1 /* $OpenBSD: authpf.c,v 1.130 2024/11/04 21:59:15 jca Exp $ */
2
3 /*
4 * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <sys/types.h>
20 #include <sys/ioctl.h>
21 #include <sys/socket.h>
22 #include <sys/stat.h>
23 #include <sys/wait.h>
24
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27 #include <net/if.h>
28 #include <net/pfvar.h>
29
30 #include <err.h>
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <login_cap.h>
34 #include <pwd.h>
35 #include <grp.h>
36 #include <signal.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <syslog.h>
41 #include <time.h>
42 #include <unistd.h>
43
44 #include "pathnames.h"
45
46 static int read_config(FILE *);
47 static void print_message(char *);
48 static int allowed_luser(struct passwd *);
49 static int check_luser(char *, char *);
50 static int remove_stale_rulesets(void);
51 static int recursive_ruleset_purge(char *, char *);
52 static int change_filter(int, const char *, const char *);
53 static int change_table(int, const char *);
54 static void authpf_kill_states(void);
55
56 int dev; /* pf device */
57 char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
58 char rulesetname[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2];
59 char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
60 int user_ip = 1; /* controls whether $user_ip is set */
61
62 FILE *pidfp;
63 int pidfd = -1;
64 char luser[LOGIN_NAME_MAX]; /* username */
65 char ipsrc[256]; /* ip as a string */
66 char pidfile[PATH_MAX]; /* we save pid in this file. */
67
68 struct timespec Tstart, Tend; /* start and end times of session */
69
70 volatile sig_atomic_t want_death;
71 static void need_death(int signo);
72 static __dead void do_death(int);
73 extern char *__progname; /* program name */
74
75 /*
76 * User shell for authenticating gateways. Sole purpose is to allow
77 * a user to ssh to a gateway, and have the gateway modify packet
78 * filters to allow access, then remove access when the user finishes
79 * up. Meant to be used only from ssh(1) connections.
80 */
81 int
main(int argc,char * argv[])82 main(int argc, char *argv[])
83 {
84 int lockcnt = 0, n;
85 FILE *config;
86 struct in6_addr ina;
87 struct passwd *pw;
88 char *cp;
89 gid_t gid;
90 uid_t uid;
91 char *shell;
92 login_cap_t *lc;
93
94 if (strcmp(__progname, "-authpf-noip") == 0)
95 user_ip = 0;
96
97 config = fopen(PATH_CONFFILE, "r");
98 if (config == NULL) {
99 syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
100 exit(1);
101 }
102
103 if ((cp = getenv("SSH_TTY")) == NULL) {
104 syslog(LOG_ERR, "non-interactive session connection for authpf");
105 exit(1);
106 }
107
108 if ((cp = getenv("SSH_CLIENT")) == NULL) {
109 syslog(LOG_ERR, "cannot determine connection source");
110 exit(1);
111 }
112
113 if (strlcpy(ipsrc, cp, sizeof(ipsrc)) >= sizeof(ipsrc)) {
114 syslog(LOG_ERR, "SSH_CLIENT variable too long");
115 exit(1);
116 }
117 cp = strchr(ipsrc, ' ');
118 if (!cp) {
119 syslog(LOG_ERR, "corrupt SSH_CLIENT variable %s", ipsrc);
120 exit(1);
121 }
122 *cp = '\0';
123 if (inet_pton(AF_INET, ipsrc, &ina) != 1 &&
124 inet_pton(AF_INET6, ipsrc, &ina) != 1) {
125 syslog(LOG_ERR,
126 "cannot determine IP from SSH_CLIENT %s", ipsrc);
127 exit(1);
128 }
129 /* open the pf device */
130 dev = open(PATH_DEVFILE, O_RDWR);
131 if (dev == -1) {
132 syslog(LOG_ERR, "cannot open packet filter device (%m)");
133 goto die;
134 }
135
136 uid = getuid();
137 pw = getpwuid(uid);
138 if (pw == NULL) {
139 syslog(LOG_ERR, "cannot find user for uid %u", uid);
140 goto die;
141 }
142
143 if ((lc = login_getclass(pw->pw_class)) != NULL)
144 shell = login_getcapstr(lc, "shell", pw->pw_shell,
145 pw->pw_shell);
146 else
147 shell = pw->pw_shell;
148
149 login_close(lc);
150
151 if (strcmp(shell, PATH_AUTHPF_SHELL) &&
152 strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
153 syslog(LOG_ERR, "wrong shell for user %s, uid %u",
154 pw->pw_name, pw->pw_uid);
155 if (shell != pw->pw_shell)
156 free(shell);
157 goto die;
158 }
159
160 if (shell != pw->pw_shell)
161 free(shell);
162
163 /*
164 * Paranoia, but this data _does_ come from outside authpf, and
165 * truncation would be bad.
