Commit c49b7f47 authored by Marco d'Itri's avatar Marco d'Itri

Imported Upstream version 7.6.q

parent 82d98ef7
@(#) BLURB 1.28 97/03/21 19:27:18
With this package you can monitor and filter incoming requests for the
network services.
The package provides tiny daemon wrapper programs that can be installed
without any changes to existing software or to existing configuration
files. The wrappers report the name of the client host and of the
requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.
This patch upgrades the tcp wrappers version 7.5 source code to
version 7.6. The source-routing protection in version 7.5 was not
as strong as it could be. And all this effort was not needed with
modern UNIX systems that can already stop source-routed traffic in
the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux.
This release does not introduce new features. Do not bother applying
this patch when you built your version 7.x tcp wrapper without
enabling the KILL_IP_OPTIONS compiler switch; when you can disable
IP source routing options in the kernel; when you run a UNIX version
that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to
receive source-routed connections and are therefore not vulnerable
to IP spoofing attacks with source-routed TCP connections.
A complete change log is given in the CHANGES document. As always,
problem reports and suggestions for improvement are welcome.
Wietse Venema (,
Department of Mathematics and Computing Science,
Eindhoven University of Technology,
The Netherlands.
Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
# @(#) Banners.Makefile 1.3 97/02/12 02:13:18
# Install this file as the Makefile in your directory with banner files.
# It will convert a prototype banner text to a form that is suitable for
# the ftp, telnet, rlogin, and other services.
# You'll have to comment out the IN definition below if your daemon
# names don't start with `in.'.
# The prototype text should live in the banners directory, as a file with
# the name "prototype". In the prototype text you can use %<character>
# sequences as described in the hosts_access.5 manual page (`nroff -man'
# format). The sequences will be expanded while the banner message is
# sent to the client. For example:
# Hello %u@%h, what brings you here?
# Expands to: Hello username@hostname, what brings you here? Note: the
# use of %u forces a client username lookup.
# In order to use banners, build the tcp wrapper with -DPROCESS_OPTIONS
# and use hosts.allow rules like this:
# daemons ... : clients ... : banners /some/directory ...
# Of course, nothing prevents you from using multiple banner directories.
# For example, one banner directory for clients that are granted service,
# one banner directory for rejected clients, and one banner directory for
# clients with a hostname problem.
SHELL = /bin/sh
IN = in.
BANNERS = $(IN)telnetd $(IN)ftpd $(IN)rlogind # $(IN)fingerd $(IN)rshd
all: $(BANNERS)
$(IN)telnetd: prototype
cp prototype $@
chmod 644 $@
$(IN)ftpd: prototype
sed 's/^/220-/' prototype > $@
chmod 644 $@
$(IN)rlogind: prototype nul
( ./nul ; cat prototype ) > $@
chmod 644 $@
# Other services: banners may interfere with normal operation
# so they should probably be used only when refusing service.
# In particular, banners don't work with standard rsh daemons.
# You would have to use an rshd that has built-in tcp wrapper
# support, for example the rshd that is part of the logdaemon
# utilities.
$(IN)fingerd: prototype
cp prototype $@
chmod 644 $@
$(IN)rshd: prototype nul
( ./nul ; cat prototype ) > $@
chmod 644 $@
# In case no /dev/zero available, let's hope they have at least
# a C compiler of some sort.
echo 'main() { write(1,"",1); return(0); }' >nul.c
$(CC) $(CFLAGS) -s -o nul nul.c
rm -f nul.c
Request: after building the programs, please run the `tcpdchk' wrapper
configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
format) for instructions. `tcpdchk' automatically identifies the most
common configuration problems, and will save you and me a lot of time.
Changes per release 7.6 (Mar 1997)
- Improved the anti source-routing protection. The code in version
7.5 was not as strong as it could be, because I tried to be compatible
with Linux. That was a mistake. Sorry for the inconvenience.
- The program no longer terminates case of a source-routed connection,
making the IP-spoofing code more usable for long-running daemons.
