1/*	$NetBSD: security.c,v 1.5 2000/06/08 09:01:05 fvdl Exp $	*/
2
3#include <sys/types.h>
4#include <sys/time.h>
5#include <sys/socket.h>
6#include <netinet/in.h>
7#include <arpa/inet.h>
8#include <rpc/rpc.h>
9#include <rpc/rpcb_prot.h>
10#include <rpc/pmap_prot.h>
11#include <stdio.h>
12#include <string.h>
13#include <unistd.h>
14#include <syslog.h>
15#include <netdb.h>
16
17/*
18 * XXX for special case checks in check_callit.
19 */
20#include <rpcsvc/mount.h>
21#include <rpcsvc/rquota.h>
22#include <rpcsvc/nfs_prot.h>
23#include <rpcsvc/yp.h>
24#include <rpcsvc/ypclnt.h>
25#include <rpcsvc/yppasswd.h>
26
27#include "rpcbind.h"
28
29#ifdef LIBWRAP
30# include <tcpd.h>
31#ifndef LIBWRAP_ALLOW_FACILITY
32# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
33#endif
34#ifndef LIBWRAP_ALLOW_SEVERITY
35# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
36#endif
37#ifndef LIBWRAP_DENY_FACILITY
38# define LIBWRAP_DENY_FACILITY LOG_AUTH
39#endif
40#ifndef LIBWRAP_DENY_SEVERITY
41# define LIBWRAP_DENY_SEVERITY LOG_WARNING
42#endif
43int allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
44int deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
45#endif
46
47#ifndef PORTMAP_LOG_FACILITY
48# define PORTMAP_LOG_FACILITY LOG_AUTH
49#endif
50#ifndef PORTMAP_LOG_SEVERITY
51# define PORTMAP_LOG_SEVERITY LOG_INFO
52#endif
53int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY;
54
55extern int verboselog;
56
57int
58check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers)
59{
60	struct netbuf *caller = svc_getrpccaller(xprt);
61	struct sockaddr *addr = (struct sockaddr *)caller->buf;
62#ifdef LIBWRAP
63	struct request_info req;
64#endif
65	rpcprog_t prog = 0;
66	rpcb *rpcbp;
67	struct pmap *pmap;
68
69	/*
70	 * The older PMAP_* equivalents have the same numbers, so
71	 * they are accounted for here as well.
72	 */
73	switch (proc) {
74	case RPCBPROC_GETADDR:
75	case RPCBPROC_SET:
76	case RPCBPROC_UNSET:
77		if (rpcbvers > PMAPVERS) {
78			rpcbp = (rpcb *)args;
79			prog = rpcbp->r_prog;
80		} else {
81			pmap = (struct pmap *)args;
82			prog = pmap->pm_prog;
83		}
84		if (proc == RPCBPROC_GETADDR)
85			break;
86		if (!insecure && !is_loopback(caller)) {
87			if (verboselog)
88				logit(log_severity, addr, proc, prog,
89				    " declined (non-loopback sender)");
90			return 0;
91		}
92		break;
93	case RPCBPROC_CALLIT:
94	case RPCBPROC_INDIRECT:
95	case RPCBPROC_DUMP:
96	case RPCBPROC_GETTIME:
97	case RPCBPROC_UADDR2TADDR:
98	case RPCBPROC_TADDR2UADDR:
99	case RPCBPROC_GETVERSADDR:
100	case RPCBPROC_GETADDRLIST:
101	case RPCBPROC_GETSTAT:
102	default:
103		break;
104	}
105
106#ifdef LIBWRAP
107	if (libwrap && addr->sa_family != AF_LOCAL) {
108		request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr,
109		    0);
110		sock_methods(&req);
111		if(!hosts_access(&req)) {
112			logit(deny_severity, addr, proc, prog,
113			    ": request from unauthorized host");
114			return 0;
115		}
116	}
117#endif
118	if (verboselog)
119		logit(log_severity, addr, proc, prog, "");
120    	return 1;
121}
122
123int
124is_loopback(struct netbuf *nbuf)
125{
126	struct sockaddr *addr = (struct sockaddr *)nbuf->buf;
127	struct sockaddr_in *sin;
128#ifdef INET6
129	struct sockaddr_in6 *sin6;
130#endif
131
132	switch (addr->sa_family) {
133	case AF_INET:
134		if (!oldstyle_local)
135			return 0;
136		sin = (struct sockaddr_in *)addr;
137        	return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
138		    (ntohs(sin->sin_port) < IPPORT_RESERVED));
139#ifdef INET6
140	case AF_INET6:
141		if (!oldstyle_local)
142			return 0;
143		sin6 = (struct sockaddr_in6 *)addr;
