xref: /dflybsd-src/usr.sbin/rpcbind/security.c (revision 86d7f5d305c6adaa56ff4582ece9859d73106103) 
1*86d7f5d3SJohn Marino /*	$NetBSD: security.c,v 1.5 2000/06/08 09:01:05 fvdl Exp $	*/
2*86d7f5d3SJohn Marino /*	$FreeBSD: src/usr.sbin/rpcbind/security.c,v 1.6 2002/12/16 22:24:26 mbr Exp $ */
3*86d7f5d3SJohn Marino 
4*86d7f5d3SJohn Marino #include <sys/types.h>
5*86d7f5d3SJohn Marino #include <sys/time.h>
6*86d7f5d3SJohn Marino #include <sys/socket.h>
7*86d7f5d3SJohn Marino #include <netinet/in.h>
8*86d7f5d3SJohn Marino #include <arpa/inet.h>
9*86d7f5d3SJohn Marino #include <rpc/rpc.h>
10*86d7f5d3SJohn Marino #include <rpc/rpcb_prot.h>
11*86d7f5d3SJohn Marino #include <rpc/pmap_prot.h>
12*86d7f5d3SJohn Marino #include <err.h>
13*86d7f5d3SJohn Marino #include <stdio.h>
14*86d7f5d3SJohn Marino #include <stdlib.h>
15*86d7f5d3SJohn Marino #include <string.h>
16*86d7f5d3SJohn Marino #include <unistd.h>
17*86d7f5d3SJohn Marino #include <libutil.h>
18*86d7f5d3SJohn Marino #include <syslog.h>
19*86d7f5d3SJohn Marino #include <netdb.h>
20*86d7f5d3SJohn Marino 
21*86d7f5d3SJohn Marino /*
22*86d7f5d3SJohn Marino  * XXX for special case checks in check_callit.
23*86d7f5d3SJohn Marino  */
24*86d7f5d3SJohn Marino #include <rpcsvc/mount.h>
25*86d7f5d3SJohn Marino #include <rpcsvc/rquota.h>
26*86d7f5d3SJohn Marino #include <rpcsvc/nfs_prot.h>
27*86d7f5d3SJohn Marino #include <rpcsvc/yp.h>
28*86d7f5d3SJohn Marino #include <rpcsvc/ypclnt.h>
29*86d7f5d3SJohn Marino #include <rpcsvc/yppasswd.h>
30*86d7f5d3SJohn Marino 
31*86d7f5d3SJohn Marino #include "rpcbind.h"
32*86d7f5d3SJohn Marino 
33*86d7f5d3SJohn Marino #ifdef LIBWRAP
34*86d7f5d3SJohn Marino # include <tcpd.h>
35*86d7f5d3SJohn Marino #ifndef LIBWRAP_ALLOW_FACILITY
36*86d7f5d3SJohn Marino # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
37*86d7f5d3SJohn Marino #endif
38*86d7f5d3SJohn Marino #ifndef LIBWRAP_ALLOW_SEVERITY
39*86d7f5d3SJohn Marino # define LIBWRAP_ALLOW_SEVERITY LOG_INFO
40*86d7f5d3SJohn Marino #endif
41*86d7f5d3SJohn Marino #ifndef LIBWRAP_DENY_FACILITY
42*86d7f5d3SJohn Marino # define LIBWRAP_DENY_FACILITY LOG_AUTH
43*86d7f5d3SJohn Marino #endif
44*86d7f5d3SJohn Marino #ifndef LIBWRAP_DENY_SEVERITY
45*86d7f5d3SJohn Marino # define LIBWRAP_DENY_SEVERITY LOG_WARNING
46*86d7f5d3SJohn Marino #endif
47*86d7f5d3SJohn Marino int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
48*86d7f5d3SJohn Marino int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
49*86d7f5d3SJohn Marino #endif
50*86d7f5d3SJohn Marino 
51*86d7f5d3SJohn Marino #ifndef PORTMAP_LOG_FACILITY
52*86d7f5d3SJohn Marino # define PORTMAP_LOG_FACILITY LOG_AUTH
53*86d7f5d3SJohn Marino #endif
54*86d7f5d3SJohn Marino #ifndef PORTMAP_LOG_SEVERITY
55*86d7f5d3SJohn Marino # define PORTMAP_LOG_SEVERITY LOG_INFO
56*86d7f5d3SJohn Marino #endif
57*86d7f5d3SJohn Marino int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY;
58*86d7f5d3SJohn Marino 
59*86d7f5d3SJohn Marino extern int verboselog;
60*86d7f5d3SJohn Marino 
