xref: /dragonfly/contrib/tcp_wrappers/tcpdchk.c (revision ae9447bd2bc98a5b32dec764b7e4a76ee850f6ad)
1  /*
2   * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3   *
4   * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5   *
6   * -a: complain about implicit "allow" at end of rule.
7   *
8   * -d: rules in current directory.
9   *
10   * -i: location of inetd.conf file.
11   *
12   * -v: show all rules.
13   *
14   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15   *
16   * $FreeBSD: src/contrib/tcp_wrappers/tcpdchk.c,v 1.3.2.1 2000/07/18 08:34:55 ume Exp $
17   */
18 
19 /* System libraries. */
20 
21 #include <sys/types.h>
22 #include <sys/stat.h>
23 #ifdef INET6
24 #include <sys/socket.h>
25 #endif
26 #include <netinet/in.h>
27 #include <arpa/inet.h>
28 #include <stdio.h>
29 #include <syslog.h>
30 #include <setjmp.h>
31 #include <errno.h>
32 #include <netdb.h>
33 #include <string.h>
34 #include <stdlib.h>
35 #include <unistd.h>
36 
37 extern void exit();
38 extern int optind;
39 extern char *optarg;
40 
41 #ifndef INADDR_NONE
42 #define INADDR_NONE     (-1)            /* XXX should be 0xffffffff */
43 #endif
44 
45 #ifndef S_ISDIR
46 #define S_ISDIR(m)  (((m) & S_IFMT) == S_IFDIR)
47 #endif
48 
49 /* Application-specific. */
50 
51 #include "tcpd.h"
52 #include "inetcf.h"
53 #include "scaffold.h"
54 
55  /*
56   * Stolen from hosts_access.c...
57   */
58 static char sep[] = ", \t\n";
59 
60 #define   BUFLEN 2048
61 
62 int     resident = 0;
63 int     hosts_access_verbose = 0;
64 char   *hosts_allow_table = HOSTS_ALLOW;
65 char   *hosts_deny_table = HOSTS_DENY;
66 extern jmp_buf tcpd_buf;
67 
68  /*
69   * Local stuff.
70   */
71 static void usage();
72 static void parse_table();
73 static void print_list();
74 static void check_daemon_list();
75 static void check_client_list();
76 static void check_daemon();
77 static void check_user();
78 static int check_host();
79 static int reserved_name();
80 
81 #define PERMIT      1
82 #define DENY        0
83 
84 #define YES         1
85 #define   NO        0
86 
87 static int defl_verdict;
88 static char *myname;
89 static int allow_check;
90 static char *inetcf;
91 
main(argc,argv)92 int     main(argc, argv)
93 int     argc;
94 char  **argv;
95 {
96     struct request_info request;
97     struct stat st;
98     int     c;
99 
100     myname = argv[0];
101 
102     /*
103      * Parse the JCL.
104      */
105     while ((c = getopt(argc, argv, "adi:v")) != EOF) {
106           switch (c) {
107           case 'a':
108               allow_check = 1;
109               break;
110           case 'd':
111               hosts_allow_table = "hosts.allow";
112               hosts_deny_table = "hosts.deny";
113               break;
114           case 'i':
115               inetcf = optarg;
116               break;
117           case 'v':
118               hosts_access_verbose++;
119               break;
120           default:
121               usage();
122               /* NOTREACHED */
123           }
124     }
125     if (argc != optind)
126           usage();
127 
128     /*
129      * When confusion really strikes...
130      */
131     if (check_path(REAL_DAEMON_DIR, &st) < 0) {
132           tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
133     } else if (!S_ISDIR(st.st_mode)) {
134           tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
135     }
136 
137     /*
138      * Process the inet configuration file (or its moral equivalent). This
139      * information is used later to find references in hosts.allow/deny to
140      * unwrapped services, and other possible problems.
141      */
142     inetcf = inet_cfg(inetcf);
143     if (hosts_access_verbose)
144           printf("Using network configuration file: %s\n", inetcf);
145 
146     /*
147      * These are not run from inetd but may have built-in access control.
148      */
149     inet_set("portmap", WR_NOT);
150     inet_set("rpcbind", WR_NOT);
151 
152     /*
153      * Check accessibility of access control files.
