1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed for the FreeBSD Project by ThinkSec AS and
8 * NAI Labs, the Security Research Division of Network Associates, Inc.
9 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
10 * DARPA CHATS research program.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. The name of the author may not be used to endorse or promote
21 * products derived from this software without specific prior written
22 * permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37 #include <sys/types.h>
38 #include <sys/socket.h>
39 #include <netinet/in.h>
40
41 #include <err.h>
42 #include <errno.h>
43 #include <netconfig.h>
44 #include <netdb.h>
45 #include <pwd.h>
46 #include <stdlib.h>
47 #include <string.h>
48 #include <unistd.h>
49
50 #include <rpcsvc/ypclnt.h>
51 #include <rpcsvc/yppasswd.h>
52
53 #include "ypclnt.h"
54 #include "yppasswd_private.h"
55
56 static int yppasswd_remote(ypclnt_t *, const struct passwd *, const char *);
57 static int yppasswd_local(ypclnt_t *, const struct passwd *);
58
59 /*
60 * Determines the availability of rpc.yppasswdd. Returns -1 for not
61 * available (or unable to determine), 0 for available, 1 for available in
62 * master mode.
63 */
64 int
ypclnt_havepasswdd(ypclnt_t * ypclnt)65 ypclnt_havepasswdd(ypclnt_t *ypclnt)
66 {
67 struct netconfig *nc = NULL;
68 void *localhandle = NULL;
69 CLIENT *clnt = NULL;
70 int ret;
71
72 /* check if rpc.yppasswdd is running */
73 if (getrpcport(ypclnt->server, YPPASSWDPROG,
74 YPPASSWDPROC_UPDATE, IPPROTO_UDP) == 0) {
75 ypclnt_error(ypclnt, __func__, "no rpc.yppasswdd on server");
76 return (-1);
77 }
78
79 /* if we're not root, use remote method */
80 if (getuid() != 0)
81 return (0);
82
83 /* try to connect to rpc.yppasswdd */
84 localhandle = setnetconfig();
85 while ((nc = getnetconfig(localhandle)) != NULL) {
86 if (nc->nc_protofmly != NULL &&
87 strcmp(nc->nc_protofmly, NC_LOOPBACK) == 0)
88 break;
89 }
90 if (nc == NULL) {
91 ypclnt_error(ypclnt, __func__,
92 "getnetconfig: %s", nc_sperror());
93 ret = 0;
94 goto done;
95 }
96 if ((clnt = clnt_tp_create(NULL, MASTER_YPPASSWDPROG,
97 MASTER_YPPASSWDVERS, nc)) == NULL) {
98 ypclnt_error(ypclnt, __func__,
99 "failed to connect to rpc.yppasswdd: %s",
100 clnt_spcreateerror(ypclnt->server));
101 ret = 0;
102 goto done;
103 } else
104 ret = 1;
105
106 done:
107 if (clnt != NULL) {
108 clnt_destroy(clnt);
109 }
110 endnetconfig(localhandle);
111 return (ret);
112 }
113
114 /*
115 * Updates the NIS user information for the specified user.
116 */
117 int
ypclnt_passwd(ypclnt_t * ypclnt,const struct passwd * pwd,const char * passwd)118 ypclnt_passwd(ypclnt_t *ypclnt, const struct passwd *pwd, const char *passwd)
119 {
120 switch (ypclnt_havepasswdd(ypclnt)) {
121 case 0:
122 return (yppasswd_remote(ypclnt, pwd, passwd));
123 case 1:
124 return (yppasswd_local(ypclnt, pwd));
125 default:
126 return (-1);
127 }
128 }
129
130 /*
131 * yppasswd_remote and yppasswd_local are quite similar but still
132 * sufficiently different that merging them into one makes the code
133 * significantly less readable, IMHO, so we keep them separate.
