/* $NetBSD: identd.c,v 1.38 2021/12/05 05:03:05 msaitoh Exp $ */ /* * identd.c - TCP/IP Ident protocol server. * * This software is in the public domain. * Written by Peter Postma <peter@NetBSD.org> */ #include <sys/cdefs.h> __RCSID("$NetBSD: identd.c,v 1.38 2021/12/05 05:03:05 msaitoh Exp $"); #include <sys/param.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/sysctl.h> #include <netinet/in.h> #include <netinet/ip_var.h> #include <netinet/tcp.h> #include <netinet/tcp_timer.h> #include <netinet/tcp_var.h> #include <arpa/inet.h> #include <ctype.h> #include <err.h> #include <errno.h> #include <fcntl.h> #include <grp.h> #include <netdb.h> #include <poll.h> #include <pwd.h> #include <signal.h> #include <stdarg.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <syslog.h> #include <unistd.h> #include "identd.h" #define OPSYS_NAME "UNIX" #define IDENT_SERVICE "auth" #define TIMEOUT 30 /* seconds */ static int idhandle(int, const char *, const char *, const char *, const char *, struct sockaddr *, int); static void idparse(int, int, int, const char *, const char *, const char *); static void iderror(int, int, int, const char *); static const char *gethost(struct sockaddr *); static int *socketsetup(const char *, const char *, int); static int ident_getuid(struct sockaddr_storage *, socklen_t, struct sockaddr *, uid_t *); static int sysctl_getuid(struct sockaddr_storage *, socklen_t, uid_t *); static int sysctl_proxy_getuid(struct sockaddr_storage *, struct sockaddr *, uid_t *); static int forward(int, struct sockaddr *, int, int, int); static int check_noident(const char *); static int check_userident(const char *, char *, size_t); static void random_string(char *, size_t); static int change_format(const char *, struct passwd *, char *, size_t); __dead static void timeout_handler(int); __dead static void fatal(const char *); __dead static void die(const char *, ...) __printflike(1, 2); static int bflag, dflag, eflag, fflag, iflag, Iflag; static int lflag, Lflag, nflag, Nflag, rflag; /* NAT lookup function pointer. */ typedef int (*nat_lookup_t)(const struct sockaddr_storage *, struct sockaddr_storage *, in_port_t *); static nat_lookup_t nat_lookup; /* Packet filters. */ static const struct { const char *name; nat_lookup_t fn; } filters[] = { #ifdef WITH_PF { "pf", pf_natlookup }, #endif #ifdef WITH_IPF { "ipfilter", ipf_natlookup }, #endif #ifdef WITH_NPF { "npf", npf_natlookup }, #endif { NULL, NULL } }; int main(int argc, char *argv[]) { int IPv4or6, ch, error, i, *socks, timeout; const char *filter, *osname, *portno, *proxy; char *address, *charset, *fmt, *p; char user[LOGIN_NAME_MAX]; struct addrinfo *ai, hints; struct sockaddr *proxy_addr; struct group *grp; struct passwd *pw; gid_t gid; uid_t uid; socks = NULL; IPv4or6 = AF_UNSPEC; osname = OPSYS_NAME; portno = IDENT_SERVICE; timeout = TIMEOUT; nat_lookup = NULL; proxy_addr = NULL; filter = proxy = NULL; address = charset = fmt = NULL; uid = gid = 0; bflag = dflag = eflag = fflag = iflag = Iflag = 0; lflag = Lflag = nflag = Nflag = rflag = 0; /* Started from a tty? then run as daemon. */ if (isatty(STDIN_FILENO)) bflag = 1; /* Parse command line arguments. */ while ((ch = getopt(argc, argv, "46a:bcdeF:f:g:IiL:lm:Nno:P:p:rt:u:")) != -1) { switch (ch) { case '4': IPv4or6 = AF_INET; break; case '6': IPv4or6 = AF_INET6; break; case 'a': address = optarg; break; case 'b': bflag = 