1 /* $NetBSD: rcmd.c,v 1.63 2005/12/02 11:33:26 yamt Exp $ */ 2 3 /* 4 * Copyright (c) 1983, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #if defined(LIBC_SCCS) && !defined(lint) 34 #if 0 35 static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94"; 36 #else 37 __RCSID("$NetBSD: rcmd.c,v 1.63 2005/12/02 11:33:26 yamt Exp $"); 38 #endif 39 #endif /* LIBC_SCCS and not lint */ 40 41 #ifdef _LIBC 42 #include "namespace.h" 43 #endif 44 #include <sys/param.h> 45 #include <sys/socket.h> 46 #include <sys/stat.h> 47 #include <sys/poll.h> 48 #include <sys/wait.h> 49 50 #include <netinet/in.h> 51 #include <rpc/rpc.h> 52 #include <arpa/inet.h> 53 #include <netgroup.h> 54 55 #include <assert.h> 56 #include <ctype.h> 57 #include <err.h> 58 #include <errno.h> 59 #include <fcntl.h> 60 #include <grp.h> 61 #include <netdb.h> 62 #include <paths.h> 63 #include <pwd.h> 64 #include <signal.h> 65 #include <stdio.h> 66 #include <stdlib.h> 67 #include <string.h> 68 #include <syslog.h> 69 #include <unistd.h> 70 71 #include "pathnames.h" 72 73 int orcmd __P((char **, u_int, const char *, const char *, const char *, 74 int *)); 75 int orcmd_af __P((char **, u_int, const char *, const char *, const char *, 76 int *, int)); 77 int __ivaliduser __P((FILE *, u_int32_t, const char *, const char *)); 78 int __ivaliduser_sa __P((FILE *, const struct sockaddr *, socklen_t, 79 const char *, const char *)); 80 static int rshrcmd __P((char **, u_int32_t, const char *, const char *, 81 const char *, int *, const char *)); 82 static int resrcmd __P((struct addrinfo *, char **, u_int32_t, const char *, 83 const char *, const char *, int *)); 84 static int __icheckhost __P((const struct sockaddr *, socklen_t, 85 const char *)); 86 static char *__gethostloop __P((const struct sockaddr *, socklen_t)); 87 88 int 89 rcmd(ahost, rport, locuser, remuser, cmd, fd2p) 90 char **ahost; 91 u_short rport; 92 const char *locuser, *remuser, *cmd; 93 int *fd2p; 94 { 95 96 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 97 } 98 99 int 100 rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, af) 101 char **ahost; 102 u_short rport; 103 const char *locuser, *remuser, *cmd; 104 int *fd2p; 105 int af; 106 { 107 static char hbuf[MAXHOSTNAMELEN]; 108 char pbuf[NI_MAXSERV]; 109 struct addrinfo hints, *res; 110 int error; 111 struct servent *sp; 112 113 _DIAGASSERT(ahost != NULL); 114 _DIAGASSERT(locuser != NULL); 115 _DIAGASSERT(remuser != NULL); 116 _DIAGASSERT(cmd != NULL); 117 /* fd2p may be NULL */ 118 119 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 120 memset(&hints, 0, sizeof(hints)); 121 hints.ai_family = af; 122 hints.ai_socktype = SOCK_STREAM; 123 hints.ai_flags = AI_CANONNAME; 124 error = getaddrinfo(*ahost, pbuf, &hints, &res); 125 if (error) { 126 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 127 return (-1); 128 } 129 if (res->ai_canonname) { 130 /* 131 * Canonicalise hostname. 132 * XXX: Should we really do this? 133 */ 134 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 135 *ahost = hbuf; 136 } 137 138 /* 139 * Check if rport is the same as the shell port, and that the fd2p. If 140 * it is not, the program isn't expecting 'rsh' and so we can't use the 141 * RCMD_CMD environment. 