2 This module is an adaption of code from the tcpd-1.4 package written
3 by Wietse Venema, Eindhoven University of Technology, The Netherlands.
5 The code is used here with permission.
7 The code has been considerably changed from the original. Bug reports
8 should be sent to samba-technical@lists.samba.org
10 Updated for IPv6 by Jeremy Allison (C) 2007.
14 #include "system/locale.h"
15 #include "lib/util/debug.h"
16 #include "../lib/util/memcache.h"
17 #include "lib/socket/interfaces.h"
18 #include "lib/util/samba_util.h"
19 #include "lib/util/util_net.h"
20 #include "lib/util/samba_util.h"
21 #include "lib/util/memory.h"
22 #include "lib/util/access.h"
23 #include "lib/util/unix_match.h"
28 /* masked_match - match address against netnumber/netmask */
29 static bool masked_match(const char *tok
, const char *slash
, const char *s
)
31 struct sockaddr_storage ss_mask
;
32 struct sockaddr_storage ss_tok
;
33 struct sockaddr_storage ss_host
;
34 char *tok_copy
= NULL
;
36 if (!interpret_string_addr(&ss_host
, s
, 0)) {
41 /* IPv6 address - remove braces. */
42 tok_copy
= smb_xstrdup(tok
+1);
46 /* Remove the terminating ']' */
47 tok_copy
[PTR_DIFF(slash
,tok
)-1] = '\0';
49 tok_copy
= smb_xstrdup(tok
);
53 /* Remove the terminating '/' */
54 tok_copy
[PTR_DIFF(slash
,tok
)] = '\0';
57 if (!interpret_string_addr(&ss_tok
, tok_copy
, 0)) {
64 if (strlen(slash
+ 1) > 2) {
65 if (!interpret_string_addr(&ss_mask
, slash
+1, 0)) {
70 unsigned long val
= strtoul(slash
+1, &endp
, 0);
71 if (slash
+1 == endp
|| (endp
&& *endp
!= '\0')) {
74 if (!make_netmask(&ss_mask
, &ss_tok
, val
)) {
79 return same_net((struct sockaddr
*)(void *)&ss_host
,
80 (struct sockaddr
*)(void *)&ss_tok
,
81 (struct sockaddr
*)(void *)&ss_mask
);
84 /* string_match - match string s against token tok */
85 static bool string_match(const char *tok
,const char *s
)
91 /* Return true if a token has the magic value "ALL". Return
92 * true if the token is "FAIL". If the token starts with a "."
93 * (domain name), return true if it matches the last fields of
94 * the string. If the token has the magic value "LOCAL",
95 * return true if the string does not contain a "."
96 * character. If the token ends on a "." (network number),
97 * return true if it matches the first fields of the
98 * string. If the token begins with a "@" (netgroup name),
99 * return true if the string is a (host) member of the
100 * netgroup. Return true if the token fully matches the
101 * string. If the token is a netnumber/netmask pair, return
102 * true if the address is a member of the specified subnet.
105 if (tok
[0] == '.') { /* domain: match last fields */
106 if ((str_len
= strlen(s
)) > (tok_len
= strlen(tok
))
107 && strequal_m(tok
, s
+ str_len
- tok_len
)) {
110 } else if (tok
[0] == '@') { /* netgroup: look it up */
113 char *mydomain
= NULL
;
114 char *hostname
= NULL
;
115 bool netgroup_ok
= false;
118 NULL
, SINGLETON_CACHE
,
119 data_blob_string_const_null("yp_default_domain"),
122 SMB_ASSERT(tmp
.length
> 0);
123 mydomain
= (tmp
.data
[0] == '\0')
124 ? NULL
: (char *)tmp
.data
;
127 yp_get_default_domain(&mydomain
);
130 NULL
, SINGLETON_CACHE
,
131 data_blob_string_const_null("yp_default_domain"),
132 data_blob_string_const_null(mydomain
?mydomain
:""));
136 DEBUG(0,("Unable to get default yp domain. "
137 "Try without it.\n"));
139 if (!(hostname
= smb_xstrdup(s
))) {
140 DEBUG(1,("out of memory for strdup!\n"));
144 netgroup_ok
= innetgr(tok
+ 1, hostname
, (char *) 0, mydomain
);
146 DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
148 mydomain
?mydomain
:"(ANY)",
150 BOOLSTR(netgroup_ok
)));
157 DEBUG(0,("access: netgroup support is not configured\n"));
160 } else if (strequal_m(tok
, "ALL")) { /* all: match any */
162 } else if (strequal_m(tok
, "FAIL")) { /* fail: match any */
164 } else if (strequal_m(tok
, "LOCAL")) { /* local: no dots */
165 if (strchr_m(s
, '.') == 0 && !strequal_m(s
, "unknown")) {
168 } else if (strequal_m(tok
, s
)) { /* match host name or address */
170 } else if (tok
[(tok_len
= strlen(tok
)) - 1] == '.') { /* network */
171 if (strncmp(tok
, s
, tok_len
) == 0) {
174 } else if ((cut
= strchr_m(tok
, '/')) != 0) { /* netnumber/netmask */
175 if ((isdigit(s
[0]) && strchr_m(tok
, '.') != NULL
) ||
176 (tok
[0] == '[' && cut
> tok
&& cut
[-1] == ']') ||
177 ((isxdigit(s
[0]) || s
[0] == ':') &&
178 strchr_m(tok
, ':') != NULL
)) {
180 * [IPv6:addr]/netmask or IPv6:addr/netmask */
181 return masked_match(tok
, cut
, s
);
183 } else if (strchr_m(tok
, '*') != 0 || strchr_m(tok
, '?')) {
184 return unix_wild_match(tok
, s
);
189 /* client_match - match host name and address against token */
190 bool client_match(const char *tok
, const void *item
)
192 const char **client
= discard_const_p(const char *, item
);
193 const char *tok_addr
= tok
;
194 const char *cli_addr
= client
[ADDR_INDEX
];
197 * tok and client[ADDR_INDEX] can be an IPv4 mapped to IPv6,
198 * we try and match the IPv4 part of address only.
