]> git.saurik.com Git - apple/libinfo.git/blob - util.subproj/rcmd.c
projects / apple / libinfo.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Libinfo-173.tar.gz
[apple/libinfo.git] / util.subproj / rcmd.c
1 /*
2 * Copyright (c) 1999 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25 /*
26 * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved.
27 * Copyright (c) 1983, 1993, 1994
28 * The Regents of the University of California. All rights reserved.
29 *
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions
32 * are met:
33 * 1. Redistributions of source code must retain the above copyright
34 * notice, this list of conditions and the following disclaimer.
35 * 2. Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in the
37 * documentation and/or other materials provided with the distribution.
38 * 3. All advertising materials mentioning features or use of this software
39 * must display the following acknowledgement:
40 * This product includes software developed by the University of
41 * California, Berkeley and its contributors.
42 * This product includes software developed by Theo de Raadt.
43 * 4. Neither the name of the University nor the names of its contributors
44 * may be used to endorse or promote products derived from this software
45 * without specific prior written permission.
46 *
47 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
50 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * SUCH DAMAGE.
58 *
59 * $FreeBSD: src/lib/libc/net/rcmd.c,v 1.23.2.5 2001/03/05 10:47:11 obrien Exp $
60 */
61
62 #if defined(LIBC_SCCS) && !defined(lint)
63 static char sccsid[] = "@(#)rcmd.c 8.3 (Berkeley) 3/26/94";
64 #endif /* LIBC_SCCS and not lint */
65
66 #include <sys/param.h>
67 #include <sys/socket.h>
68 #include <sys/stat.h>
69
70 #include <netinet/in.h>
71 #include <arpa/inet.h>
72 #include <netinfo/ni_util.h>
73
74 #include <signal.h>
75 #include <fcntl.h>
76 #include <netdb.h>
77 #include <unistd.h>
78 #include <pwd.h>
79 #include <errno.h>
80 #include <stdio.h>
81 #include <ctype.h>
82 #include <string.h>
83 #ifdef YP
84 #include <rpc/rpc.h>
85 #include <rpcsvc/yp_prot.h>
86 #include <rpcsvc/ypclnt.h>
87 #endif
88 #include <arpa/nameser8_compat.h>
89
90 /* wrapper for KAME-special getnameinfo() */
91 #ifndef NI_WITHSCOPEID
92 #define NI_WITHSCOPEID 0
93 #endif
94
95 #ifndef socklen_t
96 #define socklen_t int
97 #endif
98
99 extern int innetgr __P(( const char *, const char *, const char *, const char * ));
100 extern int bindresvport_sa(int, struct sockaddr *);
101
102 #define max(a, b) ((a > b) ? a : b)
103
104 int __ivaliduser __P((FILE *, u_int32_t, const char *, const char *));
105 int __ivaliduser_af __P((FILE *,const void *, const char *, const char *,
106 int, int));
107 int __ivaliduser_sa __P((FILE *, const struct sockaddr *, socklen_t,
108 const char *,const char *));
109 static int __icheckhost __P((const struct sockaddr *, socklen_t,
110 const char *));
111
112 int
113 rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, af)
114 char **ahost;
115 u_short rport;
116 const char *locuser, *remuser, *cmd;
117 int *fd2p;
118 int af;
119 {
120 struct addrinfo hints, *res, *ai;
121 struct sockaddr_storage from;
122 fd_set reads;
123 long oldmask;
124 pid_t pid;
125 int s, aport, lport, timo, error;
126 char c;
127 int refused, nres;
128 char num[8], paddr[NI_MAXHOST];
129 static char canonnamebuf[MAXDNAME]; /* is it proper here? */
130
131 pid = getpid();
132
133 memset(&hints, 0, sizeof(hints));
134 hints.ai_flags = AI_CANONNAME;
135 hints.ai_family = af;
136 hints.ai_socktype = SOCK_STREAM;
137 hints.ai_protocol = 0;
138 (void)snprintf(num, sizeof(num), "%d", ntohs(rport));
139 error = getaddrinfo(*ahost, num, &hints, &res);
140 if (error) {
141 fprintf(stderr, "rcmd: getaddrinfo: %s\n",
