FreeBSD Mail Archives

Date:      Fri, 3 Jun 2016 06:58:20 +0000 (UTC)
From:      Kurt Lidl <lidl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r301242 - head/libexec/rshd
Message-ID:  <201606030658.u536wKs3079935@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: lidl
Date: Fri Jun  3 06:58:20 2016
New Revision: 301242
URL: https://svnweb.freebsd.org/changeset/base/301242

Log:
  Add blacklist support to rshd
  
  Reviewed by:	rpaulo
  Approved by:	rpaulo
  Relnotes:	YES
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D6594

Modified:
  head/libexec/rshd/Makefile
  head/libexec/rshd/rshd.c

Modified: head/libexec/rshd/Makefile
==============================================================================
--- head/libexec/rshd/Makefile	Fri Jun  3 06:24:03 2016	(r301241)
+++ head/libexec/rshd/Makefile	Fri Jun  3 06:58:20 2016	(r301242)
@@ -2,6 +2,9 @@
 # $FreeBSD$
 
 PACKAGE=rcmds
+
+.include <src.opts.mk>
+
 PROG=	rshd
 MAN=	rshd.8
 
@@ -12,4 +15,10 @@ WFORMAT=0
 
 LIBADD=	util pam
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .include <bsd.prog.mk>

Modified: head/libexec/rshd/rshd.c
==============================================================================
--- head/libexec/rshd/rshd.c	Fri Jun  3 06:24:03 2016	(r301241)
+++ head/libexec/rshd/rshd.c	Fri Jun  3 06:58:20 2016	(r301242)
@@ -88,6 +88,10 @@ __FBSDID("$FreeBSD$");
 #include <security/openpam.h>
 #include <sys/wait.h>
 
+#ifdef USE_BLACKLIST
+#include <blacklist.h>
+#endif
+
 static struct pam_conv pamc = { openpam_nullconv, NULL };
 static pam_handle_t *pamh;
 static int pam_err;
@@ -252,6 +256,9 @@ doit(struct sockaddr *fromp)
 		    "connection from %s on illegal port %u",
 		    numericname,
 		    srcport);
+#ifdef USE_BLACKLIST
+		blacklist(1, STDIN_FILENO, "illegal port");
+#endif
 		exit(1);
 	}
 
@@ -285,6 +292,9 @@ doit(struct sockaddr *fromp)
 			    "2nd socket from %s on unreserved port %u",
 			    numericname,
 			    port);
+#ifdef USE_BLACKLIST
+			blacklist(1, STDIN_FILENO, "unreserved port");
+#endif
 			exit(1);
 		}
 		*((in_port_t *)&fromp->sa_data) = htons(port);
@@ -309,6 +319,9 @@ doit(struct sockaddr *fromp)
 	if (pam_err != PAM_SUCCESS) {
 		syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s",
 		    pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+		blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
 		rshd_errx(1, "Login incorrect.");
 	}
 
@@ -316,6 +329,9 @@ doit(struct sockaddr *fromp)
 	    (pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
 		syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s",
 		    pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+		blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
 		rshd_errx(1, "Login incorrect.");
 	}
 
@@ -332,6 +348,9 @@ doit(struct sockaddr *fromp)
 		syslog(LOG_INFO|LOG_AUTH,
 		    "%s@%s as %s: permission denied (%s). cmd='%.80s'",
 		    ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
+#ifdef USE_BLACKLIST
+		blacklist(1, STDIN_FILENO, "permission denied");
+#endif
 		rshd_errx(1, "Login incorrect.");
 	}
 
@@ -341,6 +360,9 @@ doit(struct sockaddr *fromp)
 		syslog(LOG_INFO|LOG_AUTH,
 		    "%s@%s as %s: unknown login. cmd='%.80s'",
 		    ruser, rhost, luser, cmdbuf);
+#ifdef USE_BLACKLIST
+		blacklist(1, STDIN_FILENO, "unknown login");
+#endif
 		if (errorstr == NULL)
 			errorstr = "Login incorrect.";
 		rshd_errx(1, errorstr, rhost);
@@ -373,6 +395,9 @@ doit(struct sockaddr *fromp)
 			    "%s@%s as %s: permission denied (%s). cmd='%.80s'",
 			    ruser, rhost, luser, __rcmd_errstr,
 			    cmdbuf);
+#ifdef USE_BLACKLIST
+			blacklist(1, STDIN_FILENO, "permission denied");
+#endif
 			rshd_errx(1, "Login incorrect.");
 		}
 		if (!auth_timeok(lc, time(NULL)))
@@ -468,6 +493,9 @@ doit(struct sockaddr *fromp)
 		}
 	}
 
+#ifdef USE_BLACKLIST
+	blacklist(0, STDIN_FILENO, "success");
+#endif
 	for (fd = getdtablesize(); fd > 2; fd--)
 		(void) close(fd);
 	if (setsid() == -1)
@@ -534,8 +562,12 @@ getstr(char *buf, int cnt, const char *e
 		if (read(STDIN_FILENO, &c, 1) != 1)
 			exit(1);
 		*buf++ = c;
-		if (--cnt == 0)
+		if (--cnt == 0) {
+#ifdef USE_BLACKLIST
+			blacklist(1, STDIN_FILENO, "buffer overflow");
+#endif
 			rshd_errx(1, "%s too long", error);
+		}
 	} while (c != 0);
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606030658.u536wKs3079935>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation