[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-258-gdc951
From: |
Mats Erik Andersson |
Subject: |
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-258-gdc951ef |
Date: |
Fri, 15 Mar 2013 15:23:11 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".
The branch, master has been updated
via dc951ef19cd5568ec15630a4c9ffd0decdb201af (commit)
from 43b50bb11e6aec4b92de64807967f1173eb4326b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=dc951ef19cd5568ec15630a4c9ffd0decdb201af
commit dc951ef19cd5568ec15630a4c9ffd0decdb201af
Author: Mats Erik Andersson <address@hidden>
Date: Fri Mar 15 15:42:36 2013 +0100
rlogind: Incomplete source route security.
diff --git a/ChangeLog b/ChangeLog
index 39256c1..4bb36a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
2013-03-15 Mats Erik Andersson <address@hidden>
+ rlogind: Incomplete source route security.
+ The protection against IPOPT_LSRR was not
+ enforced during Kerberised execution.
+
+ * src/rlogind.c (prevent_routing) [IP_OPTIONS]:
+ New function, broken out of old code. Replace
+ socket number 0 by a parameter `fd', which makes
+ certain that daemon-mode is examined correctly.
+ (rlogind_auth) [IP_OPTIONS]: Call prevent_routing()
+ early on, before code path separation for Kerberos.
+
+2013-03-15 Mats Erik Andersson <address@hidden>
+
rshd: Differentiate PAM services.
* src/rshd.c (service) [WITH_PAM]: New variable.
diff --git a/src/rlogind.c b/src/rlogind.c
index 681d59e..23e22fb 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -295,6 +295,10 @@ int do_shishi_login (int infd, struct auth_data *ad, const
char **err_msg);
int do_pam_check (int infd, struct auth_data *ap, const char *service);
#endif
+#ifdef IP_OPTIONS
+void prevent_routing (int fd, struct auth_data *ap);
+#endif
+
void
rlogind_sigchld (int signo _GL_UNUSED_PARAMETER)
{
@@ -960,6 +964,10 @@ rlogind_auth (int fd, struct auth_data *ap)
}
}
+#ifdef IP_OPTIONS
+ prevent_routing (fd, ap);
+#endif
+
#if defined KERBEROS || defined SHISHI
if (kerberos)
{
@@ -987,59 +995,7 @@ rlogind_auth (int fd, struct auth_data *ap)
ap->hostaddr, port);
fatal (fd, "Permission denied", 0);
}
-#ifdef IP_OPTIONS
- {
- unsigned char optbuf[BUFSIZ / 3], *cp;
- char lbuf[BUFSIZ], *lp;
- socklen_t optsize = sizeof (optbuf);
- int ipproto;
- struct protoent *ip;
-
- ip = getprotobyname ("ip");
- if (ip != NULL)
- ipproto = ip->p_proto;
- else
- ipproto = IPPROTO_IP;
- if (getsockopt (0, ipproto, IP_OPTIONS, (char *) optbuf,
- &optsize) == 0 && optsize != 0)
- {
- lp = lbuf;
- for (cp = optbuf; optsize > 0; )
- {
- sprintf (lp, " %2.2x", *cp);
- lp += 3;
-
- /* These two open an attack vector. */
- if (*cp == IPOPT_SSRR || *cp == IPOPT_LSRR)
- {
- syslog (LOG_NOTICE,
- "Discarding connection from %s with set source
routing",
- ap->hostaddr);
- exit (EXIT_FAILURE);
- }
- if (*cp == IPOPT_EOL)
- break;
- if (*cp == IPOPT_NOP)
- cp++, optsize--;
- else
- {
- /* Options using a length octet, see RFC 791. */
- int inc = cp[1];
- optsize -= inc;
- cp += inc;
- }
- }
-
- syslog (LOG_NOTICE, "Ignoring IP options: %s", lbuf);
- if (setsockopt (0, ipproto, IP_OPTIONS, (char *) NULL, optsize))
- {
- syslog (LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
- exit (EXIT_FAILURE);
- }
- }
- }
-#endif /* IP_OPTIONS */
if (do_rlogin (fd, ap) == 0)
authenticated++;
}
@@ -1060,6 +1016,66 @@ rlogind_auth (int fd, struct auth_data *ap)
return authenticated;
}
+#ifdef IP_OPTIONS
+void
+prevent_routing (int fd, struct auth_data *ap)
+{
+ unsigned char optbuf[BUFSIZ / 3], *cp;
+ char lbuf[BUFSIZ], *lp;
+ socklen_t optsize = sizeof (optbuf);
+ int ipproto;
+ struct protoent *ip;
+
+ ip = getprotobyname ("ip");
+ if (ip != NULL)
+ ipproto = ip->p_proto;
+ else
+ ipproto = IPPROTO_IP;
+
+ if (getsockopt (fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
+ && optsize != 0)
+ {
+ lp = lbuf;
+ for (cp = optbuf; optsize > 0; )
+ {
+ sprintf (lp, " %2.2x", *cp);
+ lp += 3;
+
+ /* These two open an attack vector. */
+ if (*cp == IPOPT_SSRR || *cp == IPOPT_LSRR)
+ {
+ syslog (LOG_NOTICE,
+ "Discarding connection from %s with set source routing",
+ ap->hostaddr);
+ exit (EXIT_FAILURE);
+ }
+
+ if (*cp == IPOPT_EOL)
+ break;
+
+ if (*cp == IPOPT_NOP)
+ cp++, optsize--;
+ else
+ {
+ /* Options using a length octet, see RFC 791. */
+ int inc = cp[1];
+
+ optsize -= inc;
+ cp += inc;
+ }
+ }
+
+ syslog (LOG_NOTICE, "Ignoring IP options: %s", lbuf);
+
+ if (setsockopt (fd, ipproto, IP_OPTIONS, (char *) NULL, optsize))
+ {
+ syslog (LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
+ exit (EXIT_FAILURE);
+ }
+ }
+}
+#endif /* IP_OPTIONS */
+
void
setup_tty (int fd, struct auth_data *ap)
{
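Review bot: The option walk at `int inc = cp[1];` trusts the length octet of the received option: a length of 0 never advances `cp`, so the loop spins forever, and a length larger than the remaining `optsize` wraps the unsigned `socklen_t` and lets `cp` run past `optbuf`; `cp[1]` is also read when only one octet remains. The kernel may well reject malformed options before they are visible through IP_OPTIONS, but since this function exists to discard hostile input the walk should validate the length itself rather than rely on that. The definition also deserves a contract comment, e.g. `/* Inspect the IP options on FD; exit the process if source routing is present, otherwise clear the options.  */`, since callers need to know it never returns on a rejected connection. setup_tty at the end of the hunk continues outside it.
```c
	  else
	    {
	      /* Options using a length octet, see RFC 791.  Reject a length
	         shorter than the two mandatory octets or longer than what is
	         left, so the walk can neither stall nor leave OPTBUF.  */
	      if (optsize < 2 || cp[1] < 2 || cp[1] > optsize)
		{
		  syslog (LOG_NOTICE,
			  "Discarding connection from %s with malformed IP options",
			  ap->hostaddr);
		  exit (EXIT_FAILURE);
		}

	      optsize -= cp[1];
	      cp += cp[1];
	    }
	/* … unchanged: end of loop, "Ignoring IP options" syslog, setsockopt reset … */
```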
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 13 ++++++
src/rlogind.c | 122 ++++++++++++++++++++++++++++++++-------------------------
2 files changed, 82 insertions(+), 53 deletions(-)
hooks/post-receive
--
GNU Inetutils