2 This file describes the changes to xinetd. The base version is 2.0.0.
9 Changes to the Makefile.
10 Trivial mods to the usage() function
13 Changes to the Makefile.
14 Fixed a bug in the usage() function
17 Distribution versions of the Makefile no longer contain any
18 references to options.opt
21 1) Clarified what an "unlisted RPC service" is in the man page
22 2) Fixed a bug in remote_address_check which caused access to be denied
23 for all hosts if no_access was set and only_from was not set.
24 3) Fixed a bug which caused arbitrary syslog levels if the log_type
25 was specified as SYSLOG in the "defaults" entry
28 bug fix in child.c: replaced strx_sprint with strx_print when naming
32 -------------------------------------------------------------------------------
35 This was mostly a clean-up of 2.0
38 A. The man page has been split into 3 parts:
39 xinetd.man : man page describing the program
40 xinetd.conf.man : man page describing the configuration file
41 This file now includes figures about the
42 overhead of interception.
43 xinetd.log.man : man page describing the log file
44 B. New service attributes
45 rpc_number : to support unlisted RPC services
46 nice : to set the nice value of forked servers
47 C. The IDONLY service flag was added
48 D. Now uses the timer library unless NO_TIMERS is defined. If NO_TIMERS
49 is not defined, the following are also available:
50 a) a new option, -cc, to do periodic consistency checks
51 b) timeout for reconfiguration
52 E. Configuration file man page now mentions that access control is
53 based on IP-address instead of domain address.
54 F. The interception code now sets the TCP_NODELAY option.
55 G. The timeout when contacting a remote identification server is
56 configurable both when the service request has been accepted and
57 when the request is rejected. In the former case it defaults to
58 infinity while in the latter it defaults to 30 sec.
59 H. The log line ids are now constants in an include file.
60 I. The fsma library is no longer used.
61 J. Most structure fields were renamed; certain functions were renamed too.
62 Access to structure fields is now via macros.
63 K. A bug in not restoring the number of descriptors to the soft limit
65 L. The -pid option works
66 M. New internal services:
67 "servers" : lists active servers
68 "services" : lists active services
71 xinetd produces more meaningful messages if it can't start logging
75 1) xinetd would request a port number for unlisted RPC services
76 One could get around this by simply specifying the port attribute
77 for the service; the specified value would be ignored anyway.
78 2) xinetd initialization might fail sometimes in function msg_init()
79 syslog logging was specified (i.e. the option -syslog was used)
80 The cause of this bug was that the
81 xlog_control( xlog, XLOG_GETFD, &fd )
82 operation will not fail for xlogs connected to syslog and
83 the value of 'fd' would be used in the subsequent fcntl(). That
84 value is arbitrary since 'fd' is a local variable.
85 If 'fd' did not happen to refer to an open descriptor, the program
86 would terminate since the fcntl() would fail (btw, the success
87 of the fcntl() call would be harmless if 'fd' happened to
88 refer to an open descriptor).
92 only_from/no_access addresses would get inverted on little-endian
93 machines when such addresses were specified using the numeric notation
94 (for example, 128.138.45.3). This bug was in the numeric_addr function
95 which did not convert the result of inet_addr to host-byte-order.
96 A work around for the bug would be to use the factorized address
97 notation (for example, 128.138.45.{3})
101 1) in dgram_echo(), sin_len was not being set before the invocation of
103 2) in finger_shutdown(), it was possible for Srdline() to return NULL
104 (if the remote end would close the socket without sending anything).
105 If the RECORD option was set in the log_on_failure flags, this
106 would cause the forked xinetd process which did the recording to
107 die since it would try to dereference a NULL pointer.
112 1) in exec_server() service descriptor might be closed when
113 execing server. This made it impossible to start servers
114 for 'nowait' services. The bug occurred only Ultrix version
115 4.3a or (probably) later (bug discovered and fix provided
116 by doug@seas.smu.edu)
118 2) for systems that supported supplementary group id's, the
119 set_credentials() function did not set those group id's
120 (they were being inherited from xinetd). Now initgroups(3)
121 is called to set the supplementary group id's properly.
122 (bug discovered and fix provided by maf+@osu.edu)
126 1) xinetd will crash after reconfiguration if there is a running
127 server for a service that was removed from the configuration and
129 2) xinetd forked process falls in infinite loop if identd server
130 sends a reply that is missing the ending CR-LF.
131 (bug discovered and fix provided by Laurent.Wacrenier@gin.obspm.fr).
