author | Todd C. Miller <millert@cvs.openbsd.org> | 1998-07-09 23:54:37 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 1998-07-09 23:54:37 +0000 |
commit | 00f5e7aaf83be7616589a278ab2f746d47873bf8 (patch) | |
tree | f706873b486f12d3acb99ea39cafab886e5d25e0 /libexec/rexecd/rexecd.c | |
parent | e7587c5b4f6237baf2975b515e4db14a7ba1cc83 (diff) |
Don't open stderr channel until after the user has authenticated themselves
and never open a reserved port. Fix from www.infilsec.com, credited
to "The South African Tiger Team". While we're in here, don't leak
info about who is a valid user.
Diffstat (limited to 'libexec/rexecd/rexecd.c')
-rw-r--r-- | libexec/rexecd/rexecd.c | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c
index 823fdfd8d8c..45d61959144 100644
--- a/libexec/rexecd/rexecd.c
+++ b/libexec/rexecd/rexecd.c
@@ -39,7 +39,7 @@ char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "from: @(#)rexecd.c 5.12 (Berkeley) 2/25/91";*/
-static char rcsid[] = "$Id: rexecd.c,v 1.9 1998/07/07 06:02:12 deraadt Exp $";
+static char rcsid[] = "$Id: rexecd.c,v 1.10 1998/07/09 23:54:36 millert Exp $";
 #endif /* not lint */
 #include <sys/param.h>
@@ -150,32 +150,20 @@ doit(f, fromp)
 port = port * 10 + c - '0';
 }
 (void) alarm(0);
- if (port != 0) {
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s < 0)
- exit(1);
- if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
- exit(1);
- (void) alarm(60);
- fromp->sin_port = htons(port);
- if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
- exit(1);
- (void) alarm(0);
- }
 getstr(user, sizeof(user), "username");
 getstr(pass, sizeof(pass), "password");
 getstr(cmdbuf, sizeof(cmdbuf), "command");
 setpwent();
 pwd = getpwnam(user);
 if (pwd == NULL) {
- error("Login incorrect.\n");
+ error("Permission denied.\n");
 exit(1);
 }
 endpwent();
 if (*pwd->pw_passwd != '\0') {
 namep = crypt(pass, pwd->pw_passwd);
 if (strcmp(namep, pwd->pw_passwd)) {
- error("Password incorrect.\n");
+ error("Permission denied.\n");
 exit(1);
 }
 }
@@ -188,6 +176,22 @@ doit(f, fromp)
 error("No remote directory.\n");
 exit(1);
 }
+ if (port != 0) {
+ if (port < IPPORT_RESERVED) {
+ syslog(LOG_ERR, "client stderr port in reserved range\n");
+ exit(1);
+ }
+ s = socket(AF_INET, SOCK_STREAM, 0);
+ if (s < 0)
+ exit(1);
+ if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
+ exit(1);
+ (void) alarm(60);
+ fromp->sin_port = htons(port);
+ if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
+ exit(1);
+ (void) alarm(0);
+ }
 seteuid(0);
 setegid(0); /* XXX use a saved gid instead? */ |
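Review bot: In the hunk at -150,32 the unknown-user branch exits before `crypt()` is ever called, so although both failures now send the same "Permission denied." text, the two paths still do different amounts of work, which can be enough to tell a valid account name from an invalid one. One way to even this out is to run `crypt()` against a fixed dummy hash when `getpwnam()` returns NULL and fail afterwards. Separately, `crypt()` can return NULL and its result goes straight into `strcmp()`; the condition would be safer as `if (namep == NULL || strcmp(namep, pwd->pw_passwd)) {`. Neither failure path in this hunk writes a syslog entry, so rejected attempts leave no trace for monitoring; the body of doit() extends beyond the hunk on both sides.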
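Review bot: The new reserved-port check in the hunk at +176,22 has only a lower bound: `port` is accumulated from client-supplied digits earlier in doit(), and `htons()` keeps just the low 16 bits, so if `port` is declared wider than 16 bits (the declaration is outside this hunk) a value above 65535 passes `port < IPPORT_RESERVED` and is then truncated. Consider `if (port < IPPORT_RESERVED || port > 65535) {`, or bounding the value where the digits are parsed. The syslog message would be more useful for triage with the peer address and the requested port in it, and the trailing `\n` is unnecessary because syslog terminates the entry itself. The `seteuid(0)` and `setegid(0)` calls that follow are context lines whose return values are not checked.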