source/lib/access.c

   1 /*
   2    This module is an adaption of code from the tcpd-1.4 package written
   3    by Wietse Venema, Eindhoven University of Technology, The Netherlands.
   4
   5    The code is used here with permission.
   6
   7    The code has been considerably changed from the original. Bug reports
   8    should be sent to samba@samba.org
   9 */
  10
  11 #include "includes.h"
  12
  13 #define FAIL            (-1)
  14
  15 #define ALLONES  ((uint32)0xFFFFFFFF)
  16
  17 /* masked_match - match address against netnumber/netmask */
  18 static BOOL masked_match(const char *tok, const char *slash, const char *s)
  19 {
  20         uint32 net;
  21         uint32 mask;
  22         uint32 addr;
  23         fstring tok_cpy;
  24
  25         if ((addr = interpret_addr(s)) == INADDR_NONE)
  26                 return (False);
  27
  28         fstrcpy(tok_cpy, tok);
  29         tok_cpy[PTR_DIFF(slash,tok)] = '\0';
  30         net = interpret_addr(tok_cpy);
  31         tok_cpy[PTR_DIFF(slash,tok)] = '/';
  32
  33         if (strlen(slash + 1) > 2) {
  34                 mask = interpret_addr(slash + 1);
  35         } else {
  36                 mask = (uint32)((ALLONES << atoi(slash + 1)) ^ ALLONES);
  37         }
  38
  39         if (net == INADDR_NONE || mask == INADDR_NONE) {
  40                 DEBUG(0,("access: bad net/mask access control: %s\n", tok));
  41                 return (False);
  42         }
  43         return ((addr & mask) == net);
  44 }
  45
  46 /* string_match - match string against token */
  47 static BOOL string_match(const char *tok,const char *s, char *invalid_char)
  48 {
  49         size_t     tok_len;
  50         size_t     str_len;
  51         const char   *cut;
  52
  53         *invalid_char = '\0';
  54
  55         /* Return True if a token has the magic value "ALL". Return
  56          * FAIL if the token is "FAIL". If the token starts with a "."
  57          * (domain name), return True if it matches the last fields of
  58          * the string. If the token has the magic value "LOCAL",
  59          * return True if the string does not contain a "."
  60          * character. If the token ends on a "." (network number),
  61          * return True if it matches the first fields of the
  62          * string. If the token begins with a "@" (netgroup name),
  63          * return True if the string is a (host) member of the
  64          * netgroup. Return True if the token fully matches the
  65          * string. If the token is a netnumber/netmask pair, return
  66          * True if the address is a member of the specified subnet.
  67          */
  68
  69         if (tok[0] == '.') {                    /* domain: match last fields */
  70                 if ((str_len = strlen(s)) > (tok_len = strlen(tok))
  71                     && strcasecmp(tok, s + str_len - tok_len) == 0)
  72                         return (True);
  73         } else if (tok[0] == '@') { /* netgroup: look it up */
  74 #ifdef  HAVE_NETGROUP
  75                 static char *mydomain = NULL;
  76                 char *hostname = NULL;
  77                 BOOL netgroup_ok = False;
  78
  79                 if (!mydomain)
  80                         yp_get_default_domain(&mydomain);
  81
  82                 if (!mydomain) {
  83                         DEBUG(0,("Unable to get default yp domain.\n"));
  84                         return False;
  85                 }
  86                 if (!(hostname = strdup(s))) {
  87                         DEBUG(1,("out of memory for strdup!\n"));
  88                         return False;
  89                 }
  90
  91                 netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
  92
  93                 DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
  94                          hostname,
  95                          mydomain,
  96                          tok+1,
  97                          BOOLSTR(netgroup_ok)));
  98
  99                 SAFE_FREE(hostname);
 100
 101                 if (netgroup_ok)
 102                         return(True);
 103 #else
 104                 DEBUG(0,("access: netgroup support is not configured\n"));
 105                 return (False);
 106 #endif
