1 /* $NetBSD: rcmd.c,v 1.54 2003/10/13 14:22:20 agc Exp $ */ 2 3 /* 4 * Copyright (c) 1997 Matthew R. Green. 5 * Copyright (c) 1983, 1993, 1994 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 #if defined(LIBC_SCCS) && !defined(lint) 35 #if 0 36 static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94"; 37 #else 38 __RCSID("$NetBSD: rcmd.c,v 1.54 2003/10/13 14:22:20 agc Exp $"); 39 #endif 40 #endif /* LIBC_SCCS and not lint */ 41 42 #ifdef _LIBC 43 #include "namespace.h" 44 #endif 45 #include <sys/param.h> 46 #include <sys/socket.h> 47 #include <sys/stat.h> 48 #include <sys/poll.h> 49 #include <sys/wait.h> 50 51 #include <netinet/in.h> 52 #include <rpc/rpc.h> 53 #include <arpa/inet.h> 54 #include <netgroup.h> 55 56 #include <assert.h> 57 #include <ctype.h> 58 #include <err.h> 59 #include <errno.h> 60 #include <fcntl.h> 61 #include <grp.h> 62 #include <netdb.h> 63 #include <paths.h> 64 #include <pwd.h> 65 #include <signal.h> 66 #include <stdio.h> 67 #include <stdlib.h> 68 #include <string.h> 69 #include <syslog.h> 70 #include <unistd.h> 71 72 #include "pathnames.h" 73 74 int orcmd __P((char **, u_int, const char *, const char *, const char *, 75 int *)); 76 int orcmd_af __P((char **, u_int, const char *, const char *, const char *, 77 int *, int)); 78 int __ivaliduser __P((FILE *, u_int32_t, const char *, const char *)); 79 int __ivaliduser_sa __P((FILE *, struct sockaddr *, socklen_t, const char *, 80 const char *)); 81 static int rshrcmd __P((char **, u_int32_t, const char *, const char *, 82 const char *, int *, const char *)); 83 static int resrcmd __P((struct addrinfo *, char **, u_int32_t, const char *, 84 const char *, const char *, int *)); 85 static int __icheckhost __P((struct sockaddr *, socklen_t, const char *)); 86 static char *__gethostloop __P((struct sockaddr *, socklen_t)); 87 88 int 89 rcmd(ahost, rport, locuser, remuser, cmd, fd2p) 90 char **ahost; 91 u_short rport; 92 const char *locuser, *remuser, *cmd; 93 int *fd2p; 94 { 95 96 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 97 } 98 99 int 100 rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, af) 101 char **ahost; 102 u_short rport; 103 const char *locuser, *remuser, *cmd; 104 int *fd2p; 105 int af; 106 { 107 static char hbuf[MAXHOSTNAMELEN]; 108 char pbuf[NI_MAXSERV]; 109 struct addrinfo hints, *res; 110 int error; 111 struct servent *sp; 112 113 _DIAGASSERT(ahost != NULL); 114 _DIAGASSERT(locuser != NULL); 115 _DIAGASSERT(remuser != NULL); 116 _DIAGASSERT(cmd != NULL); 117 /* fd2p may be NULL */ 118 119 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 120 memset(&hints, 0, sizeof(hints)); 121 hints.ai_family = af; 122 hints.ai_socktype = SOCK_STREAM; 123 hints.ai_flags = AI_CANONNAME; 124 error = getaddrinfo(*ahost, pbuf, &hints, &res); 125 if (error) { 126 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 127 return (-1); 128 } 129 if (res->ai_canonname) { 130 /* 131 * Canonicalise hostname. 132 * XXX: Should we really do this? 133 */ 134 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 135 *ahost = hbuf; 136 } 137 138 /* 139 * Check if rport is the same as the shell port, and that the fd2p. If 140 * it is not, the program isn't expecting 'rsh' and so we can't use the 141 * RCMD_CMD environment. 