- When syslogging DNS hostname problems, always stop after a limited
number of characters.
Changes per release 7.5 (Feb 1997)
- Optionally refuse source-routed TCP connections requests altogether.
Credits to Niels Provos of Universitaet Hamburg. File: fix_options.c.
- Support for IRIX 6 (Lael Tucker).
- Support for Amdahl UTS 2.1.5 (Richard E. Richmond).
- Support for SINIX 5.42 (Klaus Nielsen).
- SCO 5 now has vsyslog() (Bill Golden).
- Hints and tips for dealing with IRIX inetd (Niko Makila, Aaron
M Lee).
- Support for BSD/OS (Paul Borman).
- Support for Tandem (Emad Qawas).
- Support for ISC (Frederick B. Cohen).
- Workaround for UNICOS - it would choke on a setjmp() expression
(Bruce Kelly). File: hosts_access.c, tcpdchk.c.
- Increased the level of buffer overflow paranoia when printing
unwanted IP options. File: fix_options.c.
Changes per release 7.4 (Mar 1996)
- IRIX 5.3 (and possibly, earlier releases, too) library routines call
the non-reentrant strtok() routine. The result is that hosts may slip
through allow/deny filters. Workaround is to not rely on the vendor's
strtok() routine (#ifdef LIBC_CALLS_STRTOK). Credits to Th. Eifert
(Aachen University) for spotting this one. This fix supersedes the
earlier workaround for a similar problem in FreeBSD 2.0.
Changes per release 7.3 (Feb 1996)
- More tests added to tcpdchk and tcpdmatch: make sure that the
REAL_DAEMON_DIR actually is a directory and not a regular file;
detect if tcpd recursively calls itself.
- Edwin Kremer found an amusing fencepost error in the xgets()
routine: lines longer than BUFLEN characters would be garbled.
- The access control routines now refuse to execute "dangerous" actions
such as `twist' when they are called from within a resident process.
This prevents you from shooting yourself into the foot with critical
systems programs such as, e.g., portmap or rpcbind.
- Support for Unicos 8.x (Bruce Kelly). The program now closes the
syslog client socket before running the real daemon: Cray UNICOS
refuses to checkpoint processes with open network ports.
- Support for MachTen UNIX (Albert M.C Tam).
- Support for Interactive UNIX R3.2 V4.0 (Bobby D. Wright).
- Support for SCO 3.2v5.0.0 OpenServer 5 (
- Support for Unixware 1.x and Unixware 2.x. The old Unixware Makefile
rule was broken. Sorry about that.
- Some FreeBSD 2.0 libc routines call strtok() and severely mess up the
allow/deny rule processing. This is very bad. Workaround: call our own
strtok() clone (#ifdef USE_STRSEP).
- The programs now log a warning when they detect that a non-existent
banner directory is specified.
- The hosts_access.3 manual page used obsolete names for the RQ_*
Changes per release 7.2 (Jan 1995)
- Added a note to the README and manpages on using the IDENT service to
detect sequence number spoofing and other host impersonation attacks.
- Portability: ConvexOS puts RPC version numbers before the daemon path
name (Jukka Ukkonen).
- Portability: the AIX compiler disliked the strchr() declaration
in socket.c. I should have removed it when I included <string.h>.
- Backwards compatibility: some people relied on the old leading dot or
trailing dot magic in daemon process names.
- Backwards compatibility: hostname lookup remains enabled when
-DPARANOID is turned off. In order to disable hostname lookups you
must turn off -DALWAYS_HOSTNAME.
- Eliminated false complaints from the tcpdmatch/tcpdchk configuration
checking programs about process names not in inetd.conf or about KNOWN
username patterns.
Changes per release 7.1 (Jan 1995)
- Portability: HP-UX permits you to break inetd.conf entries with
- Portability: EP/IX has no putenv() and some inetd.conf entries are
spread out over two lines.
- Portability: SCO with NIS support has no *netgrent() routines.
