From 0397d42c21db212800dbf01f38fb29b93248e3be Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Wed, 7 Feb 2001 05:05:58 +0000
Subject: [PATCH] (login_access): add prototype (syslog_and_die, fatal): add printf attributes (*): AIX -> _AIX (doit): use login_access based on patches from Ake Sandgren
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9641 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 appl/rsh/rshd.c | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/appl/rsh/rshd.c b/appl/rsh/rshd.c
index 7c94d9637..b8b11b25d 100644
--- a/appl/rsh/rshd.c
+++ b/appl/rsh/rshd.c
@@ -34,6 +34,9 @@
 #include "rsh_locl.h"
 RCSID("$Id$");
+int
+login_access( struct passwd *user, char *from);
+
 enum auth_method auth_method;
 krb5_context context;
@@ -70,6 +73,10 @@ int dfsfwd = 0;
 krb5_ticket *user_ticket;
 #endif
+static void
+syslog_and_die (const char *m, ...)
+ __attribute__ ((format (printf, 1, 2)));
+
 static void
 syslog_and_die (const char *m, ...)
 {
@@ -81,6 +88,10 @@ syslog_and_die (const char *m, ...)
 exit (1);
 }
+static void
+fatal (int sock, const char *m, ...)
+ __attribute__ ((format (printf, 2, 3)));
+
 static void
 fatal (int sock, const char *m, ...)
 {
@@ -586,7 +597,7 @@ doit (int do_kerberos, int check_rhosts)
 struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
 struct sockaddr_storage erraddr_ss;
 struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
- socklen_t addrlen;
+ socklen_t thisaddr_len, thataddr_len;
 int port;
 int errsock = -1;
 char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
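Review bot: The prototype `int login_access( struct passwd *user, char *from);` is written by hand at the top of rshd.c, so the compiler cannot check it against the real definition, which is not part of this patch. Declaring it once in a header that the defining file also includes would keep the signature of this access check from drifting unnoticed. A comment such as `/* returns 0 when the user may not log in from this host */` would record the convention that the later `login_access(pwd, that_host) == 0` test depends on. If the definition never writes through `from`, `const char *from` would be the better parameter type; that cannot be confirmed from here.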
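Review bot: The new declarations for syslog_and_die (this hunk) and fatal (the next hunk) use `__attribute__ ((format (printf, …)))` with no compiler guard. Unless a project header not visible in this patch defines `__attribute__(x)` to nothing for compilers other than GCC, rshd.c stops building there, and this same commit touches an `_AIX` conditional, a platform whose native compiler is not GCC. Because syslog_and_die ends in `exit (1);`, the declaration could also say so: `__attribute__ ((noreturn, format (printf, 1, 2)));`. The bodies of both functions lie outside these hunks.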
@@ -594,12 +605,14 @@ doit (int do_kerberos, int check_rhosts)
 struct passwd *pwd;
 int s = STDIN_FILENO;
 char **env;
+ int ret;
+ char that_host[NI_MAXHOST];
- addrlen = sizeof(thisaddr_ss);
- if (getsockname (s, thisaddr, &addrlen) < 0)
+ thisaddr_len = sizeof(thisaddr_ss);
+ if (getsockname (s, thisaddr, &thisaddr_len) < 0)
 syslog_and_die("getsockname: %m");
- addrlen = sizeof(thataddr_ss);
- if (getpeername (s, thataddr, &addrlen) < 0)
+ thataddr_len = sizeof(thataddr_ss);
+ if (getpeername (s, thataddr, &thataddr_len) < 0)
 syslog_and_die ("getpeername: %m");
 if (!do_kerberos && !is_reserved(socket_get_port(thataddr)))
@@ -689,7 +702,7 @@ doit (int do_kerberos, int check_rhosts)
 syslog_and_die("recv_bsd_auth failed");
 }
-#if defined(DCE) && defined(AIX)
+#if defined(DCE) && defined(_AIX)
 esetenv("AUTHSTATE", "DCE", 1);
 #endif
@@ -703,6 +716,19 @@ doit (int do_kerberos, int check_rhosts)
 if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
 fatal (s, "Login disabled.");
+
+ ret = getnameinfo_verified (thataddr, thataddr_len,
+ that_host, sizeof(that_host),
+ NULL, 0, 0);
+ if (ret)
+ fatal (s, "getnameinfo: %s", gai_strerror(ret));
+
+ if (login_access(pwd, that_host) == 0) {
+ syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
+ server_user, that_host);
+ fatal(s, "Permission denied");
+ }
+
 #ifdef HAVE_GETSPNAM
 {
 struct spwd *sp;
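Review bot: The denial record `"Kerberos rsh denied to %s from %s"` in the last hunk is written on every path through doit, yet the function also serves the non-Kerberos case (`!do_kerberos` is tested in the first hunk shown here), so the log misstates the authentication method for those connections. It also omits `client_user`, the remote identity an investigator would want next to the host, assuming the authentication step has filled it in by this point. Something like `syslog(LOG_NOTICE, "%s rsh denied to %s from %s@%s", do_kerberos ? "Kerberos" : "BSD", server_user, client_user, that_host);` covers both. On the `getnameinfo_verified` failure branch the resolver error goes to the peer through fatal(); whether fatal() also writes to syslog is not visible in this patch, and if it does not, a peer whose name fails verification deserves its own log line with the numeric address. doit's body starts and ends outside the hunk.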