1; break; case 'c': charset = optarg; break; case 'd': dflag++; break; case 'e': eflag = 1; break; case 'F': fmt = optarg; break; case 'f': fflag = 1; (void)strlcpy(user, optarg, sizeof(user)); break; case 'g': gid = (gid_t)strtol(optarg, &p, 0); if (*p != '\0') { if ((grp = getgrnam(optarg)) != NULL) gid = grp->gr_gid; else die("No such group `%s'", optarg); } break; case 'I': Iflag = 1; /* FALLTHROUGH */ case 'i': iflag = 1; break; case 'L': Lflag = 1; (void)strlcpy(user, optarg, sizeof(user)); break; case 'l': if (!lflag) openlog("identd", LOG_PID, LOG_DAEMON); lflag = 1; break; case 'm': filter = optarg; break; case 'N': Nflag = 1; break; case 'n': nflag = 1; break; case 'o': osname = optarg; break; case 'P': proxy = optarg; break; case 'p': portno = optarg; break; case 'r': rflag = 1; break; case 't': timeout = (int)strtol(optarg, &p, 0); if (*p != '\0' || timeout < 1) die("Invalid timeout value `%s'", optarg); break; case 'u': uid = (uid_t)strtol(optarg, &p, 0); if (*p != '\0') { if ((pw = getpwnam(optarg)) != NULL) { uid = pw->pw_uid; gid = pw->pw_gid; } else die("No such user `%s'", optarg); } break; default: exit(EXIT_FAILURE); } } /* Verify proxy address, if enabled. */ if (proxy != NULL) { (void)memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; error = getaddrinfo(proxy, NULL, &hints, &ai); if (error != 0) die("Bad proxy `%s': %s", proxy, gai_strerror(error)); if (ai->ai_next != NULL) die("Bad proxy `%s': resolves to multiple addresses", proxy); proxy_addr = ai->ai_addr; } /* Verify filter, if enabled. */ if (filter != NULL) { for (i = 0; filters[i].name != NULL; i++) { if (strcasecmp(filter, filters[i].name) == 0) { nat_lookup = filters[i].fn; break; } } if (nat_lookup == NULL) die("Packet filter `%s' is not supported", filter); } /* Setup sockets when running in the background. */ if (bflag) socks = socketsetup(address, portno, IPv4or6); /* Switch to another uid/gid? */ if (gid && setgid(gid) == -1) die("Failed to set GID to `%d': %s", gid, strerror(errno)); if (uid && setuid(uid) == -1) die("Failed to set UID to `%d': %s", uid, strerror(errno)); /* * When running as daemon: daemonize, setup pollfds and go into * the mainloop. Otherwise, just read the input from stdin and * let inetd handle the sockets. */ if (bflag) { int fd, nfds, rv; struct pollfd *rfds; if (!dflag && daemon(0, 0) < 0) die("daemon: %s", strerror(errno)); rfds = malloc(*socks * sizeof(struct pollfd)); if (rfds == NULL) fatal("malloc"); nfds = *socks; for (i = 0; i < nfds; i++) { rfds[i].fd = socks[i+1]; rfds[i].events = POLLIN; rfds[i].revents = 0; } /* Mainloop for daemon. */ for (;;) { rv = poll(rfds, nfds, INFTIM); if (rv < 0) { if (errno == EINTR) continue; fatal("poll"); } for (i = 0; i < nfds; i++) { if (rfds[i].revents & POLLIN) { fd = accept(rfds[i].fd, NULL, NULL); if (fd < 0) { maybe_syslog(LOG_ERR, "accept: %m"); continue; } switch (fork()) { case -1: /* error */ maybe_syslog(LOG_ERR, "fork: %m"); (void)sleep(1); break; case 0: /* child */ (void)idhandle(fd, charset, fmt, osname, user, proxy_addr, timeout); _exit(EXIT_SUCCESS); default: /* parent */ (void)signal(SIGCHLD, SIG_IGN); (void)close(fd); } } } } } else (void)idhandle(STDIN_FILENO, charset, fmt, osname, user, proxy_addr, timeout); return 0; } /* * Handle a request on the ident port. Returns 0 on success or 1 on * failure. The return values are currently ignored. */ static int