File: | src/usr.sbin/authpf/authpf.c |
Warning: | line 103, column 7 Although the value stored to 'cp' is used in the enclosing expression, the value is never actually read from 'cp' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: authpf.c,v 1.129 2022/01/28 06:33:26 guenther Exp $ */ |
2 | |
3 | /* |
4 | * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). |
5 | * |
6 | * Permission to use, copy, modify, and distribute this software for any |
7 | * purpose with or without fee is hereby granted, provided that the above |
8 | * copyright notice and this permission notice appear in all copies. |
9 | * |
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | */ |
18 | |
19 | #include <sys/types.h> |
20 | #include <sys/ioctl.h> |
21 | #include <sys/socket.h> |
22 | #include <sys/stat.h> |
23 | #include <sys/wait.h> |
24 | |
25 | #include <netinet/in.h> |
26 | #include <arpa/inet.h> |
27 | #include <net/if.h> |
28 | #include <net/pfvar.h> |
29 | |
30 | #include <err.h> |
31 | #include <errno(*__errno()).h> |
32 | #include <fcntl.h> |
33 | #include <login_cap.h> |
34 | #include <pwd.h> |
35 | #include <grp.h> |
36 | #include <signal.h> |
37 | #include <stdio.h> |
38 | #include <stdlib.h> |
39 | #include <string.h> |
40 | #include <syslog.h> |
41 | #include <time.h> |
42 | #include <unistd.h> |
43 | |
44 | #include "pathnames.h" |
45 | |
46 | static int read_config(FILE *); |
47 | static void print_message(char *); |
48 | static int allowed_luser(struct passwd *); |
49 | static int check_luser(char *, char *); |
50 | static int remove_stale_rulesets(void); |
51 | static int recursive_ruleset_purge(char *, char *); |
52 | static int change_filter(int, const char *, const char *); |
53 | static int change_table(int, const char *); |
54 | static void authpf_kill_states(void); |
55 | |
56 | int dev; /* pf device */ |
57 | char anchorname[PF_ANCHOR_NAME_SIZE64] = "authpf"; |
58 | char rulesetname[PATH_MAX1024 - PF_ANCHOR_NAME_SIZE64 - 2]; |
59 | char tablename[PF_TABLE_NAME_SIZE32] = "authpf_users"; |
60 | int user_ip = 1; /* controls whether $user_ip is set */ |
61 | |
62 | FILE *pidfp; |
63 | int pidfd = -1; |
64 | char luser[LOGIN_NAME_MAX32]; /* username */ |
65 | char ipsrc[256]; /* ip as a string */ |
66 | char pidfile[PATH_MAX1024]; /* we save pid in this file. */ |
67 | |
68 | struct timespec Tstart, Tend; /* start and end times of session */ |
69 | |
70 | volatile sig_atomic_t want_death; |
71 | static void need_death(int signo); |
72 | static __dead__attribute__((__noreturn__)) void do_death(int); |
73 | extern char *__progname; /* program name */ |
74 | |
75 | /* |
76 | * User shell for authenticating gateways. Sole purpose is to allow |
77 | * a user to ssh to a gateway, and have the gateway modify packet |
78 | * filters to allow access, then remove access when the user finishes |
79 | * up. Meant to be used only from ssh(1) connections. |
80 | */ |
81 | int |
82 | main(int argc, char *argv[]) |
83 | { |
84 | int lockcnt = 0, n; |
85 | FILE *config; |
86 | struct in6_addr ina; |
87 | struct passwd *pw; |
88 | char *cp; |
89 | gid_t gid; |
90 | uid_t uid; |
91 | char *shell; |
92 | login_cap_t *lc; |
93 | |
94 | if (strcmp(__progname, "-authpf-noip") == 0) |
95 | user_ip = 0; |
96 | |
97 | config = fopen(PATH_CONFFILE"/etc/authpf/authpf.conf", "r"); |
98 | if (config == NULL((void *)0)) { |
99 | syslog(LOG_ERR3, "cannot open %s (%m)", PATH_CONFFILE"/etc/authpf/authpf.conf"); |
100 | exit(1); |
101 | } |
102 | |
103 | if ((cp = getenv("SSH_TTY")) == NULL((void *)0)) { |
Although the value stored to 'cp' is used in the enclosing expression, the value is never actually read from 'cp' | |
104 | syslog(LOG_ERR3, "non-interactive session connection for authpf"); |
105 | exit(1); |
106 | } |
107 | |
108 | if ((cp = getenv("SSH_CLIENT")) == NULL((void *)0)) { |
109 | syslog(LOG_ERR3, "cannot determine connection source"); |
110 | exit(1); |
111 | } |
112 | |
113 | if (strlcpy(ipsrc, cp, sizeof(ipsrc)) >= sizeof(ipsrc)) { |
