X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fstatd%2Fmonitor.c;h=286a5e21e173442c6445f109ffe82765ea4bfdaf;hp=834847341eb11044a87cd8c99a0b77cffa2169b0;hb=014e00dfaea0efc92150e2aedc5ca43aa337545e;hpb=ac5b03be829b4c9369ebfb07a688308721103228 diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c index 8348473..286a5e2 100644 --- a/utils/statd/monitor.c +++ b/utils/statd/monitor.c @@ -19,13 +19,41 @@ #include #include #include -#include "misc.h" +#include + +#include "sockaddr.h" +#include "rpcmisc.h" +#include "nsm.h" #include "statd.h" #include "notlist.h" #include "ha-callout.h" notify_list * rtnl = NULL; /* Run-time notify list. */ +/* + * Reject requests from non-loopback addresses in order + * to prevent attack described in CERT CA-99.05. + * + * Although the kernel contacts the statd service via only IPv4 + * transports, the statd service can receive other requests, such + * as SM_NOTIFY, from remote peers via IPv6. + */ +static _Bool +caller_is_localhost(struct svc_req *rqstp) +{ + struct sockaddr *sap = nfs_getrpccaller(rqstp->rq_xprt); + char buf[INET6_ADDRSTRLEN]; + + if (!nfs_is_v4_loopback(sap)) + goto out_nonlocal; + return true; + +out_nonlocal: + if (!statd_present_address(sap, buf, sizeof(buf))) + buf[0] = '\0'; + xlog_warn("SM_MON/SM_UNMON call from non-local host %s", buf); + return false; +} /* * Services SM_MON requests. @@ -37,38 +65,26 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) char *mon_name = argp->mon_id.mon_name, *my_name = argp->mon_id.my_id.my_name; struct my_id *id = &argp->mon_id.my_id; - char *path; - int fd; + char *cp; notify_list *clnt; - struct in_addr my_addr; -#ifdef RESTRICTED_STATD - struct in_addr mon_addr, caller; -#else - struct hostent *hostinfo = NULL; -#endif + struct sockaddr_in my_addr = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_LOOPBACK), + }; + char *dnsname = NULL; + + xlog(D_CALL, "Received SM_MON for %s from %s", mon_name, my_name); /* Assume that we'll fail. */ result.res_stat = STAT_FAIL; result.state = -1; /* State is undefined for STAT_FAIL. */ - /* Restrict access to statd. - * In the light of CERT CA-99.05, we tighten access to - * statd. --okir - */ -#ifdef RESTRICTED_STATD - /* 1. Reject anyone not calling from 127.0.0.1. + /* 1. Reject any remote callers. * Ignore the my_name specified by the caller, and * use "127.0.0.1" instead. */ - caller = svc_getcaller(rqstp->rq_xprt)->sin_addr; - if (caller.s_addr != htonl(INADDR_LOOPBACK)) { - note(N_WARNING, - "Call to statd from non-local host %s", - inet_ntoa(caller)); + if (!caller_is_localhost(rqstp)) goto failure; - } - my_addr.s_addr = htonl(INADDR_LOOPBACK); - my_name = "127.0.0.1"; /* 2. Reject any registrations for non-lockd services. * @@ -81,46 +97,43 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) if (id->my_prog != 100021 || (id->my_proc != 16 && id->my_proc != 24)) { - note(N_WARNING, - "Attempt to register callback to %d/%d", + xlog_warn("Attempt to register callback to %d/%d", id->my_prog, id->my_proc); goto failure; } - /* 3. mon_name must be an address in dotted quad. - * Again, specific to the linux kernel lockd. - */ - if (!inet_aton(mon_name, &mon_addr)) { - note(N_WARNING, - "Attempt to register host %s (not a dotted quad)", - mon_name); - goto failure; - } -#else /* * Check hostnames. If I can't look them up, I won't monitor. This * might not be legal, but it adds a little bit of safety and sanity. */ /* must check for /'s in hostname! See CERT's CA-96.09 for details. */ - if (strchr(mon_name, '/')) { - note(N_CRIT, "SM_MON request for hostname containing '/': %s", - mon_name); - note(N_CRIT, "POSSIBLE SPOOF/ATTACK ATTEMPT!"); - goto failure; - } else if (gethostbyname(mon_name) == NULL) { - note(N_WARNING, "gethostbyname error for %s", mon_name); - goto failure; - } else if (!