1 /* This is copied from portmap 4.0-29 in RedHat. */
4 * pmap_check - additional portmap security.
6 * Always reject non-local requests to update the portmapper tables.
8 * Refuse to forward mount requests to the nfs mount daemon. Otherwise, the
9 * requests would appear to come from the local system, and nfs export
10 * restrictions could be bypassed.
12 * Refuse to forward requests to the nfsd process.
14 * Refuse to forward requests to NIS (YP) daemons; The only exception is the
15 * YPPROC_DOMAIN_NONACK broadcast rpc call that is used to establish initial
16 * contact with the NIS server.
18 * Always allocate an unprivileged port when forwarding a request.
20 * If compiled with -DCHECK_PORT, require that requests to register or
21 * unregister a privileged port come from a privileged port. This makes it
22 * more difficult to replace a critical service by a trojan.
24 * If compiled with -DHOSTS_ACCESS, reject requests from hosts that are not
25 * authorized by the /etc/hosts.{allow,deny} files. The local system is
26 * always treated as an authorized host. The access control tables are never
27 * consulted for requests from the local system, and are always consulted
28 * for requests from other hosts.
30 * Author: Wietse Venema (wietse@wzv.win.tue.nl), dept. of Mathematics and
31 * Computing Science, Eindhoven University of Technology, The Netherlands.
37 #include <tcpwrapper.h>
41 #include <rpc/pmap_prot.h>
45 #include <sys/types.h>
46 #include <sys/signal.h>
47 #include <sys/queue.h>
54 #include <netinet/in.h>
55 #include <rpc/rpcent.h>
58 static void logit(int severity, struct sockaddr_in *addr,
59 u_long procnum, u_long prognum, char *text);
60 static void toggle_verboselog(int sig);
61 static int check_files(void);
64 int allow_severity = LOG_INFO;
65 int deny_severity = LOG_WARNING;
67 /* A handful of macros for "readability". */
70 /* coming from libwrap.a (tcp_wrappers) */
71 extern int hosts_ctl(char *daemon, char *name, char *addr, char *user);
73 int hosts_ctl(char *daemon, char *name, char *addr, char *user)
79 #define legal_port(a,p) \
80 (ntohs((a)->sin_port) < IPPORT_RESERVED || (p) >= IPPORT_RESERVED)
82 #define log_bad_port(addr, proc, prog) \
83 logit(deny_severity, addr, proc, prog, ": request from unprivileged port")
85 #define log_bad_host(addr, proc, prog) \
86 logit(deny_severity, addr, proc, prog, ": request from unauthorized host")
88 #define log_bad_owner(addr, proc, prog) \
89 logit(deny_severity, addr, proc, prog, ": request from non-local host")
91 #define log_no_forward(addr, proc, prog) \
92 logit(deny_severity, addr, proc, prog, ": request not forwarded")
94 #define log_client(addr, proc, prog) \
95 logit(allow_severity, addr, proc, prog, "")
100 typedef struct _haccess_t {
101 TAILQ_ENTRY(_haccess_t) list;
106 #define HASH_TABLE_SIZE 1021
107 typedef struct _hash_head {
108 TAILQ_HEAD(host_list, _haccess_t) h_head;
110 hash_head haccess_tbl[HASH_TABLE_SIZE];
111 static haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long);
112 static void haccess_add(struct sockaddr_in *addr, u_long, int);
114 inline unsigned int strtoint(char *str)
117 int len = strlen(str);
120 for (i=0; i < len; i++)
125 static inline int hashint(unsigned int num)
127 return num % HASH_TABLE_SIZE;
129 #define HASH(_addr, _prog) \
130 hashint((strtoint((_addr))+(_prog)))
132 void haccess_add(struct sockaddr_in *addr, u_long prog, int access)
138 hptr = (haccess_t *)malloc(sizeof(haccess_t));
142 hash = HASH(inet_ntoa(addr->sin_addr), prog);
143 head = &(haccess_tbl[hash]);
145 hptr->access = access;
146 hptr->addr.s_addr = addr->sin_addr.s_addr;
148 if (TAILQ_EMPTY(&head->h_head))
149 TAILQ_INSERT_HEAD(&head->h_head, hptr, list);
151 TAILQ_INSERT_TAIL(&head->h_head, hptr, list);
153 haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long prog)
159 hash = HASH(inet_ntoa(addr->sin_addr), prog);
160 head = &(haccess_tbl[hash]);
162 TAILQ_FOREACH(hptr, &head->h_head, list) {
163 if (hptr->addr.s_addr == addr->sin_addr.s_addr)
170 good_client(daemon, addr)
172 struct sockaddr_in *addr;
178 /* First check the address. */
179 if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
182 /* Now do the hostname lookup */
183 hp = gethostbyaddr ((const char *) &(addr->sin_addr),
184 sizeof (addr->sin_addr), AF_INET);
187 "Warning: Client IP address '%s' not found in host lookup",
188 inet_ntoa(addr->sin_addr));
189 return DENY; /* never heard of it. misconfigured DNS? */
192 /* Make sure the hostent is authorative. */
193 tmpname = strdup(hp->h_name);
195 xlog(L_WARNING, "Warning: No memory for Host access check");
198 hp = gethostbyname(tmpname);
201 "Warning: Client hostname '%s' not found in host lookup", tmpname);
203 return DENY; /* never heard of it. misconfigured DNS? */
207 /* Now make sure the address is on the list */
208 for (sp = hp->h_addr_list ; *sp ; sp++) {
209 if (memcmp(*sp, &(addr->sin_addr), hp->h_length) == 0)
213 return DENY; /* it was a FAKE. */
215 /* Check the official name and address. */
216 if (hosts_ctl(daemon, hp->h_name, inet_ntoa(addr->sin_addr), "") == DENY)
219 /* Now check aliases. */
220 for (sp = hp->h_aliases; *sp ; sp++) {
221 if (hosts_ctl(daemon, *sp, inet_ntoa(addr->sin_addr), "") == DENY)
228 /* check_startup - additional startup code */
230 void check_startup(void)
234 * Give up root privileges so that we can never allocate a privileged
235 * port when forwarding an rpc request.