166 */
167 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) {
168 syslog(LOG_ERR, "username too long: %s", pw->pw_name);
169 goto die;
170 }
171
172 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)",
173 luser, (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
174 syslog(LOG_INFO, "%s(%ld) too large, ruleset name will be %ld",
175 luser, (long)getpid(), (long)getpid());
176 if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld",
177 (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) {
178 syslog(LOG_ERR, "pid too large for ruleset name");
179 goto die;
180 }
181 }
182
183
184 /* Make our entry in /var/authpf as ipaddr or username */
185 n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
186 PATH_PIDFILE, user_ip ? ipsrc : luser);
187 if (n < 0 || (u_int)n >= sizeof(pidfile)) {
188 syslog(LOG_ERR, "path to pidfile too long");
189 goto die;
190 }
191
192 signal(SIGTERM, need_death);
193 signal(SIGINT, need_death);
194 signal(SIGALRM, need_death);
195 signal(SIGPIPE, need_death);
196 signal(SIGHUP, need_death);
197 signal(SIGQUIT, need_death);
198 signal(SIGTSTP, need_death);
199
200 /*
201 * If someone else is already using this ip, then this person
202 * wants to switch users - so kill the old process and exit
203 * as well.
204 *
205 * Note, we could print a message and tell them to log out, but the
206 * usual case of this is that someone has left themselves logged in,
207 * with the authenticated connection iconized and someone else walks
208 * up to use and automatically logs in before using. If this just
209 * gets rid of the old one silently, the new user never knows they
210 * could have used someone else's old authentication. If we
211 * tell them to log out before switching users it is an invitation
212 * for abuse.
213 */
214
215 do {
216 int save_errno, otherpid = -1;
217 char otherluser[LOGIN_NAME_MAX];
218
219 if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 ||
220 (pidfp = fdopen(pidfd, "r+")) == NULL) {
221 if (pidfd != -1)
222 close(pidfd);
223 syslog(LOG_ERR, "cannot open or create %s: %s", pidfile,
224 strerror(errno));
225 goto die;
226 }
227
228 if (flock(fileno(pidfp), LOCK_EX|LOCK_NB) == 0)
229 break;
230 save_errno = errno;
231
232 /* Mark our pid, and username to our file. */
233
234 rewind(pidfp);
235 /* 31 == MAXLOGNAME - 1 */
236 if (fscanf(pidfp, "%d\n%31s\n", &otherpid, otherluser) != 2)
237 otherpid = -1;
238 syslog(LOG_DEBUG, "tried to lock %s, in use by pid %d: %s",
239 pidfile, otherpid, strerror(save_errno));
240
241 if (otherpid > 0) {
242 syslog(LOG_INFO,
243 "killing prior auth (pid %d) of %s by user %s",
244 otherpid, ipsrc, otherluser);
245 if (kill((pid_t) otherpid, SIGTERM) == -1) {
246 syslog(LOG_INFO,
247 "could not kill process %d: (%m)",
248 otherpid);
249 }
250 }
251
252 /*
253 * We try to kill the previous process and acquire the lock
254 * for 10 seconds, trying once a second. if we can't after
255 * 10 attempts we log an error and give up.
