355b4669e025ff377602b6fc7caaf30dbc218371jacobs * CDDL HEADER START
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * The contents of this file are subject to the terms of the
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * Common Development and Distribution License (the "License").
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * You may not use this file except in compliance with the License.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * See the License for the specific language governing permissions
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * and limitations under the License.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * When distributing Covered Code, include this CDDL HEADER in each
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * If applicable, add the following below this CDDL HEADER, with the
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * fields enclosed by brackets "[]" replaced with your own identifying
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * information: Portions Copyright [yyyy] [name of copyright owner]
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * CDDL HEADER END
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * Use is subject to license terms.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs/* $Id: lpd-port.c 155 2006-04-26 02:34:54Z ktou $ */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#endif /* JOB_ID_FILE */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#if defined(sun) && defined(unix) && defined(I_SENDFD)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs cmp[0].cmsg_len = sizeof (struct cmsghdr) + sizeof (int);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs msg.msg_controllen = sizeof (struct cmsghdr) + sizeof (int);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs static void (*old_handler)();
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * Get the host address and port number to connect to.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* linux style NULL usage */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs (void) memset((char *)&sin, (int)NULL, sizeof (sin));
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs if ((hp = getipnodebyname(host, AF_INET6, AI_DEFAULT,
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs (void) memcpy((caddr_t)&sin.sin6_addr, hp->h_addr, hp->h_length);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs (void) memcpy((caddr_t)&sin.sin_addr, hp->h_addr, hp->h_length);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if ((sp = getservbyname("printer", "tcp")) == NULL) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (connect(sock, (struct sockaddr *)&sin, sizeof (sin)) < 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* gain back enough privilege to open the id file */
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* open the sequence file */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT))
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* drop our privilege again */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* drop file access privilege */
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (fd >= 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* wait for a lock on the file */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* get the current id */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* store the next id in the file */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* gain back enough privilege to open a reserved port */
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes PRIV_ON, PRIV_EFFECTIVE, PRIV_NET_PRIVADDR, NULL)) != 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs syslog(LOG_ERR, "priv_set fails for net_privaddr %m");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs#if defined(HAVE_GETIPNODEBYNAME) && defined(HAVE_RRESVPORT_AF)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs port = 0; /* set to 0, rresvport_af() will find us one. */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs while (((result = rresvport(&port)) < 0) && (port >= 0))
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* drop our privilege again */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_NET_PRIVADDR, NULL);
355b4669e025ff377602b6fc7caaf30dbc218371jacobsstatic char *
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (p->pw_name);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return ("unknown");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs while (ac--) {
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if (gethostname(host, sizeof (host)) != 0)
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if ((datacpy = strdup(data)) == NULL) {
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes for (ptr = strtok_r(datacpy, "\n", &iter); ptr != NULL;
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes ptr = strtok_r(NULL, "\n", &iter)) {
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if (strncmp(++ptr, host, strlen(host)) != 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* check the user name */
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if (uid == 0) { /* let root do what they want */
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if ((pw = getpwuid(uid)) == NULL) {
e49444533f596b3ba3b1c737aa885da109f08a55Jonathan Cowper-Andrewes if ((strncmp(++ptr, pw->pw_name, len) != 0)) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs } else if ((islower(ptr[0]) != 0) || (ptr[0] == 'U')) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* check/fix df?XXXhostname */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes * As ptr is a copy of the string (df?XXX...) the code
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes * needs to work on the original, hence the need for
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes * mod_ptr. No need to check for a NULL mod_ptr
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes * because the required string must already exist as
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes * ptr is a copy of the original data.