142 gai_strerror(error));
143 if (error == EAI_SYSTEM)
144 fprintf(stderr, "rcmd: getaddrinfo: %s\n",
145 strerror(errno));
146 return (-1);
147 }
148
149 if (res->ai_canonname
150 && strlen(res->ai_canonname) + 1 < sizeof(canonnamebuf)) {
151 strncpy(canonnamebuf, res->ai_canonname, sizeof(canonnamebuf));
152 *ahost = canonnamebuf;
153 }
154 nres = 0;
155 for (ai = res; ai; ai = ai->ai_next)
156 nres++;
157 ai = res;
158 refused = 0;
159 oldmask = sigblock(sigmask(SIGURG));
160 for (timo = 1, lport = IPPORT_RESERVED - 1;;) {
161 s = rresvport_af(&lport, ai->ai_family);
162 if (s < 0) {
163 if (errno != EAGAIN && ai->ai_next) {
164 ai = ai->ai_next;
165 continue;
166 }
167 if (errno == EAGAIN)
168 (void)fprintf(stderr,
169 "rcmd: socket: All ports in use\n");
170 else
171 (void)fprintf(stderr, "rcmd: socket: %s\n",
172 strerror(errno));
173 freeaddrinfo(res);
174 sigsetmask(oldmask);
175 return (-1);
176 }
177 fcntl(s, F_SETOWN, pid);
178 if (connect(s, ai->ai_addr, ai->ai_addrlen) >= 0)
179 break;
180 (void)close(s);
181 if (errno == EADDRINUSE) {
182 lport--;
183 continue;
184 }
185 if (errno == ECONNREFUSED)
186 refused = 1;
187 if (ai->ai_next == NULL && (!refused || timo > 16)) {
188 (void)fprintf(stderr, "%s: %s\n",
189 *ahost, strerror(errno));
190 freeaddrinfo(res);
191 sigsetmask(oldmask);
192 return (-1);
193 }
194 if (nres > 1) {
195 int oerrno = errno;
196
197 getnameinfo(ai->ai_addr, ai->ai_addrlen,
198 paddr, sizeof(paddr),
199 NULL, 0,
200 NI_NUMERICHOST|NI_WITHSCOPEID);
201 (void)fprintf(stderr, "connect to address %s: ",
202 paddr);
203 errno = oerrno;
204 perror(0);
205 }
206 if ((ai = ai->ai_next) == NULL) {
207 /* refused && timo <= 16 */
208 struct timespec time_to_sleep, time_remaining;
209
210 time_to_sleep.tv_sec = timo;
211 time_to_sleep.tv_nsec = 0;
212 (void)nanosleep(&time_to_sleep, &time_remaining);
213 timo *= 2;
214 ai = res;
215 refused = 0;
216 }
217 if (nres > 1) {
218 getnameinfo(ai->ai_addr, ai->ai_addrlen,
219 paddr, sizeof(paddr),
220 NULL, 0,
221 NI_NUMERICHOST|NI_WITHSCOPEID);
222 fprintf(stderr, "Trying %s...\n", paddr);
223 }
224 }
225 #if 0
226 /*
227 * try to rresvport() to the same port. This will make rresvport()
228 * fail it's first bind, resulting in it choosing a random port.
229 */
230 lport--;
231 #endif
232 if (fd2p == 0) {
233 write(s, "", 1);
234 lport = 0;
235 } else {
236 char num[8];
237 int s2 = rresvport_af(&lport, ai->ai_family), s3;
238 int len = ai->ai_addrlen;
239 int nfds;
240
241 if (s2 < 0)
242 goto bad;
243 listen(s2, 1);
244 (void)snprintf(num, sizeof(num), "%d", lport);
245 if (write(s, num, strlen(num)+1) != strlen(num)+1) {
246 (void)fprintf(stderr,
247 "rcmd: write (setting up stderr): %s\n",
248 strerror(errno));
249 (void)close(s2);
250 goto bad;
251 }
252 nfds = max(s, s2)+1;
253 if(nfds > FD_SETSIZE) {
254 fprintf(stderr, "rcmd: too many files\n");
255 (void)close(s2);
256 goto bad;
257 }
258 again:
259 FD_ZERO(&reads);
260 FD_SET(s, &reads);
261 FD_SET(s2, &reads);
262 errno = 0;
263 if (select(nfds, &reads, 0, 0, 0) < 1 || !FD_ISSET(s2, &reads)){
264 if (errno != 0)
265 (void)fprintf(stderr,
266 "rcmd: select (setting up stderr): %s\n",
267 strerror(errno));
268 else
269 (void)fprintf(stderr,
270 "select: protocol failure in circuit setup\n");
271 (void)close(s2);
272 goto bad;
273 }
274 s3 = accept(s2, (struct sockaddr *)&from, &len);
275 switch (from.ss_family) {
276 case AF_INET:
277 aport = ntohs(((struct sockaddr_in *)&from)->sin_port);
278 break;
279 #ifdef INET6
280 case AF_INET6:
281 aport = ntohs(((struct sockaddr_in6 *)&from)->sin6_port);
282 break;
283 #endif
284 default:
285 aport = 0; /* error */
286 break;
287 }
288 /*
289 * XXX careful for ftp bounce attacks. If discovered, shut them
290 * down and check for the real auxiliary channel to connect.
