1 /* $NetBSD: rcmd.c,v 1.72 2022/05/22 11:27:33 andvar Exp $ */
2
3 /*
4 * Copyright (c) 1983, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #if defined(LIBC_SCCS) && !defined(lint)
34 #if 0
35 static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94";
36 #else
37 __RCSID("$NetBSD: rcmd.c,v 1.72 2022/05/22 11:27:33 andvar Exp $");
38 #endif
39 #endif /* LIBC_SCCS and not lint */
40
41 #ifdef _LIBC
42 #include "namespace.h"
43 #endif
44 #include <sys/param.h>
45 #include <sys/socket.h>
46 #include <sys/stat.h>
47 #include <sys/poll.h>
48 #include <sys/wait.h>
49
50 #include <netinet/in.h>
51 #include <rpc/rpc.h>
52 #include <arpa/inet.h>
53 #include <netgroup.h>
54
55 #include <assert.h>
56 #include <ctype.h>
57 #include <err.h>
58 #include <errno.h>
59 #include <fcntl.h>
60 #include <grp.h>
61 #include <netdb.h>
62 #include <paths.h>
63 #include <pwd.h>
64 #include <signal.h>
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <string.h>
68 #include <syslog.h>
69 #include <unistd.h>
70
71 #include "pathnames.h"
72
73 int orcmd(char **, u_int, const char *, const char *, const char *, int *);
74 int orcmd_af(char **, u_int, const char *, const char *, const char *,
75 int *, int);
76 int __ivaliduser(FILE *, u_int32_t, const char *, const char *);
77 int __ivaliduser_sa(FILE *, const struct sockaddr *, socklen_t,
78 const char *, const char *);
79 static int rshrcmd(int, char **, u_int32_t, const char *,
80 const char *, const char *, int *, const char *);
81 static int resrcmd(struct addrinfo *, char **, u_int32_t, const char *,
82 const char *, const char *, int *);
83 static int __icheckhost(const struct sockaddr *, socklen_t,
84 const char *);
85 static char *__gethostloop(const struct sockaddr *, socklen_t);
86
87 int
rcmd(char ** ahost,int rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p)88 rcmd(char **ahost, int rport, const char *locuser, const char *remuser,
89 const char *cmd, int *fd2p)
90 {
91
92 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET);
93 }
94
95 int
rcmd_af(char ** ahost,int rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p,int af)96 rcmd_af(char **ahost, int rport, const char *locuser, const char *remuser,
97 const char *cmd, int *fd2p, int af)
98 {
99 static char hbuf[MAXHOSTNAMELEN];
100 char pbuf[NI_MAXSERV];
101 struct addrinfo hints, *res;
102 int error;
103 struct servent *sp;
104
105 _DIAGASSERT(ahost != NULL);
106 _DIAGASSERT(locuser != NULL);
107 _DIAGASSERT(remuser != NULL);
108 _DIAGASSERT(cmd != NULL);
109 /* fd2p may be NULL */
110
111 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport));
112 memset(&hints, 0, sizeof(hints));
113 hints.ai_family = af;
114 hints.ai_socktype = SOCK_STREAM;
115 hints.ai_flags = AI_CANONNAME;
116 error = getaddrinfo(*ahost, pbuf, &hints, &res);
117 if (error) {
118 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/
119 return -1;
120 }
121 if (res->ai_canonname) {
122 /*
123 * Canonicalise hostname.
124 * XXX: Should we really do this?
125 */
126 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf));
127 *ahost = hbuf;
128 }
129
130 /*
131 * Check if rport is the same as the shell port, and that the fd2p. If
132 * it is not, the program isn't expecting 'rsh' and so we can't use the
133 * RCMD_CMD environment.