142 */ 143 sp = getservbyname("shell", "tcp"); 144 if (sp != NULL && sp->s_port == rport) 145 error = rshrcmd(ahost, (u_int32_t)rport, 146 locuser, remuser, cmd, fd2p, getenv("RCMD_CMD")); 147 else 148 error = resrcmd(res, ahost, (u_int32_t)rport, 149 locuser, remuser, cmd, fd2p); 150 freeaddrinfo(res); 151 return (error); 152 } 153 154 /* this is simply a wrapper around hprcmd() that handles ahost first */ 155 int 156 orcmd(ahost, rport, locuser, remuser, cmd, fd2p) 157 char **ahost; 158 u_int rport; 159 const char *locuser, *remuser, *cmd; 160 int *fd2p; 161 { 162 return orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 163 } 164 165 int 166 orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, af) 167 char **ahost; 168 u_int rport; 169 const char *locuser, *remuser, *cmd; 170 int *fd2p; 171 int af; 172 { 173 static char hbuf[MAXHOSTNAMELEN]; 174 char pbuf[NI_MAXSERV]; 175 struct addrinfo hints, *res; 176 int error; 177 178 _DIAGASSERT(ahost != NULL); 179 _DIAGASSERT(locuser != NULL); 180 _DIAGASSERT(remuser != NULL); 181 _DIAGASSERT(cmd != NULL); 182 /* fd2p may be NULL */ 183 184 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 185 memset(&hints, 0, sizeof(hints)); 186 hints.ai_family = af; 187 hints.ai_socktype = SOCK_STREAM; 188 hints.ai_flags = AI_CANONNAME; 189 error = getaddrinfo(*ahost, pbuf, &hints, &res); 190 if (error) { 191 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 192 return (-1); 193 } 194 if (res->ai_canonname) { 195 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 196 *ahost = hbuf; 197 } 198 199 error = resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p); 200 freeaddrinfo(res); 201 return (error); 202 } 203 204 /*ARGSUSED*/ 205 static int 206 resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p) 207 struct addrinfo *res; 208 char **ahost; 209 u_int32_t rport; 210 const char *locuser, *remuser, *cmd; 211 int *fd2p; 212 { 213 struct addrinfo *r; 214 struct sockaddr_storage from; 215 struct pollfd reads[2]; 216 sigset_t nmask, omask; 217 pid_t pid; 218 int s, lport, timo; 219 int pollr; 220 char c; 221 int refused; 222 223 _DIAGASSERT(res != NULL); 224 _DIAGASSERT(ahost != NULL); 225 _DIAGASSERT(locuser != NULL); 226 _DIAGASSERT(remuser != NULL); 227 _DIAGASSERT(cmd != NULL); 228 /* fd2p may be NULL */ 229 230 r = res; 231 refused = 0; 232 pid = getpid(); 233 sigemptyset(&nmask); 234 sigaddset(&nmask, SIGURG); 235 if (sigprocmask(SIG_BLOCK, &nmask, &omask) == -1) 236 return -1; 237 for (timo = 1, lport = IPPORT_RESERVED - 1;;) { 238 s = rresvport_af(&lport, r->ai_family); 239 if (s < 0) { 240 if (errno == EAGAIN) 241 warnx("rcmd: socket: All ports in use"); 242 else 243 warn("rcmd: socket"); 244 if (r->ai_next) { 245 r = r->ai_next; 246 continue; 247 } else { 248 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 249 return (-1); 250 } 251 } 252 fcntl(s, F_SETOWN, pid); 253 if (connect(s, r->ai_addr, r->ai_addrlen) >= 0) 254 break; 255 (void)close(s); 256 if (errno == EADDRINUSE) { 257 lport--; 258 continue; 259 } else if (errno == ECONNREFUSED) 260 refused++; 261 if (r->ai_next) { 262 int oerrno = errno; 263 char hbuf[NI_MAXHOST]; 264 #ifdef NI_WITHSCOPEID 265 const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID; 266 #else 267 const int niflags = NI_NUMERICHOST; 268 #endif 269 270 hbuf[0] = '\0'; 271 if (getnameinfo(r->ai_addr, r->ai_addrlen, 272 hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) 273 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 274 warnx("rcmd: connect to address %s", hbuf); 275 errno = oerrno; 276 perror(0); 277 r = r->ai_next; 278 hbuf[0] = '\0'; 279 if (getnameinfo(r->ai_addr, r->ai_addrlen, 280 hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) 281 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 282 (void)fprintf(stderr, "Trying %s...\n", hbuf); 283 continue; 284 } 285 if (refused && timo <= 16) { 286 (void)sleep((unsigned int)timo); 287 timo *= 2; 288 r = res; 289 refused = 0; 290 continue; 291 } 292 (void)fprintf(stderr, "%s: %s\n", res->ai_canonname, 293 strerror(errno)); 294 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 295 return (-1); 296 } 297 lport--; 298 if (fd2p == 0) { 299 write(s, "", 1); 300 lport = 0; 301 } else { 302 char num[8]; 303 int s2 = rresvport_af(&lport, r->ai_family), s3; 304 socklen_t len = sizeof(from); 305 306 if (s2 < 0) 307 goto bad; 308 listen(s2, 1); 309 (void)snprintf(num, sizeof(num), "%d", lport); 310 if (write(s, num, strlen(num) + 1) != 311 (ssize_t) (strlen(num) + 1)) { 312 warn("rcmd: write (setting up stderr)"); 313 (void)close(s2); 314 goto bad; 315 } 316 reads[0].fd = s; 317 reads[0].events = POLLIN; 318 reads[1].fd = s2; 319 reads[1].events = POLLIN; 320 errno = 0; 321 pollr = poll(reads, 2, INFTIM); 322 if (pollr < 1 || (reads[1].revents & POLLIN) == 0) { 323 if (errno != 0) 324 warn("poll: setting up stderr"); 325 else 326 warnx("poll: protocol failure in circuit setup"); 327 (void)close(s2); 328 goto bad; 329 } 330 s3 = accept(s2, (struct sockaddr *)(void *)&from, &len); 331 (void)close(s2); 332 if (s3 < 0) { 333 warn("rcmd: accept"); 334 lport = 0; 335 goto bad; 336 } 337 *fd2p = s3; 338 switch (((struct sockaddr *)(void *)&from)->sa_family) { 339 case AF_INET: 340 #ifdef INET6 341 case AF_INET6: 342 #endif 343 if (getnameinfo((struct sockaddr *)(void *)&from, len, 344 NULL, 0, num, sizeof(num), NI_NUMERICSERV) != 0 || 345 (atoi(num) >= IPPORT_RESERVED || 346 atoi(num) < IPPORT_RESERVED / 2)) { 347 warnx("rcmd: protocol failure in circuit setup."); 348 goto bad2; 349 } 350 break; 351 default: 352 break; 353 } 354 } 355 356 (void)write(s, locuser, strlen(locuser)+1); 357 (void)write(s, remuser, strlen(remuser)+1); 358 (void)write(s, cmd, strlen(cmd)+1); 359 if (read(s, &c, 1) != 1) { 360 warn("%s", *ahost); 361 goto bad2; 362 } 363 if (c != 0) { 364 while (read(s, &c, 1) == 1) { 365 (void)write(STDERR_FILENO, &c, 1); 366 if (c == '\n') 367 break; 368 } 369 goto bad2; 370 } 371 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 372 return (s); 373 bad2: 374 if (lport) 375 (void)close(*fd2p); 376 bad: 377 (void)close(s); 378 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 379 return (-1); 380 } 381 382 /* 