142 */ 143 sp = getservbyname("shell", "tcp"); 144 if (sp != NULL && sp->s_port == rport) 145 error = rshrcmd(ahost, (u_int32_t)rport, 146 locuser, remuser, cmd, fd2p, getenv("RCMD_CMD")); 147 else 148 error = resrcmd(res, ahost, (u_int32_t)rport, 149 locuser, remuser, cmd, fd2p); 150 freeaddrinfo(res); 151 return (error); 152 } 153 154 /* this is simply a wrapper around hprcmd() that handles ahost first */ 155 int 156 orcmd(ahost, rport, locuser, remuser, cmd, fd2p) 157 char **ahost; 158 u_int rport; 159 const char *locuser, *remuser, *cmd; 160 int *fd2p; 161 { 162 return orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 163 } 164 165 int 166 orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, af) 167 char **ahost; 168 u_int rport; 169 const char *locuser, *remuser, *cmd; 170 int *fd2p; 171 int af; 172 { 173 static char hbuf[MAXHOSTNAMELEN]; 174 char pbuf[NI_MAXSERV]; 175 struct addrinfo hints, *res; 176 int error; 177 178 _DIAGASSERT(ahost != NULL); 179 _DIAGASSERT(locuser != NULL); 180 _DIAGASSERT(remuser != NULL); 181 _DIAGASSERT(cmd != NULL); 182 /* fd2p may be NULL */ 183 184 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 185 memset(&hints, 0, sizeof(hints)); 186 hints.ai_family = af; 187 hints.ai_socktype = SOCK_STREAM; 188 hints.ai_flags = AI_CANONNAME; 189 error = getaddrinfo(*ahost, pbuf, &hints, &res); 190 if (error) { 191 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 192 return (-1); 193 } 194 if (res->ai_canonname) { 195 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 196 *ahost = hbuf; 197 } 198 199 error = resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p); 200 freeaddrinfo(res); 201 return (error); 202 } 203 204 /*ARGSUSED*/ 205 static int 206 resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p) 207 struct addrinfo *res; 208 char **ahost; 209 u_int32_t rport; 210 const char *locuser, *remuser, *cmd; 211 int *fd2p; 212 { 213 struct addrinfo *r; 214 struct sockaddr_storage from; 215 struct pollfd reads[2]; 216 sigset_t nmask, omask; 217 pid_t pid; 218 int s, lport, timo; 219 int pollr; 220 char c; 221 int refused; 222 223 _DIAGASSERT(res != NULL); 224 _DIAGASSERT(ahost != NULL); 225 _DIAGASSERT(locuser != NULL); 226 _DIAGASSERT(remuser != NULL); 227 _DIAGASSERT(cmd != NULL); 228 /* fd2p may be NULL */ 229 230 r = res; 231 refused = 0; 232 pid = getpid(); 233 sigemptyset(&nmask); 234 sigaddset(&nmask, SIGURG); 235 if (sigprocmask(SIG_BLOCK, &nmask, &omask) == -1) 236 return -1; 237 for (timo = 1, lport = IPPORT_RESERVED - 1;;) { 238 s = rresvport_af(&lport, r->ai_family); 239 if (s < 0) { 240 if (errno == EAGAIN) 241 warnx("rcmd: socket: All ports in use"); 242 else 243 warn("rcmd: socket"); 244 if (r->ai_next) { 245 r = r->ai_next; 246 continue; 247 } else { 248 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 249 return (-1); 250 } 251 } 252 fcntl(s, F_SETOWN, pid); 253 if (connect(s, r->ai_addr, r->ai_addrlen) >= 0) 254 break; 255 (void)close(s); 256 if (errno == EADDRINUSE) { 257 lport--; 258 continue; 259 } else if (errno == ECONNREFUSED) 260 refused++; 261 if (r->ai_next) { 262 int oerrno = errno; 263 char hbuf[NI_MAXHOST]; 264 const int niflags = NI_NUMERICHOST; 265 266 hbuf[0] = '\0'; 267 if (getnameinfo(r->ai_addr, r->ai_addrlen, 268 hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) 269 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 270 warnx("rcmd: connect to address %s", hbuf); 271 errno = oerrno; 272 perror(0); 273 r = r->ai_next; 274 hbuf[0] = '\0'; 275 if (getnameinfo(r->ai_addr, r->ai_addrlen, 276 hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) 277 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 278 (void)fprintf(stderr, "Trying %s...\n", hbuf); 279 continue; 280 } 281 if (refused && timo <= 16) { 282 (void)sleep((unsigned int)timo); 283 timo *= 2; 284 r = res; 285 refused = 0; 286 continue; 287 } 288 (void)fprintf(stderr, "%s: %s\n", res->ai_canonname, 289 strerror(errno)); 290 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 291 return (-1); 292 } 293 lport--; 294 if (fd2p == 0) { 295 write(s, "", 1); 296 lport = 0; 297 } else { 298 char num[8]; 299 int s2 = rresvport_af(&lport, r->ai_family), s3; 300 socklen_t len = sizeof(from); 301 302 if (s2 < 0) 303 goto bad; 304 listen(s2, 1); 305 (void)snprintf(num, sizeof(num), "%d", lport); 306 if (write(s, num, strlen(num) + 1) != 307 (ssize_t) (strlen(num) + 1)) { 308 warn("rcmd: write (setting up stderr)"); 309 (void)close(s2); 310 goto bad; 311 } 312 reads[0].fd = s; 313 reads[0].events = POLLIN; 314 reads[1].fd = s2; 315 reads[1].events = POLLIN; 316 errno = 0; 317 pollr = poll(reads, 2, INFTIM); 318 if (pollr < 1 || (reads[1].revents & POLLIN) == 0) { 319 if (errno != 0) 320 warn("poll: setting up stderr"); 321 else 322 warnx("poll: protocol failure in circuit setup"); 323 (void)close(s2); 324 goto bad; 325 } 326 s3 = accept(s2, (struct sockaddr *)(void *)&from, &len); 327 (void)close(s2); 328 if (s3 < 0) { 329 warn("rcmd: accept"); 330 lport = 0; 331 goto bad; 332 } 333 *fd2p = s3; 334 switch (((struct sockaddr *)(void *)&from)->sa_family) { 335 case AF_INET: 336 #ifdef INET6 337 case AF_INET6: 338 #endif 339 if (getnameinfo((struct sockaddr *)(void *)&from, len, 340 NULL, 0, num, sizeof(num), NI_NUMERICSERV) != 0 || 341 (atoi(num) >= IPPORT_RESERVED || 342 atoi(num) < IPPORT_RESERVED / 2)) { 343 warnx("rcmd: protocol failure in circuit setup."); 344 goto bad2; 345 } 346 break; 347 default: 348 break; 349 } 350 } 351 352 (void)write(s, locuser, strlen(locuser)+1); 353 (void)write(s, remuser, strlen(remuser)+1); 354 (void)write(s, cmd, strlen(cmd)+1); 355 if (read(s, &c, 1) != 1) { 356 warn("%s", *ahost); 357 goto bad2; 358 } 359 if (c != 0) { 360 while (read(s, &c, 1) == 1) { 361 (void)write(STDERR_FILENO, &c, 1); 362 if (c == '\n') 363 break; 364 } 365 goto bad2; 366 } 367 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 368 return (s); 369 bad2: 370 if (lport) 371 (void)close(*fd2p); 372 bad: 373 (void)close(s); 374 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 375 return (-1); 376 } 377 378 /* 379 * based on code written by Chris Siebenmann <cks@utcc.utoronto.ca> 380 */ 381 /* ARGSUSED */ 382 static int 383 rshrcmd(ahost, rport, locuser, remuser, cmd, fd2p, rshcmd) 384 char **ahost; 385 u_int32_t rport; 386 const char *locuser, *remuser, *cmd; 387 int *fd2p; 388 const char *rshcmd; 389 { 390 pid_t pid; 391 int sp[2], ep[2]; 392 char *p; 393 struct passwd *pw, pwres; 394 char pwbuf[1024]; 395 396 _DIAGASSERT(ahost != NULL); 397 _DIAGASSERT(locuser != NULL); 398 _DIAGASSERT(remuser != NULL); 399 _DIAGASSERT(cmd != NULL); 400 /* fd2p may be NULL */ 401 402 /* What rsh/shell to use. */ 403 if (rshcmd == NULL) 404 rshcmd = _PATH_BIN_RCMD; 405 406 /* locuser must exist on this host. */ 407 if (getpwnam_r(locuser, &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || 408 pw == NULL) { 409 warnx("rshrcmd: unknown user: %s", locuser); 410 return(-1); 411 } 412 413 /* get a socketpair we'll use for stdin and stdout. */ 414 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) { 415 warn("rshrcmd: socketpair"); 416 return (-1); 417 } 418 /* we will use this for the fd2 pointer */ 419 if (fd2p) { 420 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, ep) < 0) { 421 warn("rshrcmd: socketpair"); 422 return (-1); 423 } 424 *fd2p = ep[0]; 425 } 426 427 pid = fork(); 428 if (pid < 0) { 429 warn("rshrcmd: fork"); 430 return (-1); 431 } 432 if (pid == 0) { 433 /* 434 * child 435 * - we use sp[1] to be stdin/stdout, and close sp[0] 436 * - with fd2p, we use ep[1] for stderr, and close ep[0] 437 */ 438 (void)close(sp[0]); 439 if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) { 440 warn("rshrcmd: dup2"); 441 _exit(1); 442 } 443 if (fd2p) { 444 if (dup2(ep[1], 2) < 0) { 445 warn("rshrcmd: dup2"); 446 _exit(1); 447 } 448 (void)close(ep[0]); 449 (void)close(ep[1]); 450 } else if (dup2(0, 2) < 0) { 451 warn("rshrcmd: dup2"); 452 _exit(1); 453 } 454 /* fork again to lose parent. */ 455 pid = fork(); 456 if (pid < 0) { 457 warn("rshrcmd: second fork"); 458 _exit(1); 459 } 460 if (pid > 0) 461 _exit(0); 462 463 /* Orphan. Become local user for rshprog. */ 464 if (setuid(pw->pw_uid)) { 465 warn("rshrcmd: setuid(%lu)", (u_long)pw->pw_uid); 466 _exit(1); 467 } 468 469 /* 470 * If we are rcmd'ing to "localhost" as the same user as we are, 471 * then avoid running remote shell for efficiency. 472 */ 473 if (strcmp(*ahost, "localhost") == 0 && 474 strcmp(locuser, remuser) == 0) { 475 if (pw->pw_shell[0] == '\0') 476 rshcmd = _PATH_BSHELL; 477 else 478 rshcmd = pw->pw_shell; 479 p = strrchr(rshcmd, '/'); 480 execlp(rshcmd, p ? p + 1 : rshcmd, "-c", cmd, NULL); 481 } else { 482 p = strrchr(rshcmd, '/'); 483 execlp(rshcmd, p ? p + 1 : rshcmd, *ahost, "-l", 484 remuser, cmd, NULL); 485 } 486 warn("rshrcmd: exec %s", rshcmd); 487 _exit(1); 488 } 489 /* Parent */ 490 (void)close(sp[1]); 491 if (fd2p) 492 (void)close(ep[1]); 493 494 (void)waitpid(pid, NULL, 0); 495 return (sp[0]); 496 } 497 498 int 499 rresvport(alport) 500 int *alport; 501 { 502 503 _DIAGASSERT(alport != NULL); 504 505 return rresvport_af(alport, AF_INET); 506 } 507 508 int 509 