(hostinfo = gethostbyname(my_name))) { - note(N_WARNING, "gethostbyname error for %s", my_name); + if (strchr(mon_name, '/') || mon_name[0] == '.') { + xlog(L_ERROR, "SM_MON request for hostname containing '/' " + "or starting '.': %s", mon_name); + xlog(L_ERROR, "POSSIBLE SPOOF/ATTACK ATTEMPT!"); goto failure; - } else - my_addr = *(struct in_addr *) hostinfo->h_addr; -#endif + } + + /* my_name must not have white space */ + for (cp=my_name ; *cp ; cp++) + if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n') + *cp = '_'; /* * Hostnames checked OK. - * Now check to see if this is a duplicate, and warn if so. + * Now choose a hostname to use for matching. We cannot + * really trust much in the incoming NOTIFY, so to make + * sure that multi-homed hosts work nicely, we get an + * FQDN now, and use that for matching. + */ + dnsname = statd_canonical_name(mon_name); + if (dnsname == NULL) { + xlog(L_WARNING, "No canonical hostname found for %s", mon_name); + goto failure; + } + + /* Now check to see if this is a duplicate, and warn if so. * I will also return STAT_FAIL. (I *think* this is how I should * handle it.) * @@ -129,27 +142,25 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) * I'll just do a quickie success return and things should * be happy. */ - if (rtnl) { - notify_list *temp = rtnl; - - while ((temp = nlist_gethost(temp, mon_name, 0))) { - if (matchhostname(NL_MY_NAME(temp), my_name) && - NL_MY_PROC(temp) == id->my_proc && - NL_MY_PROG(temp) == id->my_prog && - NL_MY_VERS(temp) == id->my_vers) { - /* Hey! We already know you guys! */ - dprintf(N_DEBUG, - "Duplicate SM_MON request for %s " - "from procedure on %s", - mon_name, my_name); + clnt = rtnl; - /* But we'll let you pass anyway. */ - result.res_stat = STAT_SUCC; - result.state = MY_STATE; - return (&result); - } - temp = NL_NEXT(temp); + while ((clnt = nlist_gethost(clnt, mon_name, 0))) { + if (statd_matchhostname(NL_MY_NAME(clnt), my_name) && + NL_MY_PROC(clnt) == id->my_proc && + NL_MY_PROG(clnt) == id->my_prog && + NL_MY_VERS(clnt) == id->my_vers && + memcmp(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE) == 0) { + /* Hey! We already know you guys! */ + xlog(D_GENERAL, + "Duplicate SM_MON request for %s " + "from procedure on %s", + mon_name, my_name); + + /* But we'll let you pass anyway. */ + free(dnsname); + goto success; } + clnt = NL_NEXT(clnt); } /* @@ -157,45 +168,89 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) * doesn't fail. (I should probably fix this assumption.) */ if (!