114 | syslog(LOG_ERR3, "SSH_CLIENT variable too long"); |
115 | exit(1); |
116 | } |
117 | cp = strchr(ipsrc, ' '); |
118 | if (!cp) { |
119 | syslog(LOG_ERR3, "corrupt SSH_CLIENT variable %s", ipsrc); |
120 | exit(1); |
121 | } |
122 | *cp = '\0'; |
123 | if (inet_pton(AF_INET2, ipsrc, &ina) != 1 && |
124 | inet_pton(AF_INET624, ipsrc, &ina) != 1) { |
125 | syslog(LOG_ERR3, |
126 | "cannot determine IP from SSH_CLIENT %s", ipsrc); |
127 | exit(1); |
128 | } |
129 | /* open the pf device */ |
130 | dev = open(PATH_DEVFILE"/dev/pf", O_RDWR0x0002); |
131 | if (dev == -1) { |
132 | syslog(LOG_ERR3, "cannot open packet filter device (%m)"); |
133 | goto die; |
134 | } |
135 | |
136 | uid = getuid(); |
137 | pw = getpwuid(uid); |
138 | if (pw == NULL((void *)0)) { |
139 | syslog(LOG_ERR3, "cannot find user for uid %u", uid); |
140 | goto die; |
141 | } |
142 | |
143 | if ((lc = login_getclass(pw->pw_class)) != NULL((void *)0)) |
144 | shell = login_getcapstr(lc, "shell", pw->pw_shell, |
145 | pw->pw_shell); |
146 | else |
147 | shell = pw->pw_shell; |
148 | |
149 | login_close(lc); |
150 | |
151 | if (strcmp(shell, PATH_AUTHPF_SHELL"/usr/sbin/authpf") && |
152 | strcmp(shell, PATH_AUTHPF_SHELL_NOIP"/usr/sbin/authpf-noip")) { |
153 | syslog(LOG_ERR3, "wrong shell for user %s, uid %u", |
154 | pw->pw_name, pw->pw_uid); |
155 | if (shell != pw->pw_shell) |
156 | free(shell); |
157 | goto die; |
158 | } |
159 | |
160 | if (shell != pw->pw_shell) |
161 | free(shell); |
162 | |
163 | /* |
164 | * Paranoia, but this data _does_ come from outside authpf, and |
165 | * truncation would be bad. |
166 | */ |
167 | if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) { |
168 | syslog(LOG_ERR3, "username too long: %s", pw->pw_name); |
169 | goto die; |
170 | } |
171 | |
172 | if ((n = snprintf(rulesetname, sizeof(rulesetname), "%s(%ld)", |
173 | luser, (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) { |
174 | syslog(LOG_INFO6, "%s(%ld) too large, ruleset name will be %ld", |
175 | luser, (long)getpid(), (long)getpid()); |
176 | if ((n = snprintf(rulesetname, sizeof(rulesetname), "%ld", |
177 | (long)getpid())) < 0 || (u_int)n >= sizeof(rulesetname)) { |
178 | syslog(LOG_ERR3, "pid too large for ruleset name"); |
179 | goto die; |
180 | } |
181 | } |
182 | |
183 | |
184 | /* Make our entry in /var/authpf as ipaddr or username */ |
185 | n = snprintf(pidfile, sizeof(pidfile), "%s/%s", |
186 | PATH_PIDFILE"/var/authpf", user_ip ? ipsrc : luser); |
187 | if (n < 0 || (u_int)n >= sizeof(pidfile)) { |
188 | syslog(LOG_ERR3, "path to pidfile too long"); |
189 | goto die; |
190 | } |
191 | |
192 | signal(SIGTERM15, need_death); |
193 | signal(SIGINT2, need_death); |
194 | signal(SIGALRM14, need_death); |
195 | signal(SIGPIPE13, need_death); |
196 | signal(SIGHUP1, need_death); |
197 | signal(SIGQUIT3, need_death); |
198 | signal(SIGTSTP18, need_death); |
199 | |
200 | /* |
201 | * If someone else is already using this ip, then this person |
202 | * wants to switch users - so kill the old process and exit |
203 | * as well. |
204 | * |
205 | * Note, we could print a message and tell them to log out, but the |
206 | * usual case of this is that someone has left themselves logged in, |
207 | * with the authenticated connection iconized and someone else walks |
208 | * up to use and automatically logs in before using. If this just |
209 | * gets rid of the old one silently, the new user never knows they |
210 | * could have used someone else's old authentication. If we |
211 | * tell them to log out before switching users it is an invitation |
212 | * for abuse. |
213 | */ |
214 | |
215 | do { |
216 | int save_errno, otherpid = -1; |
217 | char otherluser[LOGIN_NAME_MAX32]; |
218 | |
219 | if ((pidfd = open(pidfile, O_RDWR0x0002|O_CREAT0x0200, 0644)) == -1 || |
220 | (pidfp = fdopen(pidfd, "r+")) == NULL((void *)0)) { |
221 | if (pidfd != -1) |
222 | close(pidfd); |
223 | syslog(LOG_ERR3, "cannot open or create %s: %s", pidfile, |
224 | strerror(errno(*__errno()))); |
225 | goto die; |
226 | } |
227 | |
228 | if (flock(fileno(pidfp)(!__isthreaded ? ((pidfp)->_file) : (fileno)(pidfp)), LOCK_EX0x02|LOCK_NB0x04) == 0) |
229 | break; |
230 | save_errno = errno(*__errno()); |
231 | |
232 | /* Mark our pid, and username to our file. */ |
233 | |
234 | rewind(pidfp); |
235 | /* 31 == MAXLOGNAME - 1 */ |
236 | if (fscanf(pidfp, "%d\n%31s\n", &otherpid, otherluser) != 2) |
237 | otherpid = -1; |
238 | syslog(LOG_DEBUG7, "tried to lock %s, in use by pid %d: %s", |
239 | pidfile, otherpid, strerror(save_errno)); |
240 | |
241 | if (otherpid > 0) { |
242 | syslog(LOG_INFO6, |
243 | "killing prior auth (pid %d) of %s by user %s", |
244 | otherpid, ipsrc, otherluser); |
245 | if (kill((pid_t) otherpid, SIGTERM15) == -1) { |
246 | syslog(LOG_INFO6, |
247 | "could not kill process %d: (%m)", |
248 | otherpid); |
249 | } |
250 | } |
251 | |
252 | /* |
253 | * We try to kill the previous process and acquire the lock |
254 | * for 10 seconds, trying once a second. if we can't after |
255 | * 10 attempts we log an error and give up. |
256 | */ |
257 | if (want_death || ++lockcnt > 10) { |
258 | if (!want_death) |
259 | syslog(LOG_ERR3, "cannot kill previous authpf (pid %d)", |
260 | otherpid); |
261 | fclose(pidfp); |
262 | pidfp = NULL((void *)0); |
263 | pidfd = -1; |
264 | goto dogdeath; |
265 | } |
266 | sleep(1); |
267 | |
268 | /* re-open, and try again. The previous authpf process |
269 | * we killed above should unlink the file and release |
270 | * its lock, giving us a chance to get it now |
271 | */ |
272 | fclose(pidfp); |
273 | pidfp = NULL((void *)0); |
274 | pidfd = -1; |
275 | } while (1); |
276 | |
277 | /* whack the group list */ |
278 | gid = getegid(); |
279 | if (setgroups(1, &gid) == -1) { |
280 | syslog(LOG_INFO6, "setgroups: %s", strerror(errno(*__errno()))); |
281 | do_death(0); |
282 | } |
283 | |
284 | /* revoke privs */ |
285 | uid = getuid(); |
286 | if (setresuid(uid, uid, uid) == -1) { |
287 | syslog(LOG_INFO6, "setresuid: %s", strerror(errno(*__errno()))); |
288 | do_death(0); |
289 | } |
290 | openlog("authpf", LOG_PID0x01 | LOG_NDELAY0x08, LOG_DAEMON(3<<3)); |
291 | |
292 | if (!check_luser(PATH_BAN_DIR"/etc/authpf/banned", luser) || !allowed_luser(pw)) { |
293 | syslog(LOG_INFO6, "user %s prohibited", luser); |
294 | do_death(0); |
295 | } |
296 | |
297 | if (read_config(config)) { |
298 | syslog(LOG_ERR3, "invalid config file %s", PATH_CONFFILE"/etc/authpf/authpf.conf"); |
299 | do_death(0); |
300 | } |
301 | |
302 | if (remove_stale_rulesets()) { |
303 | syslog(LOG_INFO6, "error removing stale rulesets"); |
304 | do_death(0); |
305 | } |
306 | |
307 | /* We appear to be making headway, so actually mark our pid */ |
308 | rewind(pidfp); |
309 | fprintf(pidfp, "%ld\n%s\n", (long)getpid(), luser); |
310 | fflush(pidfp); |
311 | (void) ftruncate(fileno(pidfp)(!__isthreaded ? ((pidfp)->_file) : (fileno)(pidfp)), ftello(pidfp)); |
312 | |
313 | if (change_filter(1, luser, ipsrc) == -1) { |
314 | printf("Unable to modify filters\r\n"); |
315 | do_death(0); |
316 | } |
317 | if (user_ip && change_table(1, ipsrc) == -1) { |
318 | printf("Unable to modify table\r\n"); |
319 | change_filter(0, luser, ipsrc); |
320 | do_death(0); |
321 | } |
322 | |
323 | while (1) { |
324 | struct stat sb; |
325 | char *path_message; |
326 | printf("\r\nHello %s. ", luser); |
327 | printf("You are authenticated from host \"%s\"\r\n", ipsrc); |
328 | setproctitle("%s@%s", luser, ipsrc); |
329 | if (asprintf(&path_message, "%s/%s/authpf.message", |
330 | PATH_USER_DIR"/etc/authpf/users", luser) == -1) |
331 | do_death(1); |
332 | if (stat(path_message, &sb) == -1 || ! S_ISREG(sb.st_mode)((sb.st_mode & 0170000) == 0100000)) { |
333 | free(path_message); |
334 | if ((path_message = strdup(PATH_MESSAGE"/etc/authpf/authpf.message")) == NULL((void *)0)) |
335 | do_death(1); |
336 | } |
337 | print_message(path_message); |
338 | while (1) { |
339 | sleep(10); |
340 | if (want_death) |
341 | do_death(1); |
342 | } |
343 | } |
344 | |
