| blob | 604655d33f058b613c96b0223849f0034023b80c |
1 /*
2 * Copyright (c) 1995
3 * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Bill Paul.
16 * 4. Neither the name of the author nor the names of any co-contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 *
32 * $FreeBSD: src/usr.sbin/ypserv/yp_access.c,v 1.17.2.1 2002/02/15 00:47:00 des Exp $
33 * $DragonFly: src/usr.sbin/ypserv/yp_access.c,v 1.5 2006/06/13 12:38:37 corecode Exp $
34 */
36 #include <stdlib.h>
37 #include <rpc/rpc.h>
38 #include <rpcsvc/yp.h>
39 #include <rpcsvc/yppasswd.h>
40 #include <rpcsvc/ypxfrd.h>
41 #include <sys/types.h>
42 #include <limits.h>
43 #include <db.h>
44 #include <sys/socket.h>
45 #include <netinet/in.h>
46 #include <arpa/inet.h>
47 #include <sys/stat.h>
48 #include <sys/fcntl.h>
49 #include <paths.h>
50 #include <errno.h>
51 #include <sys/param.h>
53 #ifdef TCP_WRAPPER
55 #endif
59 /* NIS v1 */
73 /* NIS v2 */
85 "ypproc_maplist"
86 };
92 };
96 #define LINEBUFSZ 1024
98 /*
99 * Read /var/yp/securenets file and initialize the securenets
100 * list. If the file doesn't exist, we set up a dummy entry that
101 * allows all hosts to connect.
102 */
103 void
105 {
111 /*
112 * If securenets is not NULL, we are being called to reload
113 * the list; free the existing list before re-reading the
114 * securenets file.
115 */
120 }
134 }
135 }
147 linebuf);
149 }
157 }
163 }
167 }
171 }
173 /*
174 * Access control functions.
175 *
176 * yp_access() checks the mapname and client host address and watches for
177 * the following things:
178 *
179 * - If the client is referencing one of the master.passwd.* maps, it must
180 * be using a privileged port to make its RPC to us. If it is, then we can
181 * assume that the caller is root and allow the RPC to succeed. If it
182 * isn't access is denied.
183 *
184 * - The client's IP address is checked against the securenets rules.
185 * There are two kinds of securenets support: the built-in support,
186 * which is very simple and depends on the presence of a
187 * /var/yp/securenets file, and tcp-wrapper support, which requires
188 * Wietse Venema's libwrap.a and tcpd.h. (Since the tcp-wrapper
189 * package does not ship with FreeBSD, we use the built-in support
190 * by default. Users can recompile the server with the tcp-wrapper library
191 * if they already have it installed and want to use hosts.allow and
192 * hosts.deny to control access instead of having a separate securenets
193 * file.)
194 *
195 * If no /var/yp/securenets file is present, the host access checks
196 * are bypassed and all hosts are allowed to connect.
197 *
198 * The yp_validdomain() function checks the domain specified by the caller
199 * to make sure it's actually served by this server. This is more a sanity
200 * check than an a security check, but this seems to be the best place for
201 * it.
202 */
204 #ifdef DB_CACHE
205 int
207 #else
208 int
210 #endif
211 {
214 #ifdef TCP_WRAPPER
216 #endif
230 }
240 }
242 /* Check the map name if one was supplied. */
250 }
251 #ifdef DB_CACHE
253 #else
255 #endif
264 }
265 }
267 #ifdef TCP_WRAPPER
270 #endif
277 }
279 }
281 #ifdef TCP_WRAPPER
283 #else
285 #endif
286 /*
287 * One of the following two events occured:
288 *
289 * (1) The /var/yp/securenets exists and the remote host does not
290 * match any of the networks specified in it.
291 * (2) The hosts.allow file has denied access and TCP_WRAPPER is
292 * defined.
293 *
294 * In either case deny access.
295 */
300 yp_procedure);
302 }
304 }
307 }
309 int
311 {
327 }