X-Git-Url: http://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Fauth.c;h=4b68650ab4ec1f9f2e45a8e422d970eab3f546c5;hb=ac19750e0fb64986870e9bd9bad52d5ae46e2551;hp=c924d7be35bfaf72105a4d8ce288f19a4808a3ff;hpb=bfa20ccde2a70b1252dbb614132f1a4cbee815d4;p=ppp.git diff --git a/pppd/auth.c b/pppd/auth.c index c924d7b..4b68650 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.39 1998/11/07 06:59:25 paulus Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.44 1999/03/08 01:47:54 paulus Exp $"; #endif #include @@ -154,10 +154,7 @@ static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *, static void free_wordlist __P((struct wordlist *)); static void auth_script __P((char *)); static void set_allowed_addrs __P((int, struct wordlist *)); - -#ifdef OLD_OPTIONS static int setupapfile __P((char **)); -#endif /* * Authentication-related options. @@ -170,7 +167,7 @@ option_t auth_options[] = { { "refuse-pap", o_bool, &refuse_pap, "Don't agree to auth to peer with PAP", 1 }, { "-pap", o_bool, &refuse_pap, - "Don't allow UPAP authentication with peer", 1 }, + "Don't allow PAP authentication with peer", 1 }, { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, "Require CHAP authentication from peer", 1, &auth_required }, { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, @@ -196,14 +193,11 @@ option_t auth_options[] = { "Use system password database for PAP", 1 }, { "papcrypt", o_bool, &cryptpap, "PAP passwords are encrypted", 1 }, -#if OLD_OPTIONS { "+ua", o_special, setupapfile, "Get PAP user and password from file" }, -#endif { NULL } }; -#if OLD_OPTIONS /* * setupapfile - specifies UPAP info for authenticating with peer. */ @@ -217,14 +211,19 @@ setupapfile(argv) lcp_allowoptions[0].neg_upap = 1; /* open user info file */ - if ((ufile = fopen(*argv, "r")) == NULL) { + seteuid(getuid()); + ufile = fopen(*argv, "r"); + seteuid(0); + if (ufile == NULL) { option_error("unable to open user login data file %s", *argv); return 0; } +#if 0 /* check done by setting effective UID above */ if (!readable(fileno(ufile))) { option_error("%s: access denied", *argv); return 0; } +#endif check_access(ufile, *argv); /* get username */ @@ -245,7 +244,6 @@ setupapfile(argv) return (1); } -#endif /* @@ -635,6 +633,13 @@ auth_check_options() wo->neg_upap = 0; } + /* + * If we have a default route, require the peer to authenticate + * unless the noauth option was given. + */ + if (!auth_required && !allow_any_ip && have_route_to(0)) + auth_required = 1; + /* * Check whether we have appropriate secrets to use * to authenticate the peer. @@ -660,10 +665,6 @@ auth_check_options() * set by root. */ if (allow_any_ip) { - if (!default_device && devnam_info.priv == 0) { - option_error("can't override device name when noauth option used"); - exit(1); - } if ((connector != NULL && connector_info.priv == 0) || (disconnector != NULL && disconnector_info.priv == 0) || (welcomer != NULL && welcomer_info.priv == 0)) { @@ -1288,6 +1289,12 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { + + if (addresses[unit] == NULL) { + if (auth_required) + return 0; /* no addresses authorized */ + return allow_any_ip || !have_route_to(addr); + } return ip_addr_check(addr, addresses[unit]); } @@ -1306,11 +1313,8 @@ ip_addr_check(addr, addrs) if (bad_ip_adrs(addr)) return 0; - if (addrs == NULL) { - if (auth_required) - return 0; /* no addresses authorized */ - return allow_any_ip || !have_route_to(addr); - } + if (addrs == NULL) + return 0; /* no addresses authorized */ for (; addrs != NULL; addrs = addrs->next) { /* "-" means no addresses authorized, "*" means any address allowed */ @@ -1537,6 +1541,8 @@ scan_authfile(f, client, server, ipaddr, secret, addrs, filename) /* * Check if the given IP address is allowed by the wordlist. + * XXX accepts this entry even if it has no allowed IP addresses + * if they didn't specify a remote IP address. XXX */ if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { free_wordlist(alist);