Install as group ``network''

Insist that uid == 0 for client ppp Disallow client sockets if no password is specified Don't exit on failure to open client socket for listening Allow specification of null local password Use reasonable size (smaller) ``vector''s in auth.c Fix "passwd ..." usage message Insist on "all" as arg to "quit" (if any) Drop client socket connection before Cleanup() when "quit all"
1997-09-04 00:38:22 +00:00 · 1997-09-04 00:38:22 +00:00 · 01052674bd
commit 01052674bd
parent a69830cd9a
11 changed files with 116 additions and 75 deletions
--- a/usr.sbin/ppp/Makefile
+++ b/usr.sbin/ppp/Makefile
@ -1,4 +1,4 @@
-#	$Id: Makefile,v 1.22 1997/06/25 19:29:58 brian Exp $
+#	$Id: Makefile,v 1.23 1997/08/31 20:18:03 brian Exp $
 PROG=	ppp
 SRCS=	alias_cmd.c arp.c async.c auth.c ccp.c chap.c chat.c command.c \
@ -11,6 +11,6 @@ DPADD+= ${LIBMD} ${LIBCRYPT} ${LIBUTIL}
 MAN8=	ppp.8
 BINMODE=4550
 BINOWN=	root
-BINGRP=	ppp
+BINGRP=	network
 .include <bsd.prog.mk>
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: auth.c,v 1.14 1997/06/09 03:27:13 brian Exp $
+ * $Id: auth.c,v 1.15 1997/08/25 00:29:05 brian Exp $
 *
 *	TODO:
 *		o Implement check against with registered IP addresses.
@ -34,22 +34,22 @@
 extern FILE *OpenSecret();
 extern void CloseSecret();
-LOCAL_AUTH_VALID
+void
 LocalAuthInit()
 {
  char *p;
  if (gethostname(VarShortHost, sizeof(VarShortHost))) {
-    return (NOT_FOUND);
+    VarLocalAuth = LOCAL_DENY;
    return;
  }
  p = strchr(VarShortHost, '.');
  if (p)
    *p = '\0';
-  VarLocalAuth = LOCAL_NO_AUTH;
+  VarLocalAuth = LocalAuthValidate(SECRETFILE, VarShortHost, "") == NOT_FOUND ?
-  return LocalAuthValidate(SECRETFILE, VarShortHost, "");
+    LOCAL_DENY : LOCAL_NO_AUTH;
 }
 LOCAL_AUTH_VALID
@ -57,8 +57,8 @@ LocalAuthValidate(char *fname, char *system, char *key)
 {
  FILE *fp;
  int n;
-  char *vector[20];		/* XXX */
+  char *vector[3];
-  char buff[200];		/* XXX */
+  char buff[200];
  LOCAL_AUTH_VALID rc;
  rc = NOT_FOUND;		/* No system entry */
@ -74,7 +74,8 @@ LocalAuthValidate(char *fname, char *system, char *key)
    if (n < 1)
      continue;
    if (strcmp(vector[0], system) == 0) {
-      if (vector[1] != (char *) NULL && strcmp(vector[1], key) == 0) {
+      if ((vector[1] == (char *) NULL && (key == NULL || *key == '\0')) ||
          (vector[1] != (char *) NULL && strcmp(vector[1], key) == 0)) {
 	rc = VALID;		/* Valid   */
      } else {
 	rc = INVALID;		/* Invalid */
@ -91,7 +92,7 @@ AuthValidate(char *fname, char *system, char *key)
 {
  FILE *fp;
  int n;
-  char *vector[20];
+  char *vector[4];
  char buff[200];
  char passwd[100];
@ -134,7 +135,7 @@ AuthGetSecret(char *fname, char *system, int len, int setaddr)
 {
  FILE *fp;
  int n;
-  char *vector[20];
+  char *vector[4];
  char buff[200];
  static char passwd[100];
--- a/usr.sbin/ppp/auth.h
+++ b/usr.sbin/ppp/auth.h
@ -15,7 +15,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: auth.h,v 1.6 1997/06/09 03:27:13 brian Exp $
+ * $Id: auth.h,v 1.7 1997/08/25 00:29:05 brian Exp $
 *
 *	TODO:
 */