291 */
292 if (aport == 20) {
293 close(s3);
294 goto again;
295 }
296 (void)close(s2);
297 if (s3 < 0) {
298 (void)fprintf(stderr,
299 "rcmd: accept: %s\n", strerror(errno));
300 lport = 0;
301 goto bad;
302 }
303 *fd2p = s3;
304 if (aport >= IPPORT_RESERVED || aport < IPPORT_RESERVED / 2) {
305 (void)fprintf(stderr,
306 "socket: protocol failure in circuit setup.\n");
307 goto bad2;
308 }
309 }
310 (void)write(s, locuser, strlen(locuser)+1);
311 (void)write(s, remuser, strlen(remuser)+1);
312 (void)write(s, cmd, strlen(cmd)+1);
313 if (read(s, &c, 1) != 1) {
314 (void)fprintf(stderr,
315 "rcmd: %s: %s\n", *ahost, strerror(errno));
316 goto bad2;
317 }
318 if (c != 0) {
319 while (read(s, &c, 1) == 1) {
320 (void)write(STDERR_FILENO, &c, 1);
321 if (c == '\n')
322 break;
323 }
324 goto bad2;
325 }
326 sigsetmask(oldmask);
327 freeaddrinfo(res);
328 return (s);
329 bad2:
330 if (lport)
331 (void)close(*fd2p);
332 bad:
333 (void)close(s);
334 sigsetmask(oldmask);
335 freeaddrinfo(res);
336 return (-1);
337 }
338
339 int
340 rcmd(ahost, rport, locuser, remuser, cmd, fd2p)
341 char **ahost;
342 in_port_t rport;
343 const char *locuser, *remuser, *cmd;
344 int *fd2p;
345 {
346 return rcmd_af(ahost, rport, locuser, remuser, cmd, fd2p, AF_INET);
347 }
348
349 int
350 rresvport(port)
351 int *port;
352 {
353 return rresvport_af(port, AF_INET);
354 }
355
356 int
357 rresvport_af(alport, family)
358 int *alport, family;
359 {
360 int s;
361 struct sockaddr_storage ss;
362 u_short *sport;
363
364 memset(&ss, 0, sizeof(ss));
365 ss.ss_family = family;
366 switch (family) {
367 case AF_INET:
368 ((struct sockaddr *)&ss)->sa_len = sizeof(struct sockaddr_in);
369 sport = &((struct sockaddr_in *)&ss)->sin_port;
370 ((struct sockaddr_in *)&ss)->sin_addr.s_addr = INADDR_ANY;
371 break;
372 #ifdef INET6
373 case AF_INET6:
374 ((struct sockaddr *)&ss)->sa_len = sizeof(struct sockaddr_in6);
375 sport = &((struct sockaddr_in6 *)&ss)->sin6_port;
376 ((struct sockaddr_in6 *)&ss)->sin6_addr = in6addr_any;
377 break;
378 #endif
379 default:
380 errno = EAFNOSUPPORT;
381 return -1;
382 }
383
384 s = socket(ss.ss_family, SOCK_STREAM, 0);
385 if (s < 0)
386 return (-1);
387 #if 0 /* compat_exact_traditional_rresvport_semantics */
388 sin.sin_port = htons((u_short)*alport);
389 if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
390 return (s);
391 if (errno != EADDRINUSE) {
392 (void)close(s);
393 return (-1);
394 }
395 #endif
396 *sport = 0;
397 if (bindresvport_sa(s, (struct sockaddr *)&ss) == -1) {
398 (void)close(s);
399 return (-1);
400 }
401 *alport = (int)ntohs(*sport);
402 return (s);
403 }
404
405 int __check_rhosts_file = 1;
406 char *__rcmd_errstr;
407
408 /*
409 * AF independent extension of iruserok.
