diff options
author | des <des@FreeBSD.org> | 2002-05-08 00:43:46 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-05-08 00:43:46 +0000 |
commit | 6a749b9ddc465ad14d6cf3738355ac8204efc6bc (patch) | |
tree | d3b1f3d82558ff2caa5d4447f3f5af4ee458ea34 /libexec/rshd/rshd.c | |
parent | 6f8960d18d82aa2f3fceeecd66a2cdaf9f164fde (diff) | |
download | FreeBSD-src-6a749b9ddc465ad14d6cf3738355ac8204efc6bc.zip FreeBSD-src-6a749b9ddc465ad14d6cf3738355ac8204efc6bc.tar.gz |
PAMify.
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'libexec/rshd/rshd.c')
-rw-r--r-- | libexec/rshd/rshd.c | 380 |
1 files changed, 127 insertions, 253 deletions
diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c index 626ed11..b6665ea 100644 --- a/libexec/rshd/rshd.c +++ b/libexec/rshd/rshd.c @@ -1,6 +1,13 @@ /*- * Copyright (c) 1988, 1989, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -48,8 +55,8 @@ static const char rcsid[] = /* * remote shell server: * [port]\0 - * remuser\0 - * locuser\0 + * ruser\0 + * luser\0 * command\0 * data */ @@ -80,30 +87,22 @@ static const char rcsid[] = #include <unistd.h> #include <login_cap.h> -#ifdef USE_PAM #include <security/pam_appl.h> +#include <security/openpam.h> #include <sys/wait.h> -static int export_pam_environment(void); -static int ok_to_export(const char *); - +static struct pam_conv pamc = { openpam_nullconv, NULL }; static pam_handle_t *pamh; -static char **environ_pam; +static int pam_err; #define PAM_END { \ - if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ - syslog(LOG_ERR|LOG_AUTH, "pam_setcred: %s", pam_strerror(pamh, retcode)); \ - if ((retcode = pam_close_session(pamh,0)) != PAM_SUCCESS) \ - syslog(LOG_ERR|LOG_AUTH, "pam_close_session: %s", pam_strerror(pamh, retcode)); \ - if ((retcode = pam_end(pamh, retcode)) != PAM_SUCCESS) \ - syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); \ + if ((pam_err = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_setcred(): %s", pam_strerror(pamh, pam_err)); \ + if ((pam_err = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_close_session(): %s", pam_strerror(pamh, pam_err)); \ + if ((pam_err = pam_end(pamh, pam_err)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_end(): %s", pam_strerror(pamh, pam_err)); \ } -#endif /* USE_PAM */ - -/* wrapper for KAME-special getnameinfo() */ -#ifndef NI_WITHSCOPEID -#define NI_WITHSCOPEID 0 -#endif int keepalive = 1; int log_success; /* If TRUE, log all successful accesses */ @@ -113,20 +112,7 @@ int no_delay; int doencrypt = 0; #endif -union sockunion { - struct sockinet { - u_char si_len; - u_char si_family; - u_short si_port; - } su_si; - struct sockaddr_in su_sin; - struct sockaddr_in6 su_sin6; -}; -#define su_len su_si.si_len -#define su_family su_si.si_family -#define su_port su_si.si_port - -void doit(union sockunion *); +void doit(struct sockaddr *); static void rshd_errx(int, const char *, ...) __printf0like(2, 3); void getstr(char *, int, const char *); int local_domain(char *); @@ -201,110 +187,86 @@ main(int argc, char *argv[]) if (no_delay && setsockopt(0, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) < 0) syslog(LOG_WARNING, "setsockopt (TCP_NODELAY): %m"); - doit((union sockunion *)&from); + doit((struct sockaddr *)&from); /* NOTREACHED */ return(0); } -#ifdef USE_PAM -/* - * We can't have a conversation with the client over the rsh connection. - * You must use auth methods that don't require one, like pam_rhosts. - */ - -static int -null_conv(int num_msg __unused, const struct pam_message **msg __unused, - struct pam_response **resp __unused, void *appdata_ptr __unused) -{ - syslog(LOG_ERR, "PAM conversation is not supported"); - return PAM_CONV_ERR; -} -#endif /* USE_PAM */ - -char username[20] = "USER="; -char homedir[64] = "HOME="; -char shell[64] = "SHELL="; -char path[100] = "PATH="; -char *envinit[] = - {homedir, shell, path, username, 0}; -char **environ; +extern char **environ; void -doit(union sockunion *fromp) +doit(struct sockaddr *fromp) { extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */ struct passwd *pwd; u_short port; fd_set ready, readfrom; - int cc, nfd, pv[2], pid, s; + int