@ -41,7 +41,7 @@ extern void SendPapChallenge(int);
 extern void SendChapChallenge(int);
 extern void StopAuthTimer(struct authinfo *);
 extern void StartAuthChallenge(struct authinfo *);
-extern LOCAL_AUTH_VALID LocalAuthInit(void);
+extern void LocalAuthInit(void);
 extern int AuthValidate(char *, char *, char *);
 #endif
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: command.c,v 1.75 1997/08/25 00:29:08 brian Exp $
+ * $Id: command.c,v 1.76 1997/08/31 22:59:20 brian Exp $
 *
 */
 #include <sys/types.h>
@ -342,7 +342,7 @@ struct cmdtab const Commands[] = {
  {"enable", NULL, EnableCommand, LOCAL_AUTH,
  "Enable option", "enable option .."},
  {"passwd", NULL, LocalAuthCommand, LOCAL_NO_AUTH,
-  "Password for manipulation", "passwd option .."},
+  "Password for manipulation", "passwd LocalPassword"},
  {"load", NULL, LoadCommand, LOCAL_AUTH,
  "Load settings", "load [remote]"},
  {"save", NULL, SaveCommand, LOCAL_AUTH,
@ -765,14 +765,14 @@ QuitCommand(struct cmdtab const * list, int argc, char **argv)
  FILE *oVarTerm;
  if (mode & (MODE_DIRECT | MODE_DEDICATED | MODE_AUTO)) {
-    if (argc > 0 && (VarLocalAuth & LOCAL_AUTH)) {
+    if (argc > 0 && !strcasecmp(*argv, "all") && (VarLocalAuth & LOCAL_AUTH)) {
      Cleanup(EX_NORMAL);
      mode &= ~MODE_INTER;
      oVarTerm = VarTerm;
      VarTerm = 0;
      if (oVarTerm && oVarTerm != stdout)
 	fclose(oVarTerm);
-    } else {
+      Cleanup(EX_NORMAL);
    } else if (VarTerm) {
      LogPrintf(LogPHASE, "Client connection closed.\n");
      VarLocalAuth = LOCAL_NO_AUTH;
      mode &= ~MODE_INTER;
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: main.c,v 1.75 1997/08/31 20:07:02 brian Exp $
+ * $Id: main.c,v 1.76 1997/08/31 22:59:39 brian Exp $
 *
 *	TODO:
 *		o Add commands for traffic summary, version display, etc.
@ -37,6 +37,7 @@
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <sysexits.h>
 #include "modem.h"
 #include "os.h"
 #include "hdlc.h"
@ -53,9 +54,6 @@
 #include "server.h"
 #include "lcpproto.h"
 #define LAUTH_M1 "Warning: No password entry for this host in ppp.secret\n"
 #define LAUTH_M2 "Warning: Manipulation is allowed by anyone\n"
 #ifndef O_NONBLOCK
 #ifdef O_NDELAY
 #define	O_NONBLOCK O_NDELAY
@ -166,7 +164,6 @@ TtyOldMode()
 void
 Cleanup(int excode)
 {
  OsLinkdown();
  OsCloseLink(1);
  sleep(1);
@ -239,7 +236,8 @@ SetUpServer(int signo)
  int res;
  if ((res = ServerTcpOpen(SERVER_PORT + tunno)) != 0)
-    LogPrintf(LogERROR, "Failed %d to open port %d\n", res, SERVER_PORT + tunno);
+    LogPrintf(LogERROR, "SIGUSR1: Failed %d to open port %d\n",
 	      res, SERVER_PORT + tunno);
 }
 static char *
@ -333,11 +331,18 @@ main(int argc, char **argv)
  netfd = modem = tun_in = -1;
  server = -2;
  ProcessArgs(argc, argv);
-  if (!(mode & MODE_DIRECT))
+  if (!(mode & MODE_DIRECT)) {
    if (getuid() != 0) {
      fprintf(stderr, "You may only run ppp in client mode as user id 0\n");
      LogClose();
      return EX_NOPERM;
    }
    VarTerm = stdout;
  }
  Greetings();
  GetUid();
  IpcpDefAddress();
  LocalAuthInit();