256 */
257 if (want_death || ++lockcnt > 10) {
258 if (!want_death)
259 syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
260 otherpid);
261 fclose(pidfp);
262 pidfp = NULL;
263 pidfd = -1;
264 goto dogdeath;
265 }
266 sleep(1);
267
268 /* re-open, and try again. The previous authpf process
269 * we killed above should unlink the file and release
270 * its lock, giving us a chance to get it now
271 */
272 fclose(pidfp);
273 pidfp = NULL;
274 pidfd = -1;
275 } while (1);
276
277 /* whack the group list */
278 gid = getegid();
279 if (setgroups(1, &gid) == -1) {
280 syslog(LOG_INFO, "setgroups: %s", strerror(errno));
281 do_death(0);
282 }
283
284 /* revoke privs */
285 uid = getuid();
286 if (setresuid(uid, uid, uid) == -1) {
287 syslog(LOG_INFO, "setresuid: %s", strerror(errno));
288 do_death(0);
289 }
290 openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
291
292 if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
293 syslog(LOG_INFO, "user %s prohibited", luser);
294 do_death(0);
295 }
296
297 if (read_config(config)) {
298 syslog(LOG_ERR, "invalid config file %s", PATH_CONFFILE);
299 do_death(0);
300 }
301
302 if (remove_stale_rulesets()) {
303 syslog(LOG_INFO, "error removing stale rulesets");
304 do_death(0);
305 }
306
307 /* We appear to be making headway, so actually mark our pid */
308 rewind(pidfp);
309 fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser);
310 fflush(pidfp);
311 (void) ftruncate(fileno(pidfp), ftello(pidfp));
312
313 if (change_filter(1, luser, ipsrc) == -1) {
314 printf("Unable to modify filters\r\n");
315 do_death(0);
316 }
317 if (user_ip && change_table(1, ipsrc) == -1) {
318 printf("Unable to modify table\r\n");
319 change_filter(0, luser, ipsrc);
320 do_death(0);
321 }
322
323 while (1) {
324 struct stat sb;
325 char *path_message;
326 printf("\r\nHello %s. ", luser);
327 printf("You are authenticated from host \"%s\"\r\n", ipsrc);
328 setproctitle("%s@%s", luser, ipsrc);
329 if (asprintf(&path_message, "%s/%s/authpf.message",
330 PATH_USER_DIR, luser) == -1)
331 do_death(1);
332 if (stat(path_message, &sb) == -1 || ! S_ISREG(sb.st_mode)) {
333 free(path_message);
334 if ((path_message = strdup(PATH_MESSAGE)) == NULL)
335 do_death(1);
336 }
337 print_message(path_message);
338 while (1) {
339 sleep(10);
340 if (want_death)
341 do_death(1);
342 }
343 }
344
345 dogdeath:
346 printf("\r\n\r\nSorry, this service is currently unavailable due to ");
347 printf("technical difficulties\r\n\r\n");
348 print_message(PATH_PROBLEM);
349 printf("\r\nYour authentication process (pid %ld) was unable to run\n",
350 (long)getpid());
351 sleep(180); /* them lusers read reaaaaal slow */
352 die:
353 do_death(0);
354 }
355
356 /*
357 * reads config file in PATH_CONFFILE to set optional behaviours up
358 */
359 static int
read_config(FILE * f)360 read_config(FILE *f)
361 {
362 char buf[1024];
363 int i = 0;
364
365 do {
366 char **ap;
367 char *pair[4], *cp, *tp;
368 int len;
369
370 if (fgets(buf, sizeof(buf), f) == NULL) {
371 fclose(f);
372 return (0);
373 }
374 i++;
375 len = strlen(buf);
376 if (len == 0)
377 continue;
378 if (buf[len - 1] != '\n' && !feof(f)) {
379 syslog(LOG_ERR, "line %d too long in %s", i,
380 PATH_CONFFILE);
381 return (1);
382 }
383 buf[len - 1] = '\0';
384
385 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
386 ; /* nothing */
387
388 if (!*cp || *cp == '#' || *cp == '\n')
389 continue;
390
391 for (ap = pair; ap < &pair[3] &&
392 (*ap = strsep(&cp, "=")) != NULL; ) {
393 if (**ap != '\0')
394 ap++;
395 }
396 if (ap != &pair[2])
397 goto parse_error;
398
399 tp = pair[1] + strlen(pair[1]);
400 while ((*tp == ' ' || *tp == '\t') && tp >= pair[1])
401 *tp-- = '\0';
402
403 if (strcasecmp(pair[0], "anchor") == 0) {
404 if (!pair[1][0] || strlcpy(anchorname, pair[1],
405 sizeof(anchorname)) >= sizeof(anchorname))
406 goto parse_error;
407 }
408 if (strcasecmp(pair[0], "table") == 0) {
409 if (!pair[1][0] || strlcpy(tablename, pair[1],
410 sizeof(tablename)) >= sizeof(tablename))
411 goto parse_error;
412 }
413 } while (!feof(f) && !ferror(f));
414 fclose(f);
415 return (0);
416
417 parse_error:
418 fclose(f);
419 syslog(LOG_ERR, "parse error, line %d of %s", i, PATH_CONFFILE);
420 return (1);
421 }
422
423
424 /*
425 * splatter a file to stdout - max line length of 1024,
426 * used for spitting message files at users to tell them
427 * they've been bad or we're unavailable.
