Commit Graph

57 Commits

Author SHA1 Message Date
pjd
3c622b2c1f Remove fallback to fork(2) if pdfork(2) is not available. If the parent
process dies, the process descriptor will be closed and pdfork(2)ed child
will be killed, which is not the case when regular fork(2) is used.

The PROCDESC option is now part of the GENERIC kernel configuration, so we
can start depending on it.

Add UPDATING entry to inform that this option is now required and log
detailed instruction to syslog if pdfork(2) is not available:

	The pdfork(2) system call is not available; recompile the kernel with options PROCDESC

Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
Sponsored by:	Google Summer of Code 2013
2013-09-05 01:05:48 +00:00
pjd
029a6f5d92 Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.

The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.

The structure definition looks like this:

	struct cap_rights {
		uint64_t	cr_rights[CAP_RIGHTS_VERSION + 2];
	};

The initial CAP_RIGHTS_VERSION is 0.

The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.

The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.

To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.

	#define	CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)

We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:

	#define	CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
	#define	CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)

	#define	CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)

There is new API to manage the new cap_rights_t structure:

	cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
	void cap_rights_set(cap_rights_t *rights, ...);
	void cap_rights_clear(cap_rights_t *rights, ...);
	bool cap_rights_is_set(const cap_rights_t *rights, ...);

	bool cap_rights_is_valid(const cap_rights_t *rights);
	void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
	void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
	bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:

	cap_rights_t rights;

	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:

	#define	cap_rights_set(rights, ...)				\
		__cap_rights_set((rights), __VA_ARGS__, 0ULL)
	void __cap_rights_set(cap_rights_t *rights, ...);

Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:

	cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.

This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.

Sponsored by:	The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
pjd
92598e5bb7 Cast argument of is*() ctype functions to unsigned char.
Without the cast there is ambiguity between 0xFF and -1 (EOF).

Suggested by:	jilles
Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
Sponsored by:	Google Summer of Code 2013
2013-08-18 11:25:42 +00:00
hrs
d635351bf1 Unbreak rwhod(8):
- It did not work with GENERIC kernel after r250603 because
  options PROCDESC was required for pdfork(2).  It now just uses fork(2)
  instead when this syscall is not available.

- Fix verify().  This function was broken in r250602 because the outermost
  "()" was removed from the condition !(isalnum() || ispunct()).
  It prevented hostnames including "-", for example.
2013-08-17 07:12:52 +00:00
pjd
9256efca5e Sandbox rwhod(8) receiver process using capability mode and Capsicum
capabilities.

rwhod(8) receiver can now only receive packages, write to /var/rwho/ directory
and log to syslog.

Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
Sponsored by:	Google Summer of Code 2013
Reviewed by:	pjd
MFC after:	1 month
2013-07-03 21:07:02 +00:00
pjd
22651ea46d The whole sending functionality was implemented within signal handler,
which is very bad idea. Split sending and receiving in two processes,
which fixes this problem and will help to sandbox rwhod.

Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
Sponsored by:	Google Summer of Code 2013
Reviewed by:	pjd
MFC after:	1 month
2013-07-03 21:04:20 +00:00
pjd
8996216f5b Style cleanups.
Submitted by:	Mariusz Zaborski <oshogbo@FreeBSD.org>
Sponsored by:	Google Summer of Code 2013
Reviewed by:	pjd
MFC after:	1 month
2013-07-03 20:58:58 +00:00
eadler
e08a8123c5 Bump date missed in r202756
PR:		docs/171624
Submitted by:	bdrewery
Approved by:	gabor
MFC after:	3 days
2012-09-14 17:50:42 +00:00
ed
e7e5b53bf1 Replace index() and rindex() calls with strchr() and strrchr().
The index() and rindex() functions were marked LEGACY in the 2001
revision of POSIX and were subsequently removed from the 2008 revision.
The strchr() and strrchr() functions are part of the C standard.

This makes the source code a lot more consistent, as most of these C
files also call into other str*() routines. In fact, about a dozen
already perform strchr() calls.
2012-01-03 18:51:58 +00:00
simon
ae749f8e80 Check return code of setuid(), setgid(), and setgroups() in rwhod.
While they will not fail in normal circumstances, better safe than
sorry.

MFC after:	1 week
2011-04-23 13:42:03 +00:00
ed
b28da9a61e Remove stale references to utmp(5) and its corresponding filenames.
I removed utmp and its manpage, but not other manpages referring to it.
2010-01-21 17:25:12 +00:00
ed
57d10a6e95 Port all applications in usr.sbin/ from libulog to utmpx. 2010-01-13 18:17:53 +00:00
ed
073cafdd42 The last big commit: let usr.sbin/ use WARNS=6 by default. 2010-01-02 11:07:44 +00:00
ed
d04999d8c6 Let rwhod use libulog.
I am not planning on providing a mechanism tot stat() the database files
directly. The disadvantage of this, is that rwhod will now be a little
bit more heavy than it used to be. It normally used to fstat() the file
descriptor to see whether the file had changed, but this is now
impossible to implement, meaning we have to parse the entire utmp file
each 180 seconds.

