source/lib/access.c

   1 /*
   2    This module is an adaption of code from the tcpd-1.4 package written
   3    by Wietse Venema, Eindhoven University of Technology, The Netherlands.
   4
   5    The code is used here with permission.
   6
   7    The code has been considerably changed from the original. Bug reports
   8    should be sent to samba@samba.org
   9 */
  10
  11 #include "includes.h"
  12
  13 /* Delimiters for lists of daemons or clients. */
  14 static const char *sep = ", \t";
  15
  16 #define FAIL            (-1)
  17
  18 #define ALLONES  ((uint32)0xFFFFFFFF)
  19
  20 /* masked_match - match address against netnumber/netmask */
  21 static int masked_match(char *tok, char *slash, char *s)
  22 {
  23         uint32 net;
  24         uint32 mask;
  25         uint32 addr;
  26
  27         if ((addr = interpret_addr(s)) == INADDR_NONE)
  28                 return (False);
  29         *slash = 0;
  30         net = interpret_addr(tok);
  31         *slash = '/';
  32
  33         if (strlen(slash + 1) > 2) {
  34                 mask = interpret_addr(slash + 1);
  35         } else {
  36                 mask = (uint32)((ALLONES >> atoi(slash + 1)) ^ ALLONES);
  37         }
  38
  39         if (net == INADDR_NONE || mask == INADDR_NONE) {
  40                 DEBUG(0,("access: bad net/mask access control: %s\n", tok));
  41                 return (False);
  42         }
  43         return ((addr & mask) == net);
  44 }
  45
  46 /* string_match - match string against token */
  47 static int string_match(char *tok,char *s, char *invalid_char)
  48 {
  49         size_t     tok_len;
  50         size_t     str_len;
  51         char   *cut;
  52
  53         *invalid_char = '\0';
  54
  55         /* Return True if a token has the magic value "ALL". Return
  56          * FAIL if the token is "FAIL". If the token starts with a "."
  57          * (domain name), return True if it matches the last fields of
  58          * the string. If the token has the magic value "LOCAL",
  59          * return True if the string does not contain a "."
  60          * character. If the token ends on a "." (network number),
  61          * return True if it matches the first fields of the
  62          * string. If the token begins with a "@" (netgroup name),
  63          * return True if the string is a (host) member of the
  64          * netgroup. Return True if the token fully matches the
  65          * string. If the token is a netnumber/netmask pair, return
  66          * True if the address is a member of the specified subnet.  */
  67
  68         if (tok[0] == '.') {                    /* domain: match last fields */
  69                 if ((str_len = strlen(s)) > (tok_len = strlen(tok))
  70                     && strcasecmp(tok, s + str_len - tok_len) == 0)
  71                         return (True);
  72         } else if (tok[0] == '@') { /* netgroup: look it up */
  73 #ifdef  HAVE_NETGROUP
  74                 static char *mydomain = NULL;
  75                 char *hostname = NULL;
  76                 BOOL netgroup_ok = False;
  77
  78                 if (!mydomain) yp_get_default_domain(&mydomain);
  79
  80                 if (!mydomain) {
  81                         DEBUG(0,("Unable to get default yp domain.\n"));
  82                         return False;
  83                 }
  84                 if (!(hostname = strdup(s))) {
  85                         DEBUG(1,("out of memory for strdup!\n"));
  86                         return False;
  87                 }
  88
  89                 netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
  90
  91                 DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
  92                          hostname,
  93                          mydomain,
  94                          tok+1,
  95                          BOOLSTR(netgroup_ok)));
  96
  97                 SAFE_FREE(hostname);
  98
  99                 if (netgroup_ok) return(True);
 100 #else
 101                 DEBUG(0,("access: netgroup support is not configured\n"));
 102                 return (False);
 103 #endif
 104         } else if (strcasecmp(tok, "ALL") == 0) {       /* all: match any */
 105                 return (True);
 106         } else if (strcasecmp(tok, "FAIL") == 0) {      /* fail: match any */
 107                 return (FAIL);
 108         } else if (strcasecmp(tok, "LOCAL") == 0) {     /* local: no dots */
 109                 if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0)
 110                         return (True);
 111         } else if (!strcasecmp(tok, s)) {   /* match host name or address */
 112                 return (True);
 113         } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {   /* network */
 114                 if (strncmp(tok, s, tok_len) == 0)
 115                         return (True);
 116         } else if ((cut = strchr(tok, '/')) != 0) {     /* netnumber/netmask */
 117                 if (isdigit((int)s[0]) && masked_match(tok, cut, s))
 118                         return (True);
 119         } else if (strchr(tok, '*') != 0) {
 120                 *invalid_char = '*';
 121         } else if (strchr(tok, '?') != 0) {
 122                 *invalid_char = '?';
 123         }
 124         return (False);
 125 }
 126
 127
 128 /* client_match - match host name and address against token */
 129 static int client_match(char *tok,char *item)
 130 {
 131     char **client = (char **)item;
 132     int     match;
 133         char invalid_char = '\0';
 134
 135     /*
 136      * Try to match the address first. If that fails, try to match the host
 137      * name if available.
