/*
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
ssh_create_socket(int privileged, struct addrinfo *ai)
{
int sock, gaierr;
struct addrinfo hints, *res;
/*
* If we are running as root and want to connect to a privileged
* port, bind our own socket to a privileged port.
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
PRIV_START;
sock = rresvport_af(&p, ai->ai_family);
PRIV_END;
if (sock < 0)
error("rresvport: af=%d %.100s", ai->ai_family,
strerror(errno));
else
debug("Allocated local port %d.", p);
if (options.tcp_rcv_buf > 0)
ssh_set_socket_recvbuf(sock);
return sock;
}
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
return -1;
}
fcntl(sock, F_SETFD, FD_CLOEXEC);
if (options.tcp_rcv_buf > 0)
ssh_set_socket_recvbuf(sock);
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
return sock;
memset(&hints, 0, sizeof(hints));
hints.ai_family = ai->ai_family;
hints.ai_socktype = ai->ai_socktype;
hints.ai_protocol = ai->ai_protocol;
hints.ai_flags = AI_PASSIVE;
gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
if (gaierr) {
error("getaddrinfo: %s: %s", options.bind_address,
ssh_gai_strerror(gaierr));
close(sock);
return -1;
}
if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
error("bind: %s: %s", options.bind_address, strerror(errno));
close(sock);
freeaddrinfo(res);
return -1;
}
freeaddrinfo(res);
return sock;
}
/*
* Create a TCP connection to host "rhost" at port "rport".
* If rport == 0, then use the printer service port.
* Most of this code comes from rcmd.c.
*/
int
getport(const struct printer *pp, const char *rhost, int rport)
{
struct addrinfo hints, *res, *ai;
int s, timo = 1, lport = IPPORT_RESERVED - 1;
int error, refused = 0;
/*
* Get the host address and port number to connect to.
*/
if (rhost == NULL)
fatal(pp, "no remote host to connect to");
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = 0;
error = getaddrinfo(rhost, (rport == 0 ? "printer" : NULL),
&hints, &res);
if (error)
fatal(pp, "%s\n", gai_strerror(error));
if (rport != 0)
((struct sockaddr_in *) res->ai_addr)->sin_port = htons(rport);
/*
* Try connecting to the server.
*/
ai = res;
retry:
PRIV_START
s = rresvport_af(&lport, ai->ai_family);
PRIV_END
if (s < 0) {
if (errno != EAGAIN) {
if (ai->ai_next) {
ai = ai->ai_next;
goto retry;
}
if (refused && timo <= 16) {
sleep(timo);
timo *= 2;
refused = 0;
ai = res;
goto retry;
}
}
freeaddrinfo(res);
return(-1);
}
if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0) {
error = errno;
(void) close(s);
errno = error;
/*
* This used to decrement lport, but the current semantics
* of rresvport do not provide such a function (in fact,
* rresvport should guarantee that the chosen port will
* never result in an EADDRINUSE).
*/
if (errno == EADDRINUSE) {
goto retry;
}
if (errno == ECONNREFUSED)
refused++;
if (ai->ai_next != NULL) {
ai = ai->ai_next;
goto retry;
}
if (refused && timo <= 16) {
sleep(timo);
timo *= 2;
refused = 0;
ai = res;
goto retry;
}
freeaddrinfo(res);
return(-1);
}
freeaddrinfo(res);
return(s);
}
static int /* O - Zero on success, non-zero on failure */
lpd_queue(const char *hostname, /* I - Host to connect to */
http_addrlist_t *addrlist, /* I - List of host addresses */
const char *printer, /* I - Printer/queue name */
int print_fd, /* I - File to print */
int snmp_fd, /* I - SNMP socket */
int mode, /* I - Print mode */
const char *user, /* I - Requesting user */
const char *title, /* I - Job title */
int copies, /* I - Number of copies */
int banner, /* I - Print LPD banner? */
int format, /* I - Format specifier */
int order, /* I - Order of data/control files */
int reserve, /* I - Reserve ports? */
int manual_copies,/* I - Do copies by hand... */
int timeout, /* I - Timeout... */
int contimeout, /* I - Connection timeout */
const char *orighost) /* I - job-originating-host-name */
{
char localhost[255]; /* Local host name */
int error; /* Error number */
struct stat filestats; /* File statistics */
int lport; /* LPD connection local port */
int fd; /* LPD socket */
char control[10240], /* LPD control 'file' */
*cptr; /* Pointer into control file string */
char status; /* Status byte from command */
int delay; /* Delay for retries... */
char addrname[256]; /* Address name */
http_addrlist_t *addr; /* Socket address */
int have_supplies; /* Printer supports supply levels? */
int copy; /* Copies written */
time_t start_time; /* Time of first connect */
size_t nbytes; /* Number of bytes written */
off_t tbytes; /* Total bytes written */
char buffer[32768]; /* Output buffer */
#ifdef WIN32
DWORD tv; /* Timeout in milliseconds */
#else
struct timeval tv; /* Timeout in secs and usecs */
#endif /* WIN32 */
/*
* Remember when we started trying to connect to the printer...
*/
start_time = time(NULL);
/*
* Loop forever trying to print the file...
*/
while (!abort_job)
{
/*
* First try to reserve a port for this connection...
*/
fprintf(stderr, "DEBUG: Connecting to %s:%d for printer %s\n", hostname,
httpAddrPort(&(addrlist->addr)), printer);
_cupsLangPrintFilter(stderr, "INFO", _("Connecting to printer."));
for (lport = reserve == RESERVE_RFC1179 ? 732 : 1024, addr = addrlist,
delay = 5;;
addr = addr->next)
{
/*
* Stop if this job has been canceled...
*/
if (abort_job)
return (CUPS_BACKEND_FAILED);
/*
* Choose the next priviledged port...
*/
if (!addr)
addr = addrlist;
lport --;
if (lport < 721 && reserve == RESERVE_RFC1179)
lport = 731;
else if (lport < 1)
lport = 1023;
#ifdef HAVE_GETEUID
if (geteuid() || !reserve)
#else
if (getuid() || !reserve)
#endif /* HAVE_GETEUID */
{
/*
* Just create a regular socket...
*/
if ((fd = socket(addr->addr.addr.sa_family, SOCK_STREAM, 0)) < 0)
{
perror("DEBUG: Unable to create socket");
sleep(1);
continue;
}
lport = 0;
}
else
{
/*
* We're running as root and want to comply with RFC 1179. Reserve a
* priviledged lport between 721 and 731...
*/
if ((fd = rresvport_af(&lport, addr->addr.addr.sa_family)) < 0)
{
perror("DEBUG: Unable to reserve port");
sleep(1);
continue;
}
}
/*
* Connect to the printer or server...
*/
if (abort_job)
{
close(fd);
return (CUPS_BACKEND_FAILED);
}
if (!connect(fd, &(addr->addr.addr), httpAddrLength(&(addr->addr))))
break;
error = errno;
close(fd);
if (addr->next)
continue;
if (getenv("CLASS") != NULL)
{
/*
* If the CLASS environment variable is set, the job was submitted
* to a class and not to a specific queue. In this case, we want
* to abort immediately so that the job can be requeued on the next
* available printer in the class.
*/
_cupsLangPrintFilter(stderr, "INFO",
_("Unable to contact printer, queuing on next "
"printer in class."));
/*
* Sleep 5 seconds to keep the job from requeuing too rapidly...
*/
sleep(5);
return (CUPS_BACKEND_FAILED);
}
fprintf(stderr, "DEBUG: Connection error: %s\n", strerror(error));
if (error == ECONNREFUSED || error == EHOSTDOWN ||
error == EHOSTUNREACH)
{
if (contimeout && (time(NULL) - start_time) > contimeout)
{
_cupsLangPrintFilter(stderr, "ERROR",
_("The printer is not responding."));
return (CUPS_BACKEND_FAILED);
}
switch (error)
{
case EHOSTDOWN :
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer may not exist or "
"is unavailable at this time."));
break;
case EHOSTUNREACH :
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer is unreachable at "
"this time."));
break;
case ECONNREFUSED :
default :
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer is in use."));
break;
}
sleep(delay);
if (delay < 30)
delay += 5;
}
else if (error == EADDRINUSE)
{
/*
* Try on another port...
*/
sleep(1);
}
else
{
_cupsLangPrintFilter(stderr, "ERROR",
_("The printer is not responding."));
sleep(30);
}
}
/*
* Set the timeout...
*/
#ifdef WIN32
tv = (DWORD)(timeout * 1000);
setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv, sizeof(tv));
setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tv, sizeof(tv));
#else
tv.tv_sec = timeout;
tv.tv_usec = 0;
setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
#endif /* WIN32 */
fputs("STATE: -connecting-to-device\n", stderr);
_cupsLangPrintFilter(stderr, "INFO", _("Connected to printer."));
fprintf(stderr, "DEBUG: Connected to %s:%d (local port %d)...\n",
httpAddrString(&(addr->addr), addrname, sizeof(addrname)),
httpAddrPort(&(addr->addr)), lport);
/*
* See if the printer supports SNMP...
*/
if (snmp_fd >= 0)
have_supplies = !backendSNMPSupplies(snmp_fd, &(addrlist->addr), NULL,
NULL);
else
have_supplies = 0;
/*
* Check for side-channel requests...
*/
backendCheckSideChannel(snmp_fd, &(addrlist->addr));
/*
* Next, open the print file and figure out its size...
*/
if (print_fd)
{
/*
* Use the size from the print file...
*/
if (fstat(print_fd, &filestats))
{
close(fd);
perror("DEBUG: unable to stat print file");
return (CUPS_BACKEND_FAILED);
}
filestats.st_size *= manual_copies;
}
else
{
/*
* Use a "very large value" for the size so that the printer will
* keep printing until we close the connection...
*/
#ifdef _LARGEFILE_SOURCE
filestats.st_size = (size_t)(999999999999.0);
#else
filestats.st_size = 2147483647;
#endif /* _LARGEFILE_SOURCE */
}
/*
* Send a job header to the printer, specifying no banner page and
* literal output...
*/
if (lpd_command(fd, "\002%s\n",
printer)) /* Receive print job(s) */
{
close(fd);
return (CUPS_BACKEND_FAILED);
}
if (orighost && _cups_strcasecmp(orighost, "localhost"))
strlcpy(localhost, orighost, sizeof(localhost));
else
httpGetHostname(NULL, localhost, sizeof(localhost));
snprintf(control, sizeof(control),
"H%.31s\n" /* RFC 1179, Section 7.2 - host name <= 31 chars */
"P%.31s\n" /* RFC 1179, Section 7.2 - user name <= 31 chars */
"J%.99s\n", /* RFC 1179, Section 7.2 - job name <= 99 chars */
localhost, user, title);
cptr = control + strlen(control);
if (banner)
{
snprintf(cptr, sizeof(control) - (cptr - control),
"C%.31s\n" /* RFC 1179, Section 7.2 - class name <= 31 chars */
"L%s\n",
localhost, user);
cptr += strlen(cptr);
}
while (copies > 0)
{
snprintf(cptr, sizeof(control) - (cptr - control), "%cdfA%03d%.15s\n",
format, (int)getpid() % 1000, localhost);
cptr += strlen(cptr);
copies --;
}
snprintf(cptr, sizeof(control) - (cptr - control),
"UdfA%03d%.15s\n"
"N%.131s\n", /* RFC 1179, Section 7.2 - sourcefile name <= 131 chars */
(int)getpid() % 1000, localhost, title);
fprintf(stderr, "DEBUG: Control file is:\n%s", control);
if (order == ORDER_CONTROL_DATA)
{
/*
* Check for side-channel requests...