410 *
411 * Returns 0 if ok, -1 if not ok.
412 */
413 int
414 iruserok_sa(ra, rlen, superuser, ruser, luser)
415 const void *ra;
416 int rlen;
417 int superuser;
418 const char *ruser, *luser;
419 {
420 register char *cp;
421 struct stat sbuf;
422 struct passwd *pwd;
423 FILE *hostf;
424 uid_t uid;
425 int first;
426 char pbuf[MAXPATHLEN];
427 const struct sockaddr *raddr;
428 struct sockaddr_storage ss;
429
430 /* avoid alignment issue */
431 if (rlen > sizeof(ss))
432 return(-1);
433 memcpy(&ss, ra, rlen);
434 raddr = (struct sockaddr *)&ss;
435
436 first = 1;
437 hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r");
438 again:
439 if (hostf) {
440 if (__ivaliduser_sa(hostf, raddr, rlen, luser, ruser) == 0) {
441 (void)fclose(hostf);
442 return (0);
443 }
444 (void)fclose(hostf);
445 }
446 if (first == 1 && (__check_rhosts_file || superuser)) {
447 first = 0;
448 if ((pwd = getpwnam(luser)) == NULL)
449 return (-1);
450 (void)strcpy(pbuf, pwd->pw_dir);
451 (void)strcat(pbuf, "/.rhosts");
452
453 /*
454 * Change effective uid while opening .rhosts. If root and
455 * reading an NFS mounted file system, can't read files that
456 * are protected read/write owner only.
457 */
458 uid = geteuid();
459 (void)seteuid(pwd->pw_uid);
460 hostf = fopen(pbuf, "r");
461 (void)seteuid(uid);
462
463 if (hostf == NULL)
464 return (-1);
465 /*
466 * If not a regular file, or is owned by someone other than
467 * user or root or if writeable by anyone but the owner, quit.
468 */
469 cp = NULL;
470 if (lstat(pbuf, &sbuf) < 0)
471 cp = ".rhosts lstat failed";
472 else if (!S_ISREG(sbuf.st_mode))
473 cp = ".rhosts not regular file";
474 else if (fstat(fileno(hostf), &sbuf) < 0)
475 cp = ".rhosts fstat failed";
476 else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
477 cp = "bad .rhosts owner";
478 else if (sbuf.st_mode & (S_IWGRP|S_IWOTH))
479 cp = ".rhosts writeable by other than owner";
480 /* If there were any problems, quit. */
481 if (cp) {
482 __rcmd_errstr = cp;
483 (void)fclose(hostf);
484 return (-1);
485 }
486 goto again;
487 }
488 return (-1);
489 }
490
491 int
492 ruserok(rhost, superuser, ruser, luser)
493 const char *rhost, *ruser, *luser;
494 int superuser;
495 {
496 struct addrinfo hints, *res, *r;
497 int error;
498
499 memset(&hints, 0, sizeof(hints));
500 hints.ai_family = PF_UNSPEC;
501 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
502 error = getaddrinfo(rhost, "0", &hints, &res);
503 if (error)
504 return (-1);
505
506 for (r = res; r; r = r->ai_next) {
507 if (iruserok_sa(r->ai_addr, r->ai_addrlen, superuser, ruser,
508 luser) == 0) {
509 freeaddrinfo(res);
510 return (0);
511 }
512 }
513 freeaddrinfo(res);
514 return (-1);
515 }
516
517 /*
518 * New .rhosts strategy: We are passed an ip address. We spin through
519 * hosts.equiv and .rhosts looking for a match. When the .rhosts only
520 * has ip addresses, we don't have to trust a nameserver. When it
521 * contains hostnames, we spin through the list of addresses the nameserver
522 * gives us and look for a match.
523 *
524 * Returns 0 if ok, -1 if not ok.
525 */
526 int
527 iruserok(raddr, superuser, ruser, luser)
528 unsigned long raddr;
529 int superuser;
530 const char *ruser, *luser;
531 {
532 struct sockaddr_in sin;
533
534 memset(&sin, 0, sizeof(sin));
535 sin.sin_family = AF_INET;
536 sin.sin_len = sizeof(struct sockaddr_in);
537 memcpy(&sin.sin_addr, &raddr, sizeof(sin.sin_addr));
538 return iruserok_sa((struct sockaddr *)&sin, sin.sin_len, superuser,
539 ruser, luser);
540 }
541
542 /*
543 * XXX
544 * Don't make static, used by lpd(8).