345 | dogdeath: |
346 | printf("\r\n\r\nSorry, this service is currently unavailable due to "); |
347 | printf("technical difficulties\r\n\r\n"); |
348 | print_message(PATH_PROBLEM"/etc/authpf/authpf.problem"); |
349 | printf("\r\nYour authentication process (pid %ld) was unable to run\n", |
350 | (long)getpid()); |
351 | sleep(180); /* them lusers read reaaaaal slow */ |
352 | die: |
353 | do_death(0); |
354 | } |
355 | |
356 | /* |
357 | * reads config file in PATH_CONFFILE to set optional behaviours up |
358 | */ |
359 | static int |
360 | read_config(FILE *f) |
361 | { |
362 | char buf[1024]; |
363 | int i = 0; |
364 | |
365 | do { |
366 | char **ap; |
367 | char *pair[4], *cp, *tp; |
368 | int len; |
369 | |
370 | if (fgets(buf, sizeof(buf), f) == NULL((void *)0)) { |
371 | fclose(f); |
372 | return (0); |
373 | } |
374 | i++; |
375 | len = strlen(buf); |
376 | if (len == 0) |
377 | continue; |
378 | if (buf[len - 1] != '\n' && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f))) { |
379 | syslog(LOG_ERR3, "line %d too long in %s", i, |
380 | PATH_CONFFILE"/etc/authpf/authpf.conf"); |
381 | return (1); |
382 | } |
383 | buf[len - 1] = '\0'; |
384 | |
385 | for (cp = buf; *cp == ' ' || *cp == '\t'; cp++) |
386 | ; /* nothing */ |
387 | |
388 | if (!*cp || *cp == '#' || *cp == '\n') |
389 | continue; |
390 | |
391 | for (ap = pair; ap < &pair[3] && |
392 | (*ap = strsep(&cp, "=")) != NULL((void *)0); ) { |
393 | if (**ap != '\0') |
394 | ap++; |
395 | } |
396 | if (ap != &pair[2]) |
397 | goto parse_error; |
398 | |
399 | tp = pair[1] + strlen(pair[1]); |
400 | while ((*tp == ' ' || *tp == '\t') && tp >= pair[1]) |
401 | *tp-- = '\0'; |
402 | |
403 | if (strcasecmp(pair[0], "anchor") == 0) { |
404 | if (!pair[1][0] || strlcpy(anchorname, pair[1], |
405 | sizeof(anchorname)) >= sizeof(anchorname)) |
406 | goto parse_error; |
407 | } |
408 | if (strcasecmp(pair[0], "table") == 0) { |
409 | if (!pair[1][0] || strlcpy(tablename, pair[1], |
410 | sizeof(tablename)) >= sizeof(tablename)) |
411 | goto parse_error; |
412 | } |
413 | } while (!feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f)) && !ferror(f)(!__isthreaded ? (((f)->_flags & 0x0040) != 0) : (ferror )(f))); |
414 | fclose(f); |
415 | return (0); |
416 | |
417 | parse_error: |
418 | fclose(f); |
419 | syslog(LOG_ERR3, "parse error, line %d of %s", i, PATH_CONFFILE"/etc/authpf/authpf.conf"); |
420 | return (1); |
421 | } |
422 | |
423 | |
424 | /* |
425 | * splatter a file to stdout - max line length of 1024, |
426 | * used for spitting message files at users to tell them |
427 | * they've been bad or we're unavailable. |
428 | */ |
429 | static void |
430 | print_message(char *filename) |
431 | { |
432 | char buf[1024]; |
433 | FILE *f; |
434 | |
435 | if ((f = fopen(filename, "r")) == NULL((void *)0)) |
436 | return; /* fail silently, we don't care if it isn't there */ |
437 | |
438 | do { |
439 | if (fgets(buf, sizeof(buf), f) == NULL((void *)0)) { |
440 | fflush(stdout(&__sF[1])); |
441 | fclose(f); |
442 | return; |
443 | } |
444 | } while (fputs(buf, stdout(&__sF[1])) != EOF(-1) && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f))); |
445 | fflush(stdout(&__sF[1])); |
446 | fclose(f); |
447 | } |
448 | |
449 | /* |
450 | * allowed_luser checks to see if user "luser" is allowed to |
451 | * use this gateway by virtue of being listed in an allowed |
452 | * users file, namely /etc/authpf/authpf.allow . |
453 | * Users may be listed by <username>, %<group>, or @<login_class>. |
454 | * |
455 | * If /etc/authpf/authpf.allow does not exist, then we assume that |
456 | * all users who are allowed in by sshd(8) are permitted to |
457 | * use this gateway. If /etc/authpf/authpf.allow does exist, then a |
458 | * user must be listed if the connection is to continue, else |
459 | * the session terminates in the same manner as being banned. |
460 | */ |
461 | static int |
462 | allowed_luser(struct passwd *pw) |
463 | { |
464 | char *buf, *lbuf; |
465 | int matched; |