134 */
135 sp = getservbyname("shell", "tcp");
136 if (sp != NULL && sp->s_port == rport)
137 error = rshrcmd(af, ahost, (u_int32_t)rport,
138 locuser, remuser, cmd, fd2p, getenv("RCMD_CMD"));
139 else
140 error = resrcmd(res, ahost, (u_int32_t)rport,
141 locuser, remuser, cmd, fd2p);
142 freeaddrinfo(res);
143 return error;
144 }
145
146 /* this is simply a wrapper around hprcmd() that handles ahost first */
147 int
orcmd(char ** ahost,u_int rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p)148 orcmd(char **ahost, u_int rport, const char *locuser, const char *remuser,
149 const char *cmd, int *fd2p)
150 {
151 return orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET);
152 }
153
154 int
orcmd_af(char ** ahost,u_int rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p,int af)155 orcmd_af(char **ahost, u_int rport, const char *locuser, const char *remuser,
156 const char *cmd, int *fd2p, int af)
157 {
158 static char hbuf[MAXHOSTNAMELEN];
159 char pbuf[NI_MAXSERV];
160 struct addrinfo hints, *res;
161 int error;
162
163 _DIAGASSERT(ahost != NULL);
164 _DIAGASSERT(locuser != NULL);
165 _DIAGASSERT(remuser != NULL);
166 _DIAGASSERT(cmd != NULL);
167 /* fd2p may be NULL */
168
169 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport));
170 memset(&hints, 0, sizeof(hints));
171 hints.ai_family = af;
172 hints.ai_socktype = SOCK_STREAM;
173 hints.ai_flags = AI_CANONNAME;
174 error = getaddrinfo(*ahost, pbuf, &hints, &res);
175 if (error) {
176 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/
177 return -1;
178 }
179 if (res->ai_canonname) {
180 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf));
181 *ahost = hbuf;
182 }
183
184 error = resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p);
185 freeaddrinfo(res);
186 return error;
187 }
188
189 /*ARGSUSED*/
190 static int
resrcmd(struct addrinfo * res,char ** ahost,u_int32_t rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p)191 resrcmd(struct addrinfo *res, char **ahost, u_int32_t rport,
192 const char *locuser, const char *remuser, const char *cmd, int *fd2p)
193 {
194 struct addrinfo *r;
195 struct sockaddr_storage from;
196 struct pollfd reads[2];
197 sigset_t nmask, omask;
198 pid_t pid;
199 int s, lport, timo;
200 int pollr;
201 char c;
202 int refused;
203
204 _DIAGASSERT(res != NULL);
205 _DIAGASSERT(ahost != NULL);
206 _DIAGASSERT(locuser != NULL);
207 _DIAGASSERT(remuser != NULL);
208 _DIAGASSERT(cmd != NULL);
209 /* fd2p may be NULL */
210
211 r = res;
212 refused = 0;
213 pid = getpid();
214 sigemptyset(&nmask);
215 sigaddset(&nmask, SIGURG);
216 if (sigprocmask(SIG_BLOCK, &nmask, &omask) == -1)
217 return -1;
218 for (timo = 1, lport = IPPORT_RESERVED - 1;;) {
219 s = rresvport_af(&lport, r->ai_family);
220 if (s < 0) {
221 if (errno == EAGAIN)
222 warnx("rcmd: socket: All ports in use");
223 else
224 warn("rcmd: socket");
225 if (r->ai_next) {
226 r = r->ai_next;
227 continue;
228 } else {
229 (void)sigprocmask(SIG_SETMASK, &omask, NULL);
230 return -1;
231 }
232 }
233 fcntl(s, F_SETOWN, pid);
234 if (connect(s, r->ai_addr, r->ai_addrlen) >= 0)
235 break;
236 (void)close(s);
237 if (errno == EADDRINUSE) {
238 lport--;
239 continue;
240 } else if (errno == ECONNREFUSED)
241 refused++;
242 if (r->ai_next) {
243 int oerrno = errno;
