From f97f55cce24d9416bbf12dc5a5b5aae41e3c1ea4 Mon Sep 17 00:00:00 2001 From: guenther <> Date: Mon, 23 May 2016 00:12:58 +0000 Subject: Remove iruserok(_sa)? and __ivaliduser(sa)? ok millert@ deraadt@ --- src/lib/libc/net/rcmd.3 | 61 ++++++++++++++-------------------------------- src/lib/libc/net/ruserok.c | 49 ++----------------------------------- 2 files changed, 20 insertions(+), 90 deletions(-) (limited to 'src') diff --git a/src/lib/libc/net/rcmd.3 b/src/lib/libc/net/rcmd.3 index 5fe1ee58eb..3bba0bc73d 100644 --- a/src/lib/libc/net/rcmd.3 +++ b/src/lib/libc/net/rcmd.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rcmd.3,v 1.32 2015/03/23 22:29:32 halex Exp $ +.\" $OpenBSD: rcmd.3,v 1.33 2016/05/23 00:12:58 guenther Exp $ .\" .\" Copyright (c) 1983, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: March 23 2015 $ +.Dd $Mdocdate: May 23 2016 $ .Dt RCMD 3 .Os .Sh NAME @@ -35,9 +35,7 @@ .Nm rcmd_af , .Nm rresvport , .Nm rresvport_af , -.Nm iruserok , -.Nm ruserok , -.Nm iruserok_sa +.Nm ruserok .Nd routines for returning a stream to a remote command .Sh SYNOPSIS .In unistd.h @@ -50,11 +48,7 @@ .Ft int .Fn rresvport_af "int *port" "int af" .Ft int -.Fn iruserok "u_int32_t raddr" "int superuser" "const char *ruser" "const char *luser" -.Ft int .Fn ruserok "const char *rhost" "int superuser" "const char *ruser" "const char *luser" -.Ft int -.Fn iruserok_sa "const void *sa" "int salen" "int superuser" "const char *ruser" "const char *luser" .Sh DESCRIPTION The .Fn rcmd @@ -90,15 +84,10 @@ and functions return a descriptor to a socket with an address in the privileged port space. The -.Fn iruserok -and .Fn ruserok -functions are used by servers +function is used by servers to authenticate clients requesting service with .Fn rcmd . -.Fn iruserok_sa -is an address family independent variant of -.Fn iruserok . .Pp The .Fn rcmd 
@@ -149,7 +138,7 @@ must be .Fn rcmd_af takes address family in the last argument. If the last argument is -.Dv PF_UNSPEC , +.Dv AF_UNSPEC , interpretation of .Fa *ahost will obey the underlying address resolution like DNS. @@ -174,11 +163,9 @@ need to be seeded with a port number; if that port is not available these functions will find another. .Pp The -.Fn iruserok -and .Fn ruserok -functions take a remote host's IP address or name, respectively, -two user names and a flag indicating whether the local user's +function takes a remote host's name, two user names, +and a flag indicating whether the local user's name is that of the superuser. Then, if the user is .Em not @@ -198,35 +185,14 @@ Zero is returned if the machine name is listed in the file, or the host and remote user name are found in the .Pa .rhosts file; otherwise -.Fn iruserok -and .Fn ruserok -return \-1. +returns \-1. If the local domain (as obtained from .Xr gethostname 3 ) is the same as the remote domain, only the machine name need be specified. .Pp -If the IP address of the remote host is known, -.Fn iruserok -should be used in preference to -.Fn ruserok , -as it does not require trusting the DNS server for the remote host's domain. -.Pp -While -.Fn iruserok -can handle IPv4 addresses only, -.Fn iruserok_sa -and .Fn ruserok -can handle other address families as well, like IPv6. -The first argument of -.Fn iruserok_sa -is typed as -.Li "void *" -to avoid dependency between -.In unistd.h -and -.In sys/socket.h . +implicitly requires trusting the DNS server for the remote host's domain. .Sh DIAGNOSTICS The .Fn rcmd @@ -255,3 +221,12 @@ is overloaded to mean These functions appeared in .Bx 4.2 . +.Pp +The +.Fn iruserok +and +.Fn iruserok_sa +functions, IP address based versions of +.Fn ruserok , +were removed in +.Ox 6.0 . diff --git a/src/lib/libc/net/ruserok.c b/src/lib/libc/net/ruserok.c index 4218b419b7..cab6f96449 100644 --- a/src/lib/libc/net/ruserok.c +++ b/src/lib/libc/net/ruserok.c 
@@ -48,12 +48,11 @@ #include #include -int __ivaliduser(FILE *, in_addr_t, const char *, const char *); -int __ivaliduser_sa(FILE *, struct sockaddr *, socklen_t, +static int __ivaliduser_sa(FILE *, struct sockaddr *, socklen_t, const char *, const char *); -PROTO_NORMAL(__ivaliduser_sa); static int __icheckhost(struct sockaddr *, socklen_t, const char *); static char *__gethostloop(struct sockaddr *, socklen_t); +static int iruserok_sa(const void *, int, int, const char *, const char *); int ruserok(const char *rhost, int superuser, const char *ruser, const char *luser) @@ -79,28 +78,6 @@ ruserok(const char *rhost, int superuser, const char *ruser, const char *luser) return (-1); } -/* - * New .rhosts strategy: We are passed an ip address. We spin through - * hosts.equiv and .rhosts looking for a match. When the .rhosts only - * has ip addresses, we don't have to trust a nameserver. When it - * contains hostnames, we spin through the list of addresses the nameserver - * gives us and look for a match. - * - * Returns 0 if ok, -1 if not ok. - */ -int -iruserok(u_int32_t raddr, int superuser, const char *ruser, const char *luser) -{ - struct sockaddr_in sin; - - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_len = sizeof(struct sockaddr_in); - memcpy(&sin.sin_addr, &raddr, sizeof(sin.sin_addr)); - return iruserok_sa(&sin, sizeof(struct sockaddr_in), superuser, ruser, - luser); -} - int iruserok_sa(const void *raddr, int rlen, int superuser, const char *ruser, const char *luser) 
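Review bot: The prototypes for `__ivaliduser_sa` and `iruserok_sa` are now `static` at the top of ruserok.c, but the definitions are not: the context lines of the later hunks still read `int iruserok_sa(const void *raddr, int rlen, ...` and `int __ivaliduser_sa(FILE *hostf, ...` with no storage class. C takes internal linkage from the earlier declaration, so this compiles, but anyone auditing which rhosts-checking entry points libc still exports has to scroll back to the prototypes; writing `static int` on both definition lines would make the linkage visible where the code is. The block comment deleted together with `iruserok()` in the `@@ -79,28 +78,6 @@` hunk also appears to be the only description of the hosts.equiv/.rhosts matching that `iruserok_sa` performs and of its return convention. Consider keeping a short form directly above `iruserok_sa`, e.g. `/* Check hosts.equiv and .rhosts for raddr; returns 0 if ok, -1 if not ok. */`. Both function bodies lie largely outside the hunks shown, so this is based on the visible signature lines only.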
@@ -173,27 +150,6 @@ again: } return (-1); } -DEF_WEAK(iruserok_sa); - -/* - * XXX - * Don't make static, used by lpd(8). - * - * Returns 0 if ok, -1 if not ok. - */ -int -__ivaliduser(FILE *hostf, in_addr_t raddrl, const char *luser, - const char *ruser) -{ - struct sockaddr_in sin; - - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_len = sizeof(struct sockaddr_in); - memcpy(&sin.sin_addr, &raddrl, sizeof(sin.sin_addr)); - return __ivaliduser_sa(hostf, (struct sockaddr *)&sin, sin.sin_len, - luser, ruser); -} int __ivaliduser_sa(FILE *hostf, struct sockaddr *raddr, socklen_t salen, @@ -335,7 +291,6 @@ __ivaliduser_sa(FILE *hostf, struct sockaddr *raddr, socklen_t salen, bail: return (-1); } -DEF_STRONG(__ivaliduser_sa); /* * Returns "true" if match, 0 if no match. If we do not find any -- cgit v1.2.3-55-g6feb