author | joerg <joerg@FreeBSD.org> | 1995-04-11 19:52:10 +0000 |
---|---|---|
committer | joerg <joerg@FreeBSD.org> | 1995-04-11 19:52:10 +0000 |
commit | 2d762a44a235791b97c72973154d907f03659b29 (patch) | |
tree | dd744ec3d6a91a420b04646ed49a20f07e170b45 /lib/libcompat | |
parent | 7cbdad353165994132fdfd17948768e0d599d5e9 (diff) | |
The implementation of rexec() missed the function ruserpass(), so the
link stage fell over for any program that attempted to use rexec().
Ruserpass() remains undocumented; i could not find any documentation
for it on other systems.
Also added a BUGS section to the man page, stating that this function
constitutes a potential security hole (as well as the underlying
"exec" service).
Submitted by: rgrimes
Originally submitted by: agc@uts.amdahl.com (Alistair G. Crooks)
Obtained from: netbsd-bugs@NetBSD.ORG
Diffstat (limited to 'lib/libcompat')
-rw-r--r-- | lib/libcompat/4.3/rexec.3 | 11 | ||||
-rw-r--r-- | lib/libcompat/4.3/rexec.c | 244 |
2 files changed, 252 insertions, 3 deletions
diff --git a/lib/libcompat/4.3/rexec.3 b/lib/libcompat/4.3/rexec.3
index 2bcb5be..f6d7478 100644
--- a/lib/libcompat/4.3/rexec.3
+++ b/lib/libcompat/4.3/rexec.3
@@ -39,7 +39,7 @@
 .Nd return stream to a remote command
 .Sh SYNOPSIS
 .Ft int
-.Fn rexec ahost "int inport" "char *user" "char *passwd" "char *cmd" "int *fd2p"
+.Fn rexec "char **ahost" "int inport" "char *user" "char *passwd" "char *cmd" "int *fd2p"
 .Sh DESCRIPTION
 .Bf -symbolic
 This interface is obsoleted by krcmd(3).
@@ -120,3 +120,12 @@ The
 .Fn rexec
 function appeared in
 .Bx 4.2 .
+.Sh BUGS
+The
+.Fn rexec
+function sends the unencrypted password across the network.
+.Pp
+The underlying service is considered a big security hole and therefore
+not enabled on many sites, see
+.Xr rexecd 8
+for explanations.
diff --git a/lib/libcompat/4.3/rexec.c b/lib/libcompat/4.3/rexec.c
index c82ffaa..a8a7b5b 100644
--- a/lib/libcompat/4.3/rexec.c
+++ b/lib/libcompat/4.3/rexec.c
@@ -38,19 +38,259 @@ static char sccsid[] = "@(#)rexec.c 8.1 (Berkeley) 6/4/93"; #include <sys/types.h> #include <sys/uio.h> #include <sys/socket.h> +#include <sys/param.h> +#include <sys/stat.h> #include <netinet/in.h> #include <stdio.h> #include <unistd.h> +#include <string.h> #include <netdb.h> #include <errno.h> +#include <ctype.h> +#include <err.h> +#include <stdlib.h> +#include <unistd.h> -extern errno; -char *index(); int rexecoptions; char *getpass(), *getlogin(); +/* + * Options and other state info. + */ +struct macel { + char mac_name[9]; /* macro name */ + char *mac_start; /* start of macro in macbuf */ + char *mac_end; /* end of macro in macbuf */ +}; + +int macnum; /* number of defined macros */ +struct macel macros[16]; +char macbuf[4096]; + +static FILE *cfile; + +#define DEFAULT 1 +#define LOGIN 2 +#define PASSWD 3 +#define ACCOUNT 4 +#define MACDEF 5 +#define ID 10 +#define MACH 11 + +static char tokval[100]; + +static struct toktab { + char *tokstr; + int tval; +} toktab[]= { + { "default", DEFAULT }, + { "login", LOGIN }, + { "password", PASSWD }, + { "passwd", PASSWD }, + { "account", ACCOUNT }, + { "machine", MACH }, + { "macdef", MACDEF }, + { NULL, 0 } +}; + +static int +token() +{ + char *cp; + int c; + struct toktab *t; + + if (feof(cfile) || ferror(cfile)) + return (0); + while ((c = getc(cfile)) != EOF && + (c == '\n' || c == '\t' || c == ' ' || c == ',')) + continue; + if (c == EOF) + return (0); + cp = tokval; + if (c == '"') { + while ((c = getc(cfile)) != EOF && c != '"') { + if (c == '\\') + c = getc(cfile); + *cp++ = c; + } + } else { + *cp++ = c; + while ((c = getc(cfile)) != EOF + && c != '\n' && c != '\t' && c != ' ' && c != ',') { + if (c == '\\') + c = getc(cfile); + *cp++ = c; + } + } + *cp = 0; + if (tokval[0] == 0) + return (0); + for (t = toktab; t->tokstr; t++) + if (!strcmp(t->tokstr, tokval)) + return (t->tval); + return (ID); +} + +static int +ruserpass(host, aname, apass, aacct) + char *host, **aname, **apass, 
**aacct; +{ + char *hdir, buf[BUFSIZ], *tmp; + char myname[MAXHOSTNAMELEN], *mydomain; + int t, i, c, usedefault = 0; + struct stat stb; + + hdir = getenv("HOME"); + if (hdir == NULL) + hdir = "."; + (void) sprintf(buf, "%s/.netrc", hdir); + cfile = fopen(buf, "r"); + if (cfile == NULL) { + if (errno != ENOENT) + warn("%s", buf); + return (0); + } + if (gethostname(myname, sizeof(myname)) < 0) + myname[0] = '\0'; + if ((mydomain = strchr(myname, '.')) == NULL) + mydomain = ""; +next: + while ((t = token())) switch(t) { + + case DEFAULT: + usedefault = 1; + /* FALL THROUGH */ + + case MACH: + if (!usedefault) { + if (token() != ID) + continue; + /* + * Allow match either for user's input host name + * or official hostname. Also allow match of + * incompletely-specified host in local domain. + */ + if (strcasecmp(host, tokval) == 0) + goto match; + if ((tmp = strchr(host, '.')) != NULL && + strcasecmp(tmp, mydomain) == 0 && + strncasecmp(host, tokval, tmp - host) == 0 && + tokval[tmp - host] == '\0') + goto match; + continue; + } + match: + while ((t = token()) && t != MACH && t != DEFAULT) switch(t) { + + case LOGIN: + if (token()) + if (*aname == 0) { + *aname = malloc((unsigned) strlen(tokval) + 1); + (void) strcpy(*aname, tokval); + } else { + if (strcmp(*aname, tokval)) + goto next; + } + break; + case PASSWD: + if ((*aname == 0 || strcmp(*aname, "anonymous")) && + fstat(fileno(cfile), &stb) >= 0 && + (stb.st_mode & 077) != 0) { + warnx("Error: .netrc file is readable by others."); + warnx("Remove password or make file unreadable by others."); + goto bad; + } + if (token() && *apass == 0) { + *apass = malloc((unsigned) strlen(tokval) + 1); + (void) strcpy(*apass, tokval); + } + break; + case ACCOUNT: + if (fstat(fileno(cfile), &stb) >= 0 + && (stb.st_mode & 077) != 0) { + warnx("Error: .netrc file is readable by others."); + warnx("Remove account or make file unreadable by others."); + goto bad; + } + if (token() && *aacct == 0) { + *aacct = malloc((unsigned) 
strlen(tokval) + 1); + (void) strcpy(*aacct, tokval); + } + break; + case MACDEF: + while ((c=getc(cfile)) != EOF && + (c == ' ' || c == '\t')) + ; + if (c == EOF || c == '\n') { + printf("Missing macdef name argument.\n"); + goto bad; + } + if (macnum == 16) { + printf("Limit of 16 macros have already been defined\n"); + goto bad; + } + tmp = macros[macnum].mac_name; + *tmp++ = c; + for (i=0; i < 8 && (c=getc(cfile)) != EOF && + !isspace(c); ++i) { + *tmp++ = c; + } + if (c == EOF) { + printf("Macro definition missing null line terminator.\n"); + goto bad; + } + *tmp = '\0'; + if (c != '\n') { + while ((c=getc(cfile)) != EOF && c != '\n'); + } + if (c == EOF) { + printf("Macro definition missing null line terminator.\n"); + goto bad; + } + if (macnum == 0) { + macros[macnum].mac_start = macbuf; + } + else { + macros[macnum].mac_start = macros[macnum-1].mac_end + 1; + } + tmp = macros[macnum].mac_start; + while (tmp != macbuf + 4096) { + if ((c=getc(cfile)) == EOF) { + printf("Macro definition missing null line terminator.\n"); + goto bad; + } + *tmp = c; + if (*tmp == '\n') { + if (*(tmp-1) == '\0') { + macros[macnum++].mac_end = tmp - 1; + break; + } + *tmp = '\0'; + } + tmp++; + } + if (tmp == macbuf + 4096) { + printf("4K macro buffer exceeded\n"); + goto bad; + } + break; + default: + warnx("Unknown .netrc keyword %s", tokval); + break; + } + goto done; + } +done: + (void) fclose(cfile); + return (0); +bad: + (void) fclose(cfile); + return (-1); +} + rexec(ahost, rport, name, pass, cmd, fd2p) char **ahost; int rport; |
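Review bot: token() stores every character through `*cp++ = c` into the 100-byte static `tokval` with no bound, so one over-long word or quoted string in .netrc writes past the end of the array. Each of the three stores should be guarded, for example `if (cp < tokval + sizeof(tokval) - 1) *cp++ = c;`. ruserpass() has the same class of problem in two places: `sprintf(buf, "%s/.netrc", hdir)` copies the environment-supplied HOME into `buf[BUFSIZ]` unchecked, where `snprintf(buf, sizeof(buf), "%s/.netrc", hdir)` with a truncation check would bound it, and the macdef name loop can store nine characters plus the terminator into `mac_name[9]`, which bounding the loop with `i < 7` would prevent. The three `malloc()` results in the LOGIN, PASSWD and ACCOUNT cases are also handed to `strcpy()` without a NULL check.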