154      */
155     (void) check_path(hosts_allow_table, &st);
156     (void) check_path(hosts_deny_table, &st);
157 
158     /*
159      * Fake up an arbitrary service request.
160      */
161     request_init(&request,
162                      RQ_DAEMON, "daemon_name",
163                      RQ_SERVER_NAME, "server_hostname",
164                      RQ_SERVER_ADDR, "server_addr",
165                      RQ_USER, "user_name",
166                      RQ_CLIENT_NAME, "client_hostname",
167                      RQ_CLIENT_ADDR, "client_addr",
168                      RQ_FILE, 1,
169                      0);
170 
171     /*
172      * Examine all access-control rules.
173      */
174     defl_verdict = PERMIT;
175     parse_table(hosts_allow_table, &request);
176     defl_verdict = DENY;
177     parse_table(hosts_deny_table, &request);
178     return (0);
179 }
180 
181 /* usage - explain */
182 
usage()183 static void usage()
184 {
185     fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
186     fprintf(stderr, "         -a: report rules with implicit \"ALLOW\" at end\n");
187     fprintf(stderr, "         -d: use allow/deny files in current directory\n");
188     fprintf(stderr, "         -i: location of inetd.conf file\n");
189     fprintf(stderr, "         -v: list all rules\n");
190     exit(1);
191 }
192 
193 /* parse_table - like table_match(), but examines _all_ entries */
194 
parse_table(table,request)195 static void parse_table(table, request)
196 char   *table;
197 struct request_info *request;
198 {
199     FILE   *fp;
200     char    sv_list[BUFLEN];            /* becomes list of daemons */
201     char   *cl_list;                              /* becomes list of requests */
202     char   *sh_cmd;                     /* becomes optional shell command */
203     char    buf[BUFSIZ];
204 #ifdef PROCESS_OPTIONS
205     int     real_verdict, verdict;
206 #endif
207     struct tcpd_context saved_context;
208 
209     saved_context = tcpd_context;                 /* stupid compilers */
210 
211     if ((fp = fopen(table, "r")) != NULL) {
212           tcpd_context.file = table;
213           tcpd_context.line = 0;
214           while (xgets(sv_list, sizeof(sv_list), fp)) {
215               if (sv_list[strlen(sv_list) - 1] != '\n') {
216                     tcpd_warn("missing newline or line too long");
217                     continue;
218               }
219               if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
220                     continue;
221               if ((cl_list = split_at(sv_list, ':')) == 0) {
222                     tcpd_warn("missing \":\" separator");
223                     continue;
224               }
225               sh_cmd = split_at(cl_list, ':');
226 
227               if (hosts_access_verbose)
228                     printf("\n>>> Rule %s line %d:\n",
229                            tcpd_context.file, tcpd_context.line);
230 
231               if (hosts_access_verbose)
232                     print_list("daemons:  ", sv_list);
233               check_daemon_list(sv_list);
234 
235               if (hosts_access_verbose)
236                     print_list("clients:  ", cl_list);
237               check_client_list(cl_list);
238 
239 #ifdef PROCESS_OPTIONS
240               real_verdict = defl_verdict;
241               if (sh_cmd) {
242                     verdict = setjmp(tcpd_buf);
243                     if (verdict != 0) {
244                         real_verdict = (verdict == AC_PERMIT);
245                     } else {
246                         dry_run = 1;
247                         process_options(sh_cmd, request);
248                         if (dry_run == 1 && real_verdict && allow_check)
249                               tcpd_warn("implicit \"allow\" at end of rule");
250                     }
251               } else if (defl_verdict && allow_check) {
252                     tcpd_warn("implicit \"allow\" at end of rule");
253               }
254               if (hosts_access_verbose)
255                     printf("access:   %s\n", real_verdict ? "granted" : "denied");
256 #else
257               if (sh_cmd)
258                     shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
259               if (hosts_access_verbose)
260                     printf("access:   %s\n", defl_verdict ? "granted" : "denied");
261 #endif
262           }
263           (void) fclose(fp);
264     } else if (errno != ENOENT) {
265           tcpd_warn("cannot open %s: %m", table);
266     }
