search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Resync patch with contrib.
[dragonfly.git] / contrib / tcp_wrappers / tcpdmatch.c
blob047e2b93d159c0d3a16024104219b639fcc53d6b
1 /*
2 * tcpdmatch - explain what tcpd would do in a specific case
3 *
4 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
5 *
6 * -d: use the access control tables in the current directory.
7 *
8 * -i: location of inetd.conf file.
9 *
10 * All errors are reported to the standard error stream, including the errors
11 * that would normally be reported via the syslog daemon.
12 *
13 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
14 *
15 * $FreeBSD: src/contrib/tcp_wrappers/tcpdmatch.c,v 1.2.2.1 2000/07/18 08:34:55 ume Exp $
16 * $DragonFly: src/contrib/tcp_wrappers/tcpdmatch.c,v 1.2 2003/06/17 04:24:06 dillon Exp $
17 */
18
19 #ifndef lint
20 static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
21 #endif
22
23 /* System libraries. */
24
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <sys/socket.h>
28 #include <netinet/in.h>
29 #include <arpa/inet.h>
30 #include <netdb.h>
31 #include <stdio.h>
32 #include <syslog.h>
33 #include <setjmp.h>
34 #include <string.h>
35
36 extern void exit();
37 extern int optind;
38 extern char *optarg;
39
40 #ifndef INADDR_NONE
41 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
42 #endif
43
44 #ifndef S_ISDIR
45 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
46 #endif
47
48 /* Application-specific. */
49
50 #include "tcpd.h"
51 #include "inetcf.h"
52 #include "scaffold.h"
53
54 static void usage();
55 static void tcpdmatch();
56
57 /* The main program */
58
59 int main(argc, argv)
60 int argc;
61 char **argv;
62 {
63 #ifdef INET6
64 struct addrinfo hints, *hp, *res;
65 #else
66 struct hostent *hp;
67 #endif
68 char *myname = argv[0];
69 char *client;
70 char *server;
71 char *addr;
72 char *user;
73 char *daemon;
74 struct request_info request;
75 int ch;
76 char *inetcf = 0;
77 int count;
78 #ifdef INET6
79 struct sockaddr_storage server_sin;
80 struct sockaddr_storage client_sin;
81 #else
82 struct sockaddr_in server_sin;
83 struct sockaddr_in client_sin;
84 #endif
85 struct stat st;
86
87 /*
88 * Show what rule actually matched.
89 */
90 hosts_access_verbose = 2;
91
92 /*
93 * Parse the JCL.
94 */
95 while ((ch = getopt(argc, argv, "di:")) != EOF) {
96 switch (ch) {
97 case 'd':
98 hosts_allow_table = "hosts.allow";
99 hosts_deny_table = "hosts.deny";
100 break;
101 case 'i':
102 inetcf = optarg;
103 break;
104 default:
105 usage(myname);
106 /* NOTREACHED */
107 }
108 }
109 if (argc != optind + 2)
110 usage(myname);
111
112 /*
113 * When confusion really strikes...
114 */
115 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
116 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
117 } else if (!S_ISDIR(st.st_mode)) {
118 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
119 }
120
121 /*
122 * Default is to specify a daemon process name. When daemon@host is
123 * specified, separate the two parts.
124 */
125 if ((server = split_at(argv[optind], '@')) == 0)
126 server = unknown;
127 if (argv[optind][0] == '/') {
128 daemon = strrchr(argv[optind], '/') + 1;
129 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
130 } else {
131 daemon = argv[optind];
132 }
133
134 /*
135 * Default is to specify a client hostname or address. When user@host is
136 * specified, separate the two parts.
137 */
138 if ((client = split_at(argv[optind + 1], '@')) != 0) {
139 user = argv[optind + 1];
140 } else {
141 client = argv[optind + 1];
142 user = unknown;
143 }
144
145 /*
146 * Analyze the inetd (or tlid) configuration file, so that we can warn
147 * the user about services that may not be wrapped, services that are not
148 * configured, or services that are wrapped in an incorrect manner. Allow
149 * for services that are not run from inetd, or that have tcpd access
150 * control built into them.