244 char hbuf[NI_MAXHOST];
245 const int niflags = NI_NUMERICHOST;
246
247 hbuf[0] = '\0';
248 if (getnameinfo(r->ai_addr, r->ai_addrlen,
249 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) !=
250 0)
251 strlcpy(hbuf, "(invalid)", sizeof(hbuf));
252 errno = oerrno;
253 warn("rcmd: connect to address %s", hbuf);
254 r = r->ai_next;
255 hbuf[0] = '\0';
256 if (getnameinfo(r->ai_addr, r->ai_addrlen,
257 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) !=
258 0)
259 strlcpy(hbuf, "(invalid)", sizeof(hbuf));
260 (void)fprintf(stderr, "Trying %s...\n", hbuf);
261 continue;
262 }
263 if (refused && timo <= 16) {
264 (void)sleep((unsigned int)timo);
265 timo *= 2;
266 r = res;
267 refused = 0;
268 continue;
269 }
270 (void)fprintf(stderr, "%s: %s\n", res->ai_canonname,
271 strerror(errno));
272 (void)sigprocmask(SIG_SETMASK, &omask, NULL);
273 return -1;
274 }
275 lport--;
276 if (fd2p == 0) {
277 write(s, "", 1);
278 lport = 0;
279 } else {
280 char num[8];
281 int s2 = rresvport_af(&lport, r->ai_family), s3;
282 socklen_t len = sizeof(from);
283
284 if (s2 < 0)
285 goto bad;
286 listen(s2, 1);
287 (void)snprintf(num, sizeof(num), "%d", lport);
288 if (write(s, num, strlen(num) + 1) !=
289 (ssize_t) (strlen(num) + 1)) {
290 warn("rcmd: write (setting up stderr)");
291 (void)close(s2);
292 goto bad;
293 }
294 reads[0].fd = s;
295 reads[0].events = POLLIN;
296 reads[1].fd = s2;
297 reads[1].events = POLLIN;
298 errno = 0;
299 pollr = poll(reads, 2, INFTIM);
300 if (pollr < 1 || (reads[1].revents & POLLIN) == 0) {
301 if (errno != 0)
302 warn("poll: setting up stderr");
303 else
304 warnx(
305 "poll: protocol failure in circuit setup");
306 (void)close(s2);
307 goto bad;
308 }
309 s3 = accept(s2, (struct sockaddr *)(void *)&from, &len);
310 (void)close(s2);
311 if (s3 < 0) {
312 warn("rcmd: accept");
313 lport = 0;
314 goto bad;
315 }
316 *fd2p = s3;
317 switch (((struct sockaddr *)(void *)&from)->sa_family) {
318 case AF_INET:
319 #ifdef INET6
320 case AF_INET6:
321 #endif
322 if (getnameinfo((struct sockaddr *)(void *)&from, len,
323 NULL, 0, num, (socklen_t)sizeof(num),
324 NI_NUMERICSERV) != 0 ||
325 (atoi(num) >= IPPORT_RESERVED ||
326 atoi(num) < IPPORT_RESERVED / 2)) {
327 warnx(
328 "rcmd: protocol failure in circuit setup.");
329 goto bad2;
330 }
331 break;
332 default:
333 break;
334 }
335 }
336
337 (void)write(s, locuser, strlen(locuser)+1);
338 (void)write(s, remuser, strlen(remuser)+1);
339 (void)write(s, cmd, strlen(cmd)+1);
340 if (read(s, &c, 1) != 1) {
341 warn("%s", *ahost);
342 goto bad2;
343 }
344 if (c != 0) {
345 while (read(s, &c, 1) == 1) {
346 (void)write(STDERR_FILENO, &c, 1);
347 if (c == '\n')
348 break;
349 }
350 goto bad2;
351 }
352 (void)sigprocmask(SIG_SETMASK, &omask, NULL);
353 return s;
354 bad2:
355 if (lport)
356 (void)close(*fd2p);
357 bad:
358 (void)close(s);
359 (void)sigprocmask(SIG_SETMASK, &omask, NULL);
360 return -1;
361 }
362
363 /*
364 * based on code written by Chris Siebenmann <cks@utcc.utoronto.ca>
365 */
366 /* ARGSUSED */
367 static int
rshrcmd(int af,char ** ahost,u_int32_t rport,const char * locuser,const char * remuser,const char * cmd,int * fd2p,const char * rshcmd)368 rshrcmd(int af, char **ahost, u_int32_t rport, const char *locuser,
