Check the "prog.deny" login.conf capability and

refuse to run if "ppp" is in the list. Suggested by: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
2026-05-28 04:12:45 -04:00 · 1997-08-26 23:20:16 +00:00 · 1997-08-26 23:20:16 +00:00 · 4e752f44f0
commit 4e752f44f0
parent 889d7d1524
3 changed files with 70 additions and 5 deletions
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: main.c,v 1.71 1997/08/25 00:29:19 brian Exp $
+ * $Id: main.c,v 1.72 1997/08/25 01:52:11 brian Exp $
 *
 *	TODO:
 *		o Add commands for traffic summary, version display, etc.
@ -37,6 +37,9 @@
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <sysexits.h>
+#include <pwd.h>
+#include <login_cap.h>
 #include "modem.h"
 #include "os.h"
 #include "hdlc.h"
@ -317,6 +320,40 @@ Greetings()
  }
 }

+static int
+Runnable()
+{
+  login_cap_t *lc;
+  const struct passwd *pwd;
+  char **data;
+  int result;
+
+  result = 1;  /* return non-zero if I'm runnable */
+
+  pwd = getpwuid(getuid());
+  if (!pwd) {
+    perror("getpwuid");
+    return result;  /* Run anyway - probably spawned from inetd or the like */
+  }
+  lc = login_getpwclass(pwd);
+  if (!lc) {
+    perror("login_getpwclass");
+    return result;  /* Run anyway - We're missing login.conf ? */
+  }
+
+  data = login_getcaplist(lc, "prog.deny", NULL);
+  if (data) 
+    for (; *data; data++)
+      if (!strcmp(*data, "ppp")) {
+	result = 0;
+	break;
+      }
+
+  login_close(lc);
+
+  return result;    /* OK to run */
+}
+
 int
 main(int argc, char **argv)
 {
@ -335,6 +372,12 @@ main(int argc, char **argv)
  ProcessArgs(argc, argv);
  if (!(mode & MODE_DIRECT))
    VarTerm = stdout;
+
+  if (!Runnable()) {
+    LogPrintf(LogERROR, "You do not have permission to execute ppp\n");
+    return EX_NOPERM;
+  }
+
  Greetings();
  GetUid();
  IpcpDefAddress();
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.56 1997/08/21 17:16:21 brian Exp $
+.\" $Id: ppp.8,v 1.57 1997/08/23 23:14:24 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@ -129,6 +129,16 @@ with clients using the Microsoft
 .Em PPP
 stack (ie. Win95, WinNT)

+.It Supports execution restriction.
+If
+.Nm
+is specified in the
+.Dv prog.deny
+list in
+.Pa /etc/login.conf ,
+.Nm
+will refuse to execute.
+
 .Sh GETTING STARTED

 When you first run
@ -2070,7 +2080,8 @@ Get port number if port number is using service name.
 .Xr uucplock 3 ,
 .Xr syslog 3 ,
 .Xr syslog.conf 5 ,
-.Xr syslogd 8
+.Xr syslogd 8 ,
+.Xr login.conf 5

 .Sh HISTORY

--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.56 1997/08/21 17:16:21 brian Exp $
+.\" $Id: ppp.8,v 1.57 1997/08/23 23:14:24 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@ -129,6 +129,16 @@ with clients using the Microsoft
 .Em PPP
 stack (ie. Win95, WinNT)

+.It Supports execution restriction.
+If
+.Nm
+is specified in the
+.Dv prog.deny
+list in
+.Pa /etc/login.conf ,
+.Nm
+will refuse to execute.
+
 .Sh GETTING STARTED

 When you first run
@ -2070,7 +2080,8 @@ Get port number if port number is using service name.
 .Xr uucplock 3 ,
 .Xr syslog 3 ,
 .Xr syslog.conf 5 ,
-.Xr syslogd 8
+.Xr syslogd 8 ,
+.Xr login.conf 5

 .Sh HISTORY