61*86d7f5d3SJohn Marino int
check_access(SVCXPRT * xprt,rpcproc_t proc,void * args,unsigned int rpcbvers)62*86d7f5d3SJohn Marino check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers)
63*86d7f5d3SJohn Marino {
64*86d7f5d3SJohn Marino 	struct netbuf *caller = svc_getrpccaller(xprt);
65*86d7f5d3SJohn Marino 	struct sockaddr *addr = (struct sockaddr *)caller->buf;
66*86d7f5d3SJohn Marino #ifdef LIBWRAP
67*86d7f5d3SJohn Marino 	struct request_info req;
68*86d7f5d3SJohn Marino #endif
69*86d7f5d3SJohn Marino 	rpcprog_t prog = 0;
70*86d7f5d3SJohn Marino 	rpcb *rpcbp;
71*86d7f5d3SJohn Marino 	struct pmap *pmap;
72*86d7f5d3SJohn Marino 
73*86d7f5d3SJohn Marino 	/*
74*86d7f5d3SJohn Marino 	 * The older PMAP_* equivalents have the same numbers, so
75*86d7f5d3SJohn Marino 	 * they are accounted for here as well.
76*86d7f5d3SJohn Marino 	 */
77*86d7f5d3SJohn Marino 	switch (proc) {
78*86d7f5d3SJohn Marino 	case RPCBPROC_GETADDR:
79*86d7f5d3SJohn Marino 	case RPCBPROC_SET:
80*86d7f5d3SJohn Marino 	case RPCBPROC_UNSET:
81*86d7f5d3SJohn Marino 		if (rpcbvers > PMAPVERS) {
82*86d7f5d3SJohn Marino 			rpcbp = (rpcb *)args;
83*86d7f5d3SJohn Marino 			prog = rpcbp->r_prog;
84*86d7f5d3SJohn Marino 		} else {
85*86d7f5d3SJohn Marino 			pmap = (struct pmap *)args;
86*86d7f5d3SJohn Marino 			prog = pmap->pm_prog;
87*86d7f5d3SJohn Marino 		}
88*86d7f5d3SJohn Marino 		if (proc == RPCBPROC_GETADDR)
89*86d7f5d3SJohn Marino 			break;
90*86d7f5d3SJohn Marino 		if (!insecure && !is_loopback(caller)) {
91*86d7f5d3SJohn Marino 			if (verboselog)
92*86d7f5d3SJohn Marino 				logit(log_severity, addr, proc, prog,
93*86d7f5d3SJohn Marino 				    " declined (non-loopback sender)");
94*86d7f5d3SJohn Marino 			return 0;
95*86d7f5d3SJohn Marino 		}
96*86d7f5d3SJohn Marino 		break;
97*86d7f5d3SJohn Marino 	case RPCBPROC_CALLIT:
98*86d7f5d3SJohn Marino 	case RPCBPROC_INDIRECT:
99*86d7f5d3SJohn Marino 	case RPCBPROC_DUMP:
100*86d7f5d3SJohn Marino 	case RPCBPROC_GETTIME:
101*86d7f5d3SJohn Marino 	case RPCBPROC_UADDR2TADDR:
102*86d7f5d3SJohn Marino 	case RPCBPROC_TADDR2UADDR:
103*86d7f5d3SJohn Marino 	case RPCBPROC_GETVERSADDR:
104*86d7f5d3SJohn Marino 	case RPCBPROC_GETADDRLIST:
105*86d7f5d3SJohn Marino 	case RPCBPROC_GETSTAT:
106*86d7f5d3SJohn Marino 	default:
107*86d7f5d3SJohn Marino 		break;
108*86d7f5d3SJohn Marino 	}
109*86d7f5d3SJohn Marino 
110*86d7f5d3SJohn Marino #ifdef LIBWRAP
111*86d7f5d3SJohn Marino 	if (addr->sa_family == AF_LOCAL)
112*86d7f5d3SJohn Marino 		return 1;
113*86d7f5d3SJohn Marino 	request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0);
114*86d7f5d3SJohn Marino 	sock_methods(&req);
115*86d7f5d3SJohn Marino 	if(!hosts_access(&req)) {
116*86d7f5d3SJohn Marino 		logit(deny_severity, addr, proc, prog, ": request from unauthorized host");
117*86d7f5d3SJohn Marino 		return 0;
118*86d7f5d3SJohn Marino 	}
119*86d7f5d3SJohn Marino #endif
120*86d7f5d3SJohn Marino 	if (verboselog)
121*86d7f5d3SJohn Marino 		logit(log_severity, addr, proc, prog, "");