idhandle(int fd, const char *charset, const char *fmt, const char *osname, const char *user, struct sockaddr *proxy, int timeout) { struct sockaddr_storage ss[2]; char userbuf[LOGIN_NAME_MAX]; /* actual user name (or numeric uid) */ char idbuf[LOGIN_NAME_MAX]; /* name to be used in response */ char buf[BUFSIZ], *p; struct passwd *pw; int lport, fport; socklen_t len; uid_t uid; ssize_t n; size_t qlen; lport = fport = 0; (void)strlcpy(idbuf, user, sizeof(idbuf)); (void)signal(SIGALRM, timeout_handler); (void)alarm(timeout); /* Get foreign internet address. */ len = sizeof(ss[0]); if (getpeername(fd, (struct sockaddr *)&ss[0], &len) < 0) fatal("getpeername"); maybe_syslog(LOG_INFO, "Connection from %s", gethost((struct sockaddr *)&ss[0])); /* Get local internet address. */ len = sizeof(ss[1]); if (getsockname(fd, (struct sockaddr *)&ss[1], &len) < 0) fatal("getsockname"); /* Be sure to have the same address families. */ if (ss[0].ss_family != ss[1].ss_family) { maybe_syslog(LOG_ERR, "Different foreign/local address family"); return 1; } /* Receive data from the client. */ qlen = 0; for (;;) { if ((n = recv(fd, &buf[qlen], sizeof(buf) - qlen, 0)) < 0) { fatal("recv"); } else if (n == 0) { maybe_syslog(LOG_NOTICE, "recv: EOF"); iderror(fd, 0, 0, "UNKNOWN-ERROR"); return 1; } /* * 1413 is not clear on what to do if data follows the first * CRLF before we respond. We do not consider the query * complete until we get a CRLF _at the end of the buffer_. */ qlen += n; if (qlen >= sizeof(buf)) { maybe_syslog(LOG_NOTICE, "recv: message too long"); exit(0); } if ((qlen >= 2) && (buf[qlen - 2] == '\r') && (buf[qlen - 1] == '\n')) break; } buf[qlen - 2] = '\0'; /* Get local and remote ports from the received data. */ p = buf; while (*p != '\0' && isspace((unsigned char)*p)) p++; if ((p = strtok(p, " \t,")) != NULL) { lport = atoi(p); if ((p = strtok(NULL, " \t,")) != NULL) fport = atoi(p); } /* Are the ports valid? */ if (lport < 1 || lport > 65535 || fport < 1 || fport > 65535) { maybe_syslog(LOG_NOTICE, "Invalid port(s): %d, %d from %s", lport, fport, gethost((struct sockaddr *)&ss[0])); iderror(fd, 0, 0, eflag ? "UNKNOWN-ERROR" : "INVALID-PORT"); return 1; } /* If there is a 'lie' user enabled, then handle it now and stop. */ if (Lflag) { maybe_syslog(LOG_NOTICE, "Lying with name %s to %s", idbuf, gethost((struct sockaddr *)&ss[0])); idparse(fd, lport, fport, charset, osname, idbuf); return 0; } /* Protocol dependent stuff. */ switch (ss[0].ss_family) { case AF_INET: satosin(&ss[0])->sin_port = htons(fport); satosin(&ss[1])->sin_port = htons(lport); break; case AF_INET6: satosin6(&ss[0])->sin6_port = htons(fport); satosin6(&ss[1])->sin6_port = htons(lport); break; default: maybe_syslog(LOG_ERR, "Unsupported protocol (no. %d)", ss[0].ss_family); return 1; } /* Try to get the UID of the connection owner using sysctl. */ if (ident_getuid(ss, sizeof(ss), proxy, &uid) == -1) { /* Lookup failed, try to forward if enabled. */ if (nat_lookup != NULL) { struct sockaddr_storage nat_addr; in_port_t nat_lport; (void)memset(&nat_addr, 0, sizeof(nat_addr)); if ((*nat_lookup)(ss, &nat_addr, &nat_lport) && forward(fd, (struct sockaddr *)&nat_addr, nat_lport, fport, lport)) { maybe_syslog(LOG_INFO, "Successfully forwarded the request to %s", gethost((struct sockaddr *)&nat_addr)); return 0; } } /* Fall back to a default name? */ if (fflag) { maybe_syslog(LOG_NOTICE, "Using