summaryrefslogtreecommitdiff
path: root/auth-rhosts.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2014-12-23 22:42:48 +0000
committerDamien Miller <djm@mindrot.org>2015-01-09 00:13:35 +1100
commit5191df927db282d3123ca2f34a04d8d96153911a (patch)
tree753b6b2d184072f6db142b9352fc61f879a37bae /auth-rhosts.c
parent8abd80315d3419b20e6938f74d37e2e2b547f0b7 (diff)
upstream commit
KNF and add a little more debug()
Diffstat (limited to 'auth-rhosts.c')
-rw-r--r--auth-rhosts.c64
1 files changed, 42 insertions, 22 deletions
diff --git a/auth-rhosts.c b/auth-rhosts.c
index b5bedee8d..ee9e827af 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-rhosts.c,v 1.45 2014/07/15 15:54:14 millert Exp $ */ 1/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,7 +57,8 @@ check_rhosts_file(const char *filename, const char *hostname,
57 const char *server_user) 57 const char *server_user)
58{ 58{
59 FILE *f; 59 FILE *f;
60 char buf[1024]; /* Must not be larger than host, user, dummy below. */ 60#define RBUFLN 1024
61 char buf[RBUFLN];/* Must not be larger than host, user, dummy below. */
61 int fd; 62 int fd;
62 struct stat st; 63 struct stat st;
63 64
@@ -80,8 +81,9 @@ check_rhosts_file(const char *filename, const char *hostname,
80 return 0; 81 return 0;
81 } 82 }
82 while (fgets(buf, sizeof(buf), f)) { 83 while (fgets(buf, sizeof(buf), f)) {
83 /* All three must be at least as big as buf to avoid overflows. */ 84 /* All three must have length >= buf to avoid overflows. */
84 char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp; 85 char hostbuf[RBUFLN], userbuf[RBUFLN], dummy[RBUFLN];
86 char *host, *user, *cp;
85 int negated; 87 int negated;
86 88
87 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) 89 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
@@ -140,8 +142,8 @@ check_rhosts_file(const char *filename, const char *hostname,
140 /* Check for empty host/user names (particularly '+'). */ 142 /* Check for empty host/user names (particularly '+'). */
141 if (!host[0] || !user[0]) { 143 if (!host[0] || !user[0]) {
142 /* We come here if either was '+' or '-'. */ 144 /* We come here if either was '+' or '-'. */
143 auth_debug_add("Ignoring wild host/user names in %.100s.", 145 auth_debug_add("Ignoring wild host/user names "
144 filename); 146 "in %.100s.", filename);
145 continue; 147 continue;
146 } 148 }
147 /* Verify that host name matches. */ 149 /* Verify that host name matches. */
@@ -149,7 +151,8 @@ check_rhosts_file(const char *filename, const char *hostname,
149 if (!innetgr(host + 1, hostname, NULL, NULL) && 151 if (!innetgr(host + 1, hostname, NULL, NULL) &&
150 !innetgr(host + 1, ipaddr, NULL, NULL)) 152 !innetgr(host + 1, ipaddr, NULL, NULL))
151 continue; 153 continue;
152 } else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0) 154 } else if (strcasecmp(host, hostname) &&
155 strcmp(host, ipaddr) != 0)
153 continue; /* Different hostname. */ 156 continue; /* Different hostname. */
154 157
155 /* Verify that user name matches. */ 158 /* Verify that user name matches. */
@@ -208,7 +211,8 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
208 /* Switch to the user's uid. */ 211 /* Switch to the user's uid. */
209 temporarily_use_uid(pw); 212 temporarily_use_uid(pw);
210 /* 213 /*
211 * Quick check: if the user has no .shosts or .rhosts files, return 214 * Quick check: if the user has no .shosts or .rhosts files and
215 * no system hosts.equiv/shosts.equiv files exist then return
212 * failure immediately without doing costly lookups from name 216 * failure immediately without doing costly lookups from name
213 * servers. 217 * servers.
214 */ 218 */
@@ -223,27 +227,38 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
223 /* Switch back to privileged uid. */ 227 /* Switch back to privileged uid. */
224 restore_uid(); 228 restore_uid();
225 229
226 /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */ 230 /*
231 * Deny if The user has no .shosts or .rhosts file and there
232 * are no system-wide files.
233 */
227 if (!rhosts_files[rhosts_file_index] && 234 if (!rhosts_files[rhosts_file_index] &&
228 stat(_PATH_RHOSTS_EQUIV, &st) < 0 && 235 stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
229 stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) 236 stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) {
237 debug3("%s: no hosts access files exist", __func__);
230 return 0; 238 return 0;
239 }
231 240
232 /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ 241 /*
233 if (pw->pw_uid != 0) { 242 * If not logging in as superuser, try /etc/hosts.equiv and
243 * shosts.equiv.
244 */
245 if (pw->pw_uid == 0)
246 debug3("%s: root user, ignoring system hosts files", __func__);
247 else {
234 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, 248 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
235 client_user, pw->pw_name)) { 249 client_user, pw->pw_name)) {
236 auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", 250 auth_debug_add("Accepted for %.100s [%.100s] by "
237 hostname, ipaddr); 251 "/etc/hosts.equiv.", hostname, ipaddr);
238 return 1; 252 return 1;
239 } 253 }
240 if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, 254 if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
241 client_user, pw->pw_name)) { 255 client_user, pw->pw_name)) {
242 auth_debug_add("Accepted for %.100s [%.100s] by %.100s.", 256 auth_debug_add("Accepted for %.100s [%.100s] by "
243 hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); 257 "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
244 return 1; 258 return 1;
245 } 259 }
246 } 260 }
261
247 /* 262 /*
248 * Check that the home directory is owned by root or the user, and is 263 * Check that the home directory is owned by root or the user, and is
249 * not group or world writable. 264 * not group or world writable.
@@ -290,20 +305,25 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
290 auth_debug_add("Bad file modes for %.200s", buf); 305 auth_debug_add("Bad file modes for %.200s", buf);
291 continue; 306 continue;
292 } 307 }
293 /* Check if we have been configured to ignore .rhosts and .shosts files. */ 308 /*
309 * Check if we have been configured to ignore .rhosts
310 * and .shosts files.
311 */
294 if (options.ignore_rhosts) { 312 if (options.ignore_rhosts) {
295 auth_debug_add("Server has been configured to ignore %.100s.", 313 auth_debug_add("Server has been configured to "
296 rhosts_files[rhosts_file_index]); 314 "ignore %.100s.", rhosts_files[rhosts_file_index]);
297 continue; 315 continue;
298 } 316 }
299 /* Check if authentication is permitted by the file. */ 317 /* Check if authentication is permitted by the file. */
300 if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) { 318 if (check_rhosts_file(buf, hostname, ipaddr,
319 client_user, pw->pw_name)) {
301 auth_debug_add("Accepted by %.100s.", 320 auth_debug_add("Accepted by %.100s.",
302 rhosts_files[rhosts_file_index]); 321 rhosts_files[rhosts_file_index]);
303 /* Restore the privileged uid. */ 322 /* Restore the privileged uid. */
304 restore_uid(); 323 restore_uid();
305 auth_debug_add("Accepted host %s ip %s client_user %s server_user %s", 324 auth_debug_add("Accepted host %s ip %s client_user "
306 hostname, ipaddr, client_user, pw->pw_name); 325 "%s server_user %s", hostname, ipaddr,
326 client_user, pw->pw_name);
307 return 1; 327 return 1;
308 } 328 }
309 } 329 }
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 12:25:13 +0000