1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* Copyright (c) 1983-1989 AT&T */ 28 /* All Rights Reserved */ 29 30 /* 31 * Portions of this source code were derived from Berkeley 4.3 BSD 32 * under license from the Regents of the University of California. 33 */ 34 35 #pragma ident "%Z%%M% %I% %E% SMI" 36 37 #include <sys/types.h> 38 #include <sys/ioctl.h> 39 #include <sys/param.h> 40 #include <sys/socket.h> 41 #include <sys/time.h> 42 #include <sys/filio.h> 43 44 #include <netinet/in.h> 45 #include <arpa/inet.h> 46 47 #include <unistd.h> 48 #include <string.h> 49 #include <stdlib.h> 50 #include <stdio.h> 51 #include <stdarg.h> 52 #include <errno.h> 53 #include <pwd.h> 54 #include <grp.h> 55 #include <signal.h> 56 #include <netdb.h> 57 #include <syslog.h> 58 #include <security/pam_appl.h> 59 60 #ifdef SYSV 61 #include <shadow.h> 62 #endif /* SYSV */ 63 64 #ifndef NCARGS 65 #define NCARGS 5120 66 #endif /* NCARGS */ 67 68 #ifdef SYSV 69 #define rindex strrchr 70 #define killpg(a, b) kill(-(a), (b)) 71 #else 72 char *sprintf(); 73 #endif /* SYSV */ 74 75 #define MAXFD(A, B) ((A) > (B) ? (A) : (B)) 76 77 static void error(char *fmt, ...); 78 static void doit(int f, struct sockaddr_storage *fromp); 79 static void getstr(char *buf, int cnt, char *err); 80 81 static int legalenvvar(char *s); 82 83 /* Function decls. for functions not in any header file. (Grrrr.) */ 84 extern int audit_rexecd_setup(void); 85 extern int audit_rexecd_success(char *, char *, char *); 86 extern int audit_rexecd_fail(char *, char *, char *, char *); 87 extern int audit_settid(int); /* set termnal ID */ 88 89 /* PAM conversation function */ 90 static int rexec_conv(int, struct pam_message **, 91 struct pam_response **, void *); 92 93 static pam_handle_t *pamh; /* authentication handle */ 94 static struct pam_conv conv = { 95 rexec_conv, 96 NULL 97 }; 98 99 /* 100 * remote execute server: 101 * username\0 102 * password\0 103 * command\0 104 * data 105 * 106 * in.rexecd has been modified to run as the user invoking it. Hence there is no 107 * need to limit any privileges. 108 */ 109 /*ARGSUSED*/ 110 void 111 main(int argc, char **argv) 112 { 113 struct sockaddr_storage from; 114 socklen_t fromlen; 115 116 openlog("rexec", LOG_PID | LOG_ODELAY, LOG_DAEMON); 117 (void) audit_rexecd_setup(); /* BSM */ 118 fromlen = (socklen_t)sizeof (from); 119 if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) { 120 (void) fprintf(stderr, "%s: ", argv[0]); 121 perror("getpeername"); 122 exit(1); 123 } 124 125 if (audit_settid(0) != 0) { 126 perror("settid"); 127 exit(1); 128 } 129 130 doit(0, &from); 131 /* NOTREACHED */ 132 } 133 134 static char username[20] = "USER="; 135 static char homedir[64] = "HOME="; 136 static char shell[64] = "SHELL="; 137 138 static char *envinit[] = 139 #ifdef SYSV 140 {homedir, shell, (char *)0, username, 141 (char *)0, (char *)0, (char *)0, (char *)0, 142 (char *)0, (char *)0, (char *)0, (char *)0, 143 (char *)0, (char *)0, (char *)0, (char *)0, 144 (char *)0, (char *)0, (char *)0, (char *)0, 145 (char *)0}; 146 #define ENVINIT_PATH 2 /* position of PATH in envinit[] */ 147 #define PAM_ENV_ELIM 16 /* max PAM environment variables */ 148 149 /* 150 * See PSARC opinion 1992/025 151 */ 152 static char userpath[] = "PATH=/usr/bin:"; 153 static char