sync iruserok() extension API with other BSDs
Some of the rcmd-related functions need to be updated to support IPv6. Some of them have already been updated according to the standard documents, but there are also several de-facto functions that are not listed in any standard document. They are: iruserok() (used by rlogind, rshd) and ruserok() (used by kerberos, etc). The KAME package updated those functions in its own way, as iruserok_af() and ruserok_af(). But recently there was a discussion on the IETF IPng mailing list about how to sync those APIs, and it was decided that: -Those functions are not standard and not documented. -But the BSDs should sync their API as a de-facto standard. After some discussion, it was announced that: -iruserok() gets an updated variant, iruserok_sa() -ruserok() has no API change (it is only updated internally). So I am syncing those APIs before 4.0 is released. The changes are: -prototype changes -ruserok() internal update (use iruserok_sa() inside) -removal of ruserok_af() -change iruserok_af() to a static function, and also prefix its name with __. -add iruserok_sa() (it just calls __iruserok_af() inside) -add the AI_ALL flag to getipnodebyaddr() called from __icheckhost(). This is necessary so that IPv4 communication via an AF_INET6 socket can be correctly authenticated via iruserok_sa(). -the iruserok_af() call is replaced by an iruserok_sa() call in rlogind and rshd. Approved by: jkh
This commit is contained in:
parent
3411310dfb
commit
e3be4d7b7e
@ -150,7 +150,7 @@ char *getusershell __P((void));
|
||||
char *getwd __P((char *)); /* obsoleted by getcwd() */
|
||||
int initgroups __P((const char *, int));
|
||||
int iruserok __P((unsigned long, int, const char *, const char *));
|
||||
int iruserok_af __P((void *, int, const char *, const char *, int));
|
||||
int iruserok_sa __P((const void *, int, int, const char *, const char *));
|
||||
int issetugid __P((void));
|
||||
int lchown __P((const char *, uid_t, gid_t));
|
||||
int lockf __P((int, int, off_t));
|
||||
@ -177,7 +177,6 @@ pid_t rfork __P((int));
|
||||
int rresvport __P((int *));
|
||||
int rresvport_af __P((int *, int));
|
||||
int ruserok __P((const char *, int, const char *, const char *));
|
||||
int ruserok_af __P((const char *, int, const char *, const char *, int));
|
||||
char *sbrk __P((int));
|
||||
int select __P((int, fd_set *, fd_set *, fd_set *, struct timeval *));
|
||||
int setdomainname __P((const char *, int));
|
||||
|
@ -68,6 +68,7 @@ extern int innetgr __P(( const char *, const char *, const char *, const char *
|
||||
|
||||
#define max(a, b) ((a > b) ? a : b)
|
||||
|
||||
static int __iruserok_af __P((void *, int, const char *, const char *, int));
|
||||
int __ivaliduser __P((FILE *, u_int32_t, const char *, const char *));
|
||||
static int __icheckhost __P((void *, char *, int, int));
|
||||
|
||||
@ -354,34 +355,25 @@ ruserok(rhost, superuser, ruser, luser)
|
||||
const char *rhost, *ruser, *luser;
|
||||
int superuser;
|
||||
{
|
||||
return ruserok_af(rhost, superuser, ruser, luser, AF_INET);
|
||||
}
|
||||
struct addrinfo hints, *res, *r;
|
||||
int error;
|
||||
|
||||
int
|
||||
ruserok_af(rhost, superuser, ruser, luser, af)
|
||||
const char *rhost, *ruser, *luser;
|
||||
int superuser, af;
|
||||
{
|
||||
struct hostent *hp;
|
||||
union {
|
||||
struct in_addr addr_in;
|
||||
struct in6_addr addr_in6;
|
||||
} addr;
|
||||
char **ap;
|
||||
int ret, h_error;
|
||||
|
||||
if ((hp = getipnodebyname(rhost, af, AI_DEFAULT, &h_error)) == NULL)
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
error = getaddrinfo(rhost, "0", &hints, &res);
|
||||
if (error)
|
||||
return (-1);
|
||||
ret = -1;
|
||||
for (ap = hp->h_addr_list; *ap; ++ap) {
|
||||
bcopy(*ap, &addr, hp->h_length);
|
||||
if (iruserok_af(&addr, superuser, ruser, luser, af) == 0) {
|
||||
ret = 0;
|
||||
break;
|
||||
|
||||
for (r = res; r; r = r->ai_next) {
|
||||
if (iruserok_sa(r->ai_addr, r->ai_addrlen, superuser, ruser,
|
||||
luser) == 0) {
|
||||
freeaddrinfo(res);
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
freehostent(hp);
|
||||
return (ret);
|
||||
freeaddrinfo(res);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -399,11 +391,12 @@ iruserok(raddr, superuser, ruser, luser)
|
||||
int superuser;
|
||||
const char *ruser, *luser;
|
||||
{
|
||||
return iruserok_af(&raddr, superuser, ruser, luser, AF_INET);
|
||||
return __iruserok_af(&raddr, superuser, ruser, luser, AF_INET);
|
||||
}
|
||||
|
||||
int
|
||||
iruserok_af(raddr, superuser, ruser, luser, af)
|
||||
/* Other AF support extension of iruserok. */
|
||||
static int
|
||||
__iruserok_af(raddr, superuser, ruser, luser, af)
|
||||
void *raddr;
|
||||
int superuser;
|
||||
const char *ruser, *luser;
|
||||
@ -485,6 +478,37 @@ iruserok_af(raddr, superuser, ruser, luser, af)
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* AF independent extension of iruserok. We are passed an sockaddr, and
|
||||
* then call iruserok_af() as the type of sockaddr.
|
||||
*
|
||||
* Returns 0 if ok, -1 if not ok.
|
||||
*/
|
||||
int
|
||||
iruserok_sa(addr, addrlen, superuser, ruser, luser)
|
||||
const void *addr;
|
||||
int addrlen;
|
||||
int superuser;
|
||||
const char *ruser, *luser;
|
||||
{
|
||||
struct sockaddr *sa;
|
||||
void *raddr = NULL;
|
||||
|
||||
sa = (struct sockaddr *)addr;
|
||||
switch (sa->sa_family) {
|
||||
case AF_INET:
|
||||
raddr = &((struct sockaddr_in *)sa)->sin_addr;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
raddr = &((struct sockaddr_in6 *)sa)->sin6_addr;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
|
||||
__iruserok_af(raddr, superuser, ruser, luser, sa->sa_family);
|
||||
}
|
||||
|
||||
/*
|
||||
* XXX
|
||||
* Don't make static, used by lpd(8).
|
||||
@ -648,7 +672,8 @@ __icheckhost(raddr, lhost, af, len)
|
||||
}
|
||||
|
||||
/* Better be a hostname. */
|
||||
if ((hp = getipnodebyname(lhost, af, AI_DEFAULT, &h_error)) == NULL)
|
||||
if ((hp = getipnodebyname(lhost, af, AI_ALL|AI_DEFAULT, &h_error))
|
||||
== NULL)
|
||||
return (0);
|
||||
|
||||
/* Spin through ip addresses. */
|
||||
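Review bot: iruserok_sa() is declared to return int, but its last statement discards the result of __iruserok_af() and the function then falls off the end, so the `< 0` tests in rlogind and rshd read an indeterminate value on an authentication decision; the call must be `return (__iruserok_af(raddr, superuser, ruser, luser, sa->sa_family));`. The switch on sa->sa_family also has no default arm, so a family other than AF_INET/AF_INET6 reaches __iruserok_af() with raddr == NULL, and whether that helper rejects it is outside the hunk; an explicit `default: return (-1);` fails closed regardless. addrlen is accepted but never read, though it is exactly what is needed to refuse a sockaddr too short to contain the sin_addr/sin6_addr being dereferenced, which matters for callers other than the two daemons (the commit notes lpd and kerberos use this family of functions). The header comment's "call iruserok_af()" should read `__iruserok_af()` now that the extension is static.
```c
	switch (sa->sa_family) {
	case AF_INET:
		if (addrlen < (int)sizeof(struct sockaddr_in))
			return (-1);
		raddr = &((struct sockaddr_in *)sa)->sin_addr;
		break;
#ifdef INET6
	case AF_INET6:
		if (addrlen < (int)sizeof(struct sockaddr_in6))
			return (-1);
		raddr = &((struct sockaddr_in6 *)sa)->sin6_addr;
		break;
#endif
	default:
		return (-1);	/* unknown address family: fail closed */
	}

	return (__iruserok_af(raddr, superuser, ruser, luser, sa->sa_family));
```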
|
@ -597,21 +597,8 @@ do_rlogin(dest)
|
||||
return (-1);
|
||||
/* XXX why don't we syslog() failure? */
|
||||
|
||||
af = dest->su_family;
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
addr = (char *)&dest->su_sin.sin_addr;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
addr = (char *)&dest->su_sin6.sin6_addr;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
return -1; /*EAFNOSUPPORT*/
|
||||
}
|
||||
|
||||
return (iruserok_af(addr, pwd->pw_uid == 0, rusername, lusername, af));
|
||||
return (iruserok_sa(dest, dest->su_len, pwd->pw_uid == 0, rusername,
|
||||
lusername));
|
||||
}
|
||||
|
||||
void
|
||||
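Review bot: do_rlogin() no longer refuses an unsupported address family itself — the removed `default: return -1; /*EAFNOSUPPORT*/` arm delegated that decision to iruserok_sa(), whose switch in this commit has no default arm, so a family other than AF_INET/AF_INET6 is now decided by whatever __iruserok_af() does with a NULL address rather than by an explicit rejection here. Until that is settled in libc, keeping a guard ahead of the call preserves the old behaviour: `if (dest->su_family != AF_INET && dest->su_family != AF_INET6) return (-1);` (with the AF_INET6 half under `#ifdef INET6` as before). The `af` and `addr` locals that the removed switch populated are presumably declared above the hunk and may now be unused; check for a warning and drop them if so. do_rlogin() starts outside the hunk.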
|
@ -408,14 +408,8 @@ doit(fromp)
|
||||
if (errorstr ||
|
||||
(pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
|
||||
(pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
|
||||
iruserok_af(
|
||||
#ifdef INET6
|
||||
(af == AF_INET6)
|
||||
? (void *)&fromp->su_sin6.sin6_addr :
|
||||
#endif
|
||||
(void *)&fromp->su_sin.sin_addr,
|
||||
pwd->pw_uid == 0,
|
||||
remuser, locuser, af) < 0)) {
|
||||
iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0,
|
||||
remuser, locuser) < 0)) {
|
||||
if (__rcmd_errstr)
|
||||
syslog(LOG_INFO|LOG_AUTH,
|
||||
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
|
||||
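Review bot: the new iruserok_sa() call is still gated with `< 0`, so any non-negative return is treated as an authorization success; iruserok_sa() is documented in this commit as returning 0 or -1, and as written its body does not return the result of __iruserok_af() at all, so the value tested here may be indeterminate. Testing for "not ok" rather than "negative" fails closed on that path: `iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, remuser, locuser) != 0)) {`. The enclosing doit() starts and ends outside the hunk.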
|