42 Commits

Author SHA1 Message Date
imp
cd1f140ae4 Per Regents of the University of Calfornia letter, remove advertising
clause.

# If I've done so improperly on a file, please let me know.
2007-01-09 00:28:16 +00:00
ume
e33ba03345 NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.
2005-05-13 16:31:11 +00:00
stefanf
3681db07f4 - Use socklen_t.
- No need for two instances of 'num'.
2005-02-14 17:51:45 +00:00
bz
4b83c5852a Add knob NO_NIS (fka NO_YP_LIBC) and make world compileable when set.
If turned on  no NIS support and related programs will be built.

Lost parts rediscovered by:	Danny Braniss <danny at cs.huji.ac.il>
PR:		bin/68303
No objections:	des, gshapiro, nectar
Reviewed by:	ru
Approved by:	rwatson (mentor)
MFC after:	2 weeks
2004-11-13 20:40:32 +00:00
nectar
e369901c4d Whack 28 unused variables. 2003-02-18 13:39:52 +00:00
jdp
5e4153d486 Fix a bug in __ivaliduser_sa() which caused some rsh/rlogin attempts
to fail needlessly if a reverse DNS lookup of the IP address didn't
come up with a hostname.  As a comment in the code clearly stated,
the "damn hostname" was looked up only for the purpose of netgroup
matching.  But if that lookup failed, the function bailed out
immediately even though in many cases netgroup matching would not
be used.

This change marks the hostname as unknown but continues.  Where
netgroup matching is performed, an unknown hostname is handled
conservatively.  I.e., for "+@netgroup" (accept) entries an unknown
hostname never matches, and for "-@netgroup" (reject) entries an
unknown hostname always matches.

In the lines affected (only), I also fixed a few bogus casts.  There
are others, and in fact this entire file would be a good candidate
for a cleanup sweep.

Reviewed by:	imp (wearing his flourescent yellow Security Team cap)
MFC after:	2 days
2002-08-24 17:37:42 +00:00
obrien
d90536e35b Fix the style of the SCM ID's.
I believe have made all of libc .c's as consistent as possible.
2002-03-22 21:53:29 +00:00
obrien
e2881f49cc Remove multi-line __P() usage. 2002-03-22 09:22:15 +00:00
obrien
3b73ce2319 Remove __P() usage. 2002-03-21 22:49:10 +00:00
obrien
1196344bb3 Remove 'register' keyword. 2002-03-21 18:49:23 +00:00
imp
af77ecc675 Allow users to specify a command to use as remote command instead of
using rcmd directly.  This has been in my tree for a long time, but we
may need to sync with OpenBSD before MFC.

Obtained from: openbsd
PR: 15830

MFC after: 2 months
2001-10-23 06:22:15 +00:00
deischen
1635c221b7 Remove _THREAD_SAFE and make libc thread-safe by default by
adding (weak definitions to) stubs for some of the pthread
functions.  If the threads library is linked in, the real
pthread functions will pulled in.

Use the following convention for system calls wrapped by the
threads library:
	__sys_foo - actual system call
	_foo - weak definition to __sys_foo
	foo - weak definition to __sys_foo

Change all libc uses of system calls wrapped by the threads
library from foo to _foo.  In order to define the prototypes
for _foo(), we introduce namespace.h and un-namespace.h
(suggested by bde).  All files that need to reference these
system calls, should include namespace.h before any standard
includes, then include un-namespace.h after the standard
includes and before any local includes.  <db.h> is an exception
and shouldn't be included in between namespace.h and
un-namespace.h  namespace.h will define foo to _foo, and
un-namespace.h will undefine foo.

Try to eliminate some of the recursive calls to MT-safe
functions in libc/stdio in preparation for adding a mutex
to FILE.  We have recursive mutexes, but would like to avoid
using them if possible.

Remove uneeded includes of <errno.h> from a few files.

Add $FreeBSD$ to a few files in order to pass commitprep.

Approved by:	-arch
2001-01-24 13:01:12 +00:00
ume
af22402f6e - __ivaliduser_sa() was introduced for forthcoming IPv6 support to lpd
- iruserok_sa() and __ivaliduser_af() were re-organized to use
  __ivaliduser_sa()
- __icheckhost() was re-written to use getaddrinfo() instead of
  getipnodebyname()
- better handling of multiple destination addresses in rcmd()

These changes were basically taken from KAME and changed to fit our
rcmd.c.

