2 * This module implements a simple access control language that is based on
3 * host (or domain) names, NIS (host) netgroup names, IP addresses (or
4 * network numbers) and daemon process names. When a match is found the
5 * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
6 * a list of options is executed or an optional shell command is executed.
8 * Host and user names are looked up on demand, provided that suitable endpoint
9 * information is available as sockaddr_in structures or TLI netbufs. As a
10 * side effect, the pattern matching process may change the contents of
11 * request structure fields.
13 * Diagnostics are reported through syslog(3).
15 * Compile with -DNETGROUP if your library provides support for netgroups.
17 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
19 * $FreeBSD: src/contrib/tcp_wrappers/hosts_access.c,v 1.3.2.1 2000/07/18 08:34:54 ume Exp $
22 /* System libraries. */
24 #include <sys/types.h>
26 typedef uint32_t u_int32_t
;
28 #include <sys/param.h>
30 #include <sys/socket.h>
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
44 #include <rpcsvc/ypclnt.h>
49 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
58 extern jmp_buf tcpd_buf
;
60 /* Delimiters for lists of daemons or clients. */
62 static char sep
[] = ", \t\r\n";
64 /* Constants to be used in assignments only, not in comparisons... */
70 * These variables are globally visible so that they can be redirected in
74 char *hosts_allow_table
= HOSTS_ALLOW
;
75 char *hosts_deny_table
= HOSTS_DENY
;
76 int hosts_access_verbose
= 0;
79 * In a long-running process, we are not at liberty to just go away.
82 int resident
= (-1); /* -1, 0: unknown; +1: yes */
84 /* Forward declarations. */
86 static int table_match();
87 static int list_match();
88 static int server_match();
89 static int client_match();
90 static int host_match();
91 static int string_match();
92 static int masked_match();
94 static int masked_match4();
95 static int masked_match6();
98 /* Size of logical line buffer. */
102 /* hosts_access - host access control facility */
104 int hosts_access(request
)
105 struct request_info
*request
;
110 * If the (daemon, client) pair is matched by an entry in the file
111 * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
112 * client) pair is matched by an entry in the file /etc/hosts.deny,
113 * access is denied. Otherwise, access is granted. A non-existent
114 * access-control file is treated as an empty file.
116 * After a rule has been matched, the optional language extensions may
117 * decide to grant or refuse service anyway. Or, while a rule is being
118 * processed, a serious error is found, and it seems better to play safe
119 * and deny service. All this is done by jumping back into the
120 * hosts_access() routine, bypassing the regular return from the
121 * table_match() function calls below.
126 verdict
= setjmp(tcpd_buf
);
128 return (verdict
== AC_PERMIT
);
129 if (table_match(hosts_allow_table
, request
))
131 if (table_match(hosts_deny_table
, request
))
136 /* table_match - match table entries with (daemon, client) pair */
138 static int table_match(table
, request
)
140 struct request_info
*request
;
143 char sv_list
[BUFLEN
]; /* becomes list of daemons */
144 char *cl_list
; /* becomes list of clients */
145 char *sh_cmd
; /* becomes optional shell command */
147 struct tcpd_context saved_context
;
149 saved_context
= tcpd_context
; /* stupid compilers */
152 * Between the fopen() and fclose() calls, avoid jumps that may cause
153 * file descriptor leaks.
156 if ((fp
= fopen(table
, "r")) != 0) {
157 tcpd_context
.file
= table
;
158 tcpd_context
.line
= 0;
159 while (match
== NO
&& xgets(sv_list
, sizeof(sv_list
), fp
) != 0) {
160 if (sv_list
[strlen(sv_list
) - 1] != '\n') {
161 tcpd_warn("missing newline or line too long");
164 if (sv_list
[0] == '#' || sv_list
[strspn(sv_list
, " \t\r\n")] == 0)
166 if ((cl_list
= split_at(sv_list
, ':')) == 0) {
167 tcpd_warn("missing \":\" separator");
170 sh_cmd
= split_at(cl_list
, ':');
171 match
= list_match(sv_list
, request
, server_match
)
172 && list_match(cl_list
, request
, client_match
);
175 } else if (errno
!= ENOENT
) {
176 tcpd_warn("cannot open %s: %m", table
);
179 if (hosts_access_verbose
> 1)
180 syslog(LOG_DEBUG
, "matched: %s line %d",
181 tcpd_context
.file
, tcpd_context
.line
);
183 #ifdef PROCESS_OPTIONS
184 process_options(sh_cmd
, request
);
187 shell_cmd(percent_x(cmd
, sizeof(cmd
), sh_cmd
, request
));
191 tcpd_context
= saved_context
;
195 /* list_match - match a request against a list of patterns with exceptions */
197 static int list_match(list
, request
, match_fn
)
199 struct request_info
*request
;
205 * Process tokens one at a time. We have exhausted all possible matches
206 * when we reach an "EXCEPT" token or the end of the list. If we do find
207 * a match, look for an "EXCEPT" list and recurse to determine whether
208 * the match is affected by any exceptions.
