1/* $NetBSD: rcmd.c,v 1.73 2024/01/20 14:52:48 christos Exp $ */ 2 3/* 4 * Copyright (c) 1983, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33#if defined(LIBC_SCCS) && !defined(lint) 34#if 0 35static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94"; 36#else 37__RCSID("$NetBSD: rcmd.c,v 1.73 2024/01/20 14:52:48 christos Exp $"); 38#endif 39#endif /* LIBC_SCCS and not lint */ 40 41#ifdef _LIBC 42#include "namespace.h" 43#endif 44#include <sys/param.h> 45#include <sys/socket.h> 46#include <sys/stat.h> 47#include <sys/poll.h> 48#include <sys/wait.h> 49 50#include <netinet/in.h> 51#include <rpc/rpc.h> 52#include <arpa/inet.h> 53#include <netgroup.h> 54 55#include <assert.h> 56#include <ctype.h> 57#include <err.h> 58#include <errno.h> 59#include <fcntl.h> 60#include <grp.h> 61#include <netdb.h> 62#include <paths.h> 63#include <pwd.h> 64#include <signal.h> 65#include <stdio.h> 66#include <stdlib.h> 67#include <string.h> 68#include <syslog.h> 69#include <unistd.h> 70 71#include "pathnames.h" 72 73int orcmd(char **, u_int, const char *, const char *, const char *, int *); 74int orcmd_af(char **, u_int, const char *, const char *, const char *, 75 int *, int); 76int __ivaliduser(FILE *, u_int32_t, const char *, const char *); 77int __ivaliduser_sa(FILE *, const struct sockaddr *, socklen_t, 78 const char *, const char *); 79static int rshrcmd(int, char **, u_int32_t, const char *, 80 const char *, const char *, int *, const char *); 81static int resrcmd(struct addrinfo *, char **, u_int32_t, const char *, 82 const char *, const char *, int *); 83static int __icheckhost(const struct sockaddr *, socklen_t, 84 const char *); 85static char *__gethostloop(const struct sockaddr *, socklen_t); 86 87int 88rcmd(char **ahost, int rport, const char *locuser, const char *remuser, 89 const char *cmd, int *fd2p) 90{ 91 92 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 93} 94 95int 96rcmd_af(char **ahost, int rport, const char *locuser, const char *remuser, 97 const char *cmd, int *fd2p, int af) 98{ 99 static char hbuf[MAXHOSTNAMELEN]; 100 char pbuf[NI_MAXSERV]; 101 struct addrinfo hints, *res; 102 int error; 103 struct servent *sp; 104 105 _DIAGASSERT(ahost != NULL); 106 _DIAGASSERT(locuser != NULL); 107 _DIAGASSERT(remuser != NULL); 108 _DIAGASSERT(cmd != NULL); 109 /* fd2p may be NULL */ 110 111 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 112 memset(&hints, 0, sizeof(hints)); 113 hints.ai_family = af; 114 hints.ai_socktype = SOCK_STREAM; 115 hints.ai_flags = AI_CANONNAME; 116 error = getaddrinfo(*ahost, pbuf, &hints, &res); 117 if (error) { 118 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 119 return -1; 120 } 121 if (res->ai_canonname) { 122 /* 123 * Canonicalise hostname. 124 * XXX: Should we really do this? 125 */ 126 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 127 *ahost = hbuf; 128 } 129 130 /* 131 * Check if rport is the same as the shell port, and that the fd2p. If 132 * it is not, the program isn't expecting 'rsh' and so we can't use the 133 * RCMD_CMD environment. 