void file_manager::add_nfs_client(net_socket *sock)
{
uchar size[2];
char filename[300],mode[20],*mp;
if (sock->read(size,2)!=2) { delete sock; return ; }
if (sock->read(filename,size[0])!=size[0]) { delete sock; return ; }
if (sock->read(mode,size[1])!=size[1]) { delete sock; return ; }
secure_filename(filename,mode); // make sure this filename isn't a security risk
if (filename[0]==0) { dprintf("(denied)\n"); delete sock; return ; }
mp=mode;
int flags=0;
#ifdef __WATCOMC__
flags|=O_BINARY;
#endif
while (*mp)
{
if (*mp=='w') flags|=O_CREAT|O_RDWR;
else if (*mp=='r') flags|=O_RDONLY;
mp++;
}
#ifdef __MAC__
int f=open(macify_name(filename),flags);
#else
int f=open(filename,flags,S_IRWXU | S_IRWXG | S_IRWXO);
#endif
FILE *fp=fopen("open.log","ab");
fprintf(fp,"open file %s, fd=%d\n",filename,f);
fclose(fp);
if (f<0)
f=-1; // make sure this is -1
long ret=lltl(f);
if (sock->write(&ret,sizeof(ret))!=sizeof(ret)) { delete sock; return ; }
if (f<0) // no file, sorry
delete sock;
else
{
long cur_pos=lseek(f,0,SEEK_CUR);
long size=lseek(f,0,SEEK_END);
lseek(f,cur_pos,SEEK_SET);
size=lltl(size);
if (sock->write(&size,sizeof(size))!=sizeof(size)) { close(f); delete sock; sock=NULL; return ; }
nfs_list=new nfs_client(sock,f,nfs_list);
nfs_list->size=size;
}
}
static FILE *
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
int log_missing, char *file_type)
{
char line[1024];
struct stat st;
int fd;
FILE *f;
if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
if (log_missing || errno != ENOENT)
debug("Could not open %s '%s': %s", file_type, file,
strerror(errno));
return NULL;
}
if (fstat(fd, &st) < 0) {
close(fd);
return NULL;
}
if (!S_ISREG(st.st_mode)) {
logit("User %s %s %s is not a regular file",
pw->pw_name, file_type, file);
close(fd);
return NULL;
}
unset_nonblock(fd);
if ((f = fdopen(fd, "r")) == NULL) {
close(fd);
return NULL;
}
if (strict_modes &&
secure_filename(f, file, pw, line, sizeof(line)) != 0) {
fclose(f);
logit("Authentication refused: %s", line);
auth_debug_add("Ignored %s: %s", file_type, line);
return NULL;
}
return f;
}
FILE *
auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
{
char line[1024];
struct stat st;
int fd;
FILE *f;
/*
* Open the file containing the authorized keys
* Fail quietly if file does not exist
*/
if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
return NULL;
if (fstat(fd, &st) < 0) {
close(fd);
return NULL;
}
if (!S_ISREG(st.st_mode)) {
logit("User %s authorized keys %s is not a regular file",
pw->pw_name, file);
close(fd);
return NULL;
}
unset_nonblock(fd);
if ((f = fdopen(fd, "r")) == NULL) {
close(fd);
return NULL;
}
if (options.strict_modes &&
secure_filename(f, file, pw, line, sizeof(line)) != 0) {
fclose(f);
logit("Authentication refused: %s", line);
return NULL;
}
return f;
}
/* return 1 if user allows given key */
static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
char line[SSH_MAX_PUBKEY_BYTES];
int found_key = 0;
FILE *f;
u_long linenum = 0;
struct stat st;
Key *found;
char *fp;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
debug("trying public key file %s", file);
/* Fail quietly if file does not exist */
if (stat(file, &st) < 0) {
/* Restore the privileged uid. */
restore_uid();
return 0;
}
/* Open the file containing the authorized keys. */
f = fopen(file, "r");
if (!f) {
/* Restore the privileged uid. */
restore_uid();
return 0;
}
if (options.strict_modes &&
secure_filename(f, file, pw, line, sizeof(line)) != 0) {
fclose(f);
logit("Authentication refused: %s", line);
restore_uid();
return 0;
}
found_key = 0;
found = key_new(key->type);
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
if (key_read(found, &cp) != 1) {
/* no key? check if there are options for this key */
int quoted = 0;
debug2("user_key_allowed: check options: '%s'", cp);
key_options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
else if (*cp == '"')
quoted = !quoted;
}
/* Skip remaining whitespace. */