428 */
429 static void
print_message(char * filename)430 print_message(char *filename)
431 {
432 char buf[1024];
433 FILE *f;
434
435 if ((f = fopen(filename, "r")) == NULL)
436 return; /* fail silently, we don't care if it isn't there */
437
438 do {
439 if (fgets(buf, sizeof(buf), f) == NULL) {
440 fflush(stdout);
441 fclose(f);
442 return;
443 }
444 } while (fputs(buf, stdout) != EOF && !feof(f));
445 fflush(stdout);
446 fclose(f);
447 }
448
449 /*
450 * allowed_luser checks to see if user "luser" is allowed to
451 * use this gateway by virtue of being listed in an allowed
452 * users file, namely /etc/authpf/authpf.allow .
453 * Users may be listed by <username>, %<group>, or @<login_class>.
454 *
455 * If /etc/authpf/authpf.allow does not exist, then we assume that
456 * all users who are allowed in by sshd(8) are permitted to
457 * use this gateway. If /etc/authpf/authpf.allow does exist, then a
458 * user must be listed if the connection is to continue, else
459 * the session terminates in the same manner as being banned.
460 */
461 static int
allowed_luser(struct passwd * pw)462 allowed_luser(struct passwd *pw)
463 {
464 char *buf, *lbuf;
465 int matched;
466 size_t len;
467 FILE *f;
468
469 if ((f = fopen(PATH_ALLOWFILE, "r")) == NULL) {
470 if (errno == ENOENT) {
471 /*
472 * allowfile doesn't exist, thus this gateway
473 * isn't restricted to certain users...
474 */
475 return (1);
476 }
477
478 /*
479 * luser may in fact be allowed, but we can't open
480 * the file even though it's there. probably a config
481 * problem.
482 */
483 syslog(LOG_ERR, "cannot open allowed users file %s (%s)",
484 PATH_ALLOWFILE, strerror(errno));
485 return (0);
486 } else {
487 /*
488 * /etc/authpf/authpf.allow exists, thus we do a linear
489 * search to see if they are allowed.
490 * also, if username "*" exists, then this is a
491 * "public" gateway, such as it is, so let
492 * everyone use it.
493 */
494 int gl_init = 0, ngroups = NGROUPS_MAX + 1;
495 gid_t groups[NGROUPS_MAX + 1];
496
497 lbuf = NULL;
498 matched = 0;
499
500 while ((buf = fgetln(f, &len))) {
501
502 if (buf[len - 1] == '\n')
503 buf[len - 1] = '\0';
504 else {
505 if ((lbuf = malloc(len + 1)) == NULL)
506 err(1, NULL);
507 memcpy(lbuf, buf, len);
508 lbuf[len] = '\0';
509 buf = lbuf;
510 }
511
512 if (buf[0] == '@') {
513 /* check login class */
514 if (strcmp(pw->pw_class, buf + 1) == 0)
515 matched++;
516 } else if (buf[0] == '%') {
517 /* check group membership */
518 int cnt;
519 struct group *group;
520
521 if ((group = getgrnam(buf + 1)) == NULL) {
522 syslog(LOG_ERR,
523 "invalid group '%s' in %s (%s)",
524 buf + 1, PATH_ALLOWFILE,
525 strerror(errno));
526 fclose(f);
527 return (0);
528 }
529
530 if (!gl_init) {
531 int maxgroups, ret;
532
533 maxgroups = ngroups;
534 ret = getgrouplist(pw->pw_name,
535 pw->pw_gid, groups, &ngroups);
536 if (ret == -1) {
537 /*
538 * Silently truncate group list
539 */
540 ngroups = maxgroups;
541 }
542 gl_init++;
543 }
544
545 for ( cnt = 0; cnt < ngroups; cnt++) {
546 if (group->gr_gid == groups[cnt]) {
547 matched++;
548 break;
549 }
550 }
551 } else {
552 /* check username and wildcard */
553 matched = strcmp(pw->pw_name, buf) == 0 ||
554 strcmp("*", buf) == 0;
555 }
556
557 free(lbuf);
558 lbuf = NULL;
559
560 if (matched) {
561 fclose(f);
562 return (1); /* matched an allowed user/group */
563 }
564 }
565 syslog(LOG_INFO, "denied access to %s: not listed in %s",
566 pw->pw_name, PATH_ALLOWFILE);
567
568 /* reuse buf */
569 buf = "\n\nSorry, you are not allowed to use this facility!\n";
570 fputs(buf, stdout);
571 }
572 fflush(stdout);
573 fclose(f);
574 return (0);
575 }
576
577 /*
578 * check_luser checks to see if user "luser" has been banned
579 * from using us by virtue of having an file of the same name
580 * in the "luserdir" directory.