Obtained from:	KAME
2000-12-04 18:02:12 +00:00
ume
d4ba157d9f Don't retry connecting via the same medium.
I changed to close to original code before merging IPv6 support.
It seems having delay before another try is useless.  However, I'm
not sure that delay means.  So, I leave it as-is.

PR:		bin/20515
2000-08-10 17:10:57 +00:00
ume
54a296ab27 Copy canonname for *ahost, into static buffer.
Obtained from:	KAME Project
2000-07-20 18:49:35 +00:00
brian
145f71945d Alocate rcmd{,_af}()'s *ahost argument using malloc() (well
strdup()) rather than pointing it at something that's free()d
(via freeaddrinfo(res)) before the function returns.

I appreciate that this is an API change, but it's the only way
(AFAIK) of doing this without breaking existing code that uses
rcmd{,_af}().

Pointed out by: phkmalloc
2000-07-20 09:05:15 +00:00
peter
63c050d16c Try and fix the worst of some highly bogus malloc/free resource
management involving rcmd_af(), getaddrinfo(), freeaddrinfo(), etc.
We set *ahost to point to ai->canonname; and later free the ai-> stuff
and still leave the old pointers in *ahost to the freed data.
Perhaps the best way to deal with this is a static buffer or a static
strdup() that is freed on the next iteration or something.  This gives
me headaches just thinking about this.

The new 'AJ' default for malloc() tripped this up.
2000-07-11 09:31:19 +00:00
bsd
c1a1c736a7 Back out that last commit, it may be insecure (pointed out by Warner
Losh).
2000-03-16 23:53:41 +00:00
bsd
bf05d34440 Slight adjustment to __ivaliduser() - don't ignore the last line in
the .rhosts file just because there is no ending linefeed.
2000-03-16 22:58:34 +00:00
shin
4d04714b75 Add more dual stack consideration.
-Should not error return when rresvport_af() failed for one of dest
     addrs resolved by getaddrinfo().
     Should retry until all dest addr fail.

Approved by: jkh
2000-02-10 19:46:47 +00:00
shin
9742b65930 sync iruserok() extension API with other BSDs
Some of rcmd related function is need to be updated to
  support IPv6. Some of them are already updated as standard
  document. But there is also several de-facto functions and
  they are not listed in standard documents.
  They are,

    iruserok()  (used by rlogind, rshd)
    ruserok()   (used by kerberos, etc)

  KAME package updated those functions in original way.

    iruserok_af()
    ruserok_af()

  But recently there was discussion on IETF IPng mailing
  list about how to sync those API, and it is decided,

    -Those function is not standard and not documented.
    -But let BSDs sync their API as de-facto.

  And after some discussion, it is announced that

    -add update to iruserok() as iruserok_sa()
    -no ruserok() API change(it is only updated internaly)

So I sync those API before 4.0 is released.
The changes are,
   -prototype changes
   -ruserok() internal update (use iruserok_sa() inside)
   -removal of ruserok_af()
   -change iruserok_af() as static functioin, and also prefix the name with __.
   -add iruserok_sa() (Just call __iruserok_af() inside)
   -adding flag AI_ALL to getipnodebyaddr() called from __icheckhost().
    This is necessary to support IPv4 communication via AF_INET6 socket
    could be correctly authenticated via iruserok_sa()
   -irusreok_af() call is replaced to iruserok_sa() call
    in rlogind, and rshd.

Approved by: jkh
2000-02-01 15:55:56 +00:00
jasone
8abe2a2d86 Simplify sytem call renaming. Instead of _foo() <-- _libc_foo <-- foo(),
just use _foo() <-- foo().  In the case of a libpthread that doesn't do
call conversion (such as linuxthreads and our upcoming libpthread), this
is adequate.  In the case of libc_r, we still need three names, which are
now _thread_sys_foo() <-- _foo() <-- foo().

Convert all internal libc usage of: aio_suspend(), close(), fsync(), msync(),
nanosleep(), open(), fcntl(), read(), and write() to _foo() instead of foo().

Remove all internal libc usage of: creat(), pause(), sleep(), system(),
tcdrain(), wait(), and waitpid().

Make thread cancellation fully POSIX-compliant.