*/
backendCheckSideChannel(snmp_fd, &(addr->addr));
/*
* Send the control file...
*/
if (lpd_command(fd, "\002%d cfA%03.3d%.15s\n", strlen(control),
(int)getpid() % 1000, localhost))
{
close(fd);
return (CUPS_BACKEND_FAILED);
}
fprintf(stderr, "DEBUG: Sending control file (%u bytes)\n",
(unsigned)strlen(control));
if (lpd_write(fd, control, strlen(control) + 1) < (strlen(control) + 1))
{
status = errno;
perror("DEBUG: Unable to write control file");
}
else
{
if (read(fd, &status, 1) < 1)
{
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer did not respond."));
status = errno;
}
}
if (status != 0)
_cupsLangPrintFilter(stderr, "ERROR",
_("Remote host did not accept control file (%d)."),
status);
else
_cupsLangPrintFilter(stderr, "INFO",
_("Control file sent successfully."));
}
else
status = 0;
if (status == 0)
{
/*
* Check for side-channel requests...
*/
backendCheckSideChannel(snmp_fd, &(addr->addr));
/*
* Send the print file...
*/
if (lpd_command(fd, "\003" CUPS_LLFMT " dfA%03.3d%.15s\n",
CUPS_LLCAST filestats.st_size, (int)getpid() % 1000,
localhost))
{
close(fd);
return (CUPS_BACKEND_FAILED);
}
fprintf(stderr, "DEBUG: Sending data file (" CUPS_LLFMT " bytes)\n",
CUPS_LLCAST filestats.st_size);
tbytes = 0;
for (copy = 0; copy < manual_copies; copy ++)
{
lseek(print_fd, 0, SEEK_SET);
while ((nbytes = read(print_fd, buffer, sizeof(buffer))) > 0)
{
_cupsLangPrintFilter(stderr, "INFO",
_("Spooling job, %.0f%% complete."),
100.0 * tbytes / filestats.st_size);
if (lpd_write(fd, buffer, nbytes) < nbytes)
{
perror("DEBUG: Unable to send print file to printer");
break;
}
else
tbytes += nbytes;
}
}
if (mode == MODE_STANDARD)
{
if (tbytes < filestats.st_size)
status = errno;
else if (lpd_write(fd, "", 1) < 1)
{
perror("DEBUG: Unable to send trailing nul to printer");
status = errno;
}
else
{
/*
* Read the status byte from the printer; if we can't read the byte
* back now, we should set status to "errno", however at this point
* we know the printer got the whole file and we don't necessarily
* want to requeue it over and over...
*/
if (recv(fd, &status, 1, 0) < 1)
{
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer did not respond."));
status = 0;
}
}
}
else
status = 0;
if (status != 0)
_cupsLangPrintFilter(stderr, "ERROR",
_("Remote host did not accept data file (%d)."),
status);
else
_cupsLangPrintFilter(stderr, "INFO",
_("Data file sent successfully."));
}
if (status == 0 && order == ORDER_DATA_CONTROL)
{
/*
* Check for side-channel requests...
*/
backendCheckSideChannel(snmp_fd, &(addr->addr));
/*
* Send control file...
*/
if (lpd_command(fd, "\002%d cfA%03.3d%.15s\n", strlen(control),
(int)getpid() % 1000, localhost))
{
close(fd);
return (CUPS_BACKEND_FAILED);
}
fprintf(stderr, "DEBUG: Sending control file (%lu bytes)\n",
(unsigned long)strlen(control));
if (lpd_write(fd, control, strlen(control) + 1) < (strlen(control) + 1))
{
status = errno;
perror("DEBUG: Unable to write control file");
}
else
{
if (read(fd, &status, 1) < 1)
{
_cupsLangPrintFilter(stderr, "WARNING",
_("The printer did not respond."));
status = errno;
}
}
if (status != 0)
_cupsLangPrintFilter(stderr, "ERROR",
_("Remote host did not accept control file (%d)."),
status);
else
_cupsLangPrintFilter(stderr, "INFO",
_("Control file sent successfully."));
}
/*
* Collect the final supply levels as needed...
*/
if (have_supplies)
backendSNMPSupplies(snmp_fd, &(addr->addr), NULL, NULL);
/*
* Close the socket connection and input file...
*/
close(fd);
if (status == 0)
return (CUPS_BACKEND_OK);
/*
* Waiting for a retry...
*/
sleep(30);
}
/*
* If we get here, then the job has been canceled...
*/
return (CUPS_BACKEND_FAILED);
}
void
doit(struct sockaddr *fromp)
{
extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
struct passwd *pwd;
u_short port;
fd_set ready, readfrom;
int cc, fd, nfd, pv[2], pid, s;
int one = 1;
const char *cp, *errorstr;
char sig, buf[BUFSIZ];
char *cmdbuf, luser[16], ruser[16];
char rhost[2 * MAXHOSTNAMELEN + 1];
char numericname[INET6_ADDRSTRLEN];
int af, srcport;
int maxcmdlen;
#ifndef __APPLE__
login_cap_t *lc;
#else
struct hostent *hp;
char *hostname, *errorhost = NULL;
#endif
maxcmdlen = (int)sysconf(_SC_ARG_MAX);
if (maxcmdlen <= 0 || (cmdbuf = malloc(maxcmdlen)) == NULL)
exit(1);
#if defined(KERBEROS)
AUTH_DAT *kdata = (AUTH_DAT *) NULL;
KTEXT ticket = (KTEXT) NULL;
char instance[INST_SZ], version[VERSION_SIZE];
struct sockaddr_in fromaddr;
int rc;
long authopts;
int pv1[2], pv2[2];
fd_set wready, writeto;
fromaddr = *fromp;
#endif /* KERBEROS */
(void) signal(SIGINT, SIG_DFL);
(void) signal(SIGQUIT, SIG_DFL);
(void) signal(SIGTERM, SIG_DFL);
af = fromp->sa_family;
srcport = ntohs(*((in_port_t *)&fromp->sa_data));
if (af == AF_INET) {
inet_ntop(af, &((struct sockaddr_in *)fromp)->sin_addr,
numericname, sizeof numericname);
} else if (af == AF_INET6) {
inet_ntop(af, &((struct sockaddr_in6 *)fromp)->sin6_addr,
numericname, sizeof numericname);
} else {
syslog(LOG_ERR, "malformed \"from\" address (af %d)", af);
exit(1);
}
#ifdef IP_OPTIONS
if (af == AF_INET) {
u_char optbuf[BUFSIZ/3];
socklen_t optsize = sizeof(optbuf), ipproto, i;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(0, ipproto, IP_OPTIONS, optbuf, &optsize) &&
optsize != 0) {
for (i = 0; i < optsize; ) {
u_char c = optbuf[i];
if (c == IPOPT_LSRR || c == IPOPT_SSRR) {
syslog(LOG_NOTICE,
"connection refused from %s with IP option %s",
numericname,
c == IPOPT_LSRR ? "LSRR" : "SSRR");
exit(1);
}
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
}
}
}
#endif
#if defined(KERBEROS)
if (!use_kerberos)
#endif
if (srcport >= IPPORT_RESERVED ||
srcport < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
"connection from %s on illegal port %u",
numericname,
srcport);
exit(1);
}
(void) alarm(60);
port = 0;
s = 0; /* not set or used if port == 0 */
for (;;) {
char c;
if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
if (cc < 0)
syslog(LOG_NOTICE, "read: %m");
shutdown(0, SHUT_RDWR);
exit(1);
}
if (c == 0)
break;
port = port * 10 + c - '0';
}
(void) alarm(0);
if (port != 0) {
int lport = IPPORT_RESERVED - 1;
s = rresvport_af(&lport, af);
if (s < 0) {
syslog(LOG_ERR, "can't get stderr port: %m");
exit(1);
}
#if defined(KERBEROS)
if (!use_kerberos)
#endif
if (port >= IPPORT_RESERVED ||
port < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
"2nd socket from %s on unreserved port %u",
numericname,
port);
exit(1);
}
*((in_port_t *)&fromp->sa_data) = htons(port);
if (connect(s, fromp, fromp->sa_len) < 0) {
syslog(LOG_INFO, "connect second port %d: %m", port);
exit(1);
}
}
#if defined(KERBEROS)
if (vacuous) {
error("rshd: remote host requires Kerberos authentication\n");
exit(1);
}
#endif
errorstr = NULL;
#ifndef __APPLE__
realhostname_sa(rhost, sizeof(rhost) - 1, fromp, fromp->sa_len);
rhost[sizeof(rhost) - 1] = '\0';
/* XXX truncation! */
#else
errorstr = NULL;
hp = gethostbyaddr((char *)&((struct sockaddr_in *)fromp)->sin_addr, sizeof (struct in_addr),
((struct sockaddr_in *)fromp)->sin_family);
if (hp) {
/*
* If name returned by gethostbyaddr is in our domain,
* attempt to verify that we haven't been fooled by someone
* in a remote net; look up the name and check that this
* address corresponds to the name.