581 *
582 * If the user has been banned, we copy the contents of the file
583 * to the user's screen. (useful for telling the user what to
584 * do to get un-banned, or just to tell them they aren't
585 * going to be un-banned.)
586 */
587 static int
check_luser(char * luserdir,char * luser)588 check_luser(char *luserdir, char *luser)
589 {
590 FILE *f;
591 int n;
592 char tmp[PATH_MAX];
593
594 n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser);
595 if (n < 0 || (u_int)n >= sizeof(tmp)) {
596 syslog(LOG_ERR, "provided banned directory line too long (%s)",
597 luserdir);
598 return (0);
599 }
600 if ((f = fopen(tmp, "r")) == NULL) {
601 if (errno == ENOENT) {
602 /*
603 * file or dir doesn't exist, so therefore
604 * this luser isn't banned.. all is well
605 */
606 return (1);
607 } else {
608 /*
609 * luser may in fact be banned, but we can't open the
610 * file even though it's there. probably a config
611 * problem.
612 */
613 syslog(LOG_ERR, "cannot open banned file %s (%s)",
614 tmp, strerror(errno));
615 return (0);
616 }
617 } else {
618 /*
619 * luser is banned - spit the file at them to
620 * tell what they can do and where they can go.
621 */
622 syslog(LOG_INFO, "denied access to %s: %s exists",
623 luser, tmp);
624
625 /* reuse tmp */
626 strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n",
627 sizeof(tmp));
628 while (fputs(tmp, stdout) != EOF && !feof(f)) {
629 if (fgets(tmp, sizeof(tmp), f) == NULL) {
630 fflush(stdout);
631 fclose(f);
632 return (0);
633 }
634 }
635 fclose(f);
636 }
637 fflush(stdout);
638 return (0);
639 }
640
641 /*
642 * Search for rulesets left by other authpf processes (either because they
643 * died ungracefully or were terminated) and remove them.
644 */
645 static int
remove_stale_rulesets(void)646 remove_stale_rulesets(void)
647 {
648 struct pfioc_ruleset prs;
649 u_int32_t nr;
650
651 memset(&prs, 0, sizeof(prs));
652 strlcpy(prs.path, anchorname, sizeof(prs.path));
653 if (ioctl(dev, DIOCGETRULESETS, &prs) == -1) {
654 if (errno == EINVAL)
655 return (0);
656 else
657 return (1);
658 }
659
660 nr = prs.nr;
661 while (nr) {
662 char *s, *t;
663 pid_t pid;
664
665 prs.nr = nr - 1;
666 if (ioctl(dev, DIOCGETRULESET, &prs) == -1)
667 return (1);
668 errno = 0;
669 if ((t = strchr(prs.name, '(')) == NULL)
670 t = prs.name;
671 else
672 t++;
673 pid = strtoul(t, &s, 10);
674 if (!prs.name[0] || errno ||
675 (*s && (t == prs.name || *s != ')')))
676 return (1);
677 if ((kill(pid, 0) && errno != EPERM) || pid == getpid()) {
678 if (recursive_ruleset_purge(anchorname, prs.name))
679 return (1);
680 }
681 nr--;
682 }
683 return (0);
684 }
685
686 static int
recursive_ruleset_purge(char * an,char * rs)687 recursive_ruleset_purge(char *an, char *rs)
688 {
689 struct pfioc_trans_e *t_e = NULL;
690 struct pfioc_trans *t = NULL;
691 struct pfioc_ruleset *prs = NULL;
692
693 /* purge rules */
694 errno = 0;
695 if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL)
696 goto no_mem;
697 if ((t_e = calloc(2, sizeof(struct pfioc_trans_e))) == NULL)
698 goto no_mem;
699 t->size = 2;
700 t->esize = sizeof(struct pfioc_trans_e);
701 t->array = t_e;
702 t_e[0].type = PF_TRANS_RULESET;
703 snprintf(t_e[0].anchor, sizeof(t_e[0].anchor), "%s/%s", an, rs);
704 t_e[1].type = PF_TRANS_TABLE;
705
706 if ((ioctl(dev, DIOCXBEGIN, t) == -1||
707 ioctl(dev, DIOCXCOMMIT, t) == -1) &&
708 errno != EINVAL)
709 goto cleanup;
710
711 /* purge any children */
