From 3f781654282c8c85317394dfd874483c4321fac1 Mon Sep 17 00:00:00 2001 From: ian Date: Sun, 30 Aug 1998 02:35:14 +0000 Subject: [PATCH] Much new build world. --- .cvsignore | 2 +- Makefile | 64 ++++++++++-- authbind-helper.8 | 81 +++++++++++++++ authbind.1 | 253 ++++++++++++++++++++++++++++++++++++++++++++++ authbind.c | 49 ++++++--- debian/changelog | 6 ++ debian/copyright | 28 ++++- debian/postrm | 7 ++ debian/rules | 56 +++++----- helper.c | 51 +++++----- libauthbind.c | 35 ++++++- 11 files changed, 548 insertions(+), 84 deletions(-) create mode 100644 authbind-helper.8 create mode 100644 authbind.1 create mode 100755 debian/postrm diff --git a/.cvsignore b/.cvsignore index 5f1941a..6b9d28f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,4 +1,4 @@ authbind helper libauthbind.o -libauthbind.so.0.1 +libauthbind.so.1.0 diff --git a/Makefile b/Makefile index 5618a5f..12aae95 100644 --- a/Makefile +++ b/Makefile 
@@ -1,19 +1,69 @@ +# Makefile for authbind +# +# authbind is Copyright (C) 1998 Ian Jackson # +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Id$ + +prefix=/usr/local +share_dir=$(prefix)/share +etc_dir=/etc/authbind +lib_dir=$(prefix)/lib/authbind +man_dir=$(share_dir)/man +man1_dir=$(man_dir)/man1 +man8_dir=$(man_dir)/man8 + OPTIMISE= -O2 CFLAGS= -g $(OPTIMISE) \ -Wall -Wwrite-strings -Wpointer-arith -Wimplicit \ -Wnested-externs -Wmissing-prototypes -Wstrict-prototypes +CPPFLAGS= -DMAJOR_VER='"$(MAJOR)"' -DMINOR_VER='"$(MINOR)"' \ + -DLIBAUTHBIND='"$(lib_dir)/$(LIBCANON)"' \ + -DHELPER='"$(prefix)/helper"' -DCONFIGDIR='"$(etc_dir)"' + +MAJOR=1 +MINOR=0 +LIBCANON= libauthbind.so.$(MAJOR) +LIBTARGET= $(LIBCANON).$(MINOR) -TARGETS= authbind helper libauthbind.so.0.1 +TARGETS= authbind helper $(LIBTARGET) +MANPAGES_1= authbind +MANPAGES_8= authbind-helper all: $(TARGETS) +install: $(TARGETS) + install -o root -g root -m 755 -d $(lib_dir) $(man_dir) + install -o root -g root -m 755 authbind $(bin_dir)/. + install -o root -g root -m 755 $(LIBTARGET) $(lib_dir)/. + strip --strip-unneeded $(lib_dir)/$(LIBTARGET) + ln -s $(LIBTARGET) $(lib_dir)/$(LIBCANON) + install -o root -g root -m 4755 helper $(lib_dir)/. 
+ install -o root -g root -m 755 -d $(etc_dir) \ + $(etc_dir)/byport $(etc_dir)/byaddr $(etc_dir)/byuid + +install_man: $(MANPAGES_1) $(MANPAGES_8) + install -o root -g root -m 644 $(MANPAGES_1) $(man1_dir)/. + install -o root -g root -m 644 $(MANPAGES_8) $(man8_dir)/. + libauthbind.o: libauthbind.c - gcc -D_REENTRANT -g $(CFLAGS) -c -o libauthbind.o -fPIC libauthbind.c + $(CC) -D_REENTRANT $(CFLAGS) $(CPPFLAGS) -c -o $@ -fPIC $< -libauthbind.so.0.1: libauthbind.o - gcc -g -shared -Wl,-soname,libauthbind.so.0.1 -o libauthbind.so.0.1 libauthbind.o -ldl -lc +$(LIBTARGET): libauthbind.o + gcc -g -shared -Wl,-soname,$(LIBCANON) -o $@ $< -ldl -lc -clean distclean: - rm -f $(TARGETS) *.o *~ ./#*# *.bak debian/*~ - rm -f core libauthbind.so* +clean distclean: + rm -f $(TARGETS) *.o *~ ./#*# *.bak *.new core libauthbind.so* diff --git a/authbind-helper.8 b/authbind-helper.8 new file mode 100644 index 0000000..55c5e05 --- /dev/null +++ b/authbind-helper.8 
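Review bot: The compiled-in helper path and the install location disagree: `CPPFLAGS` passes `-DHELPER='"$(prefix)/helper"'`, but the `install` rule puts the setuid-root helper in `$(lib_dir)`, so the library would `execl` a path outside the directory this Makefile creates and owns; use `-DHELPER='"$(lib_dir)/helper"'`, which also matches the `#ifndef HELPER` fallback added in libauthbind.c. In the same rule `$(bin_dir)` is never defined, so `install ... authbind $(bin_dir)/.` targets `/.`; add `bin_dir=$(prefix)/bin` next to the other directory variables. `MANPAGES_1= authbind` and `MANPAGES_8= authbind-helper` name the files without their `.1`/`.8` suffixes, so `install_man` depends on and copies the `authbind` binary rather than the man page. `ln -s` also fails on a second install; `ln -sf` would make the rule repeatable.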
@@ -0,0 +1,81 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Authors: Ian Jackson +.\" +.\" authbind is Copyright (C) 1998 Ian Jackson +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2, or (at your option) +.\" any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software Foundation, +.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.\" +.\" $Id$ +.\" +.TH AUTHBIND\-HELPER 8 "30th August 1998" "Debian Project" "Debian Linux manual" +.br +.SH NAME +authbind\-helper \- helper program to bind sockets to privileged ports without root +.SH SYNOPSIS +.BI /usr/lib/authbind/helper " addr\-hex port\-hex " < socket +.SH DESCRIPTION +.B helper +is the program used by +.BR libauthbind , +which is in turn used by +.B authbind +to allow programs which do not or should not run as root to bind to +low-numbered ports in a controlled way. See +.BR authbind (1). +.PP +It may also be used standalone, i.e. without assistance from +.BR authbind . +Its standard input should be a TCP/IP socket, and it should be passed +two arguments. +.PP +The arguments are the address and port number, respectively, to which +the caller desires that the socket be bound. They should be hex +strings, +.I without +leading +.BR 0x , +of exactly the right length (8 and 4 digits, respectively), being +a pairs of hex digits for each byte in the address or port number when +expressed in network byte order. +.SH EXIT STATUS +.B helper +will exit with code 0 on success. 
+.PP +If possible, +.B helper +will return an appropriate +.B errno +value as its exit status. If this is not possible it may exit with +status 255 or with an exit status corresponding to +.B ENOSYS +.RI ( "Function not implemented" ). +.SH ACCESS CONTROL +See +.BR authbind (1) +for details of the access control regime implemented by +.BR helper . +.SH SEE ALSO +.BR authbind (1), +.BR bind (2) +.SH AUTHOR +.B authbind +and this manpage were written by Ian Jackson. They are +Copyright (C)1998 +by him and released under the GNU General Public Licence; there is NO +WARRANTY. See +.B /usr/doc/authbind/copyright +and +.B /usr/doc/copyright/GPL +for details. diff --git a/authbind.1 b/authbind.1 new file mode 100644 index 0000000..10531b5 --- /dev/null +++ b/authbind.1 
@@ -0,0 +1,253 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Authors: Ian Jackson +.\" +.\" authbind is Copyright (C) 1998 Ian Jackson +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2, or (at your option) +.\" any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software Foundation, +.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.\" +.\" $Id$ +.\" +.TH AUTHBIND 1 "30th August 1998" "Debian Project" "Debian Linux manual" +.SH NAME +authbind \- bind sockets to privileged ports without root +.SH SYNOPSIS +.BI authbind " program" +.RI [ argument " ...]" +.SH DESCRIPTION +.B authbind +allows a program which does not or should not run as root to bind to +low-numbered ports in a controlled way. +.PP +You must invoke the program using +.BR authbind ". " authbind +will set up some environment variables, including an +.BR LD_PRELOAD , +which will allow the program (including any subprocesses it may run) +to bind to low-numbered (<1024) ports if the system is configured to +allow this. +.SH ACCESS CONTROL +Access to low numbered ports is controlled by permissions and contents +of files in a configuration area, +.BR /etc/authbind . +.PP +Firstly, +.BI /etc/authbind/byport/ port +is tested. If this file is accessible for execution to the calling +user, according to +.BR access (2), +then binding to the port is authorised. 
If the file can be seen not +to exist (the existence check returns +.BR ENOENT ) +then further tests will be used to find authorisation; otherwise, +binding is not authorised, and the +.B bind +call will return with the +.B errno +value from the +.BR access (2) +call, usually +.B EACCES +.RI ( "Permission denied" ). +.PP +Secondly, if that test fails to resolve the matter, +.BI /etc/authbind/byaddr/ addr : port +is tested, in the same manner as above. +.PP +Thirdly, if the question is still unresolved, the file +.BI /etc/authbind/byuid/ uid +will be opened and read. If the file does not exist then the binding +is not authorised and +.B bind +will return +.B EPERM +.RI ( "Operation not permitted" ", or " "Not owner" ). +If the file does exist it will be searched for a line of the form +.nf +.IB addr / length : min\-port , max\-port +.fi +matching the request (ie, the initial +.I length +bits of +.I addr +match those in the proposed +.B bind +call, and the proposed port number lies is in the inclusive range +specified. If such a line is found then the binding is authorised. +Otherwise it is not, and +.B bind +will fail with +.B ENOENT +.RI ( "No such file or directory" ). +.PP +In each case above, +.TP +.I port +is the (local) TCP or UDP port number, expressed as an unsigned +integer in the minimal non-zero number of digits, and +.TP +.I addr +is the (local) IP address, as a dotted quad. +.PP +If a read error occurs, or the directory +.B /etc/authbind +cannot be accessed, then not only will +.B bind +fail, but an error message will be printed to stderr. Unrecognised +lines in +.BI /etc/authbind/byuid/ uid +files are silently ignored (as are lines whose +.I addr +has non-zero bits more than +.I length +from the top). +.SH MECHANISM +The shared library loaded using +.B LD_PRELOAD +overrides the +.BR bind (2) +system call. 
When a program invoked via +.B authbind +calls +.B bind +to bind a socket to a low-numbered TCP/IP port, and if the program +doesn't already have an effective uid of 0, the version of +.B bind +supposed by +.B authbind +forks and executes a setuid-root helper program. For non-TCP/IP +sockets, high-numbered ports, or programs which are already root, +.B authbind +passes the call to the original +.BR bind (2) +system call, which is found using +.BR dlsym (3) +with the handle +.BR RTLD_NEXT . +.PP +.SH ERROR HANDLING +Usually the normal C error handling mechanisms apply. If +.B authbind +cannot find the program it has been asked to execute it will print a +message to stderr and exit with code 255. +.PP +The helper program usually reports back to the shared library with an +exit status containing an +.B errno +value which encodes whether the +.B bind +was permitted and successful. This will be returned to the calling +program in the usual way. +.PP +In the case of apparent configuration or other serious errors the +library and/or the helper program may cause messages to be printed to +the program's stderr, was well as returning -1 from +.BR bind . +.SH BUGS +.B authbind +currently only supports IPv4 sockets. Programs which open other kinds +of sockets will not benefit from +.BR authbind , +but it won't get in their way. +.PP +The use of +.B LD_PRELOAD +makes an +.B authbind +installation specific to a particular C library. This version is for +GNU/Linux libc6 (glibc2). +.PP +It is quite possible that +.B authbind +and other programs and facilities which use +.B LD_PRELOAD +may interfere with each other, causing unpredictable behaviour or even +core dumps. +.B authbind +is known sometimes not to work correctly with +.BR fakeroot , +for example (even supposing it could be determined what `correctly' +means in this context). +.PP +.B authbind +is ineffective with setuid programs, because they do not honour +.B LD_PRELOAD +for security reasons. 
Of course a setuid-root program does not need +.BR authbind , +but it might be useful to apply it to program which are setuid to +another user or setgid. If the author or builder of such a programs +wishes it to use authbind they could have it load the +.B libauthbind +library explicitly rather than via +.BR LD_PRELOAD . +.PP +Some badly-written programs may have trouble because +.B authbind +spawns a child process `under their feet', causing (for example) a +.BR fork (2) +to happen and +.B SIGCHLD +signal to be delivered. Programs should not rely on standard +libraries not doing these things. +.PP +The access control configuration scheme is somewhat strange. +.SH FILES AND ENVIRONMENT VARIABLES +.TP +.I /usr/lib/authbind/libauthbind.so.1.0 +The shared library which +.B authbind +causes to be loaded using +.BR LD_PRELOAD , +and which actually implements the diversion of +.BR bind (2) +to an external program. +.TP +.I LD_PRELOAD +The variable used by the dynamic linker when starting dynamically +linked programs and deciding which shared libraries to load and +modifed by the +.B authbind +program to allow it to override the usual meaning of +.BR bind (2) . +.TP +.I AUTHBIND_LIB +If set, forces +.B authbind +to use its value as the path to the shared library to put in +.BR LD_PRELOAD , +instead of the compiled-in value. +.TP +.I AUTHBIND_NESTED +Do not set this variable. It is set to +.B 1 +by +.B libauthbind +when it invokes the helper program. This allows detection of the +situation where the helper has not been installed setuid, which would +otherwise lead to infinite recursion. +.SH SEE ALSO +.BR bind (2), +.BR authbind\-helper (8), +.BR dlsym (3), +.BR ld.so (8) +.SH AUTHOR +.B authbind +and this manpage were written by Ian Jackson. They are +Copyright (C)1998 +by him and released under the GNU General Public Licence; there is NO +WARRANTY. See +.B /usr/doc/authbind/copyright +and +.B /usr/doc/copyright/GPL +for details. 
diff --git a/authbind.c b/authbind.c
index 6d957ae..7f80e3e 100644
--- a/authbind.c
+++ b/authbind.c
@@ -1,28 +1,51 @@ -/**/ +/* + * authbind.c - main invoker program + * + * authbind is Copyright (C) 1998 Ian Jackson + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + */ #include #include #include #include -#define LD_PRELOAD "LD_PRELOAD" -#define AUTHBINDLIB "AUTHBIND_LIB" -#define LIBAUTHBIND "/usr/lib/authbind/libauthbind.so.0" +static const char *rcsid="$Id$"; + +#ifndef LIBAUTHBIND +# define "/usr/local/lib/authbind/libauthbind.so." MAJOR_VER +#endif + +#define PRELOAD_VAR "LD_PRELOAD" +#define AUTHBINDLIB_VAR "AUTHBIND_LIB" int main(int argc, char *const *argv) { const char *expreload, *authbindlib, *preload; char *newpreload; - authbindlib= getenv(AUTHBINDLIB); - if (!authbindlib) { - if (setenv(AUTHBINDLIB,LIBAUTHBIND,0)) { - perror("authbind: setenv " AUTHBINDLIB); - exit(-1); - } - authbindlib= LIBAUTHBIND; + if (argc<2 || argv[1][0]=='-') { + fprintf(stderr,"authbind: usage: authbind program arg arg ...\n %s\n",rcsid); + exit(-1); } + + authbindlib= getenv(AUTHBINDLIB_VAR); + if (!authbindlib) authbindlib= LIBAUTHBIND; - if ((expreload= getenv(LD_PRELOAD))) { + if ((expreload= getenv(PRELOAD_VAR))) { newpreload= malloc(strlen(expreload)+strlen(authbindlib)+2); strcpy(newpreload,expreload); strcat(newpreload,":"); 
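Review bot: The fallback definition in the new `#ifndef LIBAUTHBIND` block has no macro name: `# define "/usr/local/lib/authbind/libauthbind.so." MAJOR_VER` does not compile when the build does not pass `-DLIBAUTHBIND`; it should read `# define LIBAUTHBIND "/usr/local/lib/authbind/libauthbind.so." MAJOR_VER`. That fallback also needs `MAJOR_VER` to be defined, so a build without the Makefile's `CPPFLAGS` still fails unless it gets its own default. Further down, in the unchanged part of `main`, the result of `malloc` is passed to `strcpy` unchecked; a NULL check with `perror` and `exit(-1)` would match the error handling used for `setenv`. `main` continues past the end of this hunk.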
@@ -31,7 +54,7 @@ int main(int argc, char *const *argv) { } else { preload= authbindlib; } - if (setenv(LD_PRELOAD,preload,1)) { perror("authbind: setenv"); exit(-1); } + if (setenv(PRELOAD_VAR,preload,1)) { perror("authbind: setenv"); exit(-1); } execvp(argv[1],argv+1); perror(argv[1]); exit(-1); diff --git a/debian/changelog b/debian/changelog index 3ac61d6..ac3a5ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +authbind (1.0-1) experimental; urgency=low + + * Following testing, we can call this 1.0. + + -- Ian Jackson Sun, 30 Aug 1998 03:15:21 +0100 + authbind (0.1-1) experimental; urgency=low * Initial release. diff --git a/debian/copyright b/debian/copyright index 220317d..544519d 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1 +1,27 @@ -GNU copyleft joost witteveen, . +This is the Debian/GNU Linux prepackaged version of my `authbind' +utility for allowing non-root programs to bind to privileged ports, +subject to configuration by the sysadmin. + +This package was put together by me, Ian Jackson +, from my CVS repository. + + +authbind is Copyright (C)1998 Ian Jackson . + +authbind is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License with +your Debian GNU/Linux system, in /usr/doc/copyright/GPL, or with the +Debian GNU/Linux userv source package as the file COPYING; if not, +email me at one of the addresses above or write to the Free Software +Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +$Id$ 
diff --git a/debian/postrm b/debian/postrm
new file mode 100755
index 0000000..4883c3b
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,7 @@
+#!/bin/sh
+# $Id$
+set -e
+if test "$1" = purge
+then
+ rm -rf /etc/authbind
+fi
diff --git a/debian/rules b/debian/rules
index b6fc00b..5a30616 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,28 +1,30 @@ #! /usr/bin/make -f -# -*- mode: makefile; -*- # -# Modified by Ian Jackson for authbind. -# Then last updated: Sat Dec 17 10:52:20 EST 1994 by imurdock. +# debian/rules for authbind +# +# authbind is Copyright (C) 1998 Ian Jackson # -# To make the binary distribution package, the ``Debianized'' source package -# and the context diff to the original package, type `./debian.rules dist'. -# Make sure that `debian.rules' is executable before the final distribution -# is made. +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. # -# Invoke each target with `./debian.rules '. All targets should be -# invoked with the package root as the current directory. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# The `binary' target must be run as root, as it needs to install files with -# specific ownerships. The `diff' target assumes that you have the original -# source package available, unpacked, in ../$(p)-$(v).orig, or that you have -# the previous revision of the ``Debianized'' source package and context diff -# in the parent directory. +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Id$ -CC = gcc +CC= gcc package=authbind -major=0 -minor=1 +major=1 +minor=0 arch = $(shell dpkg --print-architecture) 
@@ -40,21 +42,17 @@ binary-indep: checkroot build # made here. lab=libauthbind.so.$(major).$(minor) +udp=debian/tmp/usr/doc/$(package) binary-arch: checkroot build rm -rf debian/tmp - install -d -g root -m 755 -o root debian/tmp/DEBIAN \ - debian/tmp/usr/{bin,lib/$(package),doc/$(package)} \ - debian/tmp/etc/authbind/{byport,byname,byuid} - install -s -g root -o root -m 755 authbind debian/tmp/usr/bin/. - install -s -g root -o root -m 4755 helper debian/tmp/usr/lib/authbind/. - install -s -g root -o root -m 755 $(lab) debian/tmp/usr/lib/authbind/. - ln -s $(lab) debian/tmp/usr/lib/authbind/libauthbind.so.$(major) - strip --strip-unneeded debian/tmp/usr/lib/authbind/$(lab) - install -g root -o root -m 644 debian/copyright debian/tmp/usr/doc/$(package)/ - install -g root -o root -m 644 debian/changelog \ - debian/tmp/usr/doc/$(package)/changelog.Debian - gzip -9 debian/tmp/usr/doc/$(package)/* + install -d -g root -m 755 -o root debian/tmp/DEBIAN $udp \ + debian/tmp/usr/{bin,lib/$(package),man} + $(MAKE) prefix=debian/tmp/usr install install_man + install -g root -o root -m 644 debian/copyright $(udp)/. + install -g root -o root -m 644 debian/changelog $(udp)/changelog.Debian + gzip -9 debian/tmp/usr/man/man*/* $(udp)/* + install -g root -o root -m 755 debian/postrm debian/tmp/DEBIAN ifneq ($(arch),alpha) install -g root -o root -m 644 debian/shlibs debian/tmp/DEBIAN else diff --git a/helper.c b/helper.c index e086e9e..5bd95fd 100644 --- a/helper.c +++ b/helper.c 
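Review bot: In the `install -d` line `$udp` is parsed by make as `$(u)dp`, so the command creates a directory named `dp` instead of `debian/tmp/usr/doc/$(package)`, and the later `install ... $(udp)/.` lines have no target directory; write `$(udp)` there as well. The `$(MAKE) prefix=debian/tmp/usr install install_man` call overrides only `prefix`, while the Makefile sets `etc_dir=/etc/authbind` as an absolute path, so the package build would create the `byport`/`byaddr`/`byuid` directories on the build host rather than under `debian/tmp`; passing `etc_dir=debian/tmp/etc/authbind` as well keeps it inside the staging tree. The build target is outside this hunk, so confirm which `prefix` the binaries were compiled with, because `HELPER` and `LIBAUTHBIND` are fixed at compile time and must name the packaged `/usr/lib/authbind` paths.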
@@ -1,31 +1,22 @@ /* - * setuid. Invoked with socket on stdin. - * Usage: helper - * both are hex strings, padded to the right length. - * they are pairs of hex digits for each byte (network byte order) + * helper.c - setuid helper program for authbind * - * If /etc/authbind cannot be chdir'd into, is an error. - * - * First, check /etc/authbind/byport/ with access(2,X_OK). - * If OK, then authorised. - * If ENOENT then keep looking. - * Otherwise, not authorised, errno=whatever - * - * Then check /etc/authbind/byboth/: likewise. - * - * Then try to read /etc/authbind/byuid/ (with superuser privs!) - * If ENOENT, then not authorised, errno=EPERM - * If cannot open, then not authorised, errno=whatever - * If it contains a line of the form - * /:, - * then authorised, otherwise not authorised, errno=ENOENT - * If read error then is an error - * - * In each case, - * is dotted quad - * is decimal in host order - * is prefix length (so 0.0.0.0/32 matches any) - * is decimal unsigned + * authbind is Copyright (C) 1998 Ian Jackson + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * */ #include 
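Review bot: This hunk deletes the only in-source description of the setuid helper's authorisation order and replaces it with the licence text, and the removed comment named the second lookup directory `byboth` while the new authbind.1 and the Makefile's `install` rule use `byaddr`. The lookup code is outside this hunk, so check that the directory name the helper actually opens matches what the man page and the installed directories say. I would keep a short pointer in the header, for example `* setuid root; invoked with the socket on stdin. Access control rules: see authbind(1).`, so a reader auditing the privileged code knows where its contract is specified.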
@@ -39,7 +30,11 @@ #include #include -#define CONFIGDIR "/etc/authbind" +#ifndef CONFIGDIR +# define CONFIGDIR "/etc/authbind" +#endif + +static const char *rcsid="$Id$"; static void exiterrno(int e) { exit(e>0 && e<128 ? e : ENOSYS); @@ -53,7 +48,7 @@ static void perrorfail(const char *m) { } static void badusage(void) { - fputs("libauthbind's helper: bad usage\n",stderr); + fprintf(stderr,"libauthbind's helper: bad usage\n %s\n",rcsid); exit(ENOSYS); } diff --git a/libauthbind.c b/libauthbind.c index d7b3f89..0de3d3c 100644 --- a/libauthbind.c +++ b/libauthbind.c @@ -1,4 +1,22 @@ /* + * libauthbind.c - bind(2)-redirector library for authbind + * + * authbind is Copyright (C) 1998 Ian Jackson + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * */ #include @@ -12,8 +30,13 @@ #include #include -#define AUTHBIND_NESTED "AUTHBIND_NESTED" -#define HELPER "/usr/lib/authbind/helper" +static const char *rcsid="$Id$"; + +#ifndef HELPER +# define HELPER "/usr/local/lib/authbind/helper" +#endif + +#define AUTHBIND_NESTED_VAR "AUTHBIND_NESTED" typedef void anyfn_type(void); typedef int bindfn_type(int fd, const struct sockaddr *addr, socklen_t addrlen); 
@@ -60,9 +83,11 @@ int bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { ntohs(((struct sockaddr_in*)addr)->sin_port) >= 1024 || !geteuid()) return old_bind(fd,addr,addrlen); - if (getenv(AUTHBIND_NESTED)) { + if (getenv(AUTHBIND_NESTED_VAR)) { STDERRSTR_CONST("libauthbind: possible installation problem - " - "nested invocation, perhaps helper is not setuid\n"); + "nested invocation, perhaps helper is not setuid\n "); + STDERRSTR_STRING(rcsid); + STDERRSTR_CONST("\n"); return old_bind(fd,addr,addrlen); } @@ -75,7 +100,7 @@ int bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { if (!child) { if (dup2(fd,0)) exiterrno(errno); - if (setenv(AUTHBIND_NESTED,"1",1)) exiterrno(errno); + if (setenv(AUTHBIND_NESTED_VAR,"1",1)) exiterrno(errno); execl(HELPER,HELPER,addrarg,portarg,(char*)0); status= errno; STDERRSTR_CONST("libauthbind: possible installation problem - " -- 2.30.2