37 Commits

Author SHA1 Message Date
John Polstra
c97c8f4a3c Fix a bug in __ivaliduser_sa() which caused some rsh/rlogin attempts
to fail needlessly if a reverse DNS lookup of the IP address didn't
come up with a hostname.  As a comment in the code clearly stated,
the "damn hostname" was looked up only for the purpose of netgroup
matching.  But if that lookup failed, the function bailed out
immediately even though in many cases netgroup matching would not
be used.

This change marks the hostname as unknown but continues.  Where
netgroup matching is performed, an unknown hostname is handled
conservatively.  I.e., for "+@netgroup" (accept) entries an unknown
hostname never matches, and for "-@netgroup" (reject) entries an
unknown hostname always matches.

In the lines affected (only), I also fixed a few bogus casts.  There
are others, and in fact this entire file would be a good candidate
for a cleanup sweep.

Reviewed by:	imp (wearing his flourescent yellow Security Team cap)
MFC after:	2 days
2002-08-24 17:37:42 +00:00
David E. O'Brien
333fc21e3c Fix the style of the SCM ID's.
I believe have made all of libc .c's as consistent as possible.
2002-03-22 21:53:29 +00:00
David E. O'Brien
1372519b15 Remove multi-line __P() usage. 2002-03-22 09:22:15 +00:00
David E. O'Brien
c05ac53b8b Remove __P() usage. 2002-03-21 22:49:10 +00:00
David E. O'Brien
8fb3f3f682 Remove 'register' keyword. 2002-03-21 18:49:23 +00:00
Warner Losh
d45672120f Allow users to specify a command to use as remote command instead of
using rcmd directly.  This has been in my tree for a long time, but we
may need to sync with OpenBSD before MFC.

Obtained from: openbsd
PR: 15830

MFC after: 2 months
2001-10-23 06:22:15 +00:00
Daniel Eischen
d201fe46e3 Remove _THREAD_SAFE and make libc thread-safe by default by
adding (weak definitions to) stubs for some of the pthread
functions.  If the threads library is linked in, the real
pthread functions will pulled in.

Use the following convention for system calls wrapped by the
threads library:
	__sys_foo - actual system call
	_foo - weak definition to __sys_foo
	foo - weak definition to __sys_foo

Change all libc uses of system calls wrapped by the threads
library from foo to _foo.  In order to define the prototypes
for _foo(), we introduce namespace.h and un-namespace.h
(suggested by bde).  All files that need to reference these
system calls, should include namespace.h before any standard
includes, then include un-namespace.h after the standard
includes and before any local includes.  <db.h> is an exception
and shouldn't be included in between namespace.h and
un-namespace.h  namespace.h will define foo to _foo, and
un-namespace.h will undefine foo.

Try to eliminate some of the recursive calls to MT-safe
functions in libc/stdio in preparation for adding a mutex
to FILE.  We have recursive mutexes, but would like to avoid
using them if possible.

Remove uneeded includes of <errno.h> from a few files.

Add $FreeBSD$ to a few files in order to pass commitprep.

Approved by:	-arch
2001-01-24 13:01:12 +00:00
Hajimu UMEMOTO
eb74b99618 - __ivaliduser_sa() was introduced for forthcoming IPv6 support to lpd
- iruserok_sa() and __ivaliduser_af() were re-organized to use
  __ivaliduser_sa()
- __icheckhost() was re-written to use getaddrinfo() instead of
  getipnodebyname()
- better handling of multiple destination addresses in rcmd()

These changes were basically taken from KAME and changed to fit our
rcmd.c.

Obtained from:	KAME
2000-12-04 18:02:12 +00:00
Hajimu UMEMOTO
2368b03bf4 Don't retry connecting via the same medium.
I changed to close to original code before merging IPv6 support.
It seems having delay before another try is useless.  However, I'm
not sure that delay means.  So, I leave it as-is.

PR:		bin/20515
2000-08-10 17:10:57 +00:00
Hajimu UMEMOTO
c98e299e93 Copy canonname for *ahost, into static buffer.
Obtained from:	KAME Project
2000-07-20 18:49:35 +00:00
Brian Somers
732d07e535 Alocate rcmd{,_af}()'s *ahost argument using malloc() (well
strdup()) rather than pointing it at something that's free()d
(via freeaddrinfo(res)) before the function returns.