369 const char *remuser, const char *cmd, int *fd2p, const char *rshcmd)
370 {
371 pid_t pid;
372 int sp[2], ep[2];
373 char *p;
374 struct passwd *pw, pwres;
375 char pwbuf[1024];
376
377 _DIAGASSERT(ahost != NULL);
378 _DIAGASSERT(locuser != NULL);
379 _DIAGASSERT(remuser != NULL);
380 _DIAGASSERT(cmd != NULL);
381 /* fd2p may be NULL */
382
383 /* What rsh/shell to use. */
384 if (rshcmd == NULL)
385 rshcmd = _PATH_BIN_RCMD;
386
387 /* locuser must exist on this host. */
388 if (getpwnam_r(locuser, &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 ||
389 pw == NULL) {
390 warnx("%s: unknown user: %s", __func__, locuser);
391 return -1;
392 }
393
394 /* get a socketpair we'll use for stdin and stdout. */
395 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) {
396 warn("%s: socketpair", __func__);
397 return -1;
398 }
399 /* we will use this for the fd2 pointer */
400 if (fd2p) {
401 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, ep) < 0) {
402 warn("%s: socketpair", __func__);
403 return -1;
404 }
405 *fd2p = ep[0];
406 }
407
408 pid = fork();
409 if (pid < 0) {
410 warn("%s: fork", __func__);
411 return -1;
412 }
413 if (pid == 0) {
414 /*
415 * child
416 * - we use sp[1] to be stdin/stdout, and close sp[0]
417 * - with fd2p, we use ep[1] for stderr, and close ep[0]
418 */
419 (void)close(sp[0]);
420 if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) {
421 warn("%s: dup2", __func__);
422 _exit(1);
423 }
424 (void)close(sp[1]);
425 if (fd2p) {
426 if (dup2(ep[1], 2) < 0) {
427 warn("%s: dup2", __func__);
428 _exit(1);
429 }
430 (void)close(ep[0]);
431 (void)close(ep[1]);
432 } else if (dup2(0, 2) < 0) {
433 warn("%s: dup2", __func__);
434 _exit(1);
435 }
436 /* fork again to lose parent. */
437 pid = fork();
438 if (pid < 0) {
439 warn("%s: second fork", __func__);
440 _exit(1);
441 }
442 if (pid > 0)
443 _exit(0);
444
445 /* Orphan. Become local user for rshprog. */
446 if (setuid(pw->pw_uid)) {
447 warn("%s: setuid(%lu)", __func__, (u_long)pw->pw_uid);
448 _exit(1);
449 }
450
451 /*
452 * If we are rcmd'ing to "localhost" as the same user as we
453 * are, then avoid running remote shell for efficiency.
454 */
455 if (strcmp(*ahost, "localhost") == 0 &&
456 strcmp(locuser, remuser) == 0) {
457 if (pw->pw_shell[0] == '\0')
458 rshcmd = _PATH_BSHELL;
459 else
460 rshcmd = pw->pw_shell;
461 p = strrchr(rshcmd, '/');
462 execlp(rshcmd, p ? p + 1 : rshcmd, "-c", cmd, NULL);
463 } else {
464 const char *program;
465 program = strrchr(rshcmd, '/');
466 program = program ? program + 1 : rshcmd;
467 if (fd2p)
468 /* ask rcmd to relay signal information */
469 setenv("RCMD_RELAY_SIGNAL", "YES", 1);
470 switch (af) {
471 case AF_INET:
472 execlp(rshcmd, program, "-4", "-l", remuser,
473 *ahost, cmd, NULL);
474 break;
475
476 case AF_INET6:
477 execlp(rshcmd, program, "-6", "-l", remuser,
478 *ahost, cmd, NULL);
479 break;
480
481 default:
482 /* typically AF_UNSPEC, plus whatever */
483 execlp(rshcmd, program, "-l", remuser,
484 *ahost, cmd, NULL);
485 break;
486 }
487 }
488 warn("%s: exec %s", __func__, rshcmd);
489 _exit(1);
490 }
491 /* Parent */
492 (void)close(sp[1]);
493 if (fd2p)
494 (void)close(ep[1]);
495
496 (void)waitpid(pid, NULL, 0);
497 return sp[0];
498 }
499
500 int
rresvport(int * alport)501 rresvport(int *alport)
