Commit 128a2c17 authored by Leigh Stoller's avatar Leigh Stoller

Add libwrap to bootinfo, and a bootinfo section to hosts.allow.

This will prevent bootinfo contact from off-network, as on geni racks.
parent 61cbc138
#
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
# Copyright (c) 2000-2016 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -55,9 +55,9 @@ CFLAGS += -Wall \
-DCONFPATH='"$(INSTALL_ETCDIR)/"' -DTBDBNAME='"$(TBDBNAME)"' \
-DFALLBACK_HOST='"$(BOSSNODE)"' -DBOSSNODE='"$(BOSSNODE)"' \
-DDEFAULT_PATH='"/tftpboot/pxeboot.newnode"' \
-DLOG_TESTBED=$(LOG_TESTBED)
-DLOG_TESTBED=$(LOG_TESTBED) -DLIBWRAP
LFLAGS = ${TESTBED_LIBOBJDIR}/libtb/libtb.a
LFLAGS = -lwrap ${TESTBED_LIBOBJDIR}/libtb/libtb.a
ifeq ($(EVENTSYS),1)
BI_DBSRC += event-support.c
......
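Review bot: `-DLIBWRAP` and `-lwrap` are added unconditionally to `CFLAGS` and `LFLAGS`, and no configure-time probe for libwrap is visible in this hunk, so a build host without the library would presumably fail at link time rather than at configure. Because the new access check in bootinfo sits inside `#ifdef LIBWRAP`, dropping the define later would remove the check with no build or runtime signal. A short comment next to the flag would record that, e.g. `# LIBWRAP enables the hosts.allow check in bootinfo; do not drop it without a replacement`.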
......@@ -40,6 +40,13 @@
#include "bootwhat.h"
#include "bootinfo.h"
#ifdef LIBWRAP
#include <syslog.h>
#include <tcpd.h>
int allow_severity = LOG_TESTBED|LOG_INFO;
int deny_severity = LOG_TESTBED|LOG_WARNING;
#endif
/*
* Minimum number of seconds that must pass before we send another
* event for a node. This is to decrease the number of spurious events
......@@ -165,13 +172,25 @@ main(int argc, char **argv)
signal(SIGHUP, onhup);
while (1) {
int esent = 0;
#ifdef LIBWRAP
struct request_info req;
#endif
if ((mlen = recvfrom(sock, &boot_info, sizeof(boot_info),
0, (struct sockaddr *)&client, &length))
< 0) {
errorc("receiving datagram packet");
exit(1);
}
#ifdef LIBWRAP
request_init(&req, RQ_DAEMON, "bootinfo",
RQ_CLIENT_SIN, (struct sockaddr *)&client, 0);
sock_methods(&req);
if (!hosts_access(&req)) {
info("%s: request denied by tcp wrappers\n",
inet_ntoa(client.sin_addr));
continue;
}
#endif
err = bootinfo(client.sin_addr, (char *) NULL,
&boot_info, (void *) NULL, noevents, &esent);
if (err < 0)
......
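Review bot: The `hosts_access()` check added after `recvfrom()` decides purely on the source address stored in `client`, and for a UDP datagram that address is whatever the sender wrote. The rule set therefore keeps off-network hosts out only if forged control-net sources are already dropped at the network edge. That assumption deserves a comment above the `#ifdef LIBWRAP` block, e.g. `/* libwrap sees only the claimed UDP source address; relies on ingress filtering to reject spoofed control-net sources */`. Separately, the `info()` call in the deny branch logs once per rejected packet with no throttle, so a stream of denied datagrams goes straight to the log; a per-interval limit would bound that. main() begins and ends outside this hunk.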
......@@ -7,4 +7,9 @@ rpcbind : @CONTROL_NETWORK@/@CONTROL_NETMASK@ : allow
rpcbind : 172.16.0.0/255.240.0.0 : allow
rpcbind : ALL : deny
bootinfo : 127.0.0.1 : allow
bootinfo : @CONTROL_NETWORK@/@CONTROL_NETMASK@ : allow
bootinfo : 172.16.0.0/255.240.0.0 : allow
bootinfo : ALL : deny
ALL : ALL : allow
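Review bot: The `bootinfo : 172.16.0.0/255.240.0.0 : allow` rule admits the whole 172.16/12 private range with no explanation, unlike the templated `@CONTROL_NETWORK@/@CONTROL_NETMASK@` line above it. It mirrors the existing rpcbind rule, presumably for a secondary control network, but a site that does not use that range still opens bootinfo to it. A comment such as `# 172.16/12: <purpose of this range at this site>` would make the rule auditable. The file also still ends with `ALL : ALL : allow`, so the restriction holds only while the daemon name passed to libwrap is exactly `bootinfo`.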