The included patch adds to dump/restore the capability to access tape devices on remote hosts over an arbitrary rsh-like program. In particular, this is intended to allow the use of ssh. Currently, dump/restore offer remote tape access using rcmd(3) to call rmt on the remote host. This patch adds a flag "-P <rshcmd>" to spawn a coprocess using <rshcmd>, in lieu of rcmd(3). "-P" was chosen because it is used for the same purpose by rdist(1). Most of the actual code has been taken from rdist, too. Issues: * The biggest chunk of the patch is the addition of a dump/rshrcmd.c module, which is almost literally copied from rdist/rshrcmd.c. Alas, the latter can't be used directly. The module adds the function rshrcmd(), which is mostly a drop-in replacement for rcmd(), transparently calling a rsh-like program. - rdist uses a local function error() to display error messages, dump uses msg(). This could be handled by compiling with -Derror=msg or by adding error() as wrapper for msg(). Both solutions appear questionable to me. - If the operator presses the interrupt character (^C), SIGINT is delivered to all processes in the foreground process group. The five processes spawned by the dump command variously catch or ignore SIGINT. The operator is offered a choice of aborting or continuing the dump run. Alas, the coprocess also receives the SIGINT, and ssh apparently installs a handler and terminates on SIGINT, so the whole dump run would always abort on interrupt. Diverging from the rdist code, I solved this by putting the coprocess in its own process group. I'm not sure I fully understand all the consequences of this, but it works. An interrupt doesn't kill the dump run, and if I forcefully terminate dump, the coprocess dies along with it. * rshrcmd() doesn't really handle rcmd()'s final "fd2p" argument. Adding this appears to be rather complex, judging by the rcmd code. Considering the limited use (added post 4.4Lite) this sees in dump, I think it is a negligible omission. * I didn't add "#ifdef RDUMP" around the changes, since I couldn't decide whether this is appropriate. How-To-Repeat: Usage example: $ dump 0aPf ssh host:/dev/nrsa0 /
I don't like this at all. It is too specific to dump. Why not take a page from OpenBSD and do the following? Warner Index: net/Makefile.inc =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/Makefile.inc,v retrieving revision 1.37 diff -u -r1.37 Makefile.inc --- net/Makefile.inc 2000/07/05 02:13:14 1.37 +++ net/Makefile.inc 2000/08/25 03:21:51 @@ -16,7 +16,7 @@ inet_pton.c ip6opt.c linkaddr.c map_v4v6.c name6.c ns_addr.c \ ns_name.c ns_netint.c \ ns_ntoa.c ns_parse.c ns_print.c ns_ttl.c nsap_addr.c \ - rcmd.c recv.c res_comp.c res_data.c res_debug.c \ + rcmd.c rcmdsh.c recv.c res_comp.c res_data.c res_debug.c \ res_init.c res_mkquery.c res_mkupdate.c res_query.c res_send.c \ res_update.c rthdr.c send.c vars.c # not supported: iso_addr.c Index: net/rcmd.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/rcmd.c,v retrieving revision 1.29 diff -u -r1.29 rcmd.c --- net/rcmd.c 2000/08/10 17:10:57 1.29 +++ net/rcmd.c 2000/08/25 03:21:54 @@ -47,6 +47,7 @@ #include <signal.h> #include <fcntl.h> #include <netdb.h> +#include <stdlib.h> #include <unistd.h> #include <pwd.h> #include <errno.h> @@ -99,9 +100,27 @@ long oldmask; pid_t pid; int s, aport, lport, timo, error; - char c; + char c, *p; char num[8]; static char canonnamebuf[MAXDNAME]; /* is it proper here? */ + + /* call rcmdsh() with specified remote shell if appropriate. */ + if (!issetugid() && (p = getenv("RSH"))) { + struct servent *sp = getservbyname("shell", "tcp"); + + if (sp && sp->s_port == rport) + return (rcmdsh(ahost, rport, locuser, remuser, + cmd, p)); + } + + /* use rsh(1) if non-root and remote port is shell. */ + if (geteuid()) { + struct servent *sp = getservbyname("shell", "tcp"); + + if (sp && sp->s_port == rport) + return (rcmdsh(ahost, rport, locuser, remuser, + cmd, NULL)); + } pid = getpid(); Index: net/rcmdsh.3 =================================================================== RCS file: rcmdsh.3 diff -N rcmdsh.3 --- /dev/null Thu Aug 24 20:04:33 2000 +++ rcmdsh.3 Thu Aug 24 20:21:54 2000 @@ -0,0 +1,103 @@ +.