1 /* $NetBSD: security.c,v 1.5 2000/06/08 09:01:05 fvdl Exp $ */ 2 /* $FreeBSD$ */ 3 4 #include <sys/types.h> 5 #include <sys/time.h> 6 #include <sys/socket.h> 7 #include <netinet/in.h> 8 #include <arpa/inet.h> 9 #include <rpc/rpc.h> 10 #include <rpc/rpcb_prot.h> 11 #include <rpc/pmap_prot.h> 12 #include <err.h> 13 #include <stdio.h> 14 #include <stdlib.h> 15 #include <string.h> 16 #include <unistd.h> 17 #include <libutil.h> 18 #include <syslog.h> 19 #include <netdb.h> 20 21 /* 22 * XXX for special case checks in check_callit. 23 */ 24 #include <rpcsvc/mount.h> 25 #include <rpcsvc/rquota.h> 26 #include <rpcsvc/nfs_prot.h> 27 #include <rpcsvc/yp.h> 28 #include <rpcsvc/ypclnt.h> 29 #include <rpcsvc/yppasswd.h> 30 31 #include "rpcbind.h" 32 33 #ifdef LIBWRAP 34 # include <tcpd.h> 35 #ifndef LIBWRAP_ALLOW_FACILITY 36 # define LIBWRAP_ALLOW_FACILITY LOG_AUTH 37 #endif 38 #ifndef LIBWRAP_ALLOW_SEVERITY 39 # define LIBWRAP_ALLOW_SEVERITY LOG_INFO 40 #endif 41 #ifndef LIBWRAP_DENY_FACILITY 42 # define LIBWRAP_DENY_FACILITY LOG_AUTH 43 #endif 44 #ifndef LIBWRAP_DENY_SEVERITY 45 # define LIBWRAP_DENY_SEVERITY LOG_WARNING 46 #endif 47 int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY; 48 int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY; 49 #endif 50 51 #ifndef PORTMAP_LOG_FACILITY 52 # define PORTMAP_LOG_FACILITY LOG_AUTH 53 #endif 54 #ifndef PORTMAP_LOG_SEVERITY 55 # define PORTMAP_LOG_SEVERITY LOG_INFO 56 #endif 57 int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY; 58 59 extern int verboselog; 60 61 int 62 check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, int rpcbvers) 63 { 64 struct netbuf *caller = svc_getrpccaller(xprt); 65 struct sockaddr *addr = (struct sockaddr *)caller->buf; 66 #ifdef LIBWRAP 67 struct request_info req; 68 #endif 69 rpcprog_t prog = 0; 70 rpcb *rpcbp; 71 struct pmap *pmap; 72 73 /* 74 * The older PMAP_* equivalents have the same numbers, so 75 * they are accounted for here as well. 76 */ 77 switch (proc) { 78 case RPCBPROC_GETADDR: 79 case RPCBPROC_SET: 80 case RPCBPROC_UNSET: 81 if (rpcbvers > PMAPVERS) { 82 rpcbp = (rpcb *)args; 83 prog = rpcbp->r_prog; 84 } else { 85 pmap = (struct pmap *)args; 86 prog = pmap->pm_prog; 87 } 88 if (proc == RPCBPROC_GETADDR) 89 break; 90 if (!insecure && !is_loopback(caller)) { 91 if (verboselog) 92 logit(log_severity, addr, proc, prog, 93 " declined (non-loopback sender)"); 94 return 0; 95 } 96 break; 97 case RPCBPROC_CALLIT: 98 case RPCBPROC_INDIRECT: 99 case RPCBPROC_DUMP: 100 case RPCBPROC_GETTIME: 101 case RPCBPROC_UADDR2TADDR: 102 case RPCBPROC_TADDR2UADDR: 103 case RPCBPROC_GETVERSADDR: 104 case RPCBPROC_GETADDRLIST: 105 case RPCBPROC_GETSTAT: 106 default: 107 } 108 109 #ifdef LIBWRAP 110 if (addr->sa_family == AF_LOCAL) 111 return 1; 112 request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0); 113 sock_methods(&req); 114 if(!hosts_access(&req)) { 115 logit(deny_severity, addr, proc, prog, ": request from unauthorized host"); 116 return 0; 117 } 118 #endif 119 if (verboselog) 120 logit(log_severity, addr, proc, prog, ""); 121 return 1; 122 } 123 124 int 125 is_loopback(struct netbuf *nbuf) 126 { 127 struct sockaddr *addr = (struct sockaddr *)nbuf->buf; 128 struct sockaddr_in *sin; 129 #ifdef INET6 130 struct sockaddr_in6 *sin6; 131 #endif 132 133 switch (addr->sa_family) { 134 case AF_INET: 135 if (!oldstyle_local) 136 return 0; 137 sin = (struct sockaddr_in *)addr; 138 return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) && 139 (ntohs(sin->sin_port) < IPPORT_RESERVED)); 140 #ifdef INET6 141 case AF_INET6: 142 if (!oldstyle_local) 143 return 0; 144 sin6 = (struct sockaddr_in6 *)addr; 145 return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) && 146 (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED)); 147 #endif 148 case AF_LOCAL: 149 return 1; 150 default: 151 } 152 153 return 0; 154 } 155 156 157 /* logit - report events of interest via the syslog daemon */ 158 void 159 logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum, 160 const char *text) 161 { 162 const char *procname; 163 char procbuf[32]; 164 char *progname; 165 char progbuf[32]; 166 char fromname[NI_MAXHOST]; 167 struct rpcent *rpc; 168 static const char *procmap[] = { 169 /* RPCBPROC_NULL */ "null", 170 /* RPCBPROC_SET */ "set", 171 /* RPCBPROC_UNSET */ "unset", 172 /* RPCBPROC_GETADDR */ "getport/addr", 173 /* RPCBPROC_DUMP */ "dump", 174 /* RPCBPROC_CALLIT */ "callit", 175 /* RPCBPROC_GETTIME */ "gettime", 176 /* RPCBPROC_UADDR2TADDR */ "uaddr2taddr", 177 /* RPCBPROC_TADDR2UADDR */ "taddr2uaddr", 178 /* RPCBPROC_GETVERSADDR */ "getversaddr", 179 /* RPCBPROC_INDIRECT */ "indirect", 180 /* RPCBPROC_GETADDRLIST */ "getaddrlist", 181 /* RPCBPROC_GETSTAT */ "getstat" 182 }; 183 184 /* 185 * Fork off a process or the portmap daemon might hang while 186 * getrpcbynumber() or syslog() does its thing. 187 */ 188 189 if (fork() == 0) { 190 setproctitle("logit"); 191 192 /* Try to map program number to name. */ 193 194 if (prognum == 0) { 195 progname = ""; 196 } else if ((rpc = getrpcbynumber((int) prognum))) { 197 progname = rpc->r_name; 198 } else { 199 snprintf(progname = progbuf, sizeof(progbuf), "%u", 200 (unsigned)prognum); 201 } 202 203 /* Try to map procedure number to name. */ 204 205 if (procnum >= (sizeof procmap / sizeof (char *))) { 206 snprintf(procbuf, sizeof procbuf, "%u", 207 (unsigned)procnum); 208 procname = procbuf; 209 } else 210 procname = procmap[procnum]; 211 212 /* Write syslog record. */ 213 214 if (addr->sa_family == AF_LOCAL) 215 strcpy(fromname, "unix"); 216 else 217 getnameinfo(addr, addr->sa_len, fromname, 218 sizeof fromname, NULL, 0, NI_NUMERICHOST); 219 220 syslog(severity, "connect from %s to %s(%s)%s", 221 fromname, procname, progname, text); 222 _exit(0); 223 } 224 } 225 226 int 227 check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum) 228 { 229 struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf; 230 231 /* 232 * Always allow calling NULLPROC 233 */ 234 if (args->rmt_proc == 0) 235 return 1; 236 237 /* 238 * XXX - this special casing sucks. 239 */ 240 switch (args->rmt_prog) { 241 case RPCBPROG: 242 /* 243 * Allow indirect calls to ourselves in insecure mode. 244 * The is_loopback checks aren't useful then anyway. 245 */ 246 if (!insecure) 247 goto deny; 248 break; 249 case MOUNTPROG: 250 if (args->rmt_proc != MOUNTPROC_MNT && 251 args->rmt_proc != MOUNTPROC_UMNT) 252 break; 253 goto deny; 254 case YPBINDPROG: 255 if (args->rmt_proc != YPBINDPROC_SETDOM) 256 break; 257 /* FALLTHROUGH */ 258 case YPPASSWDPROG: 259 case NFS_PROGRAM: 260 case RQUOTAPROG: 261 goto deny; 262 case YPPROG: 263 switch (args->rmt_proc) { 264 case YPPROC_ALL: 265 case YPPROC_MATCH: 266 case YPPROC_FIRST: 267 case YPPROC_NEXT: 268 goto deny; 269 default: 270 } 271 default: 272 } 273 274 return 1; 275 deny: 276 #ifdef LIBWRAP 277 logit(deny_severity, sa, args->rmt_proc, args->rmt_prog, 278 ": indirect call not allowed"); 279 #else 280 logit(0, sa, args->rmt_proc, args->rmt_prog, 281 ": indirect call not allowed"); 282 #endif 283 return 0; 284 } 285