From b663f78b86ac6ca6a5167f64e828a8e718c1b666 Mon Sep 17 00:00:00 2001
From: Neil Brown
Date: Mon, 23 Apr 2007 16:20:21 +1000
Subject: [PATCH] Enable compile-time configurable DNS lookup for tcp_wrapper checking.

There is some small risk of deadlocking if portmap uses gethostbyaddr for source host authentication. But some people like it. So make it compile-time configurable: make USE_DNS=yes
---
 Makefile | 8 ++++++++
 pmap_check.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 portmap.8 | 22 +++++++++++++++++++--
 3 files changed, 80 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 23f361b..4db2277 100644
--- a/Makefile
+++ b/Makefile
@@ -14,10 +14,18 @@ FACILITY=LOG_DAEMON
 # macro definitions. Access control can also be turned off by providing
 # no access control tables. The local system, since it runs the portmap
 # daemon, is always treated as an authorized host.
+# By default, access control does not do hostname lookup as there is a risk
+# that will require portmap access, hence deadlock. If you are sure the
+# target system will never user NIS for hostname lookup, you can define
+# USE_DNS to add hostname tests in hosts.allow/deny.
 ifeq ($(NO_TCP_WRAPPER),)
 CPPFLAGS += -DHOSTS_ACCESS
 WRAP_LIB = -lwrap
+ifdef USE_DNS
+CPPFLAGS += -DENABLE_DNS
+MAN_SED += -e 's/USE_DNS/yes/'
+endif
 endif
 # Comment out if your RPC library does not allocate privileged ports for
diff --git a/pmap_check.c b/pmap_check.c
index 116eb49..7465913 100644
--- a/pmap_check.c
+++ b/pmap_check.c
@@ -73,8 +73,6 @@ int deny_severity __attribute ((visibility ("hidden"))) = LOG_WARNING;
 /* A handful of macros for "readability". */
-#define good_client(a) hosts_ctl("portmap", "", inet_ntoa(a->sin_addr), "")
-
 #define reserved_port(p) (IPPORT_RESERVED/2 < (p) && (p) < IPPORT_RESERVED)
 #define unreserved_port(p) (IPPORT_RESERVED <= (p) && (p) != NFS_PORT)
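Review bot: The new comment block above `ifeq ($(NO_TCP_WRAPPER),)` has a typo, `never user NIS` should read `never use NIS`, and its first sentence is hard to parse as written. Suggested wording for the first two lines: `# By default, access control does not do hostname lookups: a lookup that goes` / `# through a portmap-dependent service (e.g. NIS) would deadlock portmap.` The hazard the comment describes is not specific to NIS, any name service that itself needs the portmapper has the same effect, so naming NIS as an example rather than the only case would be more accurate.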
@@ -115,6 +113,58 @@ void check_startup(void)
 (void) signal(SIGINT, toggle_verboselog);
 }
+
+#ifdef HOSTS_ACCESS
+static int
+good_client(struct sockaddr_in *addr)
+{
+ if (hosts_ctl("portmap", "", inet_ntoa(addr->sin_addr), ""))
+ return 1;
+#ifdef ENABLE_DNS
+{
+ struct hostent *hp;
+ char **sp;
+ char *tmpname;
+
+ /* Check the hostname. */
+ hp = gethostbyaddr ((const char *) &(addr->sin_addr),
+ sizeof (addr->sin_addr), AF_INET);
+
+ if (!hp)
+ return 0;
+
+ /* must make sure the hostent is authoritative. */
+ tmpname = alloca (strlen (hp->h_name) + 1);
+ strcpy (tmpname, hp->h_name);
+ hp = gethostbyname(tmpname);
+ if (hp) {
+ /* now make sure the "addr->sin_addr" is on the list */
+ for (sp = hp->h_addr_list ; *sp ; sp++) {
+ if (memcmp(*sp, &(addr->sin_addr), hp->h_length)==0)
+ break;
+ }
+ if (!*sp)
+ /* it was a FAKE. */
+ return 0;
+ } else
+ /* never heard of it. misconfigured DNS? */
+ return 0;
+
+ /* Check the official name first. */
+ if (hosts_ctl("portmap", "", hp->h_name, ""))
+ return 1;
+
+ /* Check aliases. */
+ for (sp = hp->h_aliases; *sp ; sp++) {
+ if (hosts_ctl("portmap", "", *sp, ""))
+ return 1;
+ }
+}
+#endif /* ENABLE_DNS */
+ return 0;
+}
+#endif /* HOSTS_ACCESS */
+
 /* check_default - additional checks for NULL, DUMP, GETPORT and unknown */
 int
diff --git a/portmap.8 b/portmap.8
index f4d5d94..39e07cd 100644
--- a/portmap.8
+++ b/portmap.8
@@ -157,8 +157,10 @@ version is protected by the
 .Nm tcp_wrapper
 library. You have to give the clients access to
 .Nm portmap
-if they should be allowed to use it. To allow connects from clients of
-the network 192.168. you could use the following line in /etc/hosts.allow:
+if they should be allowed to use it.
+.if 'USE_DNS'yes' .ig
+To allow connects from clients of the network 192.168. you could use
+the following line in /etc/hosts.allow:
 portmap: 192.168.
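Review bot: In the `for (sp = hp->h_addr_list ; *sp ; sp++)` loop the compare length comes from the forward lookup's `hp->h_length`, while the right-hand operand is always the 4-byte `addr->sin_addr`; if `gethostbyname()` ever returns an `AF_INET6` hostent (older glibc resolvers did this when `options inet6` was set in resolv.conf), `memcmp` reads 16 bytes out of a 4-byte field. Guard the address family before the loop, `if (hp->h_addrtype != AF_INET) return 0;`, and compare with `sizeof addr->sin_addr` so the bound does not depend on the answer. The `alloca`/`strcpy` of `h_name` deserves a why-comment, since the copy is presumably only needed because the following `gethostbyname()` call reuses the static buffer `hp` points into, e.g. `/* copy h_name: gethostbyname() overwrites the static hostent behind hp */`. Both resolver calls are synchronous, so with an unreachable name server every client check stalls portmap for the resolver timeout; that stall, not only the NIS deadlock already noted, is worth stating in the ENABLE_DNS comment.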
@@ -174,6 +176,22 @@ You have to use the daemon name
 for the daemon name (even if the binary has a different name). For the
 client names you can only use the keyword ALL or IP addresses (NOT host or
 domain names).
+..
+.if !'USE_DNS'yes' .ig
+To allow connects from clients of
+the .bar.com domain you could use the following line in /etc/hosts.allow:
+.Pp
+portmap: .bar.com
+.Pp
+You have to use the daemon name
+.Nm portmap
+for the daemon name (even if the binary has a different name). For the
+client names you can use the keyword ALL, IP addresses, hostnames or domain
+names. Using netgroup names will likely cause
+.Nm portmap
+to deadlock.
+Note that localhost will always be allowed access to the portmapper.
+..
 For further information please have a look at the
 .Xr tcpd 8 ,
-- 
2.39.5