151 */
152 inetcf = inet_cfg(inetcf);
153 inet_set("portmap", WR_NOT);
154 inet_set("rpcbind", WR_NOT);
155 switch (inet_get(daemon)) {
156 case WR_UNKNOWN:
157 tcpd_warn("%s: no such process name in %s", daemon, inetcf);
158 break;
159 case WR_NOT:
160 tcpd_warn("%s: service possibly not wrapped", daemon);
161 break;
162 }
163
164 /*
165 * Check accessibility of access control files.
166 */
167 (void) check_path(hosts_allow_table, &st);
168 (void) check_path(hosts_deny_table, &st);
169
170 /*
171 * Fill in what we have figured out sofar. Use socket and DNS routines
172 * for address and name conversions. We attach stdout to the request so
173 * that banner messages will become visible.
174 */
175 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
176 sock_methods(&request);
177
178 /*
179 * If a server hostname is specified, insist that the name maps to at
180 * most one address. eval_hostname() warns the user about name server
181 * problems, while using the request.server structure as a cache for host
182 * address and name conversion results.
183 */
184 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
185 if ((hp = find_inet_addr(server)) == 0)
186 exit(1);
187 #ifndef INET6
188 memset((char *) &server_sin, 0, sizeof(server_sin));
189 server_sin.sin_family = AF_INET;
190 #endif
191 request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
192
193 #ifdef INET6
194 for (res = hp, count = 0; res; res = res->ai_next, count++) {
195 memcpy(&server_sin, res->ai_addr, res->ai_addrlen);
196 #else
197 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
198 memcpy((char *) &server_sin.sin_addr, addr,
199 sizeof(server_sin.sin_addr));
200 #endif
201
202 /*
203 * Force evaluation of server host name and address. Host name
204 * conflicts will be reported while eval_hostname() does its job.
205 */
206 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
207 if (STR_EQ(eval_hostname(request.server), unknown))
208 tcpd_warn("host address %s->name lookup failed",
209 eval_hostaddr(request.server));
210 }
211 if (count > 1) {
212 fprintf(stderr, "Error: %s has more than one address\n", server);
213 fprintf(stderr, "Please specify an address instead\n");
214 exit(1);
215 }
216 #ifdef INET6
217 freeaddrinfo(hp);
218 #else
219 free((char *) hp);
220 #endif
221 } else {
222 request_set(&request, RQ_SERVER_NAME, server, 0);
223 }
224
225 /*
226 * If a client address is specified, we simulate the effect of client
227 * hostname lookup failure.
228 */
229 if (dot_quad_addr(client) != INADDR_NONE) {
230 request_set(&request, RQ_CLIENT_ADDR, client, 0);
231 tcpdmatch(&request);
232 exit(0);
233 }
234 #ifdef INET6
235 memset(&hints, 0, sizeof(hints));
236 hints.ai_family = AF_INET6;
237 hints.ai_socktype = SOCK_STREAM;
238 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
239 if (getaddrinfo(client, NULL, &hints, &res) == 0) {
240 freeaddrinfo(res);
241 request_set(&request, RQ_CLIENT_ADDR, client, 0);
242 tcpdmatch(&request);
243 exit(0);
244 }
245 #endif
246
247 /*
248 * Perhaps they are testing special client hostname patterns that aren't
249 * really host names at all.
250 */
251 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
252 request_set(&request, RQ_CLIENT_NAME, client, 0);
253 tcpdmatch(&request);
254 exit(0);
255 }
256
257 /*
258 * Otherwise, assume that a client hostname is specified, and insist that
259 * the address can be looked up. The reason for this requirement is that
260 * in real life the client address is available (at least with IP). Let
261 * eval_hostname() figure out if this host is properly registered, while
262 * using the request.client structure as a cache for host name and
263 * address conversion results.