502 {
503
504 _DIAGASSERT(alport != NULL);
505
506 return rresvport_af(alport, AF_INET);
507 }
508
509 int
rresvport_af(int * alport,int family)510 rresvport_af(int *alport, int family)
511 {
512 return rresvport_af_addr(alport, family, NULL);
513 }
514
515 int
rresvport_af_addr(int * alport,int family,void * addr)516 rresvport_af_addr(int *alport, int family, void *addr)
517 {
518 struct sockaddr_storage ss;
519 struct sockaddr *sa;
520 socklen_t salen;
521 int s;
522 u_int16_t *portp;
523
524 _DIAGASSERT(alport != NULL);
525
526 memset(&ss, 0, sizeof(ss));
527 sa = (struct sockaddr *)(void *)&ss;
528 switch (family) {
529 case AF_INET:
530 #ifdef BSD4_4
531 sa->sa_len =
532 #endif
533 salen = sizeof(struct sockaddr_in);
534 if (addr)
535 ((struct sockaddr_in *)(void *)sa)->sin_addr =
536 ((struct sockaddr_in *)addr)->sin_addr;
537 portp = &((struct sockaddr_in *)(void *)sa)->sin_port;
538 break;
539 #ifdef INET6
540 case AF_INET6:
541 #ifdef BSD4_4
542 sa->sa_len =
543 #endif
544 salen = sizeof(struct sockaddr_in6);
545 if (addr)
546 ((struct sockaddr_in6 *)(void *)sa)->sin6_addr =
547 ((struct sockaddr_in6 *)addr)->sin6_addr;
548 portp = &((struct sockaddr_in6 *)(void *)sa)->sin6_port;
549 break;
550 #endif
551 default:
552 errno = EAFNOSUPPORT;
553 return -1;
554 }
555 sa->sa_family = family;
556 s = socket(family, SOCK_STREAM, 0);
557 if (s < 0)
558 return -1;
559 #ifdef BSD4_4
560 switch (family) {
561 case AF_INET:
562 case AF_INET6:
563 *portp = 0;
564 if (bindresvport(s, (struct sockaddr_in *)(void *)sa) < 0) {
565 int sverr = errno;
566
567 (void)close(s);
568 errno = sverr;
569 return -1;
570 }
571 *alport = (int)ntohs(*portp);
572 return s;
573 default:
574 /* is it necessary to try keep code for other AFs? */
575 break;
576 }
577 #endif
578 for (;;) {
579 *portp = htons((u_short)*alport);
580 if (bind(s, sa, salen) >= 0)
581 return s;
582 if (errno != EADDRINUSE) {
583 (void)close(s);
584 return -1;
585 }
586 (*alport)--;
587 if (*alport == IPPORT_RESERVED/2) {
588 (void)close(s);
589 errno = EAGAIN; /* close */
590 return -1;
591 }
592 }
593 }
594
595 int __check_rhosts_file = 1;
596 const char *__rcmd_errstr;
597
598 int
ruserok(const char * rhost,int superuser,const char * ruser,const char * luser)599 ruserok(const char *rhost, int superuser, const char *ruser, const char *luser)
600 {
601 struct addrinfo hints, *res, *r;
602 int error;
603
604 _DIAGASSERT(rhost != NULL);
605 _DIAGASSERT(ruser != NULL);
606 _DIAGASSERT(luser != NULL);
607
608 memset(&hints, 0, sizeof(hints));
609 hints.ai_family = PF_UNSPEC;
610 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
611 error = getaddrinfo(rhost, "0", &hints, &res);
612 if (error)
613 return -1;
614
615 for (r = res; r; r = r->ai_next) {
616 if (iruserok_sa(r->ai_addr, (int)r->ai_addrlen, superuser,
617 ruser, luser) == 0) {
618 freeaddrinfo(res);
619 return 0;
620 }
621 }
622 freeaddrinfo(res);
623 return -1;
624 }
625
626 /*
627 * New .rhosts strategy: We are passed an ip address. We spin through
628 * hosts.equiv and .rhosts looking for a match. When the .rhosts only
629 * has ip addresses, we don't have to trust a nameserver. When it
630 * contains hostnames, we spin through the list of addresses the nameserver
631 * gives us and look for a match.
