1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
/*
rshd.c - remote shell server
Copyright (C) 2003 Guus Sliepen <guus@sliepen.eu.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as published
by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/poll.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <syslog.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <security/pam_appl.h>
#include <pty.h>
#include <utmp.h>
#include <grp.h>
#include <paths.h>
static char *argv0;
static void usage(void) {
syslog(LOG_NOTICE, "Usage: %s", argv0);
}
/* Read until a NULL byte is encountered */
static ssize_t readtonull(int fd, char *buf, size_t count) {
int len = 0, result;
while(count) {
result = read(fd, buf, 1);
if(result <= 0)
return result;
len++;
count--;
if(!*buf++)
return len;
}
errno = ENOBUFS;
return -1;
}
/* PAM conversation function */
static int conv_h(int msgc, const struct pam_message **msgv, struct pam_response **res, void *app) {
syslog(LOG_ERR, "PAM requires conversation");
return PAM_CONV_ERR;
}
int main(int argc, char **argv) {
struct sockaddr_storage peer_sa;
struct sockaddr *peer = (struct sockaddr *)&peer_sa;
socklen_t peerlen = sizeof peer_sa;
char user[1024];
char luser[1024];
char command[1024];
char env[1024];
struct passwd *pw;
int err;
int opt;
char host[NI_MAXHOST];
char addr[NI_MAXHOST];
char port[NI_MAXSERV];
char eport[NI_MAXSERV];
char lport[NI_MAXSERV];
int portnr, eportnr;
struct addrinfo hint, *ai, *lai;
int esock;
int i;
pam_handle_t *handle;
struct pam_conv conv = {conv_h, NULL};
const void *item;
char *pamuser;
char *shellname;
argv0 = argv[0];
/* Process options */
while((opt = getopt(argc, argv, "+")) != -1) {
switch(opt) {
default:
syslog(LOG_ERR, "Unknown option!");
usage();
return 1;
}
}
if(optind != argc) {
syslog(LOG_ERR, "Too many arguments!");
usage();
return 1;
}
/* Check source of connection */
if(getpeername(0, peer, &peerlen)) {
syslog(LOG_ERR, "Can't get address of peer: %m");
return 1;
}
/* Unmap V4MAPPED addresses */
if(peer->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)peer)->sin6_addr)) {
((struct sockaddr_in *)peer)->sin_addr.s_addr = ((struct sockaddr_in6 *)peer)->sin6_addr.s6_addr32[3];
peer->sa_family = AF_INET;
}
/* Lookup hostname */
if((err = getnameinfo(peer, peerlen, host, sizeof host, NULL, 0, 0))) {
syslog(LOG_ERR, "Error resolving address: %s", gai_strerror(err));
return 1;
}
if((err = getnameinfo(peer, peerlen, addr, sizeof addr, port, sizeof port, NI_NUMERICHOST | NI_NUMERICSERV))) {
syslog(LOG_ERR, "Error resolving address: %s", gai_strerror(err));
return 1;
}
/* Check if connection comes from a privileged port */
portnr = atoi(port);
if(portnr < 512 || portnr >= 1024) {
syslog(LOG_ERR, "Connection from %s on illegal port %d.", host, portnr);
return 1;
}
/* Read port number for stderr socket */
if(readtonull(0, eport, sizeof eport) <= 0) {
syslog(LOG_ERR, "Error while receiving stderr port number from %s: %m", host);
return 1;
}
eportnr = atoi(eport);
if(eportnr) {
memset(&hint, '\0', sizeof hint);
hint.ai_socktype = SOCK_STREAM;
hint.ai_family = peer->sa_family;
err = getaddrinfo(addr, eport, &hint, &ai);
if(err || !ai) {
syslog(LOG_ERR, "Error looking up host: %s", gai_strerror(err));
return 1;
}
esock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if(esock == -1) {
syslog(LOG_ERR, "socket() failed: %m");
return 1;
}
hint.ai_flags = AI_PASSIVE;
for(i = 1023; i >= 512; i--) {
snprintf(lport, sizeof lport, "%d", i);
err = getaddrinfo(NULL, lport, &hint, &lai);
if(err || !ai) {
syslog(LOG_ERR, "Error looking up localhost: %s", gai_strerror(err));
