release/src/router/samba3/source/lib/access.c

   1 /*
   2    This module is an adaption of code from the tcpd-1.4 package written
   3    by Wietse Venema, Eindhoven University of Technology, The Netherlands.
   4
   5    The code is used here with permission.
   6
   7    The code has been considerably changed from the original. Bug reports
   8    should be sent to samba@samba.org
   9 */
  10
  11 #include "includes.h"
  12
  13 #define FAIL            (-1)
  14
  15 #define ALLONES  ((uint32)0xFFFFFFFF)
  16
  17 /* masked_match - match address against netnumber/netmask */
  18 static BOOL masked_match(const char *tok, const char *slash, const char *s)
  19 {
  20         uint32 net;
  21         uint32 mask;
  22         uint32 addr;
  23         fstring tok_cpy;
  24
  25         if ((addr = interpret_addr(s)) == INADDR_NONE)
  26                 return (False);
  27
  28         fstrcpy(tok_cpy, tok);
  29         tok_cpy[PTR_DIFF(slash,tok)] = '\0';
  30         net = interpret_addr(tok_cpy);
  31         tok_cpy[PTR_DIFF(slash,tok)] = '/';
  32
  33         if (strlen(slash + 1) > 2) {
  34                 mask = interpret_addr(slash + 1);
  35         } else {
  36                 mask = (uint32)((ALLONES >> atoi(slash + 1)) ^ ALLONES);
  37                 /* convert to network byte order */
  38                 mask = htonl(mask);
  39         }
  40
  41         if (net == INADDR_NONE || mask == INADDR_NONE) {
  42                 DEBUG(0,("access: bad net/mask access control: %s\n", tok));
  43                 return (False);
  44         }
  45
  46         return ((addr & mask) == (net & mask));
  47 }
  48
  49 /* string_match - match string against token */
  50 static BOOL string_match(const char *tok,const char *s, char *invalid_char)
  51 {
  52         size_t     tok_len;
  53         size_t     str_len;
  54         const char   *cut;
  55
  56         *invalid_char = '\0';
  57
  58         /* Return True if a token has the magic value "ALL". Return
  59          * FAIL if the token is "FAIL". If the token starts with a "."
  60          * (domain name), return True if it matches the last fields of
  61          * the string. If the token has the magic value "LOCAL",
  62          * return True if the string does not contain a "."
  63          * character. If the token ends on a "." (network number),
  64          * return True if it matches the first fields of the
  65          * string. If the token begins with a "@" (netgroup name),
  66          * return True if the string is a (host) member of the
  67          * netgroup. Return True if the token fully matches the
  68          * string. If the token is a netnumber/netmask pair, return
  69          * True if the address is a member of the specified subnet.
  70          */
  71
  72         if (tok[0] == '.') {                    /* domain: match last fields */
  73                 if ((str_len = strlen(s)) > (tok_len = strlen(tok))
  74                     && strequal(tok, s + str_len - tok_len))
  75                         return (True);
  76         } else if (tok[0] == '@') { /* netgroup: look it up */
  77 #ifdef  HAVE_NETGROUP
  78                 static char *mydomain = NULL;
  79                 char *hostname = NULL;
  80                 BOOL netgroup_ok = False;
  81
  82                 if (!mydomain)
  83                         yp_get_default_domain(&mydomain);
  84
  85                 if (!mydomain) {
  86                         DEBUG(0,("Unable to get default yp domain. Try without it.\n"));
  87                 }
  88                 if (!(hostname = SMB_STRDUP(s))) {
  89                         DEBUG(1,("out of memory for strdup!\n"));
  90                         return False;
  91                 }
  92
  93                 netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
  94
  95                 DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
  96                          hostname,
  97                          mydomain?mydomain:"(ANY)",
  98                          tok+1,
  99                          BOOLSTR(netgroup_ok)));
 100
 101                 SAFE_FREE(hostname);
 102
 103                 if (netgroup_ok)
 104                         return(True);
 105 #else
 106                 DEBUG(0,("access: netgroup support is not configured\n"));
 107                 return (False);
 108 #endif
 109         } else if (strequal(tok, "ALL")) {      /* all: match any */
 110                 return (True);
 111         } else if (strequal(tok, "FAIL")) {     /* fail: match any */
 112                 return (FAIL);
 113         } else if (strequal(tok, "LOCAL")) {    /* local: no dots */
 114                 if (strchr_m(s, '.') == 0 && !strequal(s, "unknown"))
 115                         return (True);
 116         } else if (strequal(tok, s)) {   /* match host name or address */
 117                 return (True);
 118         } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {   /* network */
 119                 if (strncmp(tok, s, tok_len) == 0)
 120                         return (True);
 121         } else if ((cut = strchr_m(tok, '/')) != 0) {   /* netnumber/netmask */
 122                 if (isdigit((int)s[0]) && masked_match(tok, cut, s))
 123                         return (True);
 124         } else if (strchr_m(tok, '*') != 0) {
 125                 *invalid_char = '*';
 126         } else if (strchr_m(tok, '?') != 0) {
 127                 *invalid_char = '?';
 128         }
 129         return (False);
 130 }
 131
 132 /* client_match - match host name and address against token */
 133 static BOOL client_match(const char *tok, const char *item)
 134 {
 135         const char **client = (const char **)item;
 136         BOOL match;
 137         char invalid_char = '\0';
 138
 139         /*
 140          * Try to match the address first. If that fails, try to match the host
 141          * name if available.
 142          */
 143
 144         if ((match = string_match(tok, client[1], &invalid_char)) == 0) {
 145                 if(invalid_char)
 146                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 147 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 148
 149                 if (client[0][0] != 0)
 150                         match = string_match(tok, client[0], &invalid_char);
 151
 152                 if(invalid_char)
 153                         DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
 154 token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
 155         }
 156
 157         return (match);
 158 }
 159
 160 /* list_match - match an item against a list of tokens with exceptions */
 161 static BOOL list_match(const char **list,const char *item,
 162                 BOOL (*match_fn)(const char *, const char *))
 163 {
 164         BOOL match = False;
 165
 166         if (!list)
 167                 return False;
 168
 169         /*
 170          * Process tokens one at a time. We have exhausted all possible matches
 171          * when we reach an "EXCEPT" token or the end of the list. If we do find
 172          * a match, look for an "EXCEPT" list and recurse to determine whether
 173          * the match is affected by any exceptions.
 174          */
 175
 176         for (; *list ; list++) {
 177                 if (strequal(*list, "EXCEPT"))  /* EXCEPT: give up */
 178                         break;
 179                 if ((match = (*match_fn) (*list, item)))        /* True or FAIL */
 180                         break;
 181         }
 182         /* Process exceptions to True or FAIL matches. */
 183
 184         if (match != False) {
 185                 while (*list  && !strequal(*list, "EXCEPT"))
 186                         list++;
 187
 188                 for (; *list; list++) {
 189                         if ((*match_fn) (*list, item)) /* Exception Found */
 190                                 return False;
 191                 }
 192         }
 193
 194         return (match);
 195 }
 196
 197 /* return true if access should be allowed */
 198 static BOOL allow_access_internal(const char **deny_list,const char **allow_list,
 199                         const char *cname, const char *caddr)
 200 {
 201         const char *client[2];
 202
 203         client[0] = cname;
 204         client[1] = caddr;
 205
 206         /* if it is loopback then always allow unless specifically denied */
 207         if (strcmp(caddr, "127.0.0.1") == 0) {
 208                 /*
 209                  * If 127.0.0.1 matches both allow and deny then allow.
 210                  * Patch from Steve Langasek vorlon@netexpress.net.
