Hello, below is a simple diff to enable blocklist(3) support for bozohttpd(8) and fingerd(8). For the former, I consider the HTTP status code 401 relevant in terms of blocking, but I also added 500 and 503.
- Jukka
Index: libexec/httpd/bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.114
diff -u -p -r1.114 bozohttpd.c
--- libexec/httpd/bozohttpd.c 7 Jun 2020 23:33:02 -0000 1.114
+++ libexec/httpd/bozohttpd.c 3 Jul 2020 14:09:30 -0000
@@ -130,6 +130,7 @@
 #include <arpa/inet.h>
+#include <blocklist.h>
 #include <ctype.h>
 #include <dirent.h>
 #include <errno.h>
@@ -2146,6 +2147,7 @@ static struct errors_map {
 { 0, NULL, NULL, },
 };
+static struct blocklist *blstate;
 static const char *help = "DANGER! WILL ROBINSON! DANGER!";
 static const char *
@@ -2170,6 +2172,19 @@ http_errors_long(int code)
 return (help);
 }
+static void
+pfilter_notify(int what, int code)
+{
+
+ if (blstate == NULL)
+ blstate = blocklist_open();
+
+ if (blstate == NULL)
+ return;
+
+ (void)blocklist_r(blstate, what, 0, http_errors_short(code));
+}
+
 /* the follow functions and variables are used in handling HTTP errors */
 /* ARGSUSED */
 int
@@ -2272,6 +2287,19 @@ bozo_http_error(bozohttpd_t *httpd, int
 bozo_printf(httpd, "%s", httpd->errorbuf);
 bozo_flush(httpd, stdout);
+ /* blocklist(3) support */
+ switch(code) {
+
+ case 401:
+ pfilter_notify(BLOCKLIST_AUTH_FAIL, code);
+ break;
+
+ case 500: /* FALLTHROUGH */
+ case 503:
+ pfilter_notify(BLOCKLIST_ABUSIVE_BEHAVIOR, code);
+ break;
+ }
+
 return code;
 }
Index: libexec/httpd/Makefile
===================================================================
RCS file: /cvsroot/src/libexec/httpd/Makefile,v
retrieving revision 1.28
diff -u -p -r1.28 Makefile
--- libexec/httpd/Makefile 17 Jan 2019 07:39:00 -0000 1.28
+++ libexec/httpd/Makefile 3 Jul 2020 14:09:30 -0000
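Review bot: In bozohttpd.c's new `pfilter_notify()`, `blocklist_open()` is deferred until the first reported error, so if the server has already called chroot(2) or dropped privileges by then (not visible in this hunk), the open can fail and every later report is silently skipped. The helper also hard-codes descriptor `0` in `blocklist_r()`, which is the client socket only when the connection arrives on stdin; that should be confirmed for the daemon-mode path or stated in a comment. I would add `/* Best effort: report fd 0 (the client socket) to blocklistd(8); failures are ignored. */` above the function and consider opening the handle during start-up. The fingerd.c copy of `pfilter_notify()` relies on the same fd-0 assumption and deserves the same comment.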
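Review bot: The `case 401` branch added to `bozo_http_error()` reports `BLOCKLIST_AUTH_FAIL` for every 401 the function emits; if that includes the initial challenge sent to a client that has not yet supplied credentials (the function body starts outside the hunk, so this cannot be confirmed here), ordinary browsers would accumulate failures before the user has typed a password. 500 and 503 describe server-side conditions, so counting them as `BLOCKLIST_ABUSIVE_BEHAVIOR` can block clients for faults they did not cause, such as a broken script or an overloaded host. I would either restrict the report to a 401 that follows a failed credential check or document the policy, e.g. `/* blocklist(3): 401 = failed auth; 500/503 are counted as abuse although they may be server-side faults */`. The `switch` has no `default:` label; `default: break;` would make the intent explicit.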
@@ -32,8 +32,8 @@ SRCS= bozohttpd.c ssl-bozo.c auth-bozo.c
 tilde-luzah-bozo.c dir-index-bozo.c content-bozo.c lua-bozo.c
 SRCS+= main.c
-LDADD= -lcrypt -llua -lm
-DPADD= ${LIBCRYPT} ${LIBLUA} ${LIBM}
+LDADD= -lblocklist -lcrypt -llua -lm
+DPADD= ${LIBBLOCKLIST} ${LIBCRYPT} ${LIBLUA} ${LIBM}
 WARNS?= 4
Index: libexec/fingerd/fingerd.c
===================================================================
RCS file: /cvsroot/src/libexec/fingerd/fingerd.c,v
retrieving revision 1.27
diff -u -p -r1.27 fingerd.c
--- libexec/fingerd/fingerd.c 15 Mar 2012 02:02:21 -0000 1.27
+++ libexec/fingerd/fingerd.c 3 Jul 2020 14:09:30 -0000
@@ -49,6 +49,7 @@ __RCSID("$NetBSD: fingerd.c,v 1.27 2012/
 #include <arpa/inet.h>
 #include <errno.h>
+#include <pwd.h>
 #include <unistd.h>
 #include <syslog.h>
 #include <netdb.h>
@@ -56,10 +57,28 @@ __RCSID("$NetBSD: fingerd.c,v 1.27 2012/
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <blocklist.h>
+
 #include "pathnames.h"
+static struct blocklist *blstate;
+
+static void pfilter_notify(int, const char *);
 __dead static void my_err(const char *, ...) __printflike(1, 2);
+static void
+pfilter_notify(int what, const char *msg)
+{
+
+ if (blstate == NULL)
+ blstate = blocklist_open();
+
+ if (blstate == NULL)
+ return;
+
+ (void)blocklist_r(blstate, what, 0, msg);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -67,7 +86,8 @@ main(int argc, char *argv[])
 int ch, ac = 2;
 char *lp = NULL /* XXX gcc */;
 struct sockaddr_storage ss;
- int p[2], logging, no_forward, user_required, short_list;
+ int p[2], logging, no_forward, short_list;
+ int user_name_only, user_required;
 socklen_t sval;
 #define ENTRIES 50
 char **ap, *av[ENTRIES + 1], **comp, line[1024], *prog, *s;
@@ -78,7 +98,8 @@ main(int argc, char *argv[])
 char hostbuf[MAXHOSTNAMELEN];
 prog = __UNCONST(_PATH_FINGER);
- logging = no_forward = user_required = short_list = 0;
+ logging = no_forward = short_list = 0;
+ user_name_only = user_required = 0;
 openlog("fingerd", LOG_PID, LOG_DAEMON);
 opterr = 0;
 while ((ch = getopt(argc, argv, "gsluShmpP:8")) != -1) {
@@ -103,6 +124,7 @@ main(int argc, char *argv[])
 av[ac++] = __UNCONST("-h");
 break;
 case 'm':
+ user_name_only = 1;
 av[ac++] = __UNCONST("-m");
 break;
 case 'p':
@@ -131,7 +153,13 @@ main(int argc, char *argv[])
 hostbuf, sizeof(hostbuf), NULL, 0, 0);
 lp = hostbuf;
 }
-
+
+ /*
+ * BLOCKLIST_BAD_USER would be better, but it is not yet implemented.
+ */
+ if (user_name_only != 0 && getpwnam(line) == NULL)
+ pfilter_notify(BLOCKLIST_AUTH_FAIL, "no such user");
+
 if (!fgets(line, sizeof(line), stdin)) {
 if (logging)
 syslog(LOG_NOTICE, "query from %s", lp);
@@ -157,6 +185,7 @@ main(int argc, char *argv[])
 break;
 lp = NULL;
 if (no_forward && strchr(*ap, '@')) {
+ pfilter_notify(BLOCKLIST_ABUSIVE_BEHAVIOR, "fwd");
 (void) puts("forwarding service denied\r\n");
 exit(1);
 }
@@ -188,6 +217,7 @@ main(int argc, char *argv[])
 if (user_required) {
 for (ap = comp + 1; strcmp("--", *(ap++)); );
 if (*ap == NULL) {
+ pfilter_notify(BLOCKLIST_AUTH_FAIL, "no username");
 (void) puts("must provide username\r\n");
 exit(1);
 }
Index: libexec/fingerd/Makefile
===================================================================
RCS file: /cvsroot/src/libexec/fingerd/Makefile,v
retrieving revision 1.9
diff -u -p -r1.9 Makefile
--- libexec/fingerd/Makefile 10 Jan 2005 02:58:58 -0000 1.9
+++ libexec/fingerd/Makefile 3 Jul 2020 14:09:30 -0000
@@ -6,6 +6,9 @@ PROG= fingerd
 MAN= fingerd.8
+LDADD+= -lblocklist
+DPADD+= ${LIBBLOCKLIST}
+
 .if (${USE_INET6} != "no")
 CPPFLAGS+=-DINET6
 .endif
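Review bot: In the fingerd.c hunk at `@@ -131,7 +153,13 @@`, `getpwnam(line)` runs before the `fgets(line, sizeof(line), stdin)` that follows it, so `line` is still an uninitialised stack buffer when it is looked up; the read is undefined behaviour and the blocklist report is based on stack garbage rather than on the name the client sent. The lookup should move below the read (the `fgets` block continues outside the hunk) and work on a copy with the line terminator removed, e.g. `name[strcspn(name, "\r\n")] = '\0';` followed by `if (getpwnam(name) == NULL)`, because `fgets` keeps the newline. A request line can presumably carry more than one token, so the check may belong in the per-argument loop further down rather than on the whole line. The comment would also be clearer as `/* With -m, an unknown login name is reported as a failed lookup; BLOCKLIST_BAD_USER would fit better once implemented. */`.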