 107         } else if (strcasecmp(tok, "ALL") == 0) {       /* all: match any */
 108                 return (True);
 109         } else if (strcasecmp(tok, "FAIL") == 0) {      /* fail: match any */
 110                 return (FAIL);
 111         } else if (strcasecmp(tok, "LOCAL") == 0) {     /* local: no dots */
 112                 if (strchr_m(s, '.') == 0 && strcasecmp(s, "unknown") != 0)
 113                         return (True);
 114         } else if (!strcasecmp(tok, s)) {   /* match host name or address */
 115                 return (True);
 116         } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {   /* network */
 117                 if (strncmp(tok, s, tok_len) == 0)
 118                         return (True);
 119         } else if ((cut = strchr_m(tok, '/')) != 0) {   /* netnumber/netmask */
 120                 if (isdigit((int)s[0]) && masked_match(tok, cut, s))
 121                         return (True);
 122         } else if (strchr_m(tok, '*') != 0) {
 123                 *invalid_char = '*';
 124         } else if (strchr_m(tok, '?') != 0) {
 125                 *invalid_char = '?';
 126         }
 127         return (False);
 128 }
 129
 130 /* client_match - match host name and address against token */
 131 static BOOL client_match(const char *tok, const char *item)
 132 {
 133         const char **client = (const char **)item;
 134         BOOL match;
 135         char invalid_char = '\0';
 136
 137         /*
 138          * Try to match the address first. If that fails, try to match the host
 139          * name if available.
 140          */
 141
 142         if ((match = string_match(tok, client[1], &invalid_char)) == 0) {
 143                 if(invalid_char)
 144                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 145 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 146
 147                 if (client[0][0] != 0)
 148                         match = string_match(tok, client[0], &invalid_char);
 149
 150                 if(invalid_char)
 151                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 152 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 153         }
 154
 155         return (match);
 156 }
 157
 158 /* list_match - match an item against a list of tokens with exceptions */
 159 static BOOL list_match(const char **list,const char *item,
 160                 BOOL (*match_fn)(const char *, const char *))
 161 {
 162         BOOL match = False;
 163
 164         if (!list)
 165                 return False;
 166
 167         /*
 168          * Process tokens one at a time. We have exhausted all possible matches
 169          * when we reach an "EXCEPT" token or the end of the list. If we do find
 170          * a match, look for an "EXCEPT" list and recurse to determine whether
 171          * the match is affected by any exceptions.
 172          */
 173
 174         for (; *list ; list++) {
 175                 if (strcasecmp(*list, "EXCEPT") == 0)   /* EXCEPT: give up */
 176                         break;
 177                 if ((match = (*match_fn) (*list, item)))        /* True or FAIL */
 178                         break;
 179         }
 180         /* Process exceptions to True or FAIL matches. */
 181
 182         if (match != False) {
 183                 while (*list  && strcasecmp(*list, "EXCEPT"))
 184                         list++;
 185
 186                 for (; *list; list++) {
 187                         if ((*match_fn) (*list, item)) /* Exception Found */
 188                                 return False;
 189                 }
 190         }
 191
 192         return (match);
 193 }
 194
 195 /* return true if access should be allowed */
 196 static BOOL allow_access_internal(const char **deny_list,const char **allow_list,
 197                         const char *cname, const char *caddr)
 198 {
 199         const char *client[2];
 200
 201         client[0] = cname;
 202         client[1] = caddr;
 203
 204         /* if it is loopback then always allow unless specifically denied */
 205         if (strcmp(caddr, "127.0.0.1") == 0) {
 206                 /*
 207                  * If 127.0.0.1 matches both allow and deny then allow.
 208                  * Patch from Steve Langasek vorlon@netexpress.net.