Changes per release 7.0 (Jan 1995)
- Added a last-minute workaround for a Solaris 2.4 gethostbyname()
foulup with multi-homed hosts in DNS through NIS mode.
- Added a last-minute defense against TLI weirdness: address lookups
apparently succeed but the result netbuf is empty (ticlts transport).
- Dropped several new solutions that were in need of a problem. Beta
testers may recognize what new features were kicked out during the last
weeks before release 7.0 came out. Such is life.
- Got rid of out the environment replacement routines, at least for
most architectures. One should not have to replace working system
software when all that is needed is a 4.4BSD setenv() emulator.
- By popular request I have added an option to send banner messages to
clients. There is a Banners.Makefile that gives some aid for sites that
are going to use this feature. John C. Wingenbach did some pioneering
work here. I used to think that banners are frivolous. Now that I had
a personal need for them I know that banners can be useful.
- At last: an extensible functional interface to the pattern matching
engine. request_init() and request_set() accept a variable-length
name-value argument list. The result can be passed to hosts_access().
- When PARANOID mode is disabled (compile time), the wrapper does no
hostname lookup or hostname double checks unless required by %letter
expansions, or by access control rules that match host names. This is
useful for sites that don't care about internet hostnames anyway.
Inspired by the authors of the firewalls and internet security book.
- When PARANOID mode is disabled (compile time), hosts with a name/name
or name/address conflict can be matched with the PARANOID host wildcard
pattern, so that you can take some intelligent action instead of just
dropping clients. Like showing a banner that explains the problem.
- New percent escapes: %A expands to the server address; %H expands to
the corresponding hostname (or address if no name is available); %n and
%N expand to the client and server hostname (or "unknown"); %s expands
to everything we know about the server endpoint (the opposite of the %c
sequence for client information).
- Symmetry: server and client host information is now treated on equal
footing, so that we can reuse a lot of code.
- Lazy evaluation of host names, host addresses, usernames, and so on,
to avoid doing unnecessary work.
- Dropping #ifdefs for some archaic systems made the code simpler.
- Dropping the FAIL pattern made the pattern matcher much simpler. Run
the "tcpdchk" program to scan your access control files for any uses of
this obscure language feature.
- Moving host-specific pattern matching from string_match() to the
host_match() routine made the code more accurate. Run the "tcpdchk"
program to scan your access control files for any dependencies on
undocumented or obscure language features that are gone.
- daemon@host patterns trigger on clients that connect to a specific
internet address. This can be useful for service providers that offer
multiple ftp or www archives on different internet addresses, all
belonging to one and the same host (,, you get
the idea). Inspired by a discussion with Rop Gonggrijp, Cor Bosman,
and Casper Dik, and earlier discussions with Adrian van Bloois.
- The new "tcpdchk" program critcizes all your access control rules and
inetd.conf entries. Great for spotting obscure bugs in my own
files. This program also detects hosts with name/address conflicts and
with other DNS-related problems. See the "tcpdchk.8" manual page.
- The "tcpdmatch" program replaces the poor old "try" command. The new
program looks in your inetd.conf file and therefore produces much more
accurate predictions. In addition, it detects hosts with name/address
conflicts and with other DNS-related problems. See the "tcpdmatch.8"
manual page. The inetd.conf lookup was suggested by Everett F Batey.
- In the access control tables, the `=' between option name and value
is no longer required.
- Added 60-second timeout to the safe_finger command, to cover another
potential problem. Suggested by Peter Wemm.
- Andrew Maffei provided code that works with WIN-TCP on NCR System V.4
UNIX. It reportedly works with versions 02.02.01 and 02.03.00. The code
pops off all streams modules above the device driver, pushes the timod
module to get at the peer address, and then restores the streams stack
to the initial state.
Changes per release 6.3 (Mar 1994)
- Keepalives option, to get rid of stuck daemons when people turn off
their PC while still connected. Files: options.c, hosts_options.5.
- Nice option, to calm down network daemons that take away too much CPU
time. Files: options.c, hosts_options.5.
- Ultrix perversion: the environ global pointer may be null. The
environment replacement routines now check for this. File: environ.c.