545 *
546 * Returns 0 if ok, -1 if not ok.
547 */
548 int
549 __ivaliduser(hostf, raddr, luser, ruser)
550 FILE *hostf;
551 u_int32_t raddr;
552 const char *luser, *ruser;
553 {
554 struct sockaddr_in sin;
555
556 memset(&sin, 0, sizeof(sin));
557 sin.sin_family = AF_INET;
558 sin.sin_len = sizeof(struct sockaddr_in);
559 memcpy(&sin.sin_addr, &raddr, sizeof(sin.sin_addr));
560 return __ivaliduser_sa(hostf, (struct sockaddr *)&sin, sin.sin_len,
561 luser, ruser);
562 }
563
564 /*
565 * Returns 0 if ok, -1 if not ok.
566 *
567 * XXX obsolete API.
568 */
569 int
570 __ivaliduser_af(hostf, raddr, luser, ruser, af, len)
571 FILE *hostf;
572 const void *raddr;
573 const char *luser, *ruser;
574 int af, len;
575 {
576 struct sockaddr *sa = NULL;
577 struct sockaddr_in *sin = NULL;
578 #ifdef INET6
579 struct sockaddr_in6 *sin6 = NULL;
580 #endif
581 struct sockaddr_storage ss;
582
583 memset(&ss, 0, sizeof(ss));
584 switch (af) {
585 case AF_INET:
586 if (len != sizeof(sin->sin_addr))
587 return -1;
588 sin = (struct sockaddr_in *)&ss;
589 sin->sin_family = AF_INET;
590 sin->sin_len = sizeof(struct sockaddr_in);
591 memcpy(&sin->sin_addr, raddr, sizeof(sin->sin_addr));
592 break;
593 #ifdef INET6
594 case AF_INET6:
595 if (len != sizeof(sin6->sin6_addr))
596 return -1;
597 /* you will lose scope info */
598 sin6 = (struct sockaddr_in6 *)&ss;
599 sin6->sin6_family = AF_INET6;
600 sin6->sin6_len = sizeof(struct sockaddr_in6);
601 memcpy(&sin6->sin6_addr, raddr, sizeof(sin6->sin6_addr));
602 break;
603 #endif
604 default:
605 return -1;
606 }
607
608 sa = (struct sockaddr *)&ss;
609 return __ivaliduser_sa(hostf, sa, sa->sa_len, luser, ruser);
610 }
611
612 /*
613 * Returns 0 if ok, -1 if not ok.
614 */
615 int
616 __ivaliduser_sa(hostf, raddr, salen, luser, ruser)
617 FILE *hostf;
618 const struct sockaddr *raddr;
619 socklen_t salen;
620 const char *luser, *ruser;
621 {
622 register char *user, *p;
623 int ch;
624 char buf[MAXHOSTNAMELEN + 128]; /* host + login */
625 char hname[MAXHOSTNAMELEN];
626 /* Presumed guilty until proven innocent. */
627 int userok = 0, hostok = 0;
628 #ifdef YP
629 char *ypdomain;
630
631 if (yp_get_default_domain(&ypdomain))
632 ypdomain = NULL;
633 #else
634 #define ypdomain NULL
635 #endif
636 /*
637 * We try to get the hostname back for netgroup matching.
638 * However, the .rosts file may contain IP addresses as well
639 * as names, so a name is not always required.
640 */
641 getnameinfo(raddr, salen, hname, sizeof(hname), NULL, 0, NI_NAMEREQD);
642
643 while (fgets(buf, sizeof(buf), hostf)) {
644 p = buf;
645 /* Skip lines that are too long. */
646 if (strchr(p, '\n') == NULL) {
647 while ((ch = getc(hostf)) != '\n' && ch != EOF);
648 continue;
649 }
650 if (*p == '\n' || *p == '#') {
651 /* comment... */
652 continue;
653 }
654 while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
655 *p = isupper((unsigned char)*p) ? tolower((unsigned char)*p) : *p;
656 p++;
657 }
658 if (*p == ' ' || *p == '\t') {
659 *p++ = '\0';
660 while (*p == ' ' || *p == '\t')
661 p++;
662 user = p;
663 while (*p != '\n' && *p != ' ' &&
664 *p != '\t' && *p != '\0')
665 p++;
666 } else
667 user = p;
668 *p = '\0';
669 /*
670 * Do +/- and +@/-@ checking. This looks really nasty,
671 * but it matches SunOS's behavior so far as I can tell.
