xref: /titanic_52/usr/src/lib/print/libpapi-lpd/common/lpd-port.c (revision 634e26ec75c89095090605284938356a3145f2b8)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 */

/* $Id: lpd-port.c 155 2006-04-26 02:34:54Z ktou $ */

#include <config-site.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <syslog.h>
#include <values.h>
#include <stropts.h>	/* for sendfd */
#include <sys/uio.h>	/* for sendmsg stuff */
#include <pwd.h>
#include <sys/sendfile.h>
#include <ctype.h>
#ifdef HAVE_PRIV_H
#include <priv.h>
#endif

#ifndef	JOB_ID_FILE
#define	JOB_ID_FILE	"/var/run/rfc-1179.seq"
#endif	/* JOB_ID_FILE */

static int
sendfd(int sockfd, int fd)
{
	syslog(LOG_DEBUG, "sendfd(%d, %d)", sockfd, fd);

#if defined(sun) && defined(unix) && defined(I_SENDFD)
	return (ioctl(sockfd, I_SENDFD, fd));
#else
	struct iovec	iov[1];
	struct msghdr	msg;
#ifdef CMSG_DATA
	struct cmsghdr cmp[1];
	char buf[2];    /* send/recv 2 byte protocol */

	iov[0].iov_base = buf;
	iov[0].iov_len = 2;

	cmp[0].cmsg_level = SOL_SOCKET;
	cmp[0].cmsg_type = SCM_RIGHTS;
	cmp[0].cmsg_len = sizeof (struct cmsghdr) + sizeof (int);
	* (int *)CMSG_DATA(cmp) = fd;

	buf[1] = 0;
	buf[0] = 0;
	msg.msg_control = cmp;
	msg.msg_controllen = sizeof (struct cmsghdr) + sizeof (int);
#else
	iov[0].iov_base = NULL;
	iov[0].iov_len = 0;
	msg.msg_accrights = (caddr_t)&fd;
	msg.msg_accrights = sizeof (fd);
#endif
	msg.msg_iov = iov;
	msg.msg_iovlen = 1;
	msg.msg_name = NULL;
	msg.msg_namelen = 0;

	return (sendmsg(sockfd, &msg, 0));
#endif
}

static void
null(int i)
{
}

static int
sock_connect(int sock, char *host, int timeout)
{
	struct hostent *hp;
	struct servent *sp;
#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
	struct sockaddr_in6 sin;
#else
	struct sockaddr_in sin;
#endif
	static void (*old_handler)();
	int	err, error_num;
	unsigned timo = 1;

	/*
	 * Get the host address and port number to connect to.
	 */
	if (host == NULL) {
		return (-1);
	}

	/* linux style NULL usage */
	(void) memset((char *)&sin, (int)NULL, sizeof (sin));

#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
	if ((hp = getipnodebyname(host, AF_INET6, AI_DEFAULT,
	    &error_num)) == NULL) {
		errno = ENOENT;
		return (-1);
	}
	(void) memcpy((caddr_t)&sin.sin6_addr, hp->h_addr, hp->h_length);
	sin.sin6_family = hp->h_addrtype;
#else
	if ((hp = gethostbyname(host)) == NULL) {
		errno = ENOENT;
		return (-1);
	}

	(void) memcpy((caddr_t)&sin.sin_addr, hp->h_addr, hp->h_length);
	sin.sin_family = hp->h_addrtype;
#endif

	if ((sp = getservbyname("printer", "tcp")) == NULL) {
		errno = ENOENT;
		return (-1);
	}

#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
	sin.sin6_port = sp->s_port;
#else
	sin.sin_port = sp->s_port;
#endif

retry:
	old_handler = signal(SIGALRM, null);
	(void) alarm(timeout);

	if (connect(sock, (struct sockaddr *)&sin, sizeof (sin)) < 0) {
		(void) alarm(0);
		(void) signal(SIGALRM, old_handler);

		if (errno == ECONNREFUSED && timo <= 16) {
			(void) sleep(timo);
			timo *= 2;
			goto retry;
		}

		return (-1);
	}

	(void) alarm(0);
	(void) signal(SIGALRM, old_handler);
	return (sock);
}

static int
next_job_id()
{
	int fd, result = getpid() % 1000;

