Check the "prog.deny" login.conf capability and

refuse to run if "ppp" is in the list.
Suggested by:	"Daniel O'Callaghan" <danny@panda.hilink.com.au>

1 files changed, 44 insertions, 1 deletions

diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c
index 52af408..bdadc96 100644
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: main.c,v 1.71 1997/08/25 00:29:19 brian Exp $
+ * $Id: main.c,v 1.72 1997/08/25 01:52:11 brian Exp $
  *
  *	TODO:
  *		o Add commands for traffic summary, version display, etc.
@@ -37,6 +37,9 @@
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <sysexits.h>
+#include <pwd.h>
+#include <login_cap.h>
 #include "modem.h"
 #include "os.h"
 #include "hdlc.h"
@@ -317,6 +320,40 @@ Greetings()
   }
 }
 
+static int
+Runnable()
+{
+  login_cap_t *lc;
+  const struct passwd *pwd;
+  char **data;
+  int result;
+
+  result = 1;  /* return non-zero if I'm runnable */
+
+  pwd = getpwuid(getuid());
+  if (!pwd) {
+    perror("getpwuid");
+    return result;  /* Run anyway - probably spawned from inetd or the like */
+  }
+  lc = login_getpwclass(pwd);
+  if (!lc) {
+    perror("login_getpwclass");
+    return result;  /* Run anyway - We're missing login.conf ? */
+  }
+
+  data = login_getcaplist(lc, "prog.deny", NULL);
+  if (data) 
+    for (; *data; data++)
+      if (!strcmp(*data, "ppp")) {
+	result = 0;
+	break;
+      }
+
+  login_close(lc);
+
+  return result;    /* OK to run */
+}
+
 int
 main(int argc, char **argv)
 {
@@ -335,6 +372,12 @@ main(int argc, char **argv)
   ProcessArgs(argc, argv);
   if (!(mode & MODE_DIRECT))
     VarTerm = stdout;
+
+  if (!Runnable()) {
+    LogPrintf(LogERROR, "You do not have permission to execute ppp\n");
+    return EX_NOPERM;
+  }
+
   Greetings();
   GetUid();
   IpcpDefAddress();