- Fixed a few places that still assumed the socket is on standard
input. Fixed some error messages that did not provide access control
file name and line number. File: options.c.
- Just when I was going to release 6.2 I received code for Dynix/PTX.
That code is specific to PTX 2.x, so I'll keep around my generic
PTX code just in case. The difference is in the handling of UDP
services. Files: tli_sequent.[hc].
Changes per release 6.2 (Feb 1994)
- Resurrected my year-old code to reduce DNS load by appending a dot to
the gethostbyname() argument. This feature is still experimental and it
may go away if it causes more problems than it solves. File: socket.c.
- Auxiliary code for the Pyramid, BSD universe. Karl Vogel figured out
what was missing: yp_get_default_domain() and vfprintf(). Files:
workarounds.c, vfprintf.c.
- Improved support for Dynix/PTX. The wrapper should now be able to
deal with all TLI over IP services. File: ptx.c.
- The try command now uses the hostname that gethostbyaddr() would
return, instead of the hostname returned by gethostbyname(). This can
be significant on systems with NIS that have short host names in the
hosts map. For example, gethostbyname("") returns
""; gethostbyaddr( returns "wzv", and
that is what we should test with. File: try.c.
Changes per release 6.1 (Dec 1993)
- Re-implemented all environment access routines. Most systems have
putenv() but no setenv(), some systems have setenv() but no putenv(),
and there are even systems that have neither setenv() nor putenv(). The
benefit of all this is that more systems can now be treated in the same
way. File: environ.c.
- Workaround for a weird problem with DG/UX when the wrapper is run as
nobody (i.e. fingerd). For some reason the ioctl(fd, I_FIND, "sockmod")
call fails even with socket-based applications. The "fix" is to always
assume sockets when the ioctl(fd, I_FIND, "timod") call fails. File:
fromhost.c. Thanks to Paul de Vries ( for
helping me to figure out this one.
- Implemented a workaround for Dynix/PTX and other systems with TLI
that lack some essential support routines. Thanks to Bugs Brouillard
( for the hospitality to try things out.
The trick is to temporarily switch to the socket API to identify the
client, and to switch back to TLI when done. It still does not work
right for basic network services such as telnet. File: fromhost.c.
- Easy-to-build procedures for SCO UNIX, ConvexOS with UltraNet, EP/IX,
Dynix 3.2, Dynix/PTX. File: Makefile.
- Variable rfc931 timeout. Files: rfc931.c, options.c, log_tcp.h, try.c.
- Further simplification of the rfc931 code. File: rfc931.c.
- The fromhost() interface stinks: I cannot change that, but at least
the from_sock() and from_tli() functions now accept a file descriptor
- Fixed a buglet: fromhost() would pass a garbage file descriptor to
the isastream() call.
- On some systems the finger client program lives in /usr/bsd. File:
Changes per release 6.0 (Sept 1993)
- Easy build procedures for common platforms (sun, ultrix, aix, hpux
and others).
- TLI support, System V.4 style (Solaris, DG/UX).
- Username lookup integrated with the access control language.
Selective username lookups are now the default (was: no username
- A safer finger command for booby traps. This one solves a host of
possible problems with automatic reverse fingers. Thanks, Borja Marcos
( for some inspiring discussions.
- KNOWN pattern that matches hosts whose name and address are known.
- Cleanup of diagnostics. Errors in access-control files are now shown
with file name and line number.
- With AIX 3.2, hostnames longer than 32 would be truncated. This
caused hostname verification failures, so that service would be refused
when paranoid mode was enabled. Found by: Adrian van Bloois
- With some IRIX versions, remote username lookups failed because the
fgets() library function does not handle partial read()s from sockets.
Found by: Daniel O'Callaghan (
- Added a DISCLAIMER document to help you satisfy legal departments.
The extension language module has undergone major revisions and
extensions. Thanks, John P. Rouillard ( for
discussions, experiments, and for being a good guinea pig. The
extensions are documented in hosts_options.5, and are enabled by
editing the Makefile STYLE macro definition.