383 * based on code written by Chris Siebenmann <cks@utcc.utoronto.ca> 384 */ 385 /* ARGSUSED */ 386 static int 387 rshrcmd(ahost, rport, locuser, remuser, cmd, fd2p, rshcmd) 388 char **ahost; 389 u_int32_t rport; 390 const char *locuser, *remuser, *cmd; 391 int *fd2p; 392 const char *rshcmd; 393 { 394 pid_t pid; 395 int sp[2], ep[2]; 396 char *p; 397 struct passwd *pw; 398 399 _DIAGASSERT(ahost != NULL); 400 _DIAGASSERT(locuser != NULL); 401 _DIAGASSERT(remuser != NULL); 402 _DIAGASSERT(cmd != NULL); 403 /* fd2p may be NULL */ 404 405 /* What rsh/shell to use. */ 406 if (rshcmd == NULL) 407 rshcmd = _PATH_BIN_RCMD; 408 409 /* locuser must exist on this host. */ 410 if ((pw = getpwnam(locuser)) == NULL) { 411 warnx("rshrcmd: unknown user: %s", locuser); 412 return(-1); 413 } 414 415 /* get a socketpair we'll use for stdin and stdout. */ 416 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) { 417 warn("rshrcmd: socketpair"); 418 return (-1); 419 } 420 /* we will use this for the fd2 pointer */ 421 if (fd2p) { 422 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, ep) < 0) { 423 warn("rshrcmd: socketpair"); 424 return (-1); 425 } 426 *fd2p = ep[0]; 427 } 428 429 pid = fork(); 430 if (pid < 0) { 431 warn("rshrcmd: fork"); 432 return (-1); 433 } 434 if (pid == 0) { 435 /* 436 * child 437 * - we use sp[1] to be stdin/stdout, and close sp[0] 438 * - with fd2p, we use ep[1] for stderr, and close ep[0] 439 */ 440 (void)close(sp[0]); 441 if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) { 442 warn("rshrcmd: dup2"); 443 _exit(1); 444 } 445 if (fd2p) { 446 if (dup2(ep[1], 2) < 0) { 447 warn("rshrcmd: dup2"); 448 _exit(1); 449 } 450 (void)close(ep[0]); 451 (void)close(ep[1]); 452 } else if (dup2(0, 2) < 0) { 453 warn("rshrcmd: dup2"); 454 _exit(1); 455 } 456 /* fork again to lose parent. */ 457 pid = fork(); 458 if (pid < 0) { 459 warn("rshrcmd: second fork"); 460 _exit(1); 461 } 462 if (pid > 0) 463 _exit(0); 464 465 /* Orphan. Become local user for rshprog. */ 466 if (setuid(pw->pw_uid)) { 467 warn("rshrcmd: setuid(%lu)", (u_long)pw->pw_uid); 468 _exit(1); 469 } 470 471 /* 472 * If we are rcmd'ing to "localhost" as the same user as we are, 473 * then avoid running remote shell for efficiency. 474 */ 475 if (strcmp(*ahost, "localhost") == 0 && 476 strcmp(locuser, remuser) == 0) { 477 if (pw->pw_shell[0] == '\0') 478 rshcmd = _PATH_BSHELL; 479 else 480 rshcmd = pw->pw_shell; 481 p = strrchr(rshcmd, '/'); 482 execlp(rshcmd, p ? p + 1 : rshcmd, "-c", cmd, NULL); 483 } else { 484 p = strrchr(rshcmd, '/'); 485 execlp(rshcmd, p ? p + 1 : rshcmd, *ahost, "-l", 486 remuser, cmd, NULL); 487 } 488 warn("rshrcmd: exec %s", rshcmd); 489 _exit(1); 490 } 491 /* Parent */ 492 (void)close(sp[1]); 493 if (fd2p) 494 (void)close(ep[1]); 495 496 (void)waitpid(pid, NULL, 0); 497 return (sp[0]); 498 } 499 500 int 501 rresvport(alport) 502 int *alport; 503 { 504 505 _DIAGASSERT(alport != NULL); 506 507 return rresvport_af(alport, AF_INET); 508 } 509 510 int 511 rresvport_af(alport, family) 512 int *alport; 513 int family; 514 { 515 struct sockaddr_storage ss; 516 struct sockaddr *sa; 517 int salen; 518 int s; 519 