1/*	$NetBSD: security.c,v 1.5 2000/06/08 09:01:05 fvdl Exp $	*/
2/*	$FreeBSD$ */
3
4#include <sys/types.h>
5#include <sys/time.h>
6#include <sys/socket.h>
7#include <netinet/in.h>
8#include <arpa/inet.h>
9#include <rpc/rpc.h>
10#include <rpc/rpcb_prot.h>
11#include <rpc/pmap_prot.h>
12#include <err.h>
13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
16#include <unistd.h>
17#include <libutil.h>
18#include <syslog.h>
19#include <netdb.h>
20
21/*
22 * XXX for special case checks in check_callit.
23 */
24#include <rpcsvc/mount.h>
25#include <rpcsvc/rquota.h>
26#include <rpcsvc/nfs_prot.h>
27#include <rpcsvc/yp.h>
28#include <rpcsvc/ypclnt.h>
29#include <rpcsvc/yppasswd.h>
30
31#include "rpcbind.h"
32
33#ifdef LIBWRAP
34# include <tcpd.h>
35#ifndef LIBWRAP_ALLOW_FACILITY
36# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
37#endif
38#ifndef LIBWRAP_ALLOW_SEVERITY
39# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
40#endif
41#ifndef LIBWRAP_DENY_FACILITY
42# define LIBWRAP_DENY_FACILITY LOG_AUTH
43#endif
44#ifndef LIBWRAP_DENY_SEVERITY
45# define LIBWRAP_DENY_SEVERITY LOG_WARNING
46#endif
47int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
48int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
49#endif
50
51#ifndef PORTMAP_LOG_FACILITY
52# define PORTMAP_LOG_FACILITY LOG_AUTH
53#endif
54#ifndef PORTMAP_LOG_SEVERITY
55# define PORTMAP_LOG_SEVERITY LOG_INFO
56#endif
57int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY;
58
59extern int verboselog;
60
61int
62check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers)
63{
64	struct netbuf *caller = svc_getrpccaller(xprt);
65	struct sockaddr *addr = (struct sockaddr *)caller->buf;
66#ifdef LIBWRAP
67	struct request_info req;
68#endif
69	rpcprog_t prog = 0;
70	rpcb *rpcbp;
71	struct pmap *pmap;
72
73	/*
74	 * The older PMAP_* equivalents have the same numbers, so
75	 * they are accounted for here as well.
76	 */
77	switch (proc) {
78	case RPCBPROC_GETADDR:
79	case RPCBPROC_SET:
80	case RPCBPROC_UNSET:
81		if (rpcbvers > PMAPVERS) {
82			rpcbp = (rpcb *)args;
83			prog = rpcbp->r_prog;
84		} else {
85			pmap = (struct pmap *)args;
86			prog = pmap->pm_prog;
87		}
88		if (proc == RPCBPROC_GETADDR)
89			break;
90		if (!insecure && !is_loopback(caller)) {
91			if (verboselog)
92				logit(log_severity, addr, proc, prog,
93				    " declined (non-loopback sender)");
94			return 0;
95		}
96		break;
97	case RPCBPROC_CALLIT:
98	case RPCBPROC_INDIRECT:
99	case RPCBPROC_DUMP:
100	case RPCBPROC_GETTIME:
101	case RPCBPROC_UADDR2TADDR:
102	case RPCBPROC_TADDR2UADDR:
103	case RPCBPROC_GETVERSADDR:
104	case RPCBPROC_GETADDRLIST:
105	case RPCBPROC_GETSTAT:
106	default:
107		break;
108	}
109
110#ifdef LIBWRAP
111	if (addr->sa_family == AF_LOCAL)
112		return 1;
113	request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0);
114	sock_methods(&req);
115	if(!hosts_access(&req)) {
116		logit(deny_severity, addr, proc, prog, ": request from unauthorized host");
117		return 0;
118	}
119#endif
120	if (verboselog)
121		logit(log_severity, addr, proc, prog, "");
122    	return 1;
123}
124
125int
126is_loopback(struct netbuf *nbuf)
127{
128	struct sockaddr *addr = (struct sockaddr *)nbuf->buf;
129	struct sockaddr_in *sin;
130#ifdef INET6
131	struct sockaddr_in6 *sin6;
132#endif
133
134	switch (addr->sa_family) {
135	case AF_INET:
136		if (!oldstyle_local)
137			return 0;
138		sin = (struct sockaddr_in *)addr;
139        	return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
140		    (ntohs(sin->sin_port) < IPPORT_RESERVED));
141#ifdef INET6
142	case AF_INET6:
143		if (!oldstyle_local)
144			return 0;
