Throw out the old ypserv access control list code. Instead, use libwrap
for access control. Add a -l option, to enable logging of all requests.
Also, just use syslog(3) for all logging, not home-grown logging code.
thorpej 1999-01-22 02:36:12 +00:00
parent 434ecb8754
commit c87c1f135c
14 changed files with 270 additions and 1220 deletions


@ -1,15 +1,18 @@
# $NetBSD: Makefile,v 1.10 1999/01/19 03:53:27 lukem Exp $
# $NetBSD: Makefile,v 1.11 1999/01/22 02:36:12 thorpej Exp $
PROG= ypserv
SRCS= acl.c gram.y scan.l ypserv.c ypserv_proc.c ypserv_db.c ypserv_xdr.c \
SRCS= ypserv.c ypserv_proc.c ypserv_db.c ypserv_xdr.c \
gethnamaddr.c getnetnamadr.c
MAN= ypserv.acl.5 securenet.5 ypserv.8
MAN= ypserv.8
LIBCDIR=${.CURDIR}/../../../lib/libc
.PATH: ${LIBCDIR}/net
CPPFLAGS+=-DYY_NO_UNPUT -DOPTIMIZE_DB -I. -I${LIBCDIR}/include
CPPFLAGS+=-DYY_NO_UNPUT -DOPTIMIZE_DB -DLIBWRAP -I. -I${LIBCDIR}/include
YHEADER=1
LDADD+= -lwrap
DPADD+= ${LIBWRAP}
.include <bsd.prog.mk>
gethnamaddr.o: gethnamaddr.c
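Review bot: LIBWRAP is now the only access-control mechanism, but it is enabled solely by the `-DLIBWRAP` token on the CPPFLAGS line, and every check in ypserv.c that replaces the deleted acl.c sits under `#ifdef LIBWRAP`; a build that drops that flag (or is done where libwrap is unavailable) therefore produces a server that answers every client with no access control and no warning, which is a fail-open default. A comment next to the flag, `# LIBWRAP is mandatory: acl.c/securenet were removed, so without it ypserv has no access control at all`, would make that dependency explicit, and a `.if !defined(LIBWRAP)` error in the Makefile would turn the silent fail-open into a build error. Separately, `-DYY_NO_UNPUT` is a leftover from the lex scanner that this commit removes along with gram.y and scan.l, and it could go; whether `YHEADER=1` survives cannot be told from the rendered page, but it is only needed by the removed grammar as well.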


@ -1,352 +0,0 @@
/* $NetBSD: acl.c,v 1.5 1999/01/18 23:42:38 lukem Exp $ */
/*-
* Copyright (c) 1996 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Jason R. Thorpe.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: acl.c,v 1.5 1999/01/18 23:42:38 lukem Exp $");
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <err.h>
#include <netdb.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <rpcsvc/yp_prot.h>
#include "ypdef.h"
#include "acl.h"
struct aclent {
TAILQ_ENTRY(aclent) list;
aclallow_t allow;
u_int32_t addr;
u_int32_t mask;
};
/* The Access Control List. */
TAILQ_HEAD(, aclent) ac_list;
int acl_securenet_has_entries;
void acl_translate __P((const char *, acladdr_t, u_int32_t *));
void acl_securenet_parse __P((void));
/*
* Zap the access control list.
*/
void
acl_reset()
{
struct aclent *p, *q;
for (p = ac_list.tqh_first; p != NULL; ) {
q = p;
p = p->list.tqe_next;
TAILQ_REMOVE(&ac_list, q, list);
free(q);
}
TAILQ_INIT(&ac_list);
}
/*
* Check if a host is allowed access.
*/
int
acl_check_host(addr)
struct in_addr *addr;
{
struct aclent *p;
for (p = ac_list.tqh_first; p != NULL; p = p->list.tqe_next)
if ((addr->s_addr & p->mask) == p->addr)
return (p->allow);
return (ACL_ALLOW);
}
/*
* Add an entry to the in-core access control list.
*/
void
acl_add(addr, mask, atype, allow)
const char *addr, *mask;
acladdr_t atype;
aclallow_t allow;
{
struct aclent *acl;
acl = (struct aclent *)malloc(sizeof(struct aclent));
if (acl == NULL)
err(1, "can't allocate ACL entry");
acl->allow = allow;
acl_translate(addr, atype, &acl->addr);
/*
* If we get a NULL mask, it means we want the
* default mask for the address class.
*/
if (mask == NULL) {
NTOHL(acl->addr);
if (IN_CLASSA(acl->addr))
acl->mask = IN_CLASSA_NET;
else if (IN_CLASSB(acl->addr))
acl->mask = IN_CLASSB_NET;
else if (IN_CLASSC(acl->addr))
acl->mask = IN_CLASSC_NET;
else
errx(1, "line %d: invalid network class `%s'",
acl_line(), addr);
HTONL(acl->addr);
HTONL(acl->mask);
} else
acl_translate(mask, atype, &acl->mask);
TAILQ_INSERT_TAIL(&ac_list, acl, list);
}
/*
* Parse the access control list. If we're given a name,
* we have an ACL file. If we're not, we have a SECURENET file.
*/
void
acl_parse(fname)
const char *fname;
{
TAILQ_INIT(&ac_list);
/*
* Check SECURENET first.
*/
if (fname == NULL) {
/* Parse the SECURENET file. */
acl_securenet_parse();
/*
* Since the purpose of SECURENET is to explicitly
* list which networks are allowed to access the YP
* server, do a catch-all `deny all' for anyone who
* wasn't in the file unless the file contained no
* entries (e.g. was a comments-only example file),
* in which case we do an `allow all'.
*/
if (acl_securenet_has_entries)
acl_add(ACL_ALL, ACL_ALL, ACLADDR_HOST, ACL_DENY);
else
acl_add(ACL_ALL, ACL_ALL, ACLADDR_HOST, ACL_ALLOW);
return;
}
/*
* We are dealing with an ACL file. Since we were
* passed the name of this file, if it doesn't exist,
* it's a fatal error.
*/
if (acl_open(fname))
err(1, "can't open ACL file `%s'", fname);
/* Parse the ACL file. */
yyparse();
acl_close();
/*
* Always add a last `allow all' if the file doesn't cover
* all cases. If the file specified a `deny all' at the end,
* it will match before this one, so this is always safe to do.
*/
acl_add(ACL_ALL, ACL_ALL, ACLADDR_HOST, ACL_ALLOW);
}
/*
* Parse the securenet file; it's a really simple format.
*/
void
acl_securenet_parse()
{
FILE *f;
char line[_POSIX2_LINE_MAX];
char *cp, *addr, *mask;
int ntok;
extern int yyline, yychar;
/*
* No SECURENET file? Just return; the Right Thing
* will happen.
*/
if ((f = fopen(YP_SECURENET_FILE, "r")) == NULL)
return;
/* For simplictity in acl_add(). */
yychar = yyline = 0;
while (fgets(line, sizeof(line), f) != NULL) {
++yyline;
addr = mask = NULL;
/* Chop off trailing newline. */
if ((cp = strrchr(line, '\n')) != NULL)
*cp = '\0';
/* Handle blank lines. */
if (line[0] == '\0')
continue;
/* Break line into tokens. */
for (ntok = 0, cp = line;
(cp = strtok(cp, " \t")) != NULL; cp = NULL) {
/* Handle comments. */
if (*cp == '#')
break;
/* Assign token. */
switch (++ntok) {
case 1:
mask = cp;
break;
case 2:
addr = cp;
break;
default:
errx(1, "line %d: syntax error", yyline);
}
}
/* Add the entry to the list. */
if (addr != NULL && mask != NULL) {
acl_add(addr, mask, ACLADDR_NET, ACL_ALLOW);
/*
* Sanity check against an empty (e.g. example-only)
* SECURENET file.
*/
acl_securenet_has_entries = 1;
} else if (mask != NULL && addr == NULL)
errx(1, "line %d: syntax error", yyline);
}
/* All done. */
(void)fclose(f);
}
/*
* Given a string containing one of:
*
* - IP address
*
* - Host name
*
* - Net name
*
* fill in the address or mask as appropriate.
*/
void
acl_translate(str, atype, res)
const char *str;
acladdr_t atype;
u_int32_t *res;
{
struct hostent *hp;
struct netent *np;
struct in_addr ina;
/*
* Were we passed an IP address? Note, we _reject_
* invalid host names with this!
*/
if (isdigit(str[0])) {
if (inet_aton(str, &ina)) {
*res = ina.s_addr;
return;
} else
errx(1, "invalid IP address `%s' at line %d",
str, acl_line());
}
/*
* Host names - look it up, and use the first address.
*/
if (atype == ACLADDR_HOST) {
hp = gethostbyname(str);
if (hp == NULL)
errx(1, "unknown host `%s' at line %d",
str, acl_line());
/* Sanity. */
if (hp->h_addrtype != AF_INET)
errx(1, "host `%s' at line %d: not INET?!",
str, acl_line());
if (hp->h_length != sizeof(u_int32_t))
errx(1,
"address for host `%s' at line %d: wrong size?!",
str, acl_line());
memcpy(res, hp->h_addr_list[0], hp->h_length);
return;
}
/*
* We have a networks entry.
*/
np = getnetbyname(str);
if (np == NULL)
errx(1, "unknown net `%s' at line %d",
str, acl_line());
/* Sanity. */
if (np->n_addrtype != AF_INET)
errx(1, "net `%s' at line %d: not INET?!",
str, acl_line());
*res = htonl(np->n_net);
}


@ -1,57 +0,0 @@
/* $NetBSD: acl.h,v 1.3 1997/07/30 22:55:20 jtc Exp $ */
/*-
* Copyright (c) 1996 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Jason R. Thorpe.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/queue.h>
typedef enum { ACL_DENY = 0, ACL_ALLOW = 1 } aclallow_t;
typedef enum { ACLADDR_HOST, ACLADDR_NET } acladdr_t;
#define ACL_ALL "0.0.0.0"
#define ACL_HOST "255.255.255.255"
int acl_open __P((const char *));
void acl_close __P((void));
void acl_parse __P((const char *));
void acl_reset __P((void));
int acl_line __P((void));
void acl_add __P((const char *, const char *, acladdr_t, aclallow_t));
int acl_check_host __P((struct in_addr *));
int yylex __P((void));
int yyparse __P((void));


@ -1,113 +0,0 @@
%{
/* $NetBSD: gram.y,v 1.2 1997/07/30 22:55:23 jtc Exp $ */
/*-
* Copyright (c) 1996 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Jason R. Thorpe.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/param.h>
#include <netinet/in.h>
#include <err.h>
#include "acl.h"
void yyerror __P((const char *));
#define ADD_ACL_H(addr, allow) \
acl_add((addr), ACL_HOST, ACLADDR_HOST, (allow))
#define ADD_ACL_N(addr, mask, allow) \
acl_add((addr), (mask), ACLADDR_NET, (allow))
%}
%union {
const char *str;
}
%token ALL ALLOW ARG DENY EOL ENDFILE HOST NET NETMASK
%token <str> ARG
%type <str> host
%type <str> net
%type <str> mask
%%
acl_file:
acl_entries;
acl_entries:
acl_entry EOL acl_entries |
/* empty */ ;
acl_entry:
acl_host_entry |
acl_net_entry |
acl_all_entry |
/* empty */ ;
acl_all_entry:
ALLOW ALL = { ADD_ACL_N(ACL_ALL,ACL_ALL,ACL_ALLOW); } |
DENY ALL = { ADD_ACL_N(ACL_ALL,ACL_ALL,ACL_DENY); };
acl_host_entry:
ALLOW HOST host = { ADD_ACL_H($3,ACL_ALLOW); } |
DENY HOST host = { ADD_ACL_H($3,ACL_DENY); };
acl_net_entry:
ALLOW NET net = { ADD_ACL_N($3,NULL,ACL_ALLOW); } |
DENY NET net = { ADD_ACL_N($3,NULL,ACL_DENY); } |
ALLOW NET net NETMASK mask = { ADD_ACL_N($3,$5,ACL_ALLOW); } |
DENY NET net NETMASK mask = { ADD_ACL_N($3,$5,ACL_DENY); };
host:
ARG = { $$ = $1; };
net:
ARG = { $$ = $1; };
mask:
ARG = { $$ = $1; };
%%
void
yyerror(s)
const char *s;
{
errx(1, "line %d: %s", acl_line(), s);
}


@ -1,119 +0,0 @@
%{
/* $NetBSD: scan.l,v 1.3 1998/04/09 00:32:41 tv Exp $ */
/*-
* Copyright (c) 1996 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Jason R. Thorpe.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the NetBSD
* Foundation, Inc. and its contributors.
* 4. Neither the name of The NetBSD Foundation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/param.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include "gram.h"
#include "acl.h"
int yyline;
const char *yyfile;
#define yywrap() 1
%}
ARG [-A-Za-z0-9]*[-A-Za-z0-9.]*
%%
/* plain keywords */
all { return ALL; }
allow { return ALLOW; }
deny { return DENY; }
host { return HOST; }
net { return NET; }
netmask { return NETMASK; }
/* arguments */
{ARG} { yylval.str = strdup(yytext); return ARG; }
/* NULL record, end of line */
\n { yyline++; return EOL; }
<<EOF>> { return YY_NULL; }
/* comments; ignore */
#.* { ; }
/* whitespace; ignore */
[ \t]* { ; }
%%
/*
* Open the acl file.
*/
int
acl_open(file)
const char *file;
{
if ((yyin = fopen(file, "r")) == NULL)
return (-1);
yyfile = file;
yyline = 1;
return (0);
}
/*
* Close the acl file.
*/
void
acl_close()
{
(void)fclose(yyin);
}
/*
* Return the current line number. If yacc has looked ahead and
* caused us to consume a newline, we have to subtract one. yychar
* is yacc's token lookahead, so we can tell.
*/
int
acl_line()
{
extern int yychar;
return (yyline - ((yychar == '\n') ? 1 : 0));
}


@ -1,7 +0,0 @@
# $NetBSD: securenet,v 1.1.1.1 1996/08/09 10:15:04 thorpej Exp $
#
# This is an example /var/yp/securenet file. The format is
# netmask netnumber. The mask and number may be expressed in
# IP-address form, or as names in /etc/networks.
#
#255.255.255.0 129.99.50.0


@ -1,74 +0,0 @@
.\" $NetBSD: securenet.5,v 1.3 1997/11/08 15:03:42 lukem Exp $
.\"
.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Mats O Jansson
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 27, 1994
.Dt SECURENET 5
.Os
.Sh NAME
.Nm securenet
.Nd
.Xr ypserv 8
configuration file for secure networks
.Sh DESCRIPTION
The
.Nm
file controls which hosts can connect to the
.Tn YP
server.
.Pp
The format is rather simple. Each row consists of two items. The first item
is the network mask. The second item is the network.
.Sh EXAMPLES
.Pp
A configuration file might appear as follows:
.Bd -literal
#
# Only my local net is secure.
#
255.255.255.0 139.58.253.0
.Ed
.Sh FILES
.Bl -tag -width /var/yp/securenet -compact
.It Pa /var/yp/securenet
A
.Xr ypserv 8
configuration file.
.El
.Sh SEE ALSO
.Xr ypserv.acl 5 ,
.Xr yp 8 ,
.Xr ypserv 8
.Sh HISTORY
The
.Nm
file was added to
.Tn YP
by Sun Microsystems, Inc. as a bugfix for weak security.


@ -1,4 +1,4 @@
.\" $NetBSD: ypserv.8,v 1.6 1997/11/08 15:03:46 lukem Exp $
.\" $NetBSD: ypserv.8,v 1.7 1999/01/22 02:36:13 thorpej Exp $
.\"
.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
.\" All rights reserved.
@ -37,9 +37,8 @@
.Nd YP server daemon
.Sh SYNOPSIS
.Nm
.Op Fl a Ar aclfile
.Op Fl d
.Op Fl x
.Op Fl l
.Sh DESCRIPTION
.Nm
is a fundamental part of the network information system called
@ -54,7 +53,7 @@ A
.Tn YP
map is stored on the server as a
.Xr db 3
database. A number of
database. A number of
.Tn YP
maps is grouped together in a domain.
.Nm
@ -62,66 +61,55 @@ determines the domains it serves by looking for a directory with
the domain name in
.Ar /var/yp .
.Pp
In an effort to improve the security of
.Tn YP
hasn't been known for high security through the years. In recent years
security has improved by restricting access to the server. In SunOS 4.1
has a new file occured named
.Ar /var/yp/securenet .
It contains networks the server can assume is secure. For information about
file format see
.Xr securenet 5 .
(which has, historically, not been very good), this
.Nm
has support for libwrap-based access control. See
.Xr hosts_access 5
for more information. The
.Em daemon
used for access control is the name which
.Nm
was invoked as (typically
.Dq ypserv
). If a host is not allowed to query this
.Tn YP
server,
.Nm
will return the
.Tn YP
result code YP_NODOM.
.Pp
Before the author of this server had seen
.Xr securenet 5
another format was implemented
.Xr ypserv.acl 5 .
This file format makes it possible to allow and deny hosts and networks
access to the server. This file can have any name since it's given by
the argument to
.Fl a
(use full path).
.Pp
The file used can be reread by sending a SIGHUP to
.Nm "" .
The process pid
can be found in the file
The process pid of the
.Nm
process can be found in the file
.Pa /var/run/ypserv.pid .
.Pp
If a host isn't secure all queries to the server will result in a YP_NODOM
result.
.Pp
If the file
.Pa /var/yp/ypserv.log
exists then messages will be written to the file.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl a Ar aclfile
Don't use
.Ar /var/yp/securenet .
Use another file with another file format. For further information see
.Xr ypserv.acl 5 .
.It Fl d
Use internet Domain Name System. If a query to map
.Pa hosts.byname
or
.Pa hosts.byaddr
fails, make a DNS query and return the result if successful.
.It Fl x
Terminate the server after processing
.Ar aclfile
or
.Ar /var/yp/securenet .
.It Fl l
Enable logging of all requests.
.El
.Pp
All messages are sent to the system log with the facility LOG_DAEMON.
Error messages have the priority LOG_ERR. Refused requests are logged
with the priority LOG_WARNING. All other messages are logged with the
priority LOG_INFO.
.Sh FILES
.Bl -tag -width /var/run/ypserv.pid -compact
.It Pa /var/yp/ypserv.log
.It Pa /var/yp/securenet
.It Pa /var/run/ypserv.pid
.El
.Sh SEE ALSO
.Xr securenet 5 ,
.Xr ypserv.acl 5 ,
.Xr hosts_access 5 ,
.Xr syslog 3 ,
.Xr syslogd 8 ,
.Xr yp 8 ,
.Xr ypbind 8 ,
.Xr ypinit 8 .
@ -129,5 +117,5 @@ or
This implementation of
.Nm
was originally written by Mats O Jansson <moj@stacken.kth.se>.
The access control list code was later re-written from scratch by
The access control code was later re-written from scratch by
Jason R. Thorpe <thorpej@NetBSD.ORG>.


@ -1,44 +0,0 @@
# $NetBSD: ypserv.acl,v 1.1.1.1 1996/08/09 10:15:03 thorpej Exp $
#
# This is an example of an access control file to be used by ypserv.
#
# This file is parsed line by line. First match will terminate the check
# of the caller.
#
#############################################################################
# This is the commands that will match a single host
#
# allow host <hostname|ip-address>
# deny host <hostname|ip-address>
#
# To process hostname gethostbyname is called. If the hostname has multiple
# ip-addresses all will be added (I hope). ip-address is processed by
# inet_aton.
deny host jodie
#############################################################################
# This is the commands that will match a network
#
# allow net <netname|netnumber> [netmask <netname|netnumber>]
# deny net <netname|netnumber> [netmask <netname|netnumber>]
#
# To process netname getnetbyname is called, and inet_aton is used for
# netnumber. inet_aton both access numbers as 255.255.255.0 and 0xffffff00.
#
# If netmask isn't given the parser will assume netmask from the first bits
# of the network number. So if the network is subneted the you have to add
# the netmask. In my case I've got the network 139.58.253.0 at home so too
# allow any of my computers to talk with the server I need the following line
#
allow net mojathome netmask 255.255.255.0
#############################################################################
# At last we have a command that will match any caller:
#
# allow all
# deny all
#
# reject all connections
deny all


@ -1,167 +0,0 @@
.\" $NetBSD: ypserv.acl.5,v 1.3 1997/11/08 15:03:47 lukem Exp $
.\"
.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Mats O Jansson
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd July 2, 1994
.Dt YPSERV.ACL 5
.Os
.Sh NAME
.Nm ypserv.acl
.Nd
.Xr ypserv 8
configuration file
.Sh DESCRIPTION
The
.Nm
file controls which hosts can connect to the
.Tn YP
server.
.Pp
The format is more complex than the format for
.Xr securenet 5 .
The first two verbs on each line controls if the line will
.Em allow
or
.Em deny
access for a
.Em host ,
network
.Em (net)
or
.Em all
hosts.
.Pp
The
.Tn YP
server reads the configuration file and build a list in memory.
This list is processed from the beginning for every incomming request.
As soon a match is found in the list the search terminates and it
returns success or failure depending on
.Em allow
or
.Em deny .
If no match was found in the list success is returned.
.Pp
If access is denied every call will cause a
.Dq no such domain
error for the caller.
.Pp
There is no default name for this file. Start
.Nm ypserv
with a
.Fl a Ar filename
to read a file with this format.
.Pp
The following different syntax can be used:
.Pp
.Aq Em allow|deny
.Em host
.Aq Em hostname|ip-address
.Pp
If
.Em hostname
has more than one ip address then all will be added to the list.
.Pp
.Aq Em allow|deny
.Em net
.Aq Em netname|netnumber
.Op Em netmask Aq netname|netnumber
.Pp
If the
.Em netmask
part of the command isn't given then the netmask will be assumed to be a
class A, B or C net depending on the net number.
.Pp
.Aq Em allow|deny
.Em all
.Pp
A line containing one of these commands will always match any host.
.Sh EXAMPLES
.Pp
A configuration file might appear as follows:
.Bd -literal
# This is an example of an access control file to be used by ypserv.
#
# This file is parsed line by line. First match will terminate the check
# of the caller.
#
###########################################################################
# This is the commands that will match a single host
#
# allow host <hostname|ip-address>
# deny host <hostname|ip-address>
#
# To process hostname gethostbyname is called. If the hostname has
# multiple ip-addresses all will be added (I hope). ip-address
# processed by inet_aton.
deny host jodie
###########################################################################
# This is the commands that will match a network
#
# allow net <netname|netnumber> [netmask <netname|netnumber>]
# deny net <netname|netnumber> [netmask <netname|netnumber>]
#
# To process netname getnetbyname is called, and inet_aton is used for
# netnumber. inet_aton both access numbers as 255.255.255.0 and 0xffffff00.
#
# If netmask isn't given the parser will assume netmask from the first bits
# of the network number. So if the network is subneted the you have to add
# the netmask. In my case I've got the network 139.58.253.0 at home so too
# allow any of my computers to talk with the server I need the following
# line
#
allow net mojathome netmask 255.255.255.0
###########################################################################
# At last we have a command that will match any caller:
#
# allow all
# deny all
#
# reject all connections
deny all
.Ed
.Sh FILES
.Bl -tag -width /var/yp/ypserv.acl -compact
.It Pa /var/yp/ypserv.acl
A
.Xr ypserv 8
configuration file.
.El
.Sh SEE ALSO
.Xr securenet 5 ,
.Xr yp 8 ,
.Xr ypserv 8
.Sh AUTHOR
Mats O Jansson <moj@stacken.kth.se>


@ -1,4 +1,4 @@
/* $NetBSD: ypserv.c,v 1.7 1997/10/15 05:01:24 lukem Exp $ */
/* $NetBSD: ypserv.c,v 1.8 1999/01/22 02:36:13 thorpej Exp $ */
/*
* Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@ -33,7 +33,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ypserv.c,v 1.7 1997/10/15 05:01:24 lukem Exp $");
__RCSID("$NetBSD: ypserv.c,v 1.8 1999/01/22 02:36:13 thorpej Exp $");
#endif
#include <sys/types.h>
@ -57,11 +57,20 @@ __RCSID("$NetBSD: ypserv.c,v 1.7 1997/10/15 05:01:24 lukem Exp $");
#include <rpcsvc/yp_prot.h>
#include "acl.h"
#include "yplog.h"
#include "ypdef.h"
#include "ypserv.h"
#ifdef LIBWRAP
#include <tcpd.h>
int allow_severity = LOG_DAEMON | LOG_INFO;
int deny_severity = LOG_DAEMON | LOG_WARNING;
/* XXX For ypserv_proc.c -- NOT THREAD SAFE! (like any of this code is) */
const char *clientstr;
const char *svcname;
#endif /* LIBWRAP */
#ifdef __STDC__
#define SIG_PF void(*)(int)
#endif
@ -76,7 +85,9 @@ static int _rpcfdtype; /* Whether Stream or Datagram ? */
static int _rpcsvcdirty; /* Still serving ? */
int usedns;
char *aclfile;
#ifdef LIBWRAP
int lflag;
#endif
extern char *__progname; /* from crt0.s */
@ -140,79 +151,105 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT *transp)
char *result;
xdrproc_t xdr_argument, xdr_result;
void *(*local) __P((void *, struct svc_req *));
#ifdef LIBWRAP
struct request_info req;
struct sockaddr_in *caller;
#define SVCNAME(x) svcname = x
#else
#define SVCNAME(x) /* nothing */
#endif
_rpcsvcdirty = 1;
#ifdef LIBWRAP
caller = svc_getcaller(transp);
request_init(&req, RQ_DAEMON, __progname, RQ_CLIENT_SIN, caller, NULL);
sock_methods(&req);
#endif
switch (rqstp->rq_proc) {
case YPPROC_NULL:
xdr_argument = xdr_void;
xdr_result = xdr_void;
local = ypproc_null_2_svc;
SVCNAME("null_2");
break;
case YPPROC_DOMAIN:
xdr_argument = xdr_ypdomain_wrap_string;
xdr_result = xdr_bool;
local = ypproc_domain_2_svc;
SVCNAME("domain_2");
break;
case YPPROC_DOMAIN_NONACK:
xdr_argument = xdr_ypdomain_wrap_string;
xdr_result = xdr_bool;
local = ypproc_domain_nonack_2_svc;
SVCNAME("domain_nonack_2");
break;
case YPPROC_MATCH:
xdr_argument = xdr_ypreq_key;
xdr_result = xdr_ypresp_val;
local = ypproc_match_2_svc;
SVCNAME("match_2");
break;
case YPPROC_FIRST:
xdr_argument = xdr_ypreq_nokey;
xdr_result = xdr_ypresp_key_val;
local = ypproc_first_2_svc;
SVCNAME("first_2");
break;
case YPPROC_NEXT:
xdr_argument = xdr_ypreq_key;
xdr_result = xdr_ypresp_key_val;
local = ypproc_next_2_svc;
SVCNAME("next_2");
break;
case YPPROC_XFR:
xdr_argument = xdr_ypreq_xfr;
xdr_result = xdr_ypresp_xfr;
local = ypproc_xfr_2_svc;
SVCNAME("xfer_2");
break;
case YPPROC_CLEAR:
xdr_argument = xdr_void;
xdr_result = xdr_void;
local = ypproc_clear_2_svc;
SVCNAME("clear_2");
break;
case YPPROC_ALL:
xdr_argument = xdr_ypreq_nokey;
xdr_result = xdr_ypresp_all;
local = ypproc_all_2_svc;
SVCNAME("all_2");
break;
case YPPROC_MASTER:
xdr_argument = xdr_ypreq_nokey;
xdr_result = xdr_ypresp_master;
local = ypproc_master_2_svc;
SVCNAME("master_2");
break;
case YPPROC_ORDER:
xdr_argument = xdr_ypreq_nokey;
xdr_result = xdr_ypresp_order;
local = ypproc_order_2_svc;
SVCNAME("order_2");
break;
case YPPROC_MAPLIST:
xdr_argument = xdr_ypdomain_wrap_string;
xdr_result = xdr_ypresp_maplist;
local = ypproc_maplist_2_svc;
SVCNAME("maplist_2");
break;
default:
@ -220,6 +257,19 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT *transp)
_rpcsvcdirty = 0;
return;
}
#ifdef LIBWRAP
clientstr = eval_client(&req);
if (hosts_access(&req) == 0) {
syslog(deny_severity,
"%s: refused request from %.500s", svcname, clientstr);
svcerr_auth(transp, AUTH_FAILED);
_rpcsvcdirty = 0;
return;
}
#endif
(void) memset((char *)&argument, 0, sizeof (argument));
if (!svc_getargs(transp, xdr_argument, (caddr_t) &argument)) {
svcerr_decode(transp);
@ -268,70 +318,75 @@ main(argc, argv)
SVCXPRT *transp;
int sock, proto;
struct sigaction sa;
int xflag = 0;
int ch;
transp = NULL; /* XXX gcc -Wuninitialized */
proto = 0; /* XXX gcc -Wuninitialized */
while ((ch = getopt(argc, argv, "a:dx")) != -1) {
switch (ch) {
case 'a':
aclfile = optarg;
break;
#ifdef LIBWRAP
#define GETOPTSTR "dl"
#else
#define GETOPTSTR "d"
#endif
while ((ch = getopt(argc, argv, GETOPTSTR)) != -1) {
switch (ch) {
case 'd':
usedns = 1;
break;
case 'x':
xflag = 1;
#ifdef LIBWRAP
case 'l':
lflag = 1;
break;
#endif
default:
usage();
}
}
#undef GETOPTSTR
/* This program must be run by root. */
if (geteuid() != 0)
errx(1, "must run as root");
/* Deal with the acl file. */
acl_parse(aclfile);
if (xflag)
exit(1);
#ifndef RPC_SVC_FG
if (daemon(0, 0))
err(1, "can't detach");
openlog("ypserv", LOG_PID, LOG_DAEMON);
#endif
openlog(__progname, LOG_PID, LOG_DAEMON);
syslog(LOG_INFO, "starting");
{
FILE *pidfile = fopen(YPSERV_PID_PATH, "w");
if (pidfile != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
err(1, "can't write PID file");
} else {
_msgout("can't write PID file: %m");
exit(1);
}
}
sock = RPC_ANYSOCK;
(void) pmap_unset(YPPROG, YPVERS);
(void) pmap_unset(YPPROG, YPVERS_ORIG);
ypopenlog(); /* open log file */
ypdb_init(); /* init db stuff */
sa.sa_handler = sighandler;
sa.sa_flags = 0;
if (sigemptyset(&sa.sa_mask))
err(1, "sigemptyset");
if (sigaction(SIGCHLD, &sa, NULL) || sigaction(SIGHUP, &sa, NULL))
err(1, "sigaction");
if (sigemptyset(&sa.sa_mask)) {
_msgout("sigemptyset: %m");
exit(1);
}
if (sigaction(SIGCHLD, &sa, NULL)) {
_msgout("sigaction: %m");
exit(1);
}
if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_DGRAM)) {
transp = svcudp_create(sock);
@ -403,13 +458,6 @@ sighandler(sig)
int sig;
{
if (sig == SIGHUP) {
acl_reset();
yplog("reread %s", aclfile ? aclfile : YP_SECURENET_FILE);
acl_parse(aclfile);
return;
}
/* SIGCHLD */
while (wait3((int *)NULL, WNOHANG, (struct rusage *)NULL) > 0);
}
@ -418,8 +466,16 @@ void
usage()
{
fprintf(stderr, "usage: %s [-a aclfile] [-d] [-x]\n", __progname);
#ifdef LIBWRAP
#define USAGESTR "usage: %s [-d] [-l]\n"
#else
#define USAGESTR "usage: %s [-d]\n"
#endif
fprintf(stderr, USAGESTR, __progname);
exit(1);
#undef USAGESTR
}
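Review bot: `_msgout("can't write PID file: %m")` and the two `%m` messages after it depend on `_msgout` (defined outside these hunks) handing its argument to syslog(3) as the format string; if it passes it through `"%s"` or writes to stderr in the `RPC_SVC_FG` build, the literal `%m` lands in the message, so formatting with `strerror(errno)` before the call is safer. Two consequences of the new code deserve a comment and a man-page line: the daemon name given to `request_init()` is `__progname`, so `hosts.allow`/`hosts.deny` rules must key on the name the binary is invoked as, and with the `SIGHUP` handler no longer installed a `SIGHUP` now terminates the server instead of rereading an ACL. A suitable comment above `request_init()` would be `/* libwrap matches hosts.allow rules against the invoked program name */`. Both main() and ypprog_2() extend past the hunks shown.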


@ -1,4 +1,4 @@
/* $NetBSD: ypserv.h,v 1.3 1997/10/15 05:01:30 lukem Exp $ */
/* $NetBSD: ypserv.h,v 1.4 1999/01/22 02:36:13 thorpej Exp $ */
/*-
* Copyright (c) 1996 The NetBSD Foundation, Inc.
@ -72,3 +72,10 @@ void ypdb_close_all __P((void));
void ypdb_init __P((void));
int ypdb_secure __P((const char *, const char *));
bool_t ypdb_xdr_get_all __P((XDR *, struct ypreq_nokey *));
#ifdef LIBWRAP
/* from ypserv.c */
extern int lflag;
extern int allow_severity;
extern const char *clientstr;
#endif
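Review bot: The new externs carry no documentation of their lifetime: `clientstr` is set per request by ypprog_2() from libwrap's eval_client(), which hands back a static buffer, so the value is only meaningful during the current dispatch. A comment such as `/* set by ypprog_2() for the request being dispatched; not stable across requests */` on the `clientstr` line would keep callers from caching it.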


@ -1,4 +1,4 @@
/* $NetBSD: ypserv_db.c,v 1.8 1999/01/19 03:53:27 lukem Exp $ */
/* $NetBSD: ypserv_db.c,v 1.9 1999/01/22 02:36:13 thorpej Exp $ */
/*
* Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@ -35,7 +35,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ypserv_db.c,v 1.8 1999/01/19 03:53:27 lukem Exp $");
__RCSID("$NetBSD: ypserv_db.c,v 1.9 1999/01/22 02:36:13 thorpej Exp $");
#endif
/*
@ -67,7 +67,6 @@ __RCSID("$NetBSD: ypserv_db.c,v 1.8 1999/01/19 03:53:27 lukem Exp $");
#include <rpcsvc/yp_prot.h>
#include <rpcsvc/ypclnt.h>
#include "yplog.h"
#include "ypdb.h"
#include "ypdef.h"
#include "ypserv.h"
@ -178,8 +177,9 @@ ypdb_close_map(map)
LIST_REMOVE(map, mapsl); /* remove from domain list */
#ifdef DEBUG
yplog(" ypdb_close_map: closing map %s in domain %s [db=%#x]",
map->map, map->dom->domain, map->db);
syslog(LOG_DEBUG,
"ypdb_close_map: closing map %s in domain %s [db=%#x]",
map->map, map->dom->domain, map->db);
#endif
ypdb_close(map->db); /* close DB */
@ -197,7 +197,8 @@ ypdb_close_last()
struct opt_map *last = maps.cqh_last;
if (last == (void *) &maps) {
yplog(" ypdb_close_last: LRU list is empty!");
syslog(LOG_ERR,
"ypdb_close_last: LRU list is empty!");
return;
}
ypdb_close_map(last);
@ -211,14 +212,14 @@ ypdb_close_all()
{
#ifdef DEBUG
yplog(" ypdb_close_all(): start");
syslog(LOG_DEBUG, "ypdb_close_all(): start");
#endif
while (maps.cqh_first != (void *) &maps)
ypdb_close_last();
#ifdef DEBUG
yplog(" ypdb_close_all(): done");
syslog(LOG_DEBUG, "ypdb_close_all(): done");
#endif
}
@ -231,7 +232,7 @@ ypdb_close_db(db)
{
#ifdef DEBUG
yplog(" ypdb_close_db(%#x)", db);
syslog(LOG_DEBUG, "ypdb_close_db(%#x)", db);
#endif
#ifndef OPTIMIZE_DB
@ -278,7 +279,8 @@ ypdb_open_db(domain, map, status, map_info)
snprintf(map_path, sizeof(map_path), "%s/%s", YP_DB_PATH, domain);
if (stat(map_path, &finfo) < 0 || S_ISDIR(finfo.st_mode) == 0) {
#ifdef DEBUG
yplog(" ypdb_open_db: no domain %s (map=%s)", domain, map);
syslog(LOG_DEBUG,
"ypdb_open_db: no domain %s (map=%s)", domain, map);
#endif
*status = YP_NODOM;
} else {
@ -286,7 +288,8 @@ ypdb_open_db(domain, map, status, map_info)
YP_DB_PATH, domain, map, YPDB_SUFFIX);
if (stat(map_path, &finfo) < 0) {
#ifdef DEBUG
yplog(" ypdb_open_db: no map %s (domain=%s)", map,
syslog(LOG_DEBUG,
"ypdb_open_db: no map %s (domain=%s)", map,
domain);
#endif
*status = YP_NOMAP;
@ -310,9 +313,11 @@ ypdb_open_db(domain, map, status, map_info)
*/
if (m) {
#ifdef DEBUG
yplog(" ypdb_open_db: cached open: domain=%s, map=%s, db=%#x,",
syslog(LOG_DEBUG,
"ypdb_open_db: cached open: domain=%s, map=%s, db=%#x,",
domain, map, m->db);
yplog("\t\tdbdev %d new %d; dbino %d new %d; dbmtime %d new %d",
syslog(LOG_DEBUG,
"\tdbdev %d new %d; dbino %d new %d; dbmtime %d new %d",
m->dbdev, finfo.st_dev, m->dbino, finfo.st_ino,
m->dbmtime, finfo.st_mtime);
#endif
@ -322,8 +327,9 @@ ypdb_open_db(domain, map, status, map_info)
*/
if (*status != YP_TRUE) {
#ifdef DEBUG
yplog(
" ypdb_open_db: cached db is now unavailable - closing: status %s",
syslog(LOG_DEBUG,
"ypdb_open_db: cached db is now unavailable - "
"closing: status %s",
yperr_string(ypprot_err(*status)));
#endif
ypdb_close_map(m);
@ -342,7 +348,8 @@ ypdb_open_db(domain, map, status, map_info)
return (m->db);
} else {
#ifdef DEBUG
yplog(" ypdb_open_db: db changed; closing");
syslog(LOG_DEBUG,
"ypdb_open_db: db changed; closing");
#endif
ypdb_close_map(m);
m = NULL;
@ -367,7 +374,8 @@ retryopen:
#ifdef OPTIMIZE_DB
if (db == NULL) {
#ifdef DEBUG
yplog(" ypdb_open_db: errno %d (%s)", errno, strerror(errno));
syslog(LOG_DEBUG,
"ypdb_open_db: errno %d (%s)", errno, strerror(errno));
#endif /* DEBUG */
if ((errno == ENFILE) || (errno == EMFILE)) {
ypdb_close_last();
@ -380,7 +388,8 @@ retryopen:
if (db == NULL) {
#ifdef DEBUG
yplog(" ypdb_open_db: ypdb_open FAILED: map %s (domain=%s)",
syslog(LOG_DEBUG,
"ypdb_open_db: ypdb_open FAILED: map %s (domain=%s)",
map, domain);
#endif
return (NULL);
@ -394,7 +403,8 @@ retryopen:
if (d)
d->domain = strdup(domain);
if (d == NULL || d->domain == NULL) {
yplog(" ypdb_open_db: MALLOC failed");
syslog(LOG_ERR,
"ypdb_open_db: MALLOC failed");
ypdb_close(db);
if (d)
free(d);
@ -403,7 +413,8 @@ retryopen:
LIST_INIT(&d->dmaps);
LIST_INSERT_HEAD(&doms, d, domsl);
#ifdef DEBUG
yplog(" ypdb_open_db: NEW DOMAIN %s", domain);
syslog(LOG_DEBUG,
"ypdb_open_db: NEW DOMAIN %s", domain);
#endif
}
@ -417,7 +428,7 @@ retryopen:
if (m == NULL || m->map == NULL) {
if (m)
free(m);
yplog(" ypdb_open_db: MALLOC failed");
syslog(LOG_ERR, "ypdb_open_db: MALLOC failed");
ypdb_close(db);
return (NULL);
}
@ -453,7 +464,8 @@ retryopen:
*map_info = m;
#ifdef DEBUG
yplog(" ypdb_open_db: NEW MAP domain=%s, map=%s, hl=%d, s=%d, db=%#x",
syslog(LOG_DEBUG,
"ypdb_open_db: NEW MAP domain=%s, map=%s, hl=%d, s=%d, db=%#x",
domain, map, m->host_lookup, m->secure, m->db);
#endif
@ -525,11 +537,9 @@ lookup_host(nametable, host_lookup, db, keystr, result)
l++;
if (l == 0) {
yplog("lookup_host: address %s not listed for host %s\n",
inet_ntoa(addr_addr), hostname);
syslog(LOG_NOTICE,
"ypserv: address %s not listed for host %s\n",
inet_ntoa(addr_addr), hostname);
"address %s not listed for host %s\n",
inet_ntoa(addr_addr), hostname);
return (YP_NOKEY);
}
@ -815,7 +825,8 @@ ypdb_xdr_get_all(xdrs, req)
if (!xdr_ypresp_all(xdrs, &resp)) {
#ifdef DEBUG
yplog(" ypdb_xdr_get_all: xdr_ypresp_all failed");
syslog(LOG_DEBUG,
"ypdb_xdr_get_all: xdr_ypresp_all failed");
#endif
return (FALSE);
}
@ -832,7 +843,8 @@ ypdb_xdr_get_all(xdrs, req)
if (!xdr_ypresp_all(xdrs, &resp)) {
#ifdef DEBUG
yplog(" ypdb_xdr_get_all: final xdr_ypresp_all failed");
syslog(LOG_DEBUG,
"ypdb_xdr_get_all: final xdr_ypresp_all failed");
#endif
return (FALSE);
}
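Review bot: The new `syslog(LOG_NOTICE, ...)` in lookup_host keeps the trailing `\n` of the old yplog message, which syslog(3) does not want and which the other converted messages dropped; it also lost its function-name prefix, so `"lookup_host: address %s not listed for host %s"` would match the rest of the file. The converted debug messages in ypdb_close_map, ypdb_close_db and the two ypdb_open_db `db=%#x` lines print a pointer with `%#x`, a format/argument mismatch on LP64; `%p` is the portable spelling now that these lines are being rewritten anyway. lookup_host and ypdb_open_db both extend beyond the hunks shown.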


@ -1,4 +1,4 @@
/* $NetBSD: ypserv_proc.c,v 1.6 1997/12/31 06:59:54 thorpej Exp $ */
/* $NetBSD: ypserv_proc.c,v 1.7 1999/01/22 02:36:13 thorpej Exp $ */
/*
* Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@ -33,7 +33,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ypserv_proc.c,v 1.6 1997/12/31 06:59:54 thorpej Exp $");
__RCSID("$NetBSD: ypserv_proc.c,v 1.7 1999/01/22 02:36:13 thorpej Exp $");
#endif
#include <sys/stat.h>
@ -47,27 +47,27 @@ __RCSID("$NetBSD: ypserv_proc.c,v 1.6 1997/12/31 06:59:54 thorpej Exp $");
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#ifdef LIBWRAP
#include <syslog.h>
#endif
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <rpcsvc/yp_prot.h>
#include <rpcsvc/ypclnt.h>
#include "acl.h"
#include "ypserv.h"
#include "ypdb.h"
#include "yplog.h"
#include "ypdef.h"
#ifdef DEBUG
#define YPLOG yplog
#else /* DEBUG */
#define YPLOG if (!ok) yplog
#endif /* DEBUG */
static char *True = "true";
static char *False = "FALSE";
#define TORF(N) ((N) ? True : False)
#ifdef LIBWRAP
#define YPLOG(x) if (lflag) syslog x
static const char *True = "TRUE";
static const char *False = "FALSE";
#define TORF(x) (x) ? True : False
#else
#define YPLOG(x) /* nothing */
#endif
void *
ypproc_null_2_svc(argp, rqstp)
@ -75,17 +75,8 @@ ypproc_null_2_svc(argp, rqstp)
struct svc_req *rqstp;
{
static char result;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
YPLOG("null_2: caller=[%s].%d, auth_ok=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
TORF(ok));
if (!ok) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
YPLOG((allow_severity, "null_2: request from %.500s", clientstr));
memset(&result, 0, sizeof(result));
return ((void *)&result);
@ -97,14 +88,14 @@ ypproc_domain_2_svc(argp, rqstp)
struct svc_req *rqstp;
{
static bool_t result; /* is domain_served? */
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
char *domain = *(char **)argp;
char domain_path[MAXPATHLEN];
struct stat finfo;
if (_yp_invalid_domain(domain))
goto bail_domain;
if (_yp_invalid_domain(domain)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
snprintf(domain_path, sizeof(domain_path), "%s/%s",
YP_DB_PATH, domain);
if ((stat(domain_path, &finfo) == 0) && S_ISDIR(finfo.st_mode))
@ -112,15 +103,9 @@ ypproc_domain_2_svc(argp, rqstp)
else
result = FALSE;
YPLOG("domain_2: caller=[%s].%d, auth_ok=%s, domain=%s, served=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
TORF(ok), domain, TORF(result));
if (!ok) {
bail_domain:
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
YPLOG((allow_severity,
"domain_2: request from %.500s, domain %s, served %s",
clientstr, domain, TORF(result)));
return ((void *)&result);
}
@ -131,14 +116,14 @@ ypproc_domain_nonack_2_svc(argp, rqstp)
struct svc_req *rqstp;
{
static bool_t result; /* is domain served? */
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
char *domain = *(char **)argp;
char domain_path[MAXPATHLEN];
struct stat finfo;
if (_yp_invalid_domain(domain))
goto bail_nonack;
if (_yp_invalid_domain(domain)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
snprintf(domain_path, sizeof(domain_path), "%s/%s",
YP_DB_PATH, domain);
if ((stat(domain_path, &finfo) == 0) && S_ISDIR(finfo.st_mode))
@ -146,16 +131,9 @@ ypproc_domain_nonack_2_svc(argp, rqstp)
else
result = FALSE;
YPLOG(
"domain_nonack_2: caller=[%s].%d, auth_ok=%s, domain=%s, served=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
domain, TORF(result));
if (!ok) {
bail_nonack:
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
YPLOG((allow_severity,
"domain_nonack_2: request from %.500s, domain %s, served %s",
clientstr, domain, TORF(result)));
if (!result)
return (NULL); /* don't send nack */
@ -170,34 +148,26 @@ ypproc_match_2_svc(argp, rqstp)
{
static struct ypresp_val res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_key *k = argp;
int secure;
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map))
goto bail_match;
secure = ypdb_secure(k->domain, k->map);
YPLOG(
"match_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map, k->keydat.dsize, k->keydat.dptr);
if (!ok) {
bail_match:
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"match_2: request from %.500s, secure %s, domain %s, map %s, "
"key %.*s", clientstr, TORF(secure), k->domain, k->map,
k->keydat.dsize, k->keydat.dptr));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED))
res.status = YP_YPERR;
else
res = ypdb_get_record(k->domain, k->map, k->keydat, FALSE);
#ifdef DEBUG
yplog(" match2_status: %s", yperr_string(ypprot_err(res.status)));
#endif
return ((void *)&res);
}
@ -208,34 +178,25 @@ ypproc_first_2_svc(argp, rqstp)
{
static struct ypresp_key_val res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_nokey *k = argp;
int secure;
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map))
goto bail_first;
secure = ypdb_secure(k->domain, k->map);
YPLOG(
"first_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map);
if (!ok) {
bail_first:
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"first_2: request from %.500s, secure %s, domain %s, map %s",
clientstr, TORF(secure), k->domain, k->map));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED))
res.status = YP_YPERR;
else
res = ypdb_get_first(k->domain, k->map, FALSE);
#ifdef DEBUG
yplog(" first2_status: %s", yperr_string(ypprot_err(res.status)));
#endif
return ((void *)&res);
}
@ -246,34 +207,26 @@ ypproc_next_2_svc(argp, rqstp)
{
static struct ypresp_key_val res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_key *k = argp;
int secure;
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map))
goto bail_next;
secure = ypdb_secure(k->domain, k->map);
YPLOG(
"next_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map, k->keydat.dsize, k->keydat.dptr);
if (!ok) {
bail_next:
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"next_2: request from %.500s, secure %s, domain %s, map %s, "
"key %.*s", clientstr, TORF(secure), k->domain, k->map,
k->keydat.dsize, k->keydat.dptr));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED))
res.status = YP_YPERR;
else
res = ypdb_get_next(k->domain, k->map, k->keydat, FALSE);
#ifdef DEBUG
yplog(" next2_status: %s", yperr_string(ypprot_err(res.status)));
#endif
return ((void *)&res);
}
@ -284,7 +237,6 @@ ypproc_xfr_2_svc(argp, rqstp)
{
static struct ypresp_xfr res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_xfr *ypx = argp;
char tid[11], prog[11], port[11];
char ypxfr_proc[] = YPXFR_PROC;
@ -293,16 +245,14 @@ ypproc_xfr_2_svc(argp, rqstp)
memset(&res, 0, sizeof(res));
YPLOG("xfr_2: caller=[%s].%d, auth_ok=%s, domain=%s, tid=%d, prog=%d",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
ypx->map_parms.domain, ypx->transid, ypx->proto);
YPLOG(" ipadd=%s, port=%d, map=%s", inet_ntoa(caller->sin_addr),
ypx->port, ypx->map_parms.map);
YPLOG((allow_severity,
"xfr_2: request from %.500s, domain %s, tid %d, prog %d, port %d, "
"map %s", clientstr, ypx->map_parms.domain, ypx->transid,
ypx->proto, ypx->port, ypx->map_parms.map));
if (_yp_invalid_domain(ypx->map_parms.domain) ||
_yp_invalid_map(ypx->map_parms.map) ||
ntohs(caller->sin_port) >= IPPORT_RESERVED ||
!ok) {
ntohs(caller->sin_port) >= IPPORT_RESERVED) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
@ -339,18 +289,17 @@ ypproc_clear_2_svc(argp, rqstp)
{
static char res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
#ifdef OPTIMIZE_DB
char *optdbstr = True;
const char *optdbstr = True;
#else
char *optdbstr = False;
const char *optdbstr = False;
#endif
YPLOG("clear_2: caller=[%s].%d, auth_ok=%s, optimize_db=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
TORF(ok), optdbstr);
YPLOG((allow_severity,
"clear_2: request from %.500s, optimize_db %s",
clientstr, optdbstr));
if (ntohs(caller->sin_port) >= IPPORT_RESERVED || !ok) {
if (ntohs(caller->sin_port) >= IPPORT_RESERVED) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
@ -370,25 +319,21 @@ ypproc_all_2_svc(argp, rqstp)
{
static struct ypresp_all res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_nokey *k = argp;
pid_t pid;
int secure;
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map))
goto bail_all;
secure = ypdb_secure(k->domain, k->map);
YPLOG("all_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map);
if (!ok) {
bail_all:
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"all_2: request from %.500s, secure %s, domain %s, map %s",
clientstr, TORF(secure), k->domain, k->map));
memset(&res, 0, sizeof(res));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
@ -423,34 +368,25 @@ ypproc_master_2_svc(argp, rqstp)
static struct ypresp_master res;
static char *nopeer = "";
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_nokey *k = argp;
int secure;
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map))
goto bail_master;
secure = ypdb_secure(k->domain, k->map);
YPLOG(
"master_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map);
if (!ok) {
bail_master:
if (_yp_invalid_domain(k->domain) || _yp_invalid_map(k->map)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"master_2: request from %.500s, secure %s, domain %s, map %s",
clientstr, TORF(secure), k->domain, k->map));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED))
res.status = YP_YPERR;
else
res = ypdb_get_master(k->domain, k->map);
#ifdef DEBUG
yplog(" master2_status: %s", yperr_string(ypprot_err(res.status)));
#endif
/*
* This code was added because a yppoll <unknown-domain>
* from a sun crashed the server in xdr_string, trying
@ -475,26 +411,20 @@ ypproc_order_2_svc(argp, rqstp)
{
static struct ypresp_order res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
struct ypreq_nokey *k = argp;
int secure;
if (_yp_invalid_domain(k->domain))
goto bail_order;
secure = ypdb_secure(k->domain, k->map);
YPLOG(
"order_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
TORF(secure), k->domain, k->map);
if (!ok) {
bail_order:
if (_yp_invalid_domain(k->domain)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
secure = ypdb_secure(k->domain, k->map);
YPLOG((allow_severity,
"order_2: request from %.500s, secure %s, domain %s, map %s",
clientstr, TORF(secure), k->domain, k->map));
if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED))
res.status = YP_YPERR;
else if (_yp_invalid_map(k->map))
@ -502,10 +432,6 @@ bail_order:
else
res = ypdb_get_order(k->domain, k->map);
#ifdef DEBUG
yplog(" order2_status: %s", yperr_string(ypprot_err(res.status)));
#endif
return ((void *)&res);
}
@ -515,8 +441,6 @@ ypproc_maplist_2_svc(argp, rqstp)
struct svc_req *rqstp;
{
static struct ypresp_maplist res;
struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
int ok = acl_check_host(&caller->sin_addr);
char domain_path[MAXPATHLEN];
char *domain = *(char **)argp;
struct stat finfo;
@ -526,18 +450,15 @@ ypproc_maplist_2_svc(argp, rqstp)
int status;
struct ypmaplist *m;
if (_yp_invalid_domain(domain))
goto bail_maplist;
YPLOG("maplist_2: caller=[%s].%d, auth_ok=%s, domain=%s",
inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
domain);
if (!ok) {
bail_maplist:
if (_yp_invalid_domain(domain)) {
svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
return (NULL);
}
YPLOG((allow_severity,
"maplist_2: request from %.500s, domain %s",
clientstr, domain));
memset(&res, 0, sizeof(res));
snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, domain);
@ -594,9 +515,5 @@ bail_maplist:
res.status = status;
#ifdef DEBUG
yplog(" maplist_status: %s", yperr_string(ypprot_err(res.status)));
#endif
return ((void *)&res);
}
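Review bot: The non-LIBWRAP build of this file no longer compiles: `True`, `False` and `TORF` are now defined only inside the `#ifdef LIBWRAP` block of the second hunk, yet `ypproc_clear_2_svc` still initializes `optdbstr` from `True`/`False` unconditionally. Move the two `static const char *` definitions and `TORF` out of the `#ifdef`, or guard the `optdbstr` declaration with `#ifdef LIBWRAP` since it is only consumed by `YPLOG`. While there, make the macros hygienic: `#define YPLOG(x) do { if (lflag) syslog x; } while (0)` so the bare `if` cannot capture a following `else`, and `#define TORF(x) ((x) ? True : False)`. The key bytes logged with `%.*s` in match_2 and next_2 come verbatim from the client request; whether control characters are neutralized before they reach the log depends on syslog(3)/syslogd, which this page does not show, and that is worth a comment at the `YPLOG` definition.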