\" $OpenBSD: rcmdsh.3,v 1.6 1999/07/05 04:41:00 aaron Exp $ +.\" +.\" Copyright (c) 1983, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the University of +.\" California, Berkeley and its contributors. +.\" 4. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd September 1, 1996 +.Dt RCMDSH 3 +.Os +.Sh NAME +.Nm rcmdsh +.Nd return a stream to a remote command without superuser +.Sh SYNOPSIS +.Fd #include <unistd.h> +.Ft int +.Fn rcmdsh "char **ahost" "int inport" "const char *locuser" "const char *remuser" "const char *cmd" "char *rshprog" +.Sh DESCRIPTION +The +.Fn rcmdsh +function +is used by normal users to execute a command on +a remote machine using an authentication scheme based +on reserved port numbers using +.Xr rshd 8 +or the value of +.Fa rshprog +(if non-null). +.Pp +The +.Fn rcmdsh +function +looks up the host +.Fa *ahost +using +.Xr gethostbyname 3 , +returning \-1 if the host does not exist. +Otherwise +.Fa *ahost +is set to the standard name of the host +and a connection is established to a server +residing at the well-known Internet port +.Li shell/tcp +(or whatever port is used by +.Fa rshprog +). The parameter +.Fa inport +is ignored; it is only included to provide an interface similar to +.Xr rcmd 3 . +.Pp +If the connection succeeds, +a socket in the +.Tn UNIX +domain of type +.Dv SOCK_STREAM +is returned to the caller, and given to the remote +command as stdin and stdout, and stderr. +.Sh DIAGNOSTICS +The +.Fn rcmdsh +function +returns a valid socket descriptor on success. +It returns \-1 on error and prints a diagnostic message on the standard error. +.Sh SEE ALSO +.Xr rsh 1 , +.Xr socketpair 2 , +.Xr rcmd 3 , +.Xr rshd 8 +.Sh BUGS +If +.Xr rsh 1 +gets an error a file descriptor is still returned instead of \-1. +.Sh HISTORY +The +.Fn rcmdsh +function first appeared in +.Ox 2.0 . Index: net/rcmdsh.c =================================================================== RCS file: rcmdsh.c diff -N rcmdsh.c --- /dev/null Thu Aug 24 20:04:33 2000 +++ rcmdsh.c Thu Aug 24 20:21:54 2000 @@ -0,0 +1,128 @@ +/* $OpenBSD: rcmdsh.c,v 1.5 1998/04/25 16:23:58 millert Exp $ */ + +/* + * This is an rcmd() replacement originally by + * Chris Siebenmann <cks@utcc.utoronto.ca>. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: rcmdsh.c,v 1.5 1998/04/25 16:23:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <signal.h> +#include <errno.h> +#include <netdb.h> +#include <stdio.h> +#include <string.h> +#include <pwd.h> +#include <paths.h> +#include <unistd.h> + +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif + +/* + * This is a replacement rcmd() function that uses the rsh(1) + * program in place of a direct rcmd(3) function call so as to + * avoid having to be root. Note that rport is ignored. + */ +/* ARGSUSED */ +int +rcmdsh(ahost, rport, locuser, remuser, cmd, rshprog) + char **ahost; + int rport; + const char *locuser, *remuser, *cmd; + char *rshprog; +{ + struct hostent *hp; + int cpid, sp[2]; + char *p; + struct passwd *pw; + + /* What rsh/shell to use. */ + if (rshprog == NULL) + rshprog = _PATH_RSH; + + /* locuser must exist on this host. */ + if ((pw = getpwnam(locuser)) == NULL) { + (void) fprintf(stderr, "rcmdsh: unknown user: %s\n", locuser); + return(-1); + } + + /* Validate remote hostname. */ + if (strcmp(*ahost, "localhost") != 0) { + if ((hp = gethostbyname(*ahost)) == NULL) { + herror(*ahost); + return(-1); + } + *ahost = hp->h_name; + } + + /* Get a socketpair we'll use for stdin and stdout. */ + if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, sp) < 0) { + perror("rcmdsh: socketpair"); + return(-1); + } + + cpid = fork(); + if (cpid < 0) { + perror("rcmdsh: fork failed"); + return(-1); + } else if (cpid == 0) { + /* + * Child. We use sp[1] to be stdin/stdout, and close sp[0]. + */ + (void) close(sp[0]); + if (dup2(sp[1], 0) < 0 || dup2(0, 1) < 0) { + perror("rcmdsh: dup2 failed"); + _exit(255); + } + /* Fork again to lose parent. */ + cpid = fork(); + if (cpid < 0) { + perror("rcmdsh: fork to lose parent failed"); + _exit(255); + } + if (cpid > 0) + _exit(0); + + /* In grandchild here. Become local user for rshprog. */ + if (setuid(pw->pw_uid)) { + (void) fprintf(stderr, "rcmdsh: setuid(%u): %s\n", + pw->pw_uid, strerror(errno)); + _exit(255); + } + + /* + * If remote host is "localhost" and local and remote user + * are the same, avoid running remote shell for efficiency. + */ + if (!strcmp(*ahost, "localhost") && !strcmp(locuser, remuser)) { + if (pw->pw_shell[0] == '\0') + rshprog = _PATH_BSHELL; + else + rshprog = pw->pw_shell; + p = strrchr(rshprog, '/'); + execlp(rshprog, p ? p+1 : rshprog, "-c", cmd, + (char *) NULL); + } else { + p = strrchr(rshprog, '/'); + execlp(rshprog, p ? p+1 : rshprog, *ahost, "-l", + remuser, cmd, (char *) NULL); + } + (void) fprintf(stderr, "rcmdsh: execlp %s failed: %s\n", + rshprog, strerror(errno)); + _exit(255); + } else { + /* Parent. close sp[1], return sp[0]. */ + (void) close(sp[1]); + /* Reap child. */ + (void) wait(NULL); + return(sp[0]); + } + /* NOTREACHED */ +} Index: net/res_query.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/res_query.c,v retrieving revision 1.19 diff -u -r1.19 res_query.c --- net/res_query.c 1999/11/04 04:30:44 1.19 +++ net/res_query.c 2000/08/25 03:21:55 @@ -76,6 +76,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/stat.h> #include <netinet/in.h> #include <arpa/inet.h> #include <arpa/nameser.h> @@ -376,14 +377,23 @@ char *file; char buf[BUFSIZ]; static char abuf[MAXDNAME]; + struct stat sb; if (_res.options & RES_NOALIASES) return (NULL); - if (issetugid()) - return (NULL); file = getenv("HOSTALIASES"); if (file == NULL || (fp = fopen(file, "r")) == NULL) return (NULL); + if (issetugid()) { + if (fstat(fileno(fp), &sb)) { + fclose(fp); + return (NULL); + } + if ((sb.st_mode & 0444) != 0444) { + fclose(fp); + return (NULL); + } + } setbuf(fp, NULL); buf[sizeof(buf) - 1] = '\0'; while (fgets(buf, sizeof(buf), fp)) {
State Changed From-To: open->feedback Need feedback from Christian, regarding Warner's alternative.
State Changed From-To: feedback->open The originator's address bounces, so leaving this in the feedback state isn't going to score us much.
Responsible Changed From-To: freebsd-bugs->imp This is a reminder for Warner to commit the stuff he got from OpenBSD.
Is there a reason this hasn't been committed yet? I successfully applied and built Warner's patch with 4.4-STABLE, with the following change to the patchset for Makefile.in (so it builds and installs the manpage). The result is perfect for using dump over ssh (just "setenv RSH ssh" before running dump with -f username@hostname:/dev/device). --- orig/Makefile.inc Thu Sep 13 17:12:39 2001 +++ Makefile.inc Tue Oct 9 18:46:25 2001 @@ -16,7 +16,7 @@ inet_pton.c ip6opt.c linkaddr.c map_v4v6.c name6.c ns_addr.c \ ns_name.c ns_netint.c \ ns_ntoa.c ns_parse.c ns_print.c ns_ttl.c nsap_addr.c \ - rcmd.c recv.c res_comp.c res_data.c res_debug.c \ + rcmd.c rcmdsh.c recv.c res_comp.c res_data.c res_debug.c \ res_init.c res_mkquery.c res_mkupdate.c res_query.c res_send.c \ res_update.c rthdr.c send.c vars.c # not supported: iso_addr.c @@ -32,7 +32,7 @@ getnameinfo.3 getnetent.3 getprotoent.3 getservent.3 if_indextoname.3 \ inet.3 inet_net.3 \ inet6_option_space.3 inet6_rthdr_space.3 linkaddr.3 \ - rcmd.3 resolver.3 + rcmd.3 rcmdsh.3 resolver.3 # not installed: iso_addr.3 ns.3 MLINKS+=addr2ascii.3 ascii2addr.3
State Changed From-To: open->closed I fixed this.