133 We also change the LOGUSER_SUCCESS_TIMEOUT constant in config.h from
134 0 seconds (i.e. infinite timeout) to 30 seconds. This avoids infinite
135 waits in case the remote host does not send a RST reply when we attempt
136 to connect to the IDENTD port, and there is no server listening at
141 Bug fix: the HOST flag in the 'log_on_success' attribute was ignored;
142 the code was incorrectly checking if the HOST flag was
143 set in the log_on_failure attribute
144 (bug discovered by frolich@corrine.cpc.cs.ucf.edu)
147 Added support for TCP redirect to a remote host.
151 Added support for binding to specific interface.
155 Changed redirect so that a remote port can be specified as well.
159 Changed use of varargs to be more modern (and actually work on IRIX 6.5)
160 Added use of 1.2.3.4/24 style address ranges for access control
163 Fixed stupid error with logging of ip addresses.
164 Pointed out by Todd R. Eigenschink
166 Fixed to compile correctly under HPUX
167 Includes fixes from Pavel Roskin <pavel_roskin@geocities.com>
169 Fixed to compile correctly under BSDi
171 Fixed Linux libc5 to work with RPC.
172 Pointed out by Frodo Looijaard <frodol@dds.nl>
174 Minor jump because I went through many revisions of testing things
175 - Fixed littleendian bug with 1.2.3.4/26 style access control
176 - Added support for inet_addr instead of inet_aton, as Solaris 2.5.1
177 does not support inet_aton.
178 Both the previous bugs were found with the help of
179 Thomas E. (tht@inlink.com)
180 - Went entirely to stdarg.h version of variable arguement handling,
181 since some newer platforms doen't handle varargs.h style very
182 gracefully. If this breaks too many older architectures I'll
183 ifdef all the old stuff back in...
185 Fixed /tmp/xinetd.dump symlink problem pointed out on
186 BugTraq by Balazs Nagy <julian7@KVA.HU>
188 Fixed compilation problems on BSD systems.
190 Fixed compilation problems on AIX 4.1.x/powerpc
192 Fixed compilation problems on FreeBSD
193 Thanks to Sascha Schumann <schumann@schell.de>
194 Fixed a bug in sio/sprint.c
195 Thanks to Steven Stanfield <sstanf@reston.wcom.net>
197 Rudimentary administrative interface added (use the service name
199 Supports the "banner" directive, which is the name of the file
200 that will be splatted when a connection is denied.
201 Has a fixed open() on the dump file that is much better.
202 Thanks to Steven Stanfield <sstanf@reston.wcom.net>
203 $REMOTE_HOST environment variable is set to the name of the
204 remote host. Currently, if no name is available, it is set to NULL.
206 Fixed a problem with shells that don't define $PWD
208 Fixed a problem I introduced with automagic port selection
209 If both a port and a protocol are specified, no checks are done.
210 xinetd will believe the config, even if /etc/services says
212 xadmin service is an internal service now, just like tcp echo, etc.
213 Use the INTERNAL flag.
214 xadmin service now just calls server_dump when a "show run" command
216 Added a NAMEINARGS flag, so that you can use tcpd with xinetd.
217 Normally, xinetd takes argv[0] from the "server" directive.
218 This prevents tcpd from working properly. Now, you can use
219 tcp wrappers like this:
227 server = /usr/libexec/tcpd
228 server_args = /usr/libexec/telnetd
231 Added support for libwrap. Compile with --with-libwrap. Access
232 checking is done with libwrap (if compiled in) first, then with
233 xinetd's internal access control.
235 Some versions of libwrap needed allow_severity. Added it.
236 Changed severity to INFO from WARNING.
238 Added ability to use names for the bind and redirect
239 functions. They lookup the name, and use the
240 first address it returns. They only do the
242 Added "interface" as an alias to "bind"
243 Fixed potential bug with redirection losing data.
244 Pointed out by Solar Designer
245 Fixed potential bug in the parsing of xadmin commands.
246 Pointed out by Solar Designer
247 Changed default location of the dump file to /var/run/xinetd.dump
248 configurable in config.h
249 Added Solar Designer's per_source feature. Allows you to limit
250 the number of services spawned per source address.
251 Added Solar Designer's supplementary groups fix.
253 Updated the make files to not require absolute paths. This
254 will help with people having problems with the LOCATION
256 Updated configure to compile properly with Debian's version
257 of libwrap and glibc (look for yp_get_default_domain in nsl)
258 If banner directive is used, banner is printed regardless of access
259 control. It is actually printed before access control check
260 take place. banner_success and banner_fail are added to
261 explicitly give a message depending on access control.
262 Added banner_success option. This is a banner that is printed when
263 access to the service is granted. This is before any attempt
264 to execute the server has been made. The service may still fail
265 but it will not be for access control reasons.
266 Added banner_fail option. This is a banner that is printed when
267 access to the service has been denied. This allows you to
268 inform your users that they are doing something bad and they
269 shouldn't be doing it anymore.
270 Added max_load option. This option allows the operator to specify
271 the max load at which to run the service. If the machine
272 reaches the specified max load level, connections are denied to
273 that service. Each service can have a different max_load, and
274 it can be listed in the default service. Linux is working,
275 Solaris is kind of wierd. Solaris people should try it, but
276 don't use it as a real security mechanism yet. 2.6 and 2.7
277 should be fine. I'm not sure about 2.5.1 and earlier.