145		sin6 = (struct sockaddr_in6 *)addr;
146		return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
147		    (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED));
148#endif
149	case AF_LOCAL:
150		return 1;
151	default:
152		break;
153	}
154
155	return 0;
156}
157
158
159/* logit - report events of interest via the syslog daemon */
160void
161logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum,
162      const char *text)
163{
164	const char *procname;
165	char	procbuf[32];
166	char   *progname;
167	char	progbuf[32];
168	char fromname[NI_MAXHOST];
169	struct rpcent *rpc;
170	static const char *procmap[] = {
171	/* RPCBPROC_NULL */		"null",
172	/* RPCBPROC_SET */		"set",
173	/* RPCBPROC_UNSET */		"unset",
174	/* RPCBPROC_GETADDR */		"getport/addr",
175	/* RPCBPROC_DUMP */		"dump",
176	/* RPCBPROC_CALLIT */		"callit",
177	/* RPCBPROC_GETTIME */		"gettime",
178	/* RPCBPROC_UADDR2TADDR */	"uaddr2taddr",
179	/* RPCBPROC_TADDR2UADDR */	"taddr2uaddr",
180	/* RPCBPROC_GETVERSADDR */	"getversaddr",
181	/* RPCBPROC_INDIRECT */		"indirect",
182	/* RPCBPROC_GETADDRLIST */	"getaddrlist",
183	/* RPCBPROC_GETSTAT */		"getstat"
184	};
185
186	/*
187	 * Fork off a process or the portmap daemon might hang while
188	 * getrpcbynumber() or syslog() does its thing.
189	 */
190
191	if (fork() == 0) {
192		setproctitle("logit");
193
194		/* Try to map program number to name. */
195
196		if (prognum == 0) {
197			progname = "";
198		} else if ((rpc = getrpcbynumber((int) prognum))) {
199			progname = rpc->r_name;
200		} else {
201			snprintf(progname = progbuf, sizeof(progbuf), "%u",
202			    (unsigned)prognum);
203		}
204
205		/* Try to map procedure number to name. */
206
207		if (procnum >= (sizeof procmap / sizeof (char *))) {
208			snprintf(procbuf, sizeof procbuf, "%u",
209			    (unsigned)procnum);
210			procname = procbuf;
211		} else
212			procname = procmap[procnum];
213
214		/* Write syslog record. */
215
216		if (addr->sa_family == AF_LOCAL)
217			strcpy(fromname, "local");
218		else
219			getnameinfo(addr, addr->sa_len, fromname,
220			    sizeof fromname, NULL, 0, NI_NUMERICHOST);
221
222		syslog(severity, "connect from %s to %s(%s)%s",
223			fromname, procname, progname, text);
224		_exit(0);
225	}
226}
227
228int
229check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum __unused)
230{
231	struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf;
232
233	/*
234	 * Always allow calling NULLPROC
235	 */
236	if (args->rmt_proc == 0)
237		return 1;
238
239	/*
240	 * XXX - this special casing sucks.
241	 */
242	switch (args->rmt_prog) {
243	case RPCBPROG:
244		/*
245		 * Allow indirect calls to ourselves in insecure mode.
246		 * The is_loopback checks aren't useful then anyway.
247		 */
248		if (!insecure)
249			goto deny;
250		break;
251	case MOUNTPROG:
252		if (args->rmt_proc != MOUNTPROC_MNT &&
253		    args->rmt_proc != MOUNTPROC_UMNT)
254			break;
255		goto deny;
256	case YPBINDPROG:
257		if (args->rmt_proc != YPBINDPROC_SETDOM)
258			break;
259		/* FALLTHROUGH */
260	case YPPASSWDPROG:
261	case NFS_PROGRAM:
262	case RQUOTAPROG:
263		goto deny;
264	case YPPROG:
265		switch (args->rmt_proc) {
266		case YPPROC_ALL:
267		case YPPROC_MATCH:
268		case YPPROC_FIRST:
269		case YPPROC_NEXT:
270			goto deny;
271		default:
272			break;
273		}
274	default:
275		break;
276	}
277
278	return 1;
279deny:
280#ifdef LIBWRAP
281	logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
282	    ": indirect call not allowed");
283#else
284	logit(0, sa, args->rmt_proc, args->rmt_prog,
285	    ": indirect call not allowed");
286#endif
287	return 0;
288}
289