rootpath[] = "PATH=/usr/sbin:/usr/bin"; 154 #else 155 {homedir, shell, "PATH=:/usr/ucb:/bin:/usr/bin", username, 0}; 156 #endif /* SYSV */ 157 158 static struct sockaddr_storage asin; 159 static char pass[16]; 160 161 static void 162 doit(int f, struct sockaddr_storage *fromp) 163 { 164 char cmdbuf[NCARGS+1], *cp; 165 char user[16]; 166 char hostname [MAXHOSTNAMELEN + 1]; 167 struct passwd *pwd; 168 int s; 169 ushort_t port; 170 pid_t pid; 171 int pv[2], cc; 172 fd_set readfrom, ready; 173 char buf[BUFSIZ], sig; 174 int one = 1; 175 int idx = 0, end_env = 0; 176 char **pam_env; 177 int status = PAM_AUTH_ERR; 178 char abuf[INET6_ADDRSTRLEN]; 179 struct in_addr v4dst; 180 socklen_t fromplen; 181 struct sockaddr_in *sin; 182 struct sockaddr_in6 *sin6; 183 184 (void) signal(SIGINT, SIG_DFL); 185 (void) signal(SIGQUIT, SIG_DFL); 186 (void) signal(SIGTERM, SIG_DFL); 187 #ifdef DEBUG 188 { 189 int t = open("/dev/tty", 2); 190 if (t >= 0) { 191 #ifdef SYSV 192 (void) setsid(); 193 #else 194 (void) ioctl(t, TIOCNOTTY, (char *)0); 195 #endif /* SYSV */ 196 (void) close(t); 197 } 198 } 199 #endif 200 if (fromp->ss_family == AF_INET) { 201 sin = (struct sockaddr_in *)fromp; 202 fromplen = sizeof (struct sockaddr_in); 203 asin.ss_family = AF_INET; /* used for bind */ 204 } else if (fromp->ss_family == AF_INET6) { 205 sin6 = (struct sockaddr_in6 *)fromp; 206 fromplen = sizeof (struct sockaddr_in6); 207 asin.ss_family = AF_INET6; /* used for bind */ 208 } else { 209 syslog(LOG_ERR, "unknown address family %d\n", 210 fromp->ss_family); 211 exit(1); 212 } 213 /* 214 * store common info. for audit record 215 */ 216 217 if (getnameinfo((const struct sockaddr *) fromp, fromplen, hostname, 218 sizeof (hostname), NULL, 0, 0) != 0) { 219 if (fromp->ss_family == AF_INET6) { 220 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 221 struct in_addr ipv4_addr; 222 223 IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 224 &ipv4_addr); 225 inet_ntop(AF_INET, &ipv4_addr, abuf, 226 sizeof (abuf)); 227 } else { 228 inet_ntop(AF_INET6, &sin6->sin6_addr, 229 abuf, sizeof (abuf)); 230 } 231 } else if (fromp->ss_family == AF_INET) { 232 inet_ntop(AF_INET, &sin->sin_addr, 233 abuf, sizeof (abuf)); 234 } 235 (void) strncpy(hostname, abuf, sizeof (hostname)); 236 } 237 (void) dup2(f, 0); 238 (void) dup2(f, 1); 239 (void) dup2(f, 2); 240 (void) alarm(60); 241 port = 0; 242 for (;;) { 243 char c; 244 if (read(f, &c, 1) != 1) 245 exit(1); 246 if (c == 0) 247 break; 248 port = port * 10 + c - '0'; 249 } 250 (void) alarm(0); 251 if (port != 0) { 252 s = socket(fromp->ss_family, SOCK_STREAM, 0); 253 if (s < 0) 254 exit(1); 255 if (bind(s, (struct sockaddr *)&asin, fromplen) < 0) 256 exit(1); 257 (void) alarm(60); 258 if (fromp->ss_family == AF_INET) { 259 sin->sin_port = htons((ushort_t)port); 260 } else if (fromp->ss_family == AF_INET6) { 261 sin6->sin6_port = htons((ushort_t)port); 262 } 263 if (connect(s, (struct sockaddr *)fromp, fromplen) < 0) 264 exit(1); 265 (void) alarm(0); 266 } 267 getstr(user, sizeof (user), "username"); 268 getstr(pass, sizeof (pass), "password"); 269 getstr(cmdbuf, sizeof (cmdbuf), "command"); 270 271 setpwent(); 272 pwd = getpwnam(user); 273 if (pwd == NULL) { 274 (void) audit_rexecd_fail("Login incorrect", hostname, user, 275 cmdbuf); /* BSM */ 276 error("Login incorrect.