134 */
135
136 static int
yppasswd_local(ypclnt_t * ypclnt,const struct passwd * pwd)137 yppasswd_local(ypclnt_t *ypclnt, const struct passwd *pwd)
138 {
139 struct master_yppasswd yppwd;
140 struct rpc_err rpcerr;
141 struct netconfig *nc = NULL;
142 void *localhandle = NULL;
143 CLIENT *clnt = NULL;
144 int ret, *result;
145
146 /* fill the master_yppasswd structure */
147 memset(&yppwd, 0, sizeof yppwd);
148 yppwd.newpw.pw_uid = pwd->pw_uid;
149 yppwd.newpw.pw_gid = pwd->pw_gid;
150 yppwd.newpw.pw_change = pwd->pw_change;
151 yppwd.newpw.pw_expire = pwd->pw_expire;
152 yppwd.newpw.pw_fields = pwd->pw_fields;
153 yppwd.oldpass = strdup("");
154 yppwd.domain = strdup(ypclnt->domain);
155 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL ||
156 (yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL ||
157 (yppwd.newpw.pw_class = strdup(pwd->pw_class)) == NULL ||
158 (yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL ||
159 (yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL ||
160 (yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL) {
161 ypclnt_error(ypclnt, __func__, strerror(errno));
162 ret = -1;
163 goto done;
164 }
165
166 /* connect to rpc.yppasswdd */
167 localhandle = setnetconfig();
168 while ((nc = getnetconfig(localhandle)) != NULL) {
169 if (nc->nc_protofmly != NULL &&
170 strcmp(nc->nc_protofmly, NC_LOOPBACK) == 0)
171 break;
172 }
173 if (nc == NULL) {
174 ypclnt_error(ypclnt, __func__,
175 "getnetconfig: %s", nc_sperror());
176 ret = -1;
177 goto done;
178 }
179 if ((clnt = clnt_tp_create(NULL, MASTER_YPPASSWDPROG,
180 MASTER_YPPASSWDVERS, nc)) == NULL) {
181 ypclnt_error(ypclnt, __func__,
182 "failed to connect to rpc.yppasswdd: %s",
183 clnt_spcreateerror(ypclnt->server));
184 ret = -1;
185 goto done;
186 }
187 clnt->cl_auth = authunix_create_default();
188
189 /* request the update */
190 result = yppasswdproc_update_master_1(&yppwd, clnt);
191
192 /* check for RPC errors */
193 clnt_geterr(clnt, &rpcerr);
194 if (rpcerr.re_status != RPC_SUCCESS) {
195 ypclnt_error(ypclnt, __func__,
196 "NIS password update failed: %s",
197 clnt_sperror(clnt, ypclnt->server));
198 ret = -1;
199 goto done;
200 }
201
202 /* check the result of the update */
203 if (result == NULL || *result != 0) {
204 ypclnt_error(ypclnt, __func__,
205 "NIS password update failed");
206 /* XXX how do we get more details? */
207 ret = -1;
208 goto done;
209 }
210
211 ypclnt_error(ypclnt, NULL, NULL);
212 ret = 0;
213
214 done:
215 if (clnt != NULL) {
216 auth_destroy(clnt->cl_auth);
217 clnt_destroy(clnt);
218 }
219 endnetconfig(localhandle);
220 free(yppwd.newpw.pw_name);
221 if (yppwd.newpw.pw_passwd != NULL) {
222 memset(yppwd.newpw.pw_passwd, 0, strlen(yppwd.newpw.pw_passwd));
223 free(yppwd.newpw.pw_passwd);
224 }
225 free(yppwd.newpw.pw_class);
226 free(yppwd.newpw.pw_gecos);
227 free(yppwd.newpw.pw_dir);
228 free(yppwd.newpw.pw_shell);
229 if (yppwd.oldpass != NULL) {
230 memset(yppwd.oldpass, 0, strlen(yppwd.oldpass));
231 free(yppwd.oldpass);
232 }
233 return (ret);
234 }
235
236 static int
yppasswd_remote(ypclnt_t * ypclnt,const struct passwd * pwd,const char * passwd)237 yppasswd_remote(ypclnt_t *ypclnt, const struct passwd *pwd, const char *passwd)
238 {
239 struct yppasswd yppwd;
240 struct rpc_err rpcerr;
241 CLIENT *clnt = NULL;
242 int ret, *result;
243
244 /* fill the yppasswd structure */
245 memset(&yppwd, 0, sizeof yppwd);
246 yppwd.newpw.pw_uid = pwd->pw_uid;
247 yppwd.newpw.pw_gid = pwd->pw_gid;
248 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL ||
249 (yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL ||
250 (yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL ||
251 (yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL ||
252 (yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL ||
253 (yppwd.oldpass = strdup(passwd ? passwd : "")) == NULL) {
254 ypclnt_error(ypclnt, __func__, strerror(errno));
255 ret = -1;
256 goto done;
257 }
258
259 /* connect to rpc.yppasswdd */
260 clnt = clnt_create(ypclnt->server, YPPASSWDPROG, YPPASSWDVERS, "udp");
261 if (clnt == NULL) {
262 ypclnt_error(ypclnt, __func__,
263 "failed to connect to rpc.yppasswdd: %s",
264 clnt_spcreateerror(ypclnt->server));
265 ret = -1;
266 goto done;
267 }
268 clnt->cl_auth = authunix_create_default();
269
270 /* request the update */
271 result = yppasswdproc_update_1(&yppwd, clnt);
272
273 /* check for RPC errors */
274 clnt_geterr(clnt, &rpcerr);
275 if (rpcerr.re_status != RPC_SUCCESS) {
276 ypclnt_error(ypclnt, __func__,
277 "NIS password update failed: %s",
278 clnt_sperror(clnt, ypclnt->server));
279 ret = -1;
280 goto done;
281 }
282
283 /* check the result of the update */
284 if (result == NULL || *result != 0) {
285 ypclnt_error(ypclnt, __func__,
286 "NIS password update failed");
287 /* XXX how do we get more details? */
288 ret = -1;
289 goto done;
290 }
291
292 ypclnt_error(ypclnt, NULL, NULL);
293 ret = 0;
294
295 done:
296 if (clnt != NULL) {
297 auth_destroy(clnt->cl_auth);
298 clnt_destroy(clnt);
299 }
300 free(yppwd.newpw.pw_name);
301 if (yppwd.newpw.pw_passwd != NULL) {
302 memset(yppwd.newpw.pw_passwd, 0, strlen(yppwd.newpw.pw_passwd));
303 free(yppwd.newpw.pw_passwd);
304 }
305 free(yppwd.newpw.pw_gecos);
306 free(yppwd.newpw.pw_dir);
307 free(yppwd.newpw.pw_shell);
308 if (yppwd.oldpass != NULL) {
309 memset(yppwd.oldpass, 0, strlen(yppwd.oldpass));
310 free(yppwd.oldpass);
311 }
312 return (ret);
313 }
314