122*86d7f5d3SJohn Marino 	return 1;
123*86d7f5d3SJohn Marino }
124*86d7f5d3SJohn Marino 
125*86d7f5d3SJohn Marino int
is_loopback(struct netbuf * nbuf)126*86d7f5d3SJohn Marino is_loopback(struct netbuf *nbuf)
127*86d7f5d3SJohn Marino {
128*86d7f5d3SJohn Marino 	struct sockaddr *addr = (struct sockaddr *)nbuf->buf;
129*86d7f5d3SJohn Marino 	struct sockaddr_in *sin;
130*86d7f5d3SJohn Marino #ifdef INET6
131*86d7f5d3SJohn Marino 	struct sockaddr_in6 *sin6;
132*86d7f5d3SJohn Marino #endif
133*86d7f5d3SJohn Marino 
134*86d7f5d3SJohn Marino 	switch (addr->sa_family) {
135*86d7f5d3SJohn Marino 	case AF_INET:
136*86d7f5d3SJohn Marino 		if (!oldstyle_local)
137*86d7f5d3SJohn Marino 			return 0;
138*86d7f5d3SJohn Marino 		sin = (struct sockaddr_in *)addr;
139*86d7f5d3SJohn Marino 		return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
140*86d7f5d3SJohn Marino 		    (ntohs(sin->sin_port) < IPPORT_RESERVED));
141*86d7f5d3SJohn Marino #ifdef INET6
142*86d7f5d3SJohn Marino 	case AF_INET6:
143*86d7f5d3SJohn Marino 		if (!oldstyle_local)
144*86d7f5d3SJohn Marino 			return 0;
145*86d7f5d3SJohn Marino 		sin6 = (struct sockaddr_in6 *)addr;
146*86d7f5d3SJohn Marino 		return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
147*86d7f5d3SJohn Marino 		    (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED));
148*86d7f5d3SJohn Marino #endif
149*86d7f5d3SJohn Marino 	case AF_LOCAL:
150*86d7f5d3SJohn Marino 		return 1;
151*86d7f5d3SJohn Marino 	default:
152*86d7f5d3SJohn Marino 		break;
153*86d7f5d3SJohn Marino 	}
154*86d7f5d3SJohn Marino 
155*86d7f5d3SJohn Marino 	return 0;
156*86d7f5d3SJohn Marino }
157*86d7f5d3SJohn Marino 
158*86d7f5d3SJohn Marino 
159*86d7f5d3SJohn Marino /* logit - report events of interest via the syslog daemon */
160*86d7f5d3SJohn Marino void
logit(int severity,struct sockaddr * addr,rpcproc_t procnum,rpcprog_t prognum,const char * text)161*86d7f5d3SJohn Marino logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum,
162*86d7f5d3SJohn Marino       const char *text)
163*86d7f5d3SJohn Marino {
164*86d7f5d3SJohn Marino 	const char *procname;
165*86d7f5d3SJohn Marino 	char	procbuf[32];
166*86d7f5d3SJohn Marino 	char   *progname;
167*86d7f5d3SJohn Marino 	char	progbuf[32];
168*86d7f5d3SJohn Marino 	char fromname[NI_MAXHOST];
169*86d7f5d3SJohn Marino 	struct rpcent *rpc;
170*86d7f5d3SJohn Marino 	static const char *procmap[] = {
171*86d7f5d3SJohn Marino 	/* RPCBPROC_NULL */		"null",
172*86d7f5d3SJohn Marino 	/* RPCBPROC_SET */		"set",
173*86d7f5d3SJohn Marino 	/* RPCBPROC_UNSET */		"unset",
174*86d7f5d3SJohn Marino 	/* RPCBPROC_GETADDR */		"getport/addr",
175*86d7f5d3SJohn Marino 	/* RPCBPROC_DUMP */		"dump",
176*86d7f5d3SJohn Marino 	/* RPCBPROC_CALLIT */		"callit",
177*86d7f5d3SJohn Marino 	/* RPCBPROC_GETTIME */		"gettime",
178*86d7f5d3SJohn Marino 	/* RPCBPROC_UADDR2TADDR */	"uaddr2taddr",
179*86d7f5d3SJohn Marino 	/* RPCBPROC_TADDR2UADDR */	"taddr2uaddr",