u_int16_t *portp; 520 521 _DIAGASSERT(alport != NULL); 522 523 memset(&ss, 0, sizeof(ss)); 524 sa = (struct sockaddr *)(void *)&ss; 525 switch (family) { 526 case AF_INET: 527 #ifdef BSD4_4 528 sa->sa_len = 529 #endif 530 salen = sizeof(struct sockaddr_in); 531 portp = &((struct sockaddr_in *)(void *)sa)->sin_port; 532 break; 533 #ifdef INET6 534 case AF_INET6: 535 #ifdef BSD4_4 536 sa->sa_len = 537 #endif 538 salen = sizeof(struct sockaddr_in6); 539 portp = &((struct sockaddr_in6 *)(void *)sa)->sin6_port; 540 break; 541 #endif 542 default: 543 portp = NULL; 544 return EAFNOSUPPORT; 545 } 546 sa->sa_family = family; 547 s = socket(family, SOCK_STREAM, 0); 548 if (s < 0) 549 return (-1); 550 #ifdef BSD4_4 551 switch (family) { 552 case AF_INET: 553 case AF_INET6: 554 *portp = 0; 555 if (bindresvport(s, (struct sockaddr_in *)(void *)sa) < 0) { 556 int sverr = errno; 557 558 (void)close(s); 559 errno = sverr; 560 return (-1); 561 } 562 *alport = (int)ntohs(*portp); 563 return (s); 564 default: 565 /* is it necessary to try keep code for other AFs? */ 566 break; 567 } 568 #endif 569 for (;;) { 570 *portp = htons((u_short)*alport); 571 if (bind(s, sa, (socklen_t)salen) >= 0) 572 return (s); 573 if (errno != EADDRINUSE) { 574 (void)close(s); 575 return (-1); 576 } 577 (*alport)--; 578 if (*alport == IPPORT_RESERVED/2) { 579 (void)close(s); 580 errno = EAGAIN; /* close */ 581 return (-1); 582 } 583 } 584 } 585 586 int __check_rhosts_file = 1; 587 char *__rcmd_errstr; 588 589 int 590 ruserok(rhost, superuser, ruser, luser) 591 const char *rhost, *ruser, *luser; 592 int superuser; 593 { 594 struct addrinfo hints, *res, *r; 595 int error; 596 597 _DIAGASSERT(rhost != NULL); 598 _DIAGASSERT(ruser != NULL); 599 _DIAGASSERT(luser != NULL); 600 601 memset(&hints, 0, sizeof(hints)); 602 hints.ai_family = PF_UNSPEC; 603 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 604 error = getaddrinfo(rhost, "0", &hints, &res); 605 if (error) 606 return (-1); 607 608 for (r = res; r; r = r->ai_next) { 609 if (iruserok_sa(r->ai_addr, (int)r->ai_addrlen, superuser, 610 ruser, luser) == 0) { 611 freeaddrinfo(res); 612 return (0); 613 } 614 } 615 freeaddrinfo(res); 616 return (-1); 617 } 618 619 /* 620 * New .rhosts strategy: We are passed an ip address. We spin through 621 * hosts.equiv and .rhosts looking for a match. When the .rhosts only 622 * has ip addresses, we don't have to trust a nameserver. When it 623 * contains hostnames, we spin through the list of addresses the nameserver 624 * gives us and look for a match. 625 * 626 * Returns 0 if ok, -1 if not ok. 627 */ 628 int 629 iruserok(raddr, superuser, ruser, luser) 630 u_int32_t raddr; 631 int superuser; 632 const char *ruser, *luser; 633 { 634 struct sockaddr_in irsin; 635 636 memset(&irsin, 0, sizeof(irsin)); 637 irsin.sin_family = AF_INET; 638 #ifdef BSD4_4 639 irsin.sin_len = sizeof(struct sockaddr_in); 640 #endif 641 memcpy(&irsin.sin_addr, &raddr, sizeof(irsin.sin_addr)); 642 return iruserok_sa(&irsin, sizeof(struct sockaddr_in), superuser, ruser, 643 luser); 644 } 645 646 /* 647 * 2nd and 3rd arguments are typed like this, to avoid dependency between 648 * unistd.h and sys/socket.h. There's no better way. 649 */ 650 int 651 iruserok_sa(raddr, rlen, superuser, ruser, luser) 652 const void *raddr; 653 int rlen; 654 int superuser; 655 const char *ruser, *luser; 656 { 657 struct sockaddr *sa; 658 register char *cp; 659 struct stat sbuf; 660 struct passwd *pwd; 661 FILE *hostf; 662 uid_t uid; 663 gid_t gid; 664 int first; 665 char pbuf[MAXPATHLEN]; 666 667 _DIAGASSERT(raddr != NULL); 668 _DIAGASSERT(ruser != NULL); 669 _DIAGASSERT(luser != NULL); 670 671 /*LINTED const castaway*/ 672 sa = (struct sockaddr *)(void *)raddr; 673 674 first = 1; 675 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r"); 676 again: 677 if (hostf) { 678 if (__ivaliduser_sa(hostf, sa, (socklen_t)rlen, luser, 679 ruser) == 0) { 680 (void)fclose(hostf); 681 return (0); 682 } 683 (void)fclose(hostf); 684 } 685 if (first == 1 && (__check_rhosts_file || superuser)) { 686 first = 0; 687 if ((pwd = getpwnam(luser)) == NULL) 688 return (-1); 689 (void)strlcpy(pbuf, pwd->pw_dir, sizeof(pbuf)); 690 (void)strlcat(pbuf, "/.rhosts", sizeof(pbuf)); 691 692 /* 693 * Change effective uid while opening .rhosts. If root and 694 * reading an NFS mounted file system, can't read files that 695 * are protected read/write owner only. 696 */ 697 uid = geteuid(); 698 gid = getegid(); 699 (void)setegid(pwd->pw_gid); 700 initgroups(pwd->pw_name, pwd->pw_gid); 701 (void)seteuid(pwd->pw_uid); 702 hostf = fopen(pbuf, "r"); 703 (void)seteuid(uid); 704 (void)setegid(gid); 705 706 if (hostf == NULL) 707 return (-1); 708 /* 709 * If not a regular file, or is owned by someone other than 710 * user or root or if writable by anyone but the owner, quit. 711 */ 712 cp = NULL; 713 if (lstat(pbuf, &sbuf) < 0) 714 cp = ".rhosts lstat failed"; 715 else if (!S_ISREG(sbuf.st_mode)) 716 cp = ".rhosts not regular file"; 717 else if (fstat(fileno(hostf), &sbuf) < 0) 718 cp = ".rhosts fstat failed"; 719 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) 720 cp = "bad .rhosts owner"; 721 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH)) 722 cp = ".rhosts writable by other than owner"; 723 /* If there were any problems, quit. */ 724 if (cp) { 725 __rcmd_errstr = cp; 726 (void)fclose(hostf); 727 return (-1); 728 } 729 goto again; 730 } 731 return (-1); 732 } 733 734 /* 735 * XXX 736 * Don't make static, used by lpd(8). We will be able to change the function 737 * into static function, when we bump libc major #. 738 * 739 * Returns 0 if ok, -1 if not ok. 740 */ 741 #ifdef notdef /*_LIBC*/ 742 static 743 #endif 744 int 745 __ivaliduser(hostf, raddr, luser, ruser) 746 FILE *hostf; 747 u_int32_t raddr; 748 const char *luser, *ruser; 749 { 750 struct sockaddr_in ivusin; 751 752 memset(&ivusin, 0, sizeof(ivusin)); 753 ivusin.sin_family = AF_INET; 754 #ifdef BSD4_4 755 ivusin.sin_len = sizeof(struct sockaddr_in); 756 #endif 757 memcpy(&ivusin.sin_addr, &raddr, sizeof(ivusin.sin_addr)); 758 return __ivaliduser_sa(hostf, (struct sockaddr *)(void *)&ivusin, 759 sizeof(struct sockaddr_in), luser, ruser); 760 } 761 762 #ifdef notdef /*_LIBC*/ 763 static 764 #endif 765 int 766 __ivaliduser_sa(hostf, raddr, salen, luser, ruser) 