1 /* $NetBSD: rcmd.c,v 1.68 2012/07/14 15:06:26 darrenr Exp $ */ 2 3 /* 4 * Copyright (c) 1983, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #if defined(LIBC_SCCS) && !defined(lint) 34 #if 0 35 static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94"; 36 #else 37 __RCSID("$NetBSD: rcmd.c,v 1.68 2012/07/14 15:06:26 darrenr Exp $"); 38 #endif 39 #endif /* LIBC_SCCS and not lint */ 40 41 #ifdef _LIBC 42 #include "namespace.h" 43 #endif 44 #include <sys/param.h> 45 #include <sys/socket.h> 46 #include <sys/stat.h> 47 #include <sys/poll.h> 48 #include <sys/wait.h> 49 50 #include <netinet/in.h> 51 #if !defined(__minix) 52 #include <rpc/rpc.h> 53 #endif /* !defined(__minix) */ 54 #include <arpa/inet.h> 55 #include <netgroup.h> 56 57 #include <assert.h> 58 #include <ctype.h> 59 #include <err.h> 60 #include <errno.h> 61 #include <fcntl.h> 62 #include <grp.h> 63 #include <netdb.h> 64 #include <paths.h> 65 #include <pwd.h> 66 #include <signal.h> 67 #include <stdio.h> 68 #include <stdlib.h> 69 #include <string.h> 70 #include <syslog.h> 71 #include <unistd.h> 72 73 #include "pathnames.h" 74 75 int orcmd(char **, u_int, const char *, const char *, const char *, int *); 76 int orcmd_af(char **, u_int, const char *, const char *, const char *, 77 int *, int); 78 int __ivaliduser(FILE *, u_int32_t, const char *, const char *); 79 int __ivaliduser_sa(FILE *, const struct sockaddr *, socklen_t, 80 const char *, const char *); 81 static int rshrcmd(int, char **, u_int32_t, const char *, 82 const char *, const char *, int *, const char *); 83 static int resrcmd(struct addrinfo *, char **, u_int32_t, const char *, 84 const char *, const char *, int *); 85 static int __icheckhost(const struct sockaddr *, socklen_t, 86 const char *); 87 static char *__gethostloop(const struct sockaddr *, socklen_t); 88 89 int 90 rcmd(char **ahost, int rport, const char *locuser, const char *remuser, 91 const char *cmd, int *fd2p) 92 { 93 94 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 95 } 96 97 int 98 rcmd_af(char **ahost, int rport, const char *locuser, const char *remuser, 99 const char *cmd, int *fd2p, int af) 100 { 101 static char hbuf[MAXHOSTNAMELEN]; 102 char pbuf[NI_MAXSERV]; 103 struct addrinfo hints, *res; 104 int error; 105 struct servent *sp; 106 107 _DIAGASSERT(ahost != NULL); 108 _DIAGASSERT(locuser != NULL); 109 _DIAGASSERT(remuser != NULL); 110 _DIAGASSERT(cmd != NULL); 111 /* fd2p may be NULL */ 112 113 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 114 memset(&hints, 0, sizeof(hints)); 115 hints.ai_family = af; 116 hints.ai_socktype = SOCK_STREAM; 117 hints.ai_flags = AI_CANONNAME; 118 error = getaddrinfo(*ahost, pbuf, &hints, &res); 119 if (error) { 120 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 121 return -1; 122 } 123 if (res->ai_canonname) { 124 /* 125 * Canonicalise hostname. 126 * XXX: Should we really do this? 127 */ 128 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 129 *ahost = hbuf; 130 } 131 132 /* 133 * Check if rport is the same as the shell port, and that the fd2p. If 134 * it is not, the program isn't expecting 'rsh' and so we can't use the 135 * RCMD_CMD environment. 136 */ 137 sp = getservbyname("shell", "tcp"); 138 if (sp != NULL && sp->s_port == rport) 139 error = rshrcmd(af, ahost, (u_int32_t)rport, 140 locuser, remuser, cmd, fd2p, getenv("RCMD_CMD")); 141 else 142 error = resrcmd(res, ahost, (u_int32_t)rport, 143 locuser, remuser, cmd, fd2p); 144 freeaddrinfo(res); 145 return error; 146 } 147 148 /* this is simply a wrapper around hprcmd() that handles ahost first */ 149 int 150 orcmd(char **ahost, u_int rport, const char *locuser, const char *remuser, 151 const char *cmd, int *fd2p) 152 { 153 return orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 154 } 155 156 int 157 orcmd_af(char **ahost, u_int rport, const char *locuser, const char *remuser, 158 const char *cmd, int *fd2p, int af) 159 { 160 static char hbuf[MAXHOSTNAMELEN]; 161 char pbuf[NI_MAXSERV]; 162 struct addrinfo hints, *res; 163 int error; 164 165 _DIAGASSERT(ahost != NULL); 166 _DIAGASSERT(locuser != NULL); 167 _DIAGASSERT(remuser != NULL); 168 _DIAGASSERT(cmd != NULL); 169 /* fd2p may be NULL */ 170 171 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 172 memset(&hints, 0, sizeof(hints)); 173 hints.ai_family = af; 174 hints.ai_socktype = SOCK_STREAM; 175 hints.ai_flags = AI_CANONNAME; 176 error = getaddrinfo(*ahost, pbuf, &hints, &res); 177 if (error) { 178 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 179 return -1; 180 } 181 if (res->ai_canonname) { 182 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 183 *ahost = hbuf; 184 } 185 186 error = resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p); 187 freeaddrinfo(res); 188 return error; 189 } 190 191 /*ARGSUSED*/ 192 static int 193 resrcmd(struct addrinfo *res, char **ahost, u_int32_t rport, 194 const char *locuser, const char *remuser, const char *cmd, int *fd2p) 195 { 196 struct addrinfo *r; 197 struct sockaddr_storage from; 198 struct pollfd reads[2]; 199 #if defined(__minix) 200 /* No support for OOB data in Minix. */ 201 #else 202 sigset_t nmask, omask; 203 #endif /* defined(__minix) */ 204 pid_t pid; 205 int s, lport, timo; 206 int pollr; 207 char c; 208 int refused; 209 210 _DIAGASSERT(res != NULL); 211 _DIAGASSERT(ahost != NULL); 212 _DIAGASSERT(locuser != NULL); 213 _DIAGASSERT(remuser != NULL); 214 _DIAGASSERT(cmd != NULL); 215 /* fd2p may be NULL */ 216 217 r = res; 218 refused = 0; 219 pid = getpid(); 220 #if !defined(__minix) 221 /* Minix has no support for OOB data, 222 no need to block SIGURG. */ 223 sigemptyset(&nmask); 224 sigaddset(&nmask, SIGURG); 225 if (sigprocmask(SIG_BLOCK, &nmask, &omask) == -1) 226 return -1; 227 #endif /* !defined(__minix) */ 228 for (timo = 1, lport = IPPORT_RESERVED - 1;;) { 229 s = rresvport_af(&lport, r->ai_family); 230 if (s < 0) { 231 if (errno == EAGAIN) 232 warnx("rcmd: socket: All ports in use"); 233 else 234 warn("rcmd: socket"); 235 if (r->ai_next) { 236 r = r->ai_next; 237 continue; 238 } else { 239 #if !defined(__minix) 240 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 241 #endif /* !defined(__minix) */ 242 return -1; 243 } 244 } 245 #if !defined(__minix) 246 /* No OOB support in Minix. */ 247 fcntl(s, F_SETOWN, pid); 248 #endif /* !defined(__minix) */ 249 if (connect(s, r->ai_addr, r->ai_addrlen) >= 0) 250 break; 251 (void)close(s); 252 if (errno == EADDRINUSE) { 253 lport--; 254 