134 */ 135 sp = getservbyname("shell", "tcp"); 136 if (sp != NULL && sp->s_port == rport) 137 error = rshrcmd(af, ahost, (u_int32_t)rport, 138 locuser, remuser, cmd, fd2p, getenv("RCMD_CMD")); 139 else 140 error = resrcmd(res, ahost, (u_int32_t)rport, 141 locuser, remuser, cmd, fd2p); 142 freeaddrinfo(res); 143 return error; 144} 145 146/* this is simply a wrapper around hprcmd() that handles ahost first */ 147int 148orcmd(char **ahost, u_int rport, const char *locuser, const char *remuser, 149 const char *cmd, int *fd2p) 150{ 151 return orcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET); 152} 153 154int 155orcmd_af(char **ahost, u_int rport, const char *locuser, const char *remuser, 156 const char *cmd, int *fd2p, int af) 157{ 158 static char hbuf[MAXHOSTNAMELEN]; 159 char pbuf[NI_MAXSERV]; 160 struct addrinfo hints, *res; 161 int error; 162 163 _DIAGASSERT(ahost != NULL); 164 _DIAGASSERT(locuser != NULL); 165 _DIAGASSERT(remuser != NULL); 166 _DIAGASSERT(cmd != NULL); 167 /* fd2p may be NULL */ 168 169 snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport)); 170 memset(&hints, 0, sizeof(hints)); 171 hints.ai_family = af; 172 hints.ai_socktype = SOCK_STREAM; 173 hints.ai_flags = AI_CANONNAME; 174 error = getaddrinfo(*ahost, pbuf, &hints, &res); 175 if (error) { 176 warnx("%s: %s", *ahost, gai_strerror(error)); /*XXX*/ 177 return -1; 178 } 179 if (res->ai_canonname) { 180 strlcpy(hbuf, res->ai_canonname, sizeof(hbuf)); 181 *ahost = hbuf; 182 } 183 184 error = resrcmd(res, ahost, rport, locuser, remuser, cmd, fd2p); 185 freeaddrinfo(res); 186 return error; 187} 188 189/*ARGSUSED*/ 190static int 191resrcmd(struct addrinfo *res, char **ahost, u_int32_t rport, 192 const char *locuser, const char *remuser, const char *cmd, int *fd2p) 193{ 194 struct addrinfo *r; 195 struct sockaddr_storage from; 196 struct pollfd reads[2]; 197 sigset_t nmask, omask; 198 pid_t pid; 199 int s, lport, timo; 200 int pollr; 201 char c; 202 int refused; 203 204 _DIAGASSERT(res != NULL); 205 _DIAGASSERT(ahost != NULL); 206 _DIAGASSERT(locuser != NULL); 207 _DIAGASSERT(remuser != NULL); 208 _DIAGASSERT(cmd != NULL); 209 /* fd2p may be NULL */ 210 211 r = res; 212 refused = 0; 213 pid = getpid(); 214 sigemptyset(&nmask); 215 sigaddset(&nmask, SIGURG); 216 if (sigprocmask(SIG_BLOCK, &nmask, &omask) == -1) 217 return -1; 218 for (timo = 1, lport = IPPORT_RESERVED - 1;;) { 219 s = rresvport_af(&lport, r->ai_family); 220 if (s < 0) { 221 if (errno == EAGAIN) 222 warnx("rcmd: socket: All ports in use"); 223 else 224 warn("rcmd: socket"); 225 if (r->ai_next) { 226 r = r->ai_next; 227 continue; 228 } else { 229 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 230 return -1; 231 } 232 } 233 fcntl(s, F_SETOWN, pid); 234 if (connect(s, r->ai_addr, r->ai_addrlen) >= 0) 235 break; 236 (void)close(s); 237 if (errno == EADDRINUSE) { 238 lport--; 239 continue; 240 } else if (errno == ECONNREFUSED) 241 refused++; 242 if (r->ai_next) { 243 int oerrno = errno; 244 char hbuf[NI_MAXHOST]; 245 const int niflags = NI_NUMERICHOST; 246 247 hbuf[0] = '\0'; 248 if (getnameinfo(r->ai_addr, r->ai_addrlen, 249 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) != 250 0) 251 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 252 errno = oerrno; 253 warn("rcmd: connect to address %s", hbuf); 254 r = r->ai_next; 255 hbuf[0] = '\0'; 256 if (getnameinfo(r->ai_addr, r->ai_addrlen, 257 hbuf, (socklen_t)sizeof(hbuf), NULL, 0, niflags) != 258 0) 259 strlcpy(hbuf, "(invalid)", sizeof(hbuf)); 260 (void)fprintf(stderr, "Trying %s...