2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
6 * -a: complain about implicit "allow" at end of rule.
8 * -d: rules in current directory.
10 * -i: location of inetd.conf file.
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
17 static char sccsid
[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
19 /* System libraries. */
21 #include <sys/types.h>
23 #include <netinet/in.h>
24 #include <arpa/inet.h>
38 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
42 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
45 /* Application-specific. */
52 * Stolen from hosts_access.c...
54 static char sep
[] = ", \t\n";
59 int hosts_access_verbose
= 0;
60 char *hosts_allow_table
= HOSTS_ALLOW
;
61 char *hosts_deny_table
= HOSTS_DENY
;
62 extern jmp_buf tcpd_buf
;
68 static void parse_table();
69 static void print_list();
70 static void check_daemon_list();
71 static void check_client_list();
72 static void check_daemon();
73 static void check_user();
74 static int check_host();
75 static int reserved_name();
83 static int defl_verdict
;
85 static int allow_check
;
92 struct request_info request
;
101 while ((c
= getopt(argc
, argv
, "adi:v")) != EOF
) {
107 hosts_allow_table
= "hosts.allow";
108 hosts_deny_table
= "hosts.deny";
114 hosts_access_verbose
++;
125 * When confusion really strikes...
127 if (check_path(REAL_DAEMON_DIR
, &st
) < 0) {
128 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR
);
129 } else if (!S_ISDIR(st
.st_mode
)) {
130 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR
);
134 * Process the inet configuration file (or its moral equivalent). This
135 * information is used later to find references in hosts.allow/deny to
136 * unwrapped services, and other possible problems.
138 inetcf
= inet_cfg(inetcf
);
139 if (hosts_access_verbose
)
140 printf("Using network configuration file: %s\n", inetcf
);
143 * These are not run from inetd but may have built-in access control.
145 inet_set("portmap", WR_NOT
);
146 inet_set("rpcbind", WR_NOT
);
149 * Check accessibility of access control files.
151 (void) check_path(hosts_allow_table
, &st
);
152 (void) check_path(hosts_deny_table
, &st
);
155 * Fake up an arbitrary service request.
157 request_init(&request
,
158 RQ_DAEMON
, "daemon_name",
159 RQ_SERVER_NAME
, "server_hostname",
160 RQ_SERVER_ADDR
, "server_addr",
161 RQ_USER
, "user_name",
162 RQ_CLIENT_NAME
, "client_hostname",
163 RQ_CLIENT_ADDR
, "client_addr",
168 * Examine all access-control rules.
170 defl_verdict
= PERMIT
;
171 parse_table(hosts_allow_table
, &request
);
173 parse_table(hosts_deny_table
, &request
);
177 /* usage - explain */
181 fprintf(stderr
, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname
);
182 fprintf(stderr
, " -a: report rules with implicit \"ALLOW\" at end\n");
183 fprintf(stderr
, " -d: use allow/deny files in current directory\n");
184 fprintf(stderr
, " -i: location of inetd.conf file\n");
185 fprintf(stderr
, " -v: list all rules\n");
189 /* parse_table - like table_match(), but examines _all_ entries */
191 static void parse_table(table
, request
)
193 struct request_info
*request
;
197 char sv_list
[BUFLEN
]; /* becomes list of daemons */
198 char *cl_list
; /* becomes list of requests */
199 char *sh_cmd
; /* becomes optional shell command */
202 struct tcpd_context saved_context
;
204 saved_context
= tcpd_context
; /* stupid compilers */
206 if (fp
= fopen(table
, "r")) {
207 tcpd_context
.file
= table
;
208 tcpd_context
.line
= 0;
209 while (xgets(sv_list
, sizeof(sv_list
), fp
)) {
210 if (sv_list
[strlen(sv_list
) - 1] != '\n') {
211 tcpd_warn("missing newline or line too long");
214 if (sv_list
[0] == '#' || sv_list
[strspn(sv_list
, " \t\r\n")] == 0)
216 if ((cl_list
= split_at(skip_ipv6_addrs(sv_list
), ':')) == 0) {
217 tcpd_warn("missing \":\" separator");
220 sh_cmd
= split_at(skip_ipv6_addrs(cl_list
), ':');
222 if (hosts_access_verbose
)
223 printf("\n>>> Rule %s line %d:\n",
224 tcpd_context
.file
, tcpd_context
.line
);
226 if (hosts_access_verbose
)
227 print_list("daemons: ", sv_list
);
228 check_daemon_list(sv_list
);
230 if (hosts_access_verbose
)
231 print_list("clients: ", cl_list
);
232 check_client_list(cl_list
);
234 #ifdef PROCESS_OPTIONS
235 real_verdict
= defl_verdict
;
237 verdict
= setjmp(tcpd_buf
);
239 real_verdict
= (verdict
== AC_PERMIT
);
242 process_options(sh_cmd
, request
);
243 if (dry_run
== 1 && real_verdict
&& allow_check
)
244 tcpd_warn("implicit \"allow\" at end of rule");
246 } else if (defl_verdict
&& allow_check
) {
247 tcpd_warn("implicit \"allow\" at end of rule");
249 if (hosts_access_verbose
)
250 printf("access: %s\n", real_verdict
? "granted" : "denied");
253 shell_cmd(percent_x(buf
, sizeof(buf
), sh_cmd
, request
));
254 if (hosts_access_verbose
)
255 printf("access: %s\n", defl_verdict
? "granted" : "denied");
259 } else if (errno
!= ENOENT
) {
260 tcpd_warn("cannot open %s: %m", table
);
262 tcpd_context
= saved_context
;
265 /* print_list - pretty-print a list */
267 static void print_list(title
, list
)
275 fputs(title
, stdout
);
278 for (cp
= strtok(buf
, sep
); cp
!= 0; cp
= next
) {
280 next
= strtok(NULL
, sep
);
287 /* check_daemon_list - criticize daemon list */
289 static void check_daemon_list(list
)
299 for (cp
= strtok(buf
, sep
); cp
!= 0; cp
= strtok(NULL
, sep
)) {
300 if (STR_EQ(cp
, "EXCEPT")) {
304 if ((host
= split_at(cp
+ 1, '@')) != 0 && check_host(host
) > 1) {
305 tcpd_warn("host %s has more than one address", host
);
306 tcpd_warn("(consider using an address instead)");
312 tcpd_warn("daemon list is empty or ends in EXCEPT");
315 /* check_client_list - criticize client list */
317 static void check_client_list(list
)
327 for (cp
= strtok(buf
, sep
); cp
!= 0; cp
= strtok(NULL
, sep
)) {
328 if (STR_EQ(cp
, "EXCEPT")) {
332 if (host
= split_at(cp
+ 1, '@')) { /* user@host */
341 tcpd_warn("client list is empty or ends in EXCEPT");
344 /* check_daemon - criticize daemon pattern */
346 static void check_daemon(pat
)
350 tcpd_warn("%s: daemon name begins with \"@\"", pat
);
351 } else if (pat
[0] == '.') {
352 tcpd_warn("%s: daemon name begins with dot", pat
);
353 } else if (pat
[strlen(pat
) - 1] == '.') {
354 tcpd_warn("%s: daemon name ends in dot", pat
);
355 } else if (STR_EQ(pat
, "ALL") || STR_EQ(pat
, unknown
)) {
357 } else if (STR_EQ(pat
, "FAIL")) { