author | David Gwynne <dlg@cvs.openbsd.org> | 2013-04-29 04:17:59 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2013-04-29 04:17:59 +0000 |
commit | 36387fce6954faace2920fd35a993a593d6203dd (patch) | |
tree | 695ac930a48d5e0cb100d7e8c4110aedd46983dc | |
parent | 893b957ab23fe3eb2386c9acedd396606f76b5cb (diff) |
implement -h from libexec/identd, which hides usernames/uids.
-rw-r--r-- | usr.sbin/identd/identd.8 | 11 | ||||
-rw-r--r-- | usr.sbin/identd/identd.c | 56 |
2 files changed, 55 insertions, 12 deletions
diff --git a/usr.sbin/identd/identd.8 b/usr.sbin/identd/identd.8
index 2bde9209c09..84d0559ba6c 100644
--- a/usr.sbin/identd/identd.8
+++ b/usr.sbin/identd/identd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: identd.8,v 1.9 2013/04/23 21:18:56 sthen Exp $
+.\" $OpenBSD: identd.8,v 1.10 2013/04/29 04:17:58 dlg Exp $
 .\"
 .\" Copyright (c) 2013 David Gwynne <dlg@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 23 2013 $
+.Dd $Mdocdate: April 29 2013 $
 .Dt IDENTD 8
 .Os
 .Sh NAME
@@ -22,7 +22,7 @@
 .Nd Identification Protocol daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl 46deNn
+.Op Fl 46dehNn
 .Op Fl l Ar address
 .Op Fl t Ar timeout
 .Sh DESCRIPTION
@@ -57,6 +57,11 @@ instead of the
 or
 .Dq INVALID-PORT
 errors.
+.It Fl h
+Hide the actual information about the user by providing an opaque
+token instead.
+This token is entered into the local system logs
+so that the administrator can later discover who the real user was.
 .It Fl l Ar address
 Listen on the specified address.
 By default
diff --git a/usr.sbin/identd/identd.c b/usr.sbin/identd/identd.c
index 7bf8563adb0..93fa45b8db4 100644
--- a/usr.sbin/identd/identd.c
+++ b/usr.sbin/identd/identd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: identd.c,v 1.17 2013/04/23 21:18:57 sthen Exp $ */
+/* $OpenBSD: identd.c,v 1.18 2013/04/29 04:17:58 dlg Exp $ */
 
 /*
 * Copyright (c) 2013 David Gwynne <dlg@openbsd.org>
@@ -107,6 +107,7 @@ void parent_rd(int, short, void *);
 void parent_wr(int, short, void *);
 int parent_username(struct ident_resolver *, struct passwd *);
 int parent_uid(struct ident_resolver *, struct passwd *);
+int parent_token(struct ident_resolver *, struct passwd *);
 void parent_noident(struct ident_resolver *, struct passwd *);
 
 void child_rd(int, short, void *);
@@ -127,13 +128,14 @@ int fetchuid(struct ident_client *);
 
 const char *gethost(struct sockaddr_storage *);
 const char *getport(struct sockaddr_storage *);
+const char *gentoken(void);
 
 struct loggers {
 void (*err)(int, const char *, ...);
 void (*errx)(int, const char *, ...);
 void (*warn)(const char *, ...);
 void (*warnx)(const char *, ...);
- void (*info)(const char *, ...);
+ void (*notice)(const char *, ...);
 void (*debug)(const char *, ...);
 };
 
@@ -142,7 +144,7 @@ const struct loggers conslogger = {
 errx,
 warn,
 warnx,
- warnx, /* info */
+ warnx, /* notice */
 warnx /* debug */
 };
 
@@ -150,7 +152,7 @@ void syslog_err(int, const char *, ...);
 void syslog_errx(int, const char *, ...);
 void syslog_warn(const char *, ...);
 void syslog_warnx(const char *, ...);
-void syslog_info(const char *, ...);
+void syslog_notice(const char *, ...);
 void syslog_debug(const char *, ...);
 void syslog_vstrerror(int, int, const char *, va_list);
 
@@ -159,7 +161,7 @@ const struct loggers syslogger = {
 syslog_errx,
 syslog_warn,
 syslog_warnx,
- syslog_info,
+ syslog_notice,
 syslog_debug
 };
 
@@ -169,7 +171,7 @@ const struct loggers *logger = &conslogger;
 #define lerrx(_e, _f...) logger->errx((_e), _f)
 #define lwarn(_f...) logger->warn(_f)
 #define lwarnx(_f...) logger->warnx(_f)
-#define linfo(_f...) logger->info(_f)
+#define lnotice(_f...) logger->notice(_f)
 #define ldebug(_f...) logger->debug(_f)
 
 #define sa(_ss) ((struct sockaddr *)(_ss))
@@ -218,7 +220,7 @@ main(int argc, char *argv[])
 pid_t parent;
 int sibling;
 
- while ((c = getopt(argc, argv, "46del:Nnp:t:")) != -1) {
+ while ((c = getopt(argc, argv, "46dehl:Nnp:t:")) != -1) {
 switch (c) {
 case '4':
 family = AF_INET;
@@ -232,6 +234,9 @@ main(int argc, char *argv[])
 case 'e':
 unknown_err = 1;
 break;
+ case 'h':
+ parent_uprintf = parent_token;
+ break;
 case 'l':
 addr = optarg;
 break;
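Review bot: The new `case 'h':` arm in main() installs the hiding behaviour by plain assignment, `parent_uprintf = parent_token;`, so if the -n and -N options also assign parent_uprintf (their arms are outside this hunk, so this is inferred from the function-pointer style) the last option on the command line wins and `identd -h -n` would silently answer with real uids, with no diagnostic that -h was discarded. Consider recording -h in its own flag and applying it after getopt() returns, e.g. `if (hide) parent_uprintf = parent_token;`, or rejecting the conflicting combination at parse time, so that an operator who asked for hiding cannot lose it to option order. The getopt string change and this case are the only places -h is handled in the hunk; the rest of main() is outside it.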
@@ -406,6 +411,22 @@ parent_uid(struct ident_resolver *r, struct passwd *pw)
 return (asprintf(&r->buf, "%u", (u_int)pw->pw_uid));
 }
 
+int
+parent_token(struct ident_resolver *r, struct passwd *pw)
+{
+ const char *token;
+ int rv;
+
+ token = gentoken();
+ rv = asprintf(&r->buf, "%s", token);
+ if (rv != -1) {
+ lnotice("token %s == uid %u (%s)", token,
+ (u_int)pw->pw_uid, pw->pw_name);
+ }
+
+ return (rv);
+}
+
 void
 parent_noident(struct ident_resolver *r, struct passwd *pw)
 {
@@ -1052,12 +1073,12 @@ syslog_warnx(const char *fmt, ...)
 }
 
 void
-syslog_info(const char *fmt, ...)
+syslog_notice(const char *fmt, ...)
 {
 va_list ap;
 
 va_start(ap, fmt);
- vsyslog(LOG_INFO, fmt, ap);
+ vsyslog(LOG_NOTICE, fmt, ap);
 va_end(ap);
 }
 
@@ -1100,6 +1121,23 @@ getport(struct sockaddr_storage *ss)
 return (buf);
 }
 
+const char *
+gentoken(void)
+{
+ static char buf[21];
+ u_int32_t r;
+ int i;
+
+ buf[0] = 'a' + arc4random_uniform(26);
+ for (i = 1; i < sizeof(buf) - 1; i++) {
+ r = arc4random_uniform(36);
+ buf[i] = (r < 26 ? 'a' : '0' - 26) + r;
+ }
+ buf[i] = '\0';
+
+ return (buf);
+}
+
 int
 fetchuid(struct ident_client *c)
 { |
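Review bot: The notice emitted by parent_token(), `lnotice("token %s == uid %u (%s)", ...)`, records only the token-to-uid mapping, and nothing in the hunk ties it to the connection the token was answered for; unless the client address and the queried port pair are logged elsewhere at the same priority (not visible here), an administrator holding a token from an abuse report can recover the uid but not which connection it was issued for. If the resolver has that information available, putting it on this line keeps the audit trail that justifies -h self-contained. Note also that with conslogger the `notice` slot maps to warnx, so when the console logger is in use the mapping goes to stderr rather than syslog, which the manual page's "local system logs" wording does not mention; a one-line comment above the lnotice() call, such as `/* the only record of which user a hidden token stands for */`, would flag its importance to future editors.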
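Review bot: In gentoken(), `for (i = 1; i < sizeof(buf) - 1; i++)` compares the int `i` against a size_t, which -Wsign-compare reports; declaring `size_t i;` removes the warning and matches how the index is used. The character mapping `buf[i] = (r < 26 ? 'a' : '0' - 26) + r;` is correct but terse and deserves a comment such as `/* 0..25 -> 'a'..'z', 26..35 -> '0'..'9' */`. Since the token is drawn with arc4random_uniform(), a letter followed by 19 alphanumerics gives roughly 100 bits, so collisions between tokens are negligible even though nothing in the hunk checks for them; the static buffer is overwritten on every call, which is fine for parent_token() because it copies the result with asprintf() immediately, but any future caller that holds the pointer across another gentoken() call would see it change.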