(clnt = nlist_new(my_name, mon_name, 0))) { - note(N_WARNING, "out of memory"); + free(dnsname); + xlog_warn("out of memory"); goto failure; } - NL_ADDR(clnt) = my_addr; NL_MY_PROG(clnt) = id->my_prog; NL_MY_VERS(clnt) = id->my_vers; NL_MY_PROC(clnt) = id->my_proc; memcpy(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE); + clnt->dns_name = dnsname; /* * Now, Create file on stable storage for host. */ - - path=xmalloc(strlen(SM_DIR)+strlen(mon_name)+2); - sprintf(path, "%s/%s", SM_DIR, mon_name); - if ((fd = open(path, O_WRONLY|O_SYNC|O_CREAT, S_IRUSR|S_IWUSR)) < 0) { - /* Didn't fly. We won't monitor. */ - note(N_ERROR, "creat(%s) failed: %s", path, strerror (errno)); + if (!nsm_insert_monitored_host(dnsname, + (struct sockaddr *)(char *)&my_addr, argp)) { nlist_free(NULL, clnt); - free(path); goto failure; } - free(path); + /* PRC: do the HA callout: */ ha_callout("add-client", mon_name, my_name, -1); nlist_insert(&rtnl, clnt); - close(fd); - + xlog(D_GENERAL, "MONITORING %s for %s", mon_name, my_name); + success: result.res_stat = STAT_SUCC; + /* SUN's sm_inter.x says this should be "state number of local site". + * X/Open says '"state" will be contain the state of the remote NSM.' + * href=http://www.opengroup.org/onlinepubs/9629799/SM_MON.htm + * Linux lockd currently (2.6.21 and prior) ignores whatever is + * returned, and given the above contraction, it probably always will.. + * So we just return what we always returned. If possible, we + * have already told lockd about our state number via a sysctl. + * If lockd wants the remote state, it will need to + * use SM_STAT (and prayer). + */ result.state = MY_STATE; - dprintf(N_DEBUG, "MONITORING %s for %s", mon_name, my_name); return (&result); failure: - note(N_WARNING, "STAT_FAIL to %s for SM_MON of %s", my_name, mon_name); + xlog_warn("STAT_FAIL to %s for SM_MON of %s", my_name, mon_name); return (&result); } +static unsigned int +load_one_host(const char *hostname, + __attribute__ ((unused)) const struct sockaddr *sap, + const struct mon *m, + __attribute__ ((unused)) const time_t timestamp) +{ + notify_list *clnt; + + clnt = nlist_new(m->mon_id.my_id.my_name, + m->mon_id.mon_name, 0); + if (clnt == NULL) + return 0; + + clnt->dns_name = strdup(hostname); + if (clnt->dns_name == NULL) { + nlist_free(NULL, clnt); + return 0; + } + + xlog(D_GENERAL, "Adding record for %s to the monitor list...", + hostname); + + NL_MY_PROG(clnt) = m->mon_id.my_id.my_prog; + NL_MY_VERS(clnt) = m->mon_id.my_id.my_vers; + NL_MY_PROC(clnt) = m->mon_id.my_id.my_proc; + memcpy(NL_PRIV(clnt), m->priv, SM_PRIV_SIZE); + + nlist_insert(&rtnl, clnt); + return 1; +} + +void load_state(void) +{ + unsigned int count; + + count = nsm_load_monitor_list(load_one_host); + if (count) + xlog(D_GENERAL, "Loaded %u previously monitored hosts", count); +} /* * Services SM_UNMON requests. @@ -213,34 +268,28 @@ sm_unmon_1_svc(struct mon_id *argp, struct svc_req *rqstp) char *mon_name = argp->mon_name, *my_name = argp->my_id.my_name; struct my_id *id = &argp->my_id; -#ifdef RESTRICTED_STATD - struct in_addr caller; -#endif + char *cp; + + xlog(D_CALL, "Received SM_UNMON for %s from %s", mon_name, my_name); result.state = MY_STATE; -#ifdef RESTRICTED_STATD - /* 1. Reject anyone not calling from 127.0.0.1. - * Ignore the my_name specified by the caller, and - * use "127.0.0.1" instead. - */ - caller = svc_getcaller(rqstp->rq_xprt)->sin_addr; - if (caller.s_addr != htonl(INADDR_LOOPBACK)) { - note(N_WARNING, - "Call to statd from non-local host %s", - inet_ntoa(caller)); + if (!caller_is_localhost(rqstp)) goto failure; - } - my_name = "127.0.0.1"; -#endif + + /* my_name must not have white space */ + for (cp=my_name ; *cp ; cp++) + if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n') + *cp = '_'; + /* Check if we're monitoring anyone. */ - if (!