Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

o inetd(8) requires wait/nowait column in inetd.conf for
ONC services as well.

PR: bin/119203
Submitted by: Peter Jeremy
MFC atfer: 1 week

Removed T/TCP bits.

Perform minor rewording and grammatical improvement. Add a missing Xr.

inetd(8) requires that /etc/netconfig be present, and contain entries
for each of udp and tcp (and their IPv6 equivalents when INET6 is
enabled). Note that dependency here.

PR: docs/90435
Submitted by: Dmitry Kazarov <kazarov at mcm dot ru>
Pointed out by: Daniel Gerzo <danger at rulez dot sk>
MFC after: 8 days

Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely. There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat. It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.

Per letter dated July 22, 1999 remove 3rd clause of Berkeley derived software
(with permission of addtional copyright holders where appropriate)

Mechanically kill hard sentence breaks.

Revert previous change. The effect of -w or -W option is described in
another paragraph.
Obtained from: David Malone <dwmalone@maths.tcd.ie>

According to source code, under certain conditions, logging goes to the
"auth" facility not "daemon".
Submitted by: "Bill Richter (7X22KEY)" <richterb@binkley.foothill.net>

The .Xr utility

mdoc(7) police: Removed redundant .Ns calls.

Add capability for limiting the maximum number of simultaneous
invocations of each service from a single IP address.

Requested by: matusita
Reviewed by: dwmalone
Tested by: matusita on snapshots.jp.FreeBSD.org
MFC after: 2 weeks

add support for rpc IPv6 (rpc/udp/46 ...)

Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

The .Nm utility

Correct spacing.

Fix a typo.

Reported by: Jurrien Koopmans <jjkoopmans@home.nl>

mdoc(7) police: s/BSD/.Bx/ where appropriate.

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

mdoc(7) police: fixed markup, sorted xrefs.

mdoc(7) police: fix spacing and punctuation issues.

Remove duplicate words.

Give inetd the ability to manage unix domain sockets. Details of
how to use this feature are in the man page. This is based on work
by Lyndon Nerenberg.

(The only difficult part about this patch is the fact that you
can't fchown a unix domain socket, which means the sockets must be
put in a secure directory).

Reviewed by: dillon

Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by: .Xr testing script

This patch cleans up the ident stuff in inetd. The code which has
been patched so many times it was a bit of a mess. There are style,
code and man page cleanups. The following are the functional changes:

The RFC only permits the returning of 4 possible error
codes, make sure we only return these (PR 27636).

Use MAXLOGNAME to determine the longest usernames.

Add a -i flag, which returns the uid instead of the username
(this is from a PR 25787, which also contained alot of the
cleanups in this patch).

PR: 25787, 27636
Partially Submitted by: Arne.Dag.Fidjestol@idi.ntnu.no
Reviewed by: Arne.Dag.Fidjestol@idi.ntnu.no, green
MFC after: 3 weeks

Don't spell requester as requestor.

Eliminate mdocNG warnings caused by misplaced or extraneous macro calls.

mdoc(7) police: split punctuation characters + misc fixes.

Don't mention /etc/protocols in inetd documentation or comments, as inetd
doesn't actually use it.

PR: 24307
Submitted by: opentrax@email.com

Prepare for mdoc(7)NG.

Add a -F option to the builtin ident service, which allows .fakeid files
to contain the name of other valid users.

PR: 22837
Submitted by: Andreas Gerstenberg <andy@andy.de>
Reviewed by: green
Reviewed by: sheldonh

mdoc(7) police: use the new features of the Nm macro.

Be explicit about the fact that you can only specify one IP address/hostname

Explain "-c" option more exactly and state the default in the man
page.

Add ability to run "inetd -R 0" to disable the default connection
per minute limit of 256 connections. Document this in man page.

Don't use maxchild as a boolean - instead check if it is greater
than zero.

Reviewed by: sheldonh
Based on a patch by: Alexander Langer <alex@big.endian.de>

specifer -> specifier

Clarify the use of the auth service's -d option for specifying
a fallback username.

Reviewed by: green

Allow using "-d username" without "-r". Example:
auth stream tcp nowait root internal auth -d "Only fools trust ident"

"can received" -> "can receive".

Clarify the facility used for logging with and without the wrapping
options.

PR: 17017
Submitted by: Doug Barton <Doug@gorean.org>

Remove broken hard sentence breaks, which mess up the typeset output.

Fix English, mdoc and layout of the previous commit, as requested by
the committer (shin). While I don't have permission for this change
from the inetd maintainer (des), I assume that shin has permission
and I'm just fixing his contribution up for him.

Okay, I couldn't resist, I made some extra changes:

* Replace ".Tn FreeBSD" with .Fx
* Make the illegal TCPMUX and IPSEC sections legal subsections
of the IMPLEMENTATION NOTES section.

Requested by: shin

several tcp apps IPv6 update
-inetd
-rshd
-rlogind
-telnetd
-rsh
-rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Do not dot terminate sentences inside FILES section. Lowercase
inside error messages.

Implement -g and -d options in my ident code. The -g flag uses a random
garbage value for the username (hex garbage, that is), and the -d flag
provides a default username for fallback purposes if the user cannot be
looked up. That is very useful for the case where inetd auth is
running on a NAT box.