	/* gain back enough privilege to open the id file */
#ifdef	PRIV_ALLSETS
	if ((priv_set(PRIV_ON, PRIV_EFFECTIVE,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) {
		syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m");
		return (-1);
	}
#else
	seteuid(0);
#endif

	/* open the sequence file */
	if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT))
		fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644);

	syslog(LOG_DEBUG, "sequence file fd: %d", fd);

	/* drop our privilege again */
#ifdef	PRIV_ALLSETS
	/* drop file access privilege */
	priv_set(PRIV_OFF, PRIV_PERMITTED,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL);
#else
	seteuid(getuid());
#endif

	if (fd >= 0) {
		/* wait for a lock on the file */
		if (lockf(fd, F_LOCK, 0) == 0) {
			char buf[8];
			int next;

			/* get the current id */
			(void) memset(buf, 0, sizeof (buf));
			if (read(fd, buf, sizeof (buf)) > 0)
				result = atoi(buf);

			next = ((result < 999) ? (result + 1) : 0);

			/* store the next id in the file */
			snprintf(buf, sizeof (buf), "%.3d", next);
			if ((lseek(fd, 0, SEEK_SET) == 0) &&
			    (ftruncate(fd, 0) == 0))
				write(fd, buf, strlen(buf));
		}
		close(fd);
	}
	syslog(LOG_DEBUG, "next_job_id() is %d", result);

	return (result);
}

static int
reserved_port()
{
	int result = -1;
	int port;

	/* gain back enough privilege to open a reserved port */
#ifdef	PRIV_ALLSETS
	if ((priv_set(
	    PRIV_ON, PRIV_EFFECTIVE, PRIV_NET_PRIVADDR, NULL)) != 0) {
		syslog(LOG_ERR, "priv_set fails for net_privaddr %m");
		return (-1);
	}
#else
	seteuid(0);
#endif

#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
	port = 0;	/* set to 0, rresvport_af() will find us one. */
	result = rresvport_af(&port, AF_INET6);
#else
	port = IPPORT_RESERVED - 1;
	while (((result = rresvport(&port)) < 0) && (port >= 0))
		port--;
#endif

	/* drop our privilege again */
#ifdef	PRIV_ALLSETS
	priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_NET_PRIVADDR, NULL);
#else
	seteuid(getuid());
#endif

	return (result);
}

static char *
get_user_name()
{
	static struct passwd *p = NULL;

	if ((p = getpwuid(getuid())) != NULL)
		return (p->pw_name);
	else
		return ("unknown");
}

static void
add_args(int ac, char **av, char *buf, size_t len)
{
	while (ac--) {
		strlcat(buf, " ", len);
		strlcat(buf, *(av++), len);
	}
}

static int
massage_control_data(char *data, int id)
{
	char *line, *iter = NULL;
	char *ptr, *mod_ptr, *datacpy;
	char host[BUFSIZ];
	int host_present = 0;

	if (gethostname(host, sizeof (host)) != 0)
		return (-1);

	if ((datacpy = strdup(data)) == NULL) {
		return (-1);
	}

	for (ptr = strtok_r(datacpy, "\n", &iter); ptr != NULL;
	    ptr = strtok_r(NULL, "\n", &iter)) {

		if (ptr[0] == 'H') {
			if (strncmp(++ptr, host, strlen(host)) != 0) {
				free(datacpy);
				return (-1);
			}
			host_present = 1;
		} else if ((ptr[0] == 'P') || (ptr[0] == 'L')) {
			/* check the user name */
			uid_t uid = getuid();
			struct passwd *pw;
			int len;

			if (uid == 0) {	/* let root do what they want */
				continue;
			}
			if ((pw = getpwuid(uid)) == NULL) {
				free(datacpy);
				return (-1);	/* failed */
			}
			len = strlen(pw->pw_name);
			if ((strncmp(++ptr, pw->pw_name, len) != 0)) {
				free(datacpy);
				return (-1);	/* failed */
			}
		} else if ((islower(ptr[0]) != 0) || (ptr[0] == 'U')) {
			/* check/fix df?XXXhostname */
			ptr++;

			if (strlen(ptr) < 6) {
				free(datacpy);
				return (-1);
			}

			/*
			 * As ptr is a copy of the string (df?XXX...) the code
			 * needs to work on the original, hence the need for
			 * mod_ptr. No need to check for a NULL mod_ptr
			 * because the required string must already exist as
			 * ptr is a copy of the original data.
			 */

