d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Close a potential security hole: if yp_access() is passed a map name,

Browse Source 
have it check to see that it doesn't contain any '/' characters. This
prevents possible silliness like ypcat "../../../kernel". We already
test the domain name for this in yp_validdomain(), and ypserv itself
tests the map name in yp_open_db(), but it doesn't hurt to be paranoid
and test for it in the generic access routine too. rpc.ypxfrd does not
test the map name for slashes, but it does call yp_access() with the
map name, so this removes a potential vulnerability from there.

Also make the tests for IPPORT_RESERVED a little more selective: make
sure it trips when map == master.passwd.*, prog == YPPROC and proc ==
YPPROC_XFR, and prog == YPXFRD_FREEBSD_PROG and proc == YPXFRD_GETMAP.
Also use IPPORT_RESERVED instead of hard-coded value.
This commit is contained in:
Bill Paul 1996-09-30 22:27:00 +00:00
parent fe3a5bd458
commit 42c703633d
1 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
usr.sbin/ypserv/yp_access.c
View File

@ -35,6 +35,7 @@
#include <rpc/rpc.h>
#include <rpcsvc/yp.h>
#include <rpcsvc/yppasswd.h>
#include <rpcsvc/ypxfrd.h>
#include <sys/types.h>
#include <limits.h>
#include <db.h>
@ -52,7 +53,7 @@
#endif
#ifndef lint
static const char rcsid[] = "$Id: yp_access.c,v 1.2 1996/05/01 02:39:54 wpaul Exp $";
static const char rcsid[] = "$Id: yp_access.c,v 1.9 1996/06/05 02:01:29 wpaul Exp $";
#endif
extern int debug;
@ -242,10 +243,20 @@ int yp_access(map, rqstp)
/* Check the map name if one was supplied. */
if (map != NULL) {
if (strchr(map, '/')) {
yp_error("embedded slash in map name \"%s\" -- \
possible spoof attempt from %s:%d",
map, inet_ntoa(rqhost->sin_addr),
ntohs(rqhost->sin_port));
}
if ((strstr(map, "master.passwd.") ||
rqstp->rq_proc == YPPROC_XFR) &&
ntohs(rqhost->sin_port) > 1023) {
yp_error("Access to %s denied -- client not privileged", map);
(rqstp->rq_prog == YPPROG &&
rqstp->rq_proc == YPPROC_XFR) ||
(rqstp->rq_prog == YPXFRD_FREEBSD_PROG &&
rqstp->rq_proc == YPXFRD_GETMAP)) &&
ntohs(rqhost->sin_port) >= IPPORT_RESERVED) {
yp_error("Access to %s denied -- client %s:%d \
not privileged", map, inet_ntoa(rqhost->sin_addr), ntohs(rqhost->sin_port));
return(1);
}
}