fallback name %s to %s", idbuf, gethost((struct sockaddr *)&ss[0])); idparse(fd, lport, fport, charset, osname, idbuf); return 0; } maybe_syslog(LOG_ERR, "Lookup failed, returning error to %s", gethost((struct sockaddr *)&ss[0])); iderror(fd, lport, fport, eflag ? "UNKNOWN-ERROR" : "NO-USER"); return 1; } /* Fill in userbuf with user name if possible, else numeric UID. */ if ((pw = getpwuid(uid)) == NULL) { maybe_syslog(LOG_ERR, "Couldn't map uid (%u) to name", uid); (void)snprintf(userbuf, sizeof(userbuf), "%u", uid); } else { maybe_syslog(LOG_INFO, "Successful lookup: %d, %d: %s for %s", lport, fport, pw->pw_name, gethost((struct sockaddr *)&ss[0])); (void)strlcpy(userbuf, pw->pw_name, sizeof(userbuf)); } /* No ident enabled? */ if (Nflag && pw && check_noident(pw->pw_dir)) { maybe_syslog(LOG_NOTICE, "Returning HIDDEN-USER for user %s" " to %s", pw->pw_name, gethost((struct sockaddr *)&ss[0])); iderror(fd, lport, fport, "HIDDEN-USER"); return 1; } /* User ident enabled? */ if (iflag && pw && check_userident(pw->pw_dir, idbuf, sizeof(idbuf))) { if (!Iflag) { if ((strspn(idbuf, "0123456789") && getpwuid(atoi(idbuf)) != NULL) || (getpwnam(idbuf) != NULL)) { maybe_syslog(LOG_NOTICE, "Ignoring user-specified '%s' for user %s", idbuf, userbuf); (void)strlcpy(idbuf, userbuf, sizeof(idbuf)); } } maybe_syslog(LOG_NOTICE, "Returning user-specified '%s' for user %s to %s", idbuf, userbuf, gethost((struct sockaddr *)&ss[0])); idparse(fd, lport, fport, charset, osname, idbuf); return 0; } /* Send a random message? */ if (rflag) { /* Random number or string? */ if (nflag) (void)snprintf(idbuf, sizeof(idbuf), "%u", (unsigned int)(arc4random() % 65535)); else random_string(idbuf, sizeof(idbuf)); maybe_syslog(LOG_NOTICE, "Returning random '%s' for user %s to %s", idbuf, userbuf, gethost((struct sockaddr *)&ss[0])); idparse(fd, lport, fport, charset, osname, idbuf); return 0; } /* Return numeric user ID? */ if (nflag) (void)snprintf(idbuf, sizeof(idbuf), "%u", uid); else (void)strlcpy(idbuf, userbuf, sizeof(idbuf)); /* * Change the output format? Note that 512 is the maximum * size of the result according to RFC 1413. */ if (fmt && change_format(fmt, pw, buf, 512 + 1)) idparse(fd, lport, fport, charset, osname, buf); else idparse(fd, lport, fport, charset, osname, idbuf); return 0; } /* Send/parse the ident result. */ static void idparse(int fd, int lport, int fport, const char *charset, const char *osname, const char *user) { char *p; if (asprintf(&p, "%d,%d:USERID:%s%s%s:%s\r\n", lport, fport, osname, charset ? "," : "", charset ? charset : "", user) < 0) fatal("asprintf"); if (send(fd, p, strlen(p), 0) < 0) { free(p); fatal("send"); } free(p); } /* Return a specified ident error. */ static void iderror(int fd, int lport, int fport, const char *error) { char *p; if (asprintf(&p, "%d,%d:ERROR:%s\r\n", lport, fport, error) < 0) fatal("asprintf"); if (send(fd, p, strlen(p), 0) < 0) { free(p); fatal("send"); } free(p); } /* Return the IP address of the connecting host. */ static const char * gethost(struct sockaddr *sa) { static char host[NI_MAXHOST]; if (getnameinfo(sa, sa->sa_len, host, sizeof(host), NULL, 0, NI_NUMERICHOST) == 0) return host; return "UNKNOWN"; } /* Setup sockets, for daemon mode. */ static int * socketsetup(const char *address, const char *port, int af) { struct addrinfo hints, *res, *res0; int error, maxs, *s, *socks; const