  if (SelectSystem("default", CONFFILE) < 0 && VarTerm)
    fprintf(VarTerm, "Warning: No default entry is given in config file.\n");
@ -399,21 +404,6 @@ main(int argc, char **argv)
      Cleanup(EX_START);
    }
  }
  if (ServerType() != NO_SERVER)
    switch (LocalAuthInit()) {
    case NOT_FOUND:
      if (VarTerm) {
 	fprintf(VarTerm, LAUTH_M1);
 	fprintf(VarTerm, LAUTH_M2);
 	fflush(VarTerm);
      }
      /* Fall down */
    case VALID:
      VarLocalAuth = LOCAL_AUTH;
      break;
    default:
      break;
    }
  if (!(mode & MODE_INTER)) {
    if (mode & MODE_BACKGROUND) {
@ -423,8 +413,8 @@ main(int argc, char **argv)
      }
    }
    /* Create server socket and listen. */
-    if (server == -2 && ServerTcpOpen(SERVER_PORT + tunno) != 0)
+    if (server == -2)
-      Cleanup(EX_SOCK);
+      ServerTcpOpen(SERVER_PORT + tunno);
    if (!(mode & MODE_DIRECT)) {
      pid_t bgpid;
@ -933,20 +923,6 @@ DoLoop()
      VarTerm = fdopen(netfd, "a+");
      mode |= MODE_INTER;
      Greetings();
      switch (LocalAuthInit()) {
      case NOT_FOUND:
 	if (VarTerm) {
 	  fprintf(VarTerm, LAUTH_M1);
 	  fprintf(VarTerm, LAUTH_M2);
 	  fflush(VarTerm);
 	}
 	/* Fall down */
      case VALID:
 	VarLocalAuth = LOCAL_AUTH;
 	break;
      default:
 	break;
      }
      (void) IsInteractive();
      Prompt();
    }
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.59 1997/08/27 20:11:16 brian Exp $
+.\" $Id: ppp.8,v 1.60 1997/08/31 20:07:03 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@ -129,6 +129,29 @@ with clients using the Microsoft
 .Em PPP
 stack (ie. Win95, WinNT)
 .Sh PERMISSIONS
 .Nm Ppp
 is installed as user
 .Dv root
 and group
 .Dv network ,
 with permissions
 .Dv 4550 .
 .Nm Ppp
 will not execute in client mode if the invoking user id is not zero.
 .Nm Ppp
 will run in
 .Fl direct
 mode as a normal user, but due to its execution permissions, this user
 must be a member of group
 .Dv network .
 When running as a normal user,
 .Nm
 switches to user id 0 in order to alter the system routing table.  All
 external commands (executed via the "shell" or "!bg" commands) are executed
 as the user id that invoked
 .Nm ppp .
 .Sh GETTING STARTED
 When you first run
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.59 1997/08/27 20:11:16 brian Exp $
+.\" $Id: ppp.8,v 1.60 1997/08/31 20:07:03 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@ -129,6 +129,29 @@ with clients using the Microsoft
 .Em PPP
 stack (ie. Win95, WinNT)
 .Sh PERMISSIONS
 .Nm Ppp
 is installed as user
 .Dv root
 and group
 .Dv network ,
 with permissions
 .Dv 4550 .
 .Nm Ppp
 will not execute in client mode if the invoking user id is not zero.
 .Nm Ppp
 will run in
 .Fl direct
 mode as a normal user, but due to its execution permissions, this user
 must be a member of group
 .Dv network .
 When running as a normal user,
 .Nm
 switches to user id 0 in order to alter the system routing table.  All
 external commands (executed via the "shell" or "!bg" commands) are executed
 as the user id that invoked
 .Nm ppp .