This is probably not an issue on modern 16-way servers, but if it turns
out to be a problem, we'll think of something.
2009-12-27 21:14:55 +00:00
ssouhlal
d2230420e9 - Avoid a memory leak if realloc(3) fails by using reallocf(3)
Submitted by:	Liam J. Foy <liamfoy@dragonflybsd.org>
Approved by:	mdodd (in-lieu of mentor who is away)
MFC after:	1 week
2005-06-03 17:38:33 +00:00
stefanf
03a2de3818 Fix most cases where the address of an int is passed to a function expecting a
socklen_t * argument.
2005-02-14 17:42:58 +00:00
ru
1541af42f1 Expand *n't contractions. 2005-02-13 22:25:33 +00:00
ru
c05985f13f Sort sections. 2005-01-18 20:02:45 +00:00
imp
9fbed704d5 Per letter dated July 22, 1999 remove 3rd clause of Berkeley derived software
(with permission of addtional copyright holders where appropriate)
2004-08-07 04:28:56 +00:00
ru
6294018a20 Mechanically kill hard sentence breaks. 2004-07-02 23:13:00 +00:00
luigi
ce58934c26 Replace ROUNDUP/ADVANCE with SA_SIZE 2004-04-13 11:24:43 +00:00
charnier
ba4d45d75f use a list to enumerate options 2003-07-06 12:27:52 +00:00
charnier
0ad2e8b805 de-__P
use port/proto to represent services (not proto/port).
add FBSDID
2003-07-06 10:37:00 +00:00
obrien
a920d12f89 style.Makefile(5) 2003-04-04 17:49:21 +00:00
des
5332a2b179 Comment out WARNS?=4 to unbreak the Alpha build. 2002-07-15 17:11:20 +00:00
charnier
d2168fe021 The .Nm utility 2002-07-14 14:47:15 +00:00
alfred
fc30cb8474 WARNS=4, de-__P() 2002-07-11 21:40:15 +00:00
joe
36c976074e Replace /kernel with /boot/kernel/kernel.
PR:		docs/37757
Submitted by:	Hiten Pandya <hiten@uk.FreeBSD.org>
2002-05-09 11:47:42 +00:00
dillon
c3dbbbabdf I've been meaning to do this for a while. Add an underscore to the
time_to_xxx() and xxx_to_time() functions.  e.g. _time_to_xxx()
instead of time_to_xxx(), to make it more obvious that these are
stopgap functions & placemarkers and not meant to create a defacto
standard.  They will eventually be replaced when a real standard
comes out of committee.
2002-01-19 23:20:02 +00:00
dillon
044c1da2a5 Convert time_t to/from 32 bit representations for transmission over
a network and storage.
2001-10-28 20:33:07 +00:00
dd
911ca14c87 Remove whitespace at EOL. 2001-07-15 08:06:20 +00:00
ru
0d5f9334cf mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 15:12:08 +00:00
ru
afd506414e - Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.
2001-03-26 14:42:20 +00:00
ru
f10dc9aca1 Set the default manual section for usr.sbin/ to 8. 2001-03-20 18:17:26 +00:00
iedowse
cd6399ca0f Ensure that received packets are at least as long as the rwho packet
header before trying to process them. Without this sanity check,
rwhod can attempt to byte-swap all of memory when a short packet
is received, and so dies with a SIGBUS.

While I'm here, change two other syslog messages to be more
informative: use dotted quad rather than hex notation for IP
addresses, and include the source IP in the 'bad from port' message.

PR:		bin/14844
Reviewed by:	dwmalone
2000-12-22 21:30:15 +00:00
ru
71e2293ad4 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 20:10:44 +00:00
kris
54b13849f6 Don't call syslog() without a format string. 2000-07-12 00:50:49 +00:00
chris
3e0ef0bbfc Grammar fix: `Different than'' should really be `different from''. 2000-01-29 01:54:59 +00:00
charnier
df72d21847 Name of program and trailing \n will be added by syslog(3) 1999-11-27 17:11:55 +00:00
peter
efabb9ccb1 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
nik
559bbb333e Add $Id$, to make it simpler for members of the translation teams to
track.

The Id line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;

     .\"    $Id$
     .\"

If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.

Approved by:            bde
1999-07-12 20:12:29 +00:00
brian
f8e5afd193 Correct usage message 1999-06-26 03:11:39 +00:00
brian
97a0215ac1 Add the -p switch - tells rwhod to ignore POINTOPOINT interfaces.
Mostly submitted by: Stefan Zehl <sec@42.org>
PR:	12216
1999-06-16 21:05:21 +00:00
steve
710a04e8b4 Implement the -l commandline option which turns off broadcast of
information, but still allows you to monitor other machines.

PR:		9301
Submitted by:	Matthew Fuller <fullermd@futuresouth.com>
1999-01-11 05:27:37 +00:00
des
d3d2905cbc Add an option for insecure mode, in which rwhod does not discard packets
from incorrect source ports.
1998-12-17 11:05:57 +00:00
des
49c359a7e6 There is no "rwho" service, it's "who"
PR:		bin/6396
Submitted by:	Ruslan Ermilov <ru@ucb.crimea.ua>
1998-04-23 19:12:41 +00:00
charnier
1f77e4ee4c Use err(3). Add usage.
Use syslog instead of fprintf when being a daemon.
Change sprintf to snprintf obtained from OpenBSD.
Obtained from: OpenBSD
1997-10-13 11:27:55 +00:00
wosch
3c5e4a3bbe Sort cross references. 1997-01-20 00:03:00 +00:00
imp
a508b60adc Fix minor buffer problems:
Off by one in verify allowed one to march one byte off the end of
	wd.wd_hostname if wd.wd_hostname had no NUL characters in it.

	strncpy of myname into mywd used the source buffer's length, rather
	than the dest.
1996-11-01 06:29:34 +00:00
peter
7e1f106f1d When looking for "group daemon" (since that's what's in mtree), make sure
we actually look for the *group* and not the user's gid.  user daemon
has traditionally been group 31 (guest).

Also clear out the groups vector so that it doesn't inherit the groups
of the invoking user (ever run rwhod by hand before?)  Unfortunately, we
can't empty the supplemental groups list because the !&@^#! egid is stored
in there! :-(
1996-09-07 01:43:08 +00:00