author | Todd C. Miller <millert@cvs.openbsd.org> | 2001-05-29 21:37:17 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2001-05-29 21:37:17 +0000 |
commit | 1cedb70cebb95b2ad0b3f9fb29b5e77eeca4c37d (patch) | |
tree | 48a69e89e2a0c802c5be78213caa223a19948763 | |
parent | b246ff256e1368d4672270b4b95b0fbf92959894 (diff) |
Call auth_checknologin() and auth_approval() as appropriate for BSD
authentication.
-rw-r--r-- | libexec/atrun/atrun.c | 30 | ||||
-rw-r--r-- | libexec/rexecd/rexecd.c | 18 | ||||
-rw-r--r-- | libexec/rshd/rshd.c | 23 |
3 files changed, 44 insertions, 27 deletions
diff --git a/libexec/atrun/atrun.c b/libexec/atrun/atrun.c
index e396245da90..6d41d60920d 100644
--- a/libexec/atrun/atrun.c
+++ b/libexec/atrun/atrun.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atrun.c,v 1.12 2001/05/05 23:23:31 millert Exp $ */
+/* $OpenBSD: atrun.c,v 1.13 2001/05/29 21:37:16 millert Exp $ */
 /*
 * atrun.c - run jobs queued by at; run with root privileges.
@@ -51,6 +51,7 @@
 #include <paths.h>
 #include <login_cap.h>
+#include <bsd_auth.h>
 /* Local headers */
@@ -70,7 +71,7 @@
 /* File scope variables */
 static char *namep;
-static char rcsid[] = "$OpenBSD: atrun.c,v 1.12 2001/05/05 23:23:31 millert Exp $";
+static char rcsid[] = "$OpenBSD: atrun.c,v 1.13 2001/05/29 21:37:16 millert Exp $";
 static int debug = 0;
 /* Local functions */
@@ -128,10 +129,11 @@ run_file(filename, uid, gid)
 int send_mail = 0;
 struct stat buf, lbuf;
 off_t size;
- struct passwd *pentry;
+ struct passwd *pw;
 int fflags;
 uid_t nuid;
 gid_t ngid;
+ login_cap_t *lc;
 PRIV_START
@@ -152,8 +154,8 @@ run_file(filename, uid, gid)
 * root.
 */
- pentry = getpwuid(uid);
- if (pentry == NULL) {
+ pw = getpwuid(uid);
+ if (pw == NULL) {
 syslog(LOG_ERR,"Userid %u not found - aborting job %s",
 uid, filename);
 exit(EXIT_FAILURE);
@@ -164,7 +166,7 @@ run_file(filename, uid, gid)
 PRIV_END
- if (pentry->pw_expire && time(NULL) >= pentry->pw_expire) {
+ if (pw->pw_expire && time(NULL) >= pw->pw_expire) {
 syslog(LOG_ERR, "Userid %u has expired - aborting job %s",
 uid, filename);
 exit(EXIT_FAILURE);
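Review bot: The hand-rolled account-expiry test in `@@ -164,7 +166,7 @@` (`if (pw->pw_expire && time(NULL) >= pw->pw_expire)`) now sits next to the BSD-auth path introduced further down in run_file, and if auth_approval() performs its own expiry check the two can disagree on the log message and exit path for the same condition; it is worth confirming whether auth_approval() covers pw_expire and, if so, either dropping this block or adding a comment such as `/* Explicit pw_expire check: auth_approval() below runs only after privileges are dropped. */` so the duplication is deliberate. The new `login_cap_t *lc;` in `@@ -128,10 +129,11 @@` is declared uninitialised and is assigned only in a later hunk; initialising it to NULL would make an early exit path that reaches login_close() harmless. run_file begins and ends outside these hunks.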
@@ -299,10 +301,18 @@ run_file(filename, uid, gid)
 if (chdir(_PATH_ATJOBS) < 0)
 perr2("Cannot chdir to ", _PATH_ATJOBS);
- if (setusercontext(0, pentry, pentry->pw_uid, LOGIN_SETALL) < 0)
+ if ((lc = login_getclass(pw->pw_class)) == NULL)
+ perr("Cannot get login class");
+
+ if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0)
 perr("Cannot set user context");
- if (chdir(pentry->pw_dir) < 0)
+ if (auth_approval(NULL, lc, pw->pw_name, "at") <= 0)
+ perr2("Approval failure for ", pw->pw_name);
+
+ login_close(lc);
+
+ if (chdir(pw->pw_dir) < 0)
 chdir("/");
 /* First letter indicates requested job priority */
@@ -340,10 +350,10 @@ run_file(filename, uid, gid)
 PRIV_START
- if (setusercontext(0, pentry, pentry->pw_uid, LOGIN_SETALL) < 0)
+ if (setusercontext(0, pw, pw->pw_uid, LOGIN_SETALL) < 0)
 perr("Cannot set user context");
- if (chdir(pentry->pw_dir))
+ if (chdir(pw->pw_dir))
 chdir("/");
 execl(_PATH_SENDMAIL, "sendmail", "-F", "Atrun Service",
diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c
index 2bbcd115b4d..b110502028c 100644
--- a/libexec/rexecd/rexecd.c
+++ b/libexec/rexecd/rexecd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rexecd.c,v 1.16 2001/01/28 19:34:30 niklas Exp $ */
+/* $OpenBSD: rexecd.c,v 1.17 2001/05/29 21:37:16 millert Exp $ */
 /*
 * Copyright (c) 1983 The Regents of the University of California.
@@ -41,13 +41,17 @@ char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "from: @(#)rexecd.c 5.12 (Berkeley) 2/25/91";*/
-static char rcsid[] = "$OpenBSD: rexecd.c,v 1.16 2001/01/28 19:34:30 niklas Exp $";
+static char rcsid[] = "$OpenBSD: rexecd.c,v 1.17 2001/05/29 21:37:16 millert Exp $";
 #endif /* not lint */
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
 #include <signal.h>
 #include <netdb.h>
 #include <pwd.h>
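Review bot: In `@@ -299,10 +301,18 @@` the new `auth_approval(NULL, lc, pw->pw_name, "at")` call is made only after `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL)`, which presumably has already switched atrun to the job owner's uid, so any approval script configured for the class runs unprivileged and may be unable to read root-only state; if approval is meant to gate the job as the daemon does for interactive logins, the check belongs between `login_getclass()` and `setusercontext()`, before privileges are dropped. The second call in `@@ -340,10 +350,10 @@` still passes `0` as the login class while this hunk passes `lc`, so the sendmail child is set up without the class's resource limits; passing `lc` there as well (and closing it afterwards) keeps the two paths consistent, and `NULL` rather than `0` is the conventional spelling for a null `login_cap_t *` in any case. run_file begins outside these hunks.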
@@ -61,9 +65,7 @@ static char rcsid[] = "$OpenBSD: rexecd.c,v 1.16 2001/01/28 19:34:30 niklas Exp
 #include <paths.h>
 #include <err.h>
 #include <login_cap.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
+#include <bsd_auth.h>
 /*VARARGS1*/
 void error __P(());
@@ -167,6 +169,8 @@ doit(f, fromp)
 exit(1);
 }
 endpwent();
+ if (pwd->pw_uid)
+ auth_checknologin(lc);
 if (*pwd->pw_passwd != '\0') {
 namep = crypt(pass, pwd->pw_passwd);
 if (strcmp(namep, pwd->pw_passwd)) {
@@ -253,7 +257,7 @@ doit(f, fromp)
 FD_ISSET(s, &readfrom));
 exit(0);
 }
- setpgrp(0, getpid());
+ setsid();
 (void) close(s);
 (void)close(pv[0]);
 dup2(pv[1], 2); }
@@ -270,6 +274,8 @@ doit(f, fromp)
 err(1, "unable to setup environment");
 if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL))
 err(1, "unable to set user context");
+ if (auth_approval(NULL, lc, pwd->pw_name, "rexec") <= 0)
+ err(1, "approval failure");
 cp = strrchr(pwd->pw_shell, '/');
 if (cp)
diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c
index b6ef7cc9e28..1676ed460a9 100644
--- a/libexec/rshd/rshd.c
+++ b/libexec/rshd/rshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rshd.c,v 1.36 2001/02/04 17:51:30 millert Exp $ */
+/* $OpenBSD: rshd.c,v 1.37 2001/05/29 21:37:16 millert Exp $ */
 /*-
 * Copyright (c) 1988, 1989, 1992, 1993, 1994
@@ -41,7 +41,7 @@ static char copyright[] =
 #ifndef lint
 /* from: static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94"; */
-static char *rcsid = "$OpenBSD: rshd.c,v 1.36 2001/02/04 17:51:30 millert Exp $";
+static char *rcsid = "$OpenBSD: rshd.c,v 1.37 2001/05/29 21:37:16 millert Exp $";
 #endif /* not lint */
 /*
@@ -76,6 +76,7 @@ static char *rcsid = "$OpenBSD: rshd.c,v 1.36 2001/02/04 17:51:30 millert Exp $"
 #include <syslog.h>
 #include <unistd.h>
 #include <login_cap.h>
+#include <bsd_auth.h>
 int keepalive = 1;
 int check_all;
@@ -196,7 +197,7 @@ main(argc, argv)
 syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");
 doit((struct sockaddr *)&from);
 /* NOTREACHED */
- return 0;
+ exit(0);
 }
 char *envinit[1] = { 0 };
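Review bot: In rexecd's `@@ -167,6 +169,8 @@` the new `auth_checknologin(lc)` runs immediately after `endpwent()`, yet the first visible use of `lc` in this file is `setusercontext(lc, pwd, ...)` a hundred lines later in `@@ -270,6 +274,8 @@`; if `login_getclass(pwd->pw_class)` is only called somewhere between those two points, this check dereferences an unassigned pointer, so the assignment order should be confirmed and, if needed, the class lookup hoisted above the nologin test. In `@@ -253,7 +257,7 @@` the replacement `setsid()` discards its result even though it fails with EPERM when the caller is already a process-group leader; `if (setsid() == -1) err(1, "setsid");` would match the file's existing error style and make such a failure visible rather than silently leaving the child in the listener's session. doit begins and ends outside these hunks.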
@@ -327,7 +328,7 @@ doit(fromp)
 shutdown(0, 1+1);
 exit(1);
 }
- if (c== 0)
+ if (c == 0)
 break;
 port = port * 10 + c - '0';
 }
@@ -373,7 +374,7 @@ doit(fromp)
 if (getnameinfo(fromp, fromp->sa_len, saddr, sizeof(saddr),
 NULL, 0, NI_NAMEREQD)== 0) {
 /*
- * If name returned by gethostbyaddr is in our domain,
+ * If name returned by getnameinfo is in our domain,
 * attempt to verify that we haven't been fooled by someone
 * in a remote net; look up the name and check that this
 * address corresponds to the name.
@@ -544,10 +545,8 @@ fail:
 exit(1);
 }
- if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) {
- error("Logins currently disabled.\n");
- exit(1);
- }
+ if (pwd->pw_uid)
+ auth_checknologin(lc);
 (void) write(STDERR_FILENO, "\0", 1);
 sent_null = 1;
@@ -730,9 +729,11 @@ fail:
 setenv("USER", pwd->pw_name, 1) == -1 ||
 setenv("LOGNAME", pwd->pw_name, 1) == -1)
 errx(1, "cannot setup environment");
-
+
 if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL))
 errx(1, "cannot set user context");
+ if (auth_approval(NULL, lc, pwd->pw_name, "rsh") <= 0)
+ errx(1, "approval failure");
 cp = strrchr(pwd->pw_shell, '/');
 if (cp)
@@ -791,7 +792,7 @@ error(fmt, va_alist)
 len = 1;
 } else
 len = 0;
- (void)vsnprintf(bp, sizeof(buf) - 1, fmt, ap);
+ (void)vsnprintf(bp, sizeof(buf) - len, fmt, ap);
 (void)write(STDERR_FILENO, buf, len + strlen(bp));
 }
|
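Review bot: In `@@ -544,10 +545,8 @@` the removed `error("Logins currently disabled.\n")` went through error(), which (per `@@ -791,7 +792,7 @@`) reserves a leading byte when `sent_null` is still 0 so the rsh client sees a status byte before the message, whereas `auth_checknologin(lc)` prints the nologin text and exits inside libc; since this check still precedes `write(STDERR_FILENO, "\0", 1)`, the client presumably now receives the file contents with no status byte in front, so either confirm the client copes or test the class's nologin capability here and report it through error() as before. The `auth_approval(NULL, lc, pwd->pw_name, "rsh")` failure in `@@ -730,9 +729,11 @@` is reported only as `approval failure` via errx(); a syslog line naming the user and remote host, as the surrounding rshd code does for other refusals, would give an operator something to act on. The `fail:` function begins and ends outside these hunks.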