\n"); 277 exit(1); 278 } 279 endpwent(); 280 281 if (pam_start("rexec", user, &conv, &pamh) != PAM_SUCCESS) { 282 exit(1); 283 } 284 if (pam_set_item(pamh, PAM_RHOST, hostname) != PAM_SUCCESS) { 285 exit(1); 286 } 287 288 if ((status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { 289 switch (status) { 290 case PAM_USER_UNKNOWN: 291 (void) audit_rexecd_fail("Login incorrect", hostname, 292 user, cmdbuf); /* BSM */ 293 error("Login incorrect.\n"); 294 break; 295 default: 296 (void) audit_rexecd_fail("Password incorrect", hostname, 297 user, cmdbuf); /* BSM */ 298 error("Password incorrect.\n"); 299 } 300 pam_end(pamh, status); 301 exit(1); 302 } 303 if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { 304 (void) audit_rexecd_fail("Account or Password Expired", 305 hostname, user, cmdbuf); 306 switch (status) { 307 case PAM_NEW_AUTHTOK_REQD: 308 error("Password Expired.\n"); 309 break; 310 case PAM_PERM_DENIED: 311 error("Account Expired.\n"); 312 break; 313 case PAM_AUTHTOK_EXPIRED: 314 error("Password Expired.\n"); 315 break; 316 default: 317 error("Login incorrect.\n"); 318 break; 319 } 320 pam_end(pamh, status); 321 exit(1); 322 } 323 324 (void) write(2, "\0", 1); 325 326 if (setgid((gid_t)pwd->pw_gid) < 0) { 327 (void) audit_rexecd_fail("Can't setgid", hostname, 328 user, cmdbuf); /* BSM */ 329 error("setgid"); 330 pam_end(pamh, PAM_ABORT); 331 exit(1); 332 } 333 (void) initgroups(pwd->pw_name, pwd->pw_gid); 334 335 if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { 336 (void) audit_rexecd_fail("Unable to establish credentials", 337 hostname, user, cmdbuf); /* BSM */ 338 error("Unable to establish credentials.\n"); 339 pam_end(pamh, PAM_SUCCESS); 340 } 341 342 (void) audit_rexecd_success(hostname, user, cmdbuf); /* BSM */ 343 344 if (setuid((uid_t)pwd->pw_uid) < 0) { 345 (void) audit_rexecd_fail("Can't setuid", hostname, 346 user, cmdbuf); /* BSM */ 347 error("setuid"); 348 pam_end(pamh, PAM_ABORT); 349 exit(1); 350 } 351 352 353 if (port) { 354 (void) pipe(pv); 355 pid = fork(); 356 if (pid == (pid_t)-1) { 357 error("Try again.\n"); 358 pam_end(pamh, PAM_ABORT); 359 exit(1); 360 } 361 if (pid) { 362 /* 363 * since the daemon is running as the user no need 364 * to prune privileges. 365 */ 366 (void) close(0); (void) close(1); (void) close(2); 367 (void) close(f); (void) close(pv[1]); 368 FD_ZERO(&readfrom); 369 FD_SET(s, &readfrom); 370 FD_SET(pv[0], &readfrom); 371 (void) ioctl(pv[0], FIONBIO, (char *)&one); 372 /* should set s nbio! */ 373 do { 374 ready = readfrom; 375 if (select(MAXFD(s, pv[0])+1, &ready, NULL, 376 NULL, NULL) < 0) { 377 perror("select:"); 378 exit(1); 379 } 380 if (FD_ISSET(s, &ready)) { 381 if (read(s, &sig, 1) <= 0) 382 FD_CLR(s, &readfrom); 383 else 384 (void) killpg(pid, sig); 385 } 386 if (FD_ISSET(pv[0], &ready)) { 387 cc = read(pv[0], buf, sizeof (buf)); 388 if (cc <= 0) { 389 (void) shutdown(s, 1+1); 390 FD_CLR(pv[0], &readfrom); 391 } else 392 (void) write(s, buf, cc); 393 } 394 } while (FD_ISSET(s, &readfrom) || 395 FD_ISSET(pv[0], &readfrom)); 396 exit(0); 397 } 398 /* setpgrp(0, getpid()); */ 399 (void) setsid(); /* Should be the same as above. */ 400 (void) close(s); (void)close(pv[0]); 401 (void) dup2(pv[1], 2); 402 } 403 404 if (*pwd->pw_shell == '\0') 405 pwd->pw_shell = "/bin/sh"; 406 if (f > 2) 407 (void) close(f); 408 /* Change directory only after becoming the appropriate user. */ 409 if (chdir(pwd->pw_dir) < 0) { 410 error("No remote directory.