*/
hostname = hp->h_name;
#if defined(KERBEROS)
if (!use_kerberos)
#endif
if (check_all || local_domain(hp->h_name)) {
strncpy(rhost, hp->h_name, sizeof(rhost) - 1);
rhost[sizeof(rhost) - 1] = 0;
errorhost = rhost;
hp = gethostbyname(rhost);
if (hp == NULL) {
syslog(LOG_INFO,
"Couldn't look up address for %s",
rhost);
errorstr =
"Couldn't look up address for your host (%s)\n";
hostname = inet_ntoa(((struct sockaddr_in *)fromp)->sin_addr);
} else for (; ; hp->h_addr_list++) {
if (hp->h_addr_list[0] == NULL) {
syslog(LOG_NOTICE,
"Host addr %s not listed for host %s",
inet_ntoa(((struct sockaddr_in *)fromp)->sin_addr),
hp->h_name);
errorstr =
"Host address mismatch for %s\n";
hostname = inet_ntoa(((struct sockaddr_in *)fromp)->sin_addr);
break;
}
if (!bcmp(hp->h_addr_list[0],
(caddr_t)&((struct sockaddr_in *)fromp)->sin_addr,
sizeof(((struct sockaddr_in *)fromp)->sin_addr))) {
hostname = hp->h_name;
break;
}
}
}
} else
errorhost = hostname = inet_ntoa(((struct sockaddr_in *)fromp)->sin_addr);
#if defined(KERBEROS)
if (use_kerberos) {
kdata = (AUTH_DAT *) authbuf;
ticket = (KTEXT) tickbuf;
authopts = 0L;
strcpy(instance, "*");
version[VERSION_SIZE - 1] = '\0';
#if defined(CRYPT)
if (doencrypt) {
struct sockaddr_in local_addr;
rc = sizeof(local_addr);
if (getsockname(0, (struct sockaddr *)&local_addr,
&rc) < 0) {
syslog(LOG_ERR, "getsockname: %m");
error("rshd: getsockname: %m");
exit(1);
}
authopts = KOPT_DO_MUTUAL;
rc = krb_recvauth(authopts, 0, ticket,
"rcmd", instance, &fromaddr,
&local_addr, kdata, "", schedule,
version);
des_set_key(kdata->session, schedule);
} else
#endif /* CRYPT */
rc = krb_recvauth(authopts, 0, ticket, "rcmd",
instance, &fromaddr,
(struct sockaddr_in *) 0,
kdata, "", (bit_64 *) 0, version);
if (rc != KSUCCESS) {
error("Kerberos authentication failure: %s\n",
krb_err_txt[rc]);
exit(1);
}
} else
#endif /* KERBEROS */
#endif
(void) alarm(60);
getstr(ruser, sizeof(ruser), "ruser");
getstr(luser, sizeof(luser), "luser");
getstr(cmdbuf, maxcmdlen, "command");
(void) alarm(0);
#if !TARGET_OS_EMBEDDED
pam_err = pam_start("rshd", luser, &pamc, &pamh);
if (pam_err != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s",
pam_strerror(pamh, pam_err));
rshd_errx(1, "Login incorrect.");
}
if ((pam_err = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS ||
(pam_err = pam_set_item(pamh, PAM_RHOST, rhost) != PAM_SUCCESS)) {
syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s",
pam_strerror(pamh, pam_err));
rshd_errx(1, "Login incorrect.");
}
pam_err = pam_authenticate(pamh, 0);
if (pam_err == PAM_SUCCESS) {
if ((pam_err = pam_get_user(pamh, &cp, NULL)) == PAM_SUCCESS) {
strncpy(luser, cp, sizeof(luser));
luser[sizeof(luser) - 1] = '\0';
/* XXX truncation! */
}
pam_err = pam_acct_mgmt(pamh, 0);
}
if (pam_err != PAM_SUCCESS) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
rshd_errx(1, "Login incorrect.");
}
#endif
setpwent();
pwd = getpwnam(luser);
if (pwd == NULL) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown login. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
if (errorstr == NULL)
errorstr = "Login incorrect.";
rshd_errx(1, errorstr, rhost);
}
#ifndef __APPLE__
lc = login_getpwclass(pwd);
if (pwd->pw_uid)
auth_checknologin(lc);
#endif
if (chdir(pwd->pw_dir) < 0) {
if (chdir("/") < 0 ||
#ifndef __APPLE__
login_getcapbool(lc, "requirehome", !!pwd->pw_uid)) {
#else
0) {
#endif /* __APPLE__ */
#ifdef notdef
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: no home directory. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
rshd_errx(0, "No remote home directory.");
#endif
}
pwd->pw_dir = slash;
}
#if defined(KERBEROS)
if (use_kerberos) {
if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
if (kuserok(kdata, luser) != 0) {
syslog(LOG_INFO|LOG_AUTH,
"Kerberos rsh denied to %s.%s@%s",
kdata->pname, kdata->pinst, kdata->prealm);
error("Permission denied.\n");
exit(1);
}
}
} else
#endif
#ifdef __APPLE__
if (errorstr ||
(pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
iruserok(((struct sockaddr_in *)fromp)->sin_addr.s_addr,
#if TARGET_OS_EMBEDDED
// rdar://problem/5381734
0,
#else
pwd->pw_uid == 0,
#endif
ruser, luser) < 0)) {
if (__rcmd_errstr)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, __rcmd_errstr,
cmdbuf);
else
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
if (errorstr == NULL)
errorstr = "Permission denied.";
rshd_errx(1, errorstr, errorhost);
}
if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) {
rshd_errx(1, "Logins currently disabled.");
}
#else
if (lc != NULL && fromp->sa_family == AF_INET) { /*XXX*/
char remote_ip[MAXHOSTNAMELEN];
strncpy(remote_ip, numericname,
sizeof(remote_ip) - 1);
remote_ip[sizeof(remote_ip) - 1] = 0;
/* XXX truncation! */
if (!auth_hostok(lc, rhost, remote_ip)) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, __rcmd_errstr,
cmdbuf);
rshd_errx(1, "Login incorrect.");
}
if (!auth_timeok(lc, time(NULL)))
rshd_errx(1, "Logins not available right now");
}
/*
* PAM modules might add supplementary groups in
* pam_setcred(), so initialize them first.
* But we need to open the session as root.
*/
if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
syslog(LOG_ERR, "setusercontext: %m");
exit(1);
}
#endif /* !__APPLE__ */
#if !TARGET_OS_EMBEDDED
if ((pam_err = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, pam_err));
} else if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, pam_err));
}
#endif
(void) write(STDERR_FILENO, "\0", 1);
sent_null = 1;
if (port) {
if (pipe(pv) < 0)
rshd_errx(1, "Can't make pipe.");
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt) {
if (pipe(pv1) < 0)
rshd_errx(1, "Can't make 2nd pipe.");
if (pipe(pv2) < 0)
rshd_errx(1, "Can't make 3rd pipe.");
}
#endif /* KERBEROS && CRYPT */
pid = fork();
if (pid == -1)
rshd_errx(1, "Can't fork; try again.");
if (pid) {
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt) {
static char msg[] = SECURE_MESSAGE;
(void) close(pv1[1]);
(void) close(pv2[1]);
des_write(s, msg, sizeof(msg) - 1);
} else
#endif /* KERBEROS && CRYPT */
(void) close(0);
(void) close(1);
(void) close(2);
(void) close(pv[1]);
FD_ZERO(&readfrom);
FD_SET(s, &readfrom);
FD_SET(pv[0], &readfrom);
if (pv[0] > s)
nfd = pv[0];
else
nfd = s;
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt) {
FD_ZERO(&writeto);
FD_SET(pv2[0], &writeto);
FD_SET(pv1[0], &readfrom);
nfd = MAX(nfd, pv2[0]);
nfd = MAX(nfd, pv1[0]);
} else
#endif /* KERBEROS && CRYPT */
ioctl(pv[0], FIONBIO, (char *)&one);
/* should set s nbio! */
nfd++;
do {
ready = readfrom;
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt) {
wready = writeto;
if (select(nfd, &ready,
&wready, (fd_set *) 0,
(struct timeval *) 0) < 0)
break;
} else
#endif /* KERBEROS && CRYPT */
if (select(nfd, &ready, (fd_set *)0,
(fd_set *)0, (struct timeval *)0) < 0)
break;
if (FD_ISSET(s, &ready)) {
int ret;
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt)
ret = des_read(s, &sig, 1);
else
#endif /* KERBEROS && CRYPT */
ret = read(s, &sig, 1);
if (ret <= 0)
FD_CLR(s, &readfrom);
else
killpg(pid, sig);
}
if (FD_ISSET(pv[0], &ready)) {
errno = 0;
cc = read(pv[0], buf, sizeof(buf));
if (cc <= 0) {
shutdown(s, SHUT_RDWR);
FD_CLR(pv[0], &readfrom);
} else {
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt)
(void)
des_write(s, buf, cc);
else
#endif /* KERBEROS && CRYPT */
(void)write(s, buf, cc);
}
}
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt && FD_ISSET(pv1[0], &ready)) {
errno = 0;
cc = read(pv1[0], buf, sizeof(buf));
if (cc <= 0) {
shutdown(pv1[0], 1+1);
FD_CLR(pv1[0], &readfrom);
} else
(void) des_write(STDOUT_FILENO,
buf, cc);
}
if (doencrypt && FD_ISSET(pv2[0], &wready)) {
errno = 0;
cc = des_read(STDIN_FILENO,
buf, sizeof(buf));
if (cc <= 0) {
shutdown(pv2[0], 1+1);
FD_CLR(pv2[0], &writeto);
} else
(void) write(pv2[0], buf, cc);
}
#endif /* KERBEROS && CRYPT */
} while (FD_ISSET(s, &readfrom) ||
#if defined(KERBEROS) && defined(CRYPT)
(doencrypt && FD_ISSET(pv1[0], &readfrom)) ||
#endif /* KERBEROS && CRYPT */
FD_ISSET(pv[0], &readfrom));
#if !TARGET_OS_EMBEDDED
PAM_END;
#endif
exit(0);
}
#ifdef __APPLE__
// rdar://problem/4485794
setpgid(0, getpid());
#endif
(void) close(s);
(void) close(pv[0]);
#if defined(KERBEROS) && defined(CRYPT)
if (doencrypt) {
close(pv1[0]); close(pv2[0]);
dup2(pv1[1], 1);
dup2(pv2[1], 0);
close(pv1[1]);
close(pv2[1]);
}
#endif /* KERBEROS && CRYPT */
dup2(pv[1], 2);
close(pv[1]);
}
#ifndef __APPLE__
else {
pid = fork();
if (pid == -1)
rshd_errx(1, "Can't fork; try again.");
if (pid) {
/* Parent. */
while (wait(NULL) > 0 || errno == EINTR)
/* nothing */ ;
PAM_END;
exit(0);
}
}
#endif
for (fd = getdtablesize(); fd > 2; fd--) {
#ifdef __APPLE__
(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
#else
(void) close(fd);
#endif
}
if (setsid() == -1)
syslog(LOG_ERR, "setsid() failed: %m");
if (setlogin(pwd->pw_name) < 0)
syslog(LOG_ERR, "setlogin() failed: %m");
if (*pwd->pw_shell == '\0')
pwd->pw_shell = bshell;
#ifdef __APPLE__
(void) setgid((gid_t)pwd->pw_gid);
initgroups(pwd->pw_name, pwd->pw_gid);
(void) setuid((uid_t)pwd->pw_uid);
environ = envinit;
strncat(homedir, pwd->pw_dir, sizeof(homedir)-6);
strcat(path, _PATH_DEFPATH);
strncat(shell, pwd->pw_shell, sizeof(shell)-7);
strncat(username, pwd->pw_name, sizeof(username)-6);
#endif
#if !TARGET_OS_EMBEDDED
(void) pam_setenv(pamh, "HOME", pwd->pw_dir, 1);
(void) pam_setenv(pamh, "SHELL", pwd->pw_shell, 1);
(void) pam_setenv(pamh, "USER", pwd->pw_name, 1);
(void) pam_setenv(pamh, "PATH", _PATH_DEFPATH, 1);
environ = pam_getenvlist(pamh);
(void) pam_end(pamh, pam_err);
#endif
cp = strrchr(pwd->pw_shell, '/');
if (cp)
cp++;
else
cp = pwd->pw_shell;
#ifndef __APPLE__
if (setusercontext(lc, pwd, pwd->pw_uid,
LOGIN_SETALL & ~LOGIN_SETGROUP) < 0) {
syslog(LOG_ERR, "setusercontext(): %m");
exit(1);
}
login_close(lc);
#endif
endpwent();
if (log_success || pwd->pw_uid == 0) {
#if defined(KERBEROS)
if (use_kerberos)
syslog(LOG_INFO|LOG_AUTH,
"Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'",
kdata->pname, kdata->pinst, kdata->prealm,
hostname, luser, cmdbuf);
else
#endif /* KERBEROS */
syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
}
execl(pwd->pw_shell, cp, "-c", cmdbuf, (char *)NULL);
err(1, "%s", pwd->pw_shell);
exit(1);
}
void
doit(struct sockaddr *fromp)
{
extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
struct passwd *pwd;
u_short port;
fd_set ready, readfrom;
int cc, fd, nfd, pv[2], pid, s;
int one = 1;
const char *cp, *errorstr;
char sig, buf[BUFSIZ];
char *cmdbuf, luser[16], ruser[16];
char rhost[2 * MAXHOSTNAMELEN + 1];
char numericname[INET6_ADDRSTRLEN];
int af, srcport;
int maxcmdlen;
login_cap_t *lc;
maxcmdlen = (int)sysconf(_SC_ARG_MAX);
if (maxcmdlen <= 0 || (cmdbuf = malloc(maxcmdlen)) == NULL)
exit(1);
(void) signal(SIGINT, SIG_DFL);
(void) signal(SIGQUIT, SIG_DFL);
(void) signal(SIGTERM, SIG_DFL);
af = fromp->sa_family;
srcport = ntohs(*((in_port_t *)&fromp->sa_data));
if (af == AF_INET) {
inet_ntop(af, &((struct sockaddr_in *)fromp)->sin_addr,
numericname, sizeof numericname);
} else if (af == AF_INET6) {
inet_ntop(af, &((struct sockaddr_in6 *)fromp)->sin6_addr,
numericname, sizeof numericname);
} else {
syslog(LOG_ERR, "malformed \"from\" address (af %d)", af);
exit(1);
}
#ifdef IP_OPTIONS
if (af == AF_INET) {
u_char optbuf[BUFSIZ/3];
socklen_t optsize = sizeof(optbuf), ipproto, i;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(0, ipproto, IP_OPTIONS, optbuf, &optsize) &&
optsize != 0) {
for (i = 0; i < optsize; ) {
u_char c = optbuf[i];
if (c == IPOPT_LSRR || c == IPOPT_SSRR) {
syslog(LOG_NOTICE,
"connection refused from %s with IP option %s",
numericname,
c == IPOPT_LSRR ? "LSRR" : "SSRR");
exit(1);
}
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
}
}
}
#endif
if (srcport >= IPPORT_RESERVED ||
srcport < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
"connection from %s on illegal port %u",
numericname,
srcport);
exit(1);
}
(void) alarm(60);
port = 0;
s = 0; /* not set or used if port == 0 */
for (;;) {
char c;
if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
if (cc < 0)
syslog(LOG_NOTICE, "read: %m");
shutdown(0, SHUT_RDWR);
exit(1);
}
if (c == 0)
break;
port = port * 10 + c - '0';
}
(void) alarm(0);
if (port != 0) {
int lport = IPPORT_RESERVED - 1;
s = rresvport_af(&lport, af);
if (s < 0) {
syslog(LOG_ERR, "can't get stderr port: %m");
exit(1);
}
if (port >= IPPORT_RESERVED ||
port < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
"2nd socket from %s on unreserved port %u",
numericname,
port);
exit(1);
}
*((in_port_t *)&fromp->sa_data) = htons(port);
if (connect(s, fromp, fromp->sa_len) < 0) {
syslog(LOG_INFO, "connect second port %d: %m", port);
exit(1);
}
}
errorstr = NULL;
realhostname_sa(rhost, sizeof(rhost) - 1, fromp, fromp->sa_len);
rhost[sizeof(rhost) - 1] = '\0';
/* XXX truncation! */
(void) alarm(60);
getstr(ruser, sizeof(ruser), "ruser");
getstr(luser, sizeof(luser), "luser");
getstr(cmdbuf, maxcmdlen, "command");
(void) alarm(0);
pam_err = pam_start("rsh", luser, &pamc, &pamh);
if (pam_err != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s",
pam_strerror(pamh, pam_err));
rshd_errx(1, "Login incorrect.");
}
if ((pam_err = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS ||
(pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s",
pam_strerror(pamh, pam_err));
rshd_errx(1, "Login incorrect.");
}
pam_err = pam_authenticate(pamh, 0);
if (pam_err == PAM_SUCCESS) {
if ((pam_err = pam_get_user(pamh, &cp, NULL)) == PAM_SUCCESS) {
strncpy(luser, cp, sizeof(luser));
luser[sizeof(luser) - 1] = '\0';
/* XXX truncation! */
}
pam_err = pam_acct_mgmt(pamh, 0);
}
if (pam_err != PAM_SUCCESS) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
rshd_errx(1, "Login incorrect.");
}
setpwent();
pwd = getpwnam(luser);
if (pwd == NULL) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown login. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
if (errorstr == NULL)
errorstr = "Login incorrect.";
rshd_errx(1, errorstr, rhost);
}
lc = login_getpwclass(pwd);
if (pwd->pw_uid)
auth_checknologin(lc);
if (chdir(pwd->pw_dir) < 0) {
if (chdir("/") < 0 ||
login_getcapbool(lc, "requirehome", !!pwd->pw_uid)) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: no home directory. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
rshd_errx(0, "No remote home directory.");
}
pwd->pw_dir = slash;
}
if (lc != NULL && fromp->sa_family == AF_INET) { /*XXX*/
char remote_ip[MAXHOSTNAMELEN];
strncpy(remote_ip, numericname,
sizeof(remote_ip) - 1);
remote_ip[sizeof(remote_ip) - 1] = 0;
/* XXX truncation! */
if (!auth_hostok(lc, rhost, remote_ip)) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, __rcmd_errstr,
cmdbuf);
rshd_errx(1, "Login incorrect.");
}
if (!auth_timeok(lc, time(NULL)))
rshd_errx(1, "Logins not available right now");
}
/*
* PAM modules might add supplementary groups in
* pam_setcred(), so initialize them first.
* But we need to open the session as root.
*/
if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
syslog(LOG_ERR, "setusercontext: %m");
exit(1);
}
if ((pam_err = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, pam_err));
} else if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, pam_err));
}
(void) write(STDERR_FILENO, "\0", 1);
sent_null = 1;
if (port) {
if (pipe(pv) < 0)
rshd_errx(1, "Can't make pipe.");
pid = fork();
if (pid == -1)
rshd_errx(1, "Can't fork; try again.");
if (pid) {
(void) close(0);
(void) close(1);
(void) close(2);
(void) close(pv[1]);
FD_ZERO(&readfrom);
FD_SET(s, &readfrom);
FD_SET(pv[0], &readfrom);
if (pv[0] > s)
nfd = pv[0];
else
nfd = s;
ioctl(pv[0], FIONBIO, (char *)&one);
/* should set s nbio! */
nfd++;
do {
ready = readfrom;
if (select(nfd, &ready, (fd_set *)0,
(fd_set *)0, (struct timeval *)0) < 0)
break;
if (FD_ISSET(s, &ready)) {
int ret;
ret = read(s, &sig, 1);
if (ret <= 0)
FD_CLR(s, &readfrom);
else
killpg(pid, sig);
}
if (FD_ISSET(pv[0], &ready)) {
errno = 0;
cc = read(pv[0], buf, sizeof(buf));
if (cc <= 0) {
shutdown(s, SHUT_RDWR);
FD_CLR(pv[0], &readfrom);
} else {
(void)write(s, buf, cc);
}
}
} while (FD_ISSET(s, &readfrom) ||
FD_ISSET(pv[0], &readfrom));
PAM_END;
exit(0);
}
(void) close(s);
(void) close(pv[0]);
dup2(pv[1], 2);
close(pv[1]);
}
else {
pid = fork();
if (pid == -1)
rshd_errx(1, "Can't fork; try again.");
if (pid) {
/* Parent. */
while (wait(NULL) > 0 || errno == EINTR)
/* nothing */ ;
PAM_END;
exit(0);
}
}
for (fd = getdtablesize(); fd > 2; fd--)
(void) close(fd);
if (setsid() == -1)
syslog(LOG_ERR, "setsid() failed: %m");
if (setlogin(pwd->pw_name) < 0)
syslog(LOG_ERR, "setlogin() failed: %m");
if (*pwd->pw_shell == '\0')
pwd->pw_shell = bshell;
(void) pam_setenv(pamh, "HOME", pwd->pw_dir, 1);
(void) pam_setenv(pamh, "SHELL", pwd->pw_shell, 1);
(void) pam_setenv(pamh, "USER", pwd->pw_name, 1);
(void) pam_setenv(pamh, "PATH", _PATH_DEFPATH, 1);
environ = pam_getenvlist(pamh);
(void) pam_end(pamh, pam_err);
cp = strrchr(pwd->pw_shell, '/');
if (cp)
cp++;
else
cp = pwd->pw_shell;
if (setusercontext(lc, pwd, pwd->pw_uid,
LOGIN_SETALL & ~LOGIN_SETGROUP) < 0) {
syslog(LOG_ERR, "setusercontext(): %m");
exit(1);
}
login_close(lc);
endpwent();
if (log_success || pwd->pw_uid == 0) {
syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
}
execl(pwd->pw_shell, cp, "-c", cmdbuf, (char *)NULL);
err(1, "%s", pwd->pw_shell);
exit(1);
}
int
rcmd_af(char **ahost, int rport, const char *locuser, const char *remuser,
const char *cmd, int *fd2p, int af)
{
struct addrinfo hints, *res, *ai;
struct sockaddr_storage from;
fd_set reads;
sigset_t oldmask, newmask;
pid_t pid;
int s, aport, lport, timo, error;
char c, *p;
int refused, nres;
char num[8];
static char canonnamebuf[MAXDNAME]; /* is it proper here? */
/* call rcmdsh() with specified remote shell if appropriate. */
if (!issetugid() && (p = getenv("RSH"))) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, p));
}
/* use rsh(1) if non-root and remote port is shell. */
if (geteuid()) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, NULL));
}
pid = getpid();
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = af;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = 0;
snprintf(num, sizeof(num), "%d", ntohs(rport));
error = getaddrinfo(*ahost, num, &hints, &res);
if (error) {
fprintf(stderr, "rcmd: getaddrinfo: %s\n",
gai_strerror(error));
if (error == EAI_SYSTEM)
fprintf(stderr, "rcmd: getaddrinfo: %s\n",
strerror(errno));
return (-1);
}
if (res->ai_canonname &&
strlen(res->ai_canonname) + 1 < sizeof(canonnamebuf)) {
strncpy(canonnamebuf, res->ai_canonname, sizeof(canonnamebuf));
*ahost = canonnamebuf;
}
nres = 0;
for (ai = res; ai; ai = ai->ai_next)
nres++;
ai = res;
refused = 0;
sigemptyset(&newmask);
sigaddset(&newmask, SIGURG);
_sigprocmask(SIG_BLOCK, (const sigset_t *)&newmask, &oldmask);
for (timo = 1, lport = IPPORT_RESERVED - 1;;) {
s = rresvport_af(&lport, ai->ai_family);
if (s < 0) {
if (errno != EAGAIN && ai->ai_next) {
ai = ai->ai_next;
continue;
}
if (errno == EAGAIN)
fprintf(stderr,
"rcmd: socket: All ports in use\n");
else
fprintf(stderr, "rcmd: socket: %s\n",
strerror(errno));
freeaddrinfo(res);
_sigprocmask(SIG_SETMASK, (const sigset_t *)&oldmask,
NULL);
return (-1);
}
_fcntl(s, F_SETOWN, pid);
if (_connect(s, ai->ai_addr, ai->ai_addrlen) >= 0)
break;
_close(s);
if (errno == EADDRINUSE) {
lport--;
continue;
}
if (errno == ECONNREFUSED)
refused = 1;
if (ai->ai_next == NULL && (!refused || timo > 16)) {
fprintf(stderr, "%s: %s\n", *ahost, strerror(errno));
freeaddrinfo(res);
_sigprocmask(SIG_SETMASK, (const sigset_t *)&oldmask,
NULL);
return (-1);
}
if (nres > 1) {
int oerrno = errno;
getnameinfo(ai->ai_addr, ai->ai_addrlen, paddr,
sizeof(paddr), NULL, 0, NI_NUMERICHOST);
fprintf(stderr, "connect to address %s: ", paddr);
errno = oerrno;
perror(0);
}
if ((ai = ai->ai_next) == NULL) {
/* refused && timo <= 16 */
struct timespec time_to_sleep, time_remaining;
time_to_sleep.tv_sec = timo;
time_to_sleep.tv_nsec = 0;
_nanosleep(&time_to_sleep, &time_remaining);
timo *= 2;
ai = res;
refused = 0;
}
if (nres > 1) {
getnameinfo(ai->ai_addr, ai->ai_addrlen, paddr,
sizeof(paddr), NULL, 0, NI_NUMERICHOST);
fprintf(stderr, "Trying %s...\n", paddr);
}
}
lport--;
if (fd2p == 0) {
_write(s, "", 1);
lport = 0;
} else {
int s2 = rresvport_af(&lport, ai->ai_family), s3;
socklen_t len = ai->ai_addrlen;
int nfds;
if (s2 < 0)
goto bad;
_listen(s2, 1);
snprintf(num, sizeof(num), "%d", lport);
if (_write(s, num, strlen(num)+1) != strlen(num)+1) {
fprintf(stderr,
"rcmd: write (setting up stderr): %s\n",
strerror(errno));
_close(s2);
goto bad;
}
nfds = max(s, s2)+1;
if(nfds > FD_SETSIZE) {
fprintf(stderr, "rcmd: too many files\n");
_close(s2);
goto bad;
}
again:
FD_ZERO(&reads);
FD_SET(s, &reads);
FD_SET(s2, &reads);
errno = 0;
if (_select(nfds, &reads, 0, 0, 0) < 1 || !FD_ISSET(s2, &reads)){
if (errno != 0)
fprintf(stderr,
"rcmd: select (setting up stderr): %s\n",
strerror(errno));
else
fprintf(stderr,
"select: protocol failure in circuit setup\n");
_close(s2);
goto bad;
}
s3 = _accept(s2, (struct sockaddr *)&from, &len);
switch (from.ss_family) {
case AF_INET:
aport = ntohs(((struct sockaddr_in *)&from)->sin_port);
break;
#ifdef INET6
case AF_INET6:
aport = ntohs(((struct sockaddr_in6 *)&from)->sin6_port);
break;
#endif
default:
aport = 0; /* error */
break;
}
/*
* XXX careful for ftp bounce attacks. If discovered, shut them
* down and check for the real auxiliary channel to connect.
*/
if (aport == 20) {
_close(s3);
goto again;
}
_close(s2);
if (s3 < 0) {
fprintf(stderr,
"rcmd: accept: %s\n", strerror(errno));
lport = 0;
goto bad;
}
*fd2p = s3;
if (aport >= IPPORT_RESERVED || aport < IPPORT_RESERVED / 2) {
fprintf(stderr,
"socket: protocol failure in circuit setup.\n");
goto bad2;
}
}
_write(s, locuser, strlen(locuser)+1);
_write(s, remuser, strlen(remuser)+1);
_write(s, cmd, strlen(cmd)+1);
if (_read(s, &c, 1) != 1) {
fprintf(stderr,
"rcmd: %s: %s\n", *ahost, strerror(errno));
goto bad2;
}
if (c != 0) {
while (_read(s, &c, 1) == 1) {
_write(STDERR_FILENO, &c, 1);
if (c == '\n')
break;
}
goto bad2;
}
_sigprocmask(SIG_SETMASK, (const sigset_t *)&oldmask, NULL);
freeaddrinfo(res);
return (s);
bad2:
if (lport)
_close(*fd2p);
bad:
_close(s);
_sigprocmask(SIG_SETMASK, (const sigset_t *)&oldmask, NULL);
freeaddrinfo(res);
return (-1);
}
int
rresvport(int *port)
{
return rresvport_af(port, AF_INET);
}
void
rsh_dual_relay(int s_src, int s_dst)
{
fd_set readfds;
int len, s_wld, error;
struct sockaddr_storage ctladdr6;
struct sockaddr_storage ctladdr;
int port6 = 0, lport, lport6;
char *p;
struct timeval tv;
struct sockaddr *sa;
half = NO;
s_rcv = s_src;
s_snd = s_dst;
syslog(LOG_INFO, "starting rsh connection");
for (p = rshbuf; *p; p++)
port6 = port6 * 10 + *p - '0';
len = sizeof(ctladdr6);
getpeername(s_src, (struct sockaddr *)&ctladdr6, &len);
if (((struct sockaddr *)&ctladdr6)->sa_family == AF_INET6)
((struct sockaddr_in6 *)&ctladdr6)->sin6_port = htons(port6);
else
((struct sockaddr_in *)&ctladdr6)->sin_port = htons(port6);
s_wld = rresvport(&lport);
if (s_wld == -1) goto bad;
error = listen(s_wld, 1);
if (error == -1) goto bad;
snprintf(rshbuf, sizeof(rshbuf), "%d", lport);
write(s_dst, rshbuf, strlen(rshbuf)+1);
len = sizeof(ctladdr);
s_ctl = accept(s_wld, (struct sockaddr *)&ctladdr, &len);
if (s_ctl == -1) goto bad;
close(s_wld);
sa = (struct sockaddr *)&ctladdr6;
s_ctl6 = rresvport_af(&lport6, sa->sa_family);
if (s_ctl6 == -1) goto bad;
error = connect(s_ctl6, sa, sa->sa_len);
if (error == -1) goto bad;
syslog(LOG_INFO, "starting rsh control connection");
for (;;) {
int maxfd = 0;
FD_ZERO(&readfds);
if (half == NO)
FD_SET(s_src, &readfds);
FD_SET(s_dst, &readfds);
if (s_dst > maxfd)
maxfd = s_dst;
FD_SET(s_ctl, &readfds);
if (s_ctl > maxfd)
maxfd = s_ctl;
FD_SET(s_ctl6, &readfds);
if (s_ctl6 > maxfd)
maxfd = s_ctl6;
tv.tv_sec = FAITH_TIMEOUT;
tv.tv_usec = 0;
error = select(maxfd + 1, &readfds, NULL, NULL, &tv);
if (error == -1)
exit_failure("select 4 sockets: %s", strerror(errno));
else if (error == 0)
exit_failure("connection timeout");
if (half == NO && FD_ISSET(s_src, &readfds)) {
s_rcv = s_src;
s_snd = s_dst;
relay(s_src, s_dst);
}
if (FD_ISSET(s_dst, &readfds)) {
s_rcv = s_dst;
s_snd = s_src;
relay(s_src, s_dst);
}
if (FD_ISSET(s_ctl, &readfds)) {
s_rcv = s_ctl;
s_snd = s_ctl6;
relay(s_src, s_dst);
}
if (FD_ISSET(s_ctl6, &readfds)) {
s_rcv = s_ctl6;
s_snd = s_ctl;
relay(s_src, s_dst);
}
}
/* NOTREACHED */
bad:
exit_failure("%s", strerror(errno));
}
void
doit(struct sockaddr *fromp)
{
extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
struct addrinfo hints, *res, *res0;
int gaierror;
struct passwd *pwd;
u_short port;
in_port_t *portp;
struct pollfd pfd[4];
int cc, nfd, pv[2], s = 0, one = 1;
pid_t pid;
char *hostname, *errorstr, *errorhost = (char *) NULL;
char *cp, sig, buf[BUFSIZ];
char cmdbuf[NCARGS+1], locuser[_PW_NAME_LEN+1], remuser[_PW_NAME_LEN+1];
char remotehost[2 * MAXHOSTNAMELEN + 1];
char hostnamebuf[2 * MAXHOSTNAMELEN + 1];
char naddr[NI_MAXHOST];
char saddr[NI_MAXHOST];
char raddr[NI_MAXHOST];
char pbuf[NI_MAXSERV];
auth_session_t *as;
const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
#ifdef KERBEROS
AUTH_DAT *kdata = (AUTH_DAT *) NULL;
KTEXT ticket = (KTEXT) NULL;
char instance[INST_SZ], version[VERSION_SIZE];
struct sockaddr_storage fromaddr;
int rc;
long authopts;
#ifdef CRYPT
int pv1[2], pv2[2];
#endif
if (sizeof(fromaddr) < fromp->sa_len) {
syslog(LOG_ERR, "malformed \"from\" address (af %d)",
fromp->sa_family);
exit(1);
}
memcpy(&fromaddr, fromp, fromp->sa_len);
#endif
(void) signal(SIGINT, SIG_DFL);
(void) signal(SIGQUIT, SIG_DFL);
(void) signal(SIGTERM, SIG_DFL);
#ifdef DEBUG
{ int t = open(_PATH_TTY, 2);
if (t >= 0) {
ioctl(t, TIOCNOTTY, (char *)0);
(void) close(t);
}
}
#endif
switch (fromp->sa_family) {
case AF_INET:
portp = &((struct sockaddr_in *)fromp)->sin_port;
break;
case AF_INET6:
portp = &((struct sockaddr_in6 *)fromp)->sin6_port;
break;
default:
syslog(LOG_ERR, "malformed \"from\" address (af %d)",
fromp->sa_family);
exit(1);
}
if (getnameinfo(fromp, fromp->sa_len, naddr, sizeof(naddr),
pbuf, sizeof(pbuf), niflags) != 0) {
syslog(LOG_ERR, "malformed \"from\" address (af %d)",
fromp->sa_family);
exit(1);
}
#ifdef IP_OPTIONS
if (fromp->sa_family == AF_INET) {
struct ipoption opts;
socklen_t optsize = sizeof(opts);
int ipproto, i;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(STDIN_FILENO, ipproto, IP_OPTIONS,
(char *)&opts, &optsize) && optsize != 0) {
for (i = 0; (void *)&opts.ipopt_list[i] - (void *)&opts <
optsize; ) {
u_char c = (u_char)opts.ipopt_list[i];
if (c == IPOPT_LSRR || c == IPOPT_SSRR)
exit(1);
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 :
(u_char)opts.ipopt_list[i+1];
}
}
}
#endif
#ifdef KERBEROS
if (!use_kerberos)
#endif
if (ntohs(*portp) >= IPPORT_RESERVED ||
ntohs(*portp) < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
"Connection from %s on illegal port %u",
naddr, ntohs(*portp));
exit(1);
}
(void) alarm(60);
port = 0;
for (;;) {
char c;
if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
if (cc < 0)
syslog(LOG_NOTICE, "read: %m");
shutdown(STDIN_FILENO, SHUT_RDWR);
exit(1);
}
if (c == 0)
break;
port = port * 10 + c - '0';
}
(void) alarm(0);
if (port != 0) {
int lport;
#ifdef KERBEROS
if (!use_kerberos)
#endif
if (port >= IPPORT_RESERVED ||
port < IPPORT_RESERVED/2) {
syslog(LOG_ERR, "2nd port not reserved");
exit(1);
}
*portp = htons(port);
lport = IPPORT_RESERVED - 1;
s = rresvport_af(&lport, fromp->sa_family);
if (s < 0) {
syslog(LOG_ERR, "can't get stderr port: %m");
exit(1);
}
if (connect(s, (struct sockaddr *)fromp, fromp->sa_len) < 0) {
syslog(LOG_INFO, "connect second port %d: %m", port);
exit(1);
}
}
#ifdef KERBEROS
if (vacuous) {
error("rshd: remote host requires Kerberos authentication\n");
exit(1);
}
#endif
#ifdef notdef
/* from inetd, socket is already on 0, 1, 2 */
dup2(f, 0);
dup2(f, 1);
dup2(f, 2);
#endif
errorstr = NULL;
if (getnameinfo(fromp, fromp->sa_len, saddr, sizeof(saddr),
NULL, 0, NI_NAMEREQD)== 0) {
/*
* If name returned by getnameinfo is in our domain,
* attempt to verify that we haven't been fooled by someone
* in a remote net; look up the name and check that this
* address corresponds to the name.
