1 /*- 2 * Copyright (c) 2002 Networks Associates Technology, Inc. 3 * All rights reserved. 4 * 5 * This software was developed for the FreeBSD Project by ThinkSec AS and 6 * NAI Labs, the Security Research Division of Network Associates, Inc. 7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8 * DARPA CHATS research program. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. The name of the author may not be used to endorse or promote 19 * products derived from this software without specific prior written 20 * permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 #include <sys/types.h> 38 #include <sys/socket.h> 39 #include <netinet/in.h> 40 41 #include <err.h> 42 #include <errno.h> 43 #include <netconfig.h> 44 #include <netdb.h> 45 #include <pwd.h> 46 #include <stdlib.h> 47 #include <string.h> 48 #include <unistd.h> 49 50 #include <rpcsvc/ypclnt.h> 51 #include <rpcsvc/yppasswd.h> 52 53 #include "ypclnt.h" 54 #include "yppasswd_private.h" 55 56 static int yppasswd_remote(ypclnt_t *, const struct passwd *, const char *); 57 static int yppasswd_local(ypclnt_t *, const struct passwd *, const char *); 58 59 /* 60 * Determines the availability of rpc.yppasswdd. Returns -1 for not 61 * available (or unable to determine), 0 for available, 1 for available in 62 * master mode. 63 */ 64 int 65 ypclnt_havepasswdd(ypclnt_t *ypclnt) 66 { 67 struct addrinfo hints, *res; 68 int sd; 69 70 /* check that rpc.yppasswdd is running */ 71 if (getrpcport(ypclnt->server, YPPASSWDPROG, 72 YPPASSWDPROC_UPDATE, IPPROTO_UDP) == 0) { 73 ypclnt_error(ypclnt, __func__, "no rpc.yppasswdd on server"); 74 return (-1); 75 } 76 77 /* if we're not root, use remote method */ 78 if (getuid() != 0) 79 return (0); 80 81 /* try to determine if we are the server */ 82 memset(&hints, 0, sizeof(hints)); 83 hints.ai_family = AF_UNSPEC; 84 hints.ai_socktype = SOCK_STREAM; 85 hints.ai_protocol = 0; 86 if (getaddrinfo(ypclnt->server, NULL, &hints, &res) != 0) 87 return (0); 88 sd = socket(res->ai_family, res->ai_socktype, res->ai_protocol); 89 if (sd == -1) { 90 freeaddrinfo(res); 91 return (0); 92 } 93 if (bind(sd, res->ai_addr, res->ai_addrlen) == -1) { 94 close(sd); 95 freeaddrinfo(res); 96 return (0); 97 } 98 freeaddrinfo(res); 99 close(sd); 100 return (1); 101 } 102 103 /* 104 * Updates the NIS user information for the specified user. 105 */ 106 int 107 ypclnt_passwd(ypclnt_t *ypclnt, const struct passwd *pwd, const char *passwd) 108 { 109 switch (ypclnt_havepasswdd(ypclnt)) { 110 case 0: 111 YPCLNT_DEBUG("using remote update method"); 112 return (yppasswd_remote(ypclnt, pwd, passwd)); 113 case 1: 114 YPCLNT_DEBUG("using local update method"); 115 return (yppasswd_local(ypclnt, pwd, passwd)); 116 default: 117 YPCLNT_DEBUG("no rpc.yppasswdd"); 118 return (-1); 119 } 120 } 121 122 /* 123 * yppasswd_remote and yppasswd_local are quite similar but still 124 * sufficiently different that merging them into one makes the code 125 * significantly less readable, IMHO, so we keep them separate. 126 */ 127 128 static int 129 yppasswd_local(ypclnt_t *ypclnt, const struct passwd *pwd, const char *passwd) 130 { 131 struct master_yppasswd yppwd; 132 struct rpc_err rpcerr; 133 struct netconfig *nc = NULL; 134 CLIENT *clnt = NULL; 135 int ret, *result; 136 137 /* fill the master_yppasswd structure */ 138 memset(&yppwd, 0, sizeof yppwd); 139 yppwd.newpw.pw_uid = pwd->pw_uid; 140 yppwd.newpw.pw_gid = pwd->pw_gid; 141 yppwd.newpw.pw_change = pwd->pw_change; 142 yppwd.newpw.pw_expire = pwd->pw_expire; 143 yppwd.newpw.pw_fields = pwd->pw_fields; 144 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL || 145 (yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL || 146 (yppwd.newpw.pw_class = strdup(pwd->pw_class)) == NULL || 147 (yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL || 148 (yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL || 149 (yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL || 150 (yppwd.oldpass = strdup(passwd ? passwd : "")) == NULL) { 151 ypclnt_error(ypclnt, __func__, strerror(errno)); 