- (Extension language) The ":" separator may now occur within options
as long as it is protected with a backslash. A warning is issued when
a rule ends on ":".
- (Extension language) Better verification mode. When the `try' command
is run, each option function now explains what it would do.
- (Extension language) New "allow" and "deny" keywords so you can now
have all rules within a single file. See "nroff -man hosts_options.5"
for examples.
- (Extension language) "linger" keyword to set the socket linger time
(SO_LINGER). From: Marc Boucher <>.
- (Extension language) "severity" keyword to turn the logging noise up
or down. Many sites wanted a means to shut up the program; other sites
wanted to emphasize specific events. Adapted from code contributed
by Dave Mitchell <>.
Changes per release 5.1 (Mar 1993)
- The additional protection against source-routing attacks from hosts
that pretend to have someone elses network address has become optional
because it causes kernel panics with SunOS <= 4.1.3.
Changes per release 5.0 (Mar 1993)
- Additional protection against source-routing attacks from hosts that
pretend to have someone elses network address. For example, the address
of a trusted host within your own network.
- The access control language has been extended with a simple but
powerful operator that greatly simplifies the design of rule sets (ALL: EXCEPT Blank lines are permitted, and long
lines can be continued with backslash-newline.
- All configurable stuff, including path names, has been moved into the
Makefile so that you no longer have to hack source code to just
configure the programs.
- Ported to Solaris 2. TLI-based applications not yet supported.
Several workarounds for System V bugs.
- A small loophole in the netgroup lookup code was closed, and the
remote username lookup code was made more portable.
- Still more documentation. The README file now provides tutorial
sections with introductions to client, server, inetd and syslogd.
Changes per release 4.3 (Aug 1992)
- Some sites reported that connections would be rejected because
localhost != localhost.domain. The host name checking code now
special-cases localhost (problem reported by several sites).
- The programs now report an error if an existing access control file
cannot be opened (e.g. due to lack of privileges). Until now, the
programs would just pretend that the access control file does not exist
(reported by Darren Reed,
- The timeout period for remote userid lookups was upped to 30 seconds,
in order to cope with slow hosts or networks. If this is too long for
you, adjust the TIMEOUT definition in file rfc931.c (problem reported
by several sites).
- On hosts with more than one IP network interface, remote userid
lookups could use the IP address of the "wrong" local interface. The
problem and its solution were discussed on the rfc931-users mailing
list. Scott Schwartz ( folded the fix into the
rfc931.c module.
- The result of % expansion (in shell commands) is now checked for
stuff that may confuse the shell; it is replaced by underscores
(problem reported by Icarus Sparry,
- A portability problem was fixed that caused compile-time problems
on a CRAY (problem reported by Michael Barnett,
Changes per release 4.0 (Jun 1992)
1 - network daemons no longer have to live within a common directory
2 - the access control code now uses both the host address and name
3 - an access control pattern that supports netmasks
4 - additional protection against forged host names
5 - a pattern that matches hosts whose name or address lookup fails
6 - an operator that prevents hosts or services from being matched
7 - optional remote username lookup with the RFC 931 protocol
8 - an optional umask to prevent the creation of world-writable files
9 - hooks for access control language extensions
10 - last but not least, thoroughly revised documentation.
Changes per release 3.0 (Oct 1991)
Enhancements over the previous release are: support for datagram (UDP
and RPC) services, and execution of shell commands when a (remote host,
requested service) pair matches a pattern in the access control tables.
Changes per release 2.0 (May 1991)
Enhancements over the previous release are: protection against rlogin
and rsh attacks through compromised domain name servers, optional
netgroup support for systems with NIS (formerly YP), and an extension
of the wild card patterns supported by the access control files.
Release 1.0 (Jan 1991)
* Copyright 1995 by Wietse Venema. All rights reserved. Some individual
* files may be covered by other copyrights.
* This material was originally written and compiled by Wietse Venema at
* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
* 1992, 1993, 1994 and 1995.