I appreciate that this is an API change, but it's the only way
(AFAIK) of doing this without breaking existing code that uses
rcmd{,_af}().

Pointed out by: phkmalloc
2000-07-20 09:05:15 +00:00
Peter Wemm
4a1afa49fd Try and fix the worst of some highly bogus malloc/free resource
management involving rcmd_af(), getaddrinfo(), freeaddrinfo(), etc.
We set *ahost to point to ai->canonname; and later free the ai-> stuff
and still leave the old pointers in *ahost to the freed data.
Perhaps the best way to deal with this is a static buffer or a static
strdup() that is freed on the next iteration or something.  This gives
me headaches just thinking about this.

The new 'AJ' default for malloc() tripped this up.
2000-07-11 09:31:19 +00:00
Brian S. Dean
a9f9141ca5 Back out that last commit, it may be insecure (pointed out by Warner
Losh).
2000-03-16 23:53:41 +00:00
Brian S. Dean
9c8e9b4a14 Slight adjustment to __ivaliduser() - don't ignore the last line in
the .rhosts file just because there is no ending linefeed.
2000-03-16 22:58:34 +00:00
Yoshinobu Inoue
474ce1d190 Add more dual stack consideration.
-Should not error return when rresvport_af() failed for one of dest
     addrs resolved by getaddrinfo().
     Should retry until all dest addr fail.

Approved by: jkh
2000-02-10 19:46:47 +00:00
Yoshinobu Inoue
e3be4d7b7e sync iruserok() extension API with other BSDs
Some of rcmd related function is need to be updated to
  support IPv6. Some of them are already updated as standard
  document. But there is also several de-facto functions and
  they are not listed in standard documents.
  They are,

    iruserok()  (used by rlogind, rshd)
    ruserok()   (used by kerberos, etc)

  KAME package updated those functions in original way.

    iruserok_af()
    ruserok_af()

  But recently there was discussion on IETF IPng mailing
  list about how to sync those API, and it is decided,

    -Those function is not standard and not documented.
    -But let BSDs sync their API as de-facto.

  And after some discussion, it is announced that

    -add update to iruserok() as iruserok_sa()
    -no ruserok() API change(it is only updated internaly)

So I sync those API before 4.0 is released.
The changes are,
   -prototype changes
   -ruserok() internal update (use iruserok_sa() inside)
   -removal of ruserok_af()
   -change iruserok_af() as static functioin, and also prefix the name with __.
   -add iruserok_sa() (Just call __iruserok_af() inside)
   -adding flag AI_ALL to getipnodebyaddr() called from __icheckhost().
    This is necessary to support IPv4 communication via AF_INET6 socket
    could be correctly authenticated via iruserok_sa()
   -irusreok_af() call is replaced to iruserok_sa() call
    in rlogind, and rshd.

Approved by: jkh
2000-02-01 15:55:56 +00:00
Jason Evans
9233c4d942 Simplify sytem call renaming. Instead of _foo() <-- _libc_foo <-- foo(),
just use _foo() <-- foo().  In the case of a libpthread that doesn't do
call conversion (such as linuxthreads and our upcoming libpthread), this
is adequate.  In the case of libc_r, we still need three names, which are
now _thread_sys_foo() <-- _foo() <-- foo().

Convert all internal libc usage of: aio_suspend(), close(), fsync(), msync(),
nanosleep(), open(), fcntl(), read(), and write() to _foo() instead of foo().

Remove all internal libc usage of: creat(), pause(), sleep(), system(),
tcdrain(), wait(), and waitpid().

Make thread cancellation fully POSIX-compliant.

Suggested by:	deischen
2000-01-27 23:07:25 +00:00
Yoshinobu Inoue
ae42b66633 Removed 3rd arg from bindresvport_sa() call, because the 3rd arg have been
already removed.

