From: maja
Date: Tue, 11 Mar 1997 09:12:25 +0000 (+0000)
Subject: Now with support for "secure" maps a'la FreeBSD. Support exists in makedbm
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3bbc0e8a380fa4c21144e6efd00e07f9d5f0e632;p=openbsd
Now with support for "secure" maps a'la FreeBSD. Support exists in makedbm and ypxfrd since dawn of time. Support is missing in YP-makefile and in libc. I have the changes for YP-makefile to support master.passwd but since the support is missing in libc I will not commit them yet.
-moj
---
diff --git a/usr.sbin/ypserv/ypserv/ypserv_db.c b/usr.sbin/ypserv/ypserv/ypserv_db.c
index 1d7ef585aca..66700cf82c8 100644
--- a/usr.sbin/ypserv/ypserv/ypserv_db.c
+++ b/usr.sbin/ypserv/ypserv/ypserv_db.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypserv_db.c,v 1.9 1996/12/02 21:14:16 deraadt Exp $ */
+/* $OpenBSD: ypserv_db.c,v 1.10 1997/03/11 09:12:25 maja Exp $ */
 /*
  * Copyright (c) 1994 Mats O Jansson
@@ -34,7 +34,7 @@
  */
 #ifndef LINT
-static char rcsid[] = "$OpenBSD: ypserv_db.c,v 1.9 1996/12/02 21:14:16 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: ypserv_db.c,v 1.10 1997/03/11 09:12:25 maja Exp $";
 #endif
 /*
@@ -75,6 +75,7 @@ struct opt_map {
 DBM *db; /* database */
 struct opt_domain *dom; /* back ptr to our domain */
 int host_lookup; /* host lookup */
+ int secure; /* secure map? */
 CIRCLEQ_ENTRY(opt_map) mapsq; /* map queue pointers */
 LIST_ENTRY(opt_map) mapsl; /* map list pointers */
 };
@@ -226,6 +227,7 @@ ypdb_open_db(domain, map, status, map_info)
 {
 char map_path[MAXPATHLEN];
 static char *domain_key = YP_INTERDOMAIN_KEY;
+ static char *secure_key = YP_SECURE_KEY;
 struct stat finfo;
 DBM *db;
 int fd;
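Review bot: The new `secure` member of struct opt_map is documented only as `/* secure map? */`, which says neither how the flag is derived nor what it gates; since ypdb_open_db sets it from the presence of a YP_SECURE_KEY record and ypserv_proc.c restricts lookups on it, the comment should say so, e.g. `int secure; /* TRUE if the map holds a YP_SECURE_KEY record; ypserv_proc.c then limits who may read it */`. The `secure_key` static added to ypdb_open_db in the following hunk mirrors the existing `domain_key` and needs nothing more, but ypdb_open_db's body begins and ends outside these hunks.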
@@ -359,11 +361,16 @@ ypdb_open_db(domain, map, status, map_info)
 m->host_lookup = TRUE;
 }
 }
+ m->secure = FALSE;
+ k.dptr = secure_key;
+ k.dsize = YP_SECURE_LEN;
+ v = ypdb_fetch(db,k);
+ if (v.dptr) m->secure = TRUE;
 *status = YP_TRUE;
 if (map_info) *map_info = m;
 #ifdef DEBUG
- yplog(" ypdb_open_db: NEW MAP domain=%s, map=%s, hl=%d, db=0x%x",
- domain, map, m->host_lookup, m->db);
+ yplog(" ypdb_open_db: NEW MAP domain=%s, map=%s, hl=%d, s=%d, db=0x%x",
+ domain, map, m->host_lookup, m->secure, m->db);
 #endif
 return(m->db);
 }
@@ -750,3 +757,27 @@ ypdb_xdr_get_all(xdrs, req)
 return (TRUE);
 }
+
+int
+ypdb_secure(domain, map)
+ domainname domain;
+ mapname map;
+{
+ static ypresp_val res;
+ DBM *db;
+ int secure;
+ struct opt_map *map_info = NULL;
+
+ bzero((char *)&res, sizeof(res));
+ secure = FALSE;
+
+ db = ypdb_open_db(domain, map, &res.stat, &map_info);
+ if (!db || res.stat < 0)
+ return(secure); /* ? */
+ if (map_info)
+ secure = map_info->secure;
+
+ ypdb_close_db(db);
+ return(secure);
+}
+
diff --git a/usr.sbin/ypserv/ypserv/ypserv_proc.c b/usr.sbin/ypserv/ypserv/ypserv_proc.c
index d904d75e49f..4d58d098b69 100644
--- a/usr.sbin/ypserv/ypserv/ypserv_proc.c
+++ b/usr.sbin/ypserv/ypserv/ypserv_proc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypserv_proc.c,v 1.8 1996/10/03 19:50:57 deraadt Exp $ */
+/* $OpenBSD: ypserv_proc.c,v 1.9 1997/03/11 09:12:27 maja Exp $ */
 /*
  * Copyright (c) 1994 Mats O Jansson
@@ -32,7 +32,7 @@
  */
 #ifndef LINT
-static char rcsid[] = "$OpenBSD: ypserv_proc.c,v 1.8 1996/10/03 19:50:57 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: ypserv_proc.c,v 1.9 1997/03/11 09:12:27 maja Exp $";
 #endif
 #include
@@ -66,6 +66,7 @@ extern ypresp_order ypdb_get_order();
 extern ypresp_master ypdb_get_master();
 extern bool_t ypdb_xdr_get_all();
 extern void ypdb_close_all();
+extern int ypdb_secure();
 static char *True = "true";
 static char *False = "FALSE";
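Review bot: The rewritten yplog line keeps printing `m->db`, a `DBM *`, through `0x%x`; if yplog hands its arguments to a printf-style formatter (it looks like one), that is a format/argument mismatch wherever a pointer is wider than an int, and `%p` with `(void *)m->db` is the portable spelling. The secure probe itself (`k.dptr = secure_key;` … `if (v.dptr) m->secure = TRUE;`) follows the existing host_lookup probe just above it and reads fine, but a one-line comment such as `/* a YP_SECURE_KEY record marks the map as secure; ypserv_proc.c restricts its lookups */` would tell the next reader what the flag means. ypdb_open_db starts outside this hunk.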
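Review bot: ypdb_secure answers "not secure" whenever ypdb_open_db fails (`return(secure); /* ? */`), which is fail-open; that is defensible only because every caller in ypserv_proc.c immediately repeats the open through a ypdb_get_* call that fails the same way, and that reasoning should replace the `/* ? */`. `res` does not need to be a function-static `ypresp_val` when only `&res.stat` is passed on — a plain local of the status type, zeroed at declaration, does the same job without a static. The `ypdb_close_db(db)` right after a successful open deserves a look: ypdb_open_db logs NEW MAP and hands back a cached `map_info`, so depending on what ypdb_close_db does (not shown in this diff) this is either a no-op or evicts the entry the caller's next lookup re-opens straight away. A header comment stating the contract — returns TRUE only when the map holds a YP_SECURE_KEY record, FALSE also when the map cannot be opened — would serve the six callers.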
@@ -80,7 +81,7 @@ ypproc_null_2_svc(argp, rqstp)
 int ok = acl_check_host(&caller->sin_addr);
 YPLOG("null_2: caller=[%s].%d, auth_ok=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok));
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok));
 if (!ok) {
 svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
@@ -108,8 +109,8 @@ ypproc_domain_2_svc(argp, rqstp)
 (finfo.st_mode & S_IFDIR));
 YPLOG("domain_2: caller=[%s].%d, auth_ok=%s, domain=%s, served=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
- TORF(ok), *argp, TORF(result));
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), *argp, TORF(result));
 if (!ok) {
 svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
@@ -159,10 +160,12 @@ ypproc_match_2_svc(argp, rqstp)
 static ypresp_val res;
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
 YPLOG(
- "match_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s, key=%.*s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
+ "match_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure),
 argp->domain, argp->map, argp->key.keydat_len, argp->key.keydat_val);
 if (!ok) {
@@ -170,8 +173,12 @@ ypproc_match_2_svc(argp, rqstp)
 return(NULL);
 }
- res = ypdb_get_record(argp->domain,argp->map,argp->key, FALSE);
-
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.stat = YP_YPERR;
+ } else {
+ res = ypdb_get_record(argp->domain,argp->map,argp->key, FALSE);
+ }
+
 #ifdef DEBUG
 yplog(" match2_status: %s", yperr_string(ypprot_err(res.stat)));
 #endif
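Review bot: `int secure = ypdb_secure(argp->domain,argp->map);` runs among the declaration initializers, before the `if (!ok)` ACL check acts, so a host the ACL rejects now still causes a map open keyed by the caller-supplied domain and map names; before this change a rejected caller triggered no database work at all. Declare `int secure = FALSE;`, move `secure = ypdb_secure(argp->domain,argp->map);` to just after the ACL block, and either log the secure flag on a later line or accept that the pre-ACL log line cannot show it. The same ordering is repeated in first_2, next_2, all_2, master_2 and order_2. ypproc_match_2_svc continues beyond this hunk.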
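Review bot: On the deny branch only `res.stat` is assigned, yet `res` is the function-static `ypresp_val` declared in the previous hunk, so its `val` still holds whatever the previous — possibly privileged — call fetched; if xdr_ypresp_val serializes `val` regardless of `stat`, as the YP protocol's encoder does, that earlier record is sent to the unprivileged caller alongside the error. Clear the reply before flagging it: `bzero((char *)&res, sizeof(res));` ahead of `res.stat = YP_YPERR;`. first_2 and next_2 (`static ypresp_key_val res`, both key and val), master_2 (`res.peer`) and order_2 (`res.ordernum`) have the same shape; all_2 already zeroes `res` before its check and is fine.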
@@ -187,9 +194,11 @@ ypproc_first_2_svc(argp, rqstp)
 static ypresp_key_val res;
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
- YPLOG( "first_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
+ YPLOG( "first_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure),
 argp->domain, argp->map);
 if (!ok) {
@@ -197,7 +206,11 @@ ypproc_first_2_svc(argp, rqstp)
 return(NULL);
 }
- res = ypdb_get_first(argp->domain,argp->map,FALSE);
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.stat = YP_YPERR;
+ } else {
+ res = ypdb_get_first(argp->domain,argp->map,FALSE);
+ }
 #ifdef DEBUG
 yplog(" first2_status: %s", yperr_string(ypprot_err(res.stat)));
@@ -214,10 +227,12 @@ ypproc_next_2_svc(argp, rqstp)
 static ypresp_key_val res;
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
 YPLOG(
- "next_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s, key=%.*s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
+ "next_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s, key=%.*s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure),
 argp->domain, argp->map, argp->key.keydat_len, argp->key.keydat_val);
 if (!ok) {
@@ -225,8 +240,11 @@ ypproc_next_2_svc(argp, rqstp)
 return(NULL);
 }
- res = ypdb_get_next(argp->domain,argp->map,argp->key,FALSE);
-
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.stat = YP_YPERR;
+ } else {
+ res = ypdb_get_next(argp->domain,argp->map,argp->key,FALSE);
+ }
 #ifdef DEBUG
 yplog(" next2_status: %s", yperr_string(ypprot_err(res.stat)));
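Review bot: The deny test `secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)` is now spelled out six times (first_2 here, plus match_2, next_2, all_2, master_2 and order_2), which invites the copies to drift apart; one file-static helper keeps them identical: `static int secure_denied(int secure, struct sockaddr_in *caller) { return secure && ntohs(caller->sin_port) >= IPPORT_RESERVED; }`. That helper is also the right place to state what the test establishes, e.g. `/* a reserved source port at best shows the request came from a privileged process on the sending host; the host itself is trusted only through acl_check_host() */`, so nobody later mistakes it for host authentication. ypproc_first_2_svc continues beyond the hunk.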
@@ -335,10 +353,11 @@ ypproc_all_2_svc(argp, rqstp)
 pid_t pid;
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
- YPLOG( "all_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
- argp->domain, argp->map);
+ YPLOG( "all_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure), argp->domain, argp->map);
 if (!ok) {
 svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
@@ -347,16 +366,21 @@ ypproc_all_2_svc(argp, rqstp)
 bzero((char *)&res, sizeof(res));
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.ypresp_all_u.val.stat = YP_YPERR;
+ return(&res);
+ }
+
 pid = fork();
 if (pid) {
- if (pid == -1) {
- /* XXXCDC An error has occurred */
- }
-
- return(NULL); /* PARENT: continue */
-
+ if (pid == -1) {
+ /* XXXCDC An error has occurred */
+ }
+
+ return(NULL); /* PARENT: continue */
+
 }
 /* CHILD: send result, then exit */
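Review bot: On the deny path `res` has just been zeroed, so `res.more` is FALSE when `res.ypresp_all_u.val.stat = YP_YPERR` is set and `&res` returned; if ypresp_all is the discriminated union the YP protocol defines, the `val` arm — and the error status inside it — is only encoded when `more` is TRUE, and the unprivileged caller would see an empty, apparently successful, enumeration rather than an error. Confirm against xdr_ypresp_all; if that is what happens, set `res.more = TRUE;` before the return so the status is actually carried. The `pid == -1` branch the hunk re-indents still holds only the XXXCDC comment, so a failed fork drops the request without any reply — not introduced here, but worth a follow-up. ypproc_all_2_svc continues beyond this hunk.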
@@ -378,17 +402,22 @@ ypproc_master_2_svc(argp, rqstp)
 static peername nopeer = "";
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
- YPLOG( "master_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
- argp->domain, argp->map);
+ YPLOG( "master_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure), argp->domain, argp->map);
 if (!ok) {
 svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 return(NULL);
 }
- res = ypdb_get_master(argp->domain,argp->map);
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.stat = YP_YPERR;
+ } else {
+ res = ypdb_get_master(argp->domain,argp->map);
+ }
 #ifdef DEBUG
 yplog(" master2_status: %s", yperr_string(ypprot_err(res.stat)));
@@ -404,7 +433,7 @@ ypproc_master_2_svc(argp, rqstp)
 /* xdr_string in ypserv_xdr.c may be a better place? */
 if (res.peer == NULL) {
- res.peer = nopeer;
+ res.peer = nopeer;
 }
 /* End of fix */
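Review bot: Gating master_2 (and order_2 in the following hunk) on the secure flag withholds only the master host name and the map order number, metadata that reveals no map contents, while unprivileged clients that ask for them — presumably ypwhich-style queries and anything polling order numbers without a reserved port — will now receive YP_YPERR for every secure map. If that is the intended policy, a comment at the check should say so, e.g. `/* master/order of a secure map are withheld from unprivileged callers as well */`; if not, these two procedures can skip the check and keep it to the record-returning ones. The `if (res.peer == NULL)` fix-up further down does not help on the deny path, since a `peer` left from a previous call is non-NULL. ypproc_master_2_svc continues beyond these hunks.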
@@ -421,17 +450,22 @@ ypproc_order_2_svc(argp, rqstp)
 static ypresp_order res;
 struct sockaddr_in *caller = svc_getcaller(rqstp->rq_xprt);
 int ok = acl_check_host(&caller->sin_addr);
+ int secure = ypdb_secure(argp->domain,argp->map);
- YPLOG( "order_2: caller=[%s].%d, auth_ok=%s, domain=%s, map=%s",
- inet_ntoa(caller->sin_addr), ntohs(caller->sin_port), TORF(ok),
- argp->domain, argp->map);
+ YPLOG( "order_2: caller=[%s].%d, auth_ok=%s, secure=%s, domain=%s, map=%s",
+ inet_ntoa(caller->sin_addr), ntohs(caller->sin_port),
+ TORF(ok), TORF(secure), argp->domain, argp->map);
 if (!ok) {
 svcerr_auth(rqstp->rq_xprt, AUTH_FAILED);
 return(NULL);
 }
- res = ypdb_get_order(argp->domain,argp->map);
+ if (secure && (ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+ res.stat = YP_YPERR;
+ } else {
+ res = ypdb_get_order(argp->domain,argp->map);
+ }
 #ifdef DEBUG
 yplog(" order2_status: %s", yperr_string(ypprot_err(res.stat)));