While I'm here updating the manpage, clean up an English error and a
few small nits.

$Id$ -> $FreeBSD$

Correct a groff error in macro usage ("foo : bar" becomes "``foo: bar''").
Document the auth -n flag.

Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.

As per DES's prodding, document _all_ the arguments to inetd's auth
service. This includes the -o "operating system" argument and the -t
"timeout" argument.

Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by: green

Fix ``:''.

PR: 12589

Allow internal and external wrapping to be enabled independantly of
each other. Instead of allowing the -w option to be specified twice,
we now take -w (wrap external) and -W (wrap internal).

Discussed with: markm

Allow service alias names from /etc/services to be used when specifying
internal services in inetd.conf .

The inetd(8) manpage used to say that the official name of a service
_must_ be used, yet inetd itself was hardcoded to used a service alias for
the auth service, namely ident!

Rather than change inetd.conf and break existing configurations on next
upgrade, we now allow service aliases as well as official names. This
allows the software to work as expected and still support existing
configurations.

This should not breaking existing wrapped configurations either and the
inetd(8) manpage already states that it is the service name specified in
inetd.conf that is used for calls to hosts_access(3).

PR: 11796
Reported by: Alex Charalabidis <alex@wnm.net>
Approved by: des

Clarify that the services name, as specified in inetd.conf, for an
internal service should be used as the daemon name when constructing
hosts_access(5) rules.

Ommitted in previous commit message:

Submitted by: David Malone <dwmalone@maths.tcd.ie>

Enable wrapping for dgram services and fix logging so that -l really
does log all connections.

Fix the SYNOPSIS to reflect that the -w option can be specified twice.

Requested by: obrien
Approved by: mpp

Add command-line option (-w), specified once to enable wrapping and
twice to enable wrapping for internal wrapping as well. If the option is
not specified wrapping is turned off so that inetd will behave exactly
as it used to before TCP Wrappers was imported.

Change etc/defaults/rc.conf so as to encourage wrapping on new systems.

Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
manual page.

Approved by: jkh

Use Dq mdoc tag for double-quoted words.

Various fixes for inetd's TCP Wrappers support:

1) Handle forking and non-forking internal services correctly.
Turn on wrapping for internal services because it works now.
2) Preserve server names for each service on HUP.
3) Honour hosts_options(5) severity option.
4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers
usage and limitations.

This change may cause previously allowed builtin services (e.g. daytime)
to be denied in existing configurations.

PR: 12097
Reviewed by: markm
1)
Reported by: Pierre Beyssac <pb@fasterix.freenix.org>
2)
Submitted by: Masachika ISHIZUKA <ishizuka@ish.org>
3)
Submitted by: David Malone <dwmalone@maths.tcd.ie>

MFS: sort reference list and embelish history.

Fix the "internal" wrapping as well as a nasty bug involving
the daemon name vs the path. Also fix some warnings and improve
the wrapper section of the man page.

Nice debugging work by: Sheldon Hearn

Now inetd(8) has direct support for tcp_wrappers! Not working at the
moment is support for the internal serfvices, so these are not
enabled. Volunteers welcome!

Spelling fixes.

PR: 6903
Reviewed by: phk
Submitted by: Josh Gilliam <josh@quick.net>

Small typo in T/TCP patch ("speicfy" -> "specify").

On request of Garrett, ad a way to specify that a service should be
reachable via T/TCP
Reviewed by: Garrett Wollman

Document the requirement for TCPMUX to also be enabled as an internal
service if any external TCPMUX servers are desired.

PR: 826

Make maxchild and max child-per-minute default values configurable from
the command line or Makefile.

Add possibility to specify maximum number of connections per minute
for a given IP address.
This should be very effective against DoS attacks.

Implement group part now, final syntax is:
user[:group][/login-class]

Implement login classes sepcification as user[/loginclass]

By default inetd run things with the same limits as from /etc/rc
(daemon class) to not break anything as in good old days.

Use err(3).

Revert $FreeBSD$ to $Id$

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Reviewed by: Bill fenner
Submitted by: Archie Cobbs (Archie@whistle.com)

Changes to allow inted to control the number of servers to
start on each service. This is a defence against a denial of service attack
in which the system is made unusable by
an external party. It also allows the behaviour of
small memory systems to be more accuratly predicted, by
bounding the extent to which processes can multiply.

Reviewed by: various
Submitted by: archie@whistle.com

changes to allow inetd to bind to a single interface
for more complicated options see xinetd in ports.

Obtained from: whistle.com

Call setsockopt(SO_PRIVSTATE) to renounce SS_PRIV on all the sockets
we create. (Nothing being called from inetd should use it anyway,
but you can never be too careful.)

Translate the man page back into -mdoc.

Fix a bunch of spelling errors in a bunch of man pages.

Record PID in /var/run/inetd.pid and document same.

Correct the "default rate" - it's 256/minute not 1000/minute.

Disable UDP service looping attack.

- increase TOOMANY, in line with 1.x
- add logging option from 1.x

Bring in handling of RPC services from 1.x
(Guess who forgot to replace his inetd until today ;-)

This commit was generated by cvs2svn to compensate for changes in r1553,
which included commits to RCS files with non-trunk default branches.

BSD 4.4 Lite usr.sbin Sources