Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.

4-step pledge in a program noone really uses anymore.
pledge "stdio inet dns proc exec" at startup.
In the logging codepath, "stdio dns proc exec" after getpeername()
drop to stdio proc exec(), before fork / execve
Parent moving data out of the pipe only needs "stdio"

_exit() in the child; as a result, must use syslog() directly.

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

remove some unnecessary sys/param.h inclusions

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

Prevent a buffer underrun if a line is received which only contains
(multiple) @.

ok millert, otto

Don't shadow err(3).
Store strlen() results in a size_t.
Add __dead to both usage() and logerr().
Get rid of /* NOTREACHED */.
Get rid of extraneous _exit().
Calls err(3) on getpeername failure.

``reads well to me!'' avsm@

Incllude <sys/param.h> to get MAXHOSTNAMELEN

slight update for fingerd; sort options;

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

use socklen_t more; henning ok

KNF

minor KNF

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

When copying command line arguments to out new argument vector,
don't go past the end of the buffer. Not a security issue since
root controls the fingerd arguments. Noticed by Brian Poole.

strlcpy invades the tree

-Wall

KNF

check error result from getnameinfo.

Change fingerd back to using fgets(3), not fgetln(3). Using fgetln(3)
was a mistake since it allows an attacker to trivially drive up the
load on a machine. Of course, this can still be done with multiple
connections but there's no reason to make it easier than it needs
to be. This also simplifies the logging a bit.

logging getpeername() failures is a waste of time

typo

bad arguments? usage() should syslog()

use getnameinfo()

fowarding -> forwarding

Remove LOG_CONS from openlog() call so every darned finger connect message
doesn't go to console. Change discussed and checked with millert.

1) use fgetln for arbitrary sized lines
2) do puts("foo\r") not puts("foo\r\n") as puts adds a \n itself
3) log the command given when -l is specified, replacing \r, \n, NULL with ' '
4) with -l, log possible probes (ie: EOF) that were previously ignored

<string.h> not <strings.h>

OpenBSD tags and document assumption about finger(1) arg parsing.

#if __STDC__ --> #ifdef __STDC__

tabify

getopt(3) returns -1 when out of args, not EOF, whee!

Add -M.

Updated to 4.4BSD fingerd + Theo's @@@@ optimization and some
added options to further restrict the info given out.

add -s flag; if specified in inetd, does not allow forwarding @ requests

optimize something like "finger @@@@@@@@@@@@@cvs@@@@@@cvs@@@@@@cvs' to hit
fewer hosts. Basically, chew @ signs when possible.

branches: 1.1.1;
Initial revision

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.

4-step pledge in a program noone really uses anymore.
pledge "stdio inet dns proc exec" at startup.
In the logging codepath, "stdio dns proc exec" after getpeername()
drop to stdio proc exec(), before fork / execve
Parent moving data out of the pipe only needs "stdio"

_exit() in the child; as a result, must use syslog() directly.

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

remove some unnecessary sys/param.h inclusions

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

Prevent a buffer underrun if a line is received which only contains
(multiple) @.

ok millert, otto

Don't shadow err(3).
Store strlen() results in a size_t.
Add __dead to both usage() and logerr().
Get rid of /* NOTREACHED */.
Get rid of extraneous _exit().
Calls err(3) on getpeername failure.

``reads well to me!'' avsm@

Incllude <sys/param.h> to get MAXHOSTNAMELEN

slight update for fingerd; sort options;

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

use socklen_t more; henning ok

KNF

minor KNF

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

When copying command line arguments to out new argument vector,
don't go past the end of the buffer. Not a security issue since
root controls the fingerd arguments. Noticed by Brian Poole.

strlcpy invades the tree

-Wall

KNF

check error result from getnameinfo.

Change fingerd back to using fgets(3), not fgetln(3). Using fgetln(3)
was a mistake since it allows an attacker to trivially drive up the
load on a machine. Of course, this can still be done with multiple
connections but there's no reason to make it easier than it needs
to be. This also simplifies the logging a bit.

logging getpeername() failures is a waste of time

typo

bad arguments? usage() should syslog()

use getnameinfo()

fowarding -> forwarding

Remove LOG_CONS from openlog() call so every darned finger connect message
doesn't go to console. Change discussed and checked with millert.

1) use fgetln for arbitrary sized lines
2) do puts("foo\r") not puts("foo\r\n") as puts adds a \n itself
3) log the command given when -l is specified, replacing \r, \n, NULL with ' '
4) with -l, log possible probes (ie: EOF) that were previously ignored

<string.h> not <strings.h>

OpenBSD tags and document assumption about finger(1) arg parsing.

#if __STDC__ --> #ifdef __STDC__

tabify

getopt(3) returns -1 when out of args, not EOF, whee!

Add -M.

Updated to 4.4BSD fingerd + Theo's @@@@ optimization and some
added options to further restrict the info given out.

add -s flag; if specified in inetd, does not allow forwarding @ requests

optimize something like "finger @@@@@@@@@@@@@cvs@@@@@@cvs@@@@@@cvs' to hit
fewer hosts. Basically, chew @ signs when possible.

branches: 1.1.1;
Initial revision

Move pledge to after getopt, when the finger program becomes known
(defaults to /usr/bin/finger, but can be redefined with -P option).
Then unveil that program for "x" (execution), and pledge as before.
No other filesystem accesses occur after that point.

4-step pledge in a program noone really uses anymore.
pledge "stdio inet dns proc exec" at startup.
In the logging codepath, "stdio dns proc exec" after getpeername()
drop to stdio proc exec(), before fork / execve
Parent moving data out of the pipe only needs "stdio"

_exit() in the child; as a result, must use syslog() directly.

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

remove some unnecessary sys/param.h inclusions

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

Prevent a buffer underrun if a line is received which only contains
(multiple) @.

ok millert, otto

Don't shadow err(3).
Store strlen() results in a size_t.
Add __dead to both usage() and logerr().
Get rid of /* NOTREACHED */.
Get rid of extraneous _exit().
Calls err(3) on getpeername failure.

``reads well to me!'' avsm@

Incllude <sys/param.h> to get MAXHOSTNAMELEN

slight update for fingerd; sort options;

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

use socklen_t more; henning ok

KNF

minor KNF

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

When copying command line arguments to out new argument vector,
don't go past the end of the buffer. Not a security issue since
root controls the fingerd arguments. Noticed by Brian Poole.

strlcpy invades the tree

-Wall

KNF

check error result from getnameinfo.

Change fingerd back to using fgets(3), not fgetln(3). Using fgetln(3)
was a mistake since it allows an attacker to trivially drive up the
load on a machine. Of course, this can still be done with multiple
connections but there's no reason to make it easier than it needs
to be. This also simplifies the logging a bit.

logging getpeername() failures is a waste of time

typo

bad arguments? usage() should syslog()

use getnameinfo()

fowarding -> forwarding

Remove LOG_CONS from openlog() call so every darned finger connect message
doesn't go to console. Change discussed and checked with millert.

1) use fgetln for arbitrary sized lines
2) do puts("foo\r") not puts("foo\r\n") as puts adds a \n itself
3) log the command given when -l is specified, replacing \r, \n, NULL with ' '
4) with -l, log possible probes (ie: EOF) that were previously ignored

<string.h> not <strings.h>

OpenBSD tags and document assumption about finger(1) arg parsing.

#if __STDC__ --> #ifdef __STDC__

tabify

getopt(3) returns -1 when out of args, not EOF, whee!

Add -M.

Updated to 4.4BSD fingerd + Theo's @@@@ optimization and some
added options to further restrict the info given out.

add -s flag; if specified in inetd, does not allow forwarding @ requests

optimize something like "finger @@@@@@@@@@@@@cvs@@@@@@cvs@@@@@@cvs' to hit
fewer hosts. Basically, chew @ signs when possible.

branches: 1.1.1;
Initial revision

4-step pledge in a program noone really uses anymore.
pledge "stdio inet dns proc exec" at startup.
In the logging codepath, "stdio dns proc exec" after getpeername()
drop to stdio proc exec(), before fork / execve
Parent moving data out of the pipe only needs "stdio"

_exit() in the child; as a result, must use syslog() directly.

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

remove some unnecessary sys/param.h inclusions

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

Prevent a buffer underrun if a line is received which only contains
(multiple) @.

ok millert, otto

Don't shadow err(3).
Store strlen() results in a size_t.
Add __dead to both usage() and logerr().
Get rid of /* NOTREACHED */.
Get rid of extraneous _exit().
Calls err(3) on getpeername failure.

``reads well to me!'' avsm@

Incllude <sys/param.h> to get MAXHOSTNAMELEN

slight update for fingerd; sort options;

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

use socklen_t more; henning ok

KNF

minor KNF

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

When copying command line arguments to out new argument vector,
don't go past the end of the buffer. Not a security issue since
root controls the fingerd arguments. Noticed by Brian Poole.

strlcpy invades the tree

-Wall

KNF

check error result from getnameinfo.

Change fingerd back to using fgets(3), not fgetln(3). Using fgetln(3)
was a mistake since it allows an attacker to trivially drive up the
load on a machine. Of course, this can still be done with multiple
connections but there's no reason to make it easier than it needs
to be. This also simplifies the logging a bit.

logging getpeername() failures is a waste of time

typo

bad arguments? usage() should syslog()

use getnameinfo()

fowarding -> forwarding

Remove LOG_CONS from openlog() call so every darned finger connect message
doesn't go to console. Change discussed and checked with millert.

1) use fgetln for arbitrary sized lines
2) do puts("foo\r") not puts("foo\r\n") as puts adds a \n itself
3) log the command given when -l is specified, replacing \r, \n, NULL with ' '
4) with -l, log possible probes (ie: EOF) that were previously ignored

<string.h> not <strings.h>

OpenBSD tags and document assumption about finger(1) arg parsing.

#if __STDC__ --> #ifdef __STDC__

tabify

getopt(3) returns -1 when out of args, not EOF, whee!

Add -M.

Updated to 4.4BSD fingerd + Theo's @@@@ optimization and some
added options to further restrict the info given out.

add -s flag; if specified in inetd, does not allow forwarding @ requests

optimize something like "finger @@@@@@@@@@@@@cvs@@@@@@cvs@@@@@@cvs' to hit
fewer hosts. Basically, chew @ signs when possible.

branches: 1.1.1;
Initial revision