summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am4
-rw-r--r--README1
-rw-r--r--TODO2
-rw-r--r--configure.ac27
-rw-r--r--m4/acx_libwrap.m419
-rw-r--r--man/systemd.exec.xml25
-rw-r--r--src/core/build.h8
-rw-r--r--src/core/dbus-execute.c1
-rw-r--r--src/core/execute.c26
-rw-r--r--src/core/execute.h2
-rw-r--r--src/core/load-fragment-gperf.gperf.m43
-rw-r--r--src/core/load-fragment.c4
-rw-r--r--src/core/tcpwrap.c68
-rw-r--r--src/core/tcpwrap.h26
-rw-r--r--src/shared/exit-status.c3
-rw-r--r--src/shared/exit-status.h2
16 files changed, 5 insertions, 216 deletions
diff --git a/Makefile.am b/Makefile.am
index 54cd1c6bdf..2cb0f2aea2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1019,8 +1019,6 @@ libsystemd_core_la_SOURCES = \
src/core/condition.h \
src/core/namespace.c \
src/core/namespace.h \
- src/core/tcpwrap.c \
- src/core/tcpwrap.h \
src/core/build.h \
src/core/sysfs-show.h \
src/core/switch-root.h \
@@ -1046,7 +1044,6 @@ nodist_libsystemd_core_la_SOURCES = \
libsystemd_core_la_CFLAGS = \
$(AM_CFLAGS) \
- $(LIBWRAP_CFLAGS) \
$(PAM_CFLAGS) \
$(AUDIT_CFLAGS) \
$(CAP_CFLAGS) \
@@ -1062,7 +1059,6 @@ libsystemd_core_la_LIBADD = \
libudev-internal.la \
libsystemd-shared.la \
libsystemd-internal.la \
- $(LIBWRAP_LIBS) \
$(PAM_LIBS) \
$(AUDIT_LIBS) \
$(CAP_LIBS) \
diff --git a/README b/README
index 7fd5c0e5bf..fc13e10d6f 100644
--- a/README
+++ b/README
@@ -111,7 +111,6 @@ REQUIREMENTS:
libattr (optional)
libselinux (optional)
liblzma (optional)
- tcpwrappers (optional)
libgcrypt (optional)
libqrencode (optional)
libmicrohttpd (optional)
diff --git a/TODO b/TODO
index febfc3aeb2..e081fcf1e6 100644
--- a/TODO
+++ b/TODO
@@ -550,7 +550,7 @@ Features:
* for services: don't set $HOME in services unless requested
-* hide PAM/TCPWrap options in fragment parser when compile time disabled
+* hide PAM options in fragment parser when compile time disabled
* when we automatically restart a service, ensure we restart its rdeps, too.
diff --git a/configure.ac b/configure.ac
index 3ced6cf3d5..e95b682f57 100644
--- a/configure.ac
+++ b/configure.ac
@@ -431,32 +431,6 @@ fi
AM_CONDITIONAL(HAVE_XZ, [test "$have_xz" = "yes"])
# ------------------------------------------------------------------------------
-AC_ARG_ENABLE([tcpwrap],
- AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
- [case "${enableval}" in
- yes) have_tcpwrap=yes ;;
- no) have_tcpwrap=no ;;
- *) AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap) ;;
- esac],
- [have_tcpwrap=auto])
-
-if test "x${have_tcpwrap}" != xno ; then
- ACX_LIBWRAP
- if test "x${LIBWRAP_LIBS}" = x ; then
- if test "x$have_tcpwrap" = xyes ; then
- AC_MSG_ERROR([*** TCP wrappers support not found.])
