svn commit: r301242 - head/libexec/rshd
Kurt Lidl
lidl at FreeBSD.org
Fri Jun 3 06:58:21 UTC 2016
Author: lidl
Date: Fri Jun 3 06:58:20 2016
New Revision: 301242
URL: https://svnweb.freebsd.org/changeset/base/301242
Log:
Add blacklist support to rshd
Reviewed by: rpaulo
Approved by: rpaulo
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6594
Modified:
head/libexec/rshd/Makefile
head/libexec/rshd/rshd.c
Modified: head/libexec/rshd/Makefile
==============================================================================
--- head/libexec/rshd/Makefile Fri Jun 3 06:24:03 2016 (r301241)
+++ head/libexec/rshd/Makefile Fri Jun 3 06:58:20 2016 (r301242)
@@ -2,6 +2,9 @@
# $FreeBSD$
PACKAGE=rcmds
+
+.include <src.opts.mk>
+
PROG= rshd
MAN= rshd.8
@@ -12,4 +15,10 @@ WFORMAT=0
LIBADD= util pam
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
.include <bsd.prog.mk>
Modified: head/libexec/rshd/rshd.c
==============================================================================
--- head/libexec/rshd/rshd.c Fri Jun 3 06:24:03 2016 (r301241)
+++ head/libexec/rshd/rshd.c Fri Jun 3 06:58:20 2016 (r301242)
@@ -88,6 +88,10 @@ __FBSDID("$FreeBSD$");
#include <security/openpam.h>
#include <sys/wait.h>
+#ifdef USE_BLACKLIST
+#include <blacklist.h>
+#endif
+
static struct pam_conv pamc = { openpam_nullconv, NULL };
static pam_handle_t *pamh;
static int pam_err;
@@ -252,6 +256,9 @@ doit(struct sockaddr *fromp)
"connection from %s on illegal port %u",
numericname,
srcport);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "illegal port");
+#endif
exit(1);
}
@@ -285,6 +292,9 @@ doit(struct sockaddr *fromp)
"2nd socket from %s on unreserved port %u",
numericname,
port);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "unreserved port");
+#endif
exit(1);
}
*((in_port_t *)&fromp->sa_data) = htons(port);
@@ -309,6 +319,9 @@ doit(struct sockaddr *fromp)
if (pam_err != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_start(): %s",
pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
rshd_errx(1, "Login incorrect.");
}
@@ -316,6 +329,9 @@ doit(struct sockaddr *fromp)
(pam_err = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
syslog(LOG_ERR|LOG_AUTH, "pam_set_item(): %s",
pam_strerror(pamh, pam_err));
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "login incorrect");
+#endif
rshd_errx(1, "Login incorrect.");
}
@@ -332,6 +348,9 @@ doit(struct sockaddr *fromp)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, pam_strerror(pamh, pam_err), cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "permission denied");
+#endif
rshd_errx(1, "Login incorrect.");
}
@@ -341,6 +360,9 @@ doit(struct sockaddr *fromp)
syslog(LOG_INFO|LOG_AUTH,
"%s@%s as %s: unknown login. cmd='%.80s'",
ruser, rhost, luser, cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "unknown login");
+#endif
if (errorstr == NULL)
errorstr = "Login incorrect.";
rshd_errx(1, errorstr, rhost);
@@ -373,6 +395,9 @@ doit(struct sockaddr *fromp)
"%s@%s as %s: permission denied (%s). cmd='%.80s'",
ruser, rhost, luser, __rcmd_errstr,
cmdbuf);
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "permission denied");
+#endif
rshd_errx(1, "Login incorrect.");
}
if (!auth_timeok(lc, time(NULL)))
@@ -468,6 +493,9 @@ doit(struct sockaddr *fromp)
}
}
+#ifdef USE_BLACKLIST
+ blacklist(0, STDIN_FILENO, "success");
+#endif
for (fd = getdtablesize(); fd > 2; fd--)
(void) close(fd);
if (setsid() == -1)
@@ -534,8 +562,12 @@ getstr(char *buf, int cnt, const char *e
if (read(STDIN_FILENO, &c, 1) != 1)
exit(1);
*buf++ = c;
- if (--cnt == 0)
+ if (--cnt == 0) {
+#ifdef USE_BLACKLIST
+ blacklist(1, STDIN_FILENO, "buffer overflow");
+#endif
rshd_errx(1, "%s too long", error);
+ }
} while (c != 0);
}
More information about the svn-src-head
mailing list