xref: /dragonfly/usr.sbin/rpcbind/security.c (revision ed5d5720) 
1 /*	$NetBSD: security.c,v 1.5 2000/06/08 09:01:05 fvdl Exp $	*/
2 /*	$FreeBSD: src/usr.sbin/rpcbind/security.c,v 1.6 2002/12/16 22:24:26 mbr Exp $ */
3 /* $DragonFly$ */
4 
5 #include <sys/types.h>
6 #include <sys/time.h>
7 #include <sys/socket.h>
8 #include <netinet/in.h>
9 #include <arpa/inet.h>
10 #include <rpc/rpc.h>
11 #include <rpc/rpcb_prot.h>
12 #include <rpc/pmap_prot.h>
13 #include <err.h>
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <unistd.h>
18 #include <libutil.h>
19 #include <syslog.h>
20 #include <netdb.h>
21 
22 /*
23  * XXX for special case checks in check_callit.
24  */
25 #include <rpcsvc/mount.h>
26 #include <rpcsvc/rquota.h>
27 #include <rpcsvc/nfs_prot.h>
28 #include <rpcsvc/yp.h>
29 #include <rpcsvc/ypclnt.h>
30 #include <rpcsvc/yppasswd.h>
31 
32 #include "rpcbind.h"
33 
34 #ifdef LIBWRAP
35 # include <tcpd.h>
36 #ifndef LIBWRAP_ALLOW_FACILITY
37 # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
38 #endif
39 #ifndef LIBWRAP_ALLOW_SEVERITY
40 # define LIBWRAP_ALLOW_SEVERITY LOG_INFO
41 #endif
42 #ifndef LIBWRAP_DENY_FACILITY
43 # define LIBWRAP_DENY_FACILITY LOG_AUTH
44 #endif
45 #ifndef LIBWRAP_DENY_SEVERITY
46 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
47 #endif
48 int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
49 int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
50 #endif
51 
52 #ifndef PORTMAP_LOG_FACILITY
53 # define PORTMAP_LOG_FACILITY LOG_AUTH
54 #endif
55 #ifndef PORTMAP_LOG_SEVERITY
56 # define PORTMAP_LOG_SEVERITY LOG_INFO
57 #endif
58 int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY;
59 
60 extern int verboselog;
61 
62 int
63 check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers)
64 {
65 	struct netbuf *caller = svc_getrpccaller(xprt);
66 	struct sockaddr *addr = (struct sockaddr *)caller->buf;
67 #ifdef LIBWRAP
68 	struct request_info req;
69 #endif
70 	rpcprog_t prog = 0;
71 	rpcb *rpcbp;
72 	struct pmap *pmap;
73 
74 	/*
75 	 * The older PMAP_* equivalents have the same numbers, so
76 	 * they are accounted for here as well.
77 	 */
78 	switch (proc) {
79 	case RPCBPROC_GETADDR:
80 	case RPCBPROC_SET:
81 	case RPCBPROC_UNSET:
82 		if (rpcbvers > PMAPVERS) {
83 			rpcbp = (rpcb *)args;
84 			prog = rpcbp->r_prog;
85 		} else {
86 			pmap = (struct pmap *)args;
87 			prog = pmap->pm_prog;
88 		}
89 		if (proc == RPCBPROC_GETADDR)
90 			break;
91 		if (!insecure && !is_loopback(caller)) {
92 			if (verboselog)
93 				logit(log_severity, addr, proc, prog,
94 				    " declined (non-loopback sender)");
95 			return 0;
96 		}
97 		break;
98 	case RPCBPROC_CALLIT:
99 	case RPCBPROC_INDIRECT:
100 	case RPCBPROC_DUMP:
101 	case RPCBPROC_GETTIME:
102 	case RPCBPROC_UADDR2TADDR:
103 	case RPCBPROC_TADDR2UADDR:
104 	case RPCBPROC_GETVERSADDR:
105 	case RPCBPROC_GETADDRLIST:
106 	case RPCBPROC_GETSTAT:
107 	default:
108 		break;
109 	}
110 
111 #ifdef LIBWRAP
112 	if (addr->sa_family == AF_LOCAL)
113 		return 1;
114 	request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0);
115 	sock_methods(&req);
116 	if(!hosts_access(&req)) {
117 		logit(deny_severity, addr, proc, prog, ": request from unauthorized host");
118 		return 0;
119 	}
120 #endif
121 	if (verboselog)
122 		logit(log_severity, addr, proc, prog, "");
123 	return 1;
124 }
125 
126 int
127 is_loopback(struct netbuf *nbuf)
128 {
129 	struct sockaddr *addr = (struct sockaddr *)nbuf->buf;
130 	struct sockaddr_in *sin;
131 #ifdef INET6
132 	struct sockaddr_in6 *sin6;
133 #endif
134 
135 	switch (addr->sa_family) {
136 	case AF_INET:
137 		if (!oldstyle_local)
138 			return 0;
139 		sin = (struct sockaddr_in *)addr;
140 		return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
141 		    (ntohs(sin->sin_port) < IPPORT_RESERVED));
142 #ifdef INET6
143 	case AF_INET6:
144 		if (!oldstyle_local)
145 			return 0;
146 		sin6 = (struct sockaddr_in6 *)addr;
147 		return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
148 		    (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED));
149 #endif
150 	case AF_LOCAL:
151 		return 1;
152 	default:
153 		break;
154 	}
155 
156 	return 0;
157 }
158 
159 
160 /* logit - report events of interest via the syslog daemon */
161 void
162 logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum,
163       const char *text)
164 {
165 	const char *procname;
166 	char	procbuf[32];
167 	char   *progname;
168 	char	progbuf[32];
169 	char fromname[NI_MAXHOST];
170 	struct rpcent *rpc;
171 	static const char *procmap[] = {
172 	/* RPCBPROC_NULL */		"null",
173 	/* RPCBPROC_SET */		"set",
174 	/* RPCBPROC_UNSET */		"unset",
175 	/* RPCBPROC_GETADDR */		"getport/addr",
176 	/* RPCBPROC_DUMP */		"dump",
177 	/* RPCBPROC_CALLIT */		"callit",
178 	/* RPCBPROC_GETTIME */		"gettime",
179 	/* RPCBPROC_UADDR2TADDR */	"uaddr2taddr",
180 	/* RPCBPROC_TADDR2UADDR */	"taddr2uaddr",
181 	/* RPCBPROC_GETVERSADDR */	"getversaddr",
182 	/* RPCBPROC_INDIRECT */		"indirect",
183 	/* RPCBPROC_GETADDRLIST */	"getaddrlist",
184 	/* RPCBPROC_GETSTAT */		"getstat"
185 	};
186 
187 	/*
188 	 * Fork off a process or the portmap daemon might hang while
189 	 * getrpcbynumber() or syslog() does its thing.
190 	 */
191 
192 	if (fork() == 0) {
193 		setproctitle("logit");
194 
195 		/* Try to map program number to name. */
196 
197 		if (prognum == 0) {
198 			progname = "";
199 		} else if ((rpc = getrpcbynumber((int) prognum))) {
200 			progname = rpc->r_name;
201 		} else {
202 			snprintf(progname = progbuf, sizeof(progbuf), "%u",
203 			    (unsigned)prognum);
204 		}
205 
206 		/* Try to map procedure number to name. */
207 
208 		if (procnum >= (sizeof procmap / sizeof (char *))) {
209 			snprintf(procbuf, sizeof procbuf, "%u",
210 			    (unsigned)procnum);
211 			procname = procbuf;
212 		} else
213 			procname = procmap[procnum];
214 
215 		/* Write syslog record. */
216 
217 		if (addr->sa_family == AF_LOCAL)
218 			strcpy(fromname, "local");
219 		else
220 			getnameinfo(addr, addr->sa_len, fromname,
221 			    sizeof fromname, NULL, 0, NI_NUMERICHOST);
222 
223 		syslog(severity, "connect from %s to %s(%s)%s",
224 			fromname, procname, progname, text);
225 		_exit(0);
226 	}
227 }
228 
229 int
230 check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum __unused)
231 {
232 	struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf;
233 
234 	/*
235 	 * Always allow calling NULLPROC
236 	 */
237 	if (args->rmt_proc == 0)
238 		return 1;
239 
240 	/*
241 	 * XXX - this special casing sucks.
242 	 */
243 	switch (args->rmt_prog) {
244 	case RPCBPROG:
245 		/*
246 		 * Allow indirect calls to ourselves in insecure mode.
247 		 * The is_loopback checks aren't useful then anyway.
248 		 */
249 		if (!insecure)
250 			goto deny;
251 		break;
252 	case MOUNTPROG:
253 		if (args->rmt_proc != MOUNTPROC_MNT &&
254 		    args->rmt_proc != MOUNTPROC_UMNT)
255 			break;
256 		goto deny;
257 	case YPBINDPROG:
258 		if (args->rmt_proc != YPBINDPROC_SETDOM)
259 			break;
260 		/* FALLTHROUGH */
261 	case YPPASSWDPROG:
262 	case NFS_PROGRAM:
263 	case RQUOTAPROG:
264 		goto deny;
265 	case YPPROG:
266 		switch (args->rmt_proc) {
267 		case YPPROC_ALL:
268 		case YPPROC_MATCH:
269 		case YPPROC_FIRST:
270 		case YPPROC_NEXT:
271 			goto deny;
272 		default:
273 			break;
274 		}
275 	default:
276 		break;
277 	}
278 
279 	return 1;
280 deny:
281 #ifdef LIBWRAP
282 	logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
283 	    ": indirect call not allowed");
284 #else
285 	logit(0, sa, args->rmt_proc, args->rmt_prog,
286 	    ": indirect call not allowed");
287 #endif
288 	return 0;
289 }
290