			mod_ptr = strstr(data, ptr);

			if ((mod_ptr[0] == 'd') && (mod_ptr[1] == 'f') &&
			    (mod_ptr[3] == 'X') && (mod_ptr[4] == 'X') &&
			    (mod_ptr[5] == 'X')) {
				mod_ptr[3] = '0' + (id / 100) % 10;
				mod_ptr[4] = '0' + (id / 10) % 10;
				mod_ptr[5] = '0' + id % 10;

				if (strncmp(&mod_ptr[6], host, strlen(host))
				    != 0) {
					free(datacpy);
					return (-1);
				}
			} else {
				free(datacpy);
				return (-1);
			}
		}

	}
	free(datacpy);

	if (!host_present) {
		return (-1);
	}

	return (1);
}

static int
send_lpd_message(int fd, char *fmt, ...)
{
	char buf[BUFSIZ];
	size_t size;
	va_list ap;

	va_start(ap, fmt);
	size = vsnprintf(buf, sizeof (buf), fmt, ap);
	va_end(ap);
	if (size == 0)
		size = 1;

	syslog(LOG_DEBUG, "lpd_messsage(%d, %s)", fd, buf);

	if (write(fd, buf, size) != size) {
		errno = EIO;
		return (-1);
	}

	if ((read(fd, buf, 1) != 1) || (buf[0] != 0))
		return (-1);

	return (0);
}

static int
send_data_file(int sock, char *dfname, char *name)
{
	size_t len;
	off_t off = 0;
	struct stat st;
	char buf[32];
	int fd = -1;

	if (strcmp(name, "standard input") != 0) {
		if ((fd = open(name, O_RDONLY)) < 0)
			return (-1);

		if (fstat(fd, &st) < 0)
			return (-1);
	} else
		st.st_size = MAXINT; /* should be 0 */

	/* request data file transfer, read ack/nack */
	errno = ENOSPC;
	if (send_lpd_message(sock, "\003%d %s\n", st.st_size, dfname) < 0)
		return (-1);

	if (fd != -1) {
		/* write the data */
		if (sendfile(sock, fd, &off, st.st_size) != st.st_size)
			return (-1);
		close(fd);

		/* request ack/nack after the data transfer */
		errno = EIO;
		if (send_lpd_message(sock, "") < 0)
			return (-1);
	}

	return (0);
}

static int
send_control_file(int sock, char *data, int id)
{
	int len;
	char buf[BUFSIZ];
	char *ptr, *iter = NULL;
	char *datacpy = NULL;
	char *host = NULL;

	len = strlen(data);

	if ((datacpy = strdup(data)) == NULL)
		return (-1);

	syslog(LOG_DEBUG, "cfA: %s\n", datacpy);

	for (ptr = strtok_r(datacpy, "\n", &iter); ptr != NULL;
	    ptr = strtok_r(NULL, "\n", &iter)) {

		if (ptr[0] != 'H')
			continue;

		ptr++;
		host = ptr;
		syslog(LOG_DEBUG, "hostname: %s\n", host);
	}

	free(datacpy);

	/* request data file transfer, read ack/nack */
	errno = ENOSPC;
	if (send_lpd_message(sock, "\002%d cfA%.3d%s\n", len, id, host) < 0)
		return (-1);

	/* write the data */
	if (write(sock, data, len) != len)
		return (-1);

	/* request ack/nack after the data transfer */
	errno = EIO;
	if (send_lpd_message(sock, "") < 0)
		return (-1);

	return (0);
}


static int
submit_job(int sock, char *printer, int job_id, char *path)
{
	struct stat st;
	int current = 0;
	off_t off = 0;
	char *metadata = NULL;
	char *ptr, *iter = NULL;
	int fd, err;
	int sent_files = 0;
	char buf[BUFSIZ];
	size_t len;

	/* open the control file */
	if ((fd = open(path, O_RDONLY)) < 0) {
		syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): open(): %m",
		    sock, printer, job_id, path);
		return (-1);
	}

	/* get the size of the control file */
	if (fstat(fd, &st) < 0) {
		syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): fstat(): %m",
		    sock, printer, job_id, path);
		close(fd);
		return (-1);
	}