279 Fixed per_source to actually work properly.
280 Added the NODELAY flag. This will set the TCP_NODELAY sockopt
281 on the socket. If the service is not a TCP service, then
282 this flag has no effect.
283 Updated the man page with more explicit definition of the "groups"
285 Includes xconv.pl to replace itox. xconv.pl handles most of the
286 inetd.conf files I've seen, including the use of tcpd,
287 even though it is recommended that you compile with
288 libwrap instead of using tcpd.
289 Includes a man page to itox donated by Norbert Veber of Debian.
290 Updates to configure and Makefile to better handle the configuration
291 of install directories. Again, changes donated by Debian group.
292 Updates to itox to handle user.group syntax and checking on "wait".
294 Fixed a problem with the banner_fail parser.
295 Added IPv6 support to xinetd.
297 Added the option "cps". This allows you to disable a service if
298 the rate of incoming connections is too great. This number
299 may be set higher than the instances or per_source number.
300 This is used as a last ditch measure, if someone is bombarding
301 a service, and either 1) logs are piling up because of failed
302 attempts, or 2) way too much is happening, ditch the service.
303 This actually does a close() on the socket, so nothing is
304 listening to that port anymore. All connections will fail.
306 Made the options mask_t an unsigned long long (64bits on x86)
307 instead of an unsigned. xinetd was running out of bits
308 to store options in. Eventually, a real solution will
309 need to be implemented, but this works for the short term.
310 This may break on compilers that don't understand
311 long long's. Be aware. Most modern compilers are ok.
312 Added the option "enabled", similar to the "disabled" function.
313 If "enabled" is used, only the services listed in the
314 enabled line are available, regardless of what other
315 services are configured.
316 Changed the behavior of only_from and no_access. First, if you
317 specify a host by _name_ in only_from or no_access, a lookup
318 happens when a client connects. The _canonical_ name that
319 is returned is compared to the name specified in the access
320 control option. If the _names_ match, access is granted
321 or denied. See the readme for more information.
322 Added the ability to specify .domain.com to the access control
323 options. This is very similar to tcp wrapper's method
324 of specifying domain access. If the connecting client's
325 reverse lookup returns a name that ends in .domain.com
326 then access is granted or denied. See the readme for
329 The enable function didn't work. It worked for one entry, but
330 more than 1 entry would not be recognized and xinetd
331 would exit with no services available. I believe this
333 limits.h is included in parsers.c now, because of LONG_MIN and
334 LONG_MAX. Some setups would automagically include limits.h
335 through the other include files, and some wouldn't. This
336 should fix compile problems on those that don't.
337 Added a check for sys_siglist in the configuration script. This
338 is better than statically defining #ifdef's in signals.c.
340 Fixed numeric addresses being entered in the only_from field.
341 host_addr parser was identifying them and marking them as
342 HOST_ADDRs instead of NUMERIC_ADDRS.
344 Fixed year formatting in log to print 00 instead of 100.
346 Fixed the TIMEOFFSET macro in builtins.c so the 'time' service printed
349 Fixed a problem where banners would not work saying "could not find
350 banner: bannername<garbage here>".
352 The dump file was logging the ip address incorrectly for only_from
353 addresses. For some reason xntoa() was reporting the wrong
354 address. Changed to inet_ntoa, and works fine.
355 BSDI 4.1 was not compiling correctly, "inet_ntoa" not found.
356 This is because BSDI4.x switched to using bind 8 resolver
357 libraries, so you have to include <arpa/inet.h> to #define
358 all these functions to __func_name.
359 Some BSD's don't let you set the group permissions of a process to NULL,
360 so you get the setgroups(0,NULL) error whenever a connection
361 is made. To avoid this, set 'groups = yes' and be aware of the
362 extra group permissions the server may be running with. A message
363 to this effect has been added to the syslog error, so confusion is
366 Fixed a syntax error when compiling IPv6 support.
368 Always call no_control_tty(). This calls setsid() and fixes a problem
371 Bumped version number.
373 Added the "include" directive. You can now include other files
374 into your .conf file. "include filename"
375 Added preliminary an inetd compatibility mode. Start xinetd
376 with -inetd-compat and specify /etc/inetd.conf as your
381 Incorporated patches for Mac OS X and Tru64 support.
382 Also incorporated a patch for the includedir directive.
384 Incorporated a patch to allow logging to the AUTHPRIV level.
385 patch from Trond Eivind Glomsr.
386 Numerous cleanups. Mostly superficial, but gets rid of *lots*
387 of compile warnings when using -Wall. These cleanups
388 may have affected portability issues...
389 Support for Darwin! Now compiles and runs fine. Note that
390 xinetd doing mmap didn't work right (always lost the
391 first byte of the file). Workaround is to disable
392 mmapped io for Darwin.
393 Added a DISABLE flag for services, that will prevent a service
395 Added a "disable" boolean for services that does the same thing
397 "groups" can now be specified in the defaults section.