144		return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
145		    (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED));
146#endif
147	case AF_LOCAL:
148		return 1;
149	default:
150		break;
151	}
152
153	return 0;
154}
155
156
157/* logit - report events of interest via the syslog daemon */
158void
159logit(int severity, struct sockaddr *addr, rpcproc_t procnum, rpcprog_t prognum,
160      const char *text)
161{
162	const char *procname;
163	char	procbuf[32];
164	char   *progname;
165	char	progbuf[32];
166	char fromname[NI_MAXHOST];
167	struct rpcent *rpc;
168	static const char *procmap[] = {
169	/* RPCBPROC_NULL */		"null",
170	/* RPCBPROC_SET */		"set",
171	/* RPCBPROC_UNSET */		"unset",
172	/* RPCBPROC_GETADDR */		"getport/addr",
173	/* RPCBPROC_DUMP */		"dump",
174	/* RPCBPROC_CALLIT */		"callit",
175	/* RPCBPROC_GETTIME */		"gettime",
176	/* RPCBPROC_UADDR2TADDR */	"uaddr2taddr",
177	/* RPCBPROC_TADDR2UADDR */	"taddr2uaddr",
178	/* RPCBPROC_GETVERSADDR */	"getversaddr",
179	/* RPCBPROC_INDIRECT */		"indirect",
180	/* RPCBPROC_GETADDRLIST */	"getaddrlist",
181	/* RPCBPROC_GETSTAT */		"getstat"
182	};
183
184	/*
185	 * Fork off a process or the portmap daemon might hang while
186	 * getrpcbynumber() or syslog() does its thing.
187	 */
188
189	if (fork() == 0) {
190		setproctitle("logit");
191
192		/* Try to map program number to name. */
193
194		if (prognum == 0) {
195			progname = "";
196		} else if ((rpc = getrpcbynumber((int) prognum))) {
197			progname = rpc->r_name;
198		} else {
199			snprintf(progname = progbuf, sizeof(progbuf), "%u",
200			    (unsigned)prognum);
201		}
202
203		/* Try to map procedure number to name. */
204
205		if (procnum >= (sizeof procmap / sizeof (char *))) {
206			snprintf(procbuf, sizeof procbuf, "%u",
207			    (unsigned)procnum);
208			procname = procbuf;
209		} else
210			procname = procmap[procnum];
211
212		/* Write syslog record. */
213
214		if (addr->sa_family == AF_LOCAL)
215			strcpy(fromname, "local");
216		else
217			getnameinfo(addr, addr->sa_len, fromname,
218			    sizeof fromname, NULL, 0, NI_NUMERICHOST);
219
220		syslog(severity, "connect from %s to %s(%s)%s",
221			fromname, procname, progname, text);
222		_exit(0);
223	}
224}
225
226int
227check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum __unused)
228{
229	struct sockaddr *sa = (struct sockaddr *)svc_getrpccaller(xprt)->buf;
230
231	/*
232	 * Always allow calling NULLPROC
233	 */
234	if (args->rmt_proc == 0)
235		return 1;
236
237	/*
238	 * XXX - this special casing sucks.
239	 */
240	switch (args->rmt_prog) {
241	case RPCBPROG:
242		/*
243		 * Allow indirect calls to ourselves in insecure mode.
244		 * The is_loopback checks aren't useful then anyway.
245		 */
246		if (!insecure)
247			goto deny;
248		break;
249	case MOUNTPROG:
250		if (args->rmt_proc != MOUNTPROC_MNT &&
251		    args->rmt_proc != MOUNTPROC_UMNT)
252			break;
253		goto deny;
254	case YPBINDPROG:
255		if (args->rmt_proc != YPBINDPROC_SETDOM)
256			break;
257		/* FALLTHROUGH */
258	case YPPASSWDPROG:
259	case NFS_PROGRAM:
260	case RQUOTAPROG:
261		goto deny;
262	case YPPROG:
263		switch (args->rmt_proc) {
264		case YPPROC_ALL:
265		case YPPROC_MATCH:
266		case YPPROC_FIRST:
267		case YPPROC_NEXT:
268			goto deny;
269		default:
270			break;
271		}
272	default:
273		break;
274	}
275
276	return 1;
277deny:
278#ifdef LIBWRAP
279	logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
280	    ": indirect call not allowed");
281#else
282	logit(0, sa, args->rmt_proc, args->rmt_prog,
283	    ": indirect call not allowed");
284#endif
285	return 0;
286}
287