267     tcpd_context = saved_context;
268 }
269 
270 /* print_list - pretty-print a list */
271 
print_list(title,list)272 static void print_list(title, list)
273 char   *title;
274 char   *list;
275 {
276     char    buf[BUFLEN];
277     char   *cp;
278     char   *next;
279 
280     fputs(title, stdout);
281     strcpy(buf, list);
282 
283     for (cp = strtok(buf, sep); cp != 0; cp = next) {
284           fputs(cp, stdout);
285           next = strtok((char *) 0, sep);
286           if (next != 0)
287               fputs(" ", stdout);
288     }
289     fputs("\n", stdout);
290 }
291 
292 /* check_daemon_list - criticize daemon list */
293 
check_daemon_list(list)294 static void check_daemon_list(list)
295 char   *list;
296 {
297     char    buf[BUFLEN];
298     char   *cp;
299     char   *host;
300     int     daemons = 0;
301 
302     strcpy(buf, list);
303 
304     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
305           if (STR_EQ(cp, "EXCEPT")) {
306               daemons = 0;
307           } else {
308               daemons++;
309               if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
310                     tcpd_warn("host %s has more than one address", host);
311                     tcpd_warn("(consider using an address instead)");
312               }
313               check_daemon(cp);
314           }
315     }
316     if (daemons == 0)
317           tcpd_warn("daemon list is empty or ends in EXCEPT");
318 }
319 
320 /* check_client_list - criticize client list */
321 
check_client_list(list)322 static void check_client_list(list)
323 char   *list;
324 {
325     char    buf[BUFLEN];
326     char   *cp;
327     char   *host;
328     int     clients = 0;
329 
330     strcpy(buf, list);
331 
332     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
333           if (STR_EQ(cp, "EXCEPT")) {
334               clients = 0;
335           } else {
336               clients++;
337               if ((host = split_at(cp + 1, '@')) != NULL) { /* user@host */
338                     check_user(cp);
339                     check_host(host);
340               } else {
341                     check_host(cp);
342               }
343           }
344     }
345     if (clients == 0)
346           tcpd_warn("client list is empty or ends in EXCEPT");
347 }
348 
349 /* check_daemon - criticize daemon pattern */
350 
check_daemon(pat)351 static void check_daemon(pat)
352 char   *pat;
353 {
354     if (pat[0] == '@') {
355           tcpd_warn("%s: daemon name begins with \"@\"", pat);
356     } else if (pat[0] == '/') {
357           tcpd_warn("%s: daemon name begins with \"/\"", pat);
358     } else if (pat[0] == '.') {
359           tcpd_warn("%s: daemon name begins with dot", pat);
360     } else if (pat[strlen(pat) - 1] == '.') {
361           tcpd_warn("%s: daemon name ends in dot", pat);
362     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
363            /* void */ ;
364     } else if (STR_EQ(pat, "FAIL")) {             /* obsolete */
365           tcpd_warn("FAIL is no longer recognized");
366           tcpd_warn("(use EXCEPT or DENY instead)");
367     } else if (reserved_name(pat)) {
368           tcpd_warn("%s: daemon name may be reserved word", pat);
369     } else {
370           switch (inet_get(pat)) {
371           case WR_UNKNOWN:
372               tcpd_warn("%s: no such process name in %s", pat, inetcf);
373               inet_set(pat, WR_YES);              /* shut up next time */
374               break;
375           case WR_NOT:
376               tcpd_warn("%s: service possibly not wrapped", pat);
377               inet_set(pat, WR_YES);
378               break;
379           }
380     }
381 }
382 
383 /* check_user - criticize user pattern */
384 
check_user(pat)385 static void check_user(pat)
386 char   *pat;
387 {
388     if (pat[0] == '@') {                          /* @netgroup */
389           tcpd_warn("%s: user name begins with \"@\"", pat);
390     } else if (pat[0] == '/') {
391           tcpd_warn("%s: user name begins with \"/\"", pat);
392     } else if (pat[0] == '.') {
393           tcpd_warn("%s: user name begins with dot", pat);
394     } else if (pat[strlen(pat) - 1] == '.') {
395           tcpd_warn("%s: user name ends in dot", pat);
396     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
397                  || STR_EQ(pat, "KNOWN")) {
398            /* void */ ;
399     } else if (STR_EQ(pat, "FAIL")) {             /* obsolete */
400           tcpd_warn("FAIL is no longer recognized");
