If hosts.lpd contains '+', don't insist on reverse DNS == forward DNS.

2011-11-09 12:45:58 +00:00 · 2011-11-09 12:45:58 +00:00 · 5224338e35
commit 5224338e35
parent 6a222e7196
2 changed files with 52 additions and 18 deletions
--- a/usr.sbin/lpr/lpd/lpd.8
+++ b/usr.sbin/lpr/lpd/lpd.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: lpd.8,v 1.33 2006/01/22 21:31:17 wiz Exp $
+.\"	$NetBSD: lpd.8,v 1.34 2011/11/09 12:45:58 is Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -176,7 +176,11 @@ Second, all requests must come from one of the machines listed in
 the file
 .Pa /etc/hosts.equiv
 or
-.Pa /etc/hosts.lpd .
+.Pa /etc/hosts.lpd 
+unless there is a line consisting of '+', in which case any host
+will be accepted that passes the 
+.Xr hosts_access 5
+test and has reverse resolving set up.
 Lastly, if the
 .Li rs
 capability is specified in the
--- a/usr.sbin/lpr/lpd/lpd.c
+++ b/usr.sbin/lpr/lpd/lpd.c
@ -1,4 +1,4 @@
-/*	$NetBSD: lpd.c,v 1.56 2011/08/30 19:27:37 joerg Exp $	*/
+/*	$NetBSD: lpd.c,v 1.57 2011/11/09 12:45:58 is Exp $	*/

 /*
 * Copyright (c) 1983, 1993, 1994
@ -41,7 +41,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1993, 1994\
 #if 0
 static char sccsid[] = "@(#)lpd.c	8.7 (Berkeley) 5/10/95";
 #else
-__RCSID("$NetBSD: lpd.c,v 1.56 2011/08/30 19:27:37 joerg Exp $");
+__RCSID("$NetBSD: lpd.c,v 1.57 2011/11/09 12:45:58 is Exp $");
 #endif
 #endif /* not lint */

@ -133,6 +133,7 @@ static void		startup(void);
 static void		chkhost(struct sockaddr *, int);
 __dead static void	usage(void);
 static struct pollfd	*socksetup(int, int, const char *, int *);
+static void		chkplushost(int, FILE *, char*);

 uid_t	uid, euid;
 int child_count;
@ -362,6 +363,35 @@ main(int argc, char **argv)
 	}
 }

+/*
+ * If there was a forward/backward name resolution mismatch, check
+ * that there's a '+' entry in fhost.
+ */
+
+void
+chkplushost(int good, FILE *fhost, char *hst)
+{
+	int c1, c2, c3;
+
+	if (good) {
+		return;
+	}
+
+	rewind(fhost);
+	while (EOF != (c1 = fgetc(fhost))) {
+		if (c1 == '+') {
+			c2 = fgetc(fhost);
+			if (c2 == ' ' || c2 == '\t' || c2 == '\n') {
+				return;
+			}
+		}
+		do {
+			c3 = fgetc(fhost);
+		} while (c3 != EOF && c3 != '\n');
+	}
+	fatal("address for your hostname (%s) not matched", hst);
+}
+
 static void
 reapchild(int signo)
 {
@ -606,25 +636,23 @@ chkhost(struct sockaddr *f, int check_opts)
 		fatal("Cannot print address");

 	/* Check for spoof, ala rlogind */
+	good = 0;
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = PF_UNSPEC;
 	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 	error = getaddrinfo(fromb, NULL, &hints, &res);
-	if (error) {
-		fatal("hostname for your address (%s) unknown: %s", hst,
-		    gai_strerror(error));
+	if (!error) {
+		for (r = res; good == 0 && r; r = r->ai_next) {
+			error = getnameinfo(r->ai_addr, r->ai_addrlen,
+				    ip, sizeof(ip), NULL, 0, NI_NUMERICHOST);
+			if (!error && !strcmp(hst, ip))
+				good = 1;
+		}
+		if (res)
+			freeaddrinfo(res);
 	}
-	good = 0;
-	for (r = res; good == 0 && r; r = r->ai_next) {
-		error = getnameinfo(r->ai_addr, r->ai_addrlen, ip, sizeof(ip),
-				    NULL, 0, NI_NUMERICHOST);
-		if (!error && !strcmp(hst, ip))
-			good = 1;
-	}
-	if (res)
-		freeaddrinfo(res);
-	if (good == 0)
-		fatal("address for your hostname (%s) not matched", hst);
+
+	/* complain about !good later in chkplushost if needed. */

 	setproctitle("serving %s", from);

@ -639,6 +667,7 @@ chkhost(struct sockaddr *f, int check_opts)
 	hostf = fopen(_PATH_HOSTSEQUIV, "r");
 	if (hostf) {
 		if (__ivaliduser_sa(hostf, f, f->sa_len, DUMMY, DUMMY) == 0) {
+			chkplushost(good, hostf, hst);
 			(void)fclose(hostf);
 			return;
 		}
@ -647,6 +676,7 @@ chkhost(struct sockaddr *f, int check_opts)
 	hostf = fopen(_PATH_HOSTSLPD, "r");
 	if (hostf) {
 		if (__ivaliduser_sa(hostf, f, f->sa_len, DUMMY, DUMMY) == 0) {
+			chkplushost(good, hostf, hst);
 			(void)fclose(hostf);
 			return;
 		}