\n", hbuf); 261 continue; 262 } 263 if (refused && timo <= 16) { 264 (void)sleep((unsigned int)timo); 265 timo *= 2; 266 r = res; 267 refused = 0; 268 continue; 269 } 270 (void)fprintf(stderr, "%s: %s\n", res->ai_canonname, 271 strerror(errno)); 272 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 273 return -1; 274 } 275 lport--; 276 if (fd2p == 0) { 277 write(s, "", 1); 278 lport = 0; 279 } else { 280 char num[8]; 281 int s2 = rresvport_af(&lport, r->ai_family), s3; 282 socklen_t len = sizeof(from); 283 284 if (s2 < 0) 285 goto bad; 286 listen(s2, 1); 287 (void)snprintf(num, sizeof(num), "%d", lport); 288 if (write(s, num, strlen(num) + 1) != 289 (ssize_t) (strlen(num) + 1)) { 290 warn("rcmd: write (setting up stderr)"); 291 (void)close(s2); 292 goto bad; 293 } 294 reads[0].fd = s; 295 reads[0].events = POLLIN; 296 reads[1].fd = s2; 297 reads[1].events = POLLIN; 298 errno = 0; 299 pollr = poll(reads, 2, INFTIM); 300 if (pollr < 1 || (reads[1].revents & POLLIN) == 0) { 301 if (errno != 0) 302 warn("poll: setting up stderr"); 303 else 304 warnx( 305 "poll: protocol failure in circuit setup"); 306 (void)close(s2); 307 goto bad; 308 } 309 s3 = accept(s2, (struct sockaddr *)(void *)&from, &len); 310 (void)close(s2); 311 if (s3 < 0) { 312 warn("rcmd: accept"); 313 lport = 0; 314 goto bad; 315 } 316 *fd2p = s3; 317 switch (((struct sockaddr *)(void *)&from)->sa_family) { 318 case AF_INET: 319#ifdef INET6 320 case AF_INET6: 321#endif 322 if (getnameinfo((struct sockaddr *)(void *)&from, len, 323 NULL, 0, num, (socklen_t)sizeof(num), 324 NI_NUMERICSERV) != 0 || 325 (atoi(num) >= IPPORT_RESERVED || 326 atoi(num) < IPPORT_RESERVED / 2)) { 327 warnx( 328 "rcmd: protocol failure in circuit setup."); 329 goto bad2; 330 } 331 break; 332 default: 333 break; 334 } 335 } 336 337 (void)write(s, locuser, strlen(locuser)+1); 338 (void)write(s, remuser, strlen(remuser)+1); 339 (void)write(s, cmd, strlen(cmd)+1); 340 if (read(s, &c, 1) != 1) { 341 warn("%s", *ahost); 342 goto bad2; 343 } 344 if (c != 0) { 345 while (read(s, &c, 1) == 1) { 346 (void)write(STDERR_FILENO, &c, 1); 347 if (c == '\n') 348 break; 349 } 350 goto bad2; 351 } 352 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 353 return s; 354bad2: 355 if (lport) 356 (void)close(*fd2p); 357bad: 358 (void)close(s); 359 (void)sigprocmask(SIG_SETMASK, &omask, NULL); 360 return -1; 361} 362 363/* 364 * based on code written by Chris Siebenmann <cks@utcc.utoronto.ca> 365 */ 366/* ARGSUSED */ 367static int 368rshrcmd(int af, char **ahost, u_int32_t rport, const char *locuser, 369 const char *remuser, const char *cmd, int *fd2p, const char *rshcmd) 370{ 371 pid_t pid; 372 int sp[2], ep[2]; 373 const char *p; 374 struct passwd *pw, pwres; 375 char pwbuf[1024]; 376 377 _DIAGASSERT(ahost != NULL); 378 _DIAGASSERT(locuser != NULL); 379 _DIAGASSERT(remuser != NULL); 380 _DIAGASSERT(cmd != NULL); 381 /* fd2p may be NULL */ 382 383 /* What rsh/shell to use. */ 384 if (rshcmd == NULL) 385 rshcmd = _PATH_BIN_RCMD; 386 387 /* locuser must exist on this host. */ 388 if (getpwnam_r(locuser, &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || 389 pw == NULL) { 390 warnx("%s: unknown user: %s", __func__, locuser); 391 return -1; 392 } 393 394 /* get a socketpair we'll use for stdin and stdout. */ 395 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sp) < 0) { 396 warn("%s: socketpair", __func__); 397 return -1; 398 } 399 /* we will use this for the fd2 pointer */ 400 if (fd2p) { 401 if (socketpair(AF_LOCAL, SOCK_STREAM, 0, ep) < 0) { 402 warn("%s: socketpair", __func__); 403 return -1; 404 } 405 *fd2p = ep[0]; 406 } 407 408 pid = fork(); 409 if (pid < 0) { 410 warn("%s: fork", __func__); 411 return -1; 412 } 413 if (pid == 0) { 414 /* 415 * child 416 * - we use sp[1] to be stdin/stdout, and close sp[0] 417 * - with fd2p, we use ep[1] for stderr, and close ep[0] 418 */ 419 (void)close(sp[0]); 420 if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) { 421 warn("%s: dup2", __func__); 422 _exit(1); 423 } 424 (void)close(sp[1]); 425 if (fd2p) { 426 if (dup2(ep[1], 2) < 0) { 427 warn("%s: dup2", __func__); 428 _exit(1); 429 } 430 (void)close(ep[0]); 431 (void)close(ep[1]); 432 } else if (dup2(0, 2) < 0) { 433 warn("%s: dup2", __func__); 434 _exit(1); 435 } 436 /* fork again to lose parent. */ 437 pid = fork(); 438 if (pid < 0) { 439 warn("%s: second fork", __func__); 440 _exit(1); 441 } 442 if (pid > 0) 443 _exit(0); 444 445 /* Orphan. Become local user for rshprog. */ 446 if (setuid(pw->pw_uid)) { 447 warn("%s: setuid(%lu)", __func__, (u_long)pw->pw_uid); 448 _exit(1); 449 } 450 451 /* 452 * If we are rcmd'ing to "localhost" as the same user as we 453 * are, then avoid running remote shell for efficiency. 454 */ 455 if (strcmp(*ahost, "localhost") == 0 && 456 strcmp(locuser, remuser) == 0) { 457 if (pw->pw_shell[0] == '\0') 458 rshcmd = _PATH_BSHELL; 459 else 460 rshcmd = pw->pw_shell; 461 p = strrchr(rshcmd, '/'); 462 execlp(rshcmd, p ? p + 1 : rshcmd, "-c", cmd, NULL); 463 } else { 464 const char *program; 465 program = strrchr(rshcmd, '/'); 466 program = program ? program + 1 : rshcmd; 467 if (fd2p) 468 /* ask rcmd to relay signal information */ 469 setenv("RCMD_RELAY_SIGNAL", "YES", 1); 470 switch (af) { 471 case AF_INET: 472 execlp(rshcmd, program, "-4", "-l", remuser, 473 *ahost, cmd, NULL); 474 break; 475 476 case AF_INET6: 477 execlp(rshcmd, program, "-6", "-l", remuser, 478 *ahost, cmd, NULL); 479 break; 480 481 default: 482 /* typically AF_UNSPEC, plus whatever */ 483 execlp(rshcmd, program, "-l", remuser, 484 *ahost, cmd, NULL); 485 break; 486 } 487 } 488 warn("%s: exec %s", __func__, rshcmd); 489 _exit(1); 490 } 491 /* Parent */ 492 (void)close(sp[1]); 493 if (fd2p) 494 (void)close(ep[1]); 495 496 (void)waitpid(pid, NULL, 0); 497 return sp[0]; 498} 499 500int 501rresvport(int *alport) 502{ 503 504 _DIAGASSERT(alport != NULL); 505 506 return