1 /* $NetBSD: security.c,v 1.14 2021/03/07 00:23:06 christos Exp $ */
2 /* $FreeBSD: head/usr.sbin/rpcbind/security.c 262860 2014-03-06 17:33:27Z mav $ */
3
4 #include <sys/types.h>
5 #include <sys/time.h>
6 #include <sys/socket.h>
7 #include <netinet/in.h>
8 #include <arpa/inet.h>
9 #include <rpc/rpc.h>
10 #include <rpc/rpcb_prot.h>
11 #include <rpc/pmap_prot.h>
12 #include <err.h>
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <unistd.h>
17 #include <util.h>
18 #include <syslog.h>
19 #include <netdb.h>
20
21 /*
22 * XXX for special case checks in check_callit.
23 */
24 #include <rpcsvc/mount.h>
25 #include <rpcsvc/rquota.h>
26 #include <rpcsvc/nfs_prot.h>
27
28 #ifdef YP
29 #include <rpcsvc/yp.h>
30 #include <rpcsvc/ypclnt.h>
31 #include <rpcsvc/yppasswd.h>
32 #else
33 /* Define enough to compile. */
34 #define YPBINDPROG ((unsigned long)100007)
35 #define YPBINDPROC_SETDOM ((unsigned long)2)
36 #define YPPROG ((unsigned long)100004)
37 #define YPPROC_FIRST ((unsigned long)4)
38 #define YPPROC_NEXT ((unsigned long)5)
39 #define YPPROC_MATCH ((unsigned long)3)
40 #define YPPROC_ALL ((unsigned long)8)
41 #define YPPASSWDPROG ((unsigned long)100009)
42 #endif
43
44 #include "rpcbind.h"
45
46 #ifdef LIBWRAP
47 # include <tcpd.h>
48 #ifndef LIBWRAP_ALLOW_FACILITY
49 # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
50 #endif
51 #ifndef LIBWRAP_ALLOW_SEVERITY
52 # define LIBWRAP_ALLOW_SEVERITY LOG_INFO
53 #endif
54 #ifndef LIBWRAP_DENY_FACILITY
55 # define LIBWRAP_DENY_FACILITY LOG_AUTH
56 #endif
57 #ifndef LIBWRAP_DENY_SEVERITY
58 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
59 #endif
60 int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
61 int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
62 #endif
63
64 #ifndef PORTMAP_LOG_FACILITY
65 # define PORTMAP_LOG_FACILITY LOG_AUTH
66 #endif
67 #ifndef PORTMAP_LOG_SEVERITY
68 # define PORTMAP_LOG_SEVERITY LOG_INFO
69 #endif
70 int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY;
71
72 extern int verboselog;
73
74 int
check_access(SVCXPRT * xprt,rpcproc_t proc,void * args,unsigned int rpcbvers)75 check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers)
76 {
77 struct netbuf *caller = svc_getrpccaller(xprt);
78 struct sockaddr *addr = (struct sockaddr *)caller->buf;
79 #ifdef LIBWRAP
80 struct request_info req;
81 #endif
82 rpcprog_t prog = 0;
83 rpcb *rpcbp;
84 struct pmap *pmap;
85
86 /*
87 * The older PMAP_* equivalents have the same numbers, so
88 * they are accounted for here as well.
89 */
90 switch (proc) {
91 case RPCBPROC_GETADDR:
92 case RPCBPROC_SET:
93 case RPCBPROC_UNSET:
94 if (rpcbvers > PMAPVERS) {
95 rpcbp = (rpcb *)args;
96 prog = rpcbp->r_prog;
97 } else {
98 pmap = (struct pmap *)args;
99 prog = pmap->pm_prog;
100 }
101 if (proc == RPCBPROC_GETADDR)
102 break;
103 if (!insecure && !is_loopback(caller)) {
104 if (verboselog)
105 logit(log_severity, addr, proc, prog,
106 " declined (non-loopback sender)");
107 return 0;
108 }
109 break;
110 case RPCBPROC_CALLIT:
111 case RPCBPROC_INDIRECT:
112 case RPCBPROC_DUMP:
113 case RPCBPROC_GETTIME:
114 case RPCBPROC_UADDR2TADDR:
115 case RPCBPROC_TADDR2UADDR:
116 case RPCBPROC_GETVERSADDR:
117 case RPCBPROC_GETADDRLIST:
118 case RPCBPROC_GETSTAT:
119 default:
120 break;
121 }
122
123 #ifdef LIBWRAP
124 if (libwrap && addr->sa_family != AF_LOCAL) {
125 request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr,
126 RQ_FILE, xprt->xp_fd, NULL);
127 sock_methods(&req);
128 if(!hosts_access(&req)) {
129 logit(deny_severity, addr, proc, prog,
130 ": request from unauthorized host");
131 return 0;
132 }
133 }
134 #endif
135 if (verboselog)
136 logit(log_severity, addr, proc, prog, "");
137 return 1;
138 }
139
140 int
is_loopback(struct netbuf * nbuf)141 is_loopback(struct netbuf *nbuf)
142 {
143 struct sockaddr *addr = (struct sockaddr *)nbuf->buf;
144 struct sockaddr_in *sin;
145 #ifdef INET6
146 struct sockaddr_in6 *sin6;
147 #endif
148
149 switch (addr->sa_family) {
