Package: libwrap0
Version: 7.6.q-35
Severity: minor
Tags: patch
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z < "man
page"
[Use "groff -e ' $' -e '\\~$' <file>" to find obvious trailing spaces.]
["test-groff" is a script in the repository for "groff"; is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
an.tmac:<stdin>:1: style: .TH missing third argument; consider document
modification date in ISO 8601 format (YYYY-MM-DD)
an.tmac:<stdin>:1: style: .TH missing fourth argument; consider package/project
name and version (e.g., "groff 1.23.0")
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exist, are in the
attachments.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.12-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libwrap0 depends on:
ii libc6 2.40-6
libwrap0 recommends no packages.
libwrap0 suggests no packages.
-- no debconf information
Input file is hosts_access.5
Output from "mandoc -T lint hosts_access.5": (shortened list)
1 fill mode already disabled, skipping: nf
1 missing date, using "": TH
8 whitespace at end of input line
-.-.
Output from "test-groff -mandoc -t -ww -z hosts_access.5": (shortened list)
9 trailing space in the line
-.-.
Remove space characters (whitespace) at the end of lines.
Use "git apply ... --whitespace=fix" to fix extra space issues, or use
global configuration "core.whitespace".
Number of lines affected is
9
-.-.
Use "\e" to print the escape character instead of "\\" (which gets
interpreted in copy mode).
353:in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
-.-.
Change a HYPHEN-MINUS (code 0x2D) to a minus(-dash) (\-),
if it
is in front of a name for an option,
is a symbol for standard input,
is a single character used to indicate an option,
or is in the NAME section (man-pages(7)).
N.B. - (0x2D), processed as a UTF-8 file, is changed to a hyphen
(0x2010, groff \[u2010] or \[hy]) in the output.
138:built with -DPARANOID (default mode), it drops requests from such
140:without -DPARANOID when you want more control over such requests.
353:in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
354: /usr/bin/mail -s %d-%h root) &
-.-.
Add a comma (or \&) after "e.g." and "i.e.", or use English words
(man-pages(7)).
Abbreviation points should be protected against being interpreted as
an end of sentence, if they are not, and that independent of the
current place on the line.
234:most, i.e. when the client system has been compromised. In general,
-.-.
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
Some sentences (etc.) do not begin on a new line.
N.B.
The number of lines affected can be too large to be in a patch.
7:name, host name/address) patterns. Examples are given at the end. The
12:\fIhosts_options\fR(5) document. \fBNote that this language supersedes
17:a host requesting service. Network daemon process names are specified
20:The access control software consults two files. The search stops
32:file. Thus, access control can be turned off by providing no access
36:lines are processed in order of appearance. The search terminates when a
40:character. This permits you to break up long lines so that they are
72:A string that begins with a `.\' character. A host name is matched if
77:A string that ends with a `.\' character. A host address is matched if
83:(formerly YP) netgroup name. A host name is matched if it is a host
84:member of the specified netgroup. Netgroup matches are not supported
90:`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
91:bitwise AND of the address and the `mask\'. For example, the net/mask
102:`[net]/prefixlen\' pair. An IPv6 host address is matched if
104:address. For example, the [net]/prefixlen pattern
109:name. A host name or address is matched if it matches any host name
110:or address pattern listed in the named file. The file format is
127:host names may be unavailable due to temporary name server problems. A
132:\fIand\fR address are known. This pattern should be used with care:
147:client_lists. The EXCEPT operator can be nested: if the control
204:that may even belong to different organizations. See also the `twist\'
205:option in the hosts_options(5) document. Some systems (Solaris,
211:addresses in client_list context. Usually, server endpoint information
216:additional information about the owner of a connection. Client username
221:daemon_list : ... user_pattern@host_pattern ...
234:most, i.e. when the client system has been compromised. In general,
242:lookups are blocked by a firewall. The wrapper README document
249:Selective username lookups can alleviate the last problem. For example,
271:less trustworthy. It is possible for an intruder to spoof both the
273:harder than spoofing just a client connection. It may also be that
279:policy can be expressed with a minimum of fuss. Although the language
288:The examples use host and domain names. They can be improved by
292:In this case, access is denied by default. Only explicitly authorized
327:in the deny file. For example:
341:host. The result is mailed to the superuser.