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes if ((mod_ptr[0] == 'd') && (mod_ptr[1] == 'f') &&
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes (mod_ptr[3] == 'X') && (mod_ptr[4] == 'X') &&
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes mod_ptr[3] = '0' + (id / 100) % 10;
41232a16855167ab2d0a91f671d4660993d6939dJonathan Cowper-Andrewes if (strncmp(&mod_ptr[6], host, strlen(host))
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (0);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* request data file transfer, read ack/nack */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (send_lpd_message(sock, "\003%d %s\n", st.st_size, dfname) < 0)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* write the data */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (sendfile(sock, fd, &off, st.st_size) != st.st_size)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* request ack/nack after the data transfer */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (0);
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes if ((datacpy = strdup(data)) == NULL)
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes syslog(LOG_DEBUG, "cfA: %s\n", datacpy);
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes for (ptr = strtok_r(datacpy, "\n", &iter); ptr != NULL;
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes ptr = strtok_r(NULL, "\n", &iter)) {
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes syslog(LOG_DEBUG, "hostname: %s\n", host);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* request data file transfer, read ack/nack */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (send_lpd_message(sock, "\002%d cfA%.3d%s\n", len, id, host) < 0)
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* write the data */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* request ack/nack after the data transfer */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (0);
10144ea86a21f583d4eec553d1a18da7544ba6dejacobssubmit_job(int sock, char *printer, int job_id, char *path)
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs /* open the control file */
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): open(): %m",
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs return (-1);
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs /* get the size of the control file */
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): fstat(): %m",
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs return (-1);
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs /* allocate memory for the control file */
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs if ((metadata = calloc(1, st.st_size + 1)) == NULL) {
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): calloc(): %m",
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs return (-1);
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs /* read in the control file */
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs syslog(LOG_ERR, "submit_job(%d, %s, %d, %s): read(): %m",
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* massage the control file */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* bad control data, dump the job */
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes "bad control file, possible subversion attempt");
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* request to transfer the job */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (send_lpd_message(sock, "\002%s\n", printer) < 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* no such (or disabled) queue, got to love rfc-1179 */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* send the control data */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* walk the control file sending the data files */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs for (ptr = strtok_r(metadata, "\n", &iter); ptr != NULL;
0485cf53f277ad1364b39e092bfa2480dbcac144Jonathan Cowper-Andrewes ptr = strtok_r(NULL, "\n", &iter)) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* write back the job-id */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (0);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* build the request */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (((rc = write(fd, buf, len)) >= 0) && (rc != len)) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* build the request */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs snprintf(buf, sizeof (buf), "\05%s %s", printer, get_user_name());
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (((rc = write(fd, buf, len)) >= 0) && (rc != len)) {
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs fprintf(stderr, "usage:\t%s -H host [-t timeout] -s queue control ]\n",
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs fprintf(stderr, "\t%s -H host [-t timeout] -c queue [user|job ...]\n",
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs fprintf(stderr, "\t%s -H host [-t timeout] -q queue [user|job ...]\n",
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * The main program temporarily loses privilege while searching the command
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * line arguments. It then allocates any resources it needs privilege for:
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * job-id, reserved port. Once it has the resources it needs, it permanently
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * drops all elevated privilege. It then connects to the remote print service
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * based on destination hostname. Doing it this way reduces the potential
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * opportunity for a breakout with elevated privilege, breakout with an
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * unconnected reserved port, and exploitation of the remote print service
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * by a calling program.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs enum { OP_NONE, OP_SUBMIT, OP_QUERY, OP_CANCEL } operation = OP_NONE;
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* lose as much as we can permanently and temporarily drop the rest. */
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik syslog(LOG_ERR, "lpd_port: priv_allocset saveset failed: %m\n");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik (void) priv_addset(saveset, PRIV_NET_PRIVADDR);
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik (void) priv_addset(saveset, PRIV_FILE_DAC_READ);
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik (void) priv_addset(saveset, PRIV_FILE_DAC_WRITE);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if ((setppriv(PRIV_SET, PRIV_PERMITTED, saveset)) < 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs syslog(LOG_ERR, "lpd_port:setppriv:priv_set failed: %m");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * These privileges are permanently dropped in next_job_id() and
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * reserved_port()
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik if (priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_NET_PRIVADDR,
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, (char *)NULL) < 0) {
634e26ec75c89095090605284938356a3145f2b8Casper H.S. Dik syslog(LOG_ERR, "lpd_port:priv_set:priv_off failed: %m");
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs switch (c) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* does not return */
10144ea86a21f583d4eec553d1a18da7544ba6dejacobs if ((host == NULL) || (queue == NULL) || (timeout < 0) ||
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if (operation == OP_SUBMIT) /* get a job-id if we need it */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs if ((c = next_job_id()) < 0) {
355b4669e025ff377602b6fc7caaf30dbc218371jacobs return (-1);
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * we no longer want or need any elevated privilege, lose it all
355b4669e025ff377602b6fc7caaf30dbc218371jacobs * permanently.
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* connect to the print service */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* perform the requested operation */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs case OP_QUERY: /* send the query string, return the fd */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs case OP_CANCEL: /* send the cancel string, return the fd */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs default: /* This should never happen */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* if the operation succeeded, send the fd to our parent */
355b4669e025ff377602b6fc7caaf30dbc218371jacobs /* sendfd() failed, dump the socket data for the heck of it */