return 1;
}
err = bind(esock, lai->ai_addr, lai->ai_addrlen);
freeaddrinfo(lai);
if(err)
continue;
else
break;
}
if(err) {
syslog(LOG_ERR, "Could not bind to privileged port: %m");
return 1;
}
if(connect(esock, ai->ai_addr, ai->ai_addrlen)) {
syslog(LOG_ERR, "Connecting to stderr port %d on %s failed: %m", eportnr, host);
return 1;
}
freeaddrinfo(ai);
if(esock != 2) {
if(dup2(esock, 2) == -1) {
syslog(LOG_ERR, "dup2() failed: %m");
return 1;
}
close(esock);
}
}
/* Read usernames and terminal info */
if(readtonull(0, user, sizeof user) <= 0 || readtonull(0, luser, sizeof luser) <= 0) {
syslog(LOG_ERR, "Error while receiving usernames from %s: %m", host);
return 1;
}
if(readtonull(0, command, sizeof command) <= 0) {
syslog(LOG_ERR, "Error while receiving command from %s: %m", host);
return 1;
}
syslog(LOG_NOTICE, "Connection from %s@%s for %s", user, host, luser);
/* Start PAM */
if((err = pam_start("rsh", luser, &conv, &handle)) != PAM_SUCCESS) {
write(1, "Authentication failure\n", 23);
syslog(LOG_ERR, "PAM error: %s", pam_strerror(handle, err));
return 1;
}
pam_set_item(handle, PAM_USER, luser);
pam_set_item(handle, PAM_RUSER, user);
pam_set_item(handle, PAM_RHOST, host);
/* Write NULL byte to client so we can give a login prompt if necessary */
if(write(1, "", 1) <= 0) {
syslog(LOG_ERR, "Unable to write NULL byte: %m");
return 1;
}
/* Try to authenticate */
err = pam_authenticate(handle, 0);
/* PAM might ask for a new password */
if(err == PAM_NEW_AUTHTOK_REQD) {
err = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK);
if(err == PAM_SUCCESS)
err = pam_authenticate(handle, 0);
}
if(err != PAM_SUCCESS) {
write(1, "Authentication failure\n", 23);
syslog(LOG_ERR, "PAM error: %s", pam_strerror(handle, err));
return 1;
}
/* Check account */
err = pam_acct_mgmt(handle, 0);
if(err != PAM_SUCCESS) {
write(1, "Authentication failure\n", 23);
syslog(LOG_ERR, "PAM error: %s", pam_strerror(handle, err));
return 1;
}
/* PAM can map the user to a different user */
err = pam_get_item(handle, PAM_USER, &item);
if(err != PAM_SUCCESS) {
syslog(LOG_ERR, "PAM error: %s", pam_strerror(handle, err));
return 1;
}
pamuser = strdup((char *)item);
if(!pamuser || !*pamuser) {
syslog(LOG_ERR, "PAM didn't return a username?!");
return 1;
}
pw = getpwnam(pamuser);
if (!pw) {
syslog(LOG_ERR, "PAM_USER does not exist?!");
return 1;
}
if (setgid(pw->pw_gid)) {
syslog(LOG_ERR, "setgid() failed: %m");
return 1;
}
if (initgroups(pamuser, pw->pw_gid)) {
syslog(LOG_ERR, "initgroups() failed: %m");
return 1;
}
err = pam_setcred(handle, PAM_ESTABLISH_CRED);
if(err != PAM_SUCCESS) {
syslog(LOG_ERR, "PAM error: %s", pam_strerror(handle, err));
return 1;
}
/* Authentication succeeded */
if(setuid(pw->pw_uid)) {
syslog(LOG_ERR, "setuid() failed: %m");
return 1;
}
if(!pw->pw_shell || !*pw->pw_shell) {
syslog(LOG_ERR, "No shell for %s", pamuser);
return 1;
}
/* Set some environment variables PAM doesn't set */
snprintf(env, sizeof env, "USER=%s", pamuser);
pam_putenv(handle, env);
snprintf(env, sizeof env, "SHELL=%s", pw->pw_shell);
pam_putenv(handle, env);
snprintf(env, sizeof env, "PATH=%s", _PATH_DEFPATH);
pam_putenv(handle, env);
snprintf(env, sizeof env, "HOME=%s", pw->pw_dir);
pam_putenv(handle, env);
/* Run command */
if(chdir(pw->pw_dir) && chdir("/")) {
syslog(LOG_DEBUG, "chdir() failed: %m");
return 1;
}
shellname = strrchr(pw->pw_shell, '/');
if(shellname)
shellname++;
else
shellname = pw->pw_shell;
if(strrchr(pw->pw_shell, '/'))
execle(pw->pw_shell, shellname, "-c", command, NULL, pam_getenvlist(handle));
syslog(LOG_ERR, "Failed to spawn shell: %m");
return 1;
}
|