source/lib/access.c

   1 /*
   2    This module is an adaption of code from the tcpd-1.4 package written
   3    by Wietse Venema, Eindhoven University of Technology, The Netherlands.
   4
   5    The code is used here with permission.
   6
   7    The code has been considerably changed from the original. Bug reports
   8    should be sent to samba@samba.org
   9 */
  10
  11 #include "includes.h"
  12
  13 /* Delimiters for lists of daemons or clients. */
  14 static const char *sep = ", \t";
  15
  16 #define FAIL            (-1)
  17
  18 #define ALLONES  ((uint32)0xFFFFFFFF)
  19
  20 /* masked_match - match address against netnumber/netmask */
  21 static int masked_match(char *tok, char *slash, char *s)
  22 {
  23         uint32 net;
  24         uint32 mask;
  25         uint32 addr;
  26
  27         if ((addr = interpret_addr(s)) == INADDR_NONE)
  28                 return (False);
  29         *slash = 0;
  30         net = interpret_addr(tok);
  31         *slash = '/';
  32
  33         if (strlen(slash + 1) > 2) {
  34                 mask = interpret_addr(slash + 1);
  35         } else {
  36                 mask = (uint32)((ALLONES >> atoi(slash + 1)) ^ ALLONES);
  37                 /* convert to network byte order */
  38                 mask = htonl(mask);
  39         }
  40
  41         if (net == INADDR_NONE || mask == INADDR_NONE) {
  42                 DEBUG(0,("access: bad net/mask access control: %s\n", tok));
  43                 return (False);
  44         }
  45
  46         return ((addr & mask) == net);
  47 }
  48
  49 /* string_match - match string against token */
  50 static int string_match(char *tok,char *s, char *invalid_char)
  51 {
  52         size_t     tok_len;
  53         size_t     str_len;
  54         char   *cut;
  55
  56         *invalid_char = '\0';
  57
  58         /* Return True if a token has the magic value "ALL". Return
  59          * FAIL if the token is "FAIL". If the token starts with a "."
  60          * (domain name), return True if it matches the last fields of
  61          * the string. If the token has the magic value "LOCAL",
  62          * return True if the string does not contain a "."
  63          * character. If the token ends on a "." (network number),
  64          * return True if it matches the first fields of the
  65          * string. If the token begins with a "@" (netgroup name),
  66          * return True if the string is a (host) member of the
  67          * netgroup. Return True if the token fully matches the
  68          * string. If the token is a netnumber/netmask pair, return
  69          * True if the address is a member of the specified subnet.  */
  70
  71         if (tok[0] == '.') {                    /* domain: match last fields */
  72                 if ((str_len = strlen(s)) > (tok_len = strlen(tok))
  73                     && strcasecmp(tok, s + str_len - tok_len) == 0)
  74                         return (True);
  75         } else if (tok[0] == '@') { /* netgroup: look it up */
  76 #ifdef  HAVE_NETGROUP
  77                 static char *mydomain = NULL;
  78                 char *hostname = NULL;
  79                 BOOL netgroup_ok = False;
  80
  81                 if (!mydomain) yp_get_default_domain(&mydomain);
  82
  83                 if (!mydomain) {
  84                         DEBUG(0,("Unable to get default yp domain.\n"));
  85                         return False;
  86                 }
  87                 if (!(hostname = strdup(s))) {
  88                         DEBUG(1,("out of memory for strdup!\n"));
  89                         return False;
  90                 }
  91
  92                 netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
  93
  94                 DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
  95                          hostname,
  96                          mydomain,
  97                          tok+1,
  98                          BOOLSTR(netgroup_ok)));
  99
 100                 SAFE_FREE(hostname);
 101
 102                 if (netgroup_ok) return(True);
 103 #else
 104                 DEBUG(0,("access: netgroup support is not configured\n"));
 105                 return (False);
 106 #endif
 107         } else if (strcasecmp(tok, "ALL") == 0) {       /* all: match any */
 108                 return (True);
 109         } else if (strcasecmp(tok, "FAIL") == 0) {      /* fail: match any */
 110                 return (FAIL);
 111         } else if (strcasecmp(tok, "LOCAL") == 0) {     /* local: no dots */
 112                 if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0)
 113                         return (True);
 114         } else if (!strcasecmp(tok, s)) {   /* match host name or address */
 115                 return (True);
 116         } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {   /* network */
 117                 if (strncmp(tok, s, tok_len) == 0)
 118                         return (True);
 119         } else if ((cut = strchr(tok, '/')) != 0) {     /* netnumber/netmask */
 120                 if (isdigit((int)s[0]) && masked_match(tok, cut, s))
 121                         return (True);
 122         } else if (strchr(tok, '*') != 0) {
 123                 *invalid_char = '*';
 124         } else if (strchr(tok, '?') != 0) {
 125                 *invalid_char = '?';
 126         }
 127         return (False);
 128 }
 129
 130
 131 /* client_match - match host name and address against token */
 132 static int client_match(char *tok,char *item)
 133 {
 134     char **client = (char **)item;
 135     int     match;
 136         char invalid_char = '\0';
 137
 138     /*
 139      * Try to match the address first. If that fails, try to match the host
 140      * name if available.
 141      */
 142
 143     if ((match = string_match(tok, client[1], &invalid_char)) == 0) {
 144                 if(invalid_char)
 145                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 146 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 147
 148                 if (client[0][0] != 0)
 149                         match = string_match(tok, client[0], &invalid_char);
 150
 151                 if(invalid_char)
 152                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 153 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 154         }
 155
 156     return (match);
 157 }
 158
 159 /* list_match - match an item against a list of tokens with exceptions */
 160 /* (All modifications are marked with the initials "jkf") */
 161 static int list_match(char *list,char *item, int (*match_fn)(char *, char *))
 162 {
 163     char   *tok;
 164     char   *listcopy;           /* jkf */
 165     int     match = False;
 166
 167     /*
 168      * jkf@soton.ac.uk -- 31 August 1994 -- Stop list_match()
 169      * overwriting the list given as its first parameter.
 170      */
 171
 172     /* jkf -- can get called recursively with NULL list */
 173     listcopy = (list == 0) ? (char *)0 : strdup(list);
 174
 175     /*
 176      * Process tokens one at a time. We have exhausted all possible matches
 177      * when we reach an "EXCEPT" token or the end of the list. If we do find
 178      * a match, look for an "EXCEPT" list and recurse to determine whether
 179      * the match is affected by any exceptions.
 180      */
 181
 182     for (tok = strtok(listcopy, sep); tok ; tok = strtok(NULL, sep)) {
 183         if (strcasecmp(tok, "EXCEPT") == 0)     /* EXCEPT: give up */
 184             break;
 185         if ((match = (*match_fn) (tok, item)))  /* True or FAIL */
 186             break;
 187     }
 188     /* Process exceptions to True or FAIL matches. */
 189
 190     if (match != False) {
 191         while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
 192              /* VOID */ ;
 193         if (tok == 0 || list_match((char *) 0, item, match_fn) == False) {
 194             SAFE_FREE(listcopy); /* jkf */
 195             return (match);
 196         }
 197     }
 198
 199     SAFE_FREE(listcopy); /* jkf */
 200     return (False);
 201 }
 202
 203
 204 /* return true if access should be allowed */
 205 BOOL allow_access(char *deny_list,char *allow_list,
 206                   char *cname,char *caddr)
 207 {
 208         char *client[2];
 209
 210         client[0] = cname;
 211         client[1] = caddr;
 212
 213         /* if it is loopback then always allow unless specifically denied */
 214         if (strcmp(caddr, "127.0.0.1") == 0) {
 215                 /*
 216                  * If 127.0.0.1 matches both allow and deny then allow.
 217                  * Patch from Steve Langasek vorlon@netexpress.net.