	/* allocate memory for the control file */
	if ((metadata = calloc(1, st.st_size + 1)) == NULL) {
		syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): calloc(): %m",
		    sock, printer, job_id, path);
		close(fd);
		return (-1);
	}

	/* read in the control file */
	if (read(fd, metadata, st.st_size) != st.st_size) {
		syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): read(): %m",
		    sock, printer, job_id, path);
		free(metadata);
		close(fd);
		return (-1);
	}

	/* massage the control file */
	if (massage_control_data(metadata, job_id) < 0) {
		/* bad control data, dump the job */
		syslog(LOG_ALERT,
		    "bad control file, possible subversion attempt");
		free(metadata);
		errno = EINVAL;
		close(fd);
		return (-1);
	}

	/* request to transfer the job */
	if (send_lpd_message(sock, "\002%s\n", printer) < 0) {
		/* no such (or disabled) queue, got to love rfc-1179 */
		errno = ENOENT;
		return (-1);
	}

	/* send the control data */
	if (send_control_file(sock, metadata, job_id) < 0) {
		err = errno;
		write(sock, "\001\n", 2); /* abort */
		errno = err;
		return (-1);
	}

	/* walk the control file sending the data files */
	for (ptr = strtok_r(metadata, "\n", &iter); ptr != NULL;
	    ptr = strtok_r(NULL, "\n", &iter)) {
		char *name = NULL;

		if (ptr[0] != 'U')
			continue;

		name = strtok_r(NULL, "\n", &iter);
		if (name[0] != 'N')
			continue;

		ptr++;
		name++;

		if (send_data_file(sock, ptr, name) < 0) {
			err = errno;
			write(sock, "\001\n", 2); /* abort */
			errno = err;
			return (-1);
		}
		if (strcmp(name, "standard input") != 0)
			sent_files++;
	}

	/* write back the job-id */
	err = errno;
	if ((fd = open(path, O_WRONLY)) >= 0) {
		ftruncate(fd, 0);
		write(fd, &job_id, sizeof (job_id));
		close(fd);
	}
	errno = err;

	if (sent_files != 0) {
		err = errno;
		close(sock);
		errno = err;
	}

	return (0);
}
static int
query(int fd, char *printer, int ac, char **av)
{
	char buf[BUFSIZ];
	int rc, len;

	/* build the request */
	snprintf(buf, sizeof (buf), "\04%s", printer);
	add_args(ac, av, buf, sizeof (buf));
	strlcat(buf, "\n", sizeof (buf));
	len = strlen(buf);

	if (((rc = write(fd, buf, len)) >= 0) && (rc != len)) {
		errno = EMSGSIZE;
		rc = -1;
	} else
		rc = 0;

	return (rc);
}

static int
cancel(int fd, char *printer, int ac, char **av)
{
	char buf[BUFSIZ];
	int rc, len;

	/* build the request */
	snprintf(buf, sizeof (buf), "\05%s %s", printer, get_user_name());
	add_args(ac, av, buf, sizeof (buf));
	strlcat(buf, "\n", sizeof (buf));
	len = strlen(buf);

	if (((rc = write(fd, buf, len)) >= 0) && (rc != len)) {
		errno = EMSGSIZE;
		rc = -1;
	} else
		rc = 0;

	return (rc);
}

static void
usage(char *program)
{
	char *name;

	setreuid(getuid(), getuid());

	if ((name = strrchr(program, '/')) == NULL)
		name = program;
	else
		name++;

	fprintf(stderr, "usage:\t%s -H host [-t timeout] -s queue control ]\n",
	    name);
	fprintf(stderr, "\t%s -H host [-t timeout] -c queue [user|job ...]\n",
	    name);
	fprintf(stderr, "\t%s -H host [-t timeout] -q queue [user|job ...]\n",
	    name);
	exit(EINVAL);
}

/*
 * The main program temporarily loses privilege while searching the command
 * line arguments.  It then allocates any resources it need privilege for
 * job-id, reserved port.  Once it has the resources it needs, it perminently
 * drops all elevated privilege.  It ghen connects to the remote print service
 * based on destination hostname.  Doing it this way reduces the potenential
 * opportunity for a breakout with elevated privilege, breakout with an
 * unconnected reserved port, and exploitation of the remote print service
 * by a calling program.
 */
int
main(int ac, char *av[])
{
	enum { OP_NONE, OP_SUBMIT, OP_QUERY, OP_CANCEL } operation = OP_NONE;
	int fd, c, timeout = 0, exit_code = 0;
	char *host = NULL, *queue = NULL;
	uid_t uid = getuid();
#ifdef	PRIV_ALLSETS
	priv_set_t *saveset;
#endif

	openlog("lpd-port", LOG_PID, LOG_LPR);