rresvport_af(alport, family) 510 int *alport; 511 int family; 512 { 513 struct sockaddr_storage ss; 514 struct sockaddr *sa; 515 int salen; 516 int s; 517 u_int16_t *portp; 518 519 _DIAGASSERT(alport != NULL); 520 521 memset(&ss, 0, sizeof(ss)); 522 sa = (struct sockaddr *)(void *)&ss; 523 switch (family) { 524 case AF_INET: 525 #ifdef BSD4_4 526 sa->sa_len = 527 #endif 528 salen = sizeof(struct sockaddr_in); 529 portp = &((struct sockaddr_in *)(void *)sa)->sin_port; 530 break; 531 #ifdef INET6 532 case AF_INET6: 533 #ifdef BSD4_4 534 sa->sa_len = 535 #endif 536 salen = sizeof(struct sockaddr_in6); 537 portp = &((struct sockaddr_in6 *)(void *)sa)->sin6_port; 538 break; 539 #endif 540 default: 541 errno = EAFNOSUPPORT; 542 return (-1); 543 } 544 sa->sa_family = family; 545 s = socket(family, SOCK_STREAM, 0); 546 if (s < 0) 547 return (-1); 548 #ifdef BSD4_4 549 switch (family) { 550 case AF_INET: 551 case AF_INET6: 552 *portp = 0; 553 if (bindresvport(s, (struct sockaddr_in *)(void *)sa) < 0) { 554 int sverr = errno; 555 556 (void)close(s); 557 errno = sverr; 558 return (-1); 559 } 560 *alport = (int)ntohs(*portp); 561 return (s); 562 default: 563 /* is it necessary to try keep code for other AFs? */ 564 break; 565 } 566 #endif 567 for (;;) { 568 *portp = htons((u_short)*alport); 569 if (bind(s, sa, (socklen_t)salen) >= 0) 570 return (s); 571 if (errno != EADDRINUSE) { 572 (void)close(s); 573 return (-1); 574 } 575 (*alport)--; 576 if (*alport == IPPORT_RESERVED/2) { 577 (void)close(s); 578 errno = EAGAIN; /* close */ 579 return (-1); 580 } 581 } 582 } 583 584 int __check_rhosts_file = 1; 585 const char *__rcmd_errstr; 586 587 int 588 ruserok(rhost, superuser, ruser, luser) 589 const char *rhost, *ruser, *luser; 590 int superuser; 591 { 592 struct addrinfo hints, *res, *r; 593 int error; 594 595 _DIAGASSERT(rhost != NULL); 596 _DIAGASSERT(ruser != NULL); 597 _DIAGASSERT(luser != NULL); 598 599 memset(&hints, 0, sizeof(hints)); 600 hints.ai_family = PF_UNSPEC; 601 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 602 error = getaddrinfo(rhost, "0", &hints, &res); 603 if (error) 604 return (-1); 605 606 for (r = res; r; r = r->ai_next) { 607 if (iruserok_sa(r->ai_addr, (int)r->ai_addrlen, superuser, 608 ruser, luser) == 0) { 609 freeaddrinfo(res); 610 return (0); 611 } 612 } 613 freeaddrinfo(res); 614 return (-1); 615 } 616 617 /* 618 * New .rhosts strategy: We are passed an ip address. We spin through 619 * hosts.equiv and .rhosts looking for a match. When the .rhosts only 620 * has ip addresses, we don't have to trust a nameserver. When it 621 * contains hostnames, we spin through the list of addresses the nameserver 622 * gives us and look for a match. 