 138      */
 139
 140     if ((match = string_match(tok, client[1], &invalid_char)) == 0) {
 141                 if(invalid_char)
 142                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 143 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 144
 145                 if (client[0][0] != 0)
 146                         match = string_match(tok, client[0], &invalid_char);
 147
 148                 if(invalid_char)
 149                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 150 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 151         }
 152
 153     return (match);
 154 }
 155
 156 /* list_match - match an item against a list of tokens with exceptions */
 157 /* (All modifications are marked with the initials "jkf") */
 158 static int list_match(char *list,char *item, int (*match_fn)(char *, char *))
 159 {
 160     char   *tok;
 161     char   *listcopy;           /* jkf */
 162     int     match = False;
 163
 164     /*
 165      * jkf@soton.ac.uk -- 31 August 1994 -- Stop list_match()
 166      * overwriting the list given as its first parameter.
 167      */
 168
 169     /* jkf -- can get called recursively with NULL list */
 170     listcopy = (list == 0) ? (char *)0 : strdup(list);
 171
 172     /*
 173      * Process tokens one at a time. We have exhausted all possible matches
 174      * when we reach an "EXCEPT" token or the end of the list. If we do find
 175      * a match, look for an "EXCEPT" list and recurse to determine whether
 176      * the match is affected by any exceptions.
 177      */
 178
 179     for (tok = strtok(listcopy, sep); tok ; tok = strtok(NULL, sep)) {
 180         if (strcasecmp(tok, "EXCEPT") == 0)     /* EXCEPT: give up */
 181             break;
 182         if ((match = (*match_fn) (tok, item)))  /* True or FAIL */
 183             break;
 184     }
 185     /* Process exceptions to True or FAIL matches. */
 186
 187     if (match != False) {
 188         while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
 189              /* VOID */ ;
 190         if (tok == 0 || list_match((char *) 0, item, match_fn) == False) {
 191             SAFE_FREE(listcopy); /* jkf */
 192             return (match);
 193         }
 194     }
 195
 196     SAFE_FREE(listcopy); /* jkf */
 197     return (False);
 198 }
 199
 200
 201 /* return true if access should be allowed */
 202 BOOL allow_access(char *deny_list,char *allow_list,
 203                   char *cname,char *caddr)
 204 {
 205         char *client[2];
 206
 207         client[0] = cname;
 208         client[1] = caddr;
 209
 210         /* if it is loopback then always allow unless specifically denied */
 211         if (strcmp(caddr, "127.0.0.1") == 0) {
 212                 /*
 213                  * If 127.0.0.1 matches both allow and deny then allow.
 214                  * Patch from Steve Langasek vorlon@netexpress.net.