672 */
673 switch(buf[0]) {
674 case '+':
675 if (!buf[1]) { /* '+' matches all hosts */
676 hostok = 1;
677 break;
678 }
679 if (buf[1] == '@') /* match a host by netgroup */
680 hostok = innetgr((char *)&buf[2],
681 (char *)&hname, NULL, ypdomain);
682 else /* match a host by addr */
683 hostok = __icheckhost(raddr, salen,
684 (char *)&buf[1]);
685 break;
686 case '-': /* reject '-' hosts and all their users */
687 if (buf[1] == '@') {
688 if (innetgr((char *)&buf[2],
689 (char *)&hname, NULL, ypdomain))
690 return(-1);
691 } else {
692 if (__icheckhost(raddr, salen,
693 (char *)&buf[1]))
694 return(-1);
695 }
696 break;
697 default: /* if no '+' or '-', do a simple match */
698 hostok = __icheckhost(raddr, salen, buf);
699 break;
700 }
701 switch(*user) {
702 case '+':
703 if (!*(user+1)) { /* '+' matches all users */
704 userok = 1;
705 break;
706 }
707 if (*(user+1) == '@') /* match a user by netgroup */
708 userok = innetgr(user+2, NULL, ruser, ypdomain);
709 else /* match a user by direct specification */
710 userok = !(strcmp(ruser, user+1));
711 break;
712 case '-': /* if we matched a hostname, */
713 if (hostok) { /* check for user field rejections */
714 if (!*(user+1))
715 return(-1);
716 if (*(user+1) == '@') {
717 if (innetgr(user+2, NULL,
718 ruser, ypdomain))
719 return(-1);
720 } else {
721 if (!strcmp(ruser, user+1))
722 return(-1);
723 }
724 }
725 break;
726 default: /* no rejections: try to match the user */
727 if (hostok)
728 userok = !(strcmp(ruser,*user ? user : luser));
729 break;
730 }
731 if (hostok && userok)
732 return(0);
733 }
734 return (-1);
735 }
736
737 /*
738 * Returns "true" if match, 0 if no match.
739 *
740 * NI_WITHSCOPEID is useful for comparing sin6_scope_id portion
741 * if af == AF_INET6.
742 */
743 static int
744 __icheckhost(raddr, salen, lhost)
745 const struct sockaddr *raddr;
746 socklen_t salen;
747 const char *lhost;
748 {
749 struct sockaddr_in sin;
750 struct sockaddr_in6 *sin6;
751 struct addrinfo hints, *res, *r;
752 int error;
753 char h1[NI_MAXHOST], h2[NI_MAXHOST];
754
755 if (raddr->sa_family == AF_INET6) {
756 sin6 = (struct sockaddr_in6 *)raddr;
757 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
758 memset(&sin, 0, sizeof(sin));
759 sin.sin_family = AF_INET;
760 sin.sin_len = sizeof(struct sockaddr_in);
761 memcpy(&sin.sin_addr, &sin6->sin6_addr.s6_addr[12],
762 sizeof(sin.sin_addr));
763 raddr = (struct sockaddr *)&sin;
764 salen = sin.sin_len;
765 }
766 }
767
768 h1[0] = '\0';
769 if (getnameinfo(raddr, salen, h1, sizeof(h1), NULL, 0,
770 NI_NUMERICHOST | NI_WITHSCOPEID) != 0)
771 return (0);
772
773 /* Resolve laddr into sockaddr */
774 memset(&hints, 0, sizeof(hints));
775 hints.ai_family = raddr->sa_family;
776 hints.ai_socktype = SOCK_DGRAM; /*XXX dummy*/
777 res = NULL;
778 error = getaddrinfo(lhost, "0", &hints, &res);
779 if (error)
780 return (0);
781
782 for (r = res; r ; r = r->ai_next) {
783 h2[0] = '\0';
784 if (getnameinfo(r->ai_addr, r->ai_addrlen, h2, sizeof(h2),
785 NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID) != 0)
786 continue;
787 if (strcmp(h1, h2) == 0) {
788 freeaddrinfo(res);
789 return (1);
790 }
791 }
792
793 /* No match. */
794 freeaddrinfo(res);
795 return (0);
796 }
mirror of libinfo