Specified by: Philipp Mergenthaler <un1i@rz.uni-karlsruhe.de>
2000-01-26 14:13:41 +00:00
Yoshinobu Inoue
469bed11ef bindresvport related changes
-changed bindresvport2 to bindresvport_sa
 -merged the man into bindresvport.3

All discussion between Jean-Luc Richier <Jean-Luc.Richier@imag.fr>,
Theo de Raadt <deraadt@cvs.openbsd.org>, itojun, is reflected to
this code. (Actually Theo de Raadt write the code simultaneously as the
discussion change.)
2000-01-26 09:02:42 +00:00
Yoshinobu Inoue
0cac72f42c several tcp apps IPv6 update
-inetd
 -rshd
 -rlogind
 -telnetd
 -rsh
 -rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
2000-01-25 14:52:10 +00:00
Yoshinobu Inoue
42b4f28ebd libc rcmd update for IPv6.
A new function bindresvport2(), AF independent version of bindresvport()
is also added.

Reviewed by: sumikawa
Obtained from: KAME project
2000-01-13 15:09:48 +00:00
Jason Evans
929273386f Add three-tier symbol naming in support of POSIX thread cancellation
points.  For library functions, the pattern is __sleep() <--
_libc_sleep() <-- sleep().  The arrows represent weak aliases.  For
system calls, the pattern is _read() <-- _libc_read() <-- read().
2000-01-12 09:23:48 +00:00
Andrey A. Chernov
fbc8d502c5 Add unsigned char cast to is[x]digit 1999-11-04 04:52:34 +00:00
Andrey A. Chernov
3fb85bff81 unsigned char cast to ctype macros 1999-11-04 04:35:33 +00:00
Doug Rabson
e0ce825e94 64bit portability fixes.
Submitted by: Andrew Gallatin <gallatin@cs.duke.edu>
1998-10-05 18:35:04 +00:00
Warner Losh
2a62f02315 Buffer overflow from DNS name information which could cause root access
when called from lpd.

Reviewed by:	jkh, pst
Submitted by:	Oliver Friedrichs <oliver@secnet.com>
1997-02-26 06:12:34 +00:00
Warner Losh
5480d8d5c2 Fix PR2579: potential security hole in rcmd.c
Submitted by:	Julian Assange
1997-02-09 06:54:46 +00:00
Peter Wemm
ce70b6caf8 clear sockaddr_in's on stack before use
set sin_len
close one ftp port bounce attack
have rresvport() use bindresvport() rather than duplicate the code,
  rresvport() is a superset of bindresvport().

Obtained from: OpenBSD / Jason Downs / Theo de Raadt, minor tweaks by me.
1996-08-12 14:14:09 +00:00
Jordan K. Hubbard
51295a4d3e General -Wall warning cleanup, part I.
Submitted-By: Kent Vander Velden <graphix@iastate.edu>
1996-07-12 18:57:58 +00:00
Peter Wemm
3ccd4a12e8 Use the setsockopt for IP_PORTRANGE to cause rresvport() to allocate a
privileged port within a single bind(), rather than looping through
attempts to bind over and over again over progressively lower ports.

This should speed up rlogin/rsh etc, and will probably cure some of the
strange rlogin hangs that have been reported in the past where rresvport()
managed to bind() to a port address that it shouldn't have.
1996-05-31 04:00:21 +00:00
Bill Paul
97cb50947e Submitted by: Bill Fenner <fenner@parc.xerox.com>
Fix for PR #510. The original problem was that __ivaliduser() was
failing to grant access to a machine listed in a +@netgroup specified
in /etc/hosts.equiv, even though the host being checked was most
certainly in the +@netgroup.

The /etc/hosts.equiv file in question looked like this:

localhost
+@netgroup

The reason for the failure was had to do with gethostbyaddr(). Inside
the __ivaliduser() routine, we need to do a gethostbyaddr() in order
to get back the actual name of the host we're trying to validate since
we're only passed its IP address. The hostname returned by gethostbyaddr()
is later passed as an argument to innetgr(). The problem is that
__icheckhost() later does a gethostbyname() of its own, which clobbers
the buffer returned by gethostbyaddr().

The fix is just to copy the hostname into a private buffer and use
_that_ as the 'host' argument that gets passed to innetgr().