632 *
633 * Returns 0 if ok, -1 if not ok.
634 */
635 int
iruserok(u_int32_t raddr,int superuser,const char * ruser,const char * luser)636 iruserok(u_int32_t raddr, int superuser, const char *ruser, const char *luser)
637 {
638 struct sockaddr_in irsin;
639
640 memset(&irsin, 0, sizeof(irsin));
641 irsin.sin_family = AF_INET;
642 #ifdef BSD4_4
643 irsin.sin_len = sizeof(irsin);
644 #endif
645 memcpy(&irsin.sin_addr, &raddr, sizeof(irsin.sin_addr));
646 return iruserok_sa(&irsin, (socklen_t)sizeof(irsin), superuser, ruser,
647 luser);
648 }
649
650 /*
651 * 2nd and 3rd arguments are typed like this, to avoid dependency between
652 * unistd.h and sys/socket.h. There's no better way.
653 */
654 int
iruserok_sa(const void * raddr,int rlen,int superuser,const char * ruser,const char * luser)655 iruserok_sa(const void *raddr, int rlen, int superuser, const char *ruser,
656 const char *luser)
657 {
658 const struct sockaddr *sa;
659 struct stat sbuf;
660 struct passwd *pwd, pwres;
661 FILE *hostf;
662 uid_t uid;
663 gid_t gid;
664 int isvaliduser;
665 char pbuf[MAXPATHLEN];
666 char pwbuf[1024];
667
668 _DIAGASSERT(raddr != NULL);
669 _DIAGASSERT(ruser != NULL);
670 _DIAGASSERT(luser != NULL);
671
672 sa = raddr;
673
674 __rcmd_errstr = NULL;
675
676 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "re");
677
678 if (hostf) {
679 if (__ivaliduser_sa(hostf, sa, (socklen_t)rlen, luser,
680 ruser) == 0) {
681 (void)fclose(hostf);
682 return 0;
683 }
684 (void)fclose(hostf);
685 }
686
687 isvaliduser = -1;
688 if (__check_rhosts_file || superuser) {
689
690 if (getpwnam_r(luser, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0
691 || pwd == NULL)
692 return -1;
693 (void)strlcpy(pbuf, pwd->pw_dir, sizeof(pbuf));
694 (void)strlcat(pbuf, "/.rhosts", sizeof(pbuf));
695
696 /*
697 * Change effective uid while opening and reading .rhosts.
698 * If root and reading an NFS mounted file system, can't
699 * read files that are protected read/write owner only.
700 */
701 uid = geteuid();
702 gid = getegid();
703 (void)setegid(pwd->pw_gid);
704 (void)initgroups(pwd->pw_name, pwd->pw_gid);
705 (void)seteuid(pwd->pw_uid);
706 hostf = fopen(pbuf, "re");
707
708 if (hostf != NULL) {
709 /*
710 * If not a regular file, or is owned by someone other
711 * than user or root or if writable by anyone but the
712 * owner, quit.
713 */
714 if (lstat(pbuf, &sbuf) < 0)
715 __rcmd_errstr = ".rhosts lstat failed";
716 else if (!S_ISREG(sbuf.st_mode))
717 __rcmd_errstr = ".rhosts not regular file";
718 else if (fstat(fileno(hostf), &sbuf) < 0)
719 __rcmd_errstr = ".rhosts fstat failed";
720 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
721 __rcmd_errstr = "bad .rhosts owner";
722 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH))
723 __rcmd_errstr =
724 ".rhosts writable by other than owner";
725 else
726 isvaliduser =
727 __ivaliduser_sa(hostf, sa, (socklen_t)rlen,
728 luser, ruser);
729
730 (void)fclose(hostf);
731 }
732 (void)seteuid(uid);
733 (void)setegid(gid);
734
735 }
736 return isvaliduser;
737 }
738
739 /*
740 * XXX
741 * Don't make static, used by lpd(8). We will be able to change the function
742 * into static function, when we bump libc major #.
743 *
744 * Returns 0 if ok, -1 if not ok.