* Redistribution and use in source and binary forms are permitted
* provided that this entire copyright notice is duplicated in all such
* copies.
* This software is provided "as is" and without any expressed or implied
* warranties, including, without limitation, the implied warranties of
* merchantibility and fitness for any particular purpose.
# @(#) Makefile 1.23 97/03/21 19:27:20
@echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
@echo " make sys-type"
@echo "If you are in a hurry you can try instead:"
@echo " make REAL_DAEMON_DIR=/foo/bar sys-type"
@echo "And for a version with language extensions enabled:"
@echo " make REAL_DAEMON_DIR=/foo/bar STYLE=-DPROCESS_OPTIONS sys-type"
@echo "This Makefile knows about the following sys-types:"
@echo " generic (most bsd-ish systems with sys5 compatibility)"
@echo " 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
@echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
@echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
@echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
@echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
@echo " uts215 uxp"
@echo "If none of these match your environment, edit the system"
@echo "dependencies sections in the Makefile and do a 'make other'."
# Choice between easy and advanced installation recipe.
# Advanced installation: vendor-provided daemons are left alone, and the
# inetd configuration file is edited. In this case, the REAL_DAEMON_DIR
# macro should reflect the actual directory with (most of) your
# vendor-provided network daemons. These names can be found in the
# inetd.conf file. Usually, the telnet, ftp and finger daemons all live
# in the same directory.
# Uncomment the appropriate line if you are going to edit inetd.conf.
# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
# SysV.4 Solaris 2.x OSF AIX
# BSD 4.4
# HP-UX SCO Unicos
# Easy installation: vendor-provided network daemons are moved to "some
# other" directory, and the tcpd wrapper fills in the "holes". For this
# mode of operation, the REAL_DAEMON_DIR macro should be set to the "some
# other" directory. The "..." is here for historical reasons only; you
# should probably use some other name.
# Uncomment the appropriate line if you are going to move your daemons.
# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
# SysV.4 Solaris 2.x OSF AIX
# BSD 4.4
# HP-UX SCO Unicos
# End of mandatory section
# Ready-to-use system-dependent templates.
# Ready-to-use templates are available for many systems (see the "echo"
# commands at the start of this Makefile). The templates take care of
# all system dependencies: after editing the REAL_DAEMON_DIR definition
# above, do a "make sunos4" (or whatever system type is appropriate).
# If your system is not listed (or something that comes close enough), you
# have to edit the system dependencies section below and do a "make other".
# Send templates for other UNIX versions to
# This is good for many BSD+SYSV hybrids with NIS (formerly YP).
generic aix osf alpha dynix:
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
# Ditto, with vsyslog
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
# Generic with resolver library.
LIBS=-lresolv RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
# The NeXT loader needs "-m" or it barfs on redefined library functions.
LIBS=-m RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
# SunOS for the 386 was frozen at release 4.0.x.
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="setenv.o strcasecmp.o" \
# Ultrix is like aix, next, etc., but has miscd and setenv().
# This works on EP/IX 1.4.3 and will likely work on Mips (
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
# Freebsd and linux by default have no NIS.
386bsd netbsd bsdos:
LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
hpux hpux8 hpux9 hpux10:
LIBS= RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
# ConvexOS-10.x with UltraNet support (
LIBS=-lulsock RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
# Generic support for the Dynix/PTX version of TLI.
LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
AUX_OBJ="setenv.o strcasecmp.o ptx.o" NETGROUP= TLI=-DPTX all
# With UDP support optimized for PTX 2.x (
LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
AUX_OBJ="setenv.o strcasecmp.o tli-sequent.o" NETGROUP= \
# IRIX 4.0.x has a special ar(1) flag.
LIBS="-lc -lsun" RANLIB=echo ARFLAGS=rvs AUX_OBJ=setenv.o \
# IRIX 5.2 is SYSV4 with several broken things (such as -lsocket -lnsl).
# IRIX 6.2 ( Must find a better value than 200000.
# SunOS 5.x is another SYSV4 variant.