- fi
- have_tcpwrap=no
- else
- M4_DEFINES="$M4_DEFINES -DHAVE_LIBWRAP"
- have_tcpwrap=yes
- fi
-else
- LIBWRAP_LIBS=
-fi
-AC_SUBST(LIBWRAP_LIBS)
-
-# ------------------------------------------------------------------------------
AC_ARG_ENABLE([pam],
AS_HELP_STRING([--disable-pam],[Disable optional PAM support]),
[case "${enableval}" in
@@ -1130,7 +1104,6 @@ AC_MSG_RESULT([
$PACKAGE_NAME $VERSION
libcryptsetup: ${have_libcryptsetup}
- tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
IMA: ${have_ima}
diff --git a/m4/acx_libwrap.m4 b/m4/acx_libwrap.m4
deleted file mode 100644
index ccf8afc0aa..0000000000
--- a/m4/acx_libwrap.m4
+++ /dev/null
@@ -1,19 +0,0 @@
-AC_DEFUN([ACX_LIBWRAP], [
-LIBWRAP_LIBS=
-saved_LIBS="$LIBS"
-LIBS="$LIBS -lwrap"
-AC_MSG_CHECKING([for tcpwrap library and headers])
-AC_LINK_IFELSE(
-[AC_LANG_PROGRAM(
-[#include <tcpd.h>
-#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;],
-[struct request_info *req;
-return hosts_access (req);])],
-[AC_DEFINE(HAVE_LIBWRAP, [], [Have tcpwrap?])
-LIBWRAP_LIBS="-lwrap"
-AC_MSG_RESULT(yes)],
-[AC_MSG_RESULT(no)])
-LIBS="$saved_LIBS"
-])
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f47826ce4a..11ad7f6605 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -687,31 +687,6 @@
</varlistentry>
<varlistentry>
- <term><varname>TCPWrapName=</varname></term>
- <listitem><para>If this is a
- socket-activated service, this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails, daemon start-up
- will fail and the connection is
- terminated. See
- <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- are not supported.</para></listitem>
- </varlistentry>
-
- <varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
<listitem><para>Controls which
diff --git a/src/core/build.h b/src/core/build.h
index 3d7cd3ea39..f6faf06ae8 100644
--- a/src/core/build.h
+++ b/src/core/build.h
@@ -27,12 +27,6 @@
#define _PAM_FEATURE_ "-PAM"
#endif
-#ifdef HAVE_LIBWRAP
-#define _LIBWRAP_FEATURE_ "+LIBWRAP"
-#else
-#define _LIBWRAP_FEATURE_ "-LIBWRAP"
-#endif
-
#ifdef HAVE_AUDIT
#define _AUDIT_FEATURE_ "+AUDIT"
#else
@@ -93,4 +87,4 @@
#define _SECCOMP_FEATURE_ "-SECCOMP"
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index bf4a682d3a..13b3d0dd14 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -618,7 +618,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("TCPWrapName", "s", NULL, offsetof(ExecContext, tcpwrap_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadOnlyDirectories", "as", NULL, offsetof(ExecContext, read_only_dirs), SD_BUS_VTABLE_PROPERTY_CONST),
diff --git a/src/core/execute.c b/src/core/execute.c
index 353f2d1297..4a3aeda3cd 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -69,7 +69,6 @@
#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
-#include "tcpwrap.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
@@ -1362,23 +1361,6 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
- if (context->tcpwrap_name) {
- if (socket_fd >= 0)
- if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
-
- for (i = 0; i < (int) n_fds; i++) {
- if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
- }
- }
-
exec_context_tty_reset(context);
if (confirm_spawn) {
@@ -1878,9 +1860,6 @@ void exec_context_done(ExecContext *c) {
free(c->tty_path);
c->tty_path = NULL;
- free(c->tcpwrap_name);
- c->tcpwrap_name = NULL;
-
free(c->syslog_identifier);
c->syslog_identifier = NULL;
@@ -2148,11 +2127,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
- if (c->tcpwrap_name)
- fprintf(f,
- "%sTCPWrapName: %s\n",
- prefix, c->tcpwrap_name);
-
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