continue; 255 } else if (errno == ECONNREFUSED) 256 refused++; 257 if (r->ai_next) { 258 int oerrno = errno; 259 char hbuf[NI_MAXHOST]; 260 const int niflags = NI_NUMERICHOST; 261 262 hbuf[0] = '\0'; 263 if (getnameinfo(r->ai_addr, r->ai_addrlen, 264 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) != 265 0) 266 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 267 errno = oerrno; 268 warn("rcmd: connect to address %s", hbuf); 269 r = r->ai_next; 270 hbuf[0] = '\0'; 271 if (getnameinfo(r->ai_addr, r->ai_addrlen, 272 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) != 273 0) 274 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 275 (void)fprintf(stderr, "Trying %s...\n", hbuf); 276 continue; 277 } 278 if (refused && timo <= 16) { 279 (void)sleep((unsigned int)timo); 280 timo *= 2; 281 r = res; 282 refused = 0; 283 continue; 284 } 285 (void)fprintf(stderr, "%s: %s\n", res->ai_canonname, 286 strerror(errno)); 287 #if !defined(__minix) 288 /* No OOB support in Minix. */ 289 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 290 #endif /* !defined(__minix) */ 291 return -1; 292 } 293 lport--; 294 if (fd2p == 0) { 295 write(s, "", 1); 296 lport = 0; 297 } else { 298 char num[8]; 299 int s2 = rresvport_af(&lport, r->ai_family), s3; 300 socklen_t len = sizeof(from); 301 302 if (s2 < 0) 303 goto bad; 304 listen(s2, 1); 305 (void)snprintf(num, sizeof(num), "%d", lport); 306 if (write(s, num, strlen(num) + 1) != 307 (ssize_t) (strlen(num) + 1)) { 308 warn("rcmd: write (setting up stderr)"); 309 (void)close(s2); 310 goto bad; 311 } 312 reads[0].fd = s; 313 reads[0].events = POLLIN; 314 reads[1].fd = s2; 315 reads[1].events = POLLIN; 316 errno = 0; 317 pollr = poll(reads, 2, INFTIM); 318 if (pollr < 1 || (reads[1].revents & POLLIN) == 0) { 319 if (errno != 0) 320 warn("poll: setting up stderr"); 321 else 322 warnx( 323 "poll: protocol failure in circuit setup"); 324 (void)close(s2); 325 goto bad; 326 } 327 s3 = accept(s2, (struct sockaddr *)(void *)&from, &len); 328 (void)close(s2); 329 if (s3 < 0) { 330 warn("rcmd: accept"); 331 lport = 0; 332 goto bad; 333 } 334 *fd2p = s3; 335 switch (((struct sockaddr *)(void *)&from)->sa_family) { 336 case AF_INET: 337 #ifdef INET6 338 case AF_INET6: 339 #endif 340 if (getnameinfo((struct sockaddr *)(void *)&from, len, 341 NULL, 0, num, (socklen_t)sizeof(num), 342 NI_NUMERICSERV) != 0 || 343 (atoi(num) >= IPPORT_RESERVED || 344 atoi(num) < IPPORT_RESERVED / 2)) { 345 warnx( 346 "rcmd: protocol failure in circuit setup."); 347 goto bad2; 348 } 349 break; 350 default: 351 break; 352 } 353 } 354 355 (void)write(s, locuser, strlen(locuser)+1); 356 (void)write(s, remuser, strlen(remuser)+1); 357 (void)write(s, cmd, strlen(cmd)+1); 358 if (read(s, &c, 1) != 1) { 359 warn("%s", *ahost); 360 goto bad2; 361 } 362 if (c != 0) { 363 while (read(s, &c, 1) == 1) { 364 (void)write(STDERR_FILENO, &c, 1); 365 if (c == '\n') 366 break; 367 } 368 goto bad2; 369 } 370 #if !defined(__minix) 371 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 372 #endif /* !defined(__minix) */ 373 return s; 374 bad2: 375 if (lport) 376 (void)close(*fd2p); 377 bad: 378 (void)close(s); 379 #if !defined(__minix) 380 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 