399 Implemented better error checking in redirect.c, so hopefully
400 it will detect error conditions more reliably and
401 prevent lots of child xinetd's running unecisarily.
402 Ramon Krikken sent a redirector implementation that replaced
403 the two process redirection with a single process using
404 select. Modifications to his patch were integrated.
405 includedir parses only regular files, or symlinks to regular
406 files, that do not begin with '.'.
407 Added includedir to the xinetd.conf man page.
409 Fixed a bug in the access lists. If you specified a host by
410 name in only_from, any connection from a host without
411 a reverse dns entry would be accepted.
413 Now allows you to specify multiple instances of the same service
414 as long as all but one is disabled.
415 Fixed a documentation issue in the xinetd.conf man page.
416 The user attribute can be specified for an unlisted
417 service, just not an internal service.
418 When including files with "includedir", it parses the files
419 in alphabetical order, as determined by strcmp().
420 Under Solaris, I've removed the no_control_tty() call in
421 child.c. This was causing some confusion. xinetd
422 its self still calls no_control_tty().
423 Fixed a compile error with --with-inet6
424 Changed the exiting behavior: xinetd now kills only the
425 RPC services and internal services (like redir) when
426 it exits (or does a hard reconfigure). This keeps things
427 like telnet sessions open across restarts of xinetd
428 (assuming you are using REUSE).
430 Fixed a potential bug in parsing of filenames from includedir.
431 Possibly fixed tcp wait=yes handling.
432 Fixed man pages so they say they're installed in the sections
433 they are really installed into.
434 Added .cvsignore to empty directories
436 Hopefully fixed a few compile errors on architectures such
438 When compiled with libwrap support, xinetd passes the server
439 name to be checked in hosts.{allow,deny} instead of
440 the service name. Behavior should now match tcpd.
441 Incorporated Trond's pidfile patch. You can now specify -pidfile
442 on the command line, and xinetd will make a
443 /var/run/xinetd.pid file. Note that this _replaces_ the
446 Removed '\n's from syslog messages. Also moved some of the
447 syslog()'s to pasemsg()'s.
448 Added a patch from mob@de.uu.net to make the bind attribute
449 specifiable in the default section.
450 Added the KEEPALIVE flag, which sets the SO_KEEPALIVE socketopt
452 Added a patch from Trond at RedHat that will hopefully fix some
453 of the remaining tcp wait=yes problems.
454 More paranoid handling of access control in addr.c
455 Always allow access to the internal pseudo services.
456 For internal services and libwrap, access control is performed
457 by the service name (instead of the server, since there
459 The last two entries together fix problems with segfaults when
460 doing access control.
461 If a hostname is specified in only_from, xinetd will try to
462 match the connecting address to any of the IP addresses
463 associated with the hostname in only_from.
464 For redirection services with libwrap support, the service name
465 is used for access control rather than the server name, since
466 the server name makes no sense.
468 Remove the pidfile when exiting.
469 Added a -stayalive option to keep xinetd running even when there are
470 no services available.
472 Added paranoid access control for the udp internal servers.
473 Do not reply to udp packets on dangerous ports
474 (avoid looping echo services).
475 For libwrap, if the server isn't specified use the service
476 _id_ instead of the service name (this usually is the
477 service name). This makes more sense for things like
478 the internal servers (echo-stream instead of using echo,
479 which will get echo-stream and echo-dgram)
480 Included an rlimit patch from Nick Burrett, which should help
481 keep some nasty users at bay. He's even updated the
482 man page. This patch brings a tear to my eye.
485 Moved the libwrap and address checking to the child process.
486 The purpose of this is to move the expensive checking
487 into the child process (such as name resolution, exec()'ing,
488 etc), but leave some of the lighter weigh checking in the
489 parent in an attempt to prevent DoS'.
490 Incorporated Charles Levert's NOLIBWRAP patch. This adds a flag,
491 NOLIBWRAP, which will turn off libwrap access control for
492 a single service. This is a good thing when you're wanting
493 to use tcpd with a service. It's also useful when wanting
494 libwrap for some lesser used services, but the high volume
495 ones need higher performance.
496 Included Motonobu Ichimura's patches for v6. The first one sets
497 v6 services with incoming v4mapped or compatible addresses
498 to AF_INET instead of AF_INET6. This should make incoming
499 v4 connections to v4 servers work correctly.
500 Motonobu Ichimura's second patch adds the service attribute
501 v6config, which allows a v6 service to only accept v6
503 Moved most of the configured defines into a config.h.
504 This involved renaming xinetd/config.h to xinetd/xconfig.h
505 The configure system actually works with --srcdir now.
506 You can build xinetd from a directory other than the source
508 Minor cleanups to remove warnings with -Wall
510 2.1.8.9pre15 5/20/2001
511 Added Steve Grubb's SENSOR patch which provides a SENSOR flag and
512 deny_time attribute. These will help to stop script kiddies
513 doing port scans by turning off all access to all services
514 on all IP addresses until the timeout expires.