#ifdef	PRIV_ALLSETS

	/* lose as much as we can perminently and temporarily drop the rest. */

	if ((saveset = priv_allocset()) == NULL) {
		syslog(LOG_ERR, "lpd_port: priv_allocset saveset failed: %m\n");
		return (-1);
	}

	priv_basicset(saveset);
	(void) priv_addset(saveset, PRIV_NET_PRIVADDR);
	(void) priv_addset(saveset, PRIV_FILE_DAC_READ);
	(void) priv_addset(saveset, PRIV_FILE_DAC_WRITE);

	if ((setppriv(PRIV_SET, PRIV_PERMITTED, saveset)) < 0) {
		syslog(LOG_ERR, "lpd_port:setppriv:priv_set failed: %m");
		return (-1);
	}

	priv_freeset(saveset);

	/*
	 * These privileges permanently dropped in next_job_id() and
	 * reserved_port()
	 */

	if (priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_NET_PRIVADDR,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, (char *)NULL) < 0) {
		syslog(LOG_ERR, "lpd_port:priv_set:priv_off failed: %m");
		return (-1);
	}

	syslog(LOG_DEBUG, "using privs");
#else

	syslog(LOG_DEBUG, "no  privs");
	seteuid(uid);
#endif

	while ((c = getopt(ac, av, "H:t:c:q:s:")) != EOF) {
		switch (c) {
		case 'H':
			host = optarg;
			break;
		case 't':
			timeout = atoi(optarg);
			break;
		case 'c':
			if (operation != OP_NONE)
				usage(av[0]);
			operation = OP_CANCEL;
			queue = optarg;
			break;
		case 'q':
			if (operation != OP_NONE)
				usage(av[0]);
			operation = OP_QUERY;
			queue = optarg;
			break;
		case 's':
			if (operation != OP_NONE)
				usage(av[0]);
			operation = OP_SUBMIT;
			queue = optarg;
			break;
		default:
			usage(av[0]);
			/* does not return */
		}
	}

	if ((host == NULL) || (queue == NULL) || (timeout < 0) ||
	    (operation == OP_NONE))
		usage(av[0]);

	if (operation == OP_SUBMIT)	/* get a job-id if we need it */
		if ((c = next_job_id()) < 0) {
			syslog(LOG_ERR, "lpd_port:main:next_job_id fails");
			return (-1);
		}

	if ((fd = reserved_port()) < 0) {
		syslog(LOG_ERR, "reserved_port() failed %m");
		return (errno);
	}

	/*
	 * we no longer want or need any elevated privilege, lose it all
	 * permanently.
	 */

	setreuid(uid, uid);

	/* connect to the print service */
	if ((fd = sock_connect(fd, host, timeout)) < 0)
		return (errno);

	/* perform the requested operation */
	switch (operation) {
	case OP_SUBMIT:	/* transfer the job, close the fd */
		if (submit_job(fd, queue, c, av[optind]) < 0)
			exit_code = errno;
		break;
	case OP_QUERY:	/* send the query string, return the fd */
		if (query(fd, queue, ac - optind, &av[optind]) < 0)
			exit_code = errno;
		break;
	case OP_CANCEL:	/* send the cancel string, return the fd */
		if (cancel(fd, queue, ac - optind, &av[optind]) < 0)
			exit_code = errno;
		break;
	default:	/* This should never happen */
		exit_code = EINVAL;
	}


	/* if the operation succeeded, send the fd to our parent */
	if ((exit_code == 0) && (sendfd(1, fd) < 0)) {
		char buf[BUFSIZ];

		exit_code = errno;

		/* sendfd() failed, dump the socket data for the heck of it */
		while ((c = read(fd, buf, sizeof (buf))) > 0)
			write(1, buf, c);
	}

	syslog(LOG_DEBUG, "exit code: %d", exit_code);
	return (exit_code);
}