Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/usr.sbin/inetd Inetd enhancements by James Browning, Gabe Co...



details:   https://anonhg.NetBSD.org/src/rev/acf76685ab61
branches:  trunk
changeset: 1023202:acf76685ab61
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Aug 29 09:54:18 2021 +0000

description:
Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
    https://www.mail-archive.com/tech-userlevel%netbsd.org@localhost/msg03114.html
And developed in:
    https://github.com/ritzow/src/pull/1

>From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.

diffstat:

 distrib/sets/lists/debug/mi               |     4 +-
 distrib/sets/lists/tests/mi               |     9 +-
 etc/mtree/NetBSD.dist.tests               |     4 +-
 tests/usr.sbin/Makefile                   |     3 +-
 tests/usr.sbin/inetd/Makefile             |    18 +
 tests/usr.sbin/inetd/inetd_ratelimit.conf |   101 +
 tests/usr.sbin/inetd/t_inetd.c            |   296 +++++
 tests/usr.sbin/inetd/test_server.c        |   160 ++
 usr.sbin/inetd/Makefile                   |     7 +-
 usr.sbin/inetd/inetd.8                    |   324 +++++-
 usr.sbin/inetd/inetd.c                    |  1556 +++++++++++++++++++++-------
 usr.sbin/inetd/inetd.h                    |   223 ++++
 usr.sbin/inetd/parse_v2.c                 |  1153 +++++++++++++++++++++
 13 files changed, 3379 insertions(+), 479 deletions(-)

diffs (truncated from 4622 to 300 lines):

diff -r 59d6787f73d0 -r acf76685ab61 distrib/sets/lists/debug/mi
--- a/distrib/sets/lists/debug/mi       Sun Aug 29 09:48:02 2021 +0000
+++ b/distrib/sets/lists/debug/mi       Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.359 2021/08/12 13:27:42 martin Exp $
+# $NetBSD: mi,v 1.360 2021/08/29 09:54:18 christos Exp $
 ./etc/mtree/set.debug                           comp-sys-root
 ./usr/lib                                      comp-sys-usr            compatdir
 ./usr/lib/i18n/libBIG5_g.a                     comp-c-debuglib         debuglib,compatfile
@@ -2489,6 +2489,8 @@
 ./usr/libdata/debug/usr/tests/usr.bin/id/h_id.debug                    tests-usr.bin-debug     debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/usr.bin/mkdep/h_findcc.debug             tests-usr.bin-debug     debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/usr.bin/tar/h_tar.debug                  tests-usr.bin-debug     debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/usr.sbin/inetd/t_inetd.debug             tests-usr.sbin-debug    debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/usr.sbin/inetd/test_server.debug         tests-usr.sbin-debug    debug,atf,compattestfile
 ./usr/libdata/debug/usr/tests/util/df/h_df.debug                       tests-obsolete          obsolete,compattestfile
 ./usr/libdata/debug/usr/tests/util/id/h_id.debug                       tests-obsolete          obsolete,compattestfile
 ./usr/libdata/debug/usr/tests/util/systrace/h_have_systrace.debug      tests-obsolete          obsolete,compattestfile
diff -r 59d6787f73d0 -r acf76685ab61 distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi       Sun Aug 29 09:48:02 2021 +0000
+++ b/distrib/sets/lists/tests/mi       Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1118 2021/08/28 19:45:18 rillig Exp $
+# $NetBSD: mi,v 1.1119 2021/08/29 09:54:18 christos Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -201,6 +201,7 @@
 ./usr/libdata/debug/usr/tests/usr.bin/netpgpverify     tests-usr.bin-debug     compattestfile,atf
 ./usr/libdata/debug/usr/tests/usr.bin/tar              tests-usr.bin-debug     compattestfile,atf
 ./usr/libdata/debug/usr/tests/usr.sbin                 tests-usr.sbin-debug    compattestfile,atf
+./usr/libdata/debug/usr/tests/usr.sbin/inetd           tests-usr.sbin-debug    compattestfile,atf
 ./usr/libdata/debug/usr/tests/util                     tests-obsolete          obsolete
 ./usr/libdata/debug/usr/tests/util/df                  tests-obsolete          obsolete
 ./usr/libdata/debug/usr/tests/util/id                  tests-obsolete          obsolete
@@ -7107,6 +7108,12 @@
 ./usr/tests/usr.sbin/execsnoop/Atffile                 tests-usr.sbin-tests    compattestfile,atf
 ./usr/tests/usr.sbin/execsnoop/Kyuafile                        tests-usr.sbin-tests    compattestfile,atf,kyua
 ./usr/tests/usr.sbin/execsnoop/t_execsnoop             tests-usr.sbin-tests    compattestfile,atf
+./usr/tests/usr.sbin/inetd                             tests-usr.sbin-tests    compattestfile,atf
+./usr/tests/usr.sbin/inetd/Atffile                     tests-usr.sbin-tests    compattestfile,atf
+./usr/tests/usr.sbin/inetd/Kyuafile                    tests-usr.sbin-tests    compattestfile,atf,kyua
+./usr/tests/usr.sbin/inetd/inetd_ratelimit.conf                tests-usr.sbin-tests    compattestfile,atf
+./usr/tests/usr.sbin/inetd/t_inetd                     tests-usr.sbin-tests    compattestfile,atf
+./usr/tests/usr.sbin/inetd/test_server                 tests-usr.sbin-tests    compattestfile,atf
 ./usr/tests/usr.sbin/mtree                             tests-usr.sbin-tests    compattestfile,atf
 ./usr/tests/usr.sbin/mtree/Atffile                     tests-usr.sbin-tests    compattestfile,atf
 ./usr/tests/usr.sbin/mtree/Kyuafile                    tests-usr.sbin-tests    compattestfile,atf,kyua
diff -r 59d6787f73d0 -r acf76685ab61 etc/mtree/NetBSD.dist.tests
--- a/etc/mtree/NetBSD.dist.tests       Sun Aug 29 09:48:02 2021 +0000
+++ b/etc/mtree/NetBSD.dist.tests       Sun Aug 29 09:54:18 2021 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: NetBSD.dist.tests,v 1.187 2021/08/12 11:50:42 martin Exp $
+#      $NetBSD: NetBSD.dist.tests,v 1.188 2021/08/29 09:54:18 christos Exp $
 