 215                  */
 216                 if (deny_list &&
 217                         list_match(deny_list,(char *)client,client_match) &&
 218                                 (!allow_list ||
 219                                 !list_match(allow_list,(char *)client, client_match))) {
 220                         return False;
 221                 }
 222                 return True;
 223         }
 224
 225         /* if theres no deny list and no allow list then allow access */
 226         if ((!deny_list || *deny_list == 0) &&
 227             (!allow_list || *allow_list == 0)) {
 228                 return(True);
 229         }
 230
 231         /* if there is an allow list but no deny list then allow only hosts
 232            on the allow list */
 233         if (!deny_list || *deny_list == 0)
 234                 return(list_match(allow_list,(char *)client,client_match));
 235
 236         /* if theres a deny list but no allow list then allow
 237            all hosts not on the deny list */
 238         if (!allow_list || *allow_list == 0)
 239                 return(!list_match(deny_list,(char *)client,client_match));
 240
 241         /* if there are both type of list then allow all hosts on the
 242            allow list */
 243         if (list_match(allow_list,(char *)client,client_match))
 244                 return (True);
 245
 246         /* if there are both type of list and it's not on the allow then
 247            allow it if its not on the deny */
 248         if (list_match(deny_list,(char *)client,client_match))
 249                 return (False);
 250
 251         return (True);
 252 }
 253
 254 /* return true if the char* contains ip addrs only.  Used to avoid
 255 gethostbyaddr() calls */
 256 static BOOL only_ipaddrs_in_list(const char* list)
 257 {
 258         BOOL            only_ip = True;
 259         char            *listcopy,
 260                         *tok;
 261
 262         listcopy = strdup(list);
 263
 264         for (tok = strtok(listcopy, sep); tok ; tok = strtok(NULL, sep))
 265         {
 266                 /* factor out the special strings */
 267                 if (!strcasecmp(tok, "ALL") || !strcasecmp(tok, "FAIL") ||
 268                     !strcasecmp(tok, "EXCEPT"))
 269                 {
 270                         continue;
 271                 }
 272
 273                 if (!is_ipaddress(tok))
 274                 {
 275                         /*
 276                          * if we failed, make sure that it was not because the token
 277                          * was a network/netmask pair.  Only network/netmask pairs
 278                          * have a '/' in them
 279                          */
 280                         if (strchr(tok, '/') == NULL)
 281                         {
 282                                 only_ip = False;
 283                                 DEBUG(3,("only_ipaddrs_in_list: list [%s] has non-ip address %s\n", list, tok));
 284                                 break;
 285                         }
 286                 }
 287         }
 288
 289         SAFE_FREE(listcopy);
 290
 291         return only_ip;
 292 }
 293
 294 /* return true if access should be allowed to a service for a socket */
 295 BOOL check_access(int sock, char *allow_list, char *deny_list)
 296 {
 297         BOOL ret = False;
 298         BOOL only_ip = False;
 299         char    *deny = NULL;
 300         char    *allow = NULL;
 301
 302         DEBUG(10,("check_access: allow = %s, deny = %s\n",
 303                 allow_list ? allow_list : "NULL",
 304                 deny_list ? deny_list : "NULL"));
 305
 306         if (deny_list)
 307                 deny = strdup(deny_list);
 308         if (allow_list)
 309                 allow = strdup(allow_list);
 310
 311         if ((!deny || *deny==0) && (!allow || *allow==0))
 312                 ret = True;
 313
 314         if (!ret) {
 315                 /* bypass gethostbyaddr() calls if the lists only contain IP addrs */
 316                 if (only_ipaddrs_in_list(allow) && only_ipaddrs_in_list(deny)) {
 317                         only_ip = True;
 318                         DEBUG (3, ("check_access: no hostnames in host allow/deny list.\n"));
 319                         ret = allow_access(deny,allow, "", get_socket_addr(sock));
 320                 } else {
 321                         DEBUG (3, ("check_access: hostnames in host allow/deny list.\n"));
 322                         ret = allow_access(deny,allow, get_socket_name(sock),
 323                                            get_socket_addr(sock));
 324                 }
 325
 326                 if (ret) {
 327                         DEBUG(2,("Allowed connection from %s (%s)\n",
 328                                  only_ip ? "" : get_socket_name(sock),
 329                                  get_socket_addr(sock)));
 330                 } else {
 331                         DEBUG(0,("Denied connection from %s (%s)\n",
 332                                  only_ip ? "" : get_socket_name(sock),
 333                                  get_socket_addr(sock)));
 334                 }
 335         }
 336
 337         SAFE_FREE(deny);
 338         SAFE_FREE(allow);
 339
 340         return(ret);
 341 }