Index: trunk/docs/Changelog =================================================================== --- trunk/docs/Changelog (revision 327) +++ trunk/docs/Changelog (revision 328) @@ -4,4 +4,6 @@ * Add support for X-Forwarded-For in apache logfile parser, add option 'RE{regex}' to insert arbitrary regex + * New options PortcheckMinPort, PortcheckMaxPort for the open ports + check 2.8.3a: @@ -14,5 +16,5 @@ * sh_entropy.c: move pthread usage out of child * sh_hash.c, sh_pthread.c, sh_pthread.h: sh_hash_hashdelete() - needs deadlock detection, may be called from within sh_hash_init() + needs deadlock detection, may be called from within sh_hash_init() via atexit handler on error condition * sh_suidchk.c, sh_calls.c, sh_calls.h: need a nosub version of lstat() @@ -24,5 +26,5 @@ * fix spurious warnings about unsupported address family (reported by N Silverman) - * option to run lstat/stat in subprocess to avoid hanging on NFS mounts + * option to run lstat/stat in subprocess to avoid hanging on NFS mounts (off by default) * fix Windows/Cygwin compile error (reported by A. Schmidt) Index: trunk/src/sh_portcheck.c =================================================================== --- trunk/src/sh_portcheck.c (revision 327) +++ trunk/src/sh_portcheck.c (revision 328) @@ -129,4 +129,7 @@ static int sh_portchk_interval = SH_PORTCHK_INTERVAL; +static int sh_portchk_minport = -1; +static int sh_portchk_maxport = -1; + struct sh_port { int port; @@ -195,4 +198,34 @@ } +static int sh_portchk_set_port_minmax (const char * c, int * setthis) +{ + int retval = 0; + long val; + + SL_ENTER(_("sh_portchk_set_port_minmax")); + val = strtol (c, (char **)NULL, 10); + if (val < 0 || val > 65535) + { + SH_MUTEX_LOCK(mutex_thread_nolog); + sh_error_handle ((-1), FIL__, __LINE__, EINVAL, MSG_EINVALS, + _("port check port minmax"), c); + SH_MUTEX_UNLOCK(mutex_thread_nolog); + retval = -1; + } + + *setthis = (int) val; + SL_RETURN(0, _("sh_portchk_set_port_minmax")); +} + + +static int sh_portchk_set_minport (const char * str) +{ + return sh_portchk_set_port_minmax (str, &sh_portchk_minport); +} + +static int sh_portchk_set_maxport (const char * str) +{ + return sh_portchk_set_port_minmax (str, &sh_portchk_maxport); +} static int sh_portchk_set_active (const char * str) @@ -246,4 +279,12 @@ N_("portcheckinterval"), sh_portchk_set_interval, + }, + { + N_("portcheckminport"), + sh_portchk_set_minport, + }, + { + N_("portcheckmaxport"), + sh_portchk_set_maxport, }, { @@ -1166,4 +1207,7 @@ sh_portchk_interval = SH_PORTCHK_INTERVAL; + sh_portchk_minport = -1; + sh_portchk_maxport = -1; + portlist_udp = sh_portchk_kill_list (portlist_udp); portlist_tcp = sh_portchk_kill_list (portlist_tcp); @@ -1724,5 +1768,5 @@ SH_MUTEX_LOCK(mutex_port_check); - min_port = 0; + min_port = (sh_portchk_minport == -1) ? 0 : sh_portchk_minport; if (sh_portchk_active != S_FALSE) @@ -1733,5 +1777,5 @@ sh_portchk_reset_lists(); - if (0 != geteuid()) + if ((0 != geteuid()) && (min_port < 1024)) { min_port = 1024; @@ -1749,7 +1793,9 @@ sh_port2proc_prepare(); + min_port = (sh_portchk_minport == -1) ? min_port : sh_portchk_minport; + if (sh_portchk_check_udp == 1) - sh_portchk_scan_ports_udp(min_port, -1); - sh_portchk_scan_ports_tcp(min_port, -1); + sh_portchk_scan_ports_udp(min_port, sh_portchk_maxport); + sh_portchk_scan_ports_tcp(min_port, sh_portchk_maxport);