211 for (tok
= strtok(list
, sep
); tok
!= 0; tok
= strtok((char *) 0, sep
)) {
212 if (STR_EQ(tok
, "EXCEPT")) /* EXCEPT: give up */
214 if (match_fn(tok
, request
)) { /* YES: look for exceptions */
215 while ((tok
= strtok((char *) 0, sep
)) && STR_NE(tok
, "EXCEPT"))
217 return (tok
== 0 || list_match((char *) 0, request
, match_fn
) == 0);
223 /* server_match - match server information */
225 static int server_match(tok
, request
)
227 struct request_info
*request
;
231 if ((host
= split_at(tok
+ 1, '@')) == 0) { /* plain daemon */
232 return (string_match(tok
, eval_daemon(request
)));
233 } else { /* daemon@host */
234 return (string_match(tok
, eval_daemon(request
))
235 && host_match(host
, request
->server
));
239 /* client_match - match client information */
241 static int client_match(tok
, request
)
243 struct request_info
*request
;
247 if ((host
= split_at(tok
+ 1, '@')) == 0) { /* plain host */
248 return (host_match(tok
, request
->client
));
249 } else { /* user@host */
250 return (host_match(host
, request
->client
)
251 && string_match(tok
, eval_user(request
)));
255 /* hostfile_match - look up host patterns from file */
257 static int hostfile_match(path
, host
)
259 struct hosts_info
*host
;
265 if ((fp
= fopen(path
, "r")) != 0) {
266 while (fscanf(fp
, "%s", tok
) == 1 && !(match
= host_match(tok
, host
)))
269 } else if (errno
!= ENOENT
) {
270 tcpd_warn("open %s: %m", path
);
275 /* host_match - match host name and/or address against pattern */
277 static int host_match(tok
, host
)
279 struct host_info
*host
;
284 * This code looks a little hairy because we want to avoid unnecessary
287 * The KNOWN pattern requires that both address AND name be known; some
288 * patterns are specific to host names or to host addresses; all other
289 * patterns are satisfied when either the address OR the name match.
292 if (tok
[0] == '@') { /* netgroup: look it up */
294 static char *mydomain
= 0;
296 yp_get_default_domain(&mydomain
);
297 return (innetgr(tok
+ 1, eval_hostname(host
), (char *) 0, mydomain
));
299 tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
302 } else if (tok
[0] == '/') { /* /file hack */
303 return (hostfile_match(tok
, host
));
304 } else if (STR_EQ(tok
, "KNOWN")) { /* check address and name */
305 char *name
= eval_hostname(host
);
306 return (STR_NE(eval_hostaddr(host
), unknown
) && HOSTNAME_KNOWN(name
));
307 } else if (STR_EQ(tok
, "LOCAL")) { /* local: no dots in name */
308 char *name
= eval_hostname(host
);
309 return (strchr(name
, '.') == 0 && HOSTNAME_KNOWN(name
));
310 } else if ((mask
= split_at(tok
, '/')) != 0) { /* net/mask */
311 return (masked_match(tok
, mask
, eval_hostaddr(host
)));
312 } else { /* anything else */
313 return (string_match(tok
, eval_hostaddr(host
))
314 || (NOT_INADDR(tok
) && string_match(tok
, eval_hostname(host
))));
318 /* string_match - match string against pattern */
320 static int string_match(tok
, string
)
327 /* convert IPv4 mapped IPv6 address to IPv4 address */
328 if (STRN_EQ(string
, "::ffff:", 7)
329 && dot_quad_addr(string
+ 7) != INADDR_NONE
) {
333 if (tok
[0] == '.') { /* suffix */
334 n
= strlen(string
) - strlen(tok
);
335 return (n
> 0 && STR_EQ(tok
, string
+ n
));
336 } else if (STR_EQ(tok
, "ALL")) { /* all: match any */
338 } else if (STR_EQ(tok
, "KNOWN")) { /* not unknown */
339 return (STR_NE(string