712 if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL)
713 goto no_mem;
714 snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs);
715 if (ioctl(dev, DIOCGETRULESETS, prs) == -1) {
716 if (errno != EINVAL)
717 goto cleanup;
718 errno = 0;
719 } else {
720 int nr = prs->nr;
721
722 while (nr) {
723 prs->nr = 0;
724 if (ioctl(dev, DIOCGETRULESET, prs) == -1)
725 goto cleanup;
726
727 if (recursive_ruleset_purge(prs->path, prs->name))
728 goto cleanup;
729 nr--;
730 }
731 }
732
733 no_mem:
734 if (errno == ENOMEM)
735 syslog(LOG_ERR, "calloc failed");
736
737 cleanup:
738 free(t);
739 free(t_e);
740 free(prs);
741 return (errno);
742 }
743
744 /*
745 * Add/remove filter entries for user "luser" from ip "ipsrc"
746 */
747 static int
change_filter(int add,const char * luser,const char * ipsrc)748 change_filter(int add, const char *luser, const char *ipsrc)
749 {
750 char *fdpath = NULL, *userstr = NULL, *ipstr = NULL;
751 char *rsn = NULL, *fn = NULL;
752 pid_t pid;
753 gid_t gid;
754 int s;
755
756 if (add) {
757 struct stat sb;
758 struct group *grent;
759 char *pargv[13] = {
760 "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
761 "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
762 };
763
764 if((grent = getgrgid(getgid())) == NULL) {
765 syslog(LOG_ERR, "Group not found user %s, gid %d",
766 luser, getgid());
767 goto error;
768 }
769
770 if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
771 syslog(LOG_ERR, "invalid luser/ipsrc");
772 goto error;
773 }
774
775 if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1)
776 goto no_mem;
777 if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1)
778 goto no_mem;
779 if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1)
780 goto no_mem;
781 if (asprintf(&userstr, "user_id=%s", luser) == -1)
782 goto no_mem;
783 if (asprintf(&fn, "%s/%s/authpf.rules",
784 PATH_USER_DIR, luser) == -1)
785 goto no_mem;
786 if (stat(fn, &sb) == -1) {
787 free(fn);
788 if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,
789 grent->gr_name) == -1)
790 goto no_mem;
791 if(stat(fn, &sb) == -1) {
792 free(fn);
793 if ((fn = strdup(PATH_PFRULES)) == NULL)
794 goto no_mem;
795 }
796 }
797 pargv[2] = fdpath;
798 pargv[5] = rsn;
799 pargv[7] = userstr;
800 if (user_ip) {
801 pargv[9] = ipstr;
802 pargv[11] = fn;
803 } else {
804 pargv[8] = "-f";
805 pargv[9] = fn;
806 pargv[10] = NULL;
807 }
808
809 switch (pid = fork()) {
810 case -1:
811 syslog(LOG_ERR, "fork failed");
812 goto error;
813 case 0:
814 /* revoke group privs before exec */
815 gid = getgid();
816 if (setresgid(gid, gid, gid) == -1) {
817 err(1, "setregid");
818 }
819 execvp(PATH_PFCTL, pargv);
820 warn("exec of %s failed", PATH_PFCTL);
821 _exit(1);
822 }
823
824 /* parent */
825 waitpid(pid, &s, 0);
826 if (s != 0) {
827 syslog(LOG_ERR, "pfctl exited abnormally");
828 goto error;
829 }
830
831 clock_gettime(CLOCK_MONOTONIC, &Tstart);
832 syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
833 } else {
834 remove_stale_rulesets();
835
836 clock_gettime(CLOCK_MONOTONIC, &Tend);
837 syslog(LOG_INFO, "removed %s, user %s - duration %d seconds",
838 ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec));
839 }
840 return (0);
841 no_mem:
842 syslog(LOG_ERR, "malloc failed");
843 error:
844 free(fdpath);
845 free(rsn);
846 free(userstr);
847 free(ipstr);
848 free(fn);
849 return (-1);
850 }
851
852 /*
853 * Add/remove this IP from the "authpf_users" table.