745 */
746 #ifdef notdef /*_LIBC*/
747 static
748 #endif
749 int
__ivaliduser(FILE * hostf,u_int32_t raddr,const char * luser,const char * ruser)750 __ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser,
751 const char *ruser)
752 {
753 struct sockaddr_in ivusin;
754
755 memset(&ivusin, 0, sizeof(ivusin));
756 ivusin.sin_family = AF_INET;
757 #ifdef BSD4_4
758 ivusin.sin_len = sizeof(ivusin);
759 #endif
760 memcpy(&ivusin.sin_addr, &raddr, sizeof(ivusin.sin_addr));
761 return __ivaliduser_sa(hostf, (struct sockaddr *)(void *)&ivusin,
762 (socklen_t)sizeof(ivusin), luser, ruser);
763 }
764
765 #ifdef notdef /*_LIBC*/
766 static
767 #endif
768 int
__ivaliduser_sa(FILE * hostf,const struct sockaddr * raddr,socklen_t salen,const char * luser,const char * ruser)769 __ivaliduser_sa(FILE *hostf, const struct sockaddr *raddr, socklen_t salen,
770 const char *luser, const char *ruser)
771 {
772 char *user, *p;
773 int ch;
774 char buf[MAXHOSTNAMELEN + 128]; /* host + login */
775 const char *auser, *ahost;
776 int hostok, userok;
777 char *rhost = NULL;
778 int firsttime = 1;
779 char domain[MAXHOSTNAMELEN];
780
781 getdomainname(domain, sizeof(domain));
782
783 _DIAGASSERT(hostf != NULL);
784 _DIAGASSERT(luser != NULL);
785 _DIAGASSERT(ruser != NULL);
786
787 while (fgets(buf, (int)sizeof(buf), hostf)) {
788 p = buf;
789 /* Skip lines that are too long. */
790 if (strchr(p, '\n') == NULL) {
791 while ((ch = getc(hostf)) != '\n' && ch != EOF)
792 ;
793 continue;
794 }
795 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
796 *p = isupper((unsigned char)*p) ?
797 tolower((unsigned char)*p) : *p;
798 p++;
799 }
800 if (*p == ' ' || *p == '\t') {
801 *p++ = '\0';
802 while (*p == ' ' || *p == '\t')
803 p++;
804 user = p;
805 while (*p != '\n' && *p != ' ' &&
806 *p != '\t' && *p != '\0')
807 p++;
808 } else
809 user = p;
810 *p = '\0';
811
812 if (p == buf)
813 continue;
814
815 auser = *user ? user : luser;
816 ahost = buf;
817
818 if (ahost[0] == '+')
819 switch (ahost[1]) {
820 case '\0':
821 hostok = 1;
822 break;
823
824 case '@':
825 if (firsttime) {
826 rhost = __gethostloop(raddr, salen);
827 firsttime = 0;
828 }
829 if (rhost)
830 hostok = innetgr(&ahost[2], rhost,
831 NULL, domain);
832 else
833 hostok = 0;
834 break;
835
836 default:
837 hostok = __icheckhost(raddr, salen, &ahost[1]);
838 break;
839 }
840 else if (ahost[0] == '-')
841 switch (ahost[1]) {
842 case '\0':
843 hostok = -1;
844 break;
845
846 case '@':
847 if (firsttime) {
848 rhost = __gethostloop(raddr, salen);
849 firsttime = 0;
850 }
851 if (rhost)
852 hostok = -innetgr(&ahost[2], rhost,
853 NULL, domain);
854 else
855 hostok = 0;
856 break;
857
858 default:
859 hostok =
860 -__icheckhost(raddr, salen, &ahost[1]);
861 break;
862 }
863 else
864 hostok = __icheckhost(raddr, salen, ahost);
865
866
867 if (auser[0] == '+')
868 switch (auser[1]) {
869 case '\0':
870 userok = 1;
871 break;
872
873 case '@':
874 userok = innetgr(&auser[2], NULL, ruser,
875 domain);
876 break;
877
878 default:
879 userok = strcmp(ruser, &auser[1]) == 0;
880 break;
881 }
882 else if (auser[0] == '-')
883 switch (auser[1]) {
884 case '\0':
885 userok = -1;
886 break;
887
888 case '@':
889 userok = -innetgr(&auser[2], NULL, ruser,
890 domain);
891 break;
892
893 default:
894 userok =
895 -(strcmp(ruser, &auser[1]) == 0 ? 1 : 0);
896 break;
897 }
898 else
899 userok = strcmp(ruser, auser) == 0;
900
901 /* Check if one component did not match */
902 if (hostok == 0 || userok == 0)
903 continue;
904
905 /* Check if we got a forbidden pair */
906 if (userok == -1 || hostok == -1)
907 return -1;
908
909 /* Check if we got a valid pair */
910 if (hostok == 1 && userok == 1)
911 return 0;
912 }
913 return -1;
914 }
915
916 /*
917 * Returns "true" if match, 0 if no match.