rresvport_af(alport, AF_INET); 507} 508 509int 510rresvport_af(int *alport, int family) 511{ 512 return rresvport_af_addr(alport, family, NULL); 513} 514 515int 516rresvport_af_addr(int *alport, int family, void *addr) 517{ 518 struct sockaddr_storage ss; 519 struct sockaddr *sa; 520 socklen_t salen; 521 int s; 522 u_int16_t *portp; 523 524 _DIAGASSERT(alport != NULL); 525 526 memset(&ss, 0, sizeof(ss)); 527 sa = (struct sockaddr *)(void *)&ss; 528 switch (family) { 529 case AF_INET: 530#ifdef BSD4_4 531 sa->sa_len = 532#endif 533 salen = sizeof(struct sockaddr_in); 534 if (addr) 535 ((struct sockaddr_in *)(void *)sa)->sin_addr = 536 ((struct sockaddr_in *)addr)->sin_addr; 537 portp = &((struct sockaddr_in *)(void *)sa)->sin_port; 538 break; 539#ifdef INET6 540 case AF_INET6: 541#ifdef BSD4_4 542 sa->sa_len = 543#endif 544 salen = sizeof(struct sockaddr_in6); 545 if (addr) 546 ((struct sockaddr_in6 *)(void *)sa)->sin6_addr = 547 ((struct sockaddr_in6 *)addr)->sin6_addr; 548 portp = &((struct sockaddr_in6 *)(void *)sa)->sin6_port; 549 break; 550#endif 551 default: 552 errno = EAFNOSUPPORT; 553 return -1; 554 } 555 sa->sa_family = family; 556 s = socket(family, SOCK_STREAM, 0); 557 if (s < 0) 558 return -1; 559#ifdef BSD4_4 560 switch (family) { 561 case AF_INET: 562 case AF_INET6: 563 *portp = 0; 564 if (bindresvport(s, (struct sockaddr_in *)(void *)sa) < 0) { 565 int sverr = errno; 566 567 (void)close(s); 568 errno = sverr; 569 return -1; 570 } 571 *alport = (int)ntohs(*portp); 572 return s; 573 default: 574 /* is it necessary to try keep code for other AFs? */ 575 break; 576 } 577#endif 578 for (;;) { 579 *portp = htons((u_short)*alport); 580 if (bind(s, sa, salen) >= 0) 581 return s; 582 if (errno != EADDRINUSE) { 583 (void)close(s); 584 return -1; 585 } 586 (*alport)--; 587 if (*alport == IPPORT_RESERVED/2) { 588 (void)close(s); 589 errno = EAGAIN; /* close */ 590 return -1; 591 } 592 } 593} 594 595int __check_rhosts_file = 1; 596const char *__rcmd_errstr; 597 598int 599ruserok(const char *rhost, int superuser, const char *ruser, const char *luser) 600{ 601 struct addrinfo hints, *res, *r; 602 int error; 603 604 _DIAGASSERT(rhost != NULL); 605 _DIAGASSERT(ruser != NULL); 606 _DIAGASSERT(luser != NULL); 607 608 memset(&hints, 0, sizeof(hints)); 609 hints.ai_family = PF_UNSPEC; 610 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 611 error = getaddrinfo(rhost, "0", &hints, &res); 612 if (error) 613 return -1; 614 615 for (r = res; r; r = r->ai_next) { 616 if (iruserok_sa(r->ai_addr, (int)r->ai_addrlen, superuser, 617 ruser, luser) == 0) { 618 freeaddrinfo(res); 619 return 0; 620 } 621 } 622 freeaddrinfo(res); 623 return -1; 624} 625 626/* 627 * New .rhosts strategy: We are passed an ip address. We spin through 628 * hosts.equiv and .rhosts looking for a match. When the .rhosts only 629 * has ip addresses, we don't have to trust a nameserver. When it 630 * contains hostnames, we spin through the list of addresses the nameserver 631 * gives us and look for a match. 632 * 633 * Returns 0 if ok, -1 if not ok. 634 */ 635int 636iruserok(u_int32_t raddr, int superuser, const char *ruser, const char *luser) 637{ 638 struct sockaddr_in irsin; 639 640 memset(&irsin, 0, sizeof(irsin)); 641 irsin.sin_family = AF_INET; 642#ifdef BSD4_4 643 irsin.sin_len = sizeof(irsin); 644#endif 645 memcpy(&irsin.sin_addr, &raddr, sizeof(irsin.sin_addr)); 646 return iruserok_sa(&irsin, (socklen_t)sizeof(irsin), superuser, ruser, 647 luser); 648} 649 650/* 651 * 2nd and 3rd arguments are typed like this, to avoid dependency between 652 * unistd.h and sys/socket.h. There's no better way. 653 */ 654int 655iruserok_sa(const void *raddr, int rlen, int superuser, const char *ruser, 656 const char *luser) 657{ 658 const struct sockaddr *sa; 659 struct stat sbuf; 660 struct passwd *pwd, pwres; 661 FILE *hostf; 662 uid_t uid; 663 gid_t gid; 664 int isvaliduser; 665 char pbuf[MAXPATHLEN]; 666 char pwbuf[1024]; 667 668 _DIAGASSERT(raddr != NULL); 669 _DIAGASSERT(ruser != NULL); 670 _DIAGASSERT(luser != NULL); 671 672 sa = raddr; 673 674 __rcmd_errstr = NULL; 675 676 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "re"); 677 678 if (hostf) { 679 if (__ivaliduser_sa(hostf, sa, (socklen_t)rlen, luser, 680 ruser) == 0) { 681 (void)fclose(hostf); 682 return 0; 683 } 684 (void)fclose(hostf); 685 } 686 687 isvaliduser = -1; 688 if (__check_rhosts_file || superuser) { 689 690 if (getpwnam_r(luser, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 691 || pwd == NULL) 692 return -1; 693 (void)strlcpy(pbuf, pwd->pw_dir, sizeof(pbuf)); 694 (void)strlcat(pbuf, "/.rhosts", sizeof(pbuf)); 695 696 /* 697 * Change effective uid while opening and reading .rhosts. 698 * If root and reading an NFS mounted file system, can't 699 * read files that are protected read/write owner only. 700 */ 701 uid = geteuid(); 702 gid = getegid(); 703 (void)setegid(pwd->pw_gid); 704 (void)initgroups(pwd->pw_name, pwd->pw_gid); 705 (void)seteuid(pwd->pw_uid); 706 hostf = fopen(pbuf, "re"); 707 708 if (hostf != NULL) { 709 /* 710 * If not a regular file, or is owned by someone other 711 * than user or root or if writable by anyone but the 712 * owner, quit. 713 */ 714 if (lstat(pbuf, &sbuf) < 0) 715 __rcmd_errstr = ".rhosts lstat failed"; 716 else if (!S_ISREG(sbuf.st_mode)) 717 __rcmd_errstr = ".rhosts not regular file"; 718 else if (fstat(fileno(hostf), &sbuf) < 0) 719 __rcmd_errstr = ".rhosts fstat failed"; 720 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) 721 __rcmd_errstr = "bad .rhosts owner"; 722 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH)) 723 __rcmd_errstr = 724 ".rhosts writable by other than owner"; 725 else 726 isvaliduser = 727 __ivaliduser_sa(hostf, sa, (socklen_t)rlen, 728 luser, ruser); 729 730 (void)fclose(hostf); 731 } 732 (void)seteuid(uid); 733 (void)setegid(gid); 734 735 } 736 return isvaliduser; 737} 738 739/* 740 * XXX 741 * Don't make static, used by lpd(8). We will be able to change the function 742 * into static function, when we bump libc major #. 