767 FILE *hostf; 768 struct sockaddr *raddr; 769 socklen_t salen; 770 const char *luser, *ruser; 771 { 772 register char *user, *p; 773 int ch; 774 char buf[MAXHOSTNAMELEN + 128]; /* host + login */ 775 const char *auser, *ahost; 776 int hostok, userok; 777 char *rhost = NULL; 778 int firsttime = 1; 779 char domain[MAXHOSTNAMELEN]; 780 781 getdomainname(domain, sizeof(domain)); 782 783 _DIAGASSERT(hostf != NULL); 784 _DIAGASSERT(luser != NULL); 785 _DIAGASSERT(ruser != NULL); 786 787 while (fgets(buf, sizeof(buf), hostf)) { 788 p = buf; 789 /* Skip lines that are too long. */ 790 if (strchr(p, '\n') == NULL) { 791 while ((ch = getc(hostf)) != '\n' && ch != EOF) 792 ; 793 continue; 794 } 795 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { 796 *p = isupper((unsigned char)*p) ? 797 tolower((unsigned char)*p) : *p; 798 p++; 799 } 800 if (*p == ' ' || *p == '\t') { 801 *p++ = '\0'; 802 while (*p == ' ' || *p == '\t') 803 p++; 804 user = p; 805 while (*p != '\n' && *p != ' ' && 806 *p != '\t' && *p != '\0') 807 p++; 808 } else 809 user = p; 810 *p = '\0'; 811 812 if (p == buf) 813 continue; 814 815 auser = *user ? user : luser; 816 ahost = buf; 817 818 if (ahost[0] == '+') 819 switch (ahost[1]) { 820 case '\0': 821 hostok = 1; 822 break; 823 824 case '@': 825 if (firsttime) { 826 rhost = __gethostloop(raddr, salen); 827 firsttime = 0; 828 } 829 if (rhost) 830 hostok = innetgr(&ahost[2], rhost, 831 NULL, domain); 832 else 833 hostok = 0; 834 break; 835 836 default: 837 hostok = __icheckhost(raddr, salen, &ahost[1]); 838 break; 839 } 840 else if (ahost[0] == '-') 841 switch (ahost[1]) { 842 case '\0': 843 hostok = -1; 844 break; 845 846 case '@': 847 if (firsttime) { 848 rhost = __gethostloop(raddr, salen); 849 firsttime = 0; 850 } 851 if (rhost) 852 hostok = -innetgr(&ahost[2], rhost, 853 NULL, domain); 854 else 855 hostok = 0; 856 break; 857 858 default: 859 hostok = -__icheckhost(raddr, salen, &ahost[1]); 860 break; 861 } 862 else 863 hostok = __icheckhost(raddr, salen, ahost); 864 865 866 if (auser[0] == '+') 867 switch (auser[1]) { 868 case '\0': 869 userok = 1; 870 break; 871 872 case '@': 873 userok = innetgr(&auser[2], NULL, ruser, 874 domain); 875 break; 876 877 default: 878 userok = strcmp(ruser, &auser[1]) == 0; 879 break; 880 } 881 else if (auser[0] == '-') 882 switch (auser[1]) { 883 case '\0': 884 userok = -1; 885 break; 886 887 case '@': 888 userok = -innetgr(&auser[2], NULL, ruser, 889 domain); 890 break; 891 892 default: 893 userok = 894 -(strcmp(ruser, &auser[1]) == 0 ? 1 : 0); 895 break; 896 } 897 else 898 userok = strcmp(ruser, auser) == 0; 899 900 /* Check if one component did not match */ 901 if (hostok == 0 || userok == 0) 902 continue; 903 904 /* Check if we got a forbidden pair */ 905 if (userok == -1 || hostok == -1) 906 return -1; 907 908 /* Check if we got a valid pair */ 909 if (hostok == 1 && userok == 1) 910 return 0; 911 } 912 return -1; 913 } 914 915 /* 916 * Returns "true" if match, 0 if no match. 917 * 918 * NI_WITHSCOPEID is useful for comparing sin6_scope_id portion 919 * if af == AF_INET6. 