515 Cleaned up pset stuff in the lib section.
516 Continued fixing warnings produced by -Wall
517 Added "child" security check for internal services.
518 Fixed some possible memory leaks.
519 Changed snprintf to the internal strx_nprint() function, standardizing
520 on that. Removed the need for the snprintf() implementation
521 for systems lacking snprintf().
522 Another attempt to fix the tcp wait condition.
523 TCP wait services were being accept()'d when they shouldn't
524 This caused services such as linuxconf, which accept()
525 their own connections, to fail.
526 Fixed a problem with displaying bound and redirected addresses in
528 Don't print banner always and banner success twice.
529 Converted to ANSI C style prototypes instead of K&R.
530 Use spaces instead of 3 character tabs.
531 Use POSIX types for network, time, and other length specific purposes.
532 Make the initial log message of compile time options atomic.
533 When grow()'ing the environment variables, initialize things to
534 prevent bad pointers.
535 Mitigated consequences of possible SIGCHLD race with intercepted
537 Removed all remnants of varargs syntax, and have completely moved
538 to the stdarg style syntax.
539 Added BSD/OS loadavg support from Robert Brewer at LavaNet.
540 Fixed a potential buffer overflow when using USERID.
542 Added permissions to the pidfile's open call.
543 Suggested by zen-parse.
544 Changed xinetd's umask to 022 from 0.
545 2.1.8.9pre16 6/13/2001
546 Attempted to fix IPv6 support broken in the pre15 release. -Steve Grubb
547 Moved remote_address_check ahead of the libwrap checks. This is needed
548 so that SENSORS work without modifying the hosts.allow file if
549 tcp_wrappers is compiled in. -Steve Grubb
550 Added missing includes to several library files
551 Fixed bug where DISABLE flag was being set/cleared in xflags rather
552 than types. -Matthias Andree
553 Fixed memory leak in attr_check. -Steve Grubb
554 Continued converting to ANSI C prototypes. -Steve Grubb
555 Fixed reads in service.c to continue through interupts. -Steve Grubb
556 Corrected Includedir directive. -Solar Designer
557 Changed umask to OR 022 with the current umask. -Solar Designer
558 Cleaned up the address list dump to format the different addresses
559 types correctly. -Steve Grubb
560 Cleaned up parsing of address lists. -Steve Grubb
561 Integrated support for building on OS X.
562 Added wait/nowait support to "small services".
563 Fixed IPv6 support for "small services".
564 Added "umask" keyword to specify service's umask in octal.
565 Umask situation is described in the umask section of xinetd.conf.man
566 Inspect all configuration files. Will now emit warnings if any are
567 world writeable, symlinks, or not owned by root.-Steve Grubb
569 Fixed a bounds checking case in strx* functions.
570 Pointed out by Sebastian Krahmer.
572 Reworked all headers in xinetd directory. -Steve Grubb
573 Fixed redirect & shutdown to read & write through signal
574 interrupts. -Steve Grubb
575 Inspect all servers. Prints warnings for things that look funny.
576 Applied _many_ security and reliability fixes,
577 see AUDIT. -Solar Designer
578 Removed the Soft Reconfigure capability. Soft Reconfigure is now
579 the same as Hard Reconfigure (SIGUSR1 = SIGUSR2).
581 Attempt to fix segfaulting seen since 2.3.0.
583 Moved the re-enable service after cps violation to run off of the
584 flags system to avoid re-entrancy issues. -Steve Grubb
585 Only call drain if service is active. Deactivated services close
586 the descriptor. -Steve Grubb
587 Reorganized flags to process terminating children first, -Steve Grubb
589 more K&R -> ANSI prototype -Steve Grubb
590 Stop using C++ keywords (even though this is really C...) -Steve Grubb
591 Fix a heap overrun in grow(). -teg@redhat.com
592 Fix a parse error with multiple explict masks.
593 If protocol is not specified, but socket type is, infer protocol
594 from socket type. -Ahmon Dancy
595 Added a check to the return value of env_addstr() in child.c to
596 make sure we aren't exec()ing with an invalid environment.
597 Wrap the remaining <stdint.h> includes with autoconf macros.
598 Removed all unused functions. -Steve Grubb
599 Don't use SIGALRM for the cps directive. Instead, do a generic
600 timer routine that evolves around the main event loop.
602 Fixed the filelog problem of printing garbage.
603 Fixed the RPC parser to correctly handle RPC version ranges again.
606 Removed the old flags construct and replaced it with the timers
607 added in 2.3.2. This will handle multiple of the same
608 signals occuring before the event loop cycles.
609 Removed all the old timer code that uses SIGALRM, and replace it
610 with the timer code from 2.3.2. The conf timer bit the
611 dust along the way, since the event loop hasn't started
612 by the time the conf parser started. It was never built
613 anyway, so not a big loss.