char *cause = NULL; socklen_t y = 1; (void)memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE; hints.ai_family = af; hints.ai_socktype = SOCK_STREAM; error = getaddrinfo(address, port, &hints, &res0); if (error) { die("getaddrinfo: %s", gai_strerror(error)); /* NOTREACHED */ } /* Count max number of sockets we may open. */ for (maxs = 0, res = res0; res != NULL; res = res->ai_next) maxs++; socks = malloc((maxs + 1) * sizeof(int)); if (socks == NULL) { die("malloc: %s", strerror(errno)); /* NOTREACHED */ } *socks = 0; s = socks + 1; for (res = res0; res != NULL; res = res->ai_next) { *s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (*s < 0) { cause = "socket"; continue; } (void)setsockopt(*s, SOL_SOCKET, SO_REUSEADDR, &y, sizeof(y)); if (bind(*s, res->ai_addr, res->ai_addrlen) < 0) { cause = "bind"; (void)close(*s); continue; } if (listen(*s, 5) < 0) { cause = "listen"; (void)close(*s); continue; } *socks = *socks + 1; s++; } if (*socks == 0) { free(socks); die("%s: %s", cause, strerror(errno)); /* NOTREACHED */ } if (res0) freeaddrinfo(res0); return socks; } /* UID lookup wrapper. */ static int ident_getuid(struct sockaddr_storage *ss, socklen_t len, struct sockaddr *proxy, uid_t *uid) { int rc; rc = sysctl_getuid(ss, len, uid); if (rc == -1 && proxy != NULL) rc = sysctl_proxy_getuid(ss, proxy, uid); return rc; } /* Try to get the UID of the connection owner using sysctl. */ static int sysctl_getuid(struct sockaddr_storage *ss, socklen_t len, uid_t *uid) { int mib[4]; uid_t myuid; size_t uidlen; uidlen = sizeof(myuid); mib[0] = CTL_NET; mib[1] = ss->ss_family; mib[2] = IPPROTO_TCP; mib[3] = TCPCTL_IDENT; if (sysctl(mib, sizeof(mib)/ sizeof(int), &myuid, &uidlen, ss, len) < 0) return -1; *uid = myuid; return 0; } /* Try to get the UID of the connection owner using sysctl (proxy version). */ static int sysctl_proxy_getuid(struct sockaddr_storage *ss, struct sockaddr *proxy, uid_t *uid) { struct sockaddr_storage new[2]; int rc, name[CTL_MAXNAME]; size_t i; struct kinfo_pcb *kp; size_t sz, len; const char *list; rc = -1; sz = CTL_MAXNAME; list = NULL; /* Retrieve a list of sockets. */ switch (ss[0].ss_family) { case AF_INET: /* We only accept queries from the proxy. */ if (in_hosteq(satosin(&ss[0])->sin_addr, satosin(proxy)->sin_addr)) list = "net.inet.tcp.pcblist"; break; case AF_INET6: /* We only accept queries from the proxy. */ if (IN6_ARE_ADDR_EQUAL(&satosin6(&ss[0])->sin6_addr, &satosin6(proxy)->sin6_addr)) list = "net.inet6.tcp.pcblist"; break; default: maybe_syslog(LOG_ERR, "Unsupported protocol for proxy (no. %d)", ss[0].ss_family); } if (list != NULL) rc = sysctlnametomib(list, &name[0], &sz); if (rc == -1) return -1; len = sz; name[len++] = PCB_ALL; name[len++] = 0; name[len++] = sizeof(struct kinfo_pcb); name[len++] = INT_MAX; kp = NULL; sz = 0; do { rc = sysctl(&name[0], len, kp, &sz, NULL, 0); if (rc == -1 && errno != ENOMEM) return -1; if (kp == NULL) { kp = malloc(sz); rc = -1; } if (kp == NULL) return -1; } while (rc == -1); rc = -1; /* * Walk through the list of sockets and try to find a match. * We don't know who has sent the query (we only know that the * proxy has forwarded to us) so just try to match the ports and * the local address. */ for (i = 0; i < sz / sizeof(struct kinfo_pcb); i++) { switch (ss[0].ss_family) { case AF_INET: /* Foreign and local ports must match. */ if (satosin(&ss[0])->sin_port != satosin(&kp[i].ki_src)->sin_port) continue; if (satosin(&ss[1])->sin_port != satosin(&kp[i].ki_dst)->sin_port) continue; /* Foreign address may not match proxy address. */ if (in_hosteq(satosin(proxy)->sin_addr, satosin(&kp[i].ki_dst)->sin_addr)) continue; /* Local addresses must match. */ if (!in_hosteq(satosin(&ss[1])->sin_addr, satosin(&kp[i].ki_src)->sin_addr)) continue; break; case AF_INET6: /* Foreign and local ports must match. */ if (satosin6(&ss[0])->sin6_port != satosin6(&kp[i].ki_src)->sin6_port) continue; if (satosin6(&ss[1])->sin6_port != satosin6(&kp[i].ki_dst)->sin6_port) continue; /* Foreign address may not match proxy address. */ if (IN6_ARE_ADDR_EQUAL(&satosin6(proxy)->sin6_addr, &satosin6(&kp[i].ki_dst)->sin6_addr)) continue; /* Local addresses must match. */ if (!IN6_ARE_ADDR_EQUAL(&satosin6(&ss[1])->sin6_addr, &satosin6(&kp[i].ki_src)->sin6_addr)) continue; break; } /* * We have found the foreign address, copy it to a new * struct and retrieve the UID of the connection owner. */ (void)memcpy(&new[0], &kp[i].ki_dst, kp[i].ki_dst.sa_len); (void)memcpy(&new[1], &kp[i].ki_src, kp[i].ki_src.sa_len); rc = sysctl_getuid(new, sizeof(new), uid); /* Done. */ break; } free(kp); return rc; } /* Forward ident queries. Returns 1 when successful, or zero if not. */ static int forward(int fd, struct sockaddr *nat_addr, int nat_lport, int fport, int lport) { char buf[BUFSIZ], reply[BUFSIZ], *p; ssize_t n; int sock; /* Connect to the NAT host. */ sock = socket(nat_addr->sa_family, SOCK_STREAM, 0); if (sock < 0) { maybe_syslog(LOG_ERR, "socket: %m"); return 0; } if (connect(sock, nat_addr, nat_addr->sa_len) < 0) { maybe_syslog(LOG_ERR, "Can't connect to %s: %m", gethost(nat_addr)); (void)close(sock); return 0; } /* * Send the ident query to the NAT host, but use as local port * the port of the NAT host. */ (void)snprintf(buf, sizeof(buf), "%d , %d\r\n", fport, nat_lport); if (send(sock, buf, strlen(buf), 0) < 0) { maybe_syslog(LOG_ERR, "send: %m"); (void)close(sock); return 0; } /* Read the reply from the NAT host. */ if ((n = recv(sock, reply, sizeof(reply) - 1, 0)) < 0) { maybe_syslog(LOG_ERR, "recv: %m"); (void)close(sock); return 0; } else if (n == 0) { maybe_syslog(LOG_NOTICE, "recv: EOF"); (void)close(sock); return 0; } reply[n] = '\0'; if (dflag) maybe_syslog(LOG_ERR, "Replied %s", reply); (void)close(sock); /* Extract everything after the port specs from the ident reply. */ for (p = reply; *p != '\0' && *p != ':'; p++) continue; if (*p == '\0' || *++p == '\0') { maybe_syslog(LOG_ERR, "Malformed ident reply from %s", gethost(nat_addr)); return 0; } /* Build reply for the requesting host, use the original local port. */ (void)snprintf(buf, sizeof(buf), "%d,%d:%s", lport, fport, p); /* Send the reply from the NAT host back to the requesting host. */ if (send(fd, buf, strlen(buf), 0) < 0) { maybe_syslog(LOG_ERR, "send: %m"); return 0; } return 1; } /* Check if a .noident file exists in the user home directory. */ static int check_noident(const char *homedir) { struct stat sb; char *path; int ret; if (homedir == NULL) return 0; if (asprintf(&path, "%s/.noident", homedir) < 0) return 0; ret = stat(path, &sb); free(path); return (ret == 0); } /* * Check if a .ident file exists in the user home directory and * return the contents of that file. */ static int check_userident(const char *homedir, char *username, size_t len) { struct