918 */
919 static int
__icheckhost(const struct sockaddr * raddr,socklen_t salen,const char * lhost)920 __icheckhost(const struct sockaddr *raddr, socklen_t salen, const char *lhost)
921 {
922 struct addrinfo hints, *res, *r;
923 char h1[NI_MAXHOST], h2[NI_MAXHOST];
924 int error;
925 const int niflags = NI_NUMERICHOST;
926
927 _DIAGASSERT(raddr != NULL);
928 _DIAGASSERT(lhost != NULL);
929
930 h1[0] = '\0';
931 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0,
932 niflags) != 0)
933 return 0;
934
935 /* Resolve laddr into sockaddr */
936 memset(&hints, 0, sizeof(hints));
937 hints.ai_family = raddr->sa_family;
938 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
939 res = NULL;
940 error = getaddrinfo(lhost, "0", &hints, &res);
941 if (error)
942 return 0;
943
944 /*
945 * Try string comparisons between raddr and laddr.
946 */
947 for (r = res; r; r = r->ai_next) {
948 h2[0] = '\0';
949 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2,
950 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0)
951 continue;
952 if (strcmp(h1, h2) == 0) {
953 freeaddrinfo(res);
954 return 1;
955 }
956 }
957
958 /* No match. */
959 freeaddrinfo(res);
960 return 0;
961 }
962
963 /*
964 * Return the hostname associated with the supplied address.
965 * Do a reverse lookup as well for security. If a loop cannot
966 * be found, pack the numeric IP address into the string.
967 */
968 static char *
__gethostloop(const struct sockaddr * raddr,socklen_t salen)969 __gethostloop(const struct sockaddr *raddr, socklen_t salen)
970 {
971 static char remotehost[NI_MAXHOST];
972 char h1[NI_MAXHOST], h2[NI_MAXHOST];
973 struct addrinfo hints, *res, *r;
974 int error;
975 const int niflags = NI_NUMERICHOST;
976
977 _DIAGASSERT(raddr != NULL);
978
979 h1[0] = remotehost[0] = '\0';
980 if (getnameinfo(raddr, salen, remotehost, (socklen_t)sizeof(remotehost),
981 NULL, 0, NI_NAMEREQD) != 0)
982 return NULL;
983 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0,
984 niflags) != 0)
985 return NULL;
986
987 /*
988 * Look up the name and check that the supplied
989 * address is in the list
990 */
991 memset(&hints, 0, sizeof(hints));
992 hints.ai_family = raddr->sa_family;
993 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
994 hints.ai_flags = AI_CANONNAME;
995 res = NULL;
996 error = getaddrinfo(remotehost, "0", &hints, &res);
997 if (error)
998 return NULL;
999
1000 for (r = res; r; r = r->ai_next) {
1001 h2[0] = '\0';
1002 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2,
1003 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0)
1004 continue;
1005 if (strcmp(h1, h2) == 0) {
1006 freeaddrinfo(res);
1007 return remotehost;
1008 }
1009 }
1010
1011 /*
1012 * either the DNS administrator has made a configuration
1013 * mistake, or someone has attempted to spoof us
1014 */
1015 syslog(LOG_NOTICE, "rcmd: address %s not listed for host %s",
1016 h1, res->ai_canonname ? res->ai_canonname : remotehost);
1017 freeaddrinfo(res);
1018 return NULL;
1019 }
1020