From owner-svn-src-all@freebsd.org Fri Jun 3 06:58:21 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7557FB687D2; Fri, 3 Jun 2016 06:58:21 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3FC821662; Fri, 3 Jun 2016 06:58:21 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u536wKx2079937; Fri, 3 Jun 2016 06:58:20 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u536wKs3079935; Fri, 3 Jun 2016 06:58:20 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201606030658.u536wKs3079935@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f 
From: Kurt Lidl
Date: Fri, 3 Jun 2016 06:58:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r301242 - head/libexec/rshd
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 03 Jun 2016 06:58:21 -0000
Author: lidl
Date: Fri Jun 3 06:58:20 2016
New Revision: 301242
URL: https://svnweb.freebsd.org/changeset/base/301242
Log:
Add blacklist support to rshd
Reviewed by: rpaulo
Approved by: rpaulo
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6594
Modified:
head/libexec/rshd/Makefile
head/libexec/rshd/rshd.c
Modified: head/libexec/rshd/Makefile
==============================================================================
--- head/libexec/rshd/Makefile Fri Jun 3 06:24:03 2016 (r301241)
+++ head/libexec/rshd/Makefile Fri Jun 3 06:58:20 2016 (r301242)
@@ -2,6 +2,9 @@
 # $FreeBSD$
 PACKAGE=rcmds
+
+.include
+
 PROG= rshd
 MAN= rshd.8
@@ -12,4 +15,10 @@ WFORMAT=0
 LIBADD= util pam
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
 .include
Modified: head/libexec/rshd/rshd.c
==============================================================================
--- head/libexec/rshd/rshd.c Fri Jun 3 06:24:03 2016 (r301241)
+++ head/libexec/rshd/rshd.c Fri Jun 3 06:58:20 2016 (r301242)
@@ -88,6 +88,10 @@ __FBSDID("$FreeBSD$");
 #include
 #include
+#ifdef USE_BLACKLIST
+#include
+#endif
+
 static struct pam_conv pamc = { openpam_nullconv, NULL };
 static pam_handle_t *pamh;
 static int pam_err;
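Review bot: The `#ifdef USE_BLACKLIST` guard added around the new include is the only place the blacklist dependency is centralised, yet every reporting point in the later hunks repeats a three-line `#ifdef`/`blacklist()`/`#endif` block, nine times across doit() and getstr(). A small static wrapper defined once under this guard, with a no-op macro in the `#else` branch, would reduce each call site to one unconditional line and make it harder to forget the guard on a future exit path. The wrapper is also the natural place to record why STDIN_FILENO is the descriptor passed (the later getstr() hunk reads the protocol from STDIN_FILENO, so it is presumably the connection socket blacklistd identifies the peer by; confirm) and that the notification is best-effort, since if blacklist() reports a status none of the new calls checks it. The sketch below would sit directly after the added include; the pam declarations that follow are untouched.
```c
#ifdef USE_BLACKLIST
/* … unchanged: added blacklist include … */

/*
 * Report an authentication outcome for this connection to blacklistd.
 * STDIN_FILENO is the connection socket (getstr() reads the protocol
 * from it), which is how blacklistd identifies the peer.  Best-effort:
 * a failure to reach blacklistd must never change rshd's own decision.
 */
static void
rshd_blacklist(int action, const char *msg)
{
	(void)blacklist(action, STDIN_FILENO, msg);
}
#else
#define	rshd_blacklist(action, msg)	((void)0)
#endif
/* … unchanged: pamc / pamh / pam_err declarations … */
```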
@@ -252,6 +256,9 @@ doit(struct sockaddr *fromp)
 "connection from %s on illegal port %u", numericname, srcport);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "illegal port");
+#endif
 exit(1);
 }
@@ -285,6 +292,9 @@ doit(struct sockaddr *fromp)
 "2nd socket from %s on unreserved port %u", numericname, port);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "unreserved port");
+#endif
 exit(1);
 }
 *((in_port_t *)&fromp->sa_data) = htons(port);
@@ -309,6 +319,9 @@ doit(struct sockaddr *fromp)
 if (pam_err != PAM_SUCCESS) {
 syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s", pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
 rshd_errx(1, "Login incorrect.");
 }
@@ -316,6 +329,9 @@ doit(struct sockaddr *fromp)
 (pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
 syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s", pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
 rshd_errx(1, "Login incorrect.");
 }
@@ -332,6 +348,9 @@ doit(struct sockaddr *fromp)
 syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "permission denied");
+#endif
 rshd_errx(1, "Login incorrect.");
 }
@@ -341,6 +360,9 @@ doit(struct sockaddr *fromp)
 syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown login. cmd='%.80s'", ruser, rhost, luser, cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "unknown login");
+#endif
 if (errorstr == NULL)
 errorstr = "Login incorrect.";
 rshd_errx(1, errorstr, rhost);
@@ -373,6 +395,9 @@ doit(struct sockaddr *fromp)
 "%s@%s as %s: permission denied (%s). cmd='%.80s'", ruser, rhost, luser, __rcmd_errstr, cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "permission denied");
+#endif
 rshd_errx(1, "Login incorrect.");
 }
 if (!auth_timeok(lc, time(NULL)))
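Review bot: In the pam_start() hunk the added `blacklist(1, STDIN_FILENO, "login incorrect");` reports a PAM failure as a strike against the peer, but pam_start() failing — and pam_set_item() in the hunk right after it, which gets the same three lines — is a local PAM setup or resource error, not evidence about the client; no credential has been examined at that point. With a broken pam.conf or under memory pressure every legitimate client would then collect one strike per connection and eventually be blocked, turning a server misconfiguration into a self-inflicted lockout. I would drop the three added lines from both of these hunks and keep the strikes for the later "permission denied" and "unknown login" hunks, where a PAM call or the rcmd check actually rejected the client; if an operator signal is still wanted here, at least use a distinct message such as `blacklist(1, STDIN_FILENO, "pam error");` so blacklistd policy can treat it separately. doit() begins and ends outside these hunks, and the pam calls whose results are tested here sit in the context just above each one.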
@@ -468,6 +493,9 @@ doit(struct sockaddr *fromp)
 }
 }
+#ifdef USE_BLACKLIST
+ blacklist(0, STDIN_FILENO, "success");
+#endif
 for (fd = getdtablesize(); fd > 2; fd--)
 (void) close(fd);
 if (setsid() == -1)
@@ -534,8 +562,12 @@ getstr(char *buf, int cnt, const char *e
 if (read(STDIN_FILENO, &c, 1) != 1)
 exit(1);
 *buf++ = c;
- if (--cnt == 0)
+ if (--cnt == 0) {
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "buffer overflow");
+#endif
 rshd_errx(1, "%s too long", error);
+ }
 } while (c != 0);
 }
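Review bot: The `blacklist(0, STDIN_FILENO, "success")` call carries no comment explaining why it sits at this point, and a reader of the hunk cannot tell that this is the first line reached only after every check above has passed, nor that reaching it is what clears the peer's failure count (presumably the meaning of action 0 — confirm against the library). I would add above the `#ifdef`: `/* All checks passed: tell blacklistd this peer's strikes can be cleared. */`. It is also worth a word that the call deliberately precedes the descriptor-closing loop, which leaves fds 0-2 open, so the socket is still usable when blacklist() looks at it. doit() continues past the end of the hunk, so anything that fails later in it is not reported to blacklistd, which is acceptable for a reputation signal but should be said.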
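Review bot: The `"buffer overflow"` message passed to blacklistd in getstr() describes something that does not happen: the check fires when `--cnt` reaches zero before the terminating NUL arrived, i.e. the guard rejected an over-long field and exactly `cnt` bytes were written, within the caller's buffer. Recording it as an overflow will read as an exploit attempt in blacklistd's records and in any alerting built on them, while the rshd_errx() in the same hunk says only `"%s too long"`. I would use a message that matches the rejection, e.g. `blacklist(1, STDIN_FILENO, "string too long");`. This strike is raised before any authentication, which is reasonable because only the client controls the field length, but the asymmetry with the post-auth strikes in doit() deserves a one-line comment. getstr()'s signature is cut by the hunk header, so the start of the function is outside the hunk.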