743 * 744 * Returns 0 if ok, -1 if not ok. 745 */ 746#ifdef notdef /*_LIBC*/ 747static 748#endif 749int 750__ivaliduser(FILE *hostf, u_int32_t raddr, const char *luser, 751 const char *ruser) 752{ 753 struct sockaddr_in ivusin; 754 755 memset(&ivusin, 0, sizeof(ivusin)); 756 ivusin.sin_family = AF_INET; 757#ifdef BSD4_4 758 ivusin.sin_len = sizeof(ivusin); 759#endif 760 memcpy(&ivusin.sin_addr, &raddr, sizeof(ivusin.sin_addr)); 761 return __ivaliduser_sa(hostf, (struct sockaddr *)(void *)&ivusin, 762 (socklen_t)sizeof(ivusin), luser, ruser); 763} 764 765#ifdef notdef /*_LIBC*/ 766static 767#endif 768int 769__ivaliduser_sa(FILE *hostf, const struct sockaddr *raddr, socklen_t salen, 770 const char *luser, const char *ruser) 771{ 772 char *user, *p; 773 int ch; 774 char buf[MAXHOSTNAMELEN + 128]; /* host + login */ 775 const char *auser, *ahost; 776 int hostok, userok; 777 char *rhost = NULL; 778 int firsttime = 1; 779 char domain[MAXHOSTNAMELEN]; 780 781 getdomainname(domain, sizeof(domain)); 782 783 _DIAGASSERT(hostf != NULL); 784 _DIAGASSERT(luser != NULL); 785 _DIAGASSERT(ruser != NULL); 786 787 while (fgets(buf, (int)sizeof(buf), hostf)) { 788 p = buf; 789 /* Skip lines that are too long. */ 790 if (strchr(p, '\n') == NULL) { 791 while ((ch = getc(hostf)) != '\n' && ch != EOF) 792 ; 793 continue; 794 } 795 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { 796 *p = isupper((unsigned char)*p) ? 797 tolower((unsigned char)*p) : *p; 798 p++; 799 } 800 if (*p == ' ' || *p == '\t') { 801 *p++ = '\0'; 802 while (*p == ' ' || *p == '\t') 803 p++; 804 user = p; 805 while (*p != '\n' && *p != ' ' && 806 *p != '\t' && *p != '\0') 807 p++; 808 } else 809 user = p; 810 *p = '\0'; 811 812 if (p == buf) 813 continue; 814 815 auser = *user ? user : luser; 816 ahost = buf; 817 818 if (ahost[0] == '+') 819 switch (ahost[1]) { 820 case '\0': 821 hostok = 1; 822 break; 823 824 case '@': 825 if (firsttime) { 826 rhost = __gethostloop(raddr, salen); 827 firsttime = 0; 828 } 829 if (rhost) 830 hostok = innetgr(&ahost[2], rhost, 831 NULL, domain); 832 else 833 hostok = 0; 834 break; 835 836 default: 837 hostok = __icheckhost(raddr, salen, &ahost[1]); 838 break; 839 } 840 else if (ahost[0] == '-') 841 switch (ahost[1]) { 842 case '\0': 843 hostok = -1; 844 break; 845 846 case '@': 847 if (firsttime) { 848 rhost = __gethostloop(raddr, salen); 849 firsttime = 0; 850 } 851 if (rhost) 852 hostok = -innetgr(&ahost[2], rhost, 853 NULL, domain); 854 else 855 hostok = 0; 856 break; 857 858 default: 859 hostok = 860 -__icheckhost(raddr, salen, &ahost[1]); 861 break; 862 } 863 else 864 hostok = __icheckhost(raddr, salen, ahost); 865 866 867 if (auser[0] == '+') 868 switch (auser[1]) { 869 case '\0': 870 userok = 1; 871 break; 872 873 case '@': 874 userok = innetgr(&auser[2], NULL, ruser, 875 domain); 876 break; 877 878 default: 879 userok = strcmp(ruser, &auser[1]) == 0; 880 break; 881 } 882 else if (auser[0] == '-') 883 switch (auser[1]) { 884 case '\0': 885 userok = -1; 886 break; 887 888 case '@': 889 userok = -innetgr(&auser[2], NULL, ruser, 890 domain); 891 break; 892 893 default: 894 userok = 895 -(strcmp(ruser, &auser[1]) == 0 ? 