1 /*
2  * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2005, 2008, 2009, 2010,
3  *               2011, 2012, 2013, 2019
4  *      Inferno Nettverk A/S, Norway.  All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. The above copyright notice, this list of conditions and the following
10  *    disclaimer must appear in all copies of the software, derivative works
11  *    or modified versions, and any portions thereof, aswell as in all
12  *    supporting documentation.
13  * 2. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *      This product includes software developed by
16  *      Inferno Nettverk A/S, Norway.
17  * 3. The name of the author may not be used to endorse or promote products
18  *    derived from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30  *
31  * Inferno Nettverk A/S requests users of this software to return to
32  *
33  *  Software Distribution Coordinator  or  sdc@inet.no
34  *  Inferno Nettverk A/S
35  *  Oslo Research Park
 *  Gaustadalléen 21
37  *  NO-0349 Oslo
38  *  Norway
39  *
40  * any improvements or extensions that they make and grant Inferno Nettverk A/S
41  * the rights to redistribute these changes.
42  *
43  */
44 
45 /* $Id: config.h,v 1.137.10.3 2020/11/11 16:11:50 karls Exp $ */
46 
47 #ifndef _CONFIG_H_
48 #define _CONFIG_H_
49 
50 /*
51  * Everything in this file is put here so you can change it to suit
52  * your particular installation. You should not need to change
53  * any other files.
54  *
55  * Several of the variables can have a big impact on performance,
56  * latency and throughput.  Tuning the server to the optimum for
57  * your particular environment might be difficult, but hopefully
58  * the defaults as set in this file will provide an adequate
59  * compromise in most cases.
60  */
61 
62 
63 
64 /*
65  * default client/server lockfile (put in $TMPDIR, or /tmp).
66  * Put this on a fast, low-latency fs.  Under /tmp is usually good.
67  * Note that if set, $TMPDIR is prefixed to this path.
68  */
69 #define SOCKS_LOCKFILE            ".sockslockXXXXXXXXXX"
70 
71 /*
72  * default server file for shared memory mappings (put in $TMPDIR, or /tmp).
73  * Put this on a fast, low-latency fs.  Under /tmp is usually good.
74  * Note that if set, $TMPDIR is prefixed to this path.
75  */
76 #define SOCKD_SHMEMFILE             ".sockdshmemXXXXXXXXXX"
77 
#if COVENANT

/*
 * Max length of a http request, in bytes.  XXX probably too small.
 * How a request exceeding this is handled (rejected vs. truncated) is not
 * decided here but in the request parser -- check there before raising it.
 */
#define MAXREQLEN              (2048)

/*
 * Realm string used when no realm is configured; presumably sent to the
 * client in HTTP authentication challenges.
 */
#define DEFAULT_REALMNAME          "not the Inferno Nettverk A/S realm"

#elif SOCKS_SERVER /* !COVENANT */

/*
 * Max length of a socks request, excluding gssapi-stuff: exactly the size
 * of the request structure.  Because this is a sizeof() expression it is
 * not usable in #if conditionals, only in C code.  Note there is no #else,
 * so MAXREQLEN is left undefined for other builds (e.g. BAREFOOTD).
 */
#define MAXREQLEN              (sizeof(struct request_t))

#endif /* SOCKS_SERVER */
91 
92 
/*
 * If profiling is enabled, directory to store profile files in.  The path
 * is relative, so it resolves against the current working directory of the
 * process at the time the files are written; only relevant in profiling
 * builds.
 */
#define SOCKS_PROFILEDIR         "./.prof"
95 
96 
97    /*
98     * stuff only related to the server.
99     */
100 
/*
 * Loglevel used for alarms (the LOG_* priorities come from <syslog.h>,
 * which must therefore be included wherever LOG_ALARM is used).  Alarms
 * are the events operators most likely want to monitor, so lowering this
 * below LOG_WARNING risks them being filtered out by the syslog config.
 */
#define LOG_ALARM          (LOG_WARNING)
103 
104 /*
105  * If we are compiling with libwrap support, this sets the maximum
106  * line length for a libwrap line.  Should be the same or less as the
107  * one libwrap uses internally, but we don't have access to that size.
108  */
109 #if HAVE_LIBWRAP
110 #define LIBWRAPBUF         (200)
111 #endif /* HAVE_LIBWRAP */
112 
113 /*
114  * Name to give as servicename when starting pam for rules that don't
115  * set it.
116  */
117 #if SOCKS_SERVER
118 #define DEFAULT_PAMSERVICENAME   "sockd"
119 #elif BAREFOOTD
120 #define DEFAULT_PAMSERVICENAME   "barefootd"
121 #else
122 #define DEFAULT_PAMSERVICENAME   "covenantd"
123 #endif
124 
125 /*
126  * Name to give as stylename when using bsdauth for rules that don't
127  * set it.
128  */
129 #define DEFAULT_BSDAUTHSTYLENAME ""    /* use ""; NULL is the default value. */
130 
131 /*
132  * Name to give as servicename when starting gssapi for rules that don't
133  * set it.
134  */
135 #define DEFAULT_GSSAPISERVICENAME      "rcmd"
136 #define DEFAULT_GSSAPIKEYTAB           "FILE:/etc/sockd.keytab"
137 
138 
/*
 * Name to give as USER when using PAM and the client's username is not
 * available (such as when pam is used as a clientmethod).  Because this
 * is a fixed fallback, the PAM stack used with such rules must be written
 * for it, and no real account or privilege should be tied to this name.
 */
#define DEFAULT_PAM_USER "rhostusr"