237 * Fix 8/3/00 Philipp Knirsch: First lookup our rpc user. If we find it,
238 * switch to that uid, otherwise simply resue the old bin user and print
239 * out a warning in syslog.
242 struct passwd *pwent;
244 pwent = getpwnam("rpc");
246 syslog(LOG_WARNING, "user rpc not found, reverting to user bin");
247 if (setuid(1) == -1) {
248 syslog(LOG_ERR, "setuid(1) failed: %m");
253 if (setuid(pwent->pw_uid) == -1) {
254 syslog(LOG_WARNING, "setuid() to rpc user failed: %m");
255 if (setuid(1) == -1) {
256 syslog(LOG_ERR, "setuid(1) failed: %m");
262 (void) signal(SIGINT, toggle_verboselog);
265 /* check_files - check to see if either access files have changed */
267 static int check_files()
269 static time_t allow_mtime, deny_mtime;
270 struct stat astat, dstat;
273 if (stat("/etc/hosts.allow", &astat) < 0)
275 if (stat("/etc/hosts.deny", &dstat) < 0)
278 if(!astat.st_mtime || !dstat.st_mtime)
281 if (astat.st_mtime != allow_mtime)
283 else if (dstat.st_mtime != deny_mtime)
286 allow_mtime = astat.st_mtime;
287 deny_mtime = dstat.st_mtime;
292 /* check_default - additional checks for NULL, DUMP, GETPORT and unknown */
295 check_default(daemon, addr, proc, prog)
297 struct sockaddr_in *addr;
301 haccess_t *acc = NULL;
302 int changed = check_files();
304 acc = haccess_lookup(addr, prog);
305 if (acc && changed == 0)
306 return (acc->access);
308 if (!(from_local(addr) || good_client(daemon, addr))) {
309 log_bad_host(addr, proc, prog);
313 haccess_add(addr, prog, FALSE);
317 log_client(addr, proc, prog);
322 haccess_add(addr, prog, TRUE);
326 /* check_privileged_port - additional checks for privileged-port updates */
328 check_privileged_port(struct sockaddr_in *addr,
329 u_long proc, u_long prog, u_long port)
332 if (!legal_port(addr, port)) {
333 log_bad_port(addr, proc, prog);
340 /* toggle_verboselog - toggle verbose logging flag */
342 static void toggle_verboselog(int sig)
344 (void) signal(sig, toggle_verboselog);
345 verboselog = !verboselog;
348 /* logit - report events of interest via the syslog daemon */
350 static void logit(int severity, struct sockaddr_in *addr,
351 u_long procnum, u_long prognum, char *text)
354 char procbuf[16 + 4 * sizeof(u_long)];
356 char progbuf[16 + 4 * sizeof(u_long)];
360 * Fork off a process or the portmap daemon might hang while
361 * getrpcbynumber() or syslog() does its thing.
363 * Don't forget to wait for the children, too...
368 /* Try to map program number to name. */
372 } else if ((rpc = getrpcbynumber((int) prognum))) {
373 progname = rpc->r_name;
375 snprintf(progname = progbuf, sizeof (progbuf),
376 "prog (%lu)", prognum);
379 /* Try to map procedure number to name. */
381 snprintf(procname = procbuf, sizeof (procbuf),
382 "proc (%lu)", (u_long) procnum);
384 /* Write syslog record. */
386 syslog(severity, "connect from %s to %s in %s%s",
387 inet_ntoa(addr->sin_addr), procname, progname, text);