diff --git a/usr.sbin/ppp/auth.c b/usr.sbin/ppp/auth.c
index 89e4894f319e..a2f328bad9d7 100644
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: auth.c,v 1.20 1997/11/09 18:51:21 brian Exp $
+ * $Id: auth.c,v 1.21 1997/11/09 22:07:27 brian Exp $
  *
  * TODO:
  * o Implement check against with registered IP addresses.
@@ -60,8 +60,8 @@ LocalAuthInit()
       *p = '\0';
   }
 
-  if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT)))
-    /* We're allowed in interactive and direct */
+  if (!(mode&MODE_DAEMON))
+    /* We're allowed in interactive mode */
     VarLocalAuth = LOCAL_AUTH;
   else if (VarHaveLocalAuthKey)
     VarLocalAuth = *VarLocalAuthKey == '\0' ? LOCAL_AUTH : LOCAL_NO_AUTH;
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 1c527da24a1b..3c10e2484111 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: command.c,v 1.96 1997/11/09 22:56:15 brian Exp $
+ * $Id: command.c,v 1.97 1997/11/09 23:40:21 brian Exp $
  *
  */
 #include
@@ -77,6 +77,7 @@ static int QuitCommand(struct cmdtab const *, int, char **);
 static int CloseCommand(struct cmdtab const *, int, char **);
 static int DialCommand(struct cmdtab const *, int, char **);
 static int DownCommand(struct cmdtab const *, int, char **);
+static int AllowCommand(struct cmdtab const *, int, char **);
 static int SetCommand(struct cmdtab const *, int, char **);
 static int AddCommand(struct cmdtab const *, int, char **);
 static int DeleteCommand(struct cmdtab const *, int, char **);
@@ -154,13 +155,9 @@ DialCommand(struct cmdtab const * cmdlist, int argc, char **argv) return 0; } - if (argc > 0) { - if (SelectSystem(*argv, CONFFILE) < 0) { - if (VarTerm) - fprintf(VarTerm, "%s: not found.\n", *argv); - return -1; - } - } + if (argc > 0 && LoadCommand(cmdlist, argc, argv) == -1) + return -1; + tries = 0; do { if (VarTerm) @@ -227,7 +224,7 @@ ShellCommand(struct cmdtab const * cmdlist, int argc, char **argv, int bg) * we want to stop shell commands when we've got a telnet connection to an * auto mode ppp */ - if ((mode & (MODE_AUTO | MODE_INTER)) == (MODE_AUTO | MODE_INTER)) { + if (VarTerm && !(mode & MODE_INTER)) { LogPrintf(LogWARN, "Shell is not allowed interactively in auto mode\n"); return 1; } @@ -235,17 +232,17 @@ ShellCommand(struct cmdtab const * cmdlist, int argc, char **argv, int bg) if (argc == 0) if (!(mode & MODE_INTER)) { - LogPrintf(LogWARN, "Can only start an interactive shell in" - " interactive mode\n"); + if (VarTerm) + LogPrintf(LogWARN, "Can't start an interactive shell from" + " a telnet session\n"); + else + LogPrintf(LogWARN, "Can only start an interactive shell in" + " interactive mode\n"); return 1; } else if (bg) { LogPrintf(LogWARN, "Can only start an interactive shell in" " the foreground mode\n"); return 1; - } else if (mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT)) { - LogPrintf(LogWARN, "Can't start an interactive shell from" - " a telnet session\n"); - return 1; } if ((shell = getenv("SHELL")) == 0) shell = _PATH_BSHELL; @@ -324,6 +321,8 @@ static struct cmdtab const Commands[] = { "accept option request", "accept option .."}, {"add", NULL, AddCommand, LOCAL_AUTH, "add route", "add dest mask gateway"}, + {"allow", "auth", AllowCommand, LOCAL_AUTH, + "Allow ppp access", "allow users|modes ...."}, {"bg", "!bg", BgShellCommand, LOCAL_AUTH, "Run a command in the background", "[!]bg command"}, {"close", NULL, CloseCommand, LOCAL_AUTH, 
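Review bot: The `if (VarTerm)` branch added inside the `argc == 0` block of ShellCommand is unreachable, because the guard added in the previous hunk, `if (VarTerm && !(mode & MODE_INTER))`, already returns 1 for exactly that combination; only the "Can only start an interactive shell in interactive mode" message can ever be printed there (unless the few lines between the two hunks change VarTerm or mode, which are not visible here). Either drop the inner `if (VarTerm)`/`else` pair and keep the single LogPrintf, or move the telnet-session wording up to the first guard, whose message "Shell is not allowed interactively in auto mode" is now also emitted for every other non-interactive mode once a diagnostic client has attached. ShellCommand starts outside both hunks.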
@@ -668,7 +667,7 @@ Prompt()
 {
   char *pconnect, *pauth;
 
-  if (!(mode & MODE_INTER) || !VarTerm || TermMode)
+  if (!VarTerm || TermMode)
     return;
 
   if (!aft_cmd)
@@ -689,27 +688,41 @@ Prompt()
 }
 
 void
-DecodeCommand(char *buff, int nb, int prompt)
+InterpretCommand(char *buff, int nb, int *argc, char ***argv)
 {
-  char *vector[20];
-  char **argv;
-  int argc;
+  static char *vector[40];
   char *cp;
 
   if (nb > 0) {
     cp = buff + strcspn(buff, "\r\n");
     if (cp)
       *cp = '\0';
-    argc = MakeArgs(buff, vector, VECSIZE(vector));
-    argv = vector;
+    *argc = MakeArgs(buff, vector, VECSIZE(vector));
+    *argv = vector;
+  } else
+    *argc = 0;
+}
+
+void
+RunCommand(int argc, char **argv, int prompt)
+{
+  if (argc > 0)
+    FindExec(Commands, argc, argv);
 
-    if (argc > 0)
-      FindExec(Commands, argc, argv);
-  }
   if (prompt)
     Prompt();
 }
 
+void
+DecodeCommand(char *buff, int nb, int prompt)
+{
+  int argc;
+  char **argv;
+
+  InterpretCommand(buff, nb, &argc, &argv);
+  RunCommand(argc, argv, prompt);
+}
+
 static int
 ShowCommand(struct cmdtab const * list, int argc, char **argv)
 {
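Review bot: InterpretCommand leaves `*argv` unassigned on the `nb <= 0` path while setting `*argc = 0`, so a caller that looks at the argument vector before checking `*argc` (the function is now exported through command.h, so callers other than DecodeCommand are expected) reads an uninitialised pointer; the else branch should also do `*argv = NULL;`. The vector is a `static char *vector[40]`, so every call overwrites the previous result and the function is not reentrant; a comment such as `/* *argv points into a static vector that the next call overwrites */` above the definition would stop callers from holding on to the pointers. The `if (cp)` test on the result of `buff + strcspn(...)` is always true, since strcspn returns an offset, although that line is carried over unchanged from the old DecodeCommand.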
@@ -751,26 +764,26 @@ QuitCommand(struct cmdtab const * list, int argc, char **argv) { FILE *oVarTerm; - if (mode & (MODE_DIRECT | MODE_DEDICATED | MODE_AUTO)) { - if (argc > 0 && !strcasecmp(*argv, "all") && (VarLocalAuth & LOCAL_AUTH)) { - mode &= ~MODE_INTER; - oVarTerm = VarTerm; - VarTerm = 0; - if (oVarTerm && oVarTerm != stdout) - fclose(oVarTerm); - Cleanup(EX_NORMAL); - } else if (VarTerm) { - LogPrintf(LogPHASE, "Client connection closed.\n"); - mode &= ~MODE_INTER; - oVarTerm = VarTerm; - VarTerm = 0; - if (oVarTerm && oVarTerm != stdout) - fclose(oVarTerm); - close(netfd); - netfd = -1; - } - } else + if (mode & MODE_INTER) Cleanup(EX_NORMAL); + else if (argc > 0 && !strcasecmp(*argv, "all") && + (VarLocalAuth & LOCAL_AUTH)) { + oVarTerm = VarTerm; + VarTerm = 0; + if (oVarTerm && oVarTerm != stdout) + fclose(oVarTerm); + close(netfd); + netfd = -1; + Cleanup(EX_NORMAL); + } else if (VarTerm) { + LogPrintf(LogPHASE, "Client connection closed.\n"); + oVarTerm = VarTerm; + VarTerm = 0; + if (oVarTerm && oVarTerm != stdout) + fclose(oVarTerm); + close(netfd); + netfd = -1; + } return 0; } @@ -1172,11 +1185,10 @@ SetInterfaceAddr(struct cmdtab const * list, int argc, char **argv) IpcpInfo.want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr; IpcpInfo.his_ipaddr.s_addr = DefHisAddress.ipaddr.s_addr; - if ((mode & MODE_AUTO) || - ((mode & MODE_DEDICATED) && dstsystem)) { - if (OsSetIpaddress(DefMyAddress.ipaddr, DefHisAddress.ipaddr, ifnetmask) < 0) - return 4; - } + if ((mode & MODE_AUTO) && + OsSetIpaddress(DefMyAddress.ipaddr, DefHisAddress.ipaddr, ifnetmask) < 0) + return 4; + return 0; } 
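Review bot: The two new branches in QuitCommand repeat the same five-line teardown of VarTerm and netfd, and when VarTerm was produced by `fdopen(netfd, "a+")` (as the DoLoop hunk in main.c does) the `fclose(oVarTerm)` already releases the descriptor, so the `close(netfd)` that follows it is a second close of the same fd. The duplicated lines belong in one static helper that both branches call, and that helper can use `fileno()` to decide whether the descriptor is still open after fclose. The order must stay fclose first, then close, so nothing is written to a descriptor that has been handed back.
```c
/* Drop the attached diagnostic client: release VarTerm, then the socket. */
static void
CloseClientTerm(void)
{
  FILE *oVarTerm = VarTerm;

  VarTerm = 0;
  if (oVarTerm && oVarTerm != stdout) {
    if (fileno(oVarTerm) == netfd)
      netfd = -1;               /* fclose() closes the descriptor for us */
    fclose(oVarTerm);
  }
  if (netfd >= 0)
    close(netfd);
  netfd = -1;
}

/* … unchanged: QuitCommand signature and the MODE_INTER branch … */
  else if (argc > 0 && !strcasecmp(*argv, "all") &&
           (VarLocalAuth & LOCAL_AUTH)) {
    CloseClientTerm();
    Cleanup(EX_NORMAL);
  } else if (VarTerm) {
    LogPrintf(LogPHASE, "Client connection closed.\n");
    CloseClientTerm();
  }
```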
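Review bot: The rewritten condition in SetInterfaceAddr drops the `(mode & MODE_DEDICATED) && dstsystem` case, so in dedicated mode with a label `set ifaddr` no longer calls OsSetIpaddress at all, while IpcpInit in this same commit still distinguishes dedicated mode with and without a label. If that is deliberate, a comment on the `if` should say where dedicated mode now gets its interface address; if not, the test probably wants to be `((mode & MODE_AUTO) || ((mode & MODE_DEDICATED) && GetLabel())) &&`. SetInterfaceAddr begins outside this hunk.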
@@ -1548,3 +1560,27 @@ AliasOption(struct cmdtab const * list, int argc, char **argv, void *param) } return -1; } + +static struct cmdtab const AllowCommands[] = { + {"users", "user", AllowUsers, LOCAL_AUTH, + "Allow users access to ppp", "allow users logname..."}, + {"modes", "mode", AllowModes, LOCAL_AUTH, + "Only allow certain ppp modes", "allow modes mode..."}, + {"help", "?", HelpCommand, LOCAL_AUTH | LOCAL_NO_AUTH, + "Display this message", "allow help|? [command]", (void *)AllowCommands}, + {NULL, NULL, NULL}, +}; + +static int +AllowCommand(struct cmdtab const *list, int argc, char **argv) +{ + if (argc > 0) + FindExec(AllowCommands, argc, argv); + else if (VarTerm) + fprintf(VarTerm, "Use `allow ?' to get a list or `allow ? ' for" + " syntax help.\n"); + else + LogPrintf(LogWARN, "allow command must have arguments\n"); + + return 0; +} diff --git a/usr.sbin/ppp/command.h b/usr.sbin/ppp/command.h index f4282d00c5d2..37eddc440b3d 100644 --- a/usr.sbin/ppp/command.h +++ b/usr.sbin/ppp/command.h @@ -15,7 +15,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: command.h,v 1.8 1997/10/26 01:02:28 brian Exp $ + * $Id: command.h,v 1.9 1997/11/04 01:17:00 brian Exp $ * * TODO: */ @@ -48,4 +48,6 @@ extern int aft_cmd; extern int SetVariable(struct cmdtab const *, int, char **, int); extern void Prompt(void); extern int IsInteractive(int); +extern void InterpretCommand(char *, int, int *, char ***); +extern void RunCommand(int, char **, int); extern void DecodeCommand(char *, int, int); diff --git a/usr.sbin/ppp/defs.c b/usr.sbin/ppp/defs.c index be9134a942c8..3b4142fe6ac3 100644 --- a/usr.sbin/ppp/defs.c +++ b/usr.sbin/ppp/defs.c @@ -1,8 +1,9 @@ /* - * $Id: $ + * $Id: defs.c,v 1.1 1997/10/26 01:02:30 brian Exp $ */ #include +#include #include "defs.h" 
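Review bot: AllowCommand ignores FindExec's return value and always returns 0, so a misspelled sub-command on an `allow` line cannot be reported to whatever loads the configuration file, even though DialCommand in this commit now treats `-1` from LoadCommand as a failure. If FindExec signals an unknown command through its return value, `return FindExec(AllowCommands, argc, argv);` in the first branch and `return -1;` in the other two would propagate it; if FindExec reports the error itself, a comment above AllowCommand saying so would settle the question. Because `allow users` and `allow modes` are what decide whether a non-root invocation may load a label, an ignored typo here leaves the root-only default in force, which is the safe direction but still deserves a log line so an administrator can see why access was refused.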
@@ -12,7 +13,23 @@ int modem = -1; int tun_in = -1; int tun_out = -1; int netfd = -1; -char *dstsystem = NULL; + +static char dstsystem[50]; + +void +SetLabel(const char *label) +{ + if (label) + strncpy(dstsystem, label, sizeof dstsystem); + else + *dstsystem = '\0'; +} + +const char * +GetLabel() +{ + return *dstsystem ? dstsystem : NULL; +} void randinit() diff --git a/usr.sbin/ppp/defs.h b/usr.sbin/ppp/defs.h index ca20d4551e8f..b5eaf47f4b28 100644 --- a/usr.sbin/ppp/defs.h +++ b/usr.sbin/ppp/defs.h @@ -15,7 +15,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: defs.h,v 1.23 1997/10/26 12:42:10 brian Exp $ + * $Id: defs.h,v 1.24 1997/11/09 14:18:37 brian Exp $ * * TODO: */ @@ -62,6 +62,9 @@ #define MODE_ALIAS 32 /* Packet aliasing (masquerading) */ #define MODE_BACKGROUND 64 /* Background mode. */ +#define MODE_DAEMON (2|4|8|16|64) +#define MODE_OUTGOING_DAEMON (2|8|16|64) + #define EX_SIG -1 #define EX_NORMAL 0 #define EX_START 1 @@ -83,6 +86,7 @@ extern int modem; extern int tun_in; extern int tun_out; extern int netfd; -extern char *dstsystem; +extern void SetLabel(const char *); +extern const char *GetLabel(void); extern void randinit(void); diff --git a/usr.sbin/ppp/ipcp.c b/usr.sbin/ppp/ipcp.c index c362184b031e..43d60be9073e 100644 --- a/usr.sbin/ppp/ipcp.c +++ b/usr.sbin/ppp/ipcp.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: ipcp.c,v 1.33 1997/10/29 01:19:40 brian Exp $ + * $Id: ipcp.c,v 1.34 1997/11/08 00:28:07 brian Exp $ * * TODO: * o More RFC1772 backwoard compatibility 
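Review bot: `strncpy(dstsystem, label, sizeof dstsystem)` in SetLabel leaves dstsystem without a terminating NUL whenever label is 50 or more characters long, and GetLabel then hands that unterminated buffer to SelectSystem and the label matching in main; the label comes straight from argv (`SetLabel(*argv)` in ProcessArgs), and the manual page in this commit documents the binary as installed with mode 4550, so the over-read is reachable by any user allowed to invoke ppp. The copy must guarantee termination, `strncpy(dstsystem, label, sizeof dstsystem - 1); dstsystem[sizeof dstsystem - 1] = '\0';`, and a label longer than the buffer is better refused than silently truncated to a different label name, which the caller can do with a `strlen(label) >= sizeof dstsystem` check before SetLabel. The definition `GetLabel()` should also be written `GetLabel(void)` to match the `extern const char *GetLabel(void);` prototype this commit adds to defs.h.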
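Review bot: `#define MODE_DAEMON (2|4|8|16|64)` and `#define MODE_OUTGOING_DAEMON (2|8|16|64)` spell out raw bit values instead of the MODE_* names they stand for, so renumbering any mode bit later would silently change which modes count as a daemon. Only MODE_ALIAS (32) and MODE_BACKGROUND (64) are visible in this hunk; if 2, 4, 8 and 16 are MODE_AUTO, MODE_DIRECT, MODE_DEDICATED and MODE_DDIAL, the definitions should read `#define MODE_DAEMON (MODE_AUTO|MODE_DIRECT|MODE_DEDICATED|MODE_DDIAL|MODE_BACKGROUND)` and `#define MODE_OUTGOING_DAEMON (MODE_AUTO|MODE_DEDICATED|MODE_DDIAL|MODE_BACKGROUND)`. A comment saying what separates the two sets (presumably whether ppp itself brings the link up) is also needed, since main.c, os.c and auth.c in this commit now key access and signal handling on these masks.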
@@ -193,7 +193,7 @@ IpcpInit() FsmInit(&IpcpFsm); memset(icp, '\0', sizeof(struct ipcpstate)); - if ((mode & MODE_DEDICATED) && !dstsystem) { + if ((mode & MODE_DEDICATED) && !GetLabel()) { icp->want_ipaddr.s_addr = icp->his_ipaddr.s_addr = 0; } else { icp->want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr; diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c index 7224eb046ba8..975171ef2869 100644 --- a/usr.sbin/ppp/main.c +++ b/usr.sbin/ppp/main.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: main.c,v 1.91 1997/11/09 18:51:23 brian Exp $ + * $Id: main.c,v 1.92 1997/11/09 22:07:28 brian Exp $ * * TODO: * o Add commands for traffic summary, version display, etc. @@ -177,8 +177,7 @@ Cleanup(int excode) OsInterfaceDown(1); HangupModem(1); nointr_sleep(1); - if (mode & MODE_AUTO) - DeleteIfRoutes(1); + DeleteIfRoutes(1); ID0unlink(pid_filename); if (mode & MODE_BACKGROUND && BGFiledes[1] != -1) { char c = EX_ERRDEAD; @@ -200,11 +199,13 @@ static void CloseConnection(int signo) { /* NOTE, these are manual, we've done a setsid() */ + pending_signal(SIGINT, SIG_IGN); LogPrintf(LogPHASE, "Caught signal %d, abort connection\n", signo); reconnectState = RECON_FALSE; reconnectCount = 0; DownConnection(); dial_up = 0; + pending_signal(SIGINT, CloseConnection); } static void 
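Review bot: The `pending_signal(SIGINT, SIG_IGN)` and `pending_signal(SIGINT, CloseConnection)` lines added around the body of CloseConnection carry no comment saying what they guard against, and the existing "NOTE, these are manual" line does not explain it either. A comment such as `/* Ignore further SIGINTs while the connection is torn down, then re-arm */` on the first added line would do. If DownConnection can leave through Cleanup, the re-arm line is never reached, which is harmless on exit but worth a word next to it.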
@@ -286,19 +287,25 @@ ProcessArgs(int argc, char **argv) char *cp; optc = 0; + mode = MODE_INTER; while (argc > 0 && **argv == '-') { cp = *argv + 1; - if (strcmp(cp, "auto") == 0) + if (strcmp(cp, "auto") == 0) { mode |= MODE_AUTO; - else if (strcmp(cp, "background") == 0) - mode |= MODE_BACKGROUND | MODE_AUTO; - else if (strcmp(cp, "direct") == 0) + mode &= ~MODE_INTER; + } else if (strcmp(cp, "background") == 0) { + mode |= MODE_BACKGROUND; + mode &= ~MODE_INTER; + } else if (strcmp(cp, "direct") == 0) { mode |= MODE_DIRECT; - else if (strcmp(cp, "dedicated") == 0) + mode &= ~MODE_INTER; + } else if (strcmp(cp, "dedicated") == 0) { mode |= MODE_DEDICATED; - else if (strcmp(cp, "ddial") == 0) - mode |= MODE_DDIAL | MODE_AUTO; - else if (strcmp(cp, "alias") == 0) { + mode &= ~MODE_INTER; + } else if (strcmp(cp, "ddial") == 0) { + mode |= MODE_DDIAL; + mode &= ~MODE_INTER; + } else if (strcmp(cp, "alias") == 0) { if (loadAliasHandlers(&VarAliasHandlers) == 0) mode |= MODE_ALIAS; else @@ -315,7 +322,7 @@ ProcessArgs(int argc, char **argv) exit(EX_START); } if (argc == 1) - dstsystem = *argv; + SetLabel(*argv); if (optc > 1) { fprintf(stderr, "specify only one mode.\n"); @@ -345,15 +352,15 @@ main(int argc, char **argv) argc--; argv++; ProcessArgs(argc, argv); - if (!(mode & MODE_DIRECT)) { - if (getuid() != 0) { - fprintf(stderr, "You may only run ppp in client mode as user id 0\n"); - LogClose(); - return EX_NOPERM; - } + if (!(mode & MODE_DIRECT)) VarTerm = stdout; - } + ID0init(); + if (!ValidSystem(GetLabel())) { + fprintf(stderr, "You may not use ppp in this mode with this label\n"); + return 1; + } + Greetings(); IpcpDefAddress(); LocalAuthInit(); 
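Review bot: Each of the five mode branches in ProcessArgs now repeats `mode &= ~MODE_INTER;`, the same statement five times that any mode added later must remember as well. As far as this hunk shows, mode starts as `MODE_INTER` and the loop only ever ORs in MODE_* bits, so the clearing can be done once after the loop, `if (mode & MODE_DAEMON) mode &= ~MODE_INTER;`, leaving each branch the single assignment it was before. ProcessArgs continues outside this hunk, so the post-loop placement needs checking against the `optc > 1` handling there.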
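Review bot: The new ValidSystem failure path in main returns the bare value `1` and no longer calls LogClose(), whereas the getuid check it replaces returned `EX_NOPERM` after `LogClose();`; it should be `LogClose(); return EX_NOPERM;` so that scripts and the pid-file logic see the same exit status as before. The refusal is written only to stderr, so for a daemon started from a script nothing reaches the log; a `LogPrintf(LogWARN, ...)` next to the fprintf, naming the label, would record the one event an administrator needs when this new config-driven access check misfires. ValidSystem is called after ID0init and before Greetings and LocalAuthInit, presumably because it needs the privileged configuration read; a one-line comment stating that ordering requirement would keep it from being moved. main continues outside this hunk.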
@@ -365,20 +372,17 @@ main(int argc, char **argv) LogPrintf(LogWARN, "open_tun: %s\n", strerror(errno)); return EX_START; } - if (mode & (MODE_AUTO | MODE_DIRECT | MODE_DEDICATED)) - mode &= ~MODE_INTER; if (mode & MODE_INTER) { fprintf(VarTerm, "Interactive mode\n"); netfd = STDOUT_FILENO; - } else if (mode & MODE_AUTO) { - fprintf(VarTerm, "Automatic Dialer mode\n"); - if (dstsystem == NULL) { + } else if ((mode & MODE_OUTGOING_DAEMON) && !(mode & MODE_DEDICATED)) + if (GetLabel() == NULL) { if (VarTerm) fprintf(VarTerm, "Destination system must be specified in" " auto, background or ddial mode.\n"); return EX_START; } - } + tcgetattr(0, &oldtio); /* Save original tty mode */ pending_signal(SIGHUP, CloseSession); @@ -402,28 +406,29 @@ main(int argc, char **argv) pending_signal(SIGTTOU, SIG_IGN); #endif } + if (!(mode & MODE_INTER)) { #ifdef SIGUSR1 - if (mode != MODE_INTER) pending_signal(SIGUSR1, SetUpServer); #endif #ifdef SIGUSR2 - if (mode != MODE_INTER) pending_signal(SIGUSR2, BringDownServer); #endif + } - if (dstsystem) { - if (SelectSystem(dstsystem, CONFFILE) < 0) { + if (GetLabel()) { + if (SelectSystem(GetLabel(), CONFFILE) < 0) { LogPrintf(LogWARN, "Destination system not found in conf file.\n"); Cleanup(EX_START); } - if ((mode & MODE_AUTO) && DefHisAddress.ipaddr.s_addr == INADDR_ANY) { + if (mode & MODE_OUTGOING_DAEMON && + DefHisAddress.ipaddr.s_addr == INADDR_ANY) { LogPrintf(LogWARN, "Must specify dstaddr with" " auto, background or ddial mode.\n"); Cleanup(EX_START); } } - if (!(mode & MODE_INTER)) { + if (mode & MODE_DAEMON) { if (mode & MODE_BACKGROUND) { if (pipe(BGFiledes)) { LogPrintf(LogERROR, "pipe: %s\n", strerror(errno)); @@ -468,13 +473,9 @@ main(int argc, char **argv) close(1); close(2); -#ifdef DOTTYINIT - if (mode & (MODE_DIRECT | MODE_DEDICATED)) -#else if (mode & MODE_DIRECT) -#endif TtyInit(1); - else { + else if (mode & MODE_DAEMON) { setsid(); close(0); } 
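Review bot: The `else if ((mode & MODE_OUTGOING_DAEMON) && !(mode & MODE_DEDICATED))` in main is followed by an unbraced nested `if (GetLabel() == NULL) {`, so the outer branch's body is a bare if statement and any `else` added after this block later would bind to the inner if. Brace the outer branch, or fold the label test into the condition: `} else if ((mode & MODE_OUTGOING_DAEMON) && !(mode & MODE_DEDICATED) && GetLabel() == NULL) {`. The second hunk of this run has the related readability point `if (mode & MODE_OUTGOING_DAEMON && DefHisAddress.ipaddr.s_addr == INADDR_ANY)`, which is correct by precedence but reads better as `if ((mode & MODE_OUTGOING_DAEMON) && ...)`. main continues outside both hunks.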
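Review bot: The `else if (mode & MODE_DAEMON)` that replaces the plain `else` before `setsid(); close(0);` looks redundant: the previous hunk changed the enclosing block's guard from `!(mode & MODE_INTER)` to `if (mode & MODE_DAEMON)`, and the `close(1); close(2);` just above only makes sense inside that block. If this code is still inside it, the test can go back to `else`; if it is not, a comment should say which mode reaches this point without being a daemon. The enclosing block starts outside this hunk, so this is inferred from the visible context.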
@@ -522,12 +523,11 @@ PacketMode() LcpUp(); LcpOpen(VarOpenMode); - if ((mode & (MODE_INTER | MODE_AUTO)) == MODE_INTER) { + if (mode & MODE_INTER) TtyCommandMode(1); - if (VarTerm) { - fprintf(VarTerm, "Packet mode.\n"); - aft_cmd = 1; - } + if (VarTerm) { + fprintf(VarTerm, "Packet mode.\n"); + aft_cmd = 1; } } @@ -571,7 +571,6 @@ ReadTty() Prompt(); } else { LogPrintf(LogPHASE, "client connection closed.\n"); - mode &= ~MODE_INTER; oVarTerm = VarTerm; VarTerm = 0; if (oVarTerm && oVarTerm != stdout) @@ -771,7 +770,9 @@ DoLoop() Cleanup(EX_DEAD); } reconnectState = RECON_ENVOKED; - } + } else if (mode & MODE_DEDICATED) + if (VarOpenMode == OPEN_ACTIVE) + PacketMode(); } /* @@ -933,13 +934,12 @@ DoLoop() netfd = wfd; VarTerm = fdopen(netfd, "a+"); LocalAuthInit(); - mode |= MODE_INTER; Greetings(); IsInteractive(1); Prompt(); } - if ((mode & MODE_INTER) && (netfd >= 0 && FD_ISSET(netfd, &rfds)) && - ((mode & MODE_AUTO) || pgroup == tcgetpgrp(0))) { + if (netfd >= 0 && FD_ISSET(netfd, &rfds) && + ((mode & MODE_OUTGOING_DAEMON) || pgroup == tcgetpgrp(0))) { /* something to read from tty */ ReadTty(); } diff --git a/usr.sbin/ppp/os.c b/usr.sbin/ppp/os.c index 91d74353276e..dfe183145450 100644 --- a/usr.sbin/ppp/os.c +++ b/usr.sbin/ppp/os.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: os.c,v 1.30 1997/11/08 00:28:10 brian Exp $ + * $Id: os.c,v 1.31 1997/11/09 06:22:44 brian Exp $ * */ #include @@ -218,8 +218,8 @@ OsLinkup() LogPrintf(LogLCP, "OsLinkup: %s\n", s); if (SelectSystem(inet_ntoa(IpcpInfo.want_ipaddr), LINKUPFILE) < 0) { - if (dstsystem) { - if (SelectSystem(dstsystem, LINKUPFILE) < 0) + if (GetLabel()) { + if (SelectSystem(GetLabel(), LINKUPFILE) < 0) SelectSystem("MYADDR", LINKUPFILE); } else SelectSystem("MYADDR", LINKUPFILE); 
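Review bot: The added `else if (mode & MODE_DEDICATED) if (VarOpenMode == OPEN_ACTIVE) PacketMode();` in DoLoop is a nested unbraced if after an else, the same shape as the label check in main, and easy to misread. Either brace it or merge the conditions: `} else if ((mode & MODE_DEDICATED) && VarOpenMode == OPEN_ACTIVE) PacketMode();`. The enclosing if and DoLoop both start outside this hunk, so whether this runs once or on every pass of the loop cannot be seen here and deserves a comment.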
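Review bot: OsLinkup now calls `GetLabel()` twice in a row, once in the test and once as the argument to SelectSystem; the OsLinkdown hunk that follows does the same. Reading it once into a local, `const char *label = GetLabel();` followed by `if (label) { if (SelectSystem(label, LINKUPFILE) < 0)`, keeps the two uses in agreement and avoids the repeated call. GetLabel returns a pointer into a static buffer in defs.c, so the local remains valid as long as nothing calls SetLabel in between.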
@@ -248,12 +248,11 @@ OsLinkdown() FsmDown(&IpcpFsm); /* IPCP must come down */ FsmDown(&CcpFsm); /* CCP must come down */ - if (!(mode & MODE_AUTO)) - DeleteIfRoutes(0); + DeleteIfRoutes(0); linkup = 0; if (SelectSystem(s, LINKDOWNFILE) < 0) { - if (dstsystem) { - if (SelectSystem(dstsystem, LINKDOWNFILE) < 0) + if (GetLabel()) { + if (SelectSystem(GetLabel(), LINKDOWNFILE) < 0) SelectSystem("MYADDR", LINKDOWNFILE); } else SelectSystem("MYADDR", LINKDOWNFILE); @@ -268,7 +267,7 @@ OsInterfaceDown(int final) int s; OsLinkdown(); - if (!final && (mode & MODE_AUTO)) /* We still want interface alive */ + if (!final && (mode & MODE_DAEMON)) /* We still want interface alive */ return (0); s = socket(AF_INET, SOCK_DGRAM, 0); if (s < 0) { diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8 index 6eb42cd270b9..8b0726bdbcec 100644 --- a/usr.sbin/ppp/ppp.8 +++ b/usr.sbin/ppp/ppp.8 @@ -1,14 +1,20 @@ -.\" $Id: ppp.8,v 1.76 1997/11/09 17:51:26 brian Exp $ +.\" $Id: ppp.8,v 1.77 1997/11/09 22:07:28 brian Exp $ .Dd 20 September 1995 .Os FreeBSD .Dt PPP 8 .Sh NAME .Nm ppp -.Nd -Point to Point Protocol (a.k.a. iijppp) +.Nd Point to Point Protocol (a.k.a. iijppp) .Sh SYNOPSIS .Nm -.Op Fl auto | background | ddial | direct | dedicated +.\" SOMEONE FIX ME ! The .Op macro can't handle enough args ! +[ +.Fl auto | +.Fl background | +.Fl ddial | +.Fl direct | +.Fl dedicated +] .Op Fl alias .Op Ar system .Sh DESCRIPTION 
@@ -46,19 +52,35 @@ can write a chat script to define the necessary dialing and login procedure for later convenience. .It Supports on-demand dialup capability. -By using auto mode, +By using +.Fl auto +mode, .Nm will act as a daemon and wait for a packet to be sent over the .Em PPP link. When this happens, the daemon automatically dials and establishes the connection. -In almost the same manner ddial mode (dedicated or daemon dialing) -also automatically dials and establishes the connection. However, it -differs in that it will dial the remote site any time it detects the -link is down, even if there are no packets to be sent. This mode is -useful for full-time connections who worry less about line charges -and more about being connected full time. +In almost the same manner +.Fl ddial +mode (direct-dial mode) also automatically dials and establishes the +connection. However, it differs in that it will dial the remote site +any time it detects the link is down, even if there are no packets to be +sent. This mode is useful for full-time connections where we worry less +about line charges and more about being connected full time. + +A third +.Fl dedicated +mode is also available. This mode is targeted at a dedicated link +between two machines. +.Nm Ppp +will never voluntarily quit from dedicated mode - you must send it the +.Dq quit all +command via its diagnostic socket. A +.Dv SIGHUP +will force an LCP renegotiation, and a +.Dv SIGTERM +will force it to exit. .It Supports packet aliasing. Packet aliasing (a.k.a. IP masquerading) allows computers on a 
@@ -144,20 +166,24 @@ and group .Dv network , with permissions .Dv 4550 . -.Nm Ppp -will not execute in client mode if the invoking user id is not zero. -.Nm Ppp -will run in -.Fl direct -mode as a normal user, but due to its execution permissions, this user -must be a member of group -.Dv network . +By default, +.Nm +will not run if the invoking user id is not zero. This may be overridden +by using the +.Dq allow users +command in +.Pa /etc/ppp/ppp.conf . When running as a normal user, .Nm -switches to user id 0 in order to alter the system routing table. All +switches to user id 0 in order to alter the system routing table, set up +system lock files and read the ppp configuration files. All external commands (executed via the "shell" or "!bg" commands) are executed as the user id that invoked .Nm ppp . +Refer to the +.Sq ID0 +logging facility if you're interested in what exactly is done as user id +zero. .Sh GETTING STARTED 
@@ -1658,6 +1684,136 @@ is the next hop gateway to get to the given .Dq dest machine/network. +.It allow ..... +This command controls access to +.Nm +and its configuration files. It is possible to allow user-level access, +depending on the configuration file label and on the mode that +.Nm +is being run in. For example, you may wish to configure +.Nm +so that only user +.Sq fred +may access label +.Sq fredlabel +in +.Fl background +mode. +.Pp +User id 0 is immune to these commands. + +.Bl -tag -width 20 +.It allow user|users logname... +By default, only user id 0 is allowed access. If this command is specified, +all of the listed users are allowed access to the section in which the +.Dq allow users +command is found. The +.Sq default +section is always checked first (although it is only ever automatically +loaded at startup). Each successive +.Dq allow users +command overrides the previous one, so it's possible to allow users access +to everything except a given label by specifying default users in the +.Sq default +section, and then specifying a new user list for that label. +.Pp +If user +.Sq * +is specified, access is allowed to all users. + +.It allow mode|modes modelist... +By default, access using all +.Nm +modes is possible. If this command is used, it restricts the access +modes allowed to load the label under which this command is specified. +Again, as with the +.Dq allow users +command, each +.Dq allow modes +command overrides the previous, and the +.Sq default +section is always checked first. +.Pp +Possible modes are: +.Sq interactive , +.Sq auto , +.Sq direct , +.Sq dedicated , +.Sq ddial , +.Sq background +and +.Sq * . +.El + +.It alias ..... +This command allows the control of the aliasing (or masquerading) +facilities that are built into +.Nm ppp . +Until this code is required, it is not loaded by +.Nm ppp , +and it is quite possible that the alias library is not installed +on your system (some administrators consider it a security risk). 
+ +If aliasing is enabled on your system, the following commands are +possible: + +.Bl -tag -width 20 +.It alias enable [yes|no] +This command either switches aliasing on or turns it off. +The +.Fl alias +command line flag is synonymous with +.Dq alias enable yes . + +.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT] +This command allows us to redirect connections arriving at +.Dq aliasPORT +for machine [aliasIP] to +.Dq targetPORT +on +.Dq targetIP . +If proto is specified, only connections of the given protocol +are matched. This option is useful if you wish to run things like +Internet phone on the machines behind your gateway. + +.It alias addr [addr_local addr_alias] +This command allows data for +.Dq addr_alias +to be redirected to +.Dq addr_local . +It is useful if you own a small number of real IP numbers that +you wish to map to specific machines behind your gateway. + +.It alias deny_incoming [yes|no] +If set to yes, this command will refuse all incoming connections +by dropping the packets in much the same way as a firewall would. + +.It alias log [yes|no] +This option causes various aliasing statistics and information to +be logged to the file +.Pa /var/log/alias.log . + +.It alias same_ports [yes|no] +When enabled, this command will tell the alias library attempt to +avoid changing the port number on outgoing packets. This is useful +if you want to support protocols such as RPC and LPD which require +connections to come from a well known port. + +.It alias use_sockets [yes|no] +When enabled, this option tells the alias library to create a +socket so that it can guarantee a correct incoming ftp data or +IRC connection. + +.It alias unregistered_only [yes|no] +Only alter outgoing packets with an unregistered source ad- +dress. According to RFC 1918, unregistered source addresses +are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. + +.It alias help|? +This command gives a summary of available alias commands. 
+ +.El + .It [!]bg command The given command is executed in the background. Any of the pseudo arguments @@ -1711,10 +1867,14 @@ values as specified under .Dq accept|deny|enable|disable option.... above. -.It passwd pass -Specify the password required for access to the full -.Nm -command set. +.It down +Bring the link down ungracefully, as if the physical layer had become +unavailable. It's not considered polite to use this command. + +.It help|? [command] +Show a list of available commands. If +.Dq command +is specified, show the usage string for that command. .It load [remote] Load the given @@ -1725,6 +1885,28 @@ is not given, the .Dq default label is assumed. +.It passwd pass +Specify the password required for access to the full +.Nm +command set. + +.It quit|bye [all] +Exit +.Nm ppp . +If +.Nm +is in interactive mode or if the +.Dq all +argument is given, +.Nm +will exit, closing the connection. A simple +.Dq quit +issued from a +.Xr pppctl 8 +or +.Xr telnet 1 +session will not close the current connection. + .It save This option is not (yet) implemented. 
@@ -2140,101 +2322,6 @@ peer is detected on the other side of the modem, .Nm automatically enables Packet Mode and goes back into command mode. -.It alias ..... -This command allows the control of the aliasing (or masquerading) -facilities that are built into -.Nm ppp . -Until this code is required, it is not loaded by -.Nm ppp , -and it is quite possible that the alias library is not installed -on your system (some administrators consider it a security risk). - -If aliasing is enabled on your system, the following commands are -possible: - -.Bl -tag -width 20 -.It alias enable [yes|no] -This command either switches aliasing on or turns it off. -The -.Fl alias -command line flag is synonymous with -.Dq alias enable yes . - -.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT] -This command allows us to redirect connections arriving at -.Dq aliasPORT -for machine [aliasIP] to -.Dq targetPORT -on -.Dq targetIP . -If proto is specified, only connections of the given protocol -are matched. This option is useful if you wish to run things like -Internet phone on the machines behind your gateway. - -.It alias addr [addr_local addr_alias] -This command allows data for -.Dq addr_alias -to be redirected to -.Dq addr_local . -It is useful if you own a small number of real IP numbers that -you wish to map to specific machines behind your gateway. - -.It alias deny_incoming [yes|no] -If set to yes, this command will refuse all incoming connections -by dropping the packets in much the same way as a firewall would. - -.It alias log [yes|no] -This option causes various aliasing statistics and information to -be logged to the file -.Pa /var/log/alias.log . - -.It alias same_ports [yes|no] -When enabled, this command will tell the alias library attempt to -avoid changing the port number on outgoing packets. This is useful -if you want to support protocols such as RPC and LPD which require -connections to come from a well known port. 
- -.It alias use_sockets [yes|no] -When enabled, this option tells the alias library to create a -socket so that it can guarantee a correct incoming ftp data or -IRC connection. - -.It alias unregistered_only [yes|no] -Only alter outgoing packets with an unregistered source ad- -dress. According to RFC 1918, unregistered source addresses -are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. - -.It alias help|? -This command gives a summary of available alias commands. - -.El - -.It quit|bye [all] -Exit -.Nm ppp . -If -.Nm -is in interactive mode or if the -.Dq all -argument is given, -.Nm -will exit, closing the connection. A simple -.Dq quit -issued from a -.Xr pppctl 8 -or -.Xr telnet 1 -session will not close the current connection. - -.It help|? [command] -Show a list of available commands. If -.Dq command -is specified, show the usage string for that command. - -.It down -Bring the link down ungracefully. It's not considered polite to -use this command. - .El .Sh MORE DETAILS diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4 index 6eb42cd270b9..8b0726bdbcec 100644 --- a/usr.sbin/ppp/ppp.8.m4 +++ b/usr.sbin/ppp/ppp.8.m4 @@ -1,14 +1,20 @@ -.\" $Id: ppp.8,v 1.76 1997/11/09 17:51:26 brian Exp $ +.\" $Id: ppp.8,v 1.77 1997/11/09 22:07:28 brian Exp $ .Dd 20 September 1995 .Os FreeBSD .Dt PPP 8 .Sh NAME .Nm ppp -.Nd -Point to Point Protocol (a.k.a. iijppp) +.Nd Point to Point Protocol (a.k.a. iijppp) .Sh SYNOPSIS .Nm -.Op Fl auto | background | ddial | direct | dedicated +.\" SOMEONE FIX ME ! The .Op macro can't handle enough args ! +[ +.Fl auto | +.Fl background | +.Fl ddial | +.Fl direct | +.Fl dedicated +] .Op Fl alias .Op Ar system .Sh DESCRIPTION 
@@ -46,19 +52,35 @@ can write a chat script to define the necessary dialing and login procedure for later convenience. .It Supports on-demand dialup capability. -By using auto mode, +By using +.Fl auto +mode, .Nm will act as a daemon and wait for a packet to be sent over the .Em PPP link. When this happens, the daemon automatically dials and establishes the connection. -In almost the same manner ddial mode (dedicated or daemon dialing) -also automatically dials and establishes the connection. However, it -differs in that it will dial the remote site any time it detects the -link is down, even if there are no packets to be sent. This mode is -useful for full-time connections who worry less about line charges -and more about being connected full time. +In almost the same manner +.Fl ddial +mode (direct-dial mode) also automatically dials and establishes the +connection. However, it differs in that it will dial the remote site +any time it detects the link is down, even if there are no packets to be +sent. This mode is useful for full-time connections where we worry less +about line charges and more about being connected full time. + +A third +.Fl dedicated +mode is also available. This mode is targeted at a dedicated link +between two machines. +.Nm Ppp +will never voluntarily quit from dedicated mode - you must send it the +.Dq quit all +command via its diagnostic socket. A +.Dv SIGHUP +will force an LCP renegotiation, and a +.Dv SIGTERM +will force it to exit. .It Supports packet aliasing. Packet aliasing (a.k.a. IP masquerading) allows computers on a 
@@ -144,20 +166,24 @@ and group .Dv network , with permissions .Dv 4550 . -.Nm Ppp -will not execute in client mode if the invoking user id is not zero. -.Nm Ppp -will run in -.Fl direct -mode as a normal user, but due to its execution permissions, this user -must be a member of group -.Dv network . +By default, +.Nm +will not run if the invoking user id is not zero. This may be overridden +by using the +.Dq allow users +command in +.Pa /etc/ppp/ppp.conf . When running as a normal user, .Nm -switches to user id 0 in order to alter the system routing table. All +switches to user id 0 in order to alter the system routing table, set up +system lock files and read the ppp configuration files. All external commands (executed via the "shell" or "!bg" commands) are executed as the user id that invoked .Nm ppp . +Refer to the +.Sq ID0 +logging facility if you're interested in what exactly is done as user id +zero. .Sh GETTING STARTED 
@@ -1658,6 +1684,136 @@ is the next hop gateway to get to the given .Dq dest machine/network. +.It allow ..... +This command controls access to +.Nm +and its configuration files. It is possible to allow user-level access, +depending on the configuration file label and on the mode that +.Nm +is being run in. For example, you may wish to configure +.Nm +so that only user +.Sq fred +may access label +.Sq fredlabel +in +.Fl background +mode. +.Pp +User id 0 is immune to these commands. + +.Bl -tag -width 20 +.It allow user|users logname... +By default, only user id 0 is allowed access. If this command is specified, +all of the listed users are allowed access to the section in which the +.Dq allow users +command is found. The +.Sq default +section is always checked first (although it is only ever automatically +loaded at startup). Each successive +.Dq allow users +command overrides the previous one, so it's possible to allow users access +to everything except a given label by specifying default users in the +.Sq default +section, and then specifying a new user list for that label. +.Pp +If user +.Sq * +is specified, access is allowed to all users. + +.It allow mode|modes modelist... +By default, access using all +.Nm +modes is possible. If this command is used, it restricts the access +modes allowed to load the label under which this command is specified. +Again, as with the +.Dq allow users +command, each +.Dq allow modes +command overrides the previous, and the +.Sq default +section is always checked first. +.Pp +Possible modes are: +.Sq interactive , +.Sq auto , +.Sq direct , +.Sq dedicated , +.Sq ddial , +.Sq background +and +.Sq * . +.El + +.It alias ..... +This command allows the control of the aliasing (or masquerading) +facilities that are built into +.Nm ppp . +Until this code is required, it is not loaded by +.Nm ppp , +and it is quite possible that the alias library is not installed +on your system (some administrators consider it a security risk). 
+ +If aliasing is enabled on your system, the following commands are +possible: + +.Bl -tag -width 20 +.It alias enable [yes|no] +This command either switches aliasing on or turns it off. +The +.Fl alias +command line flag is synonymous with +.Dq alias enable yes . + +.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT] +This command allows us to redirect connections arriving at +.Dq aliasPORT +for machine [aliasIP] to +.Dq targetPORT +on +.Dq targetIP . +If proto is specified, only connections of the given protocol +are matched. This option is useful if you wish to run things like +Internet phone on the machines behind your gateway. + +.It alias addr [addr_local addr_alias] +This command allows data for +.Dq addr_alias +to be redirected to +.Dq addr_local . +It is useful if you own a small number of real IP numbers that +you wish to map to specific machines behind your gateway. + +.It alias deny_incoming [yes|no] +If set to yes, this command will refuse all incoming connections +by dropping the packets in much the same way as a firewall would. + +.It alias log [yes|no] +This option causes various aliasing statistics and information to +be logged to the file +.Pa /var/log/alias.log . + +.It alias same_ports [yes|no] +When enabled, this command will tell the alias library attempt to +avoid changing the port number on outgoing packets. This is useful +if you want to support protocols such as RPC and LPD which require +connections to come from a well known port. + +.It alias use_sockets [yes|no] +When enabled, this option tells the alias library to create a +socket so that it can guarantee a correct incoming ftp data or +IRC connection. + +.It alias unregistered_only [yes|no] +Only alter outgoing packets with an unregistered source ad- +dress. According to RFC 1918, unregistered source addresses +are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. + +.It alias help|? +This command gives a summary of available alias commands. 
+ +.El + .It [!]bg command The given command is executed in the background. Any of the pseudo arguments @@ -1711,10 +1867,14 @@ values as specified under .Dq accept|deny|enable|disable option.... above. -.It passwd pass -Specify the password required for access to the full -.Nm -command set. +.It down +Bring the link down ungracefully, as if the physical layer had become +unavailable. It's not considered polite to use this command. + +.It help|? [command] +Show a list of available commands. If +.Dq command +is specified, show the usage string for that command. .It load [remote] Load the given @@ -1725,6 +1885,28 @@ is not given, the .Dq default label is assumed. +.It passwd pass +Specify the password required for access to the full +.Nm +command set. + +.It quit|bye [all] +Exit +.Nm ppp . +If +.Nm +is in interactive mode or if the +.Dq all +argument is given, +.Nm +will exit, closing the connection. A simple +.Dq quit +issued from a +.Xr pppctl 8 +or +.Xr telnet 1 +session will not close the current connection. + .It save This option is not (yet) implemented. 
@@ -2140,101 +2322,6 @@ peer is detected on the other side of the modem, .Nm automatically enables Packet Mode and goes back into command mode. -.It alias ..... -This command allows the control of the aliasing (or masquerading) -facilities that are built into -.Nm ppp . -Until this code is required, it is not loaded by -.Nm ppp , -and it is quite possible that the alias library is not installed -on your system (some administrators consider it a security risk). - -If aliasing is enabled on your system, the following commands are -possible: - -.Bl -tag -width 20 -.It alias enable [yes|no] -This command either switches aliasing on or turns it off. -The -.Fl alias -command line flag is synonymous with -.Dq alias enable yes . - -.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT] -This command allows us to redirect connections arriving at -.Dq aliasPORT -for machine [aliasIP] to -.Dq targetPORT -on -.Dq targetIP . -If proto is specified, only connections of the given protocol -are matched. This option is useful if you wish to run things like -Internet phone on the machines behind your gateway. - -.It alias addr [addr_local addr_alias] -This command allows data for -.Dq addr_alias -to be redirected to -.Dq addr_local . -It is useful if you own a small number of real IP numbers that -you wish to map to specific machines behind your gateway. - -.It alias deny_incoming [yes|no] -If set to yes, this command will refuse all incoming connections -by dropping the packets in much the same way as a firewall would. - -.It alias log [yes|no] -This option causes various aliasing statistics and information to -be logged to the file -.Pa /var/log/alias.log . - -.It alias same_ports [yes|no] -When enabled, this command will tell the alias library attempt to -avoid changing the port number on outgoing packets. This is useful -if you want to support protocols such as RPC and LPD which require -connections to come from a well known port. 
- -.It alias use_sockets [yes|no] -When enabled, this option tells the alias library to create a -socket so that it can guarantee a correct incoming ftp data or -IRC connection. - -.It alias unregistered_only [yes|no] -Only alter outgoing packets with an unregistered source ad- -dress. According to RFC 1918, unregistered source addresses -are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. - -.It alias help|? -This command gives a summary of available alias commands. - -.El - -.It quit|bye [all] -Exit -.Nm ppp . -If -.Nm -is in interactive mode or if the -.Dq all -argument is given, -.Nm -will exit, closing the connection. A simple -.Dq quit -issued from a -.Xr pppctl 8 -or -.Xr telnet 1 -session will not close the current connection. - -.It help|? [command] -Show a list of available commands. If -.Dq command -is specified, show the usage string for that command. - -.It down -Bring the link down ungracefully. It's not considered polite to -use this command. - .El .Sh MORE DETAILS diff --git a/usr.sbin/ppp/route.c b/usr.sbin/ppp/route.c index 8ecb5c8b547f..8520e95fc97b 100644 --- a/usr.sbin/ppp/route.c +++ b/usr.sbin/ppp/route.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: route.c,v 1.23 1997/11/09 06:22:47 brian Exp $ + * $Id: route.c,v 1.24 1997/11/09 14:18:50 brian Exp $ * */ @@ -268,7 +268,7 @@ ShowRoute() mask <<= 8; } } - fprintf(VarTerm, "%08lx ", mask); + fprintf(VarTerm, "0x%08lx ", mask); p_flags(rtm->rtm_flags & (RTF_UP | RTF_GATEWAY | RTF_HOST), "%-6.6s "); fprintf(VarTerm, "(%d)\n", rtm->rtm_index); } diff --git a/usr.sbin/ppp/server.c b/usr.sbin/ppp/server.c index b6869b8a102d..d4bb2a197546 100644 --- a/usr.sbin/ppp/server.c +++ b/usr.sbin/ppp/server.c @@ -1,5 +1,5 @@ /* - * $Id: server.c,v 1.8 1997/11/09 14:18:51 brian Exp $ + * $Id: server.c,v 1.9 1997/11/09 22:07:29 brian Exp $ */ #include 
@@ -42,7 +42,7 @@ ServerLocalOpen(const char *name, mode_t mask) return 1; } - if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT))) { + if (mode & MODE_INTER) { LogPrintf(LogERROR, "Local: Can't open socket in interactive mode\n"); return 1; } @@ -100,7 +100,7 @@ ServerTcpOpen(int port) return 6; } - if (!(mode&(MODE_AUTO|MODE_DEDICATED|MODE_DIRECT))) { + if (mode & MODE_INTER) { LogPrintf(LogERROR, "Tcp: Can't open socket in interactive mode\n"); return 6; } diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c index 715cb11ebbd4..62cd642a42cd 100644 --- a/usr.sbin/ppp/systems.c +++ b/usr.sbin/ppp/systems.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: systems.c,v 1.21 1997/11/09 14:18:53 brian Exp $ + * $Id: systems.c,v 1.22 1997/11/09 17:51:27 brian Exp $ * * TODO: */ @@ -43,6 +43,7 @@ #include "pathnames.h" #include "vars.h" #include "server.h" +#include "chat.h" #include "systems.h" #define issep(ch) ((ch) == ' ' || (ch) == '\t') 
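Review bot: `mode & MODE_INTER` is not the complement of the old `MODE_AUTO|MODE_DEDICATED|MODE_DIRECT` mask, so modes outside both sets, `MODE_BACKGROUND` and, unless it carries the auto bit, `MODE_DDIAL`, were refused a diagnostic socket before this change and are granted one now, in ServerLocalOpen here and in ServerTcpOpen in the following hunk. That may well be the intent (auth.c in the same commit switches to a `MODE_DAEMON` test), but since this socket is the remote command path it deserves a sentence in the commit message, or a comment such as `/* any non-interactive mode may listen; access is gated by "allow users|modes" */`. Both functions start outside these hunks.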
@@ -165,8 +166,66 @@ DecodeCtrlCommand(char *line, char *arg) return CTRL_UNKNOWN; } +static int userok; + int -SelectSystem(char *name, char *file) +AllowUsers(struct cmdtab const *list, int argc, char **argv) +{ + int f; + char *user; + + userok = 0; + user = getlogin(); + if (user && *user) + for (f = 0; f < argc; f++) + if (!strcmp("*", argv[f]) || !strcmp(user, argv[f])) { + userok = 1; + break; + } + + return 0; +} + +static struct { + int mode; + char *name; +} modes[] = { + { MODE_INTER, "interactive" }, + { MODE_AUTO, "auto" }, + { MODE_DIRECT, "direct" }, + { MODE_DEDICATED, "dedicated" }, + { MODE_DDIAL, "ddial" }, + { MODE_BACKGROUND, "background" }, + { ~0, "*" }, + { 0, 0 } +}; + +static int modeok; + +int +AllowModes(struct cmdtab const *list, int argc, char **argv) +{ + int f; + int m; + int allowed; + + allowed = 0; + for (f = 0; f < argc; f++) { + for (m = 0; modes[m].mode; m++) + if (!strcasecmp(modes[m].name, argv[f])) { + allowed |= modes[m].mode; + break; + } + if (modes[m].mode == 0) + LogPrintf(LogWARN, "%s: Invalid mode\n", argv[f]); + } + + modeok = (mode | allowed) == allowed ? 1 : 0; + return 0; +} + +static int +ReadSystem(const char *name, const char *file, int doexec) { FILE *fp; char *cp, *wp; @@ -175,6 +234,9 @@ SelectSystem(char *name, char *file) char line[LINE_LEN]; char filename[200]; int linenum; + int argc; + char **argv; + int allowcmd; if (*file == '/') snprintf(filename, sizeof filename, "%s", file); @@ -182,10 +244,10 @@ SelectSystem(char *name, char *file) snprintf(filename, sizeof filename, "%s/%s", _PATH_PPP, file); fp = ID0fopen(filename, "r"); if (fp == NULL) { - LogPrintf(LogDEBUG, "SelectSystem: Can't open %s.\n", filename); + LogPrintf(LogDEBUG, "ReadSystem: Can't open %s.\n", filename); return (-1); } - LogPrintf(LogDEBUG, "SelectSystem: Checking %s (%s).\n", name, filename); + LogPrintf(LogDEBUG, "ReadSystem: Checking %s (%s).\n", name, filename); linenum = 0; while (fgets(line, sizeof(line), fp)) { 
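Review bot: AllowUsers decides access from `getlogin()`, which returns the name recorded in utmp for the controlling terminal rather than the identity of the calling process: it is NULL when the caller has no controlling tty, so every non-root invocation from such a context is refused regardless of the list, and it reflects whoever was logged in on that terminal rather than who is running the binary. ValidSystem already keys on the real uid (`ID0realuid() == 0`), so the name should be derived from the same source, e.g. `struct passwd *pw = getpwuid(ID0realuid()); user = pw ? pw->pw_name : NULL;`. Separately, `userok` is reset to 0 before the loop, so an `allow users` line with no names revokes access; a comment such as `/* an empty list denies everyone except uid 0 */` would record that this is deliberate.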
@@ -211,7 +273,7 @@ SelectSystem(char *name, char *file) switch (DecodeCtrlCommand(cp+1, arg)) { case CTRL_INCLUDE: LogPrintf(LogCOMMAND, "%s: Including \"%s\"\n", filename, arg); - n = SelectSystem(name, arg); + n = ReadSystem(name, arg, doexec); LogPrintf(LogCOMMAND, "%s: Done include of \"%s\"\n", filename, arg); if (!n) return 0; /* got it */ @@ -233,12 +295,16 @@ SelectSystem(char *name, char *file) cp[--len] = '\0'; if (!len) continue; - LogPrintf(LogCOMMAND, "%s: %s\n", name, cp); - olauth = VarLocalAuth; - if (VarLocalAuth == LOCAL_NO_AUTH) - VarLocalAuth = LOCAL_AUTH; - DecodeCommand(cp, len, 0); - VarLocalAuth = olauth; + InterpretCommand(cp, len, &argc, &argv); + allowcmd = argc > 0 && !strcasecmp(*argv, "allow"); + if ((!doexec && allowcmd) || (doexec && !allowcmd)) { + LogPrintf(LogCOMMAND, "%s: %s\n", name, cp); + olauth = VarLocalAuth; + if (VarLocalAuth == LOCAL_NO_AUTH) + VarLocalAuth = LOCAL_AUTH; + RunCommand(argc, argv, 0); + VarLocalAuth = olauth; + } } else if (*cp == '#') { continue; } else @@ -254,6 +320,26 @@ SelectSystem(char *name, char *file) return -1; } +int +ValidSystem(const char *name) +{ + if (ID0realuid() == 0) + return userok = modeok = 1; + userok = 0; + modeok = 1; + ReadSystem("default", CONFFILE, 0); + if (name != NULL) + ReadSystem(name, CONFFILE, 0); + return userok && modeok; +} + +int +SelectSystem(const char *name, const char *file) +{ + userok = modeok = 1; + return ReadSystem(name, file, 1); +} + int LoadCommand(struct cmdtab const * list, int argc, char **argv) { @@ -264,10 +350,13 @@ LoadCommand(struct cmdtab const * list, int argc, char **argv) else name = "default"; - if (SelectSystem(name, CONFFILE) < 0) { + if (!ValidSystem(name)) + LogPrintf(LogERROR, "%s: Label not allowed\n"); + else if (SelectSystem(name, CONFFILE) < 0) { LogPrintf(LogWARN, "%s: not found.\n", name); return -1; - } + } else + SetLabel(argc ? name : NULL); return 0; } 
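Review bot: The `allowcmd` test in the ReadSystem loop recognises only the literal `allow` spelling, but the command table added to command.c in this same commit registers `auth` as an alias for the same entry, so an `auth users ...` or `auth modes ...` line is skipped by the validation pass (`doexec == 0`) and instead executed by the load pass, where `userok`/`modeok` are never consulted again. A restriction written with the alias therefore restricts nothing. Either match both spellings, `allowcmd = argc > 0 && (!strcasecmp(*argv, "allow") || !strcasecmp(*argv, "auth"));`, or drop the alias from the table. ReadSystem starts outside this hunk.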
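Review bot: In LoadCommand the `Label not allowed` branch passes no argument for its `%s` conversion, so LogPrintf reads an unrelated value from the argument area (undefined behaviour), and the branch then falls through to `return 0`, so DialCommand treats a refused label as a successful load and carries on with whatever configuration is currently in effect. Both are fixed by `LogPrintf(LogERROR, "%s: Label not allowed\n", name); return -1;`. Since this is the only place the user/mode restriction is enforced, the refusal should be as final as the not-found case directly below it.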
diff --git a/usr.sbin/ppp/systems.h b/usr.sbin/ppp/systems.h index 00f1748cc219..a491bd301a37 100644 --- a/usr.sbin/ppp/systems.h +++ b/usr.sbin/ppp/systems.h @@ -17,11 +17,14 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: systems.h,v 1.7 1997/10/26 01:03:49 brian Exp $ + * $Id: systems.h,v 1.8 1997/11/09 06:22:48 brian Exp $ * */ -extern int SelectSystem(char *, char *); +extern int SelectSystem(const char *, const char *); +extern int ValidSystem(const char *); +extern int AllowUsers(struct cmdtab const *, int, char **); +extern int AllowModes(struct cmdtab const *, int, char **); extern FILE *OpenSecret(char *); extern void CloseSecret(FILE *); extern int LoadCommand(struct cmdtab const *, int, char **); diff --git a/usr.sbin/ppp/vars.c b/usr.sbin/ppp/vars.c index 1a47b3765ff6..35c528744997 100644 --- a/usr.sbin/ppp/vars.c +++ b/usr.sbin/ppp/vars.c @@ -17,7 +17,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: vars.c,v 1.32 1997/10/29 01:19:51 brian Exp $ + * $Id: vars.c,v 1.33 1997/11/09 22:07:29 brian Exp $ * */ #include @@ -39,8 +39,8 @@ #include "auth.h" #include "defs.h" -char VarVersion[] = "PPP Version 1.3"; -char VarLocalVersion[] = "$Date: 1997/10/29 01:19:51 $"; +char VarVersion[] = "PPP Version 1.4"; +char VarLocalVersion[] = "$Date: 1997/11/09 22:07:29 $"; int Utmp = 0; int ipInOctets = 0; int ipOutOctets = 0;