/*
 * Name to give as RUSER when using PAM (corresponds to username of client).
 * Used when no client username is known; same fallback string as above.
 */

#define DEFAULT_PAM_RUSER "rhostusr"
146 
/* Default TCP port for the server to listen on (IANA-registered socks port). */
#define SOCKD_PORT               (1080)
149 
150 /*
151  * Internal buffer size for network i/o.  This is the amount of
152  * buffer space set aside internally by the server for each socket.
153  * It is *not* the socket buffer size.
154  */
155 
156 #ifndef SOCKD_BUFSIZE
157 #if HAVE_GSSAPI
158 /*
159  * Warning: this size needs to be at least big enough to hold two max-size
160  * gssapi encoded tokens, or two max-size gssapi decoded tokens.
161  * Assuming a decoded token will never be bigger than an encoded token.
162  */
163 #define SOCKD_BUFSIZE         (2 * (MAXGSSAPITOKENLEN + GSSAPI_HLEN))
164 #else /* !HAVE_GSSAPI */
165 /*
166  * Warning: this size needs to be at least big enough to hold one max-size
167  * udp packet.
168  */
169 #define SOCKD_BUFSIZE         (1024 * 64 * 1)
170 #endif /* !HAVE_GSSAPI */
171 #endif /* SOCKD_BUFSIZE */
172 
/*
 * Max number of clients pending to server (the backlog argument to listen()).
 * The Apache people say:
 *   It defaults to 511 instead of 512 because some systems store it
 *   as an 8-bit data type; 512 truncated to 8-bits is 0, while 511 is
 *   255 when truncated.
 * Note the kernel may silently clamp this to its own limit (e.g. somaxconn).
 */
#define SOCKD_MAXCLIENTQUEUE       (511)
180 
/*
 * How long (in seconds) a route blacklist entry should last before the
 * route is tried again: five minutes.
 */
#define ROUTEBLACKLIST_SECONDS     (60 * 5)
183 
184 /*
185  * We try to cache resolved hostnames and addresses.  The following
186  * values affect this.
187  */
188 
189 /* cache entries we should allocate for caching hostnames/addresses. */
190 #define SOCKD_HOSTCACHE            (512)
191 
192 /* seconds a cache entry is to be considered valid.  Don't set below 1. */
193 #define SOCKD_CACHETIMEOUT         (60 * 5)
194 
195 /* print some statistics for every SOCKD_CACHESTAT lookup.  0 to disable. */
196 #define SOCKD_LDAPCACHE_STAT       (0)
197 
198 
199 /*
200  * Dante supports one process handling N clients, where the max value for
201  * 'N' is limited by your system.
202  *
203  * There are two defines that govern this; SOCKD_NEGOTIATEMAX and SOCKD_IOMAX.
204  * Note that these only govern how many clients a process can handle,
205  * Dante will automatically create as many processes as it needs as
206  * the need arises.
207  */
208 
209 /*
210  * max number of clients each negotiate process will handle at a time.
211  * You can probably set this to a big number.
212  * Each client will occupy one file descriptor.
213  */
214 #ifndef SOCKD_NEGOTIATEMAX
215 #if PRERELEASE
216 #define SOCKD_NEGOTIATEMAX         (2)
217 #else
218 #define SOCKD_NEGOTIATEMAX         (96)
219 #endif /* !PRERELEASE */
220 #endif /* SOCKD_NEGOTIATEMAX */
221 
222 /*
223  * max number of clients each i/o process will handle.
224  * Each client will occupy up to three file descriptors.
225  * While shortage of slots in the other processes will create a
226  * delay for the client, shortage of i/o slots will prevent the client
227  * from doing any i/o until a i/o slot has become available.  It is