854 */
855 static int
change_table(int add,const char * ipsrc)856 change_table(int add, const char *ipsrc)
857 {
858 struct pfioc_table io;
859 struct pfr_addr addr;
860
861 bzero(&io, sizeof(io));
862 strlcpy(io.pfrio_table.pfrt_name, tablename,
863 sizeof(io.pfrio_table.pfrt_name));
864 io.pfrio_buffer = &addr;
865 io.pfrio_esize = sizeof(addr);
866 io.pfrio_size = 1;
867
868 bzero(&addr, sizeof(addr));
869 if (ipsrc == NULL || !ipsrc[0])
870 return (-1);
871 if (inet_pton(AF_INET, ipsrc, &addr.pfra_ip4addr) == 1) {
872 addr.pfra_af = AF_INET;
873 addr.pfra_net = 32;
874 } else if (inet_pton(AF_INET6, ipsrc, &addr.pfra_ip6addr) == 1) {
875 addr.pfra_af = AF_INET6;
876 addr.pfra_net = 128;
877 } else {
878 syslog(LOG_ERR, "invalid ipsrc");
879 return (-1);
880 }
881
882 if (ioctl(dev, add ? DIOCRADDADDRS : DIOCRDELADDRS, &io) == -1 &&
883 errno != ESRCH) {
884 syslog(LOG_ERR, "cannot %s %s from table %s: %s",
885 add ? "add" : "remove", ipsrc, tablename,
886 strerror(errno));
887 return (-1);
888 }
889 return (0);
890 }
891
892 /*
893 * This is to kill off states that would otherwise be left behind stateful
894 * rules. This means we don't need to allow in more traffic than we really
895 * want to, since we don't have to worry about any luser sessions lasting
896 * longer than their ssh session. This function is based on
897 * pfctl_kill_states from pfctl.
898 */
899 static void
authpf_kill_states(void)900 authpf_kill_states(void)
901 {
902 struct pfioc_state_kill psk;
903 struct pf_addr target;
904
905 memset(&psk, 0, sizeof(psk));
906 memset(&target, 0, sizeof(target));
907
908 if (inet_pton(AF_INET, ipsrc, &target.v4) == 1)
909 psk.psk_af = AF_INET;
910 else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1)
911 psk.psk_af = AF_INET6;
912 else {
913 syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc);
914 return;
915 }
916
917 /* Kill all states from ipsrc */
918 memcpy(&psk.psk_src.addr.v.a.addr, &target,
919 sizeof(psk.psk_src.addr.v.a.addr));
920 memset(&psk.psk_src.addr.v.a.mask, 0xff,
921 sizeof(psk.psk_src.addr.v.a.mask));
922 if (ioctl(dev, DIOCKILLSTATES, &psk) == -1)
923 syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
924
925 /* Kill all states to ipsrc */
926 memset(&psk.psk_src, 0, sizeof(psk.psk_src));
927 memcpy(&psk.psk_dst.addr.v.a.addr, &target,
928 sizeof(psk.psk_dst.addr.v.a.addr));
929 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
930 sizeof(psk.psk_dst.addr.v.a.mask));
931 if (ioctl(dev, DIOCKILLSTATES, &psk) == -1)
932 syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
933 }
934
935 /* signal handler that makes us go away properly */
936 static void
need_death(int signo)937 need_death(int signo)
938 {
939 want_death = 1;
940 }
941
942 /*
943 * function that removes our stuff when we go away.
944 */
945 static __dead void
do_death(int active)946 do_death(int active)
947 {
948 int ret = 0;
949
950 if (active) {
951 change_filter(0, luser, ipsrc);
952 if (user_ip) {
953 change_table(0, ipsrc);
954 authpf_kill_states();
955 }
956 }
957 if (pidfile[0] && pidfd != -1)
958 if (unlink(pidfile) == -1)
959 syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
960 exit(ret);
961 }
962