358:installed in a suitable place. It limits possible damage from data sent
370:the outer world. All other services can be "bugged" just like the above
371:tftp example. The result is an excellent early-warning system.
405:Den Dolech 2, P.O. Box 513,
-.-.
The name of a man page is typeset in bold and the section in roman
(see man-pages(7)).
205:option in the hosts_options(5) document. Some systems (Solaris,
390:hosts_options(5) extended syntax.
391:tcpd(8) tcp/ip daemon wrapper program.
392:tcpdchk(8), tcpdmatch(8), test programs.
-.-.
Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".
Not considered in a patch, too many lines.
hosts_access.5:6:based on client (host name/address, user name), and server
(process
hosts_access.5:54:(argv[0] values) or server port numbers or wildcards (see
below).
hosts_access.5:138:built with -DPARANOID (default mode), it drops requests from
such
hosts_access.5:149:would parse as `(a EXCEPT (b EXCEPT c))\'.
hosts_access.5:154:command is subjected to %<letter> substitutions (see next
section).
hosts_access.5:174:The daemon process name (argv[0] value).
hosts_access.5:179:The client (server) host name (or "unknown" or "paranoid").
hosts_access.5:181:The clients (servers) port number (or "0").
hosts_access.5:188:The client user name (or "unknown").
hosts_access.5:215:descendants (TAP, IDENT, RFC 1413) the wrapper programs can
retrieve
hosts_access.5:230:same wildcards apply (netgroup membership is not supported).
One
hosts_access.5:260:via, for example, the remote shell service. The IDENT
(RFC931 etc.)
hosts_access.5:267:result (the client matches `UNKNOWN@host\') is strong
evidence of a host
hosts_access.5:270:A positive IDENT lookup result (the client matches
`KNOWN@host\') is
hosts_access.5:295:The default policy (no access) is implemented with a trivial
deny
hosts_access.5:319:\fIfoobar.edu\fP domain (notice the leading dot), with the
exception of
hosts_access.5:325:The default policy (access granted) makes the allow file
redundant so
hosts_access.5:362:The expansion of the %h (client host) and %d (service name)
sequences
hosts_access.5:397:Domain name server lookups are case insensitive; NIS
(formerly YP)
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z
":
an.tmac:<stdin>:1: style: .TH missing third argument; consider document
modification date in ISO 8601 format (YYYY-MM-DD)
an.tmac:<stdin>:1: style: .TH missing fourth argument; consider package/project
name and version (e.g., "groff 1.23.0")
troff:<stdin>:54: warning: trailing space in the line
troff:<stdin>:64: warning: trailing space in the line
troff:<stdin>:227: warning: trailing space in the line
troff:<stdin>:276: warning: trailing space in the line
troff:<stdin>:293: warning: trailing space in the line
troff:<stdin>:299: warning: trailing space in the line
troff:<stdin>:310: warning: trailing space in the line
troff:<stdin>:323: warning: trailing space in the line
troff:<stdin>:405: warning: trailing space in the line
--- hosts_access.5 2025-02-10 16:20:10.326670681 +0000
+++ hosts_access.5.new 2025-02-10 16:27:11.904070924 +0000
@@ -51,7 +51,7 @@ being optional:
daemon_list : client_list [ : shell_command ]
.PP
\fIdaemon_list\fR is a list of one or more daemon process names
-(argv[0] values) or server port numbers or wildcards (see below).
+(argv[0] values) or server port numbers or wildcards (see below).
.PP
\fIclient_list\fR is a list
of one or more host names, host addresses, patterns or wildcards (see
@@ -61,7 +61,7 @@ The more complex forms \fIdaemon@host\fR
explained in the sections on server endpoint patterns and on client
username lookups, respectively.
.PP
-List elements should be separated by blanks and/or commas.
+List elements should be separated by blanks and/or commas.
.PP
With the exception of NIS (YP) netgroup lookups, all access control
checks are case insensitive.
@@ -135,9 +135,9 @@ network address will be unavailable when
what type of network it is talking to.
.IP PARANOID
Matches any host whose name does not match its address. When tcpd is
-built with -DPARANOID (default mode), it drops requests from such
+built with \-DPARANOID (default mode), it drops requests from such
clients even before looking at the access control tables. Build
-without -DPARANOID when you want more control over such requests.
+without \-DPARANOID when you want more control over such requests.