381 #endif /* !defined(__minix) */ 382 return -1; 383 } 384 385 /* 386 * based on code written by Chris Siebenmann <cks@utcc.utoronto.ca> 387 */ 388 /* ARGSUSED */ 389 static int 390 rshrcmd(int af, char **ahost, u_int32_t rport, const char *locuser, 391 const char *remuser, const char *cmd, int *fd2p, const char *rshcmd) 392 { 393 pid_t pid; 394 int sp[2], ep[2]; 395 char *p; 396 struct passwd *pw, pwres; 397 char pwbuf[1024]; 398 399 _DIAGASSERT(ahost != NULL); 400 _DIAGASSERT(locuser != NULL); 401 _DIAGASSERT(remuser != NULL); 402 _DIAGASSERT(cmd != NULL); 403 /* fd2p may be NULL */ 404 405 /* What rsh/shell to use. */ 406 if (rshcmd == NULL) 407 rshcmd = _PATH_BIN_RCMD; 408 409 /* locuser must exist on this host. */ 410 if (getpwnam_r(locuser, &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || 411 pw == NULL) { 412 warnx("%s: unknown user: %s", __func__, locuser); 413 return -1; 414 } 415 416 /* get a socketpair we'll use for stdin and stdout. */ 417 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) { 418 warn("%s: socketpair", __func__); 419 return -1; 420 } 421 /* we will use this for the fd2 pointer */ 422 if (fd2p) { 423 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, ep) < 0) { 424 warn("%s: socketpair", __func__); 425 return -1; 426 } 427 *fd2p = ep[0]; 428 } 429 430 pid = fork(); 431 if (pid < 0) { 432 warn("%s: fork", __func__); 433 return -1; 434 } 435 if (pid == 0) { 436 /* 437 * child 438 * - we use sp[1] to be stdin/stdout, and close sp[0] 439 * - with fd2p, we use ep[1] for stderr, and close ep[0] 440 */ 441 (void)close(sp[0]); 442 if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) { 443 warn("%s: dup2", __func__); 444 _exit(1); 445 } 446 (void)close(sp[1]); 447 if (fd2p) { 448 if (dup2(ep[1], 2) < 0) { 449 warn("%s: dup2", __func__); 450 _exit(1); 451 } 452 (void)close(ep[0]); 453 (void)close(ep[1]); 454 } else if (dup2(0, 2) < 0) { 455 warn("%s: dup2", __func__); 456 _exit(1); 457 } 458 /* fork again to lose parent. */ 459 pid = fork(); 460 if (pid < 0) { 461 warn("%s: second fork", __func__); 462 _exit(1); 463 } 464 if (pid > 0) 465 _exit(0); 466 467 /* Orphan. Become local user for rshprog. */ 468 if (setuid(pw->pw_uid)) { 469 warn("%s: setuid(%lu)", __func__, (u_long)pw->pw_uid); 470 _exit(1); 471 } 472 473 /* 474 * If we are rcmd'ing to "localhost" as the same user as we 475 * are, then avoid running remote shell for efficiency. 476 */ 477 if (strcmp(*ahost, "localhost") == 0 && 478 strcmp(locuser, remuser) == 0) { 479 if (pw->pw_shell[0] == '\0') 480 rshcmd = _PATH_BSHELL; 481 else 482 rshcmd = pw->pw_shell; 483 p = strrchr(rshcmd, '/'); 484 execlp(rshcmd, p ? p + 1 : rshcmd, "-c", cmd, NULL); 485 } else { 486 const char *program; 487 program = strrchr(rshcmd, '/'); 488 program = program ? program + 1 : rshcmd; 489 switch (af) { 490 case AF_INET: 491 execlp(rshcmd, program, "-4", "-l", remuser, 492 *ahost, cmd, NULL); 493 break; 494 495 case AF_INET6: 496 execlp(rshcmd, program, "-6", "-l", remuser, 497 *ahost, cmd, NULL); 498 break; 499 500 default: 501 /* typically AF_UNSPEC, plus whatever */ 502 execlp(rshcmd, program, "-l", remuser, 503 *ahost, cmd, NULL); 504 break; 505 } 506 } 507 warn("%s: exec %s", __func__, rshcmd); 508 _exit(1); 509 } 510 /* Parent */ 511 (void)close(sp[1]); 512 if (fd2p) 513 (void)close(ep[1]); 514 515 (void)waitpid(pid, NULL, 0); 516 return sp[0]; 517 } 518 519 int 520 rresvport(int *alport) 521 { 522 523 _DIAGASSERT(alport != NULL); 524 525 return rresvport_af(alport, AF_INET); 526 } 527 528 int 529 rresvport_af(int *alport, int family) 530 { 531 return rresvport_af_addr(alport, family, NULL); 532 } 533 534 int 535 rresvport_af_addr(int *alport, int family, void *addr) 536 { 537 struct sockaddr_storage ss; 538 struct sockaddr *sa; 539 socklen_t salen; 540 int s; 541 u_int16_t *portp; 542 543 _DIAGASSERT(alport != NULL); 544 545 memset(&ss, 0, sizeof(ss)); 546 sa = (struct sockaddr *)(void *)&ss; 547 switch (family) { 548 case AF_INET: 549 #ifdef BSD4_4 550 sa->sa_len = 551 #endif 552 salen = sizeof(struct sockaddr_in); 553 if (addr) 554 ((struct sockaddr_in *)(void *)sa)->sin_addr = 555 ((struct sockaddr_in *)addr)->sin_addr; 556 portp = &((struct sockaddr_in *)(void *)sa)->sin_port; 557 break; 558 #ifdef INET6 559 case AF_INET6: 560 #ifdef BSD4_4 561 sa->sa_len = 562 #endif 563 salen = sizeof(struct sockaddr_in6); 564 if (addr) 565 ((struct sockaddr_in6 *)(void *)sa)->sin6_addr = 566 ((struct sockaddr_in6 *)addr)->sin6_addr; 567 portp = &((struct sockaddr_in6 *)(void *)sa)->sin6_port; 568 break; 569 #endif 570 default: 571 errno = EAFNOSUPPORT; 572 return -1; 573 } 574 sa->sa_family = family; 575 s = socket(family, SOCK_STREAM, 0); 576 if (s < 0) 577 return -1; 578 #if defined(BSD4_4) && !defined(__minix) 579 switch (family) { 580 case AF_INET: 581 case AF_INET6: 582 *portp = 0; 583 if (bindresvport(s, (struct sockaddr_in *)(void *)sa) < 0) { 584 int sverr = errno; 585 586 (void)close(s); 587 errno = sverr; 588 return -1; 589 } 590 *alport = (int)ntohs(*portp); 591 return s; 592 default: 593 /* is it necessary to try keep code for other AFs? */ 594 break; 595 } 596 #endif 597 for (;;) { 598 *portp = htons((u_short)*alport); 599 if (bind(s, sa, salen) >= 0) 600 return s; 601 if (errno != EADDRINUSE) { 602 (void)close(s); 603 return -1; 604 } 605 (*alport)--; 606 if (*alport == IPPORT_RESERVED/2) { 607 (void)close(s); 608 errno = EAGAIN; /* close */ 609 return -1; 610 } 611 } 612 } 613 614 int __check_rhosts_file = 1; 615 const char *__rcmd_errstr; 616 617 int 618 ruserok(const char *rhost, int superuser, const char *ruser, const char *luser) 619 { 620 struct addrinfo hints, *res, *r; 621 int error; 622 623 _DIAGASSERT(rhost != NULL); 624 _DIAGASSERT(ruser != NULL); 625 _DIAGASSERT(luser != NULL); 626 627 memset(&hints, 0, sizeof(hints)); 628 hints.ai_family = PF_UNSPEC; 629 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 630 error = getaddrinfo(rhost, "0", &hints, &res); 631 if (error) 632 return -1; 633 634 for (r = res; r; r = r->ai_next) { 635 if (iruserok_sa(r->ai_addr, (int)r->ai_addrlen, superuser, 636 ruser, luser) == 0) { 637 freeaddrinfo(res); 638 return 0; 639 } 640 } 641 freeaddrinfo(res); 642 return -1; 643 } 644 645 /* 646 * New .rhosts strategy: We are passed an ip address. We spin through 647 * hosts.equiv and .rhosts looking for a match. When the .rhosts only 648 * has ip addresses, we don't have to trust a nameserver. When it 649 * contains hostnames, we spin through the list of addresses the nameserver 650 * gives us and look for a match. 