623 * 624 * Returns 0 if ok, -1 if not ok. 625 */ 626 int 627 iruserok(raddr, superuser, ruser, luser) 628 u_int32_t raddr; 629 int superuser; 630 const char *ruser, *luser; 631 { 632 struct sockaddr_in irsin; 633 634 memset(&irsin, 0, sizeof(irsin)); 635 irsin.sin_family = AF_INET; 636 #ifdef BSD4_4 637 irsin.sin_len = sizeof(struct sockaddr_in); 638 #endif 639 memcpy(&irsin.sin_addr, &raddr, sizeof(irsin.sin_addr)); 640 return iruserok_sa(&irsin, sizeof(struct sockaddr_in), superuser, ruser, 641 luser); 642 } 643 644 /* 645 * 2nd and 3rd arguments are typed like this, to avoid dependency between 646 * unistd.h and sys/socket.h. There's no better way. 647 */ 648 int 649 iruserok_sa(raddr, rlen, superuser, ruser, luser) 650 const void *raddr; 651 int rlen; 652 int superuser; 653 const char *ruser, *luser; 654 { 655 const struct sockaddr *sa; 656 struct stat sbuf; 657 struct passwd *pwd, pwres; 658 FILE *hostf; 659 uid_t uid; 660 gid_t gid; 661 int isvaliduser; 662 char pbuf[MAXPATHLEN]; 663 char pwbuf[1024]; 664 665 _DIAGASSERT(raddr != NULL); 666 _DIAGASSERT(ruser != NULL); 667 _DIAGASSERT(luser != NULL); 668 669 sa = raddr; 670 671 __rcmd_errstr = NULL; 672 673 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r"); 674 675 if (hostf) { 676 if (__ivaliduser_sa(hostf, sa, (socklen_t)rlen, luser, 677 ruser) == 0) { 678 (void)fclose(hostf); 679 return (0); 680 } 681 (void)fclose(hostf); 682 } 683 684 isvaliduser = -1; 685 if (__check_rhosts_file || superuser) { 686 687 if (getpwnam_r(luser, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 688 || pwd == NULL) 689 return (-1); 690 (void)strlcpy(pbuf, pwd->pw_dir, sizeof(pbuf)); 691 (void)strlcat(pbuf, "/.rhosts", sizeof(pbuf)); 692 693 /* 694 * Change effective uid while opening and reading .rhosts. 695 * If root and reading an NFS mounted file system, can't 696 * read files that are protected read/write owner only. 697 */ 698 uid = geteuid(); 699 gid = getegid(); 700 (void)setegid(pwd->pw_gid); 701 initgroups(pwd->pw_name, pwd->pw_gid); 702 (void)seteuid(pwd->pw_uid); 703 hostf = fopen(pbuf, "r"); 704 705 if (hostf != NULL) { 706 /* 707 * If not a regular file, or is owned by someone other 708 * than user or root or if writable by anyone but the 709 * owner, quit. 710 */ 711 if (lstat(pbuf, &sbuf) < 0) 712 __rcmd_errstr = ".rhosts lstat failed"; 713 else if (!S_ISREG(sbuf.st_mode)) 714 __rcmd_errstr = ".rhosts not regular file"; 715 else if (fstat(fileno(hostf), &sbuf) < 0) 716 __rcmd_errstr = ".rhosts fstat failed"; 717 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) 718 __rcmd_errstr = "bad .rhosts owner"; 719 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH)) 720 __rcmd_errstr = 721 ".rhosts writable by other than owner"; 722 else 723 isvaliduser = 724 __ivaliduser_sa(hostf, sa, (socklen_t)rlen, 725 luser, ruser); 726 727 (void)fclose(hostf); 728 } 729 (void)seteuid(uid); 730 (void)setegid(gid); 731 732 } 733 return (isvaliduser); 734 } 735 736 /* 737 * XXX 738 * Don't make static, used by lpd(8). We will be able to change the function 739 * into static function, when we bump libc major #. 