.ne 6
.SH OPERATORS
.IP EXCEPT
@@ -202,7 +202,9 @@ Patterns like these can be used when the
addresses with different internet hostnames. Service providers can use
this facility to offer FTP, GOPHER or WWW archives with internet names
that may even belong to different organizations. See also the `twist\'
-option in the hosts_options(5) document. Some systems (Solaris,
+option in the
+.BR hosts_options (5)
+document. Some systems (Solaris,
FreeBSD) can have more than one internet address on one physical
interface; with other systems you may have to resort to SLIP or PPP
pseudo interfaces that live in a dedicated network address space.
@@ -224,14 +226,14 @@ The daemon wrappers can be configured at
rule-driven username lookups (default) or to always interrogate the
client host. In the case of rule-driven username lookups, the above
rule would cause username lookup only when both the \fIdaemon_list\fR
-and the \fIhost_pattern\fR match.
+and the \fIhost_pattern\fR match.
.PP
A user pattern has the same syntax as a daemon process pattern, so the
same wildcards apply (netgroup membership is not supported). One
should not get carried away with username lookups, though.
.IP \(bu
The client username information cannot be trusted when it is needed
-most, i.e. when the client system has been compromised. In general,
+most, i.e., when the client system has been compromised. In general,
ALL and (UN)KNOWN are the only user name patterns that make sense.
.IP \(bu
Username lookups are possible only with TCP-based services, and only
@@ -273,7 +275,7 @@ client connection and the IDENT lookup,
harder than spoofing just a client connection. It may also be that
the client\'s IDENT server is lying.
.PP
-Note: IDENT lookups don\'t work with UDP services.
+Note: IDENT lookups don\'t work with UDP services.
.SH EXAMPLES
The language is flexible enough that different types of access control
policy can be expressed with a minimum of fuss. Although the language
@@ -290,13 +292,13 @@ including address and/or network/netmask
impact of temporary name server lookup failures.
.SH MOSTLY CLOSED
In this case, access is denied by default. Only explicitly authorized
-hosts are permitted access.
+hosts are permitted access.
.PP
The default policy (no access) is implemented with a trivial deny
file:
.PP
.ne 2
-/etc/hosts.deny:
+/etc/hosts.deny:
.in +3
ALL: ALL
.PP
@@ -307,7 +309,7 @@ The explicitly authorized hosts are list
For example:
.PP
.ne 2
-/etc/hosts.allow:
+/etc/hosts.allow:
.in +3
ALL: LOCAL @some_netgroup
.br
@@ -320,7 +322,7 @@ netgroup. The second rule permits acces
\fIterminalserver.foobar.edu\fP.
.SH MOSTLY OPEN
Here, access is granted by default; only explicitly specified hosts are
-refused service.
+refused service.
.PP
The default policy (access granted) makes the allow file redundant so
that it can be omitted. The explicitly non-authorized hosts are listed
@@ -349,9 +351,8 @@ in.tftpd: LOCAL, .my.domain
.ne 2
/etc/hosts.deny:
.in +3
-.nf
-in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
- /usr/bin/mail -s %d-%h root) &
+in.tftpd: ALL: (/usr/sbin/safe_finger \-l @%h | \e
+ /usr/bin/mail \-s %d-%h root) &
.fi
.PP
The safe_finger command comes with the tcpd wrapper and should be
@@ -387,9 +388,9 @@ that shouldn\'t. All problems are repor
.fi
.SH SEE ALSO
.nf
-hosts_options(5) extended syntax.
-tcpd(8) tcp/ip daemon wrapper program.
-tcpdchk(8), tcpdmatch(8), test programs.
+.BR hosts_options "(5) extended syntax."
+.BR tcpd "(8) tcp/ip daemon wrapper program."
+.BR tcpdchk "(8), " tcpdmatch "(8), test programs."
.SH BUGS
If a name server lookup times out, the host name will not be available
to the access control software, even though the host is registered.
@@ -402,6 +403,6 @@ netgroup lookups are case sensitive.
Wietse Venema (wie...@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
+Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
The same goes for man pages that are used as an input.
For a style guide use
mandoc -T lint
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
Not beginning each input sentence on a new line.
Line length should thus be reduced.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original and patched file
can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -d -u <out1> <out2>
and for groff, using
\"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - \"
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -d -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option \"-warnings=w\"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT=\"-ww -b -z\"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-