401           tcpd_warn("(use EXCEPT or DENY instead)");
402     } else if (reserved_name(pat)) {
403           tcpd_warn("%s: user name may be reserved word", pat);
404     }
405 }
406 
407 #ifdef INET6
is_inet6_addr(pat)408 static int is_inet6_addr(pat)
409     char *pat;
410 {
411     struct addrinfo hints, *res;
412     int len, ret;
413     char ch;
414 
415     if (*pat != '[')
416           return (0);
417     len = strlen(pat);
418     if ((ch = pat[len - 1]) != ']')
419           return (0);
420     pat[len - 1] = '\0';
421     memset(&hints, 0, sizeof(hints));
422     hints.ai_family = AF_INET6;
423     hints.ai_socktype = SOCK_STREAM;
424     hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
425     if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
426           freeaddrinfo(res);
427     pat[len - 1] = ch;
428     return (ret == 0);
429 }
430 #endif
431 
432 /* check_host - criticize host pattern */
433 
check_host(pat)434 static int check_host(pat)
435 char   *pat;
436 {
437     char    buf[BUFSIZ];
438     char   *mask;
439     int     addr_count = 1;
440     FILE   *fp;
441     struct tcpd_context saved_context;
442     char   *cp;
443     char   *wsp = " \t\r\n";
444 
445     if (pat[0] == '@') {                          /* @netgroup */
446 #ifdef NO_NETGRENT
447           /* SCO has no *netgrent() support */
448 #else
449 #ifdef NETGROUP
450           char   *machinep;
451           char   *userp;
452           char   *domainp;
453 
454           setnetgrent(pat + 1);
455           if (getnetgrent(&machinep, &userp, &domainp) == 0)
456               tcpd_warn("%s: unknown or empty netgroup", pat + 1);
457           endnetgrent();
458 #else
459           tcpd_warn("netgroup support disabled");
460 #endif
461 #endif
462     } else if (pat[0] == '/') {                             /* /path/name */
463           if ((fp = fopen(pat, "r")) != 0) {
464               saved_context = tcpd_context;
465               tcpd_context.file = pat;
466               tcpd_context.line = 0;
467               while (fgets(buf, sizeof(buf), fp)) {
468                     tcpd_context.line++;
469                     for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
470                         check_host(cp);
471               }
472               tcpd_context = saved_context;
473               fclose(fp);
474           } else if (errno != ENOENT) {
475               tcpd_warn("open %s: %m", pat);
476           }
477     } else if ((mask = split_at(pat, '/')) != NULL) {       /* network/netmask */
478 #ifdef INET6
479           int mask_len;
480 
481           if ((dot_quad_addr(pat) == INADDR_NONE
482               || dot_quad_addr(mask) == INADDR_NONE)
483               && (!is_inet6_addr(pat)
484                     || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
485 #else
486           if (dot_quad_addr(pat) == INADDR_NONE
487               || dot_quad_addr(mask) == INADDR_NONE)
488 #endif
489               tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
490     } else if (STR_EQ(pat, "FAIL")) {             /* obsolete */
491           tcpd_warn("FAIL is no longer recognized");
492           tcpd_warn("(use EXCEPT or DENY instead)");
493     } else if (reserved_name(pat)) {              /* other reserved */
494            /* void */ ;
495 #ifdef INET6
496     } else if (is_inet6_addr(pat)) { /* IPv6 address */
497           addr_count = 1;
498 #endif
499     } else if (NOT_INADDR(pat)) {                 /* internet name */
500           if (pat[strlen(pat) - 1] == '.') {
501               tcpd_warn("%s: domain or host name ends in dot", pat);
502           } else if (pat[0] != '.') {
503               addr_count = check_dns(pat);
504           }
505     } else {                                                /* numeric form */
506           if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
507               /* void */ ;
508           } else if (pat[0] == '.') {
509               tcpd_warn("%s: network number begins with dot", pat);
510           } else if (pat[strlen(pat) - 1] != '.') {
511               check_dns(pat);
512           }
513     }
514     return (addr_count);
515 }
516 
517 /* reserved_name - determine if name is reserved */
518 
reserved_name(pat)519 static int reserved_name(pat)
520 char   *pat;
521 {
522     return (STR_EQ(pat, unknown)
523               || STR_EQ(pat, "KNOWN")
524               || STR_EQ(pat, paranoid)
525               || STR_EQ(pat, "ALL")
526               || STR_EQ(pat, "LOCAL"));
527 }
528