(clnt = rtnl)) { - note(N_WARNING, - "Received SM_UNMON request from %s for %s while not " - "monitoring any hosts.", my_name, argp->mon_name); + if (rtnl == NULL) { + xlog_warn("Received SM_UNMON request from %s for %s while not " + "monitoring any hosts", my_name, argp->mon_name); return (&result); } + clnt = rtnl; /* * OK, we are. Now look for appropriate entry in run-time list. @@ -249,19 +298,20 @@ sm_unmon_1_svc(struct mon_id *argp, struct svc_req *rqstp) * entry winds up in the list the way I'm currently handling them.) */ while ((clnt = nlist_gethost(clnt, mon_name, 0))) { - if (matchhostname(NL_MY_NAME(clnt), my_name) && + if (statd_matchhostname(NL_MY_NAME(clnt), my_name) && NL_MY_PROC(clnt) == id->my_proc && NL_MY_PROG(clnt) == id->my_prog && NL_MY_VERS(clnt) == id->my_vers) { /* Match! */ - dprintf(N_DEBUG, "UNMONITORING %s for %s", + xlog(D_GENERAL, "UNMONITORING %s for %s", mon_name, my_name); /* PRC: do the HA callout: */ ha_callout("del-client", mon_name, my_name, -1); + nsm_delete_monitored_host(clnt->dns_name, + mon_name, my_name); nlist_free(&rtnl, clnt); - xunlink(SM_DIR, mon_name, 1); return (&result); } else @@ -269,7 +319,7 @@ sm_unmon_1_svc(struct mon_id *argp, struct svc_req *rqstp) } failure: - note(N_WARNING, "Received erroneous SM_UNMON request from %s for %s", + xlog_warn("Received erroneous SM_UNMON request from %s for %s", my_name, mon_name); return (&result); } @@ -282,30 +332,20 @@ sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp) static sm_stat result; notify_list *clnt; char *my_name = argp->my_name; -#ifdef RESTRICTED_STATD - struct in_addr caller; - /* 1. Reject anyone not calling from 127.0.0.1. - * Ignore the my_name specified by the caller, and - * use "127.0.0.1" instead. - */ - caller = svc_getcaller(rqstp->rq_xprt)->sin_addr; - if (caller.s_addr != htonl(INADDR_LOOPBACK)) { - note(N_WARNING, - "Call to statd from non-local host %s", - inet_ntoa(caller)); + xlog(D_CALL, "Received SM_UNMON_ALL for %s", my_name); + + if (!caller_is_localhost(rqstp)) goto failure; - } - my_name = "127.0.0.1"; -#endif result.state = MY_STATE; - if (!(clnt = rtnl)) { - note(N_WARNING, "Received SM_UNMON_ALL request from %s " + if (rtnl == NULL) { + xlog_warn("Received SM_UNMON_ALL request from %s " "while not monitoring any hosts", my_name); return (&result); } + clnt = rtnl; while ((clnt = nlist_gethost(clnt, my_name, 1))) { if (NL_MY_PROC(clnt) == argp->my_proc && @@ -315,7 +355,7 @@ sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp) char mon_name[SM_MAXSTRLEN + 1]; notify_list *temp; - dprintf(N_DEBUG, + xlog(D_GENERAL, "UNMONITORING (SM_UNMON_ALL) %s for %s", NL_MON_NAME(clnt), NL_MY_NAME(clnt)); strncpy(mon_name, NL_MON_NAME(clnt), @@ -324,8 +364,9 @@ sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp) temp = NL_NEXT(clnt); /* PRC: do the HA callout: */ ha_callout("del-client", mon_name, my_name, -1); + nsm_delete_monitored_host(clnt->dns_name, + mon_name, my_name); nlist_free(&rtnl, clnt); - xunlink(SM_DIR, mon_name, 1); ++count; clnt = temp; } else @@ -333,9 +374,10 @@ sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp) } if (!count) { - dprintf(N_DEBUG, "SM_UNMON_ALL request from %s with no " - "SM_MON requests from it.", my_name); + xlog(D_GENERAL, "SM_UNMON_ALL request from %s with no " + "SM_MON requests from it", my_name); } + failure: return (&result); }