 211                  */
 212                 if (deny_list &&
 213                         list_match(deny_list,(const char *)client,client_match) &&
 214                                 (!allow_list ||
 215                                 !list_match(allow_list,(const char *)client, client_match))) {
 216                         return False;
 217                 }
 218                 return True;
 219         }
 220
 221         /* if theres no deny list and no allow list then allow access */
 222         if ((!deny_list || *deny_list == 0) &&
 223             (!allow_list || *allow_list == 0)) {
 224                 return(True);
 225         }
 226
 227         /* if there is an allow list but no deny list then allow only hosts
 228            on the allow list */
 229         if (!deny_list || *deny_list == 0)
 230                 return(list_match(allow_list,(const char *)client,client_match));
 231
 232         /* if theres a deny list but no allow list then allow
 233            all hosts not on the deny list */
 234         if (!allow_list || *allow_list == 0)
 235                 return(!list_match(deny_list,(const char *)client,client_match));
 236
 237         /* if there are both types of list then allow all hosts on the
 238            allow list */
 239         if (list_match(allow_list,(const char *)client,client_match))
 240                 return (True);
 241
 242         /* if there are both types of list and it's not on the allow then
 243            allow it if its not on the deny */
 244         if (list_match(deny_list,(const char *)client,client_match))
 245                 return (False);
 246
 247         return (True);
 248 }
 249
 250 /* return true if access should be allowed */
 251 BOOL allow_access(const char **deny_list, const char **allow_list,
 252                   const char *cname, const char *caddr)
 253 {
 254         BOOL ret;
 255         char *nc_cname = smb_xstrdup(cname);
 256         char *nc_caddr = smb_xstrdup(caddr);
 257
 258         ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
 259
 260         SAFE_FREE(nc_cname);
 261         SAFE_FREE(nc_caddr);
 262         return ret;
 263 }
 264
 265 /* return true if the char* contains ip addrs only.  Used to avoid
 266 gethostbyaddr() calls */
 267
 268 static BOOL only_ipaddrs_in_list(const char** list)
 269 {
 270         BOOL only_ip = True;
 271
 272         if (!list)
 273                 return True;
 274
 275         for (; *list ; list++) {
 276                 /* factor out the special strings */
 277                 if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
 278                     strequal(*list, "EXCEPT")) {
 279                         continue;
 280                 }
 281
 282                 if (!is_ipaddress(*list)) {
 283                         /*
 284                          * if we failed, make sure that it was not because the token
 285                          * was a network/netmask pair.  Only network/netmask pairs
 286                          * have a '/' in them
 287                          */
 288                         if ((strchr_m(*list, '/')) == NULL) {
 289                                 only_ip = False;
 290                                 DEBUG(3,("only_ipaddrs_in_list: list has non-ip address (%s)\n", *list));
 291                                 break;
 292                         }
 293                 }
 294         }
 295
 296         return only_ip;
 297 }
 298
 299 /* return true if access should be allowed to a service for a socket */
 300 BOOL check_access(int sock, const char **allow_list, const char **deny_list)
 301 {
 302         BOOL ret = False;
 303         BOOL only_ip = False;
 304
 305         if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0))
 306                 ret = True;
 307
 308         if (!ret) {
 309                 /* bypass gethostbyaddr() calls if the lists only contain IP addrs */
 310                 if (only_ipaddrs_in_list(allow_list) && only_ipaddrs_in_list(deny_list)) {
 311                         only_ip = True;
 312                         DEBUG (3, ("check_access: no hostnames in host allow/deny list.\n"));
 313                         ret = allow_access(deny_list,allow_list, "", get_peer_addr(sock));
 314                 } else {
 315                         DEBUG (3, ("check_access: hostnames in host allow/deny list.\n"));
 316                         ret = allow_access(deny_list,allow_list, get_peer_name(sock,True),
 317                                            get_peer_addr(sock));
 318                 }
 319
 320                 if (ret) {
 321                         DEBUG(2,("Allowed connection from %s (%s)\n",
 322                                  only_ip ? "" : get_peer_name(sock,True),
 323                                  get_peer_addr(sock)));
 324                 } else {
 325                         DEBUG(0,("Denied connection from %s (%s)\n",
 326                                  only_ip ? "" : get_peer_name(sock,True),
 327                                  get_peer_addr(sock)));
 328                 }
 329         }
 330
 331         return(ret);
 332 }