 ./usr/libdata/debug/usr/tests
 ./usr/libdata/debug/usr/tests/atf
@@ -180,6 +180,7 @@
 ./usr/libdata/debug/usr/tests/usr.bin/mkdep
 ./usr/libdata/debug/usr/tests/usr.bin/netpgpverify
 ./usr/libdata/debug/usr/tests/usr.sbin
+./usr/libdata/debug/usr/tests/usr.sbin/inetd
 ./usr/tests
 ./usr/tests/atf
 ./usr/tests/atf/atf-c
@@ -468,6 +469,7 @@
 ./usr/tests/usr.sbin
 ./usr/tests/usr.sbin/cpuctl
 ./usr/tests/usr.sbin/execsnoop
+./usr/tests/usr.sbin/inetd
 ./usr/tests/usr.sbin/mtree
 ./usr/tests/usr.sbin/opensnoop
 ./usr/tests/usr.sbin/stdethers
diff -r 59d6787f73d0 -r acf76685ab61 tests/usr.sbin/Makefile
--- a/tests/usr.sbin/Makefile   Sun Aug 29 09:48:02 2021 +0000
+++ b/tests/usr.sbin/Makefile   Sun Aug 29 09:54:18 2021 +0000
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.6 2020/06/30 14:30:49 jruoho Exp $
+# $NetBSD: Makefile,v 1.7 2021/08/29 09:54:18 christos Exp $
 .include <bsd.own.mk>
 