, unknown
));
340 } else if (tok
[(n
= strlen(tok
)) - 1] == '.') { /* prefix */
341 return (STRN_EQ(tok
, string
, n
));
342 } else { /* exact match */
344 struct addrinfo hints
, *res
;
345 struct sockaddr_in6 pat
, addr
;
350 if (*tok
== '[' && tok
[len
- 1] == ']') {
353 memset(&hints
, 0, sizeof(hints
));
354 hints
.ai_family
= AF_INET6
;
355 hints
.ai_socktype
= SOCK_STREAM
;
356 hints
.ai_flags
= AI_PASSIVE
| AI_NUMERICHOST
;
357 if ((ret
= getaddrinfo(tok
+ 1, NULL
, &hints
, &res
)) == 0) {
358 memcpy(&pat
, res
->ai_addr
, sizeof(pat
));
362 if (ret
!= 0 || getaddrinfo(string
, NULL
, &hints
, &res
) != 0)
364 memcpy(&addr
, res
->ai_addr
, sizeof(addr
));
366 #ifdef NI_WITHSCOPEID
367 if (pat
.sin6_scope_id
!= 0 &&
368 addr
.sin6_scope_id
!= pat
.sin6_scope_id
)
371 return (!memcmp(&pat
.sin6_addr
, &addr
.sin6_addr
,
372 sizeof(struct in6_addr
)));
376 return (STR_EQ(tok
, string
));
380 /* masked_match - match address against netnumber/netmask */
383 static int masked_match(net_tok
, mask_tok
, string
)
388 return (masked_match4(net_tok
, mask_tok
, string
) ||
389 masked_match6(net_tok
, mask_tok
, string
));
392 static int masked_match4(net_tok
, mask_tok
, string
)
394 static int masked_match(net_tok
, mask_tok
, string
)
411 * Disallow forms other than dotted quad: the treatment that inet_addr()
412 * gives to forms with less than four components is inconsistent with the
413 * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
416 if ((addr
= dot_quad_addr(string
)) == INADDR_NONE
)
418 if ((net
= dot_quad_addr(net_tok
)) == INADDR_NONE
419 || (mask
= dot_quad_addr(mask_tok
)) == INADDR_NONE
) {
421 tcpd_warn("bad net/mask expression: %s/%s", net_tok
, mask_tok
);
423 return (NO
); /* not tcpd_jump() */
425 return ((addr
& mask
) == net
);
429 static int masked_match6(net_tok
, mask_tok
, string
)
434 struct addrinfo hints
, *res
;
435 struct sockaddr_in6 net
, addr
;
437 int len
, mask_len
, i
= 0;
440 memset(&hints
, 0, sizeof(hints
));
441 hints
.ai_family
= AF_INET6
;
442 hints
.ai_socktype
= SOCK_STREAM
;
443 hints
.ai_flags
= AI_PASSIVE
| AI_NUMERICHOST
;
444 if (getaddrinfo(string
, NULL
, &hints
, &res
) != 0)
446 memcpy(&addr
, res
->ai_addr
, sizeof(addr
));
449 if (IN6_IS_ADDR_V4MAPPED(&addr
.sin6_addr
)) {
450 if ((*(u_int32_t
*)&net
.sin6_addr
.s6_addr
[12] = dot_quad_addr(net_tok
)) == INADDR_NONE
451 || (mask
= dot_quad_addr(mask_tok
)) == INADDR_NONE
)
453 return ((*(u_int32_t
*)&addr
.sin6_addr
.s6_addr
[12] & mask
) == *(u_int32_t
*)&net
.sin6_addr
.s6_addr
[12]);
456 /* match IPv6 address against netnumber/prefixlen */
457 len
= strlen(net_tok
);
458 if (*net_tok
!= '[' || net_tok
[len
- 1] != ']')
460 ch
= net_tok
[len
- 1];
461 net_tok
[len
- 1] = '\0';
462 if (getaddrinfo(net_tok
+ 1, NULL
, &hints
, &res
) != 0) {
463 net_tok
[len
- 1] = ch
;
466 memcpy(&net
, res
->ai_addr
, sizeof(net
));
468 net_tok
[len
- 1] = ch
;
469 if ((mask_len
= atoi(mask_tok
)) < 0 || mask_len
> 128)
472 #ifdef NI_WITHSCOPEID
473 if (net
.sin6_scope_id
!= 0 && addr
.sin6_scope_id
!= net
.sin6_scope_id
)
476 while (mask_len
> 0) {
478 mask
= htonl(~(0xffffffff >> mask_len
));
479 if ((*(u_int32_t
*)&addr
.sin6_addr
.s6_addr
[i
] & mask
) != (*(u_int32_t
*)&net
.sin6_addr
.s6_addr
[i
] & mask
))
483 if (*(u_int32_t
*)&addr
.sin6_addr
.s6_addr
[i
] != *(u_int32_t
*)&net
.sin6_addr
.s6_addr
[i
])