264 */
265 if ((hp = find_inet_addr(client)) == 0)
266 exit(1);
267 #ifdef INET6
268 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
269
270 for (res = hp, count = 0; res; res = res->ai_next, count++) {
271 memcpy(&client_sin, res->ai_addr, res->ai_addrlen);
272
273 /*
274 * getnameinfo() doesn't do reverse lookup against link-local
275 * address. So, we pass through host name evaluation against
276 * such addresses.
277 */
278 if (res->ai_family != AF_INET6 ||
279 !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
280 /*
281 * Force evaluation of client host name and address. Host name
282 * conflicts will be reported while eval_hostname() does its job.
283 */
284 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
285 if (STR_EQ(eval_hostname(request.client), unknown))
286 tcpd_warn("host address %s->name lookup failed",
287 eval_hostaddr(request.client));
288 }
289 tcpdmatch(&request);
290 if (res->ai_next)
291 printf("\n");
292 }
293 freeaddrinfo(hp);
294 #else
295 memset((char *) &client_sin, 0, sizeof(client_sin));
296 client_sin.sin_family = AF_INET;
297 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
298
299 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
300 memcpy((char *) &client_sin.sin_addr, addr,
301 sizeof(client_sin.sin_addr));
302
303 /*
304 * Force evaluation of client host name and address. Host name
305 * conflicts will be reported while eval_hostname() does its job.
306 */
307 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
308 if (STR_EQ(eval_hostname(request.client), unknown))
309 tcpd_warn("host address %s->name lookup failed",
310 eval_hostaddr(request.client));
311 tcpdmatch(&request);
312 if (hp->h_addr_list[count + 1])
313 printf("\n");
314 }
315 free((char *) hp);
316 #endif
317 exit(0);
318 }
319
320 /* Explain how to use this program */
321
322 static void usage(myname)
323 char *myname;
324 {
325 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
326 myname);
327 fprintf(stderr, " -d: use allow/deny files in current directory\n");
328 fprintf(stderr, " -i: location of inetd.conf file\n");
329 exit(1);
330 }
331
332 /* Print interesting expansions */
333
334 static void expand(text, pattern, request)
335 char *text;
336 char *pattern;
337 struct request_info *request;
338 {
339 char buf[BUFSIZ];
340
341 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
342 printf("%s %s\n", text, buf);
343 }
344
345 /* Try out a (server,client) pair */
346
347 static void tcpdmatch(request)
348 struct request_info *request;
349 {
350 int verdict;
351
352 /*
353 * Show what we really know. Suppress uninteresting noise.
354 */
355 expand("client: hostname", "%n", request);
356 expand("client: address ", "%a", request);
357 expand("client: username", "%u", request);
358 expand("server: hostname", "%N", request);
359 expand("server: address ", "%A", request);
360 expand("server: process ", "%d", request);
361
362 /*
363 * Reset stuff that might be changed by options handlers. In dry-run
364 * mode, extension language routines that would not return should inform
365 * us of their plan, by clearing the dry_run flag. This is a bit clumsy
366 * but we must be able to verify hosts with more than one network
367 * address.
368 */
369 rfc931_timeout = RFC931_TIMEOUT;
370 allow_severity = SEVERITY;
371 deny_severity = LOG_WARNING;
372 dry_run = 1;
373
374 /*
375 * When paranoid mode is enabled, access is rejected no matter what the
376 * access control rules say.
377 */
378 #ifdef PARANOID
379 if (STR_EQ(eval_hostname(request->client), paranoid)) {
380 printf("access: denied (PARANOID mode)\n\n");
381 return;
382 }
383 #endif
384
385 /*
386 * Report the access control verdict.
387 */
388 verdict = hosts_access(request);
389 printf("access: %s\n",
390 dry_run == 0 ? "delegated" :
391 verdict ? "granted" : "denied");
392 }
DragonFly BSD