180*86d7f5d3SJohn Marino 	/* RPCBPROC_GETVERSADDR */	"getversaddr",
181*86d7f5d3SJohn Marino 	/* RPCBPROC_INDIRECT */		"indirect",
182*86d7f5d3SJohn Marino 	/* RPCBPROC_GETADDRLIST */	"getaddrlist",
183*86d7f5d3SJohn Marino 	/* RPCBPROC_GETSTAT */		"getstat"
184*86d7f5d3SJohn Marino 	};
185*86d7f5d3SJohn Marino 
186*86d7f5d3SJohn Marino 	/*
187*86d7f5d3SJohn Marino 	 * Fork off a process or the portmap daemon might hang while
188*86d7f5d3SJohn Marino 	 * getrpcbynumber() or syslog() does its thing.
189*86d7f5d3SJohn Marino 	 */
190*86d7f5d3SJohn Marino 
191*86d7f5d3SJohn Marino 	if (fork() == 0) {
192*86d7f5d3SJohn Marino 		setproctitle("logit");
193*86d7f5d3SJohn Marino 
194*86d7f5d3SJohn Marino 		/* Try to map program number to name. */
195*86d7f5d3SJohn Marino 
196*86d7f5d3SJohn Marino 		if (prognum == 0) {
197*86d7f5d3SJohn Marino 			progname = "";
198*86d7f5d3SJohn Marino 		} else if ((rpc = getrpcbynumber((int) prognum))) {
199*86d7f5d3SJohn Marino 			progname = rpc->r_name;
200*86d7f5d3SJohn Marino 		} else {
201*86d7f5d3SJohn Marino 			snprintf(progname = progbuf, sizeof(progbuf), "%u",
202*86d7f5d3SJohn Marino 			    (unsigned)prognum);
203*86d7f5d3SJohn Marino 		}
204*86d7f5d3SJohn Marino 
205*86d7f5d3SJohn Marino 		/* Try to map procedure number to name. */
206*86d7f5d3SJohn Marino 
207*86d7f5d3SJohn Marino 		if (procnum >= (sizeof procmap / sizeof (char *))) {
208*86d7f5d3SJohn Marino 			snprintf(procbuf, sizeof procbuf, "%u",
209*86d7f5d3SJohn Marino 			    (unsigned)procnum);
210*86d7f5d3SJohn Marino 			procname = procbuf;
211*86d7f5d3SJohn Marino 		} else
212*86d7f5d3SJohn Marino 			procname = procmap[procnum];
213*86d7f5d3SJohn Marino 
214*86d7f5d3SJohn Marino 		/* Write syslog record. */
215*86d7f5d3SJohn Marino 
216*86d7f5d3SJohn Marino 		if (addr->sa_family == AF_LOCAL)
217*86d7f5d3SJohn Marino 			strcpy(fromname, "local");
218*86d7f5d3SJohn Marino 		else
219*86d7f5d3SJohn Marino 			getnameinfo(addr, addr->sa_len, fromname,
220*86d7f5d3SJohn Marino 			    sizeof fromname, NULL, 0, NI_NUMERICHOST);
221*86d7f5d3SJohn Marino 
222*86d7f5d3SJohn Marino 		syslog(severity, "connect from %s to %s(%s)%s",
223*86d7f5d3SJohn Marino 			fromname, procname, progname, text);
224*86d7f5d3SJohn Marino 		_exit(0);
225*86d7f5d3SJohn Marino 	}
226*86d7f5d3SJohn Marino }
227*86d7f5d3SJohn Marino 
228*86d7f5d3SJohn Marino int
check_callit(SVCXPRT * xprt,struct r_rmtcall_args * args,int versnum __unused)229*86d7f5d3SJohn Marino check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum __unused)
230*86d7f5d3SJohn Marino {
231*86d7f5d3SJohn Marino 	struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf;
232*86d7f5d3SJohn Marino 
233*86d7f5d3SJohn Marino 	/*
234*86d7f5d3SJohn Marino 	 * Always allow calling NULLPROC
235*86d7f5d3SJohn Marino 	 */
236*86d7f5d3SJohn Marino 	if (args->rmt_proc == 0)
237*86d7f5d3SJohn Marino 		return 1;
238*86d7f5d3SJohn Marino 
239*86d7f5d3SJohn Marino 	/*
240*86d7f5d3SJohn Marino 	 * XXX - this special casing sucks.
