1 /* This is copied from portmap 4.0-29 in RedHat. */
4 * pmap_check - additional portmap security.
6 * Always reject non-local requests to update the portmapper tables.
8 * Refuse to forward mount requests to the nfs mount daemon. Otherwise, the
9 * requests would appear to come from the local system, and nfs export
10 * restrictions could be bypassed.
12 * Refuse to forward requests to the nfsd process.
14 * Refuse to forward requests to NIS (YP) daemons; The only exception is the
15 * YPPROC_DOMAIN_NONACK broadcast rpc call that is used to establish initial
16 * contact with the NIS server.
18 * Always allocate an unprivileged port when forwarding a request.
20 * If compiled with -DCHECK_PORT, require that requests to register or
21 * unregister a privileged port come from a privileged port. This makes it
22 * more difficult to replace a critical service by a trojan.
24 * If compiled with -DHOSTS_ACCESS, reject requests from hosts that are not
25 * authorized by the /etc/hosts.{allow,deny} files. The local system is
26 * always treated as an authorized host. The access control tables are never
27 * consulted for requests from the local system, and are always consulted
28 * for requests from other hosts.
30 * Author: Wietse Venema (wietse@wzv.win.tue.nl), dept. of Mathematics and
31 * Computing Science, Eindhoven University of Technology, The Netherlands.
37 #include <tcpwrapper.h>
41 #include <rpc/pmap_prot.h>
45 #include <sys/types.h>
46 #include <sys/signal.h>
48 #include <netinet/in.h>
49 #include <rpc/rpcent.h>
52 static void logit(int severity, struct sockaddr_in *addr,
53 u_long procnum, u_long prognum, char *text);
54 static void toggle_verboselog(int sig);
56 int allow_severity = LOG_INFO;
57 int deny_severity = LOG_WARNING;
59 /* A handful of macros for "readability". */
62 /* coming from libwrap.a (tcp_wrappers) */
63 extern int hosts_ctl(char *daemon, char *name, char *addr, char *user);
65 int hosts_ctl(char *daemon, char *name, char *addr, char *user)
71 #define legal_port(a,p) \
72 (ntohs((a)->sin_port) < IPPORT_RESERVED || (p) >= IPPORT_RESERVED)
74 #define log_bad_port(addr, proc, prog) \
75 logit(deny_severity, addr, proc, prog, ": request from unprivileged port")
77 #define log_bad_host(addr, proc, prog) \
78 logit(deny_severity, addr, proc, prog, ": request from unauthorized host")
80 #define log_bad_owner(addr, proc, prog) \
81 logit(deny_severity, addr, proc, prog, ": request from non-local host")
83 #define log_no_forward(addr, proc, prog) \
84 logit(deny_severity, addr, proc, prog, ": request not forwarded")
86 #define log_client(addr, proc, prog) \
87 logit(allow_severity, addr, proc, prog, "")
90 good_client(daemon, addr)
92 struct sockaddr_in *addr;
98 /* Check the IP address first. */
99 if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), ""))
102 /* Check the hostname. */
103 hp = gethostbyaddr ((const char *) &(addr->sin_addr),
104 sizeof (addr->sin_addr), AF_INET);
109 /* must make sure the hostent is authorative. */
110 tmpname = alloca (strlen (hp->h_name) + 1);
111 strcpy (tmpname, hp->h_name);
112 hp = gethostbyname(tmpname);
114 /* now make sure the "addr->sin_addr" is on the list */
115 for (sp = hp->h_addr_list ; *sp ; sp++) {
116 if (memcmp(*sp, &(addr->sin_addr), hp->h_length)==0)
124 /* never heard of it. misconfigured DNS? */
127 /* Check the official name first. */
128 if (hosts_ctl(daemon, "", hp->h_name, ""))
132 for (sp = hp->h_aliases; *sp ; sp++) {
133 if (hosts_ctl(daemon, "", *sp, ""))
141 /* check_startup - additional startup code */
143 void check_startup(void)
147 * Give up root privileges so that we can never allocate a privileged
148 * port when forwarding an rpc request.
150 * Fix 8/3/00 Philipp Knirsch: First lookup our rpc user. If we find it,
151 * switch to that uid, otherwise simply resue the old bin user and print
152 * out a warning in syslog.
155 struct passwd *pwent;
157 pwent = getpwnam("rpc");
159 syslog(LOG_WARNING, "user rpc not found, reverting to user bin");
160 if (setuid(1) == -1) {
161 syslog(LOG_ERR, "setuid(1) failed: %m");
166 if (setuid(pwent->pw_uid) == -1) {
167 syslog(LOG_WARNING, "setuid() to rpc user failed: %m");
168 if (setuid(1) == -1) {
169 syslog(LOG_ERR, "setuid(1) failed: %m");
175 (void) signal(SIGINT, toggle_verboselog);
178 /* check_default - additional checks for NULL, DUMP, GETPORT and unknown */
181 check_default(daemon, addr, proc, prog)
183 struct sockaddr_in *addr;
187 if (!(from_local(addr) || good_client(daemon, addr))) {
188 log_bad_host(addr, proc, prog);
192 log_client(addr, proc, prog);
196 /* check_privileged_port - additional checks for privileged-port updates */
198 check_privileged_port(struct sockaddr_in *addr,
199 u_long proc, u_long prog, u_long port)
202 if (!legal_port(addr, port)) {
203 log_bad_port(addr, proc, prog);
210 /* toggle_verboselog - toggle verbose logging flag */
212 static void toggle_verboselog(int sig)
214 (void) signal(sig, toggle_verboselog);
215 verboselog = !verboselog;
218 /* logit - report events of interest via the syslog daemon */
220 static void logit(int severity, struct sockaddr_in *addr,
221 u_long procnum, u_long prognum, char *text)
224 char procbuf[16 + 4 * sizeof(u_long)];
226 char progbuf[16 + 4 * sizeof(u_long)];
230 * Fork off a process or the portmap daemon might hang while
231 * getrpcbynumber() or syslog() does its thing.
233 * Don't forget to wait for the children, too...
238 /* Try to map program number to name. */
242 } else if ((rpc = getrpcbynumber((int) prognum))) {
243 progname = rpc->r_name;
245 snprintf(progname = progbuf, sizeof (progbuf),
246 "prog (%lu)", prognum);
249 /* Try to map procedure number to name. */
251 snprintf(procname = procbuf, sizeof (procbuf),
252 "proc (%lu)", (u_long) procnum);
254 /* Write syslog record. */
256 syslog(severity, "connect from %s to %s in %s%s",
257 inet_ntoa(addr->sin_addr), procname, progname, text);