150 case AF_INET:
151 if (!oldstyle_local)
152 return 0;
153 sin = (struct sockaddr_in *)addr;
154 return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
155 (ntohs(sin->sin_port) < IPPORT_RESERVED));
156 #ifdef INET6
157 case AF_INET6:
158 if (!oldstyle_local)
159 return 0;
160 sin6 = (struct sockaddr_in6 *)addr;
161 return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
162 (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED));
163 #endif
164 case AF_LOCAL:
165 return 1;
166 default:
167 break;
168 }
169
170 return 0;
171 }
172
173
174 /* logit - report events of interest via the syslog daemon */
175 void
logit(int severity,struct sockaddr * addr,rpcproc_t procnum,rpcprog_t prognum,const char * text)176 logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum,
177 const char *text)
178 {
179 const char *procname;
180 char procbuf[32];
181 char *progname;
182 char progbuf[32];
183 char fromname[NI_MAXHOST];
184 struct rpcent *rpc;
185 static const char *procmap[] = {
186 /* RPCBPROC_NULL */ "null",
187 /* RPCBPROC_SET */ "set",
188 /* RPCBPROC_UNSET */ "unset",
189 /* RPCBPROC_GETADDR */ "getport/addr",
190 /* RPCBPROC_DUMP */ "dump",
191 /* RPCBPROC_CALLIT */ "callit",
192 /* RPCBPROC_GETTIME */ "gettime",
193 /* RPCBPROC_UADDR2TADDR */ "uaddr2taddr",
194 /* RPCBPROC_TADDR2UADDR */ "taddr2uaddr",
195 /* RPCBPROC_GETVERSADDR */ "getversaddr",
196 /* RPCBPROC_INDIRECT */ "indirect",
197 /* RPCBPROC_GETADDRLIST */ "getaddrlist",
198 /* RPCBPROC_GETSTAT */ "getstat"
199 };
200
201 /*
202 * Fork off a process or the portmap daemon might hang while
203 * getrpcbynumber() or syslog() does its thing.
204 */
205
206 if (fork() == 0) {
207 setproctitle("logit");
208
209 /* Try to map program number to name. */
210
211 if (prognum == 0) {
212 progname = __UNCONST("");
213 } else if ((rpc = getrpcbynumber((int) prognum))) {
214 progname = rpc->r_name;
215 } else {
216 snprintf(progname = progbuf, sizeof(progbuf), "%u",
217 (unsigned)prognum);
218 }
219
220 /* Try to map procedure number to name. */
221
222 if (procnum >= (sizeof procmap / sizeof (char *))) {
223 snprintf(procbuf, sizeof procbuf, "%u",
224 (unsigned)procnum);
225 procname = procbuf;
226 } else
227 procname = procmap[procnum];
228
229 /* Write syslog record. */
230
231 if (addr->sa_family == AF_LOCAL)
232 strlcpy(fromname, "local", sizeof(fromname));
233 else
234 getnameinfo(addr, addr->sa_len, fromname,
235 sizeof fromname, NULL, 0, NI_NUMERICHOST);
236
237 syslog(severity, "connect from %s to %s(%s)%s",
238 fromname, procname, progname, text);
239 _exit(0);
240 }
241 }
242
243 int
check_callit(SVCXPRT * xprt,struct r_rmtcall_args * args,int versnum __unused)244 check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum __unused)
245 {
246 struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf;
247
248 /*
249 * Always allow calling NULLPROC
250 */
251 if (args->rmt_proc == 0)
252 return 1;
253
254 /*
255 * XXX - this special casing sucks.
256 */
257 switch (args->rmt_prog) {
258 case RPCBPROG:
259 /*
260 * Allow indirect calls to ourselves in insecure mode.
261 * The is_loopback checks aren't useful then anyway.
262 */
263 if (!insecure)
264 goto deny;
265 break;
266 case MOUNTPROG:
267 if (args->rmt_proc != MOUNTPROC_MNT &&
268 args->rmt_proc != MOUNTPROC_UMNT)
269 break;
270 goto deny;
271 case YPBINDPROG:
272 if (args->rmt_proc != YPBINDPROC_SETDOM)
273 break;
274 /* FALLTHROUGH */
275 case YPPASSWDPROG:
276 case NFS_PROGRAM:
277 case RQUOTAPROG:
278 goto deny;
279 case YPPROG:
280 switch (args->rmt_proc) {
281 case YPPROC_ALL:
282 case YPPROC_MATCH:
283 case YPPROC_FIRST:
284 case YPPROC_NEXT:
285 goto deny;
286 default:
287 break;
288 }
289 default:
290 break;
291 }
292
293 return 1;
294 deny:
295 #ifdef LIBWRAP
296 logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
297 ": indirect call not allowed");
298 #else
299 logit(0, sa, args->rmt_proc, args->rmt_prog,
300 ": indirect call not allowed");
301 #endif
302 return 0;
303 }
304