651 * 652 * Returns 0 if ok, -1 if not ok. 653 */ 654 int 655 iruserok(u_int32_t raddr, int superuser, const char *ruser, const char *luser) 656 { 657 struct sockaddr_in irsin; 658 659 memset(&irsin, 0, sizeof(irsin)); 660 irsin.sin_family = AF_INET; 661 #ifdef BSD4_4 662 irsin.sin_len = sizeof(irsin); 663 #endif 664 memcpy(&irsin.sin_addr, &raddr, sizeof(irsin.sin_addr)); 665 return iruserok_sa(&irsin, (socklen_t)sizeof(irsin), superuser, ruser, 666 luser); 667 } 668 669 /* 670 * 2nd and 3rd arguments are typed like this, to avoid dependency between 671 * unistd.h and sys/socket.h. There's no better way. 672 */ 673 int 674 iruserok_sa(const void *raddr, int rlen, int superuser, const char *ruser, 675 const char *luser) 676 { 677 const struct sockaddr *sa; 678 struct stat sbuf; 679 struct passwd *pwd, pwres; 680 FILE *hostf; 681 uid_t uid; 682 gid_t gid; 683 int isvaliduser; 684 char pbuf[MAXPATHLEN]; 685 char pwbuf[1024]; 686 687 _DIAGASSERT(raddr != NULL); 688 _DIAGASSERT(ruser != NULL); 689 _DIAGASSERT(luser != NULL); 690 691 sa = raddr; 692 693 __rcmd_errstr = NULL; 694 695 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r"); 696 697 if (hostf) { 698 if (__ivaliduser_sa(hostf, sa, (socklen_t)rlen, luser, 699 ruser) == 0) { 700 (void)fclose(hostf); 701 return 0; 702 } 703 (void)fclose(hostf); 704 } 705 706 isvaliduser = -1; 707 if (__check_rhosts_file || superuser) { 708 709 if (getpwnam_r(luser, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 710 || pwd == NULL) 711 return -1; 712 (void)strlcpy(pbuf, pwd->pw_dir, sizeof(pbuf)); 713 (void)strlcat(pbuf, "/.rhosts", sizeof(pbuf)); 714 715 /* 716 * Change effective uid while opening and reading .rhosts. 717 * If root and reading an NFS mounted file system, can't 718 * read files that are protected read/write owner only. 719 */ 720 uid = geteuid(); 721 gid = getegid(); 722 (void)setegid(pwd->pw_gid); 723 initgroups(pwd->pw_name, pwd->pw_gid); 724 (void)seteuid(pwd->pw_uid); 725 hostf = fopen(pbuf, "r"); 726 727 if (hostf != NULL) { 728 /* 729 * If not a regular file, or is owned by someone other 730 * than user or root or if writable by anyone but the 731 * owner, quit. 732 */ 733 if (lstat(pbuf, &sbuf) < 0) 734 __rcmd_errstr = ".rhosts lstat failed"; 735 else if (!S_ISREG(sbuf.st_mode)) 736 __rcmd_errstr = ".rhosts not regular file"; 737 else if (fstat(fileno(hostf), &sbuf) < 0) 738 __rcmd_errstr = ".rhosts fstat failed"; 739 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) 740 __rcmd_errstr = "bad .rhosts owner"; 741 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH)) 742 __rcmd_errstr = 743 ".rhosts writable by other than owner"; 744 else 745 isvaliduser = 746 __ivaliduser_sa(hostf, sa, (socklen_t)rlen, 747 luser, ruser); 748 749 (void)fclose(hostf); 750 } 751 (void)seteuid(uid); 752 (void)setegid(gid); 753 754 } 755 return isvaliduser; 756 } 757 758 /* 759 * XXX 760 * Don't make static, used by lpd(8). We will be able to change the function 761 * into static function, when we bump libc major #. 