for (; *cp == ' ' || *cp == '\t'; cp++)
;
if (key_read(found, &cp) != 1) {
debug2("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line*/
continue;
}
}
if (key_equal(found, key) &&
auth_parse_options(pw, key_options, file, linenum) == 1) {
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
break;
}
}
restore_uid();
fclose(f);
key_free(found);
if (!found_key)
debug2("key not found");
return found_key;
}
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
char line[8192], *file;
int allowed = 0;
u_int bits;
FILE *f;
u_long linenum = 0;
struct stat st;
Key *key;
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
/* The authorized keys. */
file = authorized_keys_file(pw);
debug("trying public RSA key file %s", file);
/* Fail quietly if file does not exist */
if (stat(file, &st) < 0) {
/* Restore the privileged uid. */
restore_uid();
xfree(file);
return (0);
}
/* Open the file containing the authorized keys. */
f = fopen(file, "r");
if (!f) {
/* Restore the privileged uid. */
restore_uid();
xfree(file);
return (0);
}
if (options.strict_modes &&
secure_filename(f, file, pw, line, sizeof(line)) != 0) {
xfree(file);
fclose(f);
log("Authentication refused: %s", line);
restore_uid();
return (0);
}
/* Flag indicating whether the key is allowed. */
allowed = 0;
key = key_new(KEY_RSA1);
/*
* Go though the accepted keys, looking for the current key. If
* found, perform a challenge-response dialog to verify that the
* user really has the corresponding private key.
*/
while (fgets(line, sizeof(line), f)) {
char *cp;
char *options;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
/*
* Check if there are options for this key, and if so,
* save their starting address and skip the option part
* for now. If there are no options, set the starting
* address to NULL.
*/
if (*cp < '0' || *cp > '9') {
int quoted = 0;
options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
else if (*cp == '"')
quoted = !quoted;
}
} else
options = NULL;
/* Parse the key from the line. */
if (hostfile_read_key(&cp, &bits, key) == 0) {
debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
}
/* cp now points to the comment part. */
/* Check if the we have found the desired key (identified by its modulus). */
if (BN_cmp(key->rsa->n, client_n) != 0)
continue;
/* check the real bits */
if (bits != BN_num_bits(key->rsa->n))
log("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
/* We have found the desired key. */
/*
* If our options do not allow this key to be used,
* do not send challenge.
*/
if (!auth_parse_options(pw, options, file, linenum))
continue;
/* break out, this key is allowed */
allowed = 1;
break;
}
/* Restore the privileged uid. */
restore_uid();
/* Close the file. */
xfree(file);
fclose(f);
/* return key if allowed */
if (allowed && rkey != NULL)
*rkey = key;
else
key_free(key);
return (allowed);
}
int file_manager::rf_open_file(char *&filename, char *mode)
{
net_address *fs_server_addr=NULL;
if (filename[0]=='/' && filename[1]=='/') // passive server file reference?
{
filename+=2;
fs_server_addr=prot->get_node_address(filename,DEFAULT_COMM_PORT,0);
if (!fs_server_addr)
{
dprintf("couldn not get address for %s\n",filename);
return -1;
}
} else if (default_fs)
fs_server_addr=default_fs->copy();
if (fs_server_addr)
{
net_socket *sock=proto->connect_to_server(fs_server_addr,net_socket::SOCKET_SECURE);
delete fs_server_addr;
if (!sock)
{
dprintf("unable to connect\n");
return -1;
}
remote_file *rf=new remote_file(sock,filename,mode,remote_list);
if (rf->open_failure())
{
delete rf;
return -1;
}
else
{
remote_list=rf;
return rf->sock->get_fd();
}
}
secure_filename(filename,mode);
if (filename[0]==0) return -1;
int flags=0;
while (*mode)
{
if (*mode=='w') flags|=O_CREAT|O_RDWR;
else if (*mode=='r') flags|=O_RDONLY;
mode++;
}
#ifdef __MAC__
int f=open(macify_name(filename),flags);
#else
int f=open(filename,flags,S_IRWXU | S_IRWXG | S_IRWXO);
#endif
if (f>=0)
{ close(f);
return -2;
}
return -1;
}