\n"); 411 pam_end(pamh, PAM_ABORT); 412 exit(1); 413 } 414 #ifdef SYSV 415 if (pwd->pw_uid) 416 envinit[ENVINIT_PATH] = userpath; 417 else 418 envinit[ENVINIT_PATH] = rootpath; 419 #endif /* SYSV */ 420 (void) strncat(homedir, pwd->pw_dir, sizeof (homedir) - 6); 421 (void) strncat(shell, pwd->pw_shell, sizeof (shell) - 7); 422 (void) strncat(username, pwd->pw_name, sizeof (username) - 6); 423 424 /* 425 * add PAM environment variables set by modules 426 * -- only allowed 16 (PAM_ENV_ELIM) 427 * -- check to see if the environment variable is legal 428 */ 429 for (end_env = 0; envinit[end_env] != 0; end_env++) 430 ; 431 if ((pam_env = pam_getenvlist(pamh)) != 0) { 432 while (pam_env[idx] != 0) { 433 if (idx < PAM_ENV_ELIM && 434 legalenvvar(pam_env[idx])) { 435 envinit[end_env + idx] = pam_env[idx]; 436 } 437 idx++; 438 } 439 } 440 441 pam_end(pamh, PAM_SUCCESS); 442 443 cp = rindex(pwd->pw_shell, '/'); 444 if (cp) 445 cp++; 446 else 447 cp = pwd->pw_shell; 448 (void) execle(pwd->pw_shell, cp, "-c", cmdbuf, (char *)0, envinit); 449 perror(pwd->pw_shell); 450 exit(1); 451 } 452 453 static void 454 getstr(char *buf, int cnt, char *err) 455 { 456 char c; 457 458 do { 459 if (read(0, &c, 1) != 1) 460 exit(1); 461 *buf++ = c; 462 if (--cnt == 0) { 463 error("%s too long\n", err); 464 exit(1); 465 } 466 } while (c != 0); 467 } 468 469 static void 470 error(char *fmt, ...) 471 { 472 va_list ap; 473 char buf[BUFSIZ]; 474 475 buf[0] = 1; 476 va_start(ap, fmt); 477 (void) vsprintf(buf+1, fmt, ap); 478 va_end(ap); 479 (void) write(2, buf, strlen(buf)); 480 } 481 482 static char *illegal[] = { 483 "SHELL=", 484 "HOME=", 485 "LOGNAME=", 486 #ifndef NO_MAIL 487 "MAIL=", 488 #endif 489 "CDPATH=", 490 "IFS=", 491 "PATH=", 492 "USER=", 493 0 494 }; 495 496 /* 497 * legalenvvar - can PAM insert this environmental variable? 498 */ 499 500 static int 501 legalenvvar(char *s) 502 { 503 register char **p; 504 505 for (p = illegal; *p; p++) 506 if (strncmp(s, *p, strlen(*p)) == 0) 507 return (0); 508 509 if (s[0] == 'L' && s[1] == 'D' && s[2] == '_') 510 return (0); 511 512 return (1); 513 } 514 515 /* 516 * rexec_conv - This is the conv (conversation) function called from 517 * a PAM authentication module to print error messages 518 * or garner information from the user. 519 */ 520 521 /* ARGSUSED3 */ 522 static int 523 rexec_conv(int num_msg, struct pam_message **msg, 524 struct pam_response **response, void *appdata_ptr) 525 { 526 struct pam_message *m; 527 struct pam_response *r; 528 int i; 529 530 if (num_msg <= 0) 531 return (PAM_CONV_ERR); 532 533 *response = calloc(num_msg, sizeof (struct pam_response)); 534 if (*response == NULL) 535 return (PAM_BUF_ERR); 536 537 m = *msg; 538 r = *response; 539 540 if (m->msg_style == PAM_PROMPT_ECHO_OFF) { 541 if (pass[0] != '\0') { 542 r->resp = strdup(pass); 543 if (r->resp == NULL) { 544 /* free responses */ 545 r = *response; 546 for (i = 0; i < num_msg; i++, r++) { 547 if (r->resp) 548 free(r->resp); 549 } 550 free(*response); 551 *response = NULL; 552 return (PAM_BUF_ERR); 553 } 554 } 555 } 556 557 return (PAM_SUCCESS); 558 } 559