Suggested by:	deischen
2000-01-27 23:07:25 +00:00
shin
5c7b071c6b Removed 3rd arg from bindresvport_sa() call, because the 3rd arg have been
already removed.

Specified by: Philipp Mergenthaler <un1i@rz.uni-karlsruhe.de>
2000-01-26 14:13:41 +00:00
shin
eb4463295b bindresvport related changes
-changed bindresvport2 to bindresvport_sa
 -merged the man into bindresvport.3

All discussion between Jean-Luc Richier <Jean-Luc.Richier@imag.fr>,
Theo de Raadt <deraadt@cvs.openbsd.org>, itojun, is reflected to
this code. (Actually Theo de Raadt write the code simultaneously as the
discussion change.)
2000-01-26 09:02:42 +00:00
shin
fc29f7bcf7 several tcp apps IPv6 update
-inetd
 -rshd
 -rlogind
 -telnetd
 -rsh
 -rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
2000-01-25 14:52:10 +00:00
shin
16085f4294 libc rcmd update for IPv6.
A new function bindresvport2(), AF independent version of bindresvport()
is also added.

Reviewed by: sumikawa
Obtained from: KAME project
2000-01-13 15:09:48 +00:00
jasone
75903038bc Add three-tier symbol naming in support of POSIX thread cancellation
points.  For library functions, the pattern is __sleep() <--
_libc_sleep() <-- sleep().  The arrows represent weak aliases.  For
system calls, the pattern is _read() <-- _libc_read() <-- read().
2000-01-12 09:23:48 +00:00
ache
7cff08527c Add unsigned char cast to is[x]digit 1999-11-04 04:52:34 +00:00
ache
dc0dd57e24 unsigned char cast to ctype macros 1999-11-04 04:35:33 +00:00
dfr
46dbddcd3c 64bit portability fixes.
Submitted by: Andrew Gallatin <gallatin@cs.duke.edu>
1998-10-05 18:35:04 +00:00
imp
00bfe049f9 Buffer overflow from DNS name information which could cause root access
when called from lpd.

Reviewed by:	jkh, pst
Submitted by:	Oliver Friedrichs <oliver@secnet.com>
1997-02-26 06:12:34 +00:00
imp
b0afeca2e2 Fix PR2579: potential security hole in rcmd.c
Submitted by:	Julian Assange
1997-02-09 06:54:46 +00:00
peter
665b6e261b clear sockaddr_in's on stack before use
set sin_len
close one ftp port bounce attack
have rresvport() use bindresvport() rather than duplicate the code,
  rresvport() is a superset of bindresvport().

Obtained from: OpenBSD / Jason Downs / Theo de Raadt, minor tweaks by me.
1996-08-12 14:14:09 +00:00
jkh
c4d4a99d31 General -Wall warning cleanup, part I.
Submitted-By: Kent Vander Velden <graphix@iastate.edu>
1996-07-12 18:57:58 +00:00
peter
3259f4bdca Use the setsockopt for IP_PORTRANGE to cause rresvport() to allocate a
privileged port within a single bind(), rather than looping through
attempts to bind over and over again over progressively lower ports.

This should speed up rlogin/rsh etc, and will probably cure some of the
strange rlogin hangs that have been reported in the past where rresvport()
managed to bind() to a port address that it shouldn't have.
1996-05-31 04:00:21 +00:00
wpaul
26b873784e Submitted by: Bill Fenner <fenner@parc.xerox.com>
Fix for PR #510. The original problem was that __ivaliduser() was
failing to grant access to a machine listed in a +@netgroup specified
in /etc/hosts.equiv, even though the host being checked was most
certainly in the +@netgroup.

The /etc/hosts.equiv file in question looked like this:

localhost
+@netgroup

The reason for the failure was had to do with gethostbyaddr(). Inside
the __ivaliduser() routine, we need to do a gethostbyaddr() in order
to get back the actual name of the host we're trying to validate since
we're only passed its IP address. The hostname returned by gethostbyaddr()
is later passed as an argument to innetgr(). The problem is that
__icheckhost() later does a gethostbyname() of its own, which clobbers
the buffer returned by gethostbyaddr().

The fix is just to copy the hostname into a private buffer and use
_that_ as the 'host' argument that gets passed to innetgr().