stat sb; char *path, *p; ssize_t n; int fd; if (len == 0 || homedir == NULL) return 0; if (asprintf(&path, "%s/.ident", homedir) < 0) return 0; if ((fd = open(path, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) { free(path); return 0; } if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode)) { (void)close(fd); free(path); return 0; } if ((n = read(fd, username, len - 1)) < 1) { (void)close(fd); free(path); return 0; } username[n] = '\0'; if ((p = strpbrk(username, "\r\n")) != NULL) *p = '\0'; (void)close(fd); free(path); return 1; } /* Generate a random string. */ static void random_string(char *str, size_t len) { static const char chars[] = "abcdefghijklmnopqrstuvwxyz1234567890"; char *p; if (len == 0) return; for (p = str; len > 1; len--) *p++ = chars[arc4random() % (sizeof(chars) - 1)]; *p = '\0'; } /* Change the output format. */ static int change_format(const char *format, struct passwd *pw, char *dest, size_t len) { struct group *gr; const char *cp; char **gmp; size_t bp; if (len == 0 || ((gr = getgrgid(pw->pw_gid)) == NULL)) return 0; for (bp = 0, cp = format; *cp != '\0' && bp < len - 1; cp++) { if (*cp != '%') { dest[bp++] = *cp; continue; } if (*++cp == '\0') break; switch (*cp) { case 'u': (void)snprintf(&dest[bp], len - bp, "%s", pw->pw_name); break; case 'U': (void)snprintf(&dest[bp], len - bp, "%d", pw->pw_uid); break; case 'g': (void)snprintf(&dest[bp], len - bp, "%s", gr->gr_name); break; case 'G': (void)snprintf(&dest[bp], len - bp, "%d", gr->gr_gid); break; case 'l': (void)snprintf(&dest[bp], len - bp, "%s", gr->gr_name); bp += strlen(&dest[bp]); if (bp >= len) break; setgrent(); while ((gr = getgrent()) != NULL) { if (gr->gr_gid == pw->pw_gid) continue; for (gmp = gr->gr_mem; *gmp && **gmp; gmp++) { if (strcmp(*gmp, pw->pw_name) == 0) { (void)snprintf(&dest[bp], len - bp, ",%s", gr->gr_name); bp += strlen(&dest[bp]); break; } } if (bp >= len) break; } endgrent(); break; case 'L': (void)snprintf(&dest[bp], len - bp, "%u", gr->gr_gid); bp += strlen(&dest[bp]); if (bp >= len) break; setgrent(); while ((gr = getgrent()) != NULL) { if (gr->gr_gid == pw->pw_gid) continue; for (gmp = gr->gr_mem; *gmp && **gmp; gmp++) { if (strcmp(*gmp, pw->pw_name) == 0) { (void)snprintf(&dest[bp], len - bp, ",%u", gr->gr_gid); bp += strlen(&dest[bp]); break; } } if (bp >= len) break; } endgrent(); break; default: dest[bp] = *cp; dest[bp+1] = '\0'; break; } bp += strlen(&dest[bp]); } dest[bp] = '\0'; return 1; } /* Just exit when we caught SIGALRM. */ static void timeout_handler(int __unused s) { maybe_syslog(LOG_INFO, "Timeout for request, closing connection..."); exit(EXIT_FAILURE); } /* Report error message string through syslog and quit. */ static void fatal(const char *func) { maybe_syslog(LOG_ERR, "%s: %m", func); exit(EXIT_FAILURE); } /* * Report an error through syslog and/or stderr and quit. Only used when * running identd in the background and when it isn't a daemon yet. */ static void die(const char *message, ...) { va_list ap; if (bflag) { va_start(ap, message); vwarnx(message, ap); va_end(ap); } if (lflag) { va_start(ap, message); vsyslog(LOG_ERR, message, ap); va_end(ap); } exit(EXIT_FAILURE); } /* Log using syslog, but only if enabled with the -l flag. */ void maybe_syslog(int priority, const char *message, ...) { va_list ap; if (lflag) { va_start(ap, message); vsyslog(priority, message, ap); va_end(ap); } }