614 Made xinetd unlink its pidfile properly.
616 Enabled loadavg support for Darwin.
617 Remove the exit when user or group is specified and xinetd is not root.
618 Enables running xinetd as non-root again.
619 Fixed various portability issues:
620 - strerror for SunOS 4
621 - difftime for SunOS 4
622 - inet_aton for Solaris 2.5.1
623 - uint{16,32,64}_t for systems without them
624 - rlim_t for systems without them.
625 Moved compat.c into the portable library, where it belonged.
626 Added finer testing of the {e,f,g}cvt functions in autoconf.
627 Begin transition to combined IPv4/IPv6 support. Add compatibility
628 code from OpenSSH into the portable library.
629 Made socket_type or protocol optional (only need to specify one)
630 Removed syslog()'s, replaced with internal msg().
631 Fixed a parsing bug when specified server is invalid.
632 Change the signal handling. Signal handlers write their signal
633 to a pipe, which wakes up the main select(), and the
634 signal is then dealt with.
635 Removed the looping option. The cps directive duplicated much
636 of the functionality.
637 Fixed a bug re-enabling internal wait services.
638 Continue syncing IPv4 and IPv6 code.
639 Made a flag to specify IPv4 or IPv6 based service.
640 Redirect currently only redirects between IPv4<->IPv4 or
641 IPv6<->IPv6. It should handle IPv4<->IPv6 and
643 Fixed the reconfig case where a bind directive changes.
644 SIGHUP now reconfigures xinetd.
645 SIGUSR1 now dumps the internal state.
646 SIGUSR2 still reconfigures xinetd, but will be deprecated in
648 Fixed a warning of redefined SA macro with some tcp wrapper
650 Make the configuration keyword comparisons case insensitive.
651 This allows things like Service foo { blah } instead
652 of just service foo { blah }.
653 Merged IPv4 and IPv6 support. The only difference between
654 compiling with IPv6 support is that services default to
655 being IPv6. Manually set the service to IPv6 (or IPv4)
656 with the IPv{4,6} service flags.
657 The only_from numeric address specification works for IPv6 addresses,
658 and mixing IPv4 style address specifications will now match
659 for IPv4 mapped addresses on IPv6 services.
660 Fixed an environment variable setting problem.
661 Fixed a misuse of the sio routines in the banner routines. This
662 will probably fix a variety of bugs related to banners.
663 More code cleanups. -Steve Grubb.
664 Pass the expected size of the address structure used to bind()
665 calls rather than the total memory allocated.
666 Fix some compile errors and warnings on BSD/OS.
667 Prevent some possible unnecissary DNS lookups.
668 Makefiles now accept make -j. This is only mildly useful at the
669 moment, since the main chunk of xinetd blocks on all the
670 libraries being built first, and the libraries are small
671 but somewhat serialized.
672 Fixed a problem with the access control on builtin services.
673 (Introduced in the development cycle)
674 Removed libpq. It is no longer needed. -Steve Grubb
675 Removed the %n processing from __sio_converter(). It is not used and
676 would cause a core dump if it was. -Steve Grubb
677 Make the man page match the new signal change. - Steve Grubb
678 Fix some potential problems with only_from access.
679 Start using "const". Go const happy.
680 All services now essentially default to having the REUSE flag.
681 The -reuse option and the REUSE flag are now silently ignored.
682 When dumping service configs, print out the redir config information,
683 also fixes a hostname lookup problem when using systems
684 that have a too strict getnameinfo().
685 Also print the CPS directive information.
686 Print out symbolic system names that don't have strsignal(), but do
688 Fix a potential crasher in xtimer_add().
689 Add %q and %ll modifiers to the sio library for displaying quad_t's or
691 Restructure the argument parsing a little to reduce global memory usage.
692 Fixed bug in service parameter verification. Prior versions did not
693 verify that all require attributes were specified.
694 Disable the service when a parse error is detected for its
695 configuration. (Steve Grubb)