466 | size_t len; |
467 | FILE *f; |
468 | |
469 | if ((f = fopen(PATH_ALLOWFILE"/etc/authpf/authpf.allow", "r")) == NULL((void *)0)) { |
470 | if (errno(*__errno()) == ENOENT2) { |
471 | /* |
472 | * allowfile doesn't exist, thus this gateway |
473 | * isn't restricted to certain users... |
474 | */ |
475 | return (1); |
476 | } |
477 | |
478 | /* |
479 | * luser may in fact be allowed, but we can't open |
480 | * the file even though it's there. probably a config |
481 | * problem. |
482 | */ |
483 | syslog(LOG_ERR3, "cannot open allowed users file %s (%s)", |
484 | PATH_ALLOWFILE"/etc/authpf/authpf.allow", strerror(errno(*__errno()))); |
485 | return (0); |
486 | } else { |
487 | /* |
488 | * /etc/authpf/authpf.allow exists, thus we do a linear |
489 | * search to see if they are allowed. |
490 | * also, if username "*" exists, then this is a |
491 | * "public" gateway, such as it is, so let |
492 | * everyone use it. |
493 | */ |
494 | int gl_init = 0, ngroups = NGROUPS_MAX16 + 1; |
495 | gid_t groups[NGROUPS_MAX16 + 1]; |
496 | |
497 | lbuf = NULL((void *)0); |
498 | matched = 0; |
499 | |
500 | while ((buf = fgetln(f, &len))) { |
501 | |
502 | if (buf[len - 1] == '\n') |
503 | buf[len - 1] = '\0'; |
504 | else { |
505 | if ((lbuf = malloc(len + 1)) == NULL((void *)0)) |
506 | err(1, NULL((void *)0)); |
507 | memcpy(lbuf, buf, len); |
508 | lbuf[len] = '\0'; |
509 | buf = lbuf; |
510 | } |
511 | |
512 | if (buf[0] == '@') { |
513 | /* check login class */ |
514 | if (strcmp(pw->pw_class, buf + 1) == 0) |
515 | matched++; |
516 | } else if (buf[0] == '%') { |
517 | /* check group membership */ |
518 | int cnt; |
519 | struct group *group; |
520 | |
521 | if ((group = getgrnam(buf + 1)) == NULL((void *)0)) { |
522 | syslog(LOG_ERR3, |
523 | "invalid group '%s' in %s (%s)", |
524 | buf + 1, PATH_ALLOWFILE"/etc/authpf/authpf.allow", |
525 | strerror(errno(*__errno()))); |
526 | fclose(f); |
527 | return (0); |
528 | } |
529 | |
530 | if (!gl_init) { |
531 | (void) getgrouplist(pw->pw_name, |
532 | pw->pw_gid, groups, &ngroups); |
533 | gl_init++; |
534 | } |
535 | |
536 | for ( cnt = 0; cnt < ngroups; cnt++) { |
537 | if (group->gr_gid == groups[cnt]) { |
538 | matched++; |
539 | break; |
540 | } |
541 | } |
542 | } else { |
543 | /* check username and wildcard */ |
544 | matched = strcmp(pw->pw_name, buf) == 0 || |
545 | strcmp("*", buf) == 0; |
546 | } |
547 | |
548 | free(lbuf); |
549 | lbuf = NULL((void *)0); |
550 | |
551 | if (matched) { |
552 | fclose(f); |
553 | return (1); /* matched an allowed user/group */ |
554 | } |
555 | } |
556 | syslog(LOG_INFO6, "denied access to %s: not listed in %s", |
557 | pw->pw_name, PATH_ALLOWFILE"/etc/authpf/authpf.allow"); |
558 | |
559 | /* reuse buf */ |
560 | buf = "\n\nSorry, you are not allowed to use this facility!\n"; |
561 | fputs(buf, stdout(&__sF[1])); |
562 | } |
563 | fflush(stdout(&__sF[1])); |
564 | fclose(f); |
565 | return (0); |
566 | } |
567 | |
568 | /* |
569 | * check_luser checks to see if user "luser" has been banned |
570 | * from using us by virtue of having an file of the same name |
571 | * in the "luserdir" directory. |
572 | * |
573 | * If the user has been banned, we copy the contents of the file |
574 | * to the user's screen. (useful for telling the user what to |
575 | * do to get un-banned, or just to tell them they aren't |
576 | * going to be un-banned.) |
577 | */ |
578 | static int |
579 | check_luser(char *luserdir, char *luser) |
580 | { |
581 | FILE *f; |
582 | int n; |
583 | char tmp[PATH_MAX1024]; |
584 | |
585 | n = snprintf(tmp, sizeof(tmp), "%s/%s", luserdir, luser); |
586 | if (n < 0 || (u_int)n >= sizeof(tmp)) { |
587 | syslog(LOG_ERR3, "provided banned directory line too long (%s)", |
588 | luserdir); |
589 | return (0); |
590 | } |
591 | if ((f = fopen(tmp, "r")) == NULL((void *)0)) { |
592 | if (errno(*__errno()) == ENOENT2) { |
593 | /* |
594 | * file or dir doesn't exist, so therefore |
595 | * this luser isn't banned.. all is well |
596 | */ |
597 | return (1); |