 TESTSDIR=       ${TESTSBASE}/usr.sbin
 
 TESTS_SUBDIRS+= cpuctl
 TESTS_SUBDIRS+= execsnoop
+TESTS_SUBDIRS+= inetd
 TESTS_SUBDIRS+= mtree
 TESTS_SUBDIRS+= opensnoop
 TESTS_SUBDIRS+= stdethers
diff -r 59d6787f73d0 -r acf76685ab61 tests/usr.sbin/inetd/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/Makefile     Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.1 2021/08/29 09:54:18 christos Exp $
+
+.include <bsd.own.mk>
+
+TESTSDIR=${TESTSBASE}/usr.sbin/inetd
+
+TESTS_C += t_inetd
+
+#inetd service, supports dgram and stream via args
+MKMAN = no
+PROGS += test_server
+BINDIR=${TESTSDIR}
+
+#Other files that should be copied to /usr/tests
+FILESDIR=${TESTSDIR}
+FILES=test_server inetd_ratelimit.conf
+
+.include <bsd.test.mk>
diff -r 59d6787f73d0 -r acf76685ab61 tests/usr.sbin/inetd/inetd_ratelimit.conf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/inetd_ratelimit.conf Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,101 @@
+# $NetBSD: inetd_ratelimit.conf,v 1.1 2021/08/29 09:54:18 christos Exp $
+
+127.0.0.1:
+
+#DGRAM WAIT SERVICE
+
+#Test ip_max of 3
+5432 on
+       protocol = udp,
+       wait = yes,
+       user = root,
+       service_max = 5,
+       ip_max = 3,
+       exec = test_server,
+       args = test_server dgram wait;
+
+#Test ip_max of 0
+5433 on
+       protocol = udp,
+       wait = yes,
+       user = root,
+       ip_max = 0,
+       exec = test_server,
+       args = test_server dgram wait;
+
+#Test service_max of 2
+5434 on
+       protocol = udp,
+       wait = yes,
+       user = root,
+       service_max = 2,
+       exec = test_server,
+       args = test_server dgram wait;
+
+#Test service_max of 0
+5435 on
+       protocol = udp,
+       wait = yes,
+       user = root,
+       service_max = 0,
+       exec = test_server,
+       args = test_server dgram wait;
+
+#STREAM WAIT SERVICE
+
+#Test service_max of 2
+5434 on
+       protocol = tcp,
+       wait = yes,
+       user = root,
+       service_max = 2,
+       exec = test_server,
+       args = test_server stream wait;
+
+#Test service_max of 0
+5435 on
+       protocol = tcp,
+       wait = yes,
+       user = root,
+       service_max = 0,
+       exec = test_server,
+       args = test_server stream wait;
+
+#STREAM NOWAIT SERVICE
+
+#Test ip_max of 3
+5436 on
+       protocol = tcp,
+       wait = no,
+       user = root,
+       service_max = 5,
+       ip_max = 3,
+       exec = test_server,
+       args = test_server stream nowait;
+
+#Test ip_max of 0
+5437 on
+       protocol = tcp,
+       wait = no,
+       user = root,
+       ip_max = 0,
+       exec = test_server,
+       args = test_server stream nowait;
+
+#Test service_max of 2
+5438 on
+       protocol = tcp,
+       wait = no,
+       user = root,
+       service_max = 2,
+       exec = test_server,
+       args = test_server stream nowait;
+
+#Test service_max of 0
+5439 on
+       protocol = tcp,
+       wait = no,
+       user = root,
+       service_max = 0,
+       exec = test_server,
+       args = test_server stream nowait;
diff -r 59d6787f73d0 -r acf76685ab61 tests/usr.sbin/inetd/t_inetd.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.sbin/inetd/t_inetd.c    Sun Aug 29 09:54:18 2021 +0000
@@ -0,0 +1,296 @@
+/*     $NetBSD: t_inetd.c,v 1.1 2021/08/29 09:54:18 christos Exp $     */
+
+/*-
+ * Copyright (c) 2021 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by James Browning, Gabe Coffland, Alex Gavin, and Solomon Ritzow.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: t_inetd.c,v 1.1 2021/08/29 09:54:18 christos Exp $");
+
+#include <atf-c.h>
+#include <spawn.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#define CHECK_ERROR(expr) ATF_REQUIRE_MSG((expr) != -1,\
+    "%s", strerror(errno))
+
+#define TCP 6
+#define UDP 17
+
+static pid_t   run(const char *, char **);
+static char    *concat(const char *restrict, const char *restrict);
+static void    waitfor(pid_t, const char *);
+static bool    run_udp_client(const char *);
+static int     create_socket(const char *, const char *, int, int, time_t, struct sockaddr_storage *);
+static bool    run_tcp_client(const char *);
+
+/* This test should take around 5 to 7 seconds to complete. */
+ATF_TC(test_ratelimit);
+
+ATF_TC_HEAD(test_ratelimit, tc)
+{
+       atf_tc_set_md_var(tc, "descr", "Test inetd rate limiting values, "
+       "uses UDP/TCP ports 5432-5439 with localhost.");
+       /* Need to run as root so inetd can set uid */
+       atf_tc_set_md_var(tc, "require.user", "root");
+       atf_tc_set_md_var(tc, "require.progs", "inetd");
+       /* Time out after 10 seconds, just in case */
+       atf_tc_set_md_var(tc, "timeout", "10");
+}
+
+ATF_TC_BODY(test_ratelimit, tc)
+{
+       pid_t proc;
+
+       /* Copy test server to relative path used in inetd_ratelimit.conf */
+       atf_utils_copy_file(



Home | Main Index | Thread Index | Old Index