*/
hostname = saddr;
res0 = NULL;
#ifdef KERBEROS
if (!use_kerberos)
#endif
if (check_all || local_domain(saddr)) {
strlcpy(remotehost, saddr, sizeof(remotehost));
errorhost = remotehost;
memset(&hints, 0, sizeof(hints));
hints.ai_family = fromp->sa_family;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
gaierror = getaddrinfo(remotehost, pbuf, &hints, &res0);
if (gaierror) {
syslog(LOG_INFO,
"Couldn't look up address for %s: %s",
remotehost, gai_strerror(gaierror));
errorstr =
"Couldn't look up address for your host (%s)\n";
hostname = naddr;
} else {
for (res = res0; res; res = res->ai_next) {
if (res->ai_family != fromp->sa_family)
continue;
if (res->ai_addrlen != fromp->sa_len)
continue;
if (getnameinfo(res->ai_addr,
res->ai_addrlen,
raddr, sizeof(raddr), NULL, 0,
niflags) == 0
&& strcmp(naddr, raddr) == 0) {
hostname = res->ai_canonname
? res->ai_canonname
: saddr;
break;
}
}
if (res == NULL) {
syslog(LOG_NOTICE,
"Host addr %s not listed for host %s",
naddr, res0->ai_canonname
? res0->ai_canonname
: saddr);
errorstr =
"Host address mismatch for %s\n";
hostname = naddr;
}
}
}
strlcpy(hostnamebuf, hostname, sizeof(hostnamebuf));
hostname = hostnamebuf;
if (res0)
freeaddrinfo(res0);
} else
strlcpy(hostnamebuf, naddr, sizeof(hostnamebuf));
errorhost = hostname = hostnamebuf;
#ifdef KERBEROS
if (use_kerberos) {
kdata = (AUTH_DAT *) authbuf;
ticket = (KTEXT) tickbuf;
authopts = 0L;
strlcpy(instance, "*", sizeof instance);
version[VERSION_SIZE - 1] = '\0';
#ifdef CRYPT
if (doencrypt) {
struct sockaddr_in local_addr;
rc = sizeof(local_addr);
if (getsockname(STDIN_FILENO,
(struct sockaddr *)&local_addr, &rc) < 0) {
syslog(LOG_ERR, "getsockname: %m");
error("rshd: getsockname: %m");
exit(1);
}
authopts = KOPT_DO_MUTUAL;
rc = krb_recvauth(authopts, 0, ticket,
"rcmd", instance, (struct sockaddr_in *)&fromaddr,
&local_addr, kdata, "", schedule, version);
desrw_set_key(&kdata->session, &schedule);
} else
#endif
rc = krb_recvauth(authopts, 0, ticket, "rcmd",
instance, (struct sockaddr_in *)&fromaddr,
NULL, kdata, "", NULL, version);
if (rc != KSUCCESS) {
error("Kerberos authentication failure: %s\n",
krb_get_err_text(rc));
exit(1);
}
} else
#endif
getstr(remuser, sizeof(remuser), "remuser");
getstr(locuser, sizeof(locuser), "locuser");
getstr(cmdbuf, sizeof(cmdbuf), "command");
pwd = getpwnam(locuser);
if (pwd == NULL) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown login. cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
if (errorstr == NULL)
errorstr = "Permission denied.\n";
goto fail;
}
lc = login_getclass(pwd->pw_class);
if (lc == NULL) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown class. cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
if (errorstr == NULL)
errorstr = "Login incorrect.\n";
goto fail;
}
as = auth_open();
if (as == NULL || auth_setpwd(as, pwd) != 0) {
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unable to allocate memory. cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
if (errorstr == NULL)
errorstr = "Cannot allocate memory.\n";
goto fail;
}
setegid(pwd->pw_gid);
seteuid(pwd->pw_uid);
if (chdir(pwd->pw_dir) < 0) {
(void) chdir("/");
#ifdef notdef
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: no home directory. cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
error("No remote directory.\n");
exit(1);
#endif
}
seteuid(0);
setegid(0); /* XXX use a saved gid instead? */
#ifdef KERBEROS
if (use_kerberos) {
if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
if (kuserok(kdata, locuser) != 0) {
syslog(LOG_INFO|LOG_AUTH,
"Kerberos rsh denied to %s.%s@%s",
kdata->pname, kdata->pinst, kdata->prealm);
error("Permission denied.\n");
exit(1);
}
}
} else
#endif
if (errorstr ||
(pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
iruserok_sa(fromp, fromp->sa_len, pwd->pw_uid == 0,
remuser, locuser) < 0)) {
if (__rcmd_errstr)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
remuser, hostname, locuser, __rcmd_errstr,
cmdbuf);
else
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied. cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
fail:
if (errorstr == NULL)
errorstr = "Permission denied.\n";
error(errorstr, errorhost);
exit(1);
}
if (pwd->pw_uid)
auth_checknologin(lc);
(void) write(STDERR_FILENO, "\0", 1);
sent_null = 1;
if (port) {
if (pipe(pv) < 0) {
error("Can't make pipe.\n");
exit(1);
}
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt) {
if (pipe(pv1) < 0) {
error("Can't make 2nd pipe.\n");
exit(1);
}
if (pipe(pv2) < 0) {
error("Can't make 3rd pipe.\n");
exit(1);
}
}
#endif
#endif
pid = fork();
if (pid == -1) {
error("Can't fork; try again.\n");
exit(1);
}
if (pid) {
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt) {
static char msg[] = SECURE_MESSAGE;
(void) close(pv1[1]);
(void) close(pv2[1]);
des_write(s, msg, sizeof(msg) - 1);
} else
#endif
#endif
{
(void) close(STDIN_FILENO);
(void) close(STDOUT_FILENO);
}
(void) close(STDERR_FILENO);
(void) close(pv[1]);
pfd[P_SOCKREAD].fd = s;
pfd[P_SOCKREAD].events = POLLIN;
pfd[P_PIPEREAD].fd = pv[0];
pfd[P_PIPEREAD].events = POLLIN;
nfd = 2;
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt) {
pfd[P_CRYPTREAD].fd = pv1[0];
pfd[P_CRYPTREAD].events = POLLIN;
pfd[P_CRYPTWRITE].fd = pv2[0];
pfd[P_CRYPTWRITE].events = POLLOUT;
nfd += 2;
} else
#endif
#endif
ioctl(pv[0], FIONBIO, (char *)&one);
/* should set s nbio! */
do {
if (poll(pfd, nfd, INFTIM) < 0)
break;
if (pfd[P_SOCKREAD].revents & POLLIN) {
int ret;
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt)
ret = des_read(s, &sig, 1);
else
#endif
#endif
ret = read(s, &sig, 1);
if (ret <= 0)
pfd[P_SOCKREAD].revents = 0;
else
killpg(pid, sig);
}
if (pfd[P_PIPEREAD].revents & POLLIN) {
errno = 0;
cc = read(pv[0], buf, sizeof(buf));
if (cc <= 0) {
shutdown(s, SHUT_RDWR);
pfd[P_PIPEREAD].revents = 0;
} else {
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt)
(void)
des_write(s, buf, cc);
else
#endif
#endif
(void)
write(s, buf, cc);
}
}
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt &&
(pfd[P_CRYPTREAD].revents & POLLIN)) {
errno = 0;
cc = read(pv1[0], buf, sizeof(buf));
if (cc <= 0) {
shutdown(pv1[0], SHUT_RDWR);
pfd[P_CRYPTREAD].revents = 0;
} else
(void) des_write(STDOUT_FILENO,
buf, cc);
}
if (doencrypt &&
(pfd[P_CRYPTWRITE].revents & POLLIN)) {
errno = 0;
cc = des_read(STDIN_FILENO,
buf, sizeof(buf));
if (cc <= 0) {
shutdown(pv2[0], SHUT_RDWR);
pfd[P_CRYPTWRITE].revents = 0;
} else
(void) write(pv2[0], buf, cc);
}
#endif
#endif
} while ((pfd[P_SOCKREAD].revents & POLLIN) ||
#ifdef CRYPT
#ifdef KERBEROS
(doencrypt && (pfd[P_CRYPTREAD].revents & POLLIN)) ||
#endif
#endif
(pfd[P_PIPEREAD].revents & POLLIN));
exit(0);
}
setsid();
(void) close(s);
(void) close(pv[0]);
#ifdef CRYPT
#ifdef KERBEROS
if (doencrypt) {
close(pv1[0]); close(pv2[0]);
dup2(pv1[1], 1);
dup2(pv2[1], 0);
close(pv1[1]);
close(pv2[1]);
}
#endif
#endif
dup2(pv[1], 2);
close(pv[1]);
} else
setsid();
if (*pwd->pw_shell == '\0')
pwd->pw_shell = _PATH_BSHELL;
environ = envinit;
if (setenv("HOME", pwd->pw_dir, 1) == -1 ||
setenv("SHELL", pwd->pw_shell, 1) == -1 ||
setenv("USER", pwd->pw_name, 1) == -1 ||
setenv("LOGNAME", pwd->pw_name, 1) == -1)
errx(1, "cannot setup environment");
if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL))
errx(1, "cannot set user context");
if (auth_approval(as, lc, pwd->pw_name, "rsh") <= 0)
errx(1, "approval failure");
auth_close(as);
login_close(lc);
cp = strrchr(pwd->pw_shell, '/');
if (cp)
cp++;
else
cp = pwd->pw_shell;
endpwent();
if (log_success || pwd->pw_uid == 0) {
#ifdef KERBEROS
if (use_kerberos)
syslog(LOG_INFO|LOG_AUTH,
"Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'",
kdata->pname, kdata->pinst, kdata->prealm,
hostname, locuser, cmdbuf);
else
#endif
syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
}
execl(pwd->pw_shell, cp, "-c", cmdbuf, (char *)NULL);
perror(pwd->pw_shell);
exit(1);
}
int
rresvport(int *alport)
{
return rresvport_af(alport, AF_INET);
}
int rcmd_af(char **ahost, unsigned short rport, const char *locuser,
const char *remuser, const char *cmd, int *fd2p, int af)
{
int s, timo = 1;
ssize_t retval;
pid_t pid;
struct sockaddr_storage caddr, faddr;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
struct addrinfo hints;
struct addrinfo *res, *resp;
size_t addrlen;
int rc;
#define MAX_SHORTSTRLEN 6
char aport[MAX_SHORTSTRLEN];
char c;
int lport = 0;
#ifdef SYSV
sigset_t oldmask;
sigset_t newmask;
struct sigaction oldaction;
struct sigaction newaction;
#else
int oldmask;
#endif /* SYSV */
fd_set fdset;
int selret;
char *addr;
static char hostname[MAXHOSTNAMELEN];
socklen_t len;
char abuf[INET6_ADDRSTRLEN];
if (!(af == AF_INET || af == AF_INET6 || af == AF_UNSPEC)) {
errno = EAFNOSUPPORT;
return (-1);
}
pid = getpid();
memset(&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
if (af == AF_INET6) {
hints.ai_flags |= AI_V4MAPPED;
hints.ai_family = AF_UNSPEC;
} else {
hints.ai_family = af;
}
(void) snprintf(aport, MAX_SHORTSTRLEN, "%u", ntohs(rport));
rc = getaddrinfo(*ahost, aport, &hints, &res);
if (rc != 0) {
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN, "%s: unknown host%s\n"),
*ahost, rc == EAI_AGAIN ? " (try again later)" : "");
return (-1);
}
resp = res;
(void) strlcpy(hostname, res->ai_canonname, MAXHOSTNAMELEN);
*ahost = hostname;
#ifdef SYSV
/* ignore SIGPIPE */
bzero((char *)&newaction, sizeof (newaction));
newaction.sa_handler = SIG_IGN;
(void) _sigaction(SIGPIPE, &newaction, &oldaction);
/* block SIGURG */
bzero((char *)&newmask, sizeof (newmask));
(void) _sigaddset(&newmask, SIGURG);
(void) _sigprocmask(SIG_BLOCK, &newmask, &oldmask);
#else
oldmask = _sigblock(sigmask(SIGURG));
#endif /* SYSV */
for (;;) {
s = rresvport_af(&lport, res->ai_family);
if (s < 0) {
int af = res->ai_family;
/*
* See if we have any addresses of a different type
* to try.