598 | } else { |
599 | /* |
600 | * luser may in fact be banned, but we can't open the |
601 | * file even though it's there. probably a config |
602 | * problem. |
603 | */ |
604 | syslog(LOG_ERR3, "cannot open banned file %s (%s)", |
605 | tmp, strerror(errno(*__errno()))); |
606 | return (0); |
607 | } |
608 | } else { |
609 | /* |
610 | * luser is banned - spit the file at them to |
611 | * tell what they can do and where they can go. |
612 | */ |
613 | syslog(LOG_INFO6, "denied access to %s: %s exists", |
614 | luser, tmp); |
615 | |
616 | /* reuse tmp */ |
617 | strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n", |
618 | sizeof(tmp)); |
619 | while (fputs(tmp, stdout(&__sF[1])) != EOF(-1) && !feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f))) { |
620 | if (fgets(tmp, sizeof(tmp), f) == NULL((void *)0)) { |
621 | fflush(stdout(&__sF[1])); |
622 | fclose(f); |
623 | return (0); |
624 | } |
625 | } |
626 | fclose(f); |
627 | } |
628 | fflush(stdout(&__sF[1])); |
629 | return (0); |
630 | } |
631 | |
632 | /* |
633 | * Search for rulesets left by other authpf processes (either because they |
634 | * died ungracefully or were terminated) and remove them. |
635 | */ |
636 | static int |
637 | remove_stale_rulesets(void) |
638 | { |
639 | struct pfioc_ruleset prs; |
640 | u_int32_t nr; |
641 | |
642 | memset(&prs, 0, sizeof(prs)); |
643 | strlcpy(prs.path, anchorname, sizeof(prs.path)); |
644 | if (ioctl(dev, DIOCGETRULESETS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) << 8) | ((58))), &prs) == -1) { |
645 | if (errno(*__errno()) == EINVAL22) |
646 | return (0); |
647 | else |
648 | return (1); |
649 | } |
650 | |
651 | nr = prs.nr; |
652 | while (nr) { |
653 | char *s, *t; |
654 | pid_t pid; |
655 | |
656 | prs.nr = nr - 1; |
657 | if (ioctl(dev, DIOCGETRULESET(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) << 8) | ((59))), &prs) == -1) |
658 | return (1); |
659 | errno(*__errno()) = 0; |
660 | if ((t = strchr(prs.name, '(')) == NULL((void *)0)) |
661 | t = prs.name; |
662 | else |
663 | t++; |
664 | pid = strtoul(t, &s, 10); |
665 | if (!prs.name[0] || errno(*__errno()) || |
666 | (*s && (t == prs.name || *s != ')'))) |
667 | return (1); |
668 | if ((kill(pid, 0) && errno(*__errno()) != EPERM1) || pid == getpid()) { |
669 | if (recursive_ruleset_purge(anchorname, prs.name)) |
670 | return (1); |
671 | } |
672 | nr--; |
673 | } |
674 | return (0); |
675 | } |
676 | |
677 | static int |
678 | recursive_ruleset_purge(char *an, char *rs) |
679 | { |
680 | struct pfioc_trans_e *t_e = NULL((void *)0); |
681 | struct pfioc_trans *t = NULL((void *)0); |
682 | struct pfioc_ruleset *prs = NULL((void *)0); |
683 | |
684 | /* purge rules */ |
685 | errno(*__errno()) = 0; |
686 | if ((t = calloc(1, sizeof(struct pfioc_trans))) == NULL((void *)0)) |
687 | goto no_mem; |
688 | if ((t_e = calloc(2, sizeof(struct pfioc_trans_e))) == NULL((void *)0)) |
689 | goto no_mem; |
690 | t->size = 2; |
691 | t->esize = sizeof(struct pfioc_trans_e); |
692 | t->array = t_e; |
693 | t_e[0].type = PF_TRANS_RULESET; |
694 | snprintf(t_e[0].anchor, sizeof(t_e[0].anchor), "%s/%s", an, rs); |
695 | t_e[1].type = PF_TRANS_TABLE; |
696 | |
697 | if ((ioctl(dev, DIOCXBEGIN(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_trans) & 0x1fff) << 16) | ((('D')) << 8) | ((81))), t) == -1|| |
698 | ioctl(dev, DIOCXCOMMIT(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_trans) & 0x1fff) << 16) | ((('D')) << 8) | ((82))), t) == -1) && |
699 | errno(*__errno()) != EINVAL22) |
700 | goto cleanup; |
701 | |
702 | /* purge any children */ |
703 | if ((prs = calloc(1, sizeof(struct pfioc_ruleset))) == NULL((void *)0)) |
704 | goto no_mem; |
705 | snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs); |
706 | if (ioctl(dev, DIOCGETRULESETS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) << 8) | ((58))), prs) == -1) { |
707 | if (errno(*__errno()) != EINVAL22) |
708 | goto cleanup; |
709 | errno(*__errno()) = 0; |
710 | } else { |