152 ret = -1; 153 goto done; 154 } 155 156 /* connect to rpc.yppasswdd */ 157 nc = getnetconfigent("local"); 158 if (nc == NULL) 159 nc = getnetconfigent("unix"); 160 clnt = clnt_tp_create(ypclnt->server, YPPASSWDPROG, YPPASSWDVERS, nc); 161 if (clnt == NULL) { 162 ypclnt_error(ypclnt, __func__, 163 "failed to connect to rpc.yppasswdd: %s", 164 clnt_spcreateerror(ypclnt->server)); 165 ret = -1; 166 goto done; 167 } 168 clnt->cl_auth = authunix_create_default(); 169 170 /* request the update */ 171 result = yppasswdproc_update_master_1(&yppwd, clnt); 172 173 /* check for RPC errors */ 174 clnt_geterr(clnt, &rpcerr); 175 if (rpcerr.re_status != RPC_SUCCESS) { 176 ypclnt_error(ypclnt, __func__, 177 "NIS password update failed: %s", 178 clnt_sperror(clnt, ypclnt->server)); 179 ret = -1; 180 goto done; 181 } 182 183 /* check the result of the update */ 184 if (result == NULL || *result != 0) { 185 ypclnt_error(ypclnt, __func__, 186 "NIS password update failed"); 187 /* XXX how do we get more details? */ 188 ret = -1; 189 goto done; 190 } 191 192 ypclnt_error(ypclnt, NULL, NULL); 193 ret = 0; 194 195 done: 196 if (clnt != NULL) { 197 auth_destroy(clnt->cl_auth); 198 clnt_destroy(clnt); 199 } 200 if (nc != NULL) 201 freenetconfigent(nc); 202 free(yppwd.newpw.pw_name); 203 if (yppwd.newpw.pw_passwd != NULL) { 204 memset(yppwd.newpw.pw_passwd, 0, strlen(yppwd.newpw.pw_passwd)); 205 free(yppwd.newpw.pw_passwd); 206 } 207 free(yppwd.newpw.pw_class); 208 free(yppwd.newpw.pw_gecos); 209 free(yppwd.newpw.pw_dir); 210 free(yppwd.newpw.pw_shell); 211 if (yppwd.oldpass != NULL) { 212 memset(yppwd.oldpass, 0, strlen(yppwd.oldpass)); 213 free(yppwd.oldpass); 214 } 215 return (ret); 216 } 217 218 static int 219 yppasswd_remote(ypclnt_t *ypclnt, const struct passwd *pwd, const char *passwd) 220 { 221 struct yppasswd yppwd; 222 struct rpc_err rpcerr; 223 CLIENT *clnt = NULL; 224 int ret, *result; 225 226 /* fill the yppasswd structure */ 227 memset(&yppwd, 0, sizeof yppwd); 228 yppwd.newpw.pw_uid = pwd->pw_uid; 229 yppwd.newpw.pw_gid = pwd->pw_gid; 230 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL || 231 (yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL || 232 (yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL || 233 (yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL || 234 (yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL || 235 (yppwd.oldpass = strdup(passwd ? passwd : "")) == NULL) { 236 ypclnt_error(ypclnt, __func__, strerror(errno)); 237 ret = -1; 238 goto done; 239 } 240 241 /* connect to rpc.yppasswdd */ 242 clnt = clnt_create(ypclnt->server, YPPASSWDPROG, YPPASSWDVERS, "udp"); 243 if (clnt == NULL) { 244 ypclnt_error(ypclnt, __func__, 245 "failed to connect to rpc.yppasswdd: %s", 246 clnt_spcreateerror(ypclnt->server)); 247 ret = -1; 248 goto done; 249 } 250 clnt->cl_auth = authunix_create_default(); 251 252 /* request the update */ 253 result = yppasswdproc_update_1(&yppwd, clnt); 254 255 /* check for RPC errors */ 256 clnt_geterr(clnt, &rpcerr); 257 if (rpcerr.re_status != RPC_SUCCESS) { 258 ypclnt_error(ypclnt, __func__, 259 "NIS password update failed: %s", 260 clnt_sperror(clnt, ypclnt->server)); 261 ret = -1; 262 goto done; 263 } 264 265 /* check the result of the update */ 266 if (result == NULL || *result != 0) { 267 ypclnt_error(ypclnt, __func__, 268 "NIS password update failed"); 269 /* XXX how do we get more details? */ 270 ret = -1; 271 goto done; 272 } 273 274 ypclnt_error(ypclnt, NULL, NULL); 275 ret = 0; 276 277 done: 278 if (clnt != NULL) { 279 auth_destroy(clnt->cl_auth); 280 clnt_destroy(clnt); 281 } 282 free(yppwd.newpw.pw_name); 283 if (yppwd.newpw.pw_passwd != NULL) { 284 memset(yppwd.newpw.pw_passwd, 0, strlen(yppwd.newpw.pw_passwd)); 285 free(yppwd.newpw.pw_passwd); 286 } 287 free(yppwd.newpw.pw_gecos); 288 free(yppwd.newpw.pw_dir); 289 free(yppwd.newpw.pw_shell); 290 if (yppwd.oldpass != NULL) { 291 memset(yppwd.oldpass, 0, strlen(yppwd.oldpass)); 292 free(yppwd.oldpass); 293 } 294 return (ret); 295 } 296