740 * 741 * Returns 0 if ok, -1 if not ok. 742 */ 743 #ifdef notdef /*_LIBC*/ 744 static 745 #endif 746 int 747 __ivaliduser(hostf, raddr, luser, ruser) 748 FILE *hostf; 749 u_int32_t raddr; 750 const char *luser, *ruser; 751 { 752 struct sockaddr_in ivusin; 753 754 memset(&ivusin, 0, sizeof(ivusin)); 755 ivusin.sin_family = AF_INET; 756 #ifdef BSD4_4 757 ivusin.sin_len = sizeof(struct sockaddr_in); 758 #endif 759 memcpy(&ivusin.sin_addr, &raddr, sizeof(ivusin.sin_addr)); 760 return __ivaliduser_sa(hostf, (struct sockaddr *)(void *)&ivusin, 761 sizeof(struct sockaddr_in), luser, ruser); 762 } 763 764 #ifdef notdef /*_LIBC*/ 765 static 766 #endif 767 int 768 __ivaliduser_sa(hostf, raddr, salen, luser, ruser) 769 FILE *hostf; 770 const struct sockaddr *raddr; 771 socklen_t salen; 772 const char *luser, *ruser; 773 { 774 register char *user, *p; 775 int ch; 776 char buf[MAXHOSTNAMELEN + 128]; /* host + login */ 777 const char *auser, *ahost; 778 int hostok, userok; 779 char *rhost = NULL; 780 int firsttime = 1; 781 char domain[MAXHOSTNAMELEN]; 782 783 getdomainname(domain, sizeof(domain)); 784 785 _DIAGASSERT(hostf != NULL); 786 _DIAGASSERT(luser != NULL); 787 _DIAGASSERT(ruser != NULL); 788 789 while (fgets(buf, sizeof(buf), hostf)) { 790 p = buf; 791 /* Skip lines that are too long. */ 792 if (strchr(p, '\n') == NULL) { 793 while ((ch = getc(hostf)) != '\n' && ch != EOF) 794 ; 795 continue; 796 } 797 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { 798 *p = isupper((unsigned char)*p) ? 799 tolower((unsigned char)*p) : *p; 800 p++; 801 } 802 if (*p == ' ' || *p == '\t') { 803 *p++ = '\0'; 804 while (*p == ' ' || *p == '\t') 805 p++; 806 user = p; 807 while (*p != '\n' && *p != ' ' && 808 *p != '\t' && *p != '\0') 809 p++; 810 } else 811 user = p; 812 *p = '\0'; 813 814 if (p == buf) 815 continue; 816 817 auser = *user ? user : luser; 818 ahost = buf; 819 820 if (ahost[0] == '+') 821 switch (ahost[1]) { 822 case '\0': 823 hostok = 1; 824 break; 825 826 case '@': 827 if (firsttime) { 828 rhost = __gethostloop(raddr, salen); 829 firsttime = 0; 830 } 831 if (rhost) 832 hostok = innetgr(&ahost[2], rhost, 833 NULL, domain); 834 else 835 hostok = 0; 836 break; 837 838 default: 839 hostok = __icheckhost(raddr, salen, &ahost[1]); 840 break; 841 } 842 else if (ahost[0] == '-') 843 switch (ahost[1]) { 844 case '\0': 845 hostok = -1; 846 break; 847 848 case '@': 849 if (firsttime) { 850 rhost = __gethostloop(raddr, salen); 851 firsttime = 0; 852 } 853 if (rhost) 854 hostok = -innetgr(&ahost[2], rhost, 855 NULL, domain); 856 else 857 hostok = 0; 858 break; 859 860 default: 861 hostok = -__icheckhost(raddr, salen, &ahost[1]); 862 break; 863 } 864 else 865 hostok = __icheckhost(raddr, salen, ahost); 866 867 868 if (auser[0] == '+') 869 switch (auser[1]) { 870 case '\0': 871 userok = 1; 872 break; 873 874 case '@': 875 userok = innetgr(&auser[2], NULL, ruser, 876 domain); 877 break; 878 879 default: 880 userok = strcmp(ruser, &auser[1]) == 0; 881 break; 882 } 883 else if (auser[0] == '-') 884 switch (auser[1]) { 885 case '\0': 886 userok = -1; 887 break; 888 889 case '@': 890 userok = -innetgr(&auser[2], NULL, ruser, 891 domain); 892 break; 893 894 default: 895 userok = 896 -(strcmp(ruser, &auser[1]) == 0 ? 1 : 0); 897 break; 898 } 899 else 900 userok = strcmp(ruser, auser) == 0; 901 902 /* Check if one component did not match */ 903 if (hostok == 0 || userok == 0) 904 continue; 905 906 /* Check if we got a forbidden pair */ 907 if (userok == -1 || hostok == -1) 908 return -1; 909 910 /* Check if we got a valid pair */ 911 if (hostok == 1 && userok == 1) 912 return 0; 913 } 914 return -1; 915 } 916 917 /* 918 * Returns "true" if match, 0 if no match. 