diff options
author | lidl <lidl@FreeBSD.org> | 2016-06-03 06:58:20 +0000 |
---|---|---|
committer | lidl <lidl@FreeBSD.org> | 2016-06-03 06:58:20 +0000 |
commit | 52b1d47596621575c6aa62c549fb6582623364c5 (patch) | |
tree | c75f76f9c4eb21cfb0ad0b2fa33c885d737920d6 | |
parent | a9d9ad7238cfeb2e22d3703a810d2234d89b8f5d (diff) | |
download | FreeBSD-src-52b1d47596621575c6aa62c549fb6582623364c5.zip FreeBSD-src-52b1d47596621575c6aa62c549fb6582623364c5.tar.gz |
Add blacklist support to rshd
Reviewed by: rpaulo
Approved by: rpaulo
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6594
-rw-r--r-- | libexec/rshd/Makefile | 9 | ||||
-rw-r--r-- | libexec/rshd/rshd.c | 34 |
2 files changed, 42 insertions, 1 deletions
diff --git a/libexec/rshd/Makefile b/libexec/rshd/Makefile index 498b699..924f2ef 100644 --- a/libexec/rshd/Makefile +++ b/libexec/rshd/Makefile @@ -2,6 +2,9 @@ # $FreeBSD$ PACKAGE=rcmds + +.include <src.opts.mk> + PROG= rshd MAN= rshd.8 @@ -12,4 +15,10 @@ WFORMAT=0 LIBADD= util pam +.if ${MK_BLACKLIST_SUPPORT} != "no" +CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include +LIBADD+= blacklist +LDFLAGS+=-L${LIBBLACKLISTDIR} +.endif + .include <bsd.prog.mk> diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c index b315040..1ab8a54 100644 --- a/libexec/rshd/rshd.c +++ b/libexec/rshd/rshd.c @@ -88,6 +88,10 @@ __FBSDID("$FreeBSD$"); #include <security/openpam.h> #include <sys/wait.h> +#ifdef USE_BLACKLIST +#include <blacklist.h> +#endif + static struct pam_conv pamc = { openpam_nullconv, NULL }; static pam_handle_t *pamh; static int pam_err; @@ -252,6 +256,9 @@ doit(struct sockaddr *fromp) "connection from %s on illegal port %u", numericname, srcport); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "illegal port"); +#endif exit(1); } @@ -285,6 +292,9 @@ doit(struct sockaddr *fromp) "2nd socket from %s on unreserved port %u", numericname, port); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "unreserved port"); +#endif exit(1); } *((in_port_t *)&fromp->sa_data) = htons(port); @@ -309,6 +319,9 @@ doit(struct sockaddr *fromp) if (pam_err != PAM_SUCCESS) { syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s", pam_strerror(pamh, pam_err)); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "login incorrect"); +#endif rshd_errx(1, "Login incorrect."); } @@ -316,6 +329,9 @@ doit(struct sockaddr *fromp) (pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) { syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s", pam_strerror(pamh, pam_err)); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "login incorrect"); +#endif rshd_errx(1, "Login incorrect."); } @@ -332,6 +348,9 @@ doit(struct sockaddr *fromp) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "permission denied"); +#endif rshd_errx(1, "Login incorrect."); } @@ -341,6 +360,9 @@ doit(struct sockaddr *fromp) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown login. cmd='%.80s'", ruser, rhost, luser, cmdbuf); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "unknown login"); +#endif if (errorstr == NULL) errorstr = "Login incorrect."; rshd_errx(1, errorstr, rhost); @@ -373,6 +395,9 @@ doit(struct sockaddr *fromp) "%s@%s as %s: permission denied (%s). cmd='%.80s'", ruser, rhost, luser, __rcmd_errstr, cmdbuf); +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "permission denied"); +#endif rshd_errx(1, "Login incorrect."); } if (!auth_timeok(lc, time(NULL))) @@ -468,6 +493,9 @@ doit(struct sockaddr *fromp) } } +#ifdef USE_BLACKLIST + blacklist(0, STDIN_FILENO, "success"); +#endif for (fd = getdtablesize(); fd > 2; fd--) (void) close(fd); if (setsid() == -1) @@ -534,8 +562,12 @@ getstr(char *buf, int cnt, const char *error) if (read(STDIN_FILENO, &c, 1) != 1) exit(1); *buf++ = c; - if (--cnt == 0) + if (--cnt == 0) { +#ifdef USE_BLACKLIST + blacklist(1, STDIN_FILENO, "buffer overflow"); +#endif rshd_errx(1, "%s too long", error); + } } while (c != 0); } |