762 * 763 * Returns 0 if ok, -1 if not ok. 764 */ 765 #ifdef notdef /*_LIBC*/ 766 static 767 #endif 768 int 769 __ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser, 770 const char *ruser) 771 { 772 struct sockaddr_in ivusin; 773 774 memset(&ivusin, 0, sizeof(ivusin)); 775 ivusin.sin_family = AF_INET; 776 #ifdef BSD4_4 777 ivusin.sin_len = sizeof(ivusin); 778 #endif 779 memcpy(&ivusin.sin_addr, &raddr, sizeof(ivusin.sin_addr)); 780 return __ivaliduser_sa(hostf, (struct sockaddr *)(void *)&ivusin, 781 (socklen_t)sizeof(ivusin), luser, ruser); 782 } 783 784 #ifdef notdef /*_LIBC*/ 785 static 786 #endif 787 int 788 __ivaliduser_sa(FILE *hostf, const struct sockaddr *raddr, socklen_t salen, 789 const char *luser, const char *ruser) 790 { 791 char *user, *p; 792 int ch; 793 char buf[MAXHOSTNAMELEN + 128]; /* host + login */ 794 const char *auser, *ahost; 795 int hostok, userok; 796 char *rhost = NULL; 797 int firsttime = 1; 798 char domain[MAXHOSTNAMELEN]; 799 800 getdomainname(domain, sizeof(domain)); 801 802 _DIAGASSERT(hostf != NULL); 803 _DIAGASSERT(luser != NULL); 804 _DIAGASSERT(ruser != NULL); 805 806 while (fgets(buf, (int)sizeof(buf), hostf)) { 807 p = buf; 808 /* Skip lines that are too long. */ 809 if (strchr(p, '\n') == NULL) { 810 while ((ch = getc(hostf)) != '\n' && ch != EOF) 811 ; 812 continue; 813 } 814 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { 815 *p = isupper((unsigned char)*p) ? 816 tolower((unsigned char)*p) : *p; 817 p++; 818 } 819 if (*p == ' ' || *p == '\t') { 820 *p++ = '\0'; 821 while (*p == ' ' || *p == '\t') 822 p++; 823 user = p; 824 while (*p != '\n' && *p != ' ' && 825 *p != '\t' && *p != '\0') 826 p++; 827 } else 828 user = p; 829 *p = '\0'; 830 831 if (p == buf) 832 continue; 833 834 auser = *user ? user : luser; 835 ahost = buf; 836 837 if (ahost[0] == '+') 838 switch (ahost[1]) { 839 case '\0': 840 hostok = 1; 841 break; 842 843 case '@': 844 if (firsttime) { 845 rhost = __gethostloop(raddr, salen); 846 firsttime = 0; 847 } 848 if (rhost) 849 hostok = innetgr(&ahost[2], rhost, 850 NULL, domain); 851 else 852 hostok = 0; 853 break; 854 855 default: 856 hostok = __icheckhost(raddr, salen, &ahost[1]); 857 break; 858 } 859 else if (ahost[0] == '-') 860 switch (ahost[1]) { 861 case '\0': 862 hostok = -1; 863 break; 864 865 case '@': 866 if (firsttime) { 867 rhost = __gethostloop(raddr, salen); 868 firsttime = 0; 869 } 870 if (rhost) 871 hostok = -innetgr(&ahost[2], rhost, 872 NULL, domain); 873 else 874 hostok = 0; 875 break; 876 877 default: 878 hostok = 879 -__icheckhost(raddr, salen, &ahost[1]); 880 break; 881 } 882 else 883 hostok = __icheckhost(raddr, salen, ahost); 884 885 886 if (auser[0] == '+') 887 switch (auser[1]) { 888 case '\0': 889 userok = 1; 890 break; 891 892 case '@': 893 userok = innetgr(&auser[2], NULL, ruser, 894 domain); 895 break; 896 897 default: 898 userok = strcmp(ruser, &auser[1]) == 0; 899 break; 900 } 901 else if (auser[0] == '-') 902 switch (auser[1]) { 903 case '\0': 904 userok = -1; 905 break; 906 907 case '@': 908 userok = -innetgr(&auser[2], NULL, ruser, 909 domain); 910 break; 911 912 default: 913 userok = 914 -(strcmp(ruser, &auser[1]) == 0 ? 