697 Included patch from Trond at RedHat to check signal pipe if there are
699 Update the access_times parser to disable service if there is a parse
700 error. Also corrected ti_add too. -Steve Grubb
701 Updated all parsers to propagate errors so service will be
702 disabled. -Steve Grubb
703 Updated internal services to check the signal pipe
704 periodically. -Steve Grubb
705 Updated sendsig to wait for termed children so zombies aren't created
706 and ports are clear to rebind to on hard_reconfig. -Steve Grubb
707 Included a patch from Hendrik Visage for a problem with ident.
709 Updated only_from to 'and' both the remote address and the specified
710 portion if a network mask type address is used. -Steve Grubb
711 Updated explicit_mask to chose NUMERIC_ADDR if mask is 32. -Steve Grubb
712 Many parser updates. -Steve Grubb
713 Propogate default attributes even if not specified. log_on_success,
714 log_on_failure, passenv were the main items affected by this
715 problem. only_from and no_access now conform to this new
716 propogation technique. -Steve Grubb
717 Xremove now uses domain names in addition to ip addresses. -Steve Grubb
718 Moved sensor code into its own file and changed it to use timer
719 facility. -Steve Grubb
720 Reworked remote_addr check & addrlist_match to not cache IP addresses
721 and corrected several algorithmic problems. -Steve Grubb
722 Off-by-one error corrected in pset_delete. -Steve Grubb
723 Updated attrfill to use IPv4 addresses if bind specified. -Steve Grubb
724 Fixed bug in libwrap code to check server better for NULL -Steve Grubb
725 Added better testing of configuration if NAMEINARGS flag
727 Updated config.guess & config.sub. -Thomas Seyrat
728 Added an rpm spec file. -Steve Grubb
729 Removed sio/suite directory. It appears that key files have been
730 deleted in the past so it no longer works. -Steve Grubb
731 Make the file descriptor buffer allocation dynamic. This substantially
732 reduces xinetd's normal memory footprint (~760KB). -Rob Braun
733 Work around bugs in Mac OS X's getrlimit/setrlimit which causes them
734 to be almost unusable. -Rob Braun
736 Added fixes or workarounds for issues introduced after 2.3.3
737 including the signal pipe leak into child processes (a
738 security hole). -Solar Designer
739 Made xinetd unlink its pidfile when there turns out to be no
740 services configured on reload. -Solar Designer
742 Reworked redirect to better detect problems in its configuration. Also,
743 redirect now allows service names for port numbers. -Steve Grubb
744 Reworked attribute checking in confparse & updated attr.h. -Steve Grubb
745 Ensure that children have the default signal handlers installed.
746 Added support for DNS service registration ala Rendezvous.
747 Fixed some compile errors on Mac OS X, FreeBSD, and OpenBSD.
748 Added preliminary support for tcpmux -Philip Armstrong
749 Update the xinetd man page to document the -version option.
750 Now ignores the --with-inet6 compile option.
751 Services will default to IPv4 unless configured otherwise.
752 Bring back the inetd.conf parser in a different form. Parse all
753 the xinetd config files first, then parse /etc/inetd.conf,
754 and add services from there (if it exists).
755 Use the -inetd_compat option to read inetd.conf.
756 IPv6 updates for bind_parser, only_from, and no_access. -Steve Grubb
758 Fixed bug uncovered by IPv6 updates for bind parser. In the id_parser,
759 a test was being performed for uniqueness. It relied on the
760 address already being given. However, the address may not be
761 known if more than one record came back from the getaddrinfo
762 function call. -Steve Grubb
763 Added code to service_fill to resolve port if unspecified. -Steve Grubb
764 Consolidated duplicate services tests into check_entry. -Steve Grubb
765 Fixed a bug with access control & internal services.
766 Make sure we byteswap the value returned by time services.
767 Fix an omission with the tcpmux integration.
768 Fixed a race when there's 1 service configured and it is a wait service.
770 Close the service descriptors on fork. This only matters for internal
771 forking services, since anything that calls exec() will get
772 those closed automagically. This will help reduce the file
773 discriptors used by the daemon when using some internal services
774 Fix a numbering bug with xinetd's internal flag representation that
775 was manifesting its self as all services being disabled upon
776 recieving a SIGUSR2 (hard reconfig)
777 Don't pass a hostname to dns registration calls, it'll pick a hostname
779 Remove CLEANUP and other dead code.
780 Make sure tcp internal non-forking services close their filedescriptors.
781 Added syslog facilities for the xinetd log configuration to match SUS.
783 Start reporting the Per Source value when dumping debugging output
785 Correct the fake-getnameinfo.h to include appropriate macros.
787 Up the default CPS value to 50 from 10.
788 Document the default CPS values in the xinetd.conf man page.
789 Fix a closing of the connection when there's an error handling the
790 service. - Steve Grubb
791 Fixed a bug in the includedir path where a reference was kept to
793 Fixed a bug in the consistency check mechanism where it would
794 report the signal pipe as a problem.
795 Clear memory before freeing it. This isn't strictly necessary,
796 but aids in debugging.
797 Add the pid to debugging messages.
798 Remove access control calls for special services. The access control
799 functions must always allow these services anyway.
800 Fixed a bug with reconfiguring services using the interface attribute.
802 Fixed a bug with deallocating dns registrations.
803 Fixed a bug where tcp_wrappers would not identify an internal service
804 since the internal service has no executable. -Steve Grubb
805 Sclose was being used on the config file descriptor. Since sio
806 never touches the descriptor, it failed to close it.
