner under -Wall

Fix incorrect length argument to memset() function. Closes PR#1937.

Submitted by: Archie Cobbs <archie@whistle.com>

Do not modify a malloc()ed pointer; instead, use memmove().

Detected by: phkmalloc - AJ :)

Reviewed by: various
Submitted by: archie@whistle.com

changes to allow inetd to bind to a single interface
for more complicated options see xinetd in ports.

Obtained from: whistle.com

Increased listen() queue-depth limit to 64.

Add $Id$

Call setsockopt(SO_PRIVSTATE) to renounce SS_PRIV on all the sockets
we create. (Nothing being called from inetd should use it anyway,
but you can never be too careful.)

Translate the man page back into -mdoc.

Fix a bunch of spelling errors in a bunch of man pages.

Make inetd use setproctitle from libutil instead of it's own version.

The old code can probably still be compiled with #define OLD_SETPROCTITLE

Workaround for the setlogin()-in-same-session-as-inetd bug.

This causes:
1: inetd to clear it's getlogin() name at startup (in case the sysadmin
logged in and su'ed to root and restarted inetd)
2: inetd to start each spawned process in it's own session.
3: inetd to call setlogin() on non-root processes (eg: uucp for uucico)
4: log failures more extensively

This means that root spawned processes from inetd remain responsible for
setting their login name if they change their uid. (eg: rshd, login, etc).

If they do not do so, it is safer for them to have no "login name" than a
wrong one (like "root") because the getlogin() system call is documented
as "secure" on 4.4BSD. inetd when started from /etc/rc would have no login
name anyway, so this isn't really a change - it's making it consistant with
the bootup state...

The setsid() change *may* cause something to break that is doing a setsid()
itself and checking the result - it will fail now because it's already been
done. The consensis seems to be that this is unlikely. David G. thinks
this is acceptable as it is cleaner from an architectural point of view.

Implement simple quoting for command args.
Previously "abc xyz" became 2 args split at the space.

Record PID in /var/run/inetd.pid and document same.

Correct the "default rate" - it's 256/minute not 1000/minute.

Merge RELENG_2_0_5 into HEAD

Remove trailing whitespace.

Disable UDP service looping attack.

- increase TOOMANY, in line with 1.x
- add logging option from 1.x

Bring in handling of RPC services from 1.x
(Guess who forgot to replace his inetd until today ;-)

Get rid of update. Make man page installation work with our scheme
(and rename a few in the process).

This commit was generated by cvs2svn to compensate for changes in r1553,
which included commits to RCS files with non-trunk default branches.