228  * therefore important that enough i/o slots are available at all times.
229  */
230 
231 #ifndef SOCKD_IOMAX
232 #if PRERELEASE
233 #define SOCKD_IOMAX               (2)
234 #else
235 #define SOCKD_IOMAX               (32)
236 #endif /* !PRERELEASE */
237 #endif /* SOCKD_IOMAX */
238 
239 #if SOCKD_NEGOTIATEMAX < 1 ||  SOCKD_IOMAX < 1
240 #error "SOCKD_NEGOTIATEMAX and SOCKD_IOMAX can not be less than 1"
241 #endif
242 
243 /*
244  * Number of slots to try and keep available for new clients at any given time.
245  * The server tries to be a little more intelligent about this, but not much.
246  */
247 #define SOCKD_FREESLOTS_NEGOTIATE     (MAX(SOCKD_NEGOTIATEMAX, 8))
248 #define SOCKD_FREESLOTS_REQUEST       (MAX(SOCKD_REQUESTMAX,   16))
249 #define SOCKD_FREESLOTS_IO            (MAX(SOCKD_IOMAX,        32))
250 
251 #if SOCKD_FREESLOTS_NEGOTIATE < 1
252 ||  SOCKD_FREESLOTS_REQUEST < 1
253 ||  SOCKD_FREESLOTS_IO < 1
254 #error "SOCKD_FREESLOTS_* can not be less than 1"
255 #endif /* SOCKD_FREESLOTS < 1 */
256 
257    /*
258     * LDAP variables.
259     */
260 
261 /*
262  * Cache for LDAP stuff.
263  */
264 
265 /* number of entries in cache. */
266 #ifndef SOCKD_LDAPCACHE
267 #if PRERELEASE
268 #define SOCKD_LDAPCACHE            (1)
269 #else
270 #define SOCKD_LDAPCACHE            (512)
271 #endif /* PRERELEASE */
272 #endif /* SOCKD_LDAPCACHE */
273 
274 /*
275  * Seconds a (user) cache entry is to be considered valid.
276  *  Don't set below 1.
277  */
278 #ifndef SOCKD_LDAPCACHE_TIMEOUT
279 #if PRERELEASE
280 #define SOCKD_LDAPCACHE_TIMEOUT    (5)
281 #else
282 #define SOCKD_LDAPCACHE_TIMEOUT    (60 * 15)
283 #endif /* PRERELEASE */
284 #endif /* SOCKD_LDAPCACHE_TIMEOUT */
285 
286 /*
287  * Seconds a (sid) cache entry is to be considered valid.
288  */
289 #ifndef SOCKD_LDAP_SID_CACHE_TIMEOUT
290 #if PRERELEASE
291 #define SOCKD_LDAP_SID_CACHE_TIMEOUT (15)
292 #else
293 #define SOCKD_LDAP_SID_CACHE_TIMEOUT (24 * 60 * 60)
294 #endif /* PRERELEASE */
295 #endif /* SOCKD_LDAP_SID_CACHE_TIMEOUT */
296 
297 /*
298  * Name to give as filter and attribute name for ldap server
299  */
300 #define DEFAULT_LDAP_FILTER        "(memberuid=%s)"
301 #define DEFAULT_LDAP_ATTRIBUTE     "cn"
302 
303 /*
304  * Name to give as filter and attribute name for Active Directory server
305  */
306 #define DEFAULT_LDAP_FILTER_AD     "(samaccountname=%s)"
307 #define DEFAULT_LDAP_ATTRIBUTE_AD  "memberof"
308 
309 /*
310  * Name to give as filter for user to DN mapping for ldap authentication
311  */
312 #define DEFAULT_LDAP_AUTH_FILTER    "(uid=%s)"
313 #define DEFAULT_LDAP_AUTH_FILTER_AD "(samaccountname=%s)"
314 
315 /*
316  * Name to give as ca cert file or cert db path
317  */
318 #define DEFAULT_LDAP_CACERTFILE    "/etc/ssl/certs/cert.pem"
319 #define DEFAULT_LDAP_CERTDBPATH    "/etc/certs"
320 
321 /*
322  * Name to give as USER when using PAM and username is not available
323  * (such as when pam is used as a clientmethod).
324  */
325 
326 
#if BAREFOOTD
/*
 * Each i/o process should attempt to handle at least this many udp clients.
 * Note that there is no hardcoded bound on this in Barefoot; it is only
 * limited by system resources (descriptors, memory).  If the system
 * resources are too low for this value, the server complains at startup
 * rather than failing later under load.
 */
#define MIN_UDPCLIENTS           (512)
#endif /* BAREFOOTD */
336 
337 #endif /* !_CONFIG_H_ */
338