808 Fix a potential memory leak with bind_addr and service reconfig.
810 Fix a reconfig timing issue.
813 Fix some compile time errors on Solaris
814 Fixed a bounds check in Sdone(). Patch from Dmitry V. Levin
815 Added FreeBSD loadavg support. Patch from Vanilla I. Shu
816 TCPMUX parser updates. -Steve Grubb
817 TCPMUX was causing core dumps due to changes made in 2.3.10's
818 child_process(), reverted changes. -Philip Armstrong
819 Remove RECORD logging option. -Steve Grubb
820 Change Sclose to make sure it always closes the fd. -Steve Grubb
821 Added better error handling to filelog.c. -Steve Grubb
822 Error messages now go to syslog instead of stderr in
823 strparse.c. -Steve Grubb
824 Fixed memory leaks found with valgrind. -Steve Grubb
825 Correct problems with bind specified in the default
826 section. -Steve Grubb
827 Use Sclose to close banner commands. -Jay Fenlason
828 Correct banner to match man pages. -Jay Fenlason
830 Cleanup some signal handling if not defined. -MARUYAMA Shinichi
831 Make ident protocol work properly for multi-homed hosts. -Alan Sundell
832 Code cleanup for const warnings. -Steve Grubb
833 Make redirect protocol independent. -Cougar
834 Make reconfig iterate over all services. Some may be in "not started"
835 state and were being missed. -Steve Grubb
836 Make redirected, forking builtins, & tcpmux close all listening
837 descriptors so reconfig works. -Jay Fenlason
838 Add support for the IPV6_V6ONLY socket option. Don't assume
839 a default setting, as the default seems to be in flux.
840 Address compare in readjust was wrong. Its now corrected to handle
841 each address family separately. -Steve Grubb
842 Add command line option to not fork. This will allow xinetd to be
843 started by init or daemontools. -Matthias Andree
844 Fixed a leak in reconfig. If log_type = file is used for a service and
845 SIGHUP is sent to xinetd, it leaked a file descriptor and
846 44 bytes of memory per service using FILE. -Steve Grubb
847 Change all close() calls to Sclose() to prevent future
848 problems. -Steve Grubb
849 Fixed bug if service name is unparsable and in an included directory
850 that caused xinetd to core dump. -Steve Grubb
851 Fixed bug where address lists had "version" uninitialized when the
852 list used hostnames with no dots in the name. -Steve Grubb
853 Numerous memory leaks when parsing errors occurred. -Steve Grubb
854 Remove the servers and xadmin internal services.
855 Update addrlist_match to use the address part of the IPv6 address
856 structure. -Christof Meerwald
857 Correct looping problems for udp connections rejected by the child
858 access controls. -Steve Grubb
859 Added TRAFFIC logging option to report total bytes in and out for a
860 redirected service. -Christof Meerwald
861 Correct a double-free condition if a retry was scheduled. -Steve Grubb
862 Add filename to parse messages. -Steve Grubb
863 Improve port error messages after parsing. -Steve Grubb
864 Sclose dump_fd if SIO error causes dump abort. -Steve Grubb
865 Smorefds wasn't allocating the proper amount of sio descriptor space
866 if the fd was > 5 over its last known fd. -Steve Grubb
868 Add NULL entry to success_log_options to properly end the
870 Portability updates to libportable.h. -Matthias Andree
871 Occasionally Smorefds didn't allocate more fds as
872 expected. -Jay Fenlason
873 Address list parsing considered the comma in factorized addresses to be
874 an error. Updated test to allow factorized address. -Steve Grubb
875 When parsing inet.conf, the filename wasn't being set for subsequent
876 messages. -Steve Grubb
877 Fix addrlist_match to correctly handle IPv4 mapped IPv6 addresses.
879 Fixed a bug where reloading configuration would core dump if file
880 logging was enabled in defaults and a connection existed when
881 SIGHUP was received. -Steve Grubb
882 If too many connections hit and exhausts the file descriptors
883 such that accept fails, deactivate the service like the
884 cps access control does. This problem was reported
885 by David Cook. -Steve Grubb
886 Updated rpm.spec file and added default config files to contrib
887 directory. -Steve Grubb
888 Allow group & user to be specified by numeric value. -Steve Grubb
891 Applied patch from Art Haas for gcc 3.5 compat.
892 Flush the descriptor after writing a banner. -Jay Fenlason
893 Don't assume char is signed in the udp drain() function -Don Provan
894 If log remote user is on, a descriptor between 0-2 is likely to
895 be opened. Call msg_suspend before dup'ing socket to
896 avoid this bug. -Glen Johnson
897 Added confparse() RPC patch from RedHat's RHEL4 srpm.
898 Fixed some service release bugs with accesses to dangling pointers.
899 Updated BACKLOG to 64 from 7
900 Updated xconv.pl to understand ":" in inetd.conf files from
902 Added howl support for mdns advertising.
903 Added a libwrap service attribute to specify the service name
904 to check access via libwrap.
905 Make some type cleanups to fix some warnings.
906 Parse things as unsigned instead of signed where it makes sense.
907 Based on a patch from Tony Ernst.
908 Remove the <1024 port check for UDP builtin services.
909 This check has been rather antiquated for years.
projects / packages / xinetd.git / blob