And here I was crawling all over the innetgr() code thinking the
problem was there. *sigh*
1995-08-14 23:52:49 +00:00
Bill Paul
1e890b056a Just when you thought it was safe...
- getnetgrent.c: address some NIS compatibility problems. We really need
to use the netgroup.byuser and netgroup.byhost maps to speed up innetgr()
when using NIS. Also, change the NIS interaction in the following way:

If /etc/netgroup does not exist or is empty (or contains only the
NIS '+' token), we now use NIS exclusively. This lets us use the
'reverse netgroup' maps and is more or less the behavior of other
platforms.

If /etc/netgroup exists and contains local netgroup data (but no '+').
we use only lthe local stuff and ignore NIS.

If /etc/netgroup exists and contains both local data and the '+',
we use the local data nd the netgroup map as a single combined
database (which, unfortunately, can be slow when the netgroup
database is large). This is what we have been doing up until now.

Head off a potential NULL pointer dereference in the old innetgr()
matching code.

Also fix the way the NIS netgroup map is incorporated into things:
adding the '+' is supposed to make it seem as though the netgroup
database is 'inserted' wherever the '+' is placed. We didn't quite
do it that way before.

(The NetBSD people apparently use a real, honest-to-gosh, netgroup.db
database that works just like the password database. This is
actually a neat idea since netgroups is the sort of thing that
can really benefit from having multi-key search capability,
particularly since reverse lookups require more than a trivial
amount of processing. Should we do something like this too?)

- netgroup.5: document all this stuff.

- rcmd.c: some sleuthing with some test programs linked with my own
version of innetgr() has revealed that SunOS always passes the NIS
domain name to innetgr() in the 'domain' argument. We might as well
do the same (if YP is defined).

- ether_addr.c: also fix the NIS interaction so that placing the
'+' token in the /etc/ethers file makes it seem like the NIS
ethers data is 'inserted' at that point. (Chances are nobody will
notice the effect of this change, which is just te way I like it. :)
1995-08-07 03:42:14 +00:00
Peter Wemm
acc7e87c9b Slight adjustment to previous fix for __ivaliduser(). It was checking for
the comment before checking for long lines, so there was a possibility
that the wrap-around might be used as an exploitable hostname.
Reviewed by:
Submitted by:
Obtained from:
1995-07-16 17:03:58 +00:00
Joerg Wunsch
8f26c8ef60 Make ruserok() accept the #-starting comment lines we used to have
in our default /etc/hosts.equiv.

Closes PR #conf/620: Default /etc/hosts.equiv...
1995-07-16 10:12:32 +00:00
Bill Paul
8538335f21 At last! Modified __ivaliduser() to do the same kind of user/host validation
that everyone else does: you can now use +host/-host, +user,-user and
+@netgroup/-@netgroup in /etc/hosts.equiv, /.rhosts, /etc/hosts.lpd and
~/.rhosts. Previously, __ivaliduser would only do host/user matches,
which was lame. This affects all the r-commands, lpd, and any other
program/service that uses ruserok().

An example of the usefullness of this feature would be a hosts.equiv
file that looks like this:

+@equiv-hosts

Since the netgroup database can now be accessed via NIS, this lets you
set up client machines once and then never have to worry about them
again: all hosts.equiv changes can now be done through NIS. Once I
finish with getpwent.c, we'll be able to do similar wacky things
with login authentication too. (Our password field substitution
will finally be on par with everyone else's, and I'll finally be
able to fully integrate my FreeBSD machine into my network without
having to worry about the grad students sneaking into it when I'm
not looking. :)

Danger Will Robinson! I tested this thing every which way I could, but
Murphy's Law applies! If anybody spots a potential security problem with
the way my matching algorithm works, tell me immediately! I don't want
crackers snickering and calling me names behind my back. :)
1995-03-20 07:29:55 +00:00
Geoff Rehmet
d1f32ba5df Based on fix from 1.1.5.1:
>From: jtk@atria.com (John T. Kohl)
in rcmd:
It calls select() with a hardcoded "number of file descriptors" argument
of 32, rather than computing it based on the sockets about which it
cares.

- Now we work out the nfds arg, and do some error checking
Submitted by:	Geoff.
1994-09-08 20:55:02 +00:00
Rodney W. Grimes
58f0484fa2 BSD 4.4 Lite Lib Sources 1994-05-27 05:00:24 +00:00