*/
while (res != NULL && res->ai_family == af)
res = res->ai_next;
if (res != NULL)
continue;
if (errno == EAGAIN)
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"socket: All ports in use\n"));
else
perror("rcmd: socket");
#ifdef SYSV
/* restore original SIGPIPE handler */
(void) _sigaction(SIGPIPE, &oldaction,
(struct sigaction *)0);
/* restore original signal mask */
(void) _sigprocmask(SIG_SETMASK, &oldmask,
(sigset_t *)0);
#else
sigsetmask(oldmask);
#endif /* SYSV */
freeaddrinfo(resp);
return (-1);
}
bzero((char *)&caddr, sizeof (caddr));
bcopy(res->ai_addr, &caddr, res->ai_addrlen);
addrlen = res->ai_addrlen;
if (af == AF_INET6 && res->ai_addr->sa_family == AF_INET) {
struct in6_addr ia6;
struct sockaddr_in6 *in6addr;
IN6_INADDR_TO_V4MAPPED(&((struct sockaddr_in *)
res->ai_addr)->sin_addr, &ia6);
in6addr = (struct sockaddr_in6 *)&caddr;
in6addr->sin6_addr = ia6;
in6addr->sin6_family = AF_INET6;
addrlen = sizeof (struct sockaddr_in6);
}
(void) _fcntl(s, F_SETOWN, pid);
if (connect(s, (struct sockaddr *)&caddr, addrlen) >= 0)
break;
(void) close(s);
if (errno == EADDRINUSE) {
lport = 0;
continue;
}
if (errno == ECONNREFUSED && timo <= 16) {
(void) sleep(timo);
timo *= 2;
continue;
}
if (res->ai_next != NULL) {
int oerrno = errno;
if (res->ai_addr->sa_family == AF_INET6)
addr = (char *)&((struct sockaddr_in6 *)
res->ai_addr)->sin6_addr;
else
addr = (char *)&((struct sockaddr_in *)
res->ai_addr)->sin_addr;
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN, "connect to address %s: "),
inet_ntop(res->ai_addr->sa_family, addr,
abuf, sizeof (abuf)));
errno = oerrno;
perror(0);
res = res->ai_next;
if (res->ai_addr->sa_family == AF_INET6)
addr = (char *)&((struct sockaddr_in6 *)
res->ai_addr)->sin6_addr;
else
addr = (char *)&((struct sockaddr_in *)
res->ai_addr)->sin_addr;
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN, "Trying %s...\n"),
inet_ntop(res->ai_addr->sa_family, addr,
abuf, sizeof (abuf)));
continue;
}
perror(*ahost);
freeaddrinfo(resp);
#ifdef SYSV
/* restore original SIGPIPE handler */
(void) _sigaction(SIGPIPE, &oldaction,
(struct sigaction *)0);
/* restore original signal mask */
(void) _sigprocmask(SIG_SETMASK, &oldmask, (sigset_t *)0);
#else
sigsetmask(oldmask);
#endif /* SYSV */
return (-1);
}
lport = 0;
if (fd2p == 0) {
(void) write(s, "", 1);
} else {
int s2 = rresvport_af(&lport, res->ai_family), s3;
len = (socklen_t)sizeof (faddr);
if (s2 < 0)
goto bad;
(void) listen(s2, 1);
(void) snprintf(aport, MAX_SHORTSTRLEN, "%d", lport);
if (write(s, aport, strlen(aport)+1) != strlen(aport)+1) {
perror(_dgettext(TEXT_DOMAIN,
"write: setting up stderr"));
(void) close(s2);
goto bad;
}
FD_ZERO(&fdset);
FD_SET(s, &fdset);
FD_SET(s2, &fdset);
while ((selret = select(FD_SETSIZE, &fdset, (fd_set *)0,
(fd_set *)0, (struct timeval *)0)) > 0) {
if (FD_ISSET(s, &fdset)) {
/*
* Something's wrong: we should get no
* data on this connection at this point,
* so we assume that the connection has
* gone away.
*/
(void) close(s2);
goto bad;
}
if (FD_ISSET(s2, &fdset)) {
/*
* We assume this is an incoming connect
* request and proceed normally.
*/
s3 = accept(s2, (struct sockaddr *)&faddr,
&len);
FD_CLR(s2, &fdset);
(void) close(s2);
if (s3 < 0) {
perror("accept");
lport = 0;
goto bad;
}
else
break;
}
}
if (selret == -1) {
/*
* This should not happen, and we treat it as
* a fatal error.
*/
(void) close(s2);
goto bad;
}
*fd2p = s3;
switch (faddr.ss_family) {
case AF_INET:
sin = (struct sockaddr_in *)&faddr;
if (ntohs(sin->sin_port) >= IPPORT_RESERVED) {
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"socket: protocol failure in circuit "
"setup.\n"));
goto bad2;
}
break;
case AF_INET6:
sin6 = (struct sockaddr_in6 *)&faddr;
if (ntohs(sin6->sin6_port) >= IPPORT_RESERVED) {
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"socket: protocol failure in circuit "
"setup.\n"));
goto bad2;
}
break;
default:
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"socket: protocol failure in circuit setup.\n"));
goto bad2;
}
}
(void) write(s, locuser, strlen(locuser)+1);
(void) write(s, remuser, strlen(remuser)+1);
(void) write(s, cmd, strlen(cmd)+1);
retval = read(s, &c, 1);
if (retval != 1) {
if (retval == 0) {
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"Protocol error, %s closed connection\n"),
*ahost);
} else if (retval < 0) {
perror(*ahost);
} else {
(void) fprintf(stderr,
_dgettext(TEXT_DOMAIN,
"Protocol error, %s sent %d bytes\n"),
*ahost, retval);
}
goto bad2;
}
if (c != 0) {
while (read(s, &c, 1) == 1) {
(void) write(2, &c, 1);
if (c == '\n')
break;
}
goto bad2;
}
#ifdef SYSV
/* restore original SIGPIPE handler */
(void) _sigaction(SIGPIPE, &oldaction, (struct sigaction *)0);
/* restore original signal mask */
(void) _sigprocmask(SIG_SETMASK, &oldmask, (sigset_t *)0);
#else
sigsetmask(oldmask);
#endif /* SYSV */
freeaddrinfo(resp);
return (s);
bad2:
if (lport)
(void) close(*fd2p);
bad:
(void) close(s);
#ifdef SYSV
/* restore original SIGPIPE handler */
(void) _sigaction(SIGPIPE, &oldaction, (struct sigaction *)0);
/* restore original signal mask */
(void) _sigprocmask(SIG_SETMASK, &oldmask, (sigset_t *)0);
#else
sigsetmask(oldmask);
#endif /* SYSV */
freeaddrinfo(resp);
return (-1);
}
int
rcmd_af(char **ahost, int porta, const char *locuser, const char *remuser,
const char *cmd, int *fd2p, int af)
{
static char hbuf[HOST_NAME_MAX+1];
char pbuf[NI_MAXSERV];
struct addrinfo hints, *res, *r;
int error;
struct sockaddr_storage from;
sigset_t oldmask, mask;
pid_t pid;
int s, lport;
struct timespec timo;
char c, *p;
int refused;
in_port_t rport = porta;
int numread;
/* call rcmdsh() with specified remote shell if appropriate. */
if (!issetugid() && (p = getenv("RSH")) && *p) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, p));
}
/* use rsh(1) if non-root and remote port is shell. */
if (geteuid()) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, NULL));
}
pid = getpid();
snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport));
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
error = getaddrinfo(*ahost, pbuf, &hints, &res);
if (error) {
(void)fprintf(stderr, "rcmd: %s: %s\n", *ahost,
gai_strerror(error));
return (-1);
}
if (res->ai_canonname) {
strlcpy(hbuf, res->ai_canonname, sizeof(hbuf));
*ahost = hbuf;
} else
; /*XXX*/
r = res;
refused = 0;
timespecclear(&timo);
sigemptyset(&mask);
sigaddset(&mask, SIGURG);
sigprocmask(SIG_BLOCK, &mask, &oldmask);
for (timo.tv_sec = 1, lport = IPPORT_RESERVED - 1;;) {
s = rresvport_af(&lport, r->ai_family);
if (s < 0) {
if (errno == EAGAIN)
(void)fprintf(stderr,
"rcmd: socket: All ports in use\n");
else
(void)fprintf(stderr, "rcmd: socket: %s\n",
strerror(errno));
if (r->ai_next) {
r = r->ai_next;
continue;
} else {
sigprocmask(SIG_SETMASK, &oldmask, NULL);
freeaddrinfo(res);
return (-1);
}
}
fcntl(s, F_SETOWN, pid);
if (connect(s, r->ai_addr, r->ai_addrlen) >= 0)
break;
(void)close(s);
if (errno == EADDRINUSE) {
lport--;
continue;
}
if (errno == ECONNREFUSED)
refused++;
if (r->ai_next) {
int oerrno = errno;
char hbuf[NI_MAXHOST];
const int niflags = NI_NUMERICHOST;
hbuf[0] = '\0';
if (getnameinfo(r->ai_addr, r->ai_addrlen,
hbuf, sizeof(hbuf), NULL, 0, niflags) != 0)
strlcpy(hbuf, "(invalid)", sizeof hbuf);
(void)fprintf(stderr, "connect to address %s: ", hbuf);
errno = oerrno;
perror(0);
r = r->ai_next;
hbuf[0] = '\0';
if (getnameinfo(r->ai_addr, r->ai_addrlen,
hbuf, sizeof(hbuf), NULL, 0, niflags) != 0)
strlcpy(hbuf, "(invalid)", sizeof hbuf);
(void)fprintf(stderr, "Trying %s...\n", hbuf);
continue;
}
if (refused && timo.tv_sec <= 16) {
(void)nanosleep(&timo, NULL);
timo.tv_sec *= 2;
r = res;
refused = 0;
continue;
}
(void)fprintf(stderr, "%s: %s\n", res->ai_canonname,
strerror(errno));
sigprocmask(SIG_SETMASK, &oldmask, NULL);
freeaddrinfo(res);
return (-1);
}
/* given "af" can be PF_UNSPEC, we need the real af for "s" */
af = r->ai_family;
freeaddrinfo(res);
if (fd2p == 0) {
write(s, "", 1);
lport = 0;
} else {
struct pollfd pfd[2];
char num[8];
int s2 = rresvport_af(&lport, af), s3;
socklen_t len = sizeof(from);
if (s2 < 0)
goto bad;
listen(s2, 1);
(void)snprintf(num, sizeof(num), "%d", lport);
if (write(s, num, strlen(num)+1) != strlen(num)+1) {
(void)fprintf(stderr,
"rcmd: write (setting up stderr): %s\n",
strerror(errno));
(void)close(s2);
goto bad;
}
again:
pfd[0].fd = s;
pfd[0].events = POLLIN;
pfd[1].fd = s2;
pfd[1].events = POLLIN;
errno = 0;
if (poll(pfd, 2, INFTIM) < 1 ||
(pfd[1].revents & (POLLIN|POLLHUP)) == 0) {
if (errno != 0)
(void)fprintf(stderr,
"rcmd: poll (setting up stderr): %s\n",
strerror(errno));
else
(void)fprintf(stderr,
"poll: protocol failure in circuit setup\n");
(void)close(s2);
goto bad;
}
s3 = accept(s2, (struct sockaddr *)&from, &len);
if (s3 < 0) {
(void)fprintf(stderr,
"rcmd: accept: %s\n", strerror(errno));
lport = 0;
close(s2);
goto bad;
}
/*
* XXX careful for ftp bounce attacks. If discovered, shut them
* down and check for the real auxiliary channel to connect.