1 : 0); 896 break; 897 } 898 else 899 userok = strcmp(ruser, auser) == 0; 900 901 /* Check if one component did not match */ 902 if (hostok == 0 || userok == 0) 903 continue; 904 905 /* Check if we got a forbidden pair */ 906 if (userok == -1 || hostok == -1) 907 return -1; 908 909 /* Check if we got a valid pair */ 910 if (hostok == 1 && userok == 1) 911 return 0; 912 } 913 return -1; 914} 915 916/* 917 * Returns "true" if match, 0 if no match. 918 */ 919static int 920__icheckhost(const struct sockaddr *raddr, socklen_t salen, const char *lhost) 921{ 922 struct addrinfo hints, *res, *r; 923 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 924 int error; 925 const int niflags = NI_NUMERICHOST; 926 927 _DIAGASSERT(raddr != NULL); 928 _DIAGASSERT(lhost != NULL); 929 930 h1[0] = '\0'; 931 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0, 932 niflags) != 0) 933 return 0; 934 935 /* Resolve laddr into sockaddr */ 936 memset(&hints, 0, sizeof(hints)); 937 hints.ai_family = raddr->sa_family; 938 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 939 res = NULL; 940 error = getaddrinfo(lhost, "0", &hints, &res); 941 if (error) 942 return 0; 943 944 /* 945 * Try string comparisons between raddr and laddr. 946 */ 947 for (r = res; r; r = r->ai_next) { 948 h2[0] = '\0'; 949 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, 950 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0) 951 continue; 952 if (strcmp(h1, h2) == 0) { 953 freeaddrinfo(res); 954 return 1; 955 } 956 } 957 958 /* No match. */ 959 freeaddrinfo(res); 960 return 0; 961} 962 963/* 964 * Return the hostname associated with the supplied address. 965 * Do a reverse lookup as well for security. If a loop cannot 966 * be found, pack the numeric IP address into the string. 967 */ 968static char * 969__gethostloop(const struct sockaddr *raddr, socklen_t salen) 970{ 971 static char remotehost[NI_MAXHOST]; 972 char h1[NI_MAXHOST], h2[NI_MAXHOST]; 973 struct addrinfo hints, *res, *r; 974 int error; 975 const int niflags = NI_NUMERICHOST; 976 977 _DIAGASSERT(raddr != NULL); 978 979 h1[0] = remotehost[0] = '\0'; 980 if (getnameinfo(raddr, salen, remotehost, (socklen_t)sizeof(remotehost), 981 NULL, 0, NI_NAMEREQD) != 0) 982 return NULL; 983 if (getnameinfo(raddr, salen, h1, (socklen_t)sizeof(h1), NULL, 0, 984 niflags) != 0) 985 return NULL; 986 987 /* 988 * Look up the name and check that the supplied 989 * address is in the list 990 */ 991 memset(&hints, 0, sizeof(hints)); 992 hints.ai_family = raddr->sa_family; 993 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 994 hints.ai_flags = AI_CANONNAME; 995 res = NULL; 996 error = getaddrinfo(remotehost, "0", &hints, &res); 997 if (error) 998 return NULL; 999 1000 for (r = res; r; r = r->ai_next) { 1001 h2[0] = '\0'; 1002 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, 1003 (socklen_t)sizeof(h2), NULL, 0, niflags) != 0) 1004 continue; 1005 if (strcmp(h1, h2) == 0) { 1006 freeaddrinfo(res); 1007 return remotehost; 1008 } 1009 } 1010 1011 /* 1012 * either the DNS administrator has made a configuration 1013 * mistake, or someone has attempted to spoof us 1014 */ 1015 syslog(LOG_NOTICE, "rcmd: address %s not listed for host %s", 1016 h1, res->ai_canonname ? res->ai_canonname : remotehost); 1017 freeaddrinfo(res); 1018 return NULL; 1019} 1020