And here I was crawling all over the innetgr() code thinking the
problem was there. *sigh*
1995-08-14 23:52:49 +00:00
wpaul
d9b1099758 Just when you thought it was safe...
- getnetgrent.c: address some NIS compatibility problems. We really need
to use the netgroup.byuser and netgroup.byhost maps to speed up innetgr()
when using NIS. Also, change the NIS interaction in the following way:

If /etc/netgroup does not exist or is empty (or contains only the
NIS '+' token), we now use NIS exclusively. This lets us use the
'reverse netgroup' maps and is more or less the behavior of other
platforms.

If /etc/netgroup exists and contains local netgroup data (but no '+').
we use only lthe local stuff and ignore NIS.

If /etc/netgroup exists and contains both local data and the '+',
we use the local data nd the netgroup map as a single combined
database (which, unfortunately, can be slow when the netgroup
database is large). This is what we have been doing up until now.

Head off a potential NULL pointer dereference in the old innetgr()
matching code.

Also fix the way the NIS netgroup map is incorporated into things:
adding the '+' is supposed to make it seem as though the netgroup
database is 'inserted' wherever the '+' is placed. We didn't quite
do it that way before.

(The NetBSD people apparently use a real, honest-to-gosh, netgroup.db
database that works just like the password database. This is
actually a neat idea since netgroups is the sort of thing that
can really benefit from having multi-key search capability,
particularly since reverse lookups require more than a trivial
amount of processing. Should we do something like this too?)

- netgroup.5: document all this stuff.

- rcmd.c: some sleuthing with some test programs linked with my own
version of innetgr() has revealed that SunOS always passes the NIS
domain name to innetgr() in the 'domain' argument. We might as well
do the same (if YP is defined).

- ether_addr.c: also fix the NIS interaction so that placing the
'+' token in the /etc/ethers file makes it seem like the NIS
ethers data is 'inserted' at that point. (Chances are nobody will
notice the effect of this change, which is just te way I like it. :)
1995-08-07 03:42:14 +00:00
peter
28fb9a318f Slight adjustment to previous fix for __ivaliduser(). It was checking for
the comment before checking for long lines, so there was a possibility
that the wrap-around might be used as an exploitable hostname.
Reviewed by:
Submitted by:
Obtained from:
1995-07-16 17:03:58 +00:00
joerg
694c427284 Make ruserok() accept the #-starting comment lines we used to have
in our default /etc/hosts.equiv.

Closes PR #conf/620: Default /etc/hosts.equiv...
1995-07-16 10:12:32 +00:00
wpaul
48d35b4b93 At last! Modified __ivaliduser() to do the same kind of user/host validation
that everyone else does: you can now use +host/-host, +user,-user and
+@netgroup/-@netgroup in /etc/hosts.equiv, /.rhosts, /etc/hosts.lpd and
~/.rhosts. Previously, __ivaliduser would only do host/user matches,
which was lame. This affects all the r-commands, lpd, and any other
program/service that uses ruserok().

An example of the usefullness of this feature would be a hosts.equiv
file that looks like this:

+@equiv-hosts

Since the netgroup database can now be accessed via NIS, this lets you
set up client machines once and then never have to worry about them
again: all hosts.equiv changes can now be done through NIS. Once I
finish with getpwent.c, we'll be able to do similar wacky things
with login authentication too. (Our password field substitution
will finally be on par with everyone else's, and I'll finally be
able to fully integrate my FreeBSD machine into my network without
having to worry about the grad students sneaking into it when I'm
not looking. :)

Danger Will Robinson! I tested this thing every which way I could, but
Murphy's Law applies! If anybody spots a potential security problem with
the way my matching algorithm works, tell me immediately! I don't want
crackers snickering and calling me names behind my back. :)
1995-03-20 07:29:55 +00:00
csgr
7ca8cf71da Based on fix from 1.1.5.1:
>From: jtk@atria.com (John T. Kohl)
in rcmd:
It calls select() with a hardcoded "number of file descriptors" argument
of 32, rather than computing it based on the sockets about which it
cares.

- Now we work out the nfds arg, and do some error checking
Submitted by:	Geoff.
1994-09-08 20:55:02 +00:00
rgrimes
be22b15ae2 BSD 4.4 Lite Lib Sources 1994-05-27 05:00:24 +00:00