cc, fd, nfd, pv[2], pid, s; int one = 1; - const char *errorstr; - char *cp, sig, buf[BUFSIZ]; - char cmdbuf[NCARGS+1], locuser[16], remuser[16]; - char fromhost[2 * MAXHOSTNAMELEN + 1]; + const char *cp, *errorstr; + char sig, buf[BUFSIZ]; + char cmdbuf[NCARGS+1], luser[16], ruser[16]; + char rhost[2 * MAXHOSTNAMELEN + 1]; char numericname[INET6_ADDRSTRLEN]; - int af = fromp->su_family, error; + int af, error, srcport; #ifdef CRYPT int rc; int pv1[2], pv2[2]; #endif login_cap_t *lc; -#ifdef USE_PAM - static struct pam_conv conv = { null_conv, NULL }; - int retcode; -#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); (void) signal(SIGTERM, SIG_DFL); - fromp->su_port = ntohs((u_short)fromp->su_port); - if (af != AF_INET + af = fromp->sa_family; + srcport = ntohs(*((in_port_t *)&fromp->sa_data)); + if (af == AF_INET) { + inet_ntop(af, &((struct sockaddr_in *)fromp)->sin_addr, + numericname, sizeof numericname); #ifdef INET6 - && af != AF_INET6 + } else if (af == AF_INET6) { + inet_ntop(af, &((struct sockaddr_in6 *)fromp)->sin6_addr, + numericname, sizeof numericname); #endif - ) { + } else { syslog(LOG_ERR, "malformed \"from\" address (af %d)", af); exit(1); } - error = getnameinfo((struct sockaddr *)fromp, fromp->su_len, - numericname, sizeof(numericname), NULL, 0, - NI_NUMERICHOST|NI_WITHSCOPEID); - /* XXX: do 'error' check */ #ifdef IP_OPTIONS - if (af == AF_INET) { - u_char optbuf[BUFSIZ/3]; - int optsize = sizeof(optbuf), ipproto, i; - struct protoent *ip; + if (af == AF_INET) { + u_char optbuf[BUFSIZ/3]; + int optsize = sizeof(optbuf), ipproto, i; + struct protoent *ip; - if ((ip = getprotobyname("ip")) != NULL) - ipproto = ip->p_proto; - else - ipproto = IPPROTO_IP; - if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) && - optsize != 0) { - for (i = 0; i < optsize; ) { - u_char c = optbuf[i]; - if (c == IPOPT_LSRR || c == IPOPT_SSRR) { - syslog(LOG_NOTICE, - "connection refused from %s with IP option %s", - numericname, - c == IPOPT_LSRR ? "LSRR" : "SSRR"); - exit(1); + if ((ip = getprotobyname("ip")) != NULL) + ipproto = ip->p_proto; + else + ipproto = IPPROTO_IP; + if (!getsockopt(0, ipproto, IP_OPTIONS, optbuf, &optsize) && + optsize != 0) { + for (i = 0; i < optsize; ) { + u_char c = optbuf[i]; + if (c == IPOPT_LSRR || c == IPOPT_SSRR) { + syslog(LOG_NOTICE, + "connection refused from %s with IP option %s", + numericname, + c == IPOPT_LSRR ? "LSRR" : "SSRR"); + exit(1); + } + if (c == IPOPT_EOL) + break; + i += (c == IPOPT_NOP) ? 1 : optbuf[i+1]; } - if (c == IPOPT_EOL) - break; - i += (c == IPOPT_NOP) ? 1 : optbuf[i+1]; } } - } #endif - if (fromp->su_port >= IPPORT_RESERVED || - fromp->su_port < IPPORT_RESERVED/2) { + if (srcport >= IPPORT_RESERVED || + srcport < IPPORT_RESERVED/2) { syslog(LOG_NOTICE|LOG_AUTH, "connection from %s on illegal port %u", numericname, - fromp->su_port); + srcport); exit(1); } @@ -340,18 +302,17 @@ doit(union sockunion *fromp) port); exit(1); } - fromp->su_port = htons(port); - if (connect(s, (struct sockaddr *)fromp, fromp->su_len) < 0) { + *((in_port_t *)&fromp->sa_data) = htons(port); + if (connect(s, fromp, fromp->sa_len) < 0) { syslog(LOG_INFO, "connect second port %d: %m", port); exit(1); } } errorstr = NULL; - realhostname_sa(fromhost, sizeof(fromhost) - 1, - (struct sockaddr *)fromp, - fromp->su_len); - fromhost[sizeof(fromhost) - 1] = '\0'; + realhostname_sa(rhost, sizeof(rhost) - 1, fromp, fromp->sa_len); + rhost[sizeof(rhost) - 1] = '\0'; + /* XXX truncation! */ #ifdef CRYPT if (doencrypt && af == AF_INET) { @@ -370,81 +331,52 @@ doit(union sockunion *fromp) des_set_key(&kdata->session, schedule); } #endif - getstr(remuser, sizeof(remuser), "remuser"); - - getstr(locuser, sizeof(locuser), "locuser"); + (void) alarm(60); + getstr(ruser, sizeof(ruser), "ruser"); + getstr(luser, sizeof(luser), "luser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); + (void) alarm(0); -#ifdef USE_PAM - retcode = pam_start("rsh", locuser, &conv, &pamh); - if (retcode != PAM_SUCCESS) { - syslog(LOG_ERR|LOG_AUTH, "pam_start: %s", pam_strerror(pamh, retcode)); + pam_err = pam_start("rsh", luser, &pamc, &pamh); + if (pam_err != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s", + pam_strerror(pamh, pam_err)); rshd_errx(1, "Login incorrect."); } - retcode = pam_set_item (pamh, PAM_RUSER, remuser); - if (retcode != PAM_SUCCESS) { - syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RUSER): %s", pam_strerror(pamh, retcode)); - rshd_errx(1, "Login incorrect."); - } - retcode = pam_set_item (pamh, PAM_RHOST, fromhost); - if (retcode != PAM_SUCCESS) { - syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); - rshd_errx(1, "Login incorrect."); - } - retcode = pam_set_item (pamh, PAM_TTY, "tty"); - if (retcode != PAM_SUCCESS) { - syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); + if ((pam_err = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS || + (pam_err = pam_set_item(pamh, PAM_RHOST, rhost) != PAM_SUCCESS)) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s", + pam_strerror(pamh, pam_err)); rshd_errx(1, "Login incorrect."); } - retcode = pam_authenticate(pamh, 0); - if (retcode == PAM_SUCCESS) { - if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &cp)) == PAM_SUCCESS) { - strncpy(locuser, cp, sizeof(locuser)); - locuser[sizeof(locuser) - 1] = '\0'; - } else - syslog(LOG_ERR|LOG_AUTH, "pam_get_item(PAM_USER): %s", - pam_strerror(pamh, retcode)); - retcode = pam_acct_mgmt(pamh, 0); + pam_err = pam_authenticate(pamh, 0); + if (pam_err == PAM_SUCCESS) { + if ((pam_err = pam_get_user(pamh, &cp, NULL)) == PAM_SUCCESS) { + strncpy(luser, cp, sizeof(luser)); + luser[sizeof(luser) - 1] = '\0'; + /* XXX truncation! */ + } + pam_err = pam_acct_mgmt(pamh, 0); } - if (retcode != PAM_SUCCESS) { - syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + if (pam_err != PAM_SUCCESS) { + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied (%s). cmd='%.80s'", + ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf); rshd_errx(1, "Login incorrect."); } -#endif /* USE_PAM */ setpwent(); - pwd = getpwnam(locuser); + pwd = getpwnam(luser); if (pwd == NULL) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown login. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); - if (errorstr == NULL) - errorstr = "Login incorrect."; - rshd_errx(1, errorstr, fromhost); - } - -#ifndef USE_PAM - if (errorstr || - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { - if (__rcmd_errstr) - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, - cmdbuf); - else - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); + ruser, rhost, luser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect."; - rshd_errx(1, errorstr, fromhost); + rshd_errx(1, errorstr, rhost); } -#endif /* USE_PAM */ lc = login_getpwclass(pwd); if (pwd->pw_uid) @@ -455,33 +387,29 @@ doit(union sockunion *fromp) login_getcapbool(lc, "requirehome", !!pwd->pw_uid)) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: no home directory. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); + ruser, rhost, luser, cmdbuf); rshd_errx(0, "No remote home directory."); } pwd->pw_dir = "/"; } - if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ + if (lc != NULL && fromp->sa_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; strncpy(remote_ip, numericname, sizeof(remote_ip) - 1); remote_ip[sizeof(remote_ip) - 1] = 0; - if (!auth_hostok(lc, fromhost, remote_ip)) { + /* XXX truncation! */ + if (!auth_hostok(lc, rhost, remote_ip)) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, + ruser, rhost, luser, __rcmd_errstr, cmdbuf); rshd_errx(1, "Login incorrect."); } if (!auth_timeok(lc, time(NULL))) rshd_errx(1, "Logins not available right now"); } -#if BSD > 43 - /* before fork, while we're session leader */ - if (setlogin(pwd->pw_name) < 0) - syslog(LOG_ERR, "setlogin() failed: %m"); -#endif /* * PAM modules might add supplementary groups in @@ -489,17 +417,15 @@ doit(union sockunion *fromp) * But we need to open the session as root. */ if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { - syslog(LOG_ERR, "setusercontext: %m"); + syslog(LOG_ERR, "setusercontext: %m"); exit(1); } -#ifdef USE_PAM - if ((retcode = pam_open_session(pamh, 0)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, retcode)); - } else