711 | int nr = prs->nr; |
712 | |
713 | while (nr) { |
714 | prs->nr = 0; |
715 | if (ioctl(dev, DIOCGETRULESET(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_ruleset) & 0x1fff) << 16) | ((('D')) << 8) | ((59))), prs) == -1) |
716 | goto cleanup; |
717 | |
718 | if (recursive_ruleset_purge(prs->path, prs->name)) |
719 | goto cleanup; |
720 | nr--; |
721 | } |
722 | } |
723 | |
724 | no_mem: |
725 | if (errno(*__errno()) == ENOMEM12) |
726 | syslog(LOG_ERR3, "calloc failed"); |
727 | |
728 | cleanup: |
729 | free(t); |
730 | free(t_e); |
731 | free(prs); |
732 | return (errno(*__errno())); |
733 | } |
734 | |
735 | /* |
736 | * Add/remove filter entries for user "luser" from ip "ipsrc" |
737 | */ |
738 | static int |
739 | change_filter(int add, const char *luser, const char *ipsrc) |
740 | { |
741 | char *fdpath = NULL((void *)0), *userstr = NULL((void *)0), *ipstr = NULL((void *)0); |
742 | char *rsn = NULL((void *)0), *fn = NULL((void *)0); |
743 | pid_t pid; |
744 | gid_t gid; |
745 | int s; |
746 | |
747 | if (add) { |
748 | struct stat sb; |
749 | struct group *grent; |
750 | char *pargv[13] = { |
751 | "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset", |
752 | "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL((void *)0) |
753 | }; |
754 | |
755 | if((grent = getgrgid(getgid())) == NULL((void *)0)) { |
756 | syslog(LOG_ERR3, "Group not found user %s, gid %d", |
757 | luser, getgid()); |
758 | goto error; |
759 | } |
760 | |
761 | if (luser == NULL((void *)0) || !luser[0] || ipsrc == NULL((void *)0) || !ipsrc[0]) { |
762 | syslog(LOG_ERR3, "invalid luser/ipsrc"); |
763 | goto error; |
764 | } |
765 | |
766 | if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1) |
767 | goto no_mem; |
768 | if (asprintf(&fdpath, "/dev/fd/%d", dev) == -1) |
769 | goto no_mem; |
770 | if (asprintf(&ipstr, "user_ip=%s", ipsrc) == -1) |
771 | goto no_mem; |
772 | if (asprintf(&userstr, "user_id=%s", luser) == -1) |
773 | goto no_mem; |
774 | if (asprintf(&fn, "%s/%s/authpf.rules", |
775 | PATH_USER_DIR"/etc/authpf/users", luser) == -1) |
776 | goto no_mem; |
777 | if (stat(fn, &sb) == -1) { |
778 | free(fn); |
779 | if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR"/etc/authpf/groups", |
780 | grent->gr_name) == -1) |
781 | goto no_mem; |
782 | if(stat(fn, &sb) == -1) { |
783 | free(fn); |
784 | if ((fn = strdup(PATH_PFRULES"/etc/authpf/authpf.rules")) == NULL((void *)0)) |
785 | goto no_mem; |
786 | } |
787 | } |
788 | pargv[2] = fdpath; |
789 | pargv[5] = rsn; |
790 | pargv[7] = userstr; |
791 | if (user_ip) { |
792 | pargv[9] = ipstr; |
793 | pargv[11] = fn; |
794 | } else { |
795 | pargv[8] = "-f"; |
796 | pargv[9] = fn; |
797 | pargv[10] = NULL((void *)0); |
798 | } |
799 | |
800 | switch (pid = fork()) { |
801 | case -1: |
802 | syslog(LOG_ERR3, "fork failed"); |
803 | goto error; |
804 | case 0: |
805 | /* revoke group privs before exec */ |
806 | gid = getgid(); |
807 | if (setresgid(gid, gid, gid) == -1) { |
808 | err(1, "setregid"); |
809 | } |
810 | execvp(PATH_PFCTL"/sbin/pfctl", pargv); |
811 | warn("exec of %s failed", PATH_PFCTL"/sbin/pfctl"); |
812 | _exit(1); |
813 | } |
814 | |
815 | /* parent */ |
816 | waitpid(pid, &s, 0); |
817 | if (s != 0) { |
818 | syslog(LOG_ERR3, "pfctl exited abnormally"); |
819 | goto error; |
820 | } |
821 | |
822 | clock_gettime(CLOCK_MONOTONIC3, &Tstart); |
823 | syslog(LOG_INFO6, "allowing %s, user %s", ipsrc, luser); |
824 | } else { |
825 | remove_stale_rulesets(); |
826 | |
827 | clock_gettime(CLOCK_MONOTONIC3, &Tend); |
828 | syslog(LOG_INFO6, "removed %s, user %s - duration %d seconds", |
829 | ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec)); |
830 | } |
831 | return (0); |
832 | no_mem: |
833 | syslog(LOG_ERR3, "malloc failed"); |
834 | error: |
835 | free(fdpath); |
836 | free(rsn); |
837 | free(userstr); |
838 | free(ipstr); |
839 | free(fn); |
840 | return (-1); |
841 | } |
842 | |
843 | /* |
844 | * Add/remove this IP from the "authpf_users" table. |
845 | */ |
