From dad50c0e589b5651242de50e81200b036d995b73 Mon Sep 17 00:00:00 2001 From: Neil Brown Date: Thu, 15 Mar 2007 15:38:35 +1100 Subject: [PATCH] Make --enable-secure-statd the default. i.e. you now need --disable-secure-statd if you want any client other than lockd to talk to statd. Also relax the RESTRICTED_STATD checks so that a recent kernel with /proc/sys/fs/nfs/nsm_use_hostnames set can still talk to statd. Finally, restrict access to simulate_crash so that only privileged processes on localhost can call it. Having it accessible by the whole world is probably not much more than a minor inconvenience, but it really should be kept closed. --- configure.in | 2 +- utils/statd/monitor.c | 20 ++++++++++++++------ utils/statd/simu.c | 24 ++++++++++++++++++++++++ 3 files changed, 39 insertions(+), 7 deletions(-) diff --git a/configure.in b/configure.in index c0148bd..258188a 100644 --- a/configure.in +++ b/configure.in @@ -91,7 +91,7 @@ AC_ARG_ENABLE(secure-statd, [AC_HELP_STRING([--enable-secure-statd], [Only lockd can use statd (security)])], test "$enableval" = "yes" && secure_statd=yes, - secure_statd=no) + secure_statd=yes) if test "$secure_statd" = yes; then AC_DEFINE(RESTRICTED_STATD, 1, [Define this if you want to enable various security checks in statd. These checks basically keep anyone but lockd from using this service.]) fi diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c index 98cbf4a..8ee0441 100644 --- a/utils/statd/monitor.c +++ b/utils/statd/monitor.c @@ -42,7 +42,7 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) notify_list *clnt; struct in_addr my_addr; #ifdef RESTRICTED_STATD - struct in_addr mon_addr, caller; + struct in_addr caller; #else struct hostent *hostinfo = NULL; #endif 
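Review bot: The help string in the `AC_ARG_ENABLE(secure-statd, ...)` call still advertises `--enable-secure-statd`, although after this change the restricted build is what you get with no option, and `--disable-secure-statd` is the only switch that changes anything. I would reword it to `[AC_HELP_STRING([--disable-secure-statd], [Allow clients other than lockd to use statd (default: only lockd)])]` so that `./configure --help` shows the secure default. In the action-if-given branch, `--disable-secure-statd` leaves `secure_statd` unset rather than `no`; `secure_statd=$enableval` would make both outcomes explicit.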
@@ -87,6 +87,11 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) goto failure; } +#if 0 + This is not usable anymore. Linux-kernel can be configured to use + host names with NSM so that multi-homed hosts are handled properly. + NeilBrown 15mar2007 + /* 3. mon_name must be an address in dotted quad. * Again, specific to the linux kernel lockd. */ @@ -96,22 +101,25 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) mon_name); goto failure; } -#else +#endif +#endif /* * Check hostnames. If I can't look them up, I won't monitor. This * might not be legal, but it adds a little bit of safety and sanity. */ /* must check for /'s in hostname! See CERT's CA-96.09 for details. */ - if (strchr(mon_name, '/')) { - note(N_CRIT, "SM_MON request for hostname containing '/': %s", - mon_name); + if (strchr(mon_name, '/') || mon_name[0] == '.') { + note(N_CRIT, "SM_MON request for hostname containing '/' " + "or starting '.': %s", mon_name); note(N_CRIT, "POSSIBLE SPOOF/ATTACK ATTEMPT!"); goto failure; } else if (gethostbyname(mon_name) == NULL) { note(N_WARNING, "gethostbyname error for %s", mon_name); goto failure; - } else if (!(hostinfo = gethostbyname(my_name))) { + } +#ifndef RESTRICTED_STATD + if (!(hostinfo = gethostbyname(my_name))) { note(N_WARNING, "gethostbyname error for %s", my_name); goto failure; } else diff --git a/utils/statd/simu.c b/utils/statd/simu.c index 9d685ad..82d794e 100644 --- a/utils/statd/simu.c +++ b/utils/statd/simu.c @@ -7,6 +7,7 @@ #ifdef HAVE_CONFIG_H #include #endif +#include #include "statd.h" #include "notlist.h" 
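Review bot: The explanation added after `#if 0` is bare prose rather than a comment, so the preprocessor still tokenises it, and the disabled dotted-quad test stays in the file as dead code. Since check 3 is no longer wanted, I would delete the `inet_aton()` block and keep the reason as a real comment, e.g. `/* mon_name may be a host name: the kernel can be configured to use host names with NSM. */`. That comment should also say that, in RESTRICTED_STATD builds, validation of mon_name now rests entirely on the hostname check that follows. The `#if 0` region closes in the next hunk, and sm_mon_1_svc begins and ends outside both.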
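Review bot: The added test on `mon_name` is a denylist of `/` and a leading `.`, and after this change it is the only filter on the name in RESTRICTED_STATD builds as well; an empty name is not rejected here and is left to `gethostbyname()` to refuse. The CA-96.09 comment suggests the name is later used somewhere that path characters matter (presumably as a file name; that use is outside the hunk), so I would make the empty case explicit: `if (mon_name[0] == '\0' || mon_name[0] == '.' || strchr(mon_name, '/')) {`. The rejected string is also passed verbatim to `note()` through `%s`, so any control characters in it may reach the log; whether `note()` escapes them is not visible here. The `else` that ends the hunk continues outside it.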
@@ -22,11 +23,34 @@ sm_simu_crash_1_svc (void *argp, struct svc_req *rqstp) { static char *result = NULL; +#ifdef RESTRICTED_STATD + struct in_addr caller; + + /* 1. Reject anyone not calling from 127.0.0.1. + * Ignore the my_name specified by the caller, and + * use "127.0.0.1" instead. + */ + caller = svc_getcaller(rqstp->rq_xprt)->sin_addr; + if (caller.s_addr != htonl(INADDR_LOOPBACK)) { + note(N_WARNING, + "Call to statd from non-local host %s", + inet_ntoa(caller)); + goto failure; + } + if (ntohs(svc_getcaller(rqstp->rq_xprt)->sin_port) >= 1024) { + note(N_WARNING, + "Call to statd-simu-crash from unprivileged port\n"); + goto failure; + } +#endif note (N_WARNING, "*** SIMULATING CRASH! ***"); my_svc_exit (); if (rtnl) nlist_kill (&rtnl); +#ifdef RESTRICTED_STATD + failure: +#endif return ((void *)&result); } -- 2.39.5
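Review bot: The loopback and privileged-port checks in `sm_simu_crash_1_svc` are compiled only under `#ifdef RESTRICTED_STATD`, so a build configured with `--disable-secure-statd` still lets any remote caller trigger the simulated crash. Nothing in this procedure depends on whether clients other than lockd may register monitors, so I would drop the two `#ifdef RESTRICTED_STATD` / `#endif` pairs here and make the check and the `failure:` label unconditional. The copied comment mentions `my_name`, which this function does not take (`argp` is `void *`); something like `/* Only a privileged process on the loopback address may simulate a crash. */` fits better. The second `note()` string ends in `\n` while the other messages in the hunk do not.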