 218                  */
 219                 if (deny_list &&
 220                         list_match(deny_list,(char *)client,client_match) &&
 221                                 (!allow_list ||
 222                                 !list_match(allow_list,(char *)client, client_match))) {
 223                         return False;
 224                 }
 225                 return True;
 226         }
 227
 228         /* if theres no deny list and no allow list then allow access */
 229         if ((!deny_list || *deny_list == 0) &&
 230             (!allow_list || *allow_list == 0)) {
 231                 return(True);
 232         }
 233
 234         /* if there is an allow list but no deny list then allow only hosts
 235            on the allow list */
 236         if (!deny_list || *deny_list == 0)
 237                 return(list_match(allow_list,(char *)client,client_match));
 238
 239         /* if theres a deny list but no allow list then allow
 240            all hosts not on the deny list */
 241         if (!allow_list || *allow_list == 0)
 242                 return(!list_match(deny_list,(char *)client,client_match));
 243
 244         /* if there are both type of list then allow all hosts on the
 245            allow list */
 246         if (list_match(allow_list,(char *)client,client_match))
 247                 return (True);
 248
 249         /* if there are both type of list and it's not on the allow then
 250            allow it if its not on the deny */
 251         if (list_match(deny_list,(char *)client,client_match))
 252                 return (False);
 253
 254         return (True);
 255 }
 256
 257 /* return true if the char* contains ip addrs only.  Used to avoid
 258 gethostbyaddr() calls */
 259 static BOOL only_ipaddrs_in_list(const char* list)
 260 {
 261         BOOL            only_ip = True;
 262         char            *listcopy,
 263                         *tok;
 264
 265         listcopy = strdup(list);
 266
 267         for (tok = strtok(listcopy, sep); tok ; tok = strtok(NULL, sep))
 268         {
 269                 /* factor out the special strings */
 270                 if (!strcasecmp(tok, "ALL") || !strcasecmp(tok, "FAIL") ||
 271                     !strcasecmp(tok, "EXCEPT"))
 272                 {
 273                         continue;
 274                 }
 275
 276                 if (!is_ipaddress(tok))
 277                 {
 278                         /*
 279                          * if we failed, make sure that it was not because the token
 280                          * was a network/netmask pair.  Only network/netmask pairs
 281                          * have a '/' in them
 282                          */
 283                         if (strchr(tok, '/') == NULL)
 284                         {
 285                                 only_ip = False;
 286                                 DEBUG(3,("only_ipaddrs_in_list: list [%s] has non-ip address %s\n", list, tok));
 287                                 break;
 288                         }
 289                 }
 290         }
 291
 292         SAFE_FREE(listcopy);
 293
 294         return only_ip;
 295 }
 296
 297 /* return true if access should be allowed to a service for a socket */
 298 BOOL check_access(int sock, char *allow_list, char *deny_list)
 299 {
 300         BOOL ret = False;
 301         BOOL only_ip = False;
 302         char    *deny = NULL;
 303         char    *allow = NULL;
 304
 305         DEBUG(10,("check_access: allow = %s, deny = %s\n",
 306                 allow_list ? allow_list : "NULL",
 307                 deny_list ? deny_list : "NULL"));
 308
 309         if (deny_list)
 310                 deny = strdup(deny_list);
 311         if (allow_list)
 312                 allow = strdup(allow_list);
 313
 314         if ((!deny || *deny==0) && (!allow || *allow==0))
 315                 ret = True;
 316
 317         if (!ret) {
 318                 /* bypass gethostbyaddr() calls if the lists only contain IP addrs */
 319                 if (only_ipaddrs_in_list(allow) && only_ipaddrs_in_list(deny)) {
 320                         only_ip = True;
 321                         DEBUG (3, ("check_access: no hostnames in host allow/deny list.\n"));
 322                         ret = allow_access(deny,allow, "", get_socket_addr(sock));
 323                 } else {
 324                         DEBUG (3, ("check_access: hostnames in host allow/deny list.\n"));
 325                         ret = allow_access(deny,allow, get_socket_name(sock),
 326                                            get_socket_addr(sock));
 327                 }
 328
 329                 if (ret) {
 330                         DEBUG(2,("Allowed connection from %s (%s)\n",
 331                                  only_ip ? "" : get_socket_name(sock),
 332                                  get_socket_addr(sock)));
 333                 } else {
 334                         DEBUG(0,("Denied connection from %s (%s)\n",
 335                                  only_ip ? "" : get_socket_name(sock),
 336                                  get_socket_addr(sock)));
 337                 }
 338         }
 339
 340         SAFE_FREE(deny);
 341         SAFE_FREE(allow);
 342
 343         return(ret);
 344 }