1 : 0); 915 break; 916 } 917 else 918 userok = strcmp(ruser, auser) == 0; 919 920 /* Check if one component did not match */ 921 if (hostok == 0 || userok == 0) 922 continue; 923 924 /* Check if we got a forbidden pair */ 925 if (userok == -1 || hostok == -1) 926 return -1; 927 928 /* Check if we got a valid pair */ 929 if (hostok == 1 && userok == 1) 930 return 0; 931 } 932 return -1; 933 } 934 935 /* 936 * Returns "true" if match, 0 if no match. 937 */ 938 static int 939 __icheckhost(const struct sockaddr *raddr, socklen_t salen, const char *lhost) 940 { 941 struct addrinfo hints, *res, *r; 942 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 943 int error; 944 const int niflags = NI_NUMERICHOST; 945 946 _DIAGASSERT(raddr != NULL); 947 _DIAGASSERT(lhost != NULL); 948 949 h1[0] = '\0'; 950 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0, 951 niflags) != 0) 952 return 0; 953 954 /* Resolve laddr into sockaddr */ 955 memset(&hints, 0, sizeof(hints)); 956 hints.ai_family = raddr->sa_family; 957 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 958 res = NULL; 959 error = getaddrinfo(lhost, "0", &hints, &res); 960 if (error) 961 return 0; 962 963 /* 964 * Try string comparisons between raddr and laddr. 965 */ 966 for (r = res; r; r = r->ai_next) { 967 h2[0] = '\0'; 968 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, 969 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0) 970 continue; 971 if (strcmp(h1, h2) == 0) { 972 freeaddrinfo(res); 973 return 1; 974 } 975 } 976 977 /* No match. */ 978 freeaddrinfo(res); 979 return 0; 980 } 981 982 /* 983 * Return the hostname associated with the supplied address. 984 * Do a reverse lookup as well for security. If a loop cannot 985 * be found, pack the numeric IP address into the string. 986 */ 987 static char * 988 __gethostloop(const struct sockaddr *raddr, socklen_t salen) 989 { 990 static char remotehost[NI_MAXHOST]; 991 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 992 struct addrinfo hints, *res, *r; 993 int error; 994 const int niflags = NI_NUMERICHOST; 995 996 _DIAGASSERT(raddr != NULL); 997 998 h1[0] = remotehost[0] = '\0'; 999 if (getnameinfo(raddr, salen, remotehost, (socklen_t)sizeof(remotehost), 1000 NULL, 0, NI_NAMEREQD) != 0) 1001 return NULL; 1002 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0, 1003 niflags) != 0) 1004 return NULL; 1005 1006 /* 1007 * Look up the name and check that the supplied 1008 * address is in the list 1009 */ 1010 memset(&hints, 0, sizeof(hints)); 1011 hints.ai_family = raddr->sa_family; 1012 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 1013 hints.ai_flags = AI_CANONNAME; 1014 res = NULL; 1015 error = getaddrinfo(remotehost, "0", &hints, &res); 1016 if (error) 1017 return NULL; 1018 1019 for (r = res; r; r = r->ai_next) { 1020 h2[0] = '\0'; 1021 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, 1022 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0) 1023 continue; 1024 if (strcmp(h1, h2) == 0) { 1025 freeaddrinfo(res); 1026 return remotehost; 1027 } 1028 } 1029 1030 /* 1031 * either the DNS adminstrator has made a configuration 1032 * mistake, or someone has attempted to spoof us 1033 */ 1034 syslog(LOG_NOTICE, "rcmd: address %s not listed for host %s", 1035 h1, res->ai_canonname ? res->ai_canonname : remotehost); 1036 freeaddrinfo(res); 1037 return NULL; 1038 } 1039