1 files changed, 140 insertions, 140 deletions
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 27c1375f7be..53cb8b364f0 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.16 2002/05/30 09:11:59 form Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.17 2002/06/07 08:36:56 deraadt Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -70,28 +70,31 @@ int Rdr_Action = PF_CHANGE_ADD_HEAD;
 int dev;			/* pf device */
 int Delete_Rules;		/* for parse_rules callbacks */
 
+FILE *pidfp;
+int ufd = -1;
 char *infile;			/* infile name needed by parse_[rules|nat] */
-char luser[MAXLOGNAME] = "";	/* username */
-char ipsrc[256] = "";		/* ip as a string */
+char luser[MAXLOGNAME];		/* username */
+char ipsrc[256];		/* ip as a string */
 char pidfile[MAXPATHLEN];	/* we save pid in this file. */
 char userfile[MAXPATHLEN];	/* we save username in this file */
 
 struct timeval Tstart, Tend;		/* start and end times of session */
-static volatile sig_atomic_t want_death;
 
 int	pfctl_add_rule(struct pfctl *, struct pf_rule *);
 int	pfctl_add_nat(struct pfctl *, struct pf_nat *);
 int	pfctl_add_rdr(struct pfctl *, struct pf_rdr *);
 int	pfctl_add_binat(struct pfctl *, struct pf_binat *);
 
-static void	read_config(void);
+static int	read_config(FILE *);
 static void	print_message(char *);
 static int	allowed_luser(char *);
 static int	check_luser(char *, char *);
 static int	changefilter(int, char *, char *);
 static void	authpf_kill_states(void);
-static void	need_death(int s);
-static __dead void	do_death(void);
+
+volatile sig_atomic_t want_death;
+static void	need_death(int signo);
+static __dead void do_death(int);
 
 /*
  * User shell for authenticating gateways. sole purpose is to allow
@@ -102,85 +105,62 @@ static __dead void	do_death(void);
 int
 main(int argc, char *argv[])
 {
-	int pidfd, ufd, namelen;
-	int lockcnt = 0;
-	char *foo, *cp;
-	FILE *fp = NULL;
-	struct passwd *pwp;
-	struct sockaddr *namep;
-	struct sockaddr_in peer;
-	char bannedir[] = PATH_BAN_DIR;
-
-	namep = (struct sockaddr *)&peer;
-	namelen = sizeof(peer);
-
-	read_config();
-
-	memset(namep, 0, namelen);
-
-	pwp = getpwuid(getuid());
-	if (pwp == NULL) {
-		syslog(LOG_ERR, "can't find user for uid %d", getuid());
+	int lockcnt = 0, pidfd;
+	FILE *config;
+	struct in_addr ina;
+	struct passwd *pw;
+	char *cp;
+	uid_t uid;
+
+	config = fopen(PATH_CONFFILE, "r");
+	if (config == NULL)
 		exit(1);
-	}
 
-	if (strcmp(pwp->pw_shell, PATH_AUTHPF_SHELL)) {
-		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
-		    pwp->pw_name, pwp->pw_uid);
+	if ((cp = getenv("SSH_CLIENT")) == NULL) {
+		syslog(LOG_ERR, "Can't determine connection source");
 		exit(1);
 	}
 
-	strlcpy(luser, pwp->pw_name, sizeof(luser));
-
-	if ((foo = getenv("SSH_CLIENT")) != NULL) {
-		struct in_addr jnk;
-		strlcpy(ipsrc, foo, sizeof(ipsrc));
-		cp = ipsrc;
-		while (*cp != '\0') {
-			if (*cp == ' ')
-				*cp = '\0';
-			else
-				cp++;
-		}
-		if (inet_pton(AF_INET, ipsrc, &jnk) != 1) {
-			syslog(LOG_ERR, "Can't get IP from SSH_CLIENT %s",
-			    ipsrc);
-			exit(1);
-		}
-
-	} else {
-		syslog(LOG_ERR, "Can't determine connection source");
+	strlcpy(ipsrc, cp, sizeof(ipsrc));
+	cp = strchr(ipsrc, ' ');
+	if (!cp) {
+		syslog(LOG_ERR, "Corrupt SSH_CLIENT variable %s", ipsrc);
 		exit(1);
 	}
-	if (!check_luser(bannedir, luser) || !allowed_luser(luser)) {
-		/* give the luser time to read our nastygram on the screen */
-		sleep(180);
+	*cp = '\0';
+	if (inet_pton(AF_INET, ipsrc, &ina) != 1) {
+		syslog(LOG_ERR,
+		    "Cannot determine IP from SSH_CLIENT %s", ipsrc);
 		exit(1);
 	}
 