 .Sh GETTING STARTED
 When you first run
--- a/usr.sbin/ppp/server.c
+++ b/usr.sbin/ppp/server.c
@ -25,10 +25,16 @@ ServerLocalOpen(const char *name, mode_t mask)
 {
  int s;
  if (VarLocalAuth == LOCAL_DENY) {
    LogPrintf(LogERROR, "Local: Can't open socket %s: No password "
 	      "in ppp.secret\n", name);
    return 1;
  }
  ifsun.sun_len = strlen(name);
  if (ifsun.sun_len > sizeof ifsun.sun_path - 1) {
    LogPrintf(LogERROR, "Local: %s: Path too long\n", name);
-    return 1;
+    return 2;
  }
  ifsun.sun_family = AF_LOCAL;
  strcpy(ifsun.sun_path, name);
@ -36,7 +42,7 @@ ServerLocalOpen(const char *name, mode_t mask)
  s = socket(PF_LOCAL, SOCK_STREAM, 0);
  if (s < 0) {
    LogPrintf(LogERROR, "Local: socket: %s\n", strerror(errno));
-    return 2;
+    return 3;
  }
  setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &s, sizeof s);
  mask = umask(mask);
@ -47,14 +53,14 @@ ServerLocalOpen(const char *name, mode_t mask)
      fprintf(VarTerm, "Wait for a while, then try again.\n");
    close(s);
    unlink(name);
-    return 3;
+    return 4;
  }
  umask(mask);
  if (listen(s, 5) != 0) {
    LogPrintf(LogERROR, "Local: Unable to listen to socket - OS overload?\n");
    close(s);
    unlink(name);
-    return 4;
+    return 5;
  }
  ServerClose();
  server = s;
@ -69,10 +75,15 @@ ServerTcpOpen(int port)
  struct sockaddr_in ifsin;
  int s;
  if (VarLocalAuth == LOCAL_DENY) {
    LogPrintf(LogERROR, "Tcp: Can't open socket %d: No password "
 	      "in ppp.secret\n", port);
    return 6;
  }
  s = socket(PF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    LogPrintf(LogERROR, "Tcp: socket: %s\n", strerror(errno));
-    return 5;
+    return 7;
  }
  ifsin.sin_family = AF_INET;
  ifsin.sin_addr.s_addr = INADDR_ANY;
@ -83,12 +94,12 @@ ServerTcpOpen(int port)
    if (errno == EADDRINUSE && VarTerm)
      fprintf(VarTerm, "Wait for a while, then try again.\n");
    close(s);
-    return 6;
+    return 8;
  }
  if (listen(s, 5) != 0) {
    LogPrintf(LogERROR, "Tcp: Unable to listen to socket - OS overload?\n");
    close(s);
-    return 7;
+    return 9;
  }
  ServerClose();
  server = s;
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: systems.c,v 1.14 1997/08/25 00:29:29 brian Exp $
+ * $Id: systems.c,v 1.15 1997/08/31 22:59:49 brian Exp $
 *
 *  TODO:
 */
@ -180,7 +180,8 @@ SelectSystem(char *name, char *file)
 	    LogPrintf(LogCOMMAND, "%s: %s\n", name, cp);
 	    SetPppId();
 	    olauth = VarLocalAuth;
-	    VarLocalAuth = LOCAL_AUTH;
+	    if (VarLocalAuth == LOCAL_NO_AUTH)
 	      VarLocalAuth = LOCAL_AUTH;
 	    DecodeCommand(cp, strlen(cp), 0);
 	    VarLocalAuth = olauth;
 	    SetUserId();
--- a/usr.sbin/ppp/vars.c
+++ b/usr.sbin/ppp/vars.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: vars.c,v 1.24 1997/08/21 17:20:00 brian Exp $
+ * $Id: vars.c,v 1.25 1997/08/25 00:29:31 brian Exp $
 *
 */
 #include "fsm.h"
@ -30,7 +30,7 @@
 #include "defs.h"
 char VarVersion[] = "PPP Version 1.1";
-char VarLocalVersion[] = "$Date: 1997/08/21 17:20:00 $";
+char VarLocalVersion[] = "$Date: 1997/08/25 00:29:31 $";
 /*
 * Order of conf option is important. See vars.h.
@ -132,10 +132,15 @@ DenyCommand(struct cmdtab * list, int argc, char **argv)
 int
 LocalAuthCommand(struct cmdtab * list, int argc, char **argv)
 {
-  if (argc != 1)
+  char *pass;
  if (argc == 0)
    pass = "";
  else if (argc > 1)
    return -1;
  else
    pass = *argv;
-  switch (LocalAuthValidate(SECRETFILE, VarShortHost, *argv)) {
+  switch (LocalAuthValidate(SECRETFILE, VarShortHost, pass)) {
  case INVALID:
    pppVars.lauth = LOCAL_NO_AUTH;
    break;
--- a/usr.sbin/ppp/vars.h
+++ b/usr.sbin/ppp/vars.h
@ -15,7 +15,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: vars.h,v 1.24 1997/08/21 16:21:39 brian Exp $
+ * $Id: vars.h,v 1.25 1997/08/25 00:29:31 brian Exp $
 *
 *	TODO:
 */
@ -74,6 +74,7 @@ struct pppvars {
  int open_mode;		/* LCP open mode */
 #define LOCAL_AUTH	0x01
 #define LOCAL_NO_AUTH	0x02
 #define LOCAL_DENY	0x03
  u_char lauth;			/* Local Authorized status */
  FILE *termfp;			/* The terminal */
 #define DIALUP_REQ	0x01