authorCarsten Schlote <c.schlote@konzeptpark.de>2010-02-18 11:22:56 +0100
committerMarc Kleine-Budde <mkl@pengutronix.de>2010-02-21 14:22:42 +0100
commit102b53bdf6da29356b8a761ed0a3c4e489b42b8c (patch)
treea021ac8447af76359ce86678c948687f7c3dac46
parent4b8afe029cfa0b2befcaf649100ccc2f8135db79 (diff)
downloadptxdist-102b53bdf6da29356b8a761ed0a3c4e489b42b8c.tar.gz
ptxdist-102b53bdf6da29356b8a761ed0a3c4e489b42b8c.tar.xz
[tcpwrapper] add configurations for tcpd
- Added alternative configurations for tcpd and default generic files for ptxdist Signed-off-by: Carsten Schlote <c.schlote@konzeptpark.de> [mkl: removed "default y" from tcpd] Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-rw-r--r--generic/etc/hosts.allow12
-rw-r--r--generic/etc/hosts.deny19
-rw-r--r--rules/tcpwrapper.in15
-rw-r--r--rules/tcpwrapper.make7
4 files changed, 50 insertions, 3 deletions
diff --git a/generic/etc/hosts.allow b/generic/etc/hosts.allow
new file mode 100644
index 000000000..c5d281f60
--- /dev/null
+++ b/generic/etc/hosts.allow
@@ -0,0 +1,12 @@
+# /etc/hosts.allow: list of hosts that are allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: LOCAL @some_netgroup
+# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+#
+# If you're going to protect the portmapper use the name "portmap" for the
+# daemon name. Remember that you can only use the keyword "ALL" and IP
+# addresses (NOT host or domain names) for the portmapper, as well as for
+# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
+# for further information.
+#
diff --git a/generic/etc/hosts.deny b/generic/etc/hosts.deny
new file mode 100644
index 000000000..7d19ad10b
--- /dev/null
+++ b/generic/etc/hosts.deny
@@ -0,0 +1,19 @@
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: some.host.name, .some.domain
+# ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "portmap" for the
+# daemon name. Remember that you can only use the keyword "ALL" and IP
+# addresses (NOT host or domain names) for the portmapper, as well as for
+# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
+# for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+
+# You may wish to enable this to ensure any programs that don't
+# validate looked up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
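Review bot: Neither this file nor the new generic/etc/hosts.allow contains an active rule, so an image that installs the generic defaults applies no restriction at all. Per hosts_access(5), a client that matches no entry in either file is granted access. The header comments describe the files as access lists but never state that the shipped state is allow-everything, which is easy to mistake for a protected default. I would add a line such as `# NOTE: as shipped, no rule is active and every connection is allowed.`, followed by a commented default-deny example `# ALL: ALL`. Integrators can then see what to enable once hosts.allow lists the permitted clients.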
diff --git a/rules/tcpwrapper.in b/rules/tcpwrapper.in
index 82e3c8c06..e548ee543 100644
--- a/rules/tcpwrapper.in
+++ b/rules/tcpwrapper.in
@@ -1,5 +1,6 @@
## SECTION=networking
-menuconfig TCPWRAPPER
+
+menuconfig TCPWRAPPER
tristate
prompt "tcpwrapper "
help
@@ -14,12 +15,22 @@ menuconfig TCPWRAPPER
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.
+if TCPWRAPPER
+
config TCPWRAPPER_INSTALL_TCPD
bool
prompt "Install /usr/sbin/tcpd"
- depends on TCPWRAPPER
help
The tcpd program can be set up to monitor incoming requests for telnet,
finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services
that have a one-to-one mapping onto executable files.
+config TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS
+ bool
+ select TCPWRAPPER_INSTALL_TCPD
+ prompt "Install /etc/hosts.{allow|deny}"
+ help
+ Install the hosts.allow and hosts.deny configs from either
+ projectroot or from ptxdist/generics.
+
+endif
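Review bot: The `select TCPWRAPPER_INSTALL_TCPD` on TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS forces /usr/sbin/tcpd onto every image that wants the two config files. The same hosts.allow and hosts.deny are normally also read by daemons linked against libwrap, which do not need the tcpd binary; whether this package ships libwrap to the target is not visible in this hunk. If it does, dropping the `select` would keep such images free of an unused root-owned binary. The help text could also state that the generic files contain no active rules, for example `The generic files contain only comments; provide your own in projectroot to restrict access.`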
diff --git a/rules/tcpwrapper.make b/rules/tcpwrapper.make
index 417953360..3e9d9427d 100644
--- a/rules/tcpwrapper.make
+++ b/rules/tcpwrapper.make
@@ -23,7 +23,6 @@ TCPWRAPPER_URL := ftp://ftp.porcupine.org/pub/security/$(TCPWRAPPER).tar.gz
TCPWRAPPER_SOURCE := $(SRCDIR)/$(TCPWRAPPER).tar.gz
TCPWRAPPER_DIR := $(BUILDDIR)/$(TCPWRAPPER)
-
# ----------------------------------------------------------------------------
# Get
# ----------------------------------------------------------------------------
@@ -71,6 +70,12 @@ $(STATEDIR)/tcpwrapper.targetinstall:
ifdef PTXCONF_TCPWRAPPER_INSTALL_TCPD
@$(call install_copy, tcpwrapper, 0, 0, 0755, $(TCPWRAPPER_DIR)/tcpd, /usr/sbin/tcpd)
endif
+
+ifdef PTXCONF_TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS
+ @$(call install_alternative, tcpwrapper, 0, 0, 0644, /etc/hosts.allow)
+ @$(call install_alternative, tcpwrapper, 0, 0, 0644, /etc/hosts.deny)
+endif
+
@$(call install_finish, tcpwrapper)
@$(call touch)
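Review bot: The new `ifdef PTXCONF_TCPWRAPPER_INSTALL_HOSTS_ACCESS_CONFIGS` block does not say where the two files come from, and that is what decides whether the target ends up with any access rules. Going by the Kconfig help text in this commit, `install_alternative` takes them from projectroot or, failing that, from the generic defaults, which contain only comments. A comment above the block would make this visible, for example `# hosts.allow/hosts.deny come from projectroot if present, else from the rule-less generic defaults`. The root ownership and 0644 mode are appropriate for these files. The targetinstall rule starts outside this hunk.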