-	/*
-	 * make ourselves an entry in /var/run as /var/run/authpf-ipaddr,
-	 * so that things may find us easily to kill us if necessary.
-	 */
-	if (snprintf(pidfile, sizeof pidfile, "%s-%s", PATH_PIDFILE, ipsrc) >=
-	    sizeof pidfile) {
-		fprintf(stderr, "Sorry, host too long for me to handle..\n");
-		syslog(LOG_ERR, "snprintf pidfile bogosity  - exiting");
-		goto dogdeath;
+	/* open the pf device */
+	dev = open(PATH_DEVFILE, O_RDWR);
+	if (dev == -1) {
+		syslog(LOG_ERR, "Can't open filter device (%m)");
+		goto die;
 	}
 
-	if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 ||
-	    (fp = fdopen(pidfd, "r+")) == NULL) {
-		syslog(LOG_ERR, "can't open or create %s: %s",
-		    pidfile, strerror(errno));
-		goto dogdeath;
+	uid = getuid();
+	pw = getpwuid(uid);
+	if (pw == NULL) {
+		syslog(LOG_ERR, "can't find user for uid %u", uid);
+		goto die;
+	}
+	if (strcmp(pw->pw_shell, PATH_AUTHPF_SHELL)) {
+		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
+		    pw->pw_name, pw->pw_uid);
+		goto die;
 	}
+	strlcpy(luser, pw->pw_name, sizeof(luser));
+
+	/* Make our entry in /var/run as /var/run/authpf-ipaddr */
+	snprintf(pidfile, sizeof pidfile, "%s-%s", PATH_PIDFILE, ipsrc);
 
 	/*
 	 * If someone else is already using this ip, then this person
-	 * wants to switch users - so kill the old process and we
-	 * exit as well. Of course, this will only work if we are
-	 * running with priviledge.
+	 * wants to switch users - so kill the old process and exit
+	 * as well.
 	 *
 	 * Note, we could print a message and tell them to log out, but the
 	 * usual case of this is that someone has left themselves logged in,
@@ -191,17 +171,29 @@ main(int argc, char *argv[])
 	 * tell them to log out before switching users it is an invitation
 	 * for abuse.
 	 */
-	while (flock(pidfd, LOCK_EX|LOCK_NB) == -1 && errno != EBADF) {
-		int otherpid = -1;
-		int save_errno = errno;
+	do {
+		int save_errno, otherpid = -1;
+
+		if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 ||
+		    (pidfp = fdopen(pidfd, "r+")) == NULL) {
+			if (pidfd == -1)
+				close(pidfd);
+			syslog(LOG_ERR, "can't open or create %s: %s", pidfile,
+			    strerror(errno));
+			goto die;
+		}
 
-		lockcnt++;
-		fscanf(fp, "%d", &otherpid);
-		syslog(LOG_DEBUG, "Tried to lock %s, in use by pid %d: %s",
+		if (flock(fileno(pidfp), LOCK_EX|LOCK_NB) == 0)
+			break;
+		save_errno = errno;
+
+		rewind(pidfp);
+		if (fscanf(pidfp, "%d", &otherpid) != 1)
+			otherpid = -1;
+		syslog(LOG_DEBUG,
+		    "Tried to lock %s, in use by pid %d: %s",
 		    pidfile, otherpid, strerror(save_errno));
-		fclose(fp);
 
-		close(pidfd);
 		if (otherpid > 0) {
 			syslog(LOG_INFO,
 			    "killing prior auth (pid %d) of %s by user %s",
@@ -214,33 +206,26 @@ main(int argc, char *argv[])
 		}
 
 		/*
-		 * we try to kill the previous process and aquire the lock
+		 * we try to kill the previous process and acquire the lock
 		 * for 10 seconds, trying once a second. if we can't after
 		 * 10 attempts we log an error and give up
 		 */
-		if (lockcnt > 10) {
+		if (++lockcnt > 10) {
 			syslog(LOG_ERR, "Can't kill previous authpf (pid %d)",
 			    otherpid);
 			goto dogdeath;
 		}
 		sleep(1);
-	}
 
-	fp = fopen(pidfile, "w+");
-	rewind(fp);
-	fprintf(fp, "%d\n", getpid());
-	fflush(fp);
-	(void) ftruncate(fileno(fp), ftell(fp));
-
-	/* open the pf device */
-	dev = open (PATH_DEVFILE, O_RDWR);
-	if (dev == -1) {
-		syslog(LOG_ERR, "Can't open filter device (%m)");
-		goto dogdeath;
-	}
+		/* re-open, and try again. The previous authpf process
+		 * we killed above should unlink the file and release
+		 * it's lock, giving us a chance to get it now
+		 */
+		fclose(pidfp);
+	} while (1);
 
 	/*
-	 * make an entry in file /var/authpf/ipaddr, containing the username.
+	 * Make an entry in file /var/authpf/ipaddr, containing the username.
 	 * this lets external applications check for authentication by looking
 	 * for the ipaddress in that directory, and retrieving the username
 	 * from it.
@@ -251,12 +236,33 @@ main(int argc, char *argv[])
 		goto dogdeath;
 	}
 
+	/* revoke privs */
+	seteuid(getuid());
+	setuid(getuid());
+
+	/*
+	 * Now we are unable to unlink /var/authpf/$ipsec and /var/run/$pid
+	 * and instead have to settle for only truncating them.
+	 */
+
+	if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser))
+		do_death(0);
+
+	if (read_config(config))
+		do_death(0);
+
+	/* We appear to be making headway, so actually mark our pid */
+	rewind(pidfp);
+	fprintf(pidfp, "%ld\n", (long)getpid());
+	fflush(pidfp);
+	(void) ftruncate(fileno(pidfp), ftell(pidfp));
+
 	write(ufd, luser, strlen(luser));
 	write(ufd, "\n", 1);
-	close(ufd);
 
 	if (changefilter(1, luser, ipsrc) == -1) {
-		/* XXX */
+		printf("Unable to modify filters\r\n");
+		do_death(1);
 	}
 
 	signal(SIGTERM, need_death);
@@ -273,37 +279,30 @@ main(int argc, char *argv[])
 		while (1) {
 			sleep(10);
 			if (want_death)
-				do_death();
+				do_death(1);
 		}
 	}
+
 	/* NOTREACHED */
- dogdeath:
+dogdeath:
 	printf("\r\n\r\nSorry, this service is currently unavailable due to ");
 	printf("technical difficulties\r\n\r\n");
 	print_message(PATH_PROBLEM);
 	printf("\r\nYour authentication process (pid %d) was unable to run\n",
 	    getpid());
 	sleep(180); /* them lusers read reaaaaal slow */
-	if (pidfile[0] != '\0')
-		unlink(pidfile); /* fail silently */
-	if (userfile[0] != '\0')
-		unlink(userfile); /* fail silently */
-	exit(1);
+die:
+	do_death(0);
 }
 
 /*
  * reads config file in PATH_CONFFILE to set optional behaviours up
  */
-static void
-read_config(void)
+static int
+read_config(FILE *f)
 {
 	char buf[1024];
 	int i = 0;
-	FILE *f;
-
-	f = fopen(PATH_CONFFILE, "r");
-	if (f == NULL) 
-		exit(1); /* exit silently if we have no config file */
 
 	openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
 
@@ -313,14 +312,14 @@ read_config(void)
 
 		if (fgets(buf, sizeof(buf), f) == NULL) {
 			fclose(f);
-			return;
+			return (0);
 		}
 		i++;
 		len = strlen(buf);
 		if (buf[len - 1] != '\n' && !feof(f)) {
 			syslog(LOG_ERR, "line %d too long in %s", i,
 			    PATH_CONFFILE);
-			exit(1);
+			return (1);
 		}
 		buf[len - 1] = '\0';
 
@@ -367,11 +366,11 @@ read_config(void)
 		}
 	} while (!feof(f) && !ferror(f));
 	fclose(f);
-	return;
- parse_error:
+	return (0);
+parse_error:
 	fclose(f);
 	syslog(LOG_ERR, "parse error, line %d of %s", i, PATH_CONFFILE);
-	exit(1);
+	return (1);
 }
 