920 */ 921 static int 922 __icheckhost(raddr, salen, lhost) 923 struct sockaddr *raddr; 924 socklen_t salen; 925 const char *lhost; 926 { 927 struct addrinfo hints, *res, *r; 928 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 929 int error; 930 #ifdef NI_WITHSCOPEID 931 const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID; 932 #else 933 const int niflags = NI_NUMERICHOST; 934 #endif 935 936 _DIAGASSERT(raddr != NULL); 937 _DIAGASSERT(lhost != NULL); 938 939 h1[0] = '\0'; 940 if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, 941 niflags) != 0) 942 return (0); 943 944 /* Resolve laddr into sockaddr */ 945 memset(&hints, 0, sizeof(hints)); 946 hints.ai_family = raddr->sa_family; 947 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 948 res = NULL; 949 error = getaddrinfo(lhost, "0", &hints, &res); 950 if (error) 951 return (0); 952 953 /* 954 * Try string comparisons between raddr and laddr. 955 */ 956 for (r = res; r; r = r->ai_next) { 957 h2[0] = '\0'; 958 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), 959 NULL, 0, niflags) != 0) 960 continue; 961 if (strcmp(h1, h2) == 0) { 962 freeaddrinfo(res); 963 return (1); 964 } 965 } 966 967 /* No match. */ 968 freeaddrinfo(res); 969 return (0); 970 } 971 972 /* 973 * Return the hostname associated with the supplied address. 974 * Do a reverse lookup as well for security. If a loop cannot 975 * be found, pack the numeric IP address into the string. 976 * 977 * NI_WITHSCOPEID is useful for comparing sin6_scope_id portion 978 * if af == AF_INET6. 979 */ 980 static char * 981 __gethostloop(raddr, salen) 982 struct sockaddr *raddr; 983 socklen_t salen; 984 { 985 static char remotehost[NI_MAXHOST]; 986 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 987 struct addrinfo hints, *res, *r; 988 int error; 989 #ifdef NI_WITHSCOPEID 990 const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID; 991 #else 992 const int niflags = NI_NUMERICHOST; 993 #endif 994 995 _DIAGASSERT(raddr != NULL); 996 997 h1[0] = remotehost[0] = '\0'; 998 if (getnameinfo(raddr, salen, remotehost, sizeof(remotehost), 999 NULL, 0, NI_NAMEREQD) != 0) 1000 return (NULL); 1001 if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0, 1002 niflags) != 0) 1003 return (NULL); 1004 1005 /* 1006 * Look up the name and check that the supplied 1007 * address is in the list 1008 */ 1009 memset(&hints, 0, sizeof(hints)); 1010 hints.ai_family = raddr->sa_family; 1011 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 1012 hints.ai_flags = AI_CANONNAME; 1013 res = NULL; 1014 error = getaddrinfo(remotehost, "0", &hints, &res); 1015 if (error) 1016 return (NULL); 1017 1018 for (r = res; r; r = r->ai_next) { 1019 h2[0] = '\0'; 1020 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2), 1021 NULL, 0, niflags) != 0) 1022 continue; 1023 if (strcmp(h1, h2) == 0) { 1024 freeaddrinfo(res); 1025 return (remotehost); 1026 } 1027 } 1028 1029 /* 1030 * either the DNS adminstrator has made a configuration 1031 * mistake, or someone has attempted to spoof us 1032 */ 1033 syslog(LOG_NOTICE, "rcmd: address %s not listed for host %s", 1034 h1, res->ai_canonname ? res->ai_canonname : remotehost); 1035 freeaddrinfo(res); 1036 return (NULL); 1037 } 1038