199 * Bug #5311 and #7383.
202 if (strncasecmp_m(tok_addr
, "::ffff:", 7) == 0) {
206 if (strncasecmp_m(cli_addr
, "::ffff:", 7) == 0) {
211 * Try to match the address first. If that fails, try to match the host
215 if (string_match(tok_addr
, cli_addr
)) {
219 if (client
[NAME_INDEX
][0] != 0) {
220 if (string_match(tok
, client
[NAME_INDEX
])) {
228 /* list_match - match an item against a list of tokens with exceptions */
229 bool list_match(const char **list
,const void *item
,
230 bool (*match_fn
)(const char *, const void *))
239 * Process tokens one at a time. We have exhausted all possible matches
240 * when we reach an "EXCEPT" token or the end of the list. If we do find
241 * a match, look for an "EXCEPT" list and recurse to determine whether
242 * the match is affected by any exceptions.
245 for (; *list
; list
++) {
246 if (strequal_m(*list
, "EXCEPT")) {
247 /* EXCEPT: give up */
250 if ((match
= (*match_fn
) (*list
, item
))) {
255 /* Process exceptions to true or FAIL matches. */
257 if (match
!= false) {
258 while (*list
&& !strequal_m(*list
, "EXCEPT")) {
262 for (; *list
; list
++) {
263 if ((*match_fn
) (*list
, item
)) {
264 /* Exception Found */
273 /* return true if access should be allowed */
274 static bool allow_access_internal(const char **deny_list
,
275 const char **allow_list
,
279 const char *client
[2];
281 client
[NAME_INDEX
] = cname
;
282 client
[ADDR_INDEX
] = caddr
;
284 /* if it is loopback then always allow unless specifically denied */
285 if (strcmp(caddr
, "127.0.0.1") == 0 || strcmp(caddr
, "::1") == 0) {
287 * If 127.0.0.1 matches both allow and deny then allow.
288 * Patch from Steve Langasek vorlon@netexpress.net.
291 list_match(deny_list
,client
,client_match
) &&
293 !list_match(allow_list
,client
, client_match
))) {
299 /* if theres no deny list and no allow list then allow access */
300 if ((!deny_list
|| *deny_list
== 0) &&
301 (!allow_list
|| *allow_list
== 0)) {
305 /* if there is an allow list but no deny list then allow only hosts
307 if (!deny_list
|| *deny_list
== 0) {
308 return(list_match(allow_list
,client
,client_match
));
311 /* if theres a deny list but no allow list then allow
312 all hosts not on the deny list */
313 if (!allow_list
|| *allow_list
== 0) {
314 return(!list_match(deny_list
,client
,client_match
));
317 /* if there are both types of list then allow all hosts on the
319 if (list_match(allow_list
,(const char *)client
,client_match
)) {
323 /* if there are both types of list and it's not on the allow then
324 allow it if its not on the deny */
325 if (list_match(deny_list
,(const char *)client
,client_match
)) {
332 /* return true if access should be allowed - doesn't print log message */
333 bool allow_access_nolog(const char **deny_list
,
334 const char **allow_list
,
339 char *nc_cname
= smb_xstrdup(cname
);
340 char *nc_caddr
= smb_xstrdup(caddr
);
342 ret
= allow_access_internal(deny_list
, allow_list
, nc_cname
, nc_caddr
);
349 /* return true if access should be allowed - prints log message */
350 bool allow_access(const char **deny_list
,
351 const char **allow_list
,
357 ret
= allow_access_nolog(deny_list
, allow_list
, cname
, caddr
);
360 ("%s connection from %s (%s)\n",
361 ret
? "Allowed" : "Denied", cname
, caddr
));