846 | static int |
847 | change_table(int add, const char *ipsrc) |
848 | { |
849 | struct pfioc_table io; |
850 | struct pfr_addr addr; |
851 | |
852 | bzero(&io, sizeof(io)); |
853 | strlcpy(io.pfrio_table.pfrt_name, tablename, |
854 | sizeof(io.pfrio_table.pfrt_name)); |
855 | io.pfrio_buffer = &addr; |
856 | io.pfrio_esize = sizeof(addr); |
857 | io.pfrio_size = 1; |
858 | |
859 | bzero(&addr, sizeof(addr)); |
860 | if (ipsrc == NULL((void *)0) || !ipsrc[0]) |
861 | return (-1); |
862 | if (inet_pton(AF_INET2, ipsrc, &addr.pfra_ip4addrpfra_u._pfra_ip4addr) == 1) { |
863 | addr.pfra_af = AF_INET2; |
864 | addr.pfra_net = 32; |
865 | } else if (inet_pton(AF_INET624, ipsrc, &addr.pfra_ip6addrpfra_u._pfra_ip6addr) == 1) { |
866 | addr.pfra_af = AF_INET624; |
867 | addr.pfra_net = 128; |
868 | } else { |
869 | syslog(LOG_ERR3, "invalid ipsrc"); |
870 | return (-1); |
871 | } |
872 | |
873 | if (ioctl(dev, add ? DIOCRADDADDRS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_table) & 0x1fff) << 16) | ((('D')) << 8) | ((67))) : DIOCRDELADDRS(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_table) & 0x1fff) << 16) | ((('D')) << 8) | ((68))), &io) == -1 && |
874 | errno(*__errno()) != ESRCH3) { |
875 | syslog(LOG_ERR3, "cannot %s %s from table %s: %s", |
876 | add ? "add" : "remove", ipsrc, tablename, |
877 | strerror(errno(*__errno()))); |
878 | return (-1); |
879 | } |
880 | return (0); |
881 | } |
882 | |
883 | /* |
884 | * This is to kill off states that would otherwise be left behind stateful |
885 | * rules. This means we don't need to allow in more traffic than we really |
886 | * want to, since we don't have to worry about any luser sessions lasting |
887 | * longer than their ssh session. This function is based on |
888 | * pfctl_kill_states from pfctl. |
889 | */ |
890 | static void |
891 | authpf_kill_states(void) |
892 | { |
893 | struct pfioc_state_kill psk; |
894 | struct pf_addr target; |
895 | |
896 | memset(&psk, 0, sizeof(psk)); |
897 | memset(&target, 0, sizeof(target)); |
898 | |
899 | if (inet_pton(AF_INET2, ipsrc, &target.v4pfa.v4) == 1) |
900 | psk.psk_af = AF_INET2; |
901 | else if (inet_pton(AF_INET624, ipsrc, &target.v6pfa.v6) == 1) |
902 | psk.psk_af = AF_INET624; |
903 | else { |
904 | syslog(LOG_ERR3, "inet_pton(%s) failed", ipsrc); |
905 | return; |
906 | } |
907 | |
908 | /* Kill all states from ipsrc */ |
909 | memcpy(&psk.psk_src.addr.v.a.addr, &target, |
910 | sizeof(psk.psk_src.addr.v.a.addr)); |
911 | memset(&psk.psk_src.addr.v.a.mask, 0xff, |
912 | sizeof(psk.psk_src.addr.v.a.mask)); |
913 | if (ioctl(dev, DIOCKILLSTATES(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_state_kill) & 0x1fff) << 16) | ((('D' )) << 8) | ((41))), &psk) == -1) |
914 | syslog(LOG_ERR3, "DIOCKILLSTATES failed (%m)"); |
915 | |
916 | /* Kill all states to ipsrc */ |
917 | memset(&psk.psk_src, 0, sizeof(psk.psk_src)); |
918 | memcpy(&psk.psk_dst.addr.v.a.addr, &target, |
919 | sizeof(psk.psk_dst.addr.v.a.addr)); |
920 | memset(&psk.psk_dst.addr.v.a.mask, 0xff, |
921 | sizeof(psk.psk_dst.addr.v.a.mask)); |
922 | if (ioctl(dev, DIOCKILLSTATES(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct pfioc_state_kill) & 0x1fff) << 16) | ((('D' )) << 8) | ((41))), &psk) == -1) |
923 | syslog(LOG_ERR3, "DIOCKILLSTATES failed (%m)"); |
924 | } |
925 | |
926 | /* signal handler that makes us go away properly */ |
927 | static void |
928 | need_death(int signo) |
929 | { |
930 | want_death = 1; |
931 | } |
932 | |
933 | /* |
934 | * function that removes our stuff when we go away. |
935 | */ |
936 | static __dead__attribute__((__noreturn__)) void |
937 | do_death(int active) |
938 | { |
939 | int ret = 0; |
940 | |
941 | if (active) { |
942 | change_filter(0, luser, ipsrc); |
943 | if (user_ip) { |
944 | change_table(0, ipsrc); |
945 | authpf_kill_states(); |
946 | } |
947 | } |
948 | if (pidfile[0] && pidfd != -1) |
949 | if (unlink(pidfile) == -1) |
950 | syslog(LOG_ERR3, "cannot unlink %s (%m)", pidfile); |
951 | exit(ret); |
952 | } |