*/
switch (from.ss_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo((struct sockaddr *)&from, len,
NULL, 0, num, sizeof(num), NI_NUMERICSERV) == 0 &&
atoi(num) != 20) {
break;
}
close(s3);
goto again;
default:
break;
}
(void)close(s2);
*fd2p = s3;
switch (from.ss_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo((struct sockaddr *)&from, len,
NULL, 0, num, sizeof(num), NI_NUMERICSERV) != 0 ||
(atoi(num) >= IPPORT_RESERVED ||
atoi(num) < IPPORT_RESERVED / 2)) {
(void)fprintf(stderr,
"socket: protocol failure in circuit setup.\n");
goto bad2;
}
break;
default:
break;
}
}
(void)write(s, locuser, strlen(locuser)+1);
(void)write(s, remuser, strlen(remuser)+1);
(void)write(s, cmd, strlen(cmd)+1);
if ((numread = read(s, &c, 1)) != 1) {
(void)fprintf(stderr,
"rcmd: %s: %s\n", *ahost,
numread == -1 ? strerror(errno) : "Short read");
goto bad2;
}
if (c != 0) {
while (read(s, &c, 1) == 1) {
(void)write(STDERR_FILENO, &c, 1);
if (c == '\n')
break;
}
goto bad2;
}
sigprocmask(SIG_SETMASK, &oldmask, NULL);
return (s);
bad2:
if (lport)
(void)close(*fd2p);
bad:
(void)close(s);
sigprocmask(SIG_SETMASK, &oldmask, NULL);
return (-1);
}
/*
* Create a TCP connection to host "rhost" at port "rport".
* If rport == 0, then use the printer service port.
* Most of this code comes from rcmd.c.
*/
int
getport(char *rhost, int rport)
{
struct addrinfo hints, *res, *r;
u_int timo = 1;
int s, lport = IPPORT_RESERVED - 1;
int error;
int refuse, trial;
char pbuf[NI_MAXSERV];
/*
* Get the host address and port number to connect to.
*/
if (rhost == NULL)
fatal("no remote host to connect to");
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if (rport)
snprintf(pbuf, sizeof(pbuf), "%d", rport);
else
snprintf(pbuf, sizeof(pbuf), "printer");
siginterrupt(SIGINT, 1);
error = getaddrinfo(rhost, pbuf, &hints, &res);
siginterrupt(SIGINT, 0);
if (error)
fatal("printer/tcp: %s", gai_strerror(error));
/*
* Try connecting to the server.
*/
retry:
s = -1;
refuse = trial = 0;
for (r = res; r; r = r->ai_next) {
trial++;
retryport:
PRIV_START;
s = rresvport_af(&lport, r->ai_family);
PRIV_END;
if (s < 0) {
/* fall back to non-privileged port */
if (errno != EACCES ||
(s = socket(r->ai_family, SOCK_STREAM, 0)) < 0) {
freeaddrinfo(res);
return(-1);
}
}
siginterrupt(SIGINT, 1);
if (connect(s, r->ai_addr, r->ai_addrlen) < 0) {
error = errno;
siginterrupt(SIGINT, 0);
(void)close(s);
s = -1;
errno = error;
if (errno == EADDRINUSE) {
lport--;
goto retryport;
} else if (errno == ECONNREFUSED)
refuse++;
continue;
} else {
siginterrupt(SIGINT, 0);
break;
}
}
if (s < 0 && trial == refuse && timo <= 16) {
sleep(timo);
timo *= 2;
goto retry;
}
if (res)
freeaddrinfo(res);
/* Don't worry if we get an error from setsockopt(). */
trial = 1;
setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, &trial, sizeof(trial));
return(s);
}
int
rcmd_af(char **ahost, int porta, const char *locuser, const char *remuser,
const char *cmd, int *fd2p, int af)
{
static char hbuf[MAXHOSTNAMELEN];
char pbuf[NI_MAXSERV];
struct addrinfo hints, *res, *r;
int error;
struct sockaddr_storage from;
fd_set *readsp = NULL;
sigset_t oldmask, mask;
pid_t pid;
int s, lport, timo;
char c, *p;
int refused;
in_port_t rport = porta;
/* call rcmdsh() with specified remote shell if appropriate. */
if (!issetugid() && (p = getenv("RSH")) && *p) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, p));
}
/* use rsh(1) if non-root and remote port is shell. */
if (geteuid()) {
struct servent *sp = getservbyname("shell", "tcp");
if (sp && sp->s_port == rport)
return (rcmdsh(ahost, rport, locuser, remuser,
cmd, NULL));
}
pid = getpid();
snprintf(pbuf, sizeof(pbuf), "%u", ntohs(rport));
memset(&hints, 0, sizeof(hints));
hints.ai_family = af;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
error = getaddrinfo(*ahost, pbuf, &hints, &res);
if (error) {
#if 0
warnx("%s: %s", *ahost, gai_strerror(error));
#endif
return (-1);
}
if (res->ai_canonname) {
strlcpy(hbuf, res->ai_canonname, sizeof(hbuf));
*ahost = hbuf;
} else
; /*XXX*/
r = res;
refused = 0;
sigemptyset(&mask);
sigaddset(&mask, SIGURG);
sigprocmask(SIG_BLOCK, &mask, &oldmask);
for (timo = 1, lport = IPPORT_RESERVED - 1;;) {
s = rresvport_af(&lport, r->ai_family);
if (s < 0) {
if (errno == EAGAIN)
(void)fprintf(stderr,
"rcmd: socket: All ports in use\n");
else
(void)fprintf(stderr, "rcmd: socket: %s\n",
strerror(errno));
if (r->ai_next) {
r = r->ai_next;
continue;
} else {
sigprocmask(SIG_SETMASK, &oldmask, NULL);
freeaddrinfo(res);
return (-1);
}
}
fcntl(s, F_SETOWN, pid);
if (connect(s, r->ai_addr, r->ai_addrlen) >= 0)
break;
(void)close(s);
if (errno == EADDRINUSE) {
lport--;
continue;
}
if (errno == ECONNREFUSED)
refused++;
if (r->ai_next) {
int oerrno = errno;
char hbuf[NI_MAXHOST];
const int niflags = NI_NUMERICHOST;
hbuf[0] = '\0';
if (getnameinfo(r->ai_addr, r->ai_addrlen,
hbuf, sizeof(hbuf), NULL, 0, niflags) != 0)
strlcpy(hbuf, "(invalid)", sizeof hbuf);
(void)fprintf(stderr, "connect to address %s: ", hbuf);
errno = oerrno;
perror(0);
r = r->ai_next;
hbuf[0] = '\0';
if (getnameinfo(r->ai_addr, r->ai_addrlen,
hbuf, sizeof(hbuf), NULL, 0, niflags) != 0)
strlcpy(hbuf, "(invalid)", sizeof hbuf);
(void)fprintf(stderr, "Trying %s...\n", hbuf);
continue;
}
if (refused && timo <= 16) {
(void)sleep(timo);
timo *= 2;
r = res;
refused = 0;
continue;
}
(void)fprintf(stderr, "%s: %s\n", res->ai_canonname,
strerror(errno));
sigprocmask(SIG_SETMASK, &oldmask, NULL);
freeaddrinfo(res);
return (-1);
}
/* given "af" can be PF_UNSPEC, we need the real af for "s" */
af = r->ai_family;
freeaddrinfo(res);
#if 0
/*
* try to rresvport() to the same port. This will make rresvport()
* fail it's first bind, resulting in it choosing a random port.
*/
lport--;
#endif
if (fd2p == 0) {
write(s, "", 1);
lport = 0;
} else {
char num[8];
int s2 = rresvport_af(&lport, af), s3;
socklen_t len = sizeof(from);
int fdssize = howmany(MAX(s, s2)+1, NFDBITS) * sizeof(fd_mask);
if (s2 < 0)
goto bad;
readsp = (fd_set *)malloc(fdssize);
if (readsp == NULL) {
close(s2);
goto bad;
}
listen(s2, 1);
(void)snprintf(num, sizeof(num), "%d", lport);
if (write(s, num, strlen(num)+1) != strlen(num)+1) {
(void)fprintf(stderr,
"rcmd: write (setting up stderr): %s\n",
strerror(errno));
(void)close(s2);
goto bad;
}
again:
bzero(readsp, fdssize);
FD_SET(s, readsp);
FD_SET(s2, readsp);
errno = 0;
if (select(MAX(s, s2) + 1, readsp, 0, 0, 0) < 1 ||
!FD_ISSET(s2, readsp)) {
if (errno != 0)
(void)fprintf(stderr,
"rcmd: select (setting up stderr): %s\n",
strerror(errno));
else
(void)fprintf(stderr,
"select: protocol failure in circuit setup\n");
(void)close(s2);
goto bad;
}
s3 = accept(s2, (struct sockaddr *)&from, &len);
if (s3 < 0) {
(void)fprintf(stderr,
"rcmd: accept: %s\n", strerror(errno));
lport = 0;
close(s2);
goto bad;
}
/*
* XXX careful for ftp bounce attacks. If discovered, shut them
* down and check for the real auxiliary channel to connect.
*/
switch (from.ss_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo((struct sockaddr *)&from, len,
NULL, 0, num, sizeof(num), NI_NUMERICSERV) == 0 &&
atoi(num) != 20) {
break;
}
close(s3);
goto again;
default:
break;
}
(void)close(s2);
*fd2p = s3;
switch (from.ss_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo((struct sockaddr *)&from, len,
NULL, 0, num, sizeof(num), NI_NUMERICSERV) != 0 ||
(atoi(num) >= IPPORT_RESERVED ||
atoi(num) < IPPORT_RESERVED / 2)) {
(void)fprintf(stderr,
"socket: protocol failure in circuit setup.\n");
goto bad2;
}
break;
default:
break;
}
}
(void)write(s, locuser, strlen(locuser)+1);
(void)write(s, remuser, strlen(remuser)+1);
(void)write(s, cmd, strlen(cmd)+1);
if (read(s, &c, 1) != 1) {
(void)fprintf(stderr,
"rcmd: %s: %s\n", *ahost, strerror(errno));
goto bad2;
}
if (c != 0) {
while (read(s, &c, 1) == 1) {
(void)write(STDERR_FILENO, &c, 1);
if (c == '\n')
break;
}
goto bad2;
}
sigprocmask(SIG_SETMASK, &oldmask, NULL);
free(readsp);
return (s);
bad2:
if (lport)
(void)close(*fd2p);
bad:
if (readsp)
free(readsp);
(void)close(s);
sigprocmask(SIG_SETMASK, &oldmask, NULL);
return (-1);
}