 
@@ -410,23 +409,22 @@ print_message(char *filename)
  * use this gateway. If /etc/authpf.allow does exist, then a
  * user must be listed if the connection is to continue, else
  * the session terminates in the same manner as being banned.
- *
  */
 static int
 allowed_luser(char *luser)
 {
 	char *buf, *lbuf;
+	int matched;
 	size_t len;
 	FILE *f;
-	int matched;
 
 	if ((f = fopen(PATH_ALLOWFILE, "r")) == NULL) {
 		if (errno == ENOENT) {
 			/*
-			 * PATH_ALLOWFILE doesn't exist, this this gateway
+			 * allowfile doesn't exist, this this gateway
 			 * isn't restricted to certain users...
 			 */
-			return (1);
+			return(1);
 		}
 
 		/*
@@ -436,7 +434,7 @@ allowed_luser(char *luser)
 		 */
 		syslog(LOG_ERR, "Can't open allowed users file %s (%s)",
 		    PATH_ALLOWFILE, strerror(errno));
-		return (0);
+		return(0);
 	} else {
 		/*
 		 * /etc/authpf.allow exists, thus we do a linear
@@ -465,7 +463,7 @@ allowed_luser(char *luser)
 			}
 
 			if (matched)
-				return (1); /* matched an allowed username */
+				return(1); /* matched an allowed username */
 		}
 		syslog(LOG_INFO, "Denied access to %s: not listed in %s",
 		    luser, PATH_ALLOWFILE);
@@ -475,7 +473,7 @@ allowed_luser(char *luser)
 		fputs(buf, stdout);
 	}
 	fflush(stdout);
-	return (0);
+	return(0);
 }
 
 /*
@@ -498,7 +496,7 @@ check_luser(char *luserdir, char *luser)
 	    sizeof(tmp)) {
 		syslog(LOG_ERR, "Provided banned directory line too long (%s)",
 		    luserdir);
-		return (0);
+		return(0);
 	}
 	if ((f = fopen(tmp, "r")) == NULL) {
 		if (errno == ENOENT) {
@@ -506,7 +504,7 @@ check_luser(char *luserdir, char *luser)
 			 * file or dir doesn't exist, so therefore
 			 * this luser isn't banned..  all is well
 			 */
-			return (1);
+			return(1);
 		} else {
 			/*
 			 * luser may in fact be banned, but we can't open the
@@ -515,7 +513,7 @@ check_luser(char *luserdir, char *luser)
 			 */
 			syslog(LOG_ERR, "Can't open banned file %s (%s)",
 			    tmp, strerror(errno));
-			return (0);
+			return(0);
 		}
 	} else {
 		/*
@@ -531,12 +529,12 @@ check_luser(char *luserdir, char *luser)
 		while ((fputs(tmp, stdout) != EOF) && !feof(f)) {
 			if (fgets(tmp, sizeof(tmp), f) == NULL) {
 				fflush(stdout);
-				return (0);
+				return(0);
 			}
 		}
 	}
 	fflush(stdout);
-	return (0);
+	return(0);
 }
 
 
@@ -770,7 +768,7 @@ changefilter(int add, char *luser, char *ipsrc)
 		syslog(LOG_INFO, "Removed %s, user %s - duration %ld seconds",
 		    ipsrc, luser, Tend.tv_sec - Tstart.tv_sec);
 	}
-	return (ret);
+	return(ret);
 }
 
 /*
@@ -807,7 +805,7 @@ authpf_kill_states()
 
 /* signal handler that makes us go away properly */
 static void
-need_death(int s)
+need_death(int signo)
 {
 	want_death = 1;
 }
@@ -816,20 +814,22 @@ need_death(int s)
  * function that removes our stuff when we go away.
  */
 static __dead void
-do_death(void)
+do_death(int active)
 {
 	int ret = 0;
 
-	changefilter(0, luser, ipsrc);
-	authpf_kill_states();
-	if (unlink(pidfile) != 0) {
-		syslog(LOG_ERR, "Couldn't unlink %s! (%m)", pidfile);
-		ret = 1;
-	}
-	if (unlink(userfile) != 0) {
-		syslog(LOG_ERR, "Couldn't unlink %s! (%m)", userfile);
-		ret = 1;
-	}
+	if (active) {
+		changefilter(0, luser, ipsrc);
+		authpf_kill_states();
+	}
+	if (pidfp)
+		ftruncate(fileno(pidfp), 0);
+	if (pidfile[0])
+		unlink(pidfile);
+	if (ufd)
+		ftruncate(ufd, 0);
+	if (userfile[0])
+		unlink(userfile);
 	exit(ret);
 }