diff --git a/src/core/execute.h b/src/core/execute.h
index 9fcea121fa..c9e29ffc8a 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -113,8 +113,6 @@ struct ExecContext {
nsec_t timer_slack_nsec;
- char *tcpwrap_name;
-
char *tty_path;
bool tty_reset;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 3a77234e97..dbb5d13b76 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -84,9 +84,6 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
$1.Personality, config_parse_personality, 0, offsetof($1, exec_context.personality)
$1.RuntimeDirectoryMode, config_parse_mode, 0, offsetof($1, exec_context.runtime_directory_mode)
$1.RuntimeDirectory, config_parse_runtime_directory, 0, offsetof($1, exec_context.runtime_directory)
-m4_ifdef(`HAVE_LIBWRAP',
-`$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)',
-`$1.TCPWrapName, config_parse_warn_compat, 0, 0')
m4_ifdef(`HAVE_PAM',
`$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)',
`$1.PAMName, config_parse_warn_compat, 0, 0')
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index e7779d1625..c604f9096d 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -64,7 +64,7 @@
#include "seccomp-util.h"
#endif
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
int config_parse_warn_compat(
const char *unit,
const char *filename,
@@ -3328,7 +3328,7 @@ void unit_dump_config_items(FILE *f) {
const ConfigParserCallback callback;
const char *rvalue;
} table[] = {
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
{ config_parse_warn_compat, "NOTSUPPORTED" },
#endif
{ config_parse_int, "INTEGER" },
diff --git a/src/core/tcpwrap.c b/src/core/tcpwrap.c
deleted file mode 100644
index 6c630fac60..0000000000
--- a/src/core/tcpwrap.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-/***
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-
-#ifdef HAVE_LIBWRAP
-#include <tcpd.h>
-#endif
-
-#include "tcpwrap.h"
-#include "log.h"
-
-bool socket_tcpwrap(int fd, const char *name) {
-#ifdef HAVE_LIBWRAP
- struct request_info req;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
- struct sockaddr_in6 in6;
- struct sockaddr_un un;
- struct sockaddr_storage storage;
- } sa_union;
- socklen_t l = sizeof(sa_union);
-
- if (getsockname(fd, &sa_union.sa, &l) < 0)
- return true;
-
- if (sa_union.sa.sa_family != AF_INET &&
- sa_union.sa.sa_family != AF_INET6)
- return true;
-
- request_init(&req,
- RQ_DAEMON, name,
- RQ_FILE, fd,
- NULL);
-
- fromhost(&req);
-
- if (!hosts_access(&req)) {
- log_warning("Connection refused by tcpwrap.");
- return false;
- }
-
- log_debug("Connection accepted by tcpwrap.");
-#endif
- return true;
-}
diff --git a/src/core/tcpwrap.h b/src/core/tcpwrap.h
deleted file mode 100644
index 3353b6596e..0000000000
--- a/src/core/tcpwrap.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-#pragma once
-
-/***
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
-
-#include <stdbool.h>
-
-bool socket_tcpwrap(int fd, const char *name);
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
index d860b55511..208d329c1e 100644
--- a/src/shared/exit-status.c
+++ b/src/shared/exit-status.c
@@ -113,9 +113,6 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_STDERR:
return "STDERR";
- case EXIT_TCPWRAP:
- return "TCPWRAP";
-
case EXIT_PAM:
return "PAM";
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
index 385d6def06..d6bf84c698 100644
--- a/src/shared/exit-status.h
+++ b/src/shared/exit-status.h
@@ -64,7 +64,7 @@ typedef enum ExitStatus {
EXIT_SETSID, /* 220 */
EXIT_CONFIRM,
EXIT_STDERR,
- EXIT_TCPWRAP,
+ _EXIT_RESERVED, /* used to be tcpwrap, don't reuse! */
EXIT_PAM,
EXIT_NETWORK,
EXIT_NAMESPACE,