 209                  */
 210                 if (deny_list &&
 211                         list_match(deny_list,(const char *)client,client_match) &&
 212                                 (!allow_list ||
 213                                 !list_match(allow_list,(const char *)client, client_match))) {
 214                         return False;
 215                 }
 216                 return True;
 217         }
 218
 219         /* if theres no deny list and no allow list then allow access */
 220         if ((!deny_list || *deny_list == 0) &&
 221             (!allow_list || *allow_list == 0)) {
 222                 return(True);
 223         }
 224
 225         /* if there is an allow list but no deny list then allow only hosts
 226            on the allow list */
 227         if (!deny_list || *deny_list == 0)
 228                 return(list_match(allow_list,(const char *)client,client_match));
 229
 230         /* if theres a deny list but no allow list then allow
 231            all hosts not on the deny list */
 232         if (!allow_list || *allow_list == 0)
 233                 return(!list_match(deny_list,(const char *)client,client_match));
 234
 235         /* if there are both types of list then allow all hosts on the
 236            allow list */
 237         if (list_match(allow_list,(const char *)client,client_match))
 238                 return (True);
 239
 240         /* if there are both types of list and it's not on the allow then
 241            allow it if its not on the deny */
 242         if (list_match(deny_list,(const char *)client,client_match))
 243                 return (False);
 244
 245         return (True);
 246 }
 247
 248 /* return true if access should be allowed */
 249 BOOL allow_access(const char **deny_list, const char **allow_list,
 250                   const char *cname, const char *caddr)
 251 {
 252         BOOL ret;
 253         char *nc_cname = smb_xstrdup(cname);
 254         char *nc_caddr = smb_xstrdup(caddr);
 255
 256         ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
 257
 258         SAFE_FREE(nc_cname);
 259         SAFE_FREE(nc_caddr);
 260         return ret;
 261 }
 262
 263 /* return true if the char* contains ip addrs only.  Used to avoid
 264 gethostbyaddr() calls */
 265
 266 static BOOL only_ipaddrs_in_list(const char** list)
 267 {
 268         BOOL only_ip = True;
 269
 270         if (!list)
 271                 return True;
 272
 273         for (; *list ; list++) {
 274                 /* factor out the special strings */
 275                 if (!strcasecmp(*list, "ALL") || !strcasecmp(*list, "FAIL") ||
 276                     !strcasecmp(*list, "EXCEPT")) {
 277                         continue;
 278                 }
 279
 280                 if (!is_ipaddress(*list)) {
 281                         char *p;
 282                         /*
 283                          * if we failed, make sure that it was not because the token
 284                          * was a network/netmask pair.  Only network/netmask pairs
 285                          * have a '/' in them
 286                          */
 287                         if ((p=strchr_m(*list, '/')) == NULL) {
 288                                 only_ip = False;
 289                                 DEBUG(3,("only_ipaddrs_in_list: list has non-ip address (%s)\n", *list));
 290                                 break;
 291                         }
 292                 }
 293         }
 294
 295         return only_ip;
 296 }
 297
 298 /* return true if access should be allowed to a service for a socket */
 299 BOOL check_access(int sock, const char **allow_list, const char **deny_list)
 300 {
 301         BOOL ret = False;
 302         BOOL only_ip = False;
 303
 304         if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0))
 305                 ret = True;
 306
 307         if (!ret) {
 308                 /* bypass gethostbyaddr() calls if the lists only contain IP addrs */
 309                 if (only_ipaddrs_in_list(allow_list) && only_ipaddrs_in_list(deny_list)) {
 310                         only_ip = True;
 311                         DEBUG (3, ("check_access: no hostnames in host allow/deny list.\n"));
 312                         ret = allow_access(deny_list,allow_list, "", get_socket_addr(sock));
 313                 } else {
 314                         DEBUG (3, ("check_access: hostnames in host allow/deny list.\n"));
 315                         ret = allow_access(deny_list,allow_list, get_socket_name(sock,True),
 316                                            get_socket_addr(sock));
 317                 }
 318
 319                 if (ret) {
 320                         DEBUG(2,("Allowed connection from %s (%s)\n",
 321                                  only_ip ? "" : get_socket_name(sock,True),
 322                                  get_socket_addr(sock)));
 323                 } else {
 324                         DEBUG(0,("Denied connection from %s (%s)\n",
 325                                  only_ip ? "" : get_socket_name(sock,True),
 326                                  get_socket_addr(sock)));
 327                 }
 328         }
 329
 330         return(ret);
 331 }