Finish the security improvements:

o Add "allow" command:
      "allow users a b c" gives access to users a, b and c.
      "allow modes auto"  gives those users access to auto mode only.
      "allow users *" and  "allow modes *" are accepted.
      No users and all modes are allowed by default.
    UID 0 can do anything.
  o Set the current label with the "load" and "dial" commands
    so that the call to ppp.linkdown makes sense.
  o Up the version number.
  o Don't OR MODE_AUTO for -background and -ddial.
  o Don't OR MODE_INTER when we get a diagnostic connection.
  o Allow up to 40 args per line (was 20).
  o "set ifaddr" only changes the interface in AUTO mode (with other
    modes, it happens after IPCP negotiation).
  o Sort command descriptions in the man page.
  o Support -dedicated mode where we just talk ppp forever (no login etc).
This commit is contained in:
Brian Somers 1997-11-11 22:58:14 +00:00
parent 1898febe2d
commit 12ef29a81a
15 changed files with 698 additions and 374 deletions


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: auth.c,v 1.20 1997/11/09 18:51:21 brian Exp $
* $Id: auth.c,v 1.21 1997/11/09 22:07:27 brian Exp $
*
* TODO:
* o Implement check against with registered IP addresses.
@ -60,8 +60,8 @@ LocalAuthInit()
*p = '\0';
}
if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT)))
/* We're allowed in interactive and direct */
if (!(mode&MODE_DAEMON))
/* We're allowed in interactive mode */
VarLocalAuth = LOCAL_AUTH;
else if (VarHaveLocalAuthKey)
VarLocalAuth = *VarLocalAuthKey == '\0' ? LOCAL_AUTH : LOCAL_NO_AUTH;
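Review bot: The comment `We're allowed in interactive mode` on the new condition no longer says who is allowed: with the uid-0 check in main.c replaced by ValidSystem(GetLabel()), this branch hands LOCAL_AUTH to any user an `allow users` entry admits for the label, not just root. Suggest making that explicit, e.g. `/* Not a daemon: the invoking user already passed ValidSystem() at startup, so grant the full command set */`. The same predicate is spelled `mode & MODE_INTER` in main.c and command.c; as far as the visible ProcessArgs shows the two are equivalent, since every daemon flag now clears MODE_INTER, but one spelling (or a comment saying why MODE_DAEMON is used here) would stop them drifting apart. LocalAuthInit starts outside the hunk.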


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: command.c,v 1.96 1997/11/09 22:56:15 brian Exp $
* $Id: command.c,v 1.97 1997/11/09 23:40:21 brian Exp $
*
*/
#include <sys/param.h>
@ -77,6 +77,7 @@ static int QuitCommand(struct cmdtab const *, int, char **);
static int CloseCommand(struct cmdtab const *, int, char **);
static int DialCommand(struct cmdtab const *, int, char **);
static int DownCommand(struct cmdtab const *, int, char **);
static int AllowCommand(struct cmdtab const *, int, char **);
static int SetCommand(struct cmdtab const *, int, char **);
static int AddCommand(struct cmdtab const *, int, char **);
static int DeleteCommand(struct cmdtab const *, int, char **);
@ -154,13 +155,9 @@ DialCommand(struct cmdtab const * cmdlist, int argc, char **argv)
return 0;
}
if (argc > 0) {
if (SelectSystem(*argv, CONFFILE) < 0) {
if (VarTerm)
fprintf(VarTerm, "%s: not found.\n", *argv);
return -1;
}
}
if (argc > 0 && LoadCommand(cmdlist, argc, argv) == -1)
return -1;
tries = 0;
do {
if (VarTerm)
@ -227,7 +224,7 @@ ShellCommand(struct cmdtab const * cmdlist, int argc, char **argv, int bg)
* we want to stop shell commands when we've got a telnet connection to an
* auto mode ppp
*/
if ((mode & (MODE_AUTO | MODE_INTER)) == (MODE_AUTO | MODE_INTER)) {
if (VarTerm && !(mode & MODE_INTER)) {
LogPrintf(LogWARN, "Shell is not allowed interactively in auto mode\n");
return 1;
}
@ -235,17 +232,17 @@ ShellCommand(struct cmdtab const * cmdlist, int argc, char **argv, int bg)
if (argc == 0)
if (!(mode & MODE_INTER)) {
LogPrintf(LogWARN, "Can only start an interactive shell in"
" interactive mode\n");
if (VarTerm)
LogPrintf(LogWARN, "Can't start an interactive shell from"
" a telnet session\n");
else
LogPrintf(LogWARN, "Can only start an interactive shell in"
" interactive mode\n");
return 1;
} else if (bg) {
LogPrintf(LogWARN, "Can only start an interactive shell in"
" the foreground mode\n");
return 1;
} else if (mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT)) {
LogPrintf(LogWARN, "Can't start an interactive shell from"
" a telnet session\n");
return 1;
}
if ((shell = getenv("SHELL")) == 0)
shell = _PATH_BSHELL;
@ -324,6 +321,8 @@ static struct cmdtab const Commands[] = {
"accept option request", "accept option .."},
{"add", NULL, AddCommand, LOCAL_AUTH,
"add route", "add dest mask gateway"},
{"allow", "auth", AllowCommand, LOCAL_AUTH,
"Allow ppp access", "allow users|modes ...."},
{"bg", "!bg", BgShellCommand, LOCAL_AUTH,
"Run a command in the background", "[!]bg command"},
{"close", NULL, CloseCommand, LOCAL_AUTH,
@ -668,7 +667,7 @@ Prompt()
{
char *pconnect, *pauth;
if (!(mode & MODE_INTER) || !VarTerm || TermMode)
if (!VarTerm || TermMode)
return;
if (!aft_cmd)
@ -689,27 +688,41 @@ Prompt()
}
void
DecodeCommand(char *buff, int nb, int prompt)
InterpretCommand(char *buff, int nb, int *argc, char ***argv)
{
char *vector[20];
char **argv;
int argc;
static char *vector[40];
char *cp;
if (nb > 0) {
cp = buff + strcspn(buff, "\r\n");
if (cp)
*cp = '\0';
argc = MakeArgs(buff, vector, VECSIZE(vector));
argv = vector;
*argc = MakeArgs(buff, vector, VECSIZE(vector));
*argv = vector;
} else
*argc = 0;
}
void
RunCommand(int argc, char **argv, int prompt)
{
if (argc > 0)
FindExec(Commands, argc, argv);
if (argc > 0)
FindExec(Commands, argc, argv);
}
if (prompt)
Prompt();
}
void
DecodeCommand(char *buff, int nb, int prompt)
{
int argc;
char **argv;
InterpretCommand(buff, nb, &argc, &argv);
RunCommand(argc, argv, prompt);
}
static int
ShowCommand(struct cmdtab const * list, int argc, char **argv)
{
@ -751,26 +764,26 @@ QuitCommand(struct cmdtab const * list, int argc, char **argv)
{
FILE *oVarTerm;
if (mode & (MODE_DIRECT | MODE_DEDICATED | MODE_AUTO)) {
if (argc > 0 && !strcasecmp(*argv, "all") && (VarLocalAuth & LOCAL_AUTH)) {
mode &= ~MODE_INTER;
oVarTerm = VarTerm;
VarTerm = 0;
if (oVarTerm && oVarTerm != stdout)
fclose(oVarTerm);
Cleanup(EX_NORMAL);
} else if (VarTerm) {
LogPrintf(LogPHASE, "Client connection closed.\n");
mode &= ~MODE_INTER;
oVarTerm = VarTerm;
VarTerm = 0;
if (oVarTerm && oVarTerm != stdout)
fclose(oVarTerm);
close(netfd);
netfd = -1;
}
} else
if (mode & MODE_INTER)
Cleanup(EX_NORMAL);
else if (argc > 0 && !strcasecmp(*argv, "all") &&
(VarLocalAuth & LOCAL_AUTH)) {
oVarTerm = VarTerm;
VarTerm = 0;
if (oVarTerm && oVarTerm != stdout)
fclose(oVarTerm);
close(netfd);
netfd = -1;
Cleanup(EX_NORMAL);
} else if (VarTerm) {
LogPrintf(LogPHASE, "Client connection closed.\n");
oVarTerm = VarTerm;
VarTerm = 0;
if (oVarTerm && oVarTerm != stdout)
fclose(oVarTerm);
close(netfd);
netfd = -1;
}
return 0;
}
@ -1172,11 +1185,10 @@ SetInterfaceAddr(struct cmdtab const * list, int argc, char **argv)
IpcpInfo.want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr;
IpcpInfo.his_ipaddr.s_addr = DefHisAddress.ipaddr.s_addr;
if ((mode & MODE_AUTO) ||
((mode & MODE_DEDICATED) && dstsystem)) {
if (OsSetIpaddress(DefMyAddress.ipaddr, DefHisAddress.ipaddr, ifnetmask) < 0)
return 4;
}
if ((mode & MODE_AUTO) &&
OsSetIpaddress(DefMyAddress.ipaddr, DefHisAddress.ipaddr, ifnetmask) < 0)
return 4;
return 0;
}
@ -1548,3 +1560,27 @@ AliasOption(struct cmdtab const * list, int argc, char **argv, void *param)
}
return -1;
}
static struct cmdtab const AllowCommands[] = {
{"users", "user", AllowUsers, LOCAL_AUTH,
"Allow users access to ppp", "allow users logname..."},
{"modes", "mode", AllowModes, LOCAL_AUTH,
"Only allow certain ppp modes", "allow modes mode..."},
{"help", "?", HelpCommand, LOCAL_AUTH | LOCAL_NO_AUTH,
"Display this message", "allow help|? [command]", (void *)AllowCommands},
{NULL, NULL, NULL},
};
static int
AllowCommand(struct cmdtab const *list, int argc, char **argv)
{
if (argc > 0)
FindExec(AllowCommands, argc, argv);
else if (VarTerm)
fprintf(VarTerm, "Use `allow ?' to get a list or `allow ? <cmd>' for"
" syntax help.\n");
else
LogPrintf(LogWARN, "allow command must have arguments\n");
return 0;
}
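Review bot: `allow` is registered in the runtime Commands table with LOCAL_AUTH (the `{"allow", "auth", AllowCommand, LOCAL_AUTH, ...}` entry), so it is not only a ppp.conf directive: any session holding LOCAL_AUTH — which auth.c now grants unconditionally in interactive mode to a user admitted by `allow users` — can type `allow users *` or `allow modes *`. If AllowUsers and AllowModes (defined outside this hunk) update the same list that ValidSystem consults on a later `load` or `dial`, an admitted user could widen the access list to labels the configuration did not grant them. Consider restricting the table entry or, if the interactive path is intended, saying so in a comment above AllowCommands, e.g. `/* Also reachable interactively: a LOCAL_AUTH session may relax the allow lists */`. The ppp.8 text in this commit describes `allow` only in terms of configuration-file sections, so the interactive path may be unintended.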


@ -15,7 +15,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: command.h,v 1.8 1997/10/26 01:02:28 brian Exp $
* $Id: command.h,v 1.9 1997/11/04 01:17:00 brian Exp $
*
* TODO:
*/
@ -48,4 +48,6 @@ extern int aft_cmd;
extern int SetVariable(struct cmdtab const *, int, char **, int);
extern void Prompt(void);
extern int IsInteractive(int);
extern void InterpretCommand(char *, int, int *, char ***);
extern void RunCommand(int, char **, int);
extern void DecodeCommand(char *, int, int);


@ -1,8 +1,9 @@
/*
* $Id: $
* $Id: defs.c,v 1.1 1997/10/26 01:02:30 brian Exp $
*/
#include <stdlib.h>
#include <string.h>
#include "defs.h"
@ -12,7 +13,23 @@ int modem = -1;
int tun_in = -1;
int tun_out = -1;
int netfd = -1;
char *dstsystem = NULL;
static char dstsystem[50];
void
SetLabel(const char *label)
{
if (label)
strncpy(dstsystem, label, sizeof dstsystem);
else
*dstsystem = '\0';
}
const char *
GetLabel()
{
return *dstsystem ? dstsystem : NULL;
}
void
randinit()
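Review bot: `strncpy(dstsystem, label, sizeof dstsystem)` in SetLabel leaves the 50-byte buffer without a terminator when the label is 50 or more characters long, and GetLabel() then returns a string that runs past the array. Copy one byte less and terminate explicitly: `strncpy(dstsystem, label, sizeof dstsystem - 1); dstsystem[sizeof dstsystem - 1] = '\0';`. Even then a long label is silently cut to 49 characters, and the shortened name is what ValidSystem() and SelectSystem() in main.c will look up, so rejecting over-long labels (SetLabel returning an error) is worth considering. `GetLabel()` should also be defined as `GetLabel(void)` to match the prototype in defs.h.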


@ -15,7 +15,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: defs.h,v 1.23 1997/10/26 12:42:10 brian Exp $
* $Id: defs.h,v 1.24 1997/11/09 14:18:37 brian Exp $
*
* TODO:
*/
@ -62,6 +62,9 @@
#define MODE_ALIAS 32 /* Packet aliasing (masquerading) */
#define MODE_BACKGROUND 64 /* Background mode. */
#define MODE_DAEMON (2|4|8|16|64)
#define MODE_OUTGOING_DAEMON (2|8|16|64)
#define EX_SIG -1
#define EX_NORMAL 0
#define EX_START 1
@ -83,6 +86,7 @@ extern int modem;
extern int tun_in;
extern int tun_out;
extern int netfd;
extern char *dstsystem;
extern void SetLabel(const char *);
extern const char *GetLabel(void);
extern void randinit(void);
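Review bot: `MODE_DAEMON` and the new `MODE_OUTGOING_DAEMON` are spelled as raw bit values, `(2|4|8|16|64)` and `(2|8|16|64)`, so a reader has to map each number back to the MODE_* definitions above the hunk to see which modes are included, and a renumbering would silently break them. Define them from the names instead (only MODE_ALIAS 32 and MODE_BACKGROUND 64 are visible here; the names for 2, 4, 8 and 16 are in the lines above the hunk) and add a comment on the difference, e.g. `/* MODE_OUTGOING_DAEMON: daemon modes that dial out and so need a label and dstaddr */`, which is how main.c uses it.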


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: ipcp.c,v 1.33 1997/10/29 01:19:40 brian Exp $
* $Id: ipcp.c,v 1.34 1997/11/08 00:28:07 brian Exp $
*
* TODO:
* o More RFC1772 backwoard compatibility
@ -193,7 +193,7 @@ IpcpInit()
FsmInit(&IpcpFsm);
memset(icp, '\0', sizeof(struct ipcpstate));
if ((mode & MODE_DEDICATED) && !dstsystem) {
if ((mode & MODE_DEDICATED) && !GetLabel()) {
icp->want_ipaddr.s_addr = icp->his_ipaddr.s_addr = 0;
} else {
icp->want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr;


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: main.c,v 1.91 1997/11/09 18:51:23 brian Exp $
* $Id: main.c,v 1.92 1997/11/09 22:07:28 brian Exp $
*
* TODO:
* o Add commands for traffic summary, version display, etc.
@ -177,8 +177,7 @@ Cleanup(int excode)
OsInterfaceDown(1);
HangupModem(1);
nointr_sleep(1);
if (mode & MODE_AUTO)
DeleteIfRoutes(1);
DeleteIfRoutes(1);
ID0unlink(pid_filename);
if (mode & MODE_BACKGROUND && BGFiledes[1] != -1) {
char c = EX_ERRDEAD;
@ -200,11 +199,13 @@ static void
CloseConnection(int signo)
{
/* NOTE, these are manual, we've done a setsid() */
pending_signal(SIGINT, SIG_IGN);
LogPrintf(LogPHASE, "Caught signal %d, abort connection\n", signo);
reconnectState = RECON_FALSE;
reconnectCount = 0;
DownConnection();
dial_up = 0;
pending_signal(SIGINT, CloseConnection);
}
static void
@ -286,19 +287,25 @@ ProcessArgs(int argc, char **argv)
char *cp;
optc = 0;
mode = MODE_INTER;
while (argc > 0 && **argv == '-') {
cp = *argv + 1;
if (strcmp(cp, "auto") == 0)
if (strcmp(cp, "auto") == 0) {
mode |= MODE_AUTO;
else if (strcmp(cp, "background") == 0)
mode |= MODE_BACKGROUND | MODE_AUTO;
else if (strcmp(cp, "direct") == 0)
mode &= ~MODE_INTER;
} else if (strcmp(cp, "background") == 0) {
mode |= MODE_BACKGROUND;
mode &= ~MODE_INTER;
} else if (strcmp(cp, "direct") == 0) {
mode |= MODE_DIRECT;
else if (strcmp(cp, "dedicated") == 0)
mode &= ~MODE_INTER;
} else if (strcmp(cp, "dedicated") == 0) {
mode |= MODE_DEDICATED;
else if (strcmp(cp, "ddial") == 0)
mode |= MODE_DDIAL | MODE_AUTO;
else if (strcmp(cp, "alias") == 0) {
mode &= ~MODE_INTER;
} else if (strcmp(cp, "ddial") == 0) {
mode |= MODE_DDIAL;
mode &= ~MODE_INTER;
} else if (strcmp(cp, "alias") == 0) {
if (loadAliasHandlers(&VarAliasHandlers) == 0)
mode |= MODE_ALIAS;
else
@ -315,7 +322,7 @@ ProcessArgs(int argc, char **argv)
exit(EX_START);
}
if (argc == 1)
dstsystem = *argv;
SetLabel(*argv);
if (optc > 1) {
fprintf(stderr, "specify only one mode.\n");
@ -345,15 +352,15 @@ main(int argc, char **argv)
argc--;
argv++;
ProcessArgs(argc, argv);
if (!(mode & MODE_DIRECT)) {
if (getuid() != 0) {
fprintf(stderr, "You may only run ppp in client mode as user id 0\n");
LogClose();
return EX_NOPERM;
}
if (!(mode & MODE_DIRECT))
VarTerm = stdout;
}
ID0init();
if (!ValidSystem(GetLabel())) {
fprintf(stderr, "You may not use ppp in this mode with this label\n");
return 1;
}
Greetings();
IpcpDefAddress();
LocalAuthInit();
@ -365,20 +372,17 @@ main(int argc, char **argv)
LogPrintf(LogWARN, "open_tun: %s\n", strerror(errno));
return EX_START;
}
if (mode & (MODE_AUTO | MODE_DIRECT | MODE_DEDICATED))
mode &= ~MODE_INTER;
if (mode & MODE_INTER) {
fprintf(VarTerm, "Interactive mode\n");
netfd = STDOUT_FILENO;
} else if (mode & MODE_AUTO) {
fprintf(VarTerm, "Automatic Dialer mode\n");
if (dstsystem == NULL) {
} else if ((mode & MODE_OUTGOING_DAEMON) && !(mode & MODE_DEDICATED))
if (GetLabel() == NULL) {
if (VarTerm)
fprintf(VarTerm, "Destination system must be specified in"
" auto, background or ddial mode.\n");
return EX_START;
}
}
tcgetattr(0, &oldtio); /* Save original tty mode */
pending_signal(SIGHUP, CloseSession);
@ -402,28 +406,29 @@ main(int argc, char **argv)
pending_signal(SIGTTOU, SIG_IGN);
#endif
}
if (!(mode & MODE_INTER)) {
#ifdef SIGUSR1
if (mode != MODE_INTER)
pending_signal(SIGUSR1, SetUpServer);
#endif
#ifdef SIGUSR2
if (mode != MODE_INTER)
pending_signal(SIGUSR2, BringDownServer);
#endif
}
if (dstsystem) {
if (SelectSystem(dstsystem, CONFFILE) < 0) {
if (GetLabel()) {
if (SelectSystem(GetLabel(), CONFFILE) < 0) {
LogPrintf(LogWARN, "Destination system not found in conf file.\n");
Cleanup(EX_START);
}
if ((mode & MODE_AUTO) && DefHisAddress.ipaddr.s_addr == INADDR_ANY) {
if (mode & MODE_OUTGOING_DAEMON &&
DefHisAddress.ipaddr.s_addr == INADDR_ANY) {
LogPrintf(LogWARN, "Must specify dstaddr with"
" auto, background or ddial mode.\n");
Cleanup(EX_START);
}
}
if (!(mode & MODE_INTER)) {
if (mode & MODE_DAEMON) {
if (mode & MODE_BACKGROUND) {
if (pipe(BGFiledes)) {
LogPrintf(LogERROR, "pipe: %s\n", strerror(errno));
@ -468,13 +473,9 @@ main(int argc, char **argv)
close(1);
close(2);
#ifdef DOTTYINIT
if (mode & (MODE_DIRECT | MODE_DEDICATED))
#else
if (mode & MODE_DIRECT)
#endif
TtyInit(1);
else {
else if (mode & MODE_DAEMON) {
setsid();
close(0);
}
@ -522,12 +523,11 @@ PacketMode()
LcpUp();
LcpOpen(VarOpenMode);
if ((mode & (MODE_INTER | MODE_AUTO)) == MODE_INTER) {
if (mode & MODE_INTER)
TtyCommandMode(1);
if (VarTerm) {
fprintf(VarTerm, "Packet mode.\n");
aft_cmd = 1;
}
if (VarTerm) {
fprintf(VarTerm, "Packet mode.\n");
aft_cmd = 1;
}
}
@ -571,7 +571,6 @@ ReadTty()
Prompt();
} else {
LogPrintf(LogPHASE, "client connection closed.\n");
mode &= ~MODE_INTER;
oVarTerm = VarTerm;
VarTerm = 0;
if (oVarTerm && oVarTerm != stdout)
@ -771,7 +770,9 @@ DoLoop()
Cleanup(EX_DEAD);
}
reconnectState = RECON_ENVOKED;
}
} else if (mode & MODE_DEDICATED)
if (VarOpenMode == OPEN_ACTIVE)
PacketMode();
}
/*
@ -933,13 +934,12 @@ DoLoop()
netfd = wfd;
VarTerm = fdopen(netfd, "a+");
LocalAuthInit();
mode |= MODE_INTER;
Greetings();
IsInteractive(1);
Prompt();
}
if ((mode & MODE_INTER) && (netfd >= 0 && FD_ISSET(netfd, &rfds)) &&
((mode & MODE_AUTO) || pgroup == tcgetpgrp(0))) {
if (netfd >= 0 && FD_ISSET(netfd, &rfds) &&
((mode & MODE_OUTGOING_DAEMON) || pgroup == tcgetpgrp(0))) {
/* something to read from tty */
ReadTty();
}
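Review bot: The new label check in main() exits with `return 1` and no `LogClose()` after writing to stderr, while the uid check it replaces returned `EX_NOPERM` after `LogClose()`; the same kind of refusal should keep the same exit status and cleanup, `LogClose(); return EX_NOPERM;`, so a caller can tell a permission failure from EX_START. ValidSystem(GetLabel()) is only evaluated here at startup; since `load` and `dial` can change the label at runtime (DialCommand now delegates to LoadCommand), LoadCommand must apply the same check, and it is outside this page so I could not confirm it does. main() starts outside the hunk.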


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: os.c,v 1.30 1997/11/08 00:28:10 brian Exp $
* $Id: os.c,v 1.31 1997/11/09 06:22:44 brian Exp $
*
*/
#include <sys/param.h>
@ -218,8 +218,8 @@ OsLinkup()
LogPrintf(LogLCP, "OsLinkup: %s\n", s);
if (SelectSystem(inet_ntoa(IpcpInfo.want_ipaddr), LINKUPFILE) < 0) {
if (dstsystem) {
if (SelectSystem(dstsystem, LINKUPFILE) < 0)
if (GetLabel()) {
if (SelectSystem(GetLabel(), LINKUPFILE) < 0)
SelectSystem("MYADDR", LINKUPFILE);
} else
SelectSystem("MYADDR", LINKUPFILE);
@ -248,12 +248,11 @@ OsLinkdown()
FsmDown(&IpcpFsm); /* IPCP must come down */
FsmDown(&CcpFsm); /* CCP must come down */
if (!(mode & MODE_AUTO))
DeleteIfRoutes(0);
DeleteIfRoutes(0);
linkup = 0;
if (SelectSystem(s, LINKDOWNFILE) < 0) {
if (dstsystem) {
if (SelectSystem(dstsystem, LINKDOWNFILE) < 0)
if (GetLabel()) {
if (SelectSystem(GetLabel(), LINKDOWNFILE) < 0)
SelectSystem("MYADDR", LINKDOWNFILE);
} else
SelectSystem("MYADDR", LINKDOWNFILE);
@ -268,7 +267,7 @@ OsInterfaceDown(int final)
int s;
OsLinkdown();
if (!final && (mode & MODE_AUTO)) /* We still want interface alive */
if (!final && (mode & MODE_DAEMON)) /* We still want interface alive */
return (0);
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s < 0) {


@ -1,14 +1,20 @@
.\" $Id: ppp.8,v 1.76 1997/11/09 17:51:26 brian Exp $
.\" $Id: ppp.8,v 1.77 1997/11/09 22:07:28 brian Exp $
.Dd 20 September 1995
.Os FreeBSD
.Dt PPP 8
.Sh NAME
.Nm ppp
.Nd
Point to Point Protocol (a.k.a. iijppp)
.Nd Point to Point Protocol (a.k.a. iijppp)
.Sh SYNOPSIS
.Nm
.Op Fl auto | background | ddial | direct | dedicated
.\" SOMEONE FIX ME ! The .Op macro can't handle enough args !
[
.Fl auto |
.Fl background |
.Fl ddial |
.Fl direct |
.Fl dedicated
]
.Op Fl alias
.Op Ar system
.Sh DESCRIPTION
@ -46,19 +52,35 @@ can write a chat script to define the necessary dialing and login
procedure for later convenience.
.It Supports on-demand dialup capability.
By using auto mode,
By using
.Fl auto
mode,
.Nm
will act as a daemon and wait for a packet to be sent over the
.Em PPP
link. When this happens, the daemon automatically dials and establishes the
connection.
In almost the same manner ddial mode (dedicated or daemon dialing)
also automatically dials and establishes the connection. However, it
differs in that it will dial the remote site any time it detects the
link is down, even if there are no packets to be sent. This mode is
useful for full-time connections who worry less about line charges
and more about being connected full time.
In almost the same manner
.Fl ddial
mode (direct-dial mode) also automatically dials and establishes the
connection. However, it differs in that it will dial the remote site
any time it detects the link is down, even if there are no packets to be
sent. This mode is useful for full-time connections where we worry less
about line charges and more about being connected full time.
A third
.Fl dedicated
mode is also available. This mode is targeted at a dedicated link
between two machines.
.Nm Ppp
will never voluntarily quit from dedicated mode - you must send it the
.Dq quit all
command via its diagnostic socket. A
.Dv SIGHUP
will force an LCP renegotiation, and a
.Dv SIGTERM
will force it to exit.
.It Supports packet aliasing.
Packet aliasing (a.k.a. IP masquerading) allows computers on a
@ -144,20 +166,24 @@ and group
.Dv network ,
with permissions
.Dv 4550 .
.Nm Ppp
will not execute in client mode if the invoking user id is not zero.
.Nm Ppp
will run in
.Fl direct
mode as a normal user, but due to its execution permissions, this user
must be a member of group
.Dv network .
By default,
.Nm
will not run if the invoking user id is not zero. This may be overridden
by using the
.Dq allow users
command in
.Pa /etc/ppp/ppp.conf .
When running as a normal user,
.Nm
switches to user id 0 in order to alter the system routing table. All
switches to user id 0 in order to alter the system routing table, set up
system lock files and read the ppp configuration files. All
external commands (executed via the "shell" or "!bg" commands) are executed
as the user id that invoked
.Nm ppp .
Refer to the
.Sq ID0
logging facility if you're interested in what exactly is done as user id
zero.
.Sh GETTING STARTED
@ -1658,6 +1684,136 @@ is the next hop gateway to get to the given
.Dq dest
machine/network.
.It allow .....
This command controls access to
.Nm
and its configuration files. It is possible to allow user-level access,
depending on the configuration file label and on the mode that
.Nm
is being run in. For example, you may wish to configure
.Nm
so that only user
.Sq fred
may access label
.Sq fredlabel
in
.Fl background
mode.
.Pp
User id 0 is immune to these commands.
.Bl -tag -width 20
.It allow user|users logname...
By default, only user id 0 is allowed access. If this command is specified,
all of the listed users are allowed access to the section in which the
.Dq allow users
command is found. The
.Sq default
section is always checked first (although it is only ever automatically
loaded at startup). Each successive
.Dq allow users
command overrides the previous one, so it's possible to allow users access
to everything except a given label by specifying default users in the
.Sq default
section, and then specifying a new user list for that label.
.Pp
If user
.Sq *
is specified, access is allowed to all users.
.It allow mode|modes modelist...
By default, access using all
.Nm
modes is possible. If this command is used, it restricts the access
modes allowed to load the label under which this command is specified.
Again, as with the
.Dq allow users
command, each
.Dq allow modes
command overrides the previous, and the
.Sq default
section is always checked first.
.Pp
Possible modes are:
.Sq interactive ,
.Sq auto ,
.Sq direct ,
.Sq dedicated ,
.Sq ddial ,
.Sq background
and
.Sq * .
.El
.It alias .....
This command allows the control of the aliasing (or masquerading)
facilities that are built into
.Nm ppp .
Until this code is required, it is not loaded by
.Nm ppp ,
and it is quite possible that the alias library is not installed
on your system (some administrators consider it a security risk).
If aliasing is enabled on your system, the following commands are
possible:
.Bl -tag -width 20
.It alias enable [yes|no]
This command either switches aliasing on or turns it off.
The
.Fl alias
command line flag is synonymous with
.Dq alias enable yes .
.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT]
This command allows us to redirect connections arriving at
.Dq aliasPORT
for machine [aliasIP] to
.Dq targetPORT
on
.Dq targetIP .
If proto is specified, only connections of the given protocol
are matched. This option is useful if you wish to run things like
Internet phone on the machines behind your gateway.
.It alias addr [addr_local addr_alias]
This command allows data for
.Dq addr_alias
to be redirected to
.Dq addr_local .
It is useful if you own a small number of real IP numbers that
you wish to map to specific machines behind your gateway.
.It alias deny_incoming [yes|no]
If set to yes, this command will refuse all incoming connections
by dropping the packets in much the same way as a firewall would.
.It alias log [yes|no]
This option causes various aliasing statistics and information to
be logged to the file
.Pa /var/log/alias.log .
.It alias same_ports [yes|no]
When enabled, this command will tell the alias library attempt to
avoid changing the port number on outgoing packets. This is useful
if you want to support protocols such as RPC and LPD which require
connections to come from a well known port.
.It alias use_sockets [yes|no]
When enabled, this option tells the alias library to create a
socket so that it can guarantee a correct incoming ftp data or
IRC connection.
.It alias unregistered_only [yes|no]
Only alter outgoing packets with an unregistered source ad-
dress. According to RFC 1918, unregistered source addresses
are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
.It alias help|?
This command gives a summary of available alias commands.
.El
.It [!]bg command
The given command is executed in the background.
Any of the pseudo arguments
@ -1711,10 +1867,14 @@ values as specified under
.Dq accept|deny|enable|disable option....
above.
.It passwd pass
Specify the password required for access to the full
.Nm
command set.
.It down
Bring the link down ungracefully, as if the physical layer had become
unavailable. It's not considered polite to use this command.
.It help|? [command]
Show a list of available commands. If
.Dq command
is specified, show the usage string for that command.
.It load [remote]
Load the given
@ -1725,6 +1885,28 @@ is not given, the
.Dq default
label is assumed.
.It passwd pass
Specify the password required for access to the full
.Nm
command set.
.It quit|bye [all]
Exit
.Nm ppp .
If
.Nm
is in interactive mode or if the
.Dq all
argument is given,
.Nm
will exit, closing the connection. A simple
.Dq quit
issued from a
.Xr pppctl 8
or
.Xr telnet 1
session will not close the current connection.
.It save
This option is not (yet) implemented.
@ -2140,101 +2322,6 @@ peer is detected on the other side of the modem,
.Nm
automatically enables Packet Mode and goes back into command mode.
.It alias .....
This command allows the control of the aliasing (or masquerading)
facilities that are built into
.Nm ppp .
Until this code is required, it is not loaded by
.Nm ppp ,
and it is quite possible that the alias library is not installed
on your system (some administrators consider it a security risk).
If aliasing is enabled on your system, the following commands are
possible:
.Bl -tag -width 20
.It alias enable [yes|no]
This command either switches aliasing on or turns it off.
The
.Fl alias
command line flag is synonymous with
.Dq alias enable yes .
.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT]
This command allows us to redirect connections arriving at
.Dq aliasPORT
for machine [aliasIP] to
.Dq targetPORT
on
.Dq targetIP .
If proto is specified, only connections of the given protocol
are matched. This option is useful if you wish to run things like
Internet phone on the machines behind your gateway.
.It alias addr [addr_local addr_alias]
This command allows data for
.Dq addr_alias
to be redirected to
.Dq addr_local .
It is useful if you own a small number of real IP numbers that
you wish to map to specific machines behind your gateway.
.It alias deny_incoming [yes|no]
If set to yes, this command will refuse all incoming connections
by dropping the packets in much the same way as a firewall would.
.It alias log [yes|no]
This option causes various aliasing statistics and information to
be logged to the file
.Pa /var/log/alias.log .
.It alias same_ports [yes|no]
When enabled, this command will tell the alias library attempt to
avoid changing the port number on outgoing packets. This is useful
if you want to support protocols such as RPC and LPD which require
connections to come from a well known port.
.It alias use_sockets [yes|no]
When enabled, this option tells the alias library to create a
socket so that it can guarantee a correct incoming ftp data or
IRC connection.
.It alias unregistered_only [yes|no]
Only alter outgoing packets with an unregistered source ad-
dress. According to RFC 1918, unregistered source addresses
are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
.It alias help|?
This command gives a summary of available alias commands.
.El
.It quit|bye [all]
Exit
.Nm ppp .
If
.Nm
is in interactive mode or if the
.Dq all
argument is given,
.Nm
will exit, closing the connection. A simple
.Dq quit
issued from a
.Xr pppctl 8
or
.Xr telnet 1
session will not close the current connection.
.It help|? [command]
Show a list of available commands. If
.Dq command
is specified, show the usage string for that command.
.It down
Bring the link down ungracefully. It's not considered polite to
use this command.
.El
.Sh MORE DETAILS


@ -1,14 +1,20 @@
.\" $Id: ppp.8,v 1.76 1997/11/09 17:51:26 brian Exp $
.\" $Id: ppp.8,v 1.77 1997/11/09 22:07:28 brian Exp $
.Dd 20 September 1995
.Os FreeBSD
.Dt PPP 8
.Sh NAME
.Nm ppp
.Nd
Point to Point Protocol (a.k.a. iijppp)
.Nd Point to Point Protocol (a.k.a. iijppp)
.Sh SYNOPSIS
.Nm
.Op Fl auto | background | ddial | direct | dedicated
.\" SOMEONE FIX ME ! The .Op macro can't handle enough args !
[
.Fl auto |
.Fl background |
.Fl ddial |
.Fl direct |
.Fl dedicated
]
.Op Fl alias
.Op Ar system
.Sh DESCRIPTION
@ -46,19 +52,35 @@ can write a chat script to define the necessary dialing and login
procedure for later convenience.
.It Supports on-demand dialup capability.
By using auto mode,
By using
.Fl auto
mode,
.Nm
will act as a daemon and wait for a packet to be sent over the
.Em PPP
link. When this happens, the daemon automatically dials and establishes the
connection.
In almost the same manner ddial mode (dedicated or daemon dialing)
also automatically dials and establishes the connection. However, it
differs in that it will dial the remote site any time it detects the
link is down, even if there are no packets to be sent. This mode is
useful for full-time connections who worry less about line charges
and more about being connected full time.
In almost the same manner
.Fl ddial
mode (direct-dial mode) also automatically dials and establishes the
connection. However, it differs in that it will dial the remote site
any time it detects the link is down, even if there are no packets to be
sent. This mode is useful for full-time connections where we worry less
about line charges and more about being connected full time.
A third
.Fl dedicated
mode is also available. This mode is targeted at a dedicated link
between two machines.
.Nm Ppp
will never voluntarily quit from dedicated mode - you must send it the
.Dq quit all
command via its diagnostic socket. A
.Dv SIGHUP
will force an LCP renegotiation, and a
.Dv SIGTERM
will force it to exit.
.It Supports packet aliasing.
Packet aliasing (a.k.a. IP masquerading) allows computers on a
@ -144,20 +166,24 @@ and group
.Dv network ,
with permissions
.Dv 4550 .
.Nm Ppp
will not execute in client mode if the invoking user id is not zero.
.Nm Ppp
will run in
.Fl direct
mode as a normal user, but due to its execution permissions, this user
must be a member of group
.Dv network .
By default,
.Nm
will not run if the invoking user id is not zero. This may be overridden
by using the
.Dq allow users
command in
.Pa /etc/ppp/ppp.conf .
When running as a normal user,
.Nm
switches to user id 0 in order to alter the system routing table. All
switches to user id 0 in order to alter the system routing table, set up
system lock files and read the ppp configuration files. All
external commands (executed via the "shell" or "!bg" commands) are executed
as the user id that invoked
.Nm ppp .
Refer to the
.Sq ID0
logging facility if you're interested in what exactly is done as user id
zero.
.Sh GETTING STARTED
@ -1658,6 +1684,136 @@ is the next hop gateway to get to the given
.Dq dest
machine/network.
.It allow .....
This command controls access to
.Nm
and its configuration files. It is possible to allow user-level access,
depending on the configuration file label and on the mode that
.Nm
is being run in. For example, you may wish to configure
.Nm
so that only user
.Sq fred
may access label
.Sq fredlabel
in
.Fl background
mode.
.Pp
User id 0 is immune to these commands.
.Bl -tag -width 20
.It allow user|users logname...
By default, only user id 0 is allowed access. If this command is specified,
all of the listed users are allowed access to the section in which the
.Dq allow users
command is found. The
.Sq default
section is always checked first (although it is only ever automatically
loaded at startup). Each successive
.Dq allow users
command overrides the previous one, so it's possible to allow users access
to everything except a given label by specifying default users in the
.Sq default
section, and then specifying a new user list for that label.
.Pp
If user
.Sq *
is specified, access is allowed to all users.
.It allow mode|modes modelist...
By default, access using all
.Nm
modes is possible. If this command is used, it restricts the access
modes allowed to load the label under which this command is specified.
Again, as with the
.Dq allow users
command, each
.Dq allow modes
command overrides the previous, and the
.Sq default
section is always checked first.
.Pp
Possible modes are:
.Sq interactive ,
.Sq auto ,
.Sq direct ,
.Sq dedicated ,
.Sq ddial ,
.Sq background
and
.Sq * .
.El
.It alias .....
This command allows the control of the aliasing (or masquerading)
facilities that are built into
.Nm ppp .
Until this code is required, it is not loaded by
.Nm ppp ,
and it is quite possible that the alias library is not installed
on your system (some administrators consider it a security risk).
If aliasing is enabled on your system, the following commands are
possible:
.Bl -tag -width 20
.It alias enable [yes|no]
This command either switches aliasing on or turns it off.
The
.Fl alias
command line flag is synonymous with
.Dq alias enable yes .
.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT]
This command allows us to redirect connections arriving at
.Dq aliasPORT
for machine [aliasIP] to
.Dq targetPORT
on
.Dq targetIP .
If proto is specified, only connections of the given protocol
are matched. This option is useful if you wish to run things like
Internet phone on the machines behind your gateway.
.It alias addr [addr_local addr_alias]
This command allows data for
.Dq addr_alias
to be redirected to
.Dq addr_local .
It is useful if you own a small number of real IP numbers that
you wish to map to specific machines behind your gateway.
.It alias deny_incoming [yes|no]
If set to yes, this command will refuse all incoming connections
by dropping the packets in much the same way as a firewall would.
.It alias log [yes|no]
This option causes various aliasing statistics and information to
be logged to the file
.Pa /var/log/alias.log .
.It alias same_ports [yes|no]
When enabled, this command will tell the alias library attempt to
avoid changing the port number on outgoing packets. This is useful
if you want to support protocols such as RPC and LPD which require
connections to come from a well known port.
.It alias use_sockets [yes|no]
When enabled, this option tells the alias library to create a
socket so that it can guarantee a correct incoming ftp data or
IRC connection.
.It alias unregistered_only [yes|no]
Only alter outgoing packets with an unregistered source ad-
dress. According to RFC 1918, unregistered source addresses
are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
.It alias help|?
This command gives a summary of available alias commands.
.El
.It [!]bg command
The given command is executed in the background.
Any of the pseudo arguments
@ -1711,10 +1867,14 @@ values as specified under
.Dq accept|deny|enable|disable option....
above.
.It passwd pass
Specify the password required for access to the full
.Nm
command set.
.It down
Bring the link down ungracefully, as if the physical layer had become
unavailable. It's not considered polite to use this command.
.It help|? [command]
Show a list of available commands. If
.Dq command
is specified, show the usage string for that command.
.It load [remote]
Load the given
@ -1725,6 +1885,28 @@ is not given, the
.Dq default
label is assumed.
.It passwd pass
Specify the password required for access to the full
.Nm
command set.
.It quit|bye [all]
Exit
.Nm ppp .
If
.Nm
is in interactive mode or if the
.Dq all
argument is given,
.Nm
will exit, closing the connection. A simple
.Dq quit
issued from a
.Xr pppctl 8
or
.Xr telnet 1
session will not close the current connection.
.It save
This option is not (yet) implemented.
@ -2140,101 +2322,6 @@ peer is detected on the other side of the modem,
.Nm
automatically enables Packet Mode and goes back into command mode.
.It alias .....
This command allows the control of the aliasing (or masquerading)
facilities that are built into
.Nm ppp .
Until this code is required, it is not loaded by
.Nm ppp ,
and it is quite possible that the alias library is not installed
on your system (some administrators consider it a security risk).
If aliasing is enabled on your system, the following commands are
possible:
.Bl -tag -width 20
.It alias enable [yes|no]
This command either switches aliasing on or turns it off.
The
.Fl alias
command line flag is synonymous with
.Dq alias enable yes .
.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT]
This command allows us to redirect connections arriving at
.Dq aliasPORT
for machine [aliasIP] to
.Dq targetPORT
on
.Dq targetIP .
If proto is specified, only connections of the given protocol
are matched. This option is useful if you wish to run things like
Internet phone on the machines behind your gateway.
.It alias addr [addr_local addr_alias]
This command allows data for
.Dq addr_alias
to be redirected to
.Dq addr_local .
It is useful if you own a small number of real IP numbers that
you wish to map to specific machines behind your gateway.
.It alias deny_incoming [yes|no]
If set to yes, this command will refuse all incoming connections
by dropping the packets in much the same way as a firewall would.
.It alias log [yes|no]
This option causes various aliasing statistics and information to
be logged to the file
.Pa /var/log/alias.log .
.It alias same_ports [yes|no]
When enabled, this command will tell the alias library attempt to
avoid changing the port number on outgoing packets. This is useful
if you want to support protocols such as RPC and LPD which require
connections to come from a well known port.
.It alias use_sockets [yes|no]
When enabled, this option tells the alias library to create a
socket so that it can guarantee a correct incoming ftp data or
IRC connection.
.It alias unregistered_only [yes|no]
Only alter outgoing packets with an unregistered source ad-
dress. According to RFC 1918, unregistered source addresses
are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
.It alias help|?
This command gives a summary of available alias commands.
.El
.It quit|bye [all]
Exit
.Nm ppp .
If
.Nm
is in interactive mode or if the
.Dq all
argument is given,
.Nm
will exit, closing the connection. A simple
.Dq quit
issued from a
.Xr pppctl 8
or
.Xr telnet 1
session will not close the current connection.
.It help|? [command]
Show a list of available commands. If
.Dq command
is specified, show the usage string for that command.
.It down
Bring the link down ungracefully. It's not considered polite to
use this command.
.El
.Sh MORE DETAILS


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: route.c,v 1.23 1997/11/09 06:22:47 brian Exp $
* $Id: route.c,v 1.24 1997/11/09 14:18:50 brian Exp $
*
*/
@ -268,7 +268,7 @@ ShowRoute()
mask <<= 8;
}
}
fprintf(VarTerm, "%08lx ", mask);
fprintf(VarTerm, "0x%08lx ", mask);
p_flags(rtm->rtm_flags & (RTF_UP | RTF_GATEWAY | RTF_HOST), "%-6.6s ");
fprintf(VarTerm, "(%d)\n", rtm->rtm_index);
}


@ -1,5 +1,5 @@
/*
* $Id: server.c,v 1.8 1997/11/09 14:18:51 brian Exp $
* $Id: server.c,v 1.9 1997/11/09 22:07:29 brian Exp $
*/
#include <sys/param.h>
@ -42,7 +42,7 @@ ServerLocalOpen(const char *name, mode_t mask)
return 1;
}
if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT))) {
if (mode & MODE_INTER) {
LogPrintf(LogERROR, "Local: Can't open socket in interactive mode\n");
return 1;
}
@ -100,7 +100,7 @@ ServerTcpOpen(int port)
return 6;
}
if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT))) {
if (mode & MODE_INTER) {
LogPrintf(LogERROR, "Tcp: Can't open socket in interactive mode\n");
return 6;
}


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: systems.c,v 1.21 1997/11/09 14:18:53 brian Exp $
* $Id: systems.c,v 1.22 1997/11/09 17:51:27 brian Exp $
*
* TODO:
*/
@ -43,6 +43,7 @@
#include "pathnames.h"
#include "vars.h"
#include "server.h"
#include "chat.h"
#include "systems.h"
#define issep(ch) ((ch) == ' ' || (ch) == '\t')
@ -165,8 +166,66 @@ DecodeCtrlCommand(char *line, char *arg)
return CTRL_UNKNOWN;
}
static int userok;
int
SelectSystem(char *name, char *file)
AllowUsers(struct cmdtab const *list, int argc, char **argv)
{
int f;
char *user;
userok = 0;
user = getlogin();
if (user && *user)
for (f = 0; f < argc; f++)
if (!strcmp("*", argv[f]) || !strcmp(user, argv[f])) {
userok = 1;
break;
}
return 0;
}
static struct {
int mode;
char *name;
} modes[] = {
{ MODE_INTER, "interactive" },
{ MODE_AUTO, "auto" },
{ MODE_DIRECT, "direct" },
{ MODE_DEDICATED, "dedicated" },
{ MODE_DDIAL, "ddial" },
{ MODE_BACKGROUND, "background" },
{ ~0, "*" },
{ 0, 0 }
};
static int modeok;
int
AllowModes(struct cmdtab const *list, int argc, char **argv)
{
int f;
int m;
int allowed;
allowed = 0;
for (f = 0; f < argc; f++) {
for (m = 0; modes[m].mode; m++)
if (!strcasecmp(modes[m].name, argv[f])) {
allowed |= modes[m].mode;
break;
}
if (modes[m].mode == 0)
LogPrintf(LogWARN, "%s: Invalid mode\n", argv[f]);
}
modeok = (mode | allowed) == allowed ? 1 : 0;
return 0;
}
static int
ReadSystem(const char *name, const char *file, int doexec)
{
FILE *fp;
char *cp, *wp;
@ -175,6 +234,9 @@ SelectSystem(char *name, char *file)
char line[LINE_LEN];
char filename[200];
int linenum;
int argc;
char **argv;
int allowcmd;
if (*file == '/')
snprintf(filename, sizeof filename, "%s", file);
@ -182,10 +244,10 @@ SelectSystem(char *name, char *file)
snprintf(filename, sizeof filename, "%s/%s", _PATH_PPP, file);
fp = ID0fopen(filename, "r");
if (fp == NULL) {
LogPrintf(LogDEBUG, "SelectSystem: Can't open %s.\n", filename);
LogPrintf(LogDEBUG, "ReadSystem: Can't open %s.\n", filename);
return (-1);
}
LogPrintf(LogDEBUG, "SelectSystem: Checking %s (%s).\n", name, filename);
LogPrintf(LogDEBUG, "ReadSystem: Checking %s (%s).\n", name, filename);
linenum = 0;
while (fgets(line, sizeof(line), fp)) {
@ -211,7 +273,7 @@ SelectSystem(char *name, char *file)
switch (DecodeCtrlCommand(cp+1, arg)) {
case CTRL_INCLUDE:
LogPrintf(LogCOMMAND, "%s: Including \"%s\"\n", filename, arg);
n = SelectSystem(name, arg);
n = ReadSystem(name, arg, doexec);
LogPrintf(LogCOMMAND, "%s: Done include of \"%s\"\n", filename, arg);
if (!n)
return 0; /* got it */
@ -233,12 +295,16 @@ SelectSystem(char *name, char *file)
cp[--len] = '\0';
if (!len)
continue;
LogPrintf(LogCOMMAND, "%s: %s\n", name, cp);
olauth = VarLocalAuth;
if (VarLocalAuth == LOCAL_NO_AUTH)
VarLocalAuth = LOCAL_AUTH;
DecodeCommand(cp, len, 0);
VarLocalAuth = olauth;
InterpretCommand(cp, len, &argc, &argv);
allowcmd = argc > 0 && !strcasecmp(*argv, "allow");
if ((!doexec && allowcmd) || (doexec && !allowcmd)) {
LogPrintf(LogCOMMAND, "%s: %s\n", name, cp);
olauth = VarLocalAuth;
if (VarLocalAuth == LOCAL_NO_AUTH)
VarLocalAuth = LOCAL_AUTH;
RunCommand(argc, argv, 0);
VarLocalAuth = olauth;
}
} else if (*cp == '#') {
continue;
} else
@ -254,6 +320,26 @@ SelectSystem(char *name, char *file)
return -1;
}
int
ValidSystem(const char *name)
{
if (ID0realuid() == 0)
return userok = modeok = 1;
userok = 0;
modeok = 1;
ReadSystem("default", CONFFILE, 0);
if (name != NULL)
ReadSystem(name, CONFFILE, 0);
return userok && modeok;
}
int
SelectSystem(const char *name, const char *file)
{
userok = modeok = 1;
return ReadSystem(name, file, 1);
}
int
LoadCommand(struct cmdtab const * list, int argc, char **argv)
{
@ -264,10 +350,13 @@ LoadCommand(struct cmdtab const * list, int argc, char **argv)
else
name = "default";
if (SelectSystem(name, CONFFILE) < 0) {
if (!ValidSystem(name))
LogPrintf(LogERROR, "%s: Label not allowed\n");
else if (SelectSystem(name, CONFFILE) < 0) {
LogPrintf(LogWARN, "%s: not found.\n", name);
return -1;
}
} else
SetLabel(argc ? name : NULL);
return 0;
}
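Review bot: `LogPrintf(LogERROR, "%s: Label not allowed\n");` in the LoadCommand hunk has a `%s` conversion with no matching argument, so the call pulls an unrelated value off the variadic list (undefined behaviour) and never prints the label; it should be `LogPrintf(LogERROR, "%s: Label not allowed\n", name);`. That branch also falls through to `return 0`, so a refused label reports success to the caller while the not-found case returns -1; keeping both failure paths alike would mean `LogPrintf(LogERROR, "%s: Label not allowed\n", name); return -1;` (LoadCommand's opening lines sit in the previous hunk). In the AllowUsers hunk the grant is decided by comparing `getlogin()` output, which is the session's login name rather than the invoking identity: it is typically absent in sessions without a controlling terminal and, as far as I can tell, can still be the original login after su, so it may not match the real uid that ValidSystem already consults through `ID0realuid()`. Resolving that uid with `getpwuid(ID0realuid())` and comparing its pw_name (or comparing uids directly) would tie the check to the same identity the rest of the code trusts.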


@ -17,11 +17,14 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: systems.h,v 1.7 1997/10/26 01:03:49 brian Exp $
* $Id: systems.h,v 1.8 1997/11/09 06:22:48 brian Exp $
*
*/
extern int SelectSystem(char *, char *);
extern int SelectSystem(const char *, const char *);
extern int ValidSystem(const char *);
extern int AllowUsers(struct cmdtab const *, int, char **);
extern int AllowModes(struct cmdtab const *, int, char **);
extern FILE *OpenSecret(char *);
extern void CloseSecret(FILE *);
extern int LoadCommand(struct cmdtab const *, int, char **);


@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* $Id: vars.c,v 1.32 1997/10/29 01:19:51 brian Exp $
* $Id: vars.c,v 1.33 1997/11/09 22:07:29 brian Exp $
*
*/
#include <sys/param.h>
@ -39,8 +39,8 @@
#include "auth.h"
#include "defs.h"
char VarVersion[] = "PPP Version 1.3";
char VarLocalVersion[] = "$Date: 1997/10/29 01:19:51 $";
char VarVersion[] = "PPP Version 1.4";
char VarLocalVersion[] = "$Date: 1997/11/09 22:07:29 $";
int Utmp = 0;
int ipInOctets = 0;
int ipOutOctets = 0;