if ((retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); + if ((pam_err = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, pam_err)); + } else if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, pam_err)); } -#endif /* USE_PAM */ (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; @@ -524,7 +450,7 @@ doit(union sockunion *fromp) static char msg[] = SECURE_MESSAGE; (void) close(pv1[1]); (void) close(pv2[1]); - des_enc_write(s, msg, sizeof(msg) - 1, + des_enc_write(s, msg, sizeof(msg) - 1, schedule, &kdata->session); } else @@ -634,12 +560,9 @@ doit(union sockunion *fromp) (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); -#ifdef USE_PAM PAM_END; -#endif /* USE_PAM */ exit(0); } - setpgrp(0, getpid()); (void) close(s); (void) close(pv[0]); #ifdef CRYPT @@ -654,59 +577,53 @@ doit(union sockunion *fromp) dup2(pv[1], 2); close(pv[1]); } -#ifdef USE_PAM else { pid = fork(); if (pid == -1) rshd_errx(1, "Can't fork; try again."); if (pid) { /* Parent. */ - wait(NULL); + while (wait(NULL) > 0 || errno == EINTR) + /* nothing */ ; PAM_END; exit(0); } } -#endif /* USE_PAM */ + + for (fd = getdtablesize(); fd > 2; fd--) + (void) close(fd); + if (setsid() == -1) + syslog(LOG_ERR, "setsid() failed: %m"); + if (setlogin(pwd->pw_name) < 0) + syslog(LOG_ERR, "setlogin() failed: %m"); if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; - environ = envinit; - -#ifdef USE_PAM - /* - * Add any environmental variables that the - * PAM modules may have set. - */ - environ_pam = pam_getenvlist(pamh); - if (environ_pam) - export_pam_environment(); - if ((retcode = pam_end(pamh, 0)) != PAM_SUCCESS) - syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); -#endif /* USE_PAM */ - - strncat(homedir, pwd->pw_dir, sizeof(homedir)-6); - strcat(path, _PATH_DEFPATH); - strncat(shell, pwd->pw_shell, sizeof(shell)-7); - strncat(username, pwd->pw_name, sizeof(username)-6); + (void) pam_setenv(pamh, "HOME", pwd->pw_dir, 1); + (void) pam_setenv(pamh, "SHELL", pwd->pw_shell, 1); + (void) pam_setenv(pamh, "USER", pwd->pw_name, 1); + (void) pam_setenv(pamh, "PATH", _PATH_DEFPATH, 1); + environ = pam_getenvlist(pamh); + (void) pam_end(pamh, pam_err); cp = strrchr(pwd->pw_shell, '/'); if (cp) cp++; else cp = pwd->pw_shell; - if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETGROUP) != 0) { - syslog(LOG_ERR, "setusercontext: %m"); + if (setusercontext(lc, pwd, pwd->pw_uid, + LOGIN_SETALL & ~LOGIN_SETGROUP) < 0) { + syslog(LOG_ERR, "setusercontext(): %m"); exit(1); } login_close(lc); - endpwent(); if (log_success || pwd->pw_uid == 0) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); + ruser, rhost, luser, cmdbuf); } - execl(pwd->pw_shell, cp, "-c", cmdbuf, (char *)0); - perror(pwd->pw_shell); + execl(pwd->pw_shell, cp, "-c", cmdbuf, NULL); + err(1, "%s", pwd->pw_shell); exit(1); } @@ -761,6 +678,7 @@ local_domain(char *h) localhost[0] = 0; (void) gethostname(localhost, sizeof(localhost) - 1); localhost[sizeof(localhost) - 1] = '\0'; + /* XXX truncation! */ p1 = topdomain(localhost); p2 = topdomain(h); if (p1 == NULL || p2 == NULL || !strcasecmp(p1, p2)) @@ -784,50 +702,6 @@ topdomain(char *h) return (maybe); } -#ifdef USE_PAM -static int -export_pam_environment(void) -{ - char **pp; - - for (pp = environ_pam; *pp != NULL; pp++) { - if (ok_to_export(*pp)) - (void) putenv(*pp); - free(*pp); - } - return PAM_SUCCESS; -} - -/* - * Sanity checks on PAM environmental variables: - * - Make sure there is an '=' in the string. - * - Make sure the string doesn't run on too long. - * - Do not export certain variables. This list was taken from the - * Solaris pam_putenv(3) man page. - */ -static int -ok_to_export(const char *s) -{ - static const char *noexport[] = { - "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", - "IFS", "PATH", NULL - }; - const char **pp; - size_t n; - - if (strlen(s) > 1024 || strchr(s, '=') == NULL) - return 0; - if (strncmp(s, "LD_", 3) == 0) - return 0; - for (pp = noexport; *pp != NULL; pp++) { - n = strlen(*pp); - if (s[n] == '=' && strncmp(s, *pp, n) == 0) - return 0; - } - return 1; -} -#endif /* USE_PAM */ - void usage(void) { |