241*86d7f5d3SJohn Marino 	 */
242*86d7f5d3SJohn Marino 	switch (args->rmt_prog) {
243*86d7f5d3SJohn Marino 	case RPCBPROG:
244*86d7f5d3SJohn Marino 		/*
245*86d7f5d3SJohn Marino 		 * Allow indirect calls to ourselves in insecure mode.
246*86d7f5d3SJohn Marino 		 * The is_loopback checks aren't useful then anyway.
247*86d7f5d3SJohn Marino 		 */
248*86d7f5d3SJohn Marino 		if (!insecure)
249*86d7f5d3SJohn Marino 			goto deny;
250*86d7f5d3SJohn Marino 		break;
251*86d7f5d3SJohn Marino 	case MOUNTPROG:
252*86d7f5d3SJohn Marino 		if (args->rmt_proc != MOUNTPROC_MNT &&
253*86d7f5d3SJohn Marino 		    args->rmt_proc != MOUNTPROC_UMNT)
254*86d7f5d3SJohn Marino 			break;
255*86d7f5d3SJohn Marino 		goto deny;
256*86d7f5d3SJohn Marino 	case YPBINDPROG:
257*86d7f5d3SJohn Marino 		if (args->rmt_proc != YPBINDPROC_SETDOM)
258*86d7f5d3SJohn Marino 			break;
259*86d7f5d3SJohn Marino 		/* FALLTHROUGH */
260*86d7f5d3SJohn Marino 	case YPPASSWDPROG:
261*86d7f5d3SJohn Marino 	case NFS_PROGRAM:
262*86d7f5d3SJohn Marino 	case RQUOTAPROG:
263*86d7f5d3SJohn Marino 		goto deny;
264*86d7f5d3SJohn Marino 	case YPPROG:
265*86d7f5d3SJohn Marino 		switch (args->rmt_proc) {
266*86d7f5d3SJohn Marino 		case YPPROC_ALL:
267*86d7f5d3SJohn Marino 		case YPPROC_MATCH:
268*86d7f5d3SJohn Marino 		case YPPROC_FIRST:
269*86d7f5d3SJohn Marino 		case YPPROC_NEXT:
270*86d7f5d3SJohn Marino 			goto deny;
271*86d7f5d3SJohn Marino 		default:
272*86d7f5d3SJohn Marino 			break;
273*86d7f5d3SJohn Marino 		}
274*86d7f5d3SJohn Marino 	default:
275*86d7f5d3SJohn Marino 		break;
276*86d7f5d3SJohn Marino 	}
277*86d7f5d3SJohn Marino 
278*86d7f5d3SJohn Marino 	return 1;
279*86d7f5d3SJohn Marino deny:
280*86d7f5d3SJohn Marino #ifdef LIBWRAP
281*86d7f5d3SJohn Marino 	logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
282*86d7f5d3SJohn Marino 	    ": indirect call not allowed");
283*86d7f5d3SJohn Marino #else
284*86d7f5d3SJohn Marino 	logit(0, sa, args->rmt_proc, args->rmt_prog,
285*86d7f5d3SJohn Marino 	    ": indirect call not allowed");
286*86d7f5d3SJohn Marino #endif
287*86d7f5d3SJohn Marino 	return 0;
288*86d7f5d3SJohn Marino }
289