(login_access): add prototype
(syslog_and_die, fatal): add printf attributes (*): AIX -> _AIX (doit): use login_access based on patches from Ake Sandgren <ake@cs.umu.se> git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9641 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
@@ -34,6 +34,9 @@
|
||||
#include "rsh_locl.h"
|
||||
RCSID("$Id$");
|
||||
|
||||
int
|
||||
login_access( struct passwd *user, char *from);
|
||||
|
||||
enum auth_method auth_method;
|
||||
|
||||
krb5_context context;
|
||||
@@ -70,6 +73,10 @@ int dfsfwd = 0;
|
||||
krb5_ticket *user_ticket;
|
||||
#endif
|
||||
|
||||
static void
|
||||
syslog_and_die (const char *m, ...)
|
||||
__attribute__ ((format (printf, 1, 2)));
|
||||
|
||||
static void
|
||||
syslog_and_die (const char *m, ...)
|
||||
{
|
||||
@@ -81,6 +88,10 @@ syslog_and_die (const char *m, ...)
|
||||
exit (1);
|
||||
}
|
||||
|
||||
static void
|
||||
fatal (int sock, const char *m, ...)
|
||||
__attribute__ ((format (printf, 2, 3)));
|
||||
|
||||
static void
|
||||
fatal (int sock, const char *m, ...)
|
||||
{
|
||||
@@ -586,7 +597,7 @@ doit (int do_kerberos, int check_rhosts)
|
||||
struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
|
||||
struct sockaddr_storage erraddr_ss;
|
||||
struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
|
||||
socklen_t addrlen;
|
||||
socklen_t thisaddr_len, thataddr_len;
|
||||
int port;
|
||||
int errsock = -1;
|
||||
char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
|
||||
@@ -594,12 +605,14 @@ doit (int do_kerberos, int check_rhosts)
|
||||
struct passwd *pwd;
|
||||
int s = STDIN_FILENO;
|
||||
char **env;
|
||||
int ret;
|
||||
char that_host[NI_MAXHOST];
|
||||
|
||||
addrlen = sizeof(thisaddr_ss);
|
||||
if (getsockname (s, thisaddr, &addrlen) < 0)
|
||||
thisaddr_len = sizeof(thisaddr_ss);
|
||||
if (getsockname (s, thisaddr, &thisaddr_len) < 0)
|
||||
syslog_and_die("getsockname: %m");
|
||||
addrlen = sizeof(thataddr_ss);
|
||||
if (getpeername (s, thataddr, &addrlen) < 0)
|
||||
thataddr_len = sizeof(thataddr_ss);
|
||||
if (getpeername (s, thataddr, &thataddr_len) < 0)
|
||||
syslog_and_die ("getpeername: %m");
|
||||
|
||||
if (!do_kerberos && !is_reserved(socket_get_port(thataddr)))
|
||||
@@ -689,7 +702,7 @@ doit (int do_kerberos, int check_rhosts)
|
||||
syslog_and_die("recv_bsd_auth failed");
|
||||
}
|
||||
|
||||
#if defined(DCE) && defined(AIX)
|
||||
#if defined(DCE) && defined(_AIX)
|
||||
esetenv("AUTHSTATE", "DCE", 1);
|
||||
#endif
|
||||
|
||||
@@ -703,6 +716,19 @@ doit (int do_kerberos, int check_rhosts)
|
||||
if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
|
||||
fatal (s, "Login disabled.");
|
||||
|
||||
|
||||
ret = getnameinfo_verified (thataddr, thataddr_len,
|
||||
that_host, sizeof(that_host),
|
||||
NULL, 0, 0);
|
||||
if (ret)
|
||||
fatal (s, "getnameinfo: %s", gai_strerror(ret));
|
||||
|
||||
if (login_access(pwd, that_host) == 0) {
|
||||
syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
|
||||
server_user, that_host);
|
||||
fatal(s, "Permission denied");
|
||||
}
|
||||
|
||||
#ifdef HAVE_GETSPNAM
|
||||
{
|
||||
struct spwd *sp;
|
||||
|
||||
Reference in New Issue
Block a user