919 */ 920 static int 921 __icheckhost(raddr, salen, lhost) 922 const struct sockaddr *raddr; 923 socklen_t salen; 924 const char *lhost; 925 { 926 struct addrinfo hints, *res, *r; 927 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 928 int error; 929 const int niflags = NI_NUMERICHOST; 930 931 _DIAGASSERT(raddr != NULL); 932 _DIAGASSERT(lhost != NULL); 933 934 h1[0] = '\0'; 935 if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, 936 niflags) != 0) 937 return (0); 938 939 /* Resolve laddr into sockaddr */ 940 memset(&hints, 0, sizeof(hints)); 941 hints.ai_family = raddr->sa_family; 942 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 943 res = NULL; 944 error = getaddrinfo(lhost, "0", &hints, &res); 945 if (error) 946 return (0); 947 948 /* 949 * Try string comparisons between raddr and laddr. 950 */ 951 for (r = res; r; r = r->ai_next) { 952 h2[0] = '\0'; 953 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), 954 NULL, 0, niflags) != 0) 955 continue; 956 if (strcmp(h1, h2) == 0) { 957 freeaddrinfo(res); 958 return (1); 959 } 960 } 961 962 /* No match. */ 963 freeaddrinfo(res); 964 return (0); 965 } 966 967 /* 968 * Return the hostname associated with the supplied address. 969 * Do a reverse lookup as well for security. If a loop cannot 970 * be found, pack the numeric IP address into the string. 971 */ 972 static char * 973 __gethostloop(raddr, salen) 974 const struct sockaddr *raddr; 975 socklen_t salen; 976 { 977 static char remotehost[NI_MAXHOST]; 978 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 979 struct addrinfo hints, *res, *r; 980 int error; 981 const int niflags = NI_NUMERICHOST; 982 983 _DIAGASSERT(raddr != NULL); 984 985 h1[0] = remotehost[0] = '\0'; 986 if (getnameinfo(raddr, salen, remotehost, sizeof(remotehost), 987 NULL, 0, NI_NAMEREQD) != 0) 988 return (NULL); 989 if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, 990 niflags) != 0) 991 return (NULL); 992 993 /* 994 * Look up the name and check that the supplied 995 * address is in the list 996 */ 997 memset(&hints, 0, sizeof(hints)); 998 hints.ai_family = raddr->sa_family; 999 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 1000 hints.ai_flags = AI_CANONNAME; 1001 res = NULL; 1002 error = getaddrinfo(remotehost, "0", &hints, &res); 1003 if (error) 1004 return (NULL); 1005 1006 for (r = res; r; r = r->ai_next) { 1007 h2[0] = '\0'; 1008 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), 1009 NULL, 0, niflags) != 0) 1010 continue; 1011 if (strcmp(h1, h2) == 0) { 1012 freeaddrinfo(res); 1013 return (remotehost); 1014 } 1015 } 1016 1017 /* 1018 * either the DNS adminstrator has made a configuration 1019 * mistake, or someone has attempted to spoof us 1020 */ 1021 syslog(LOG_NOTICE, "rcmd: address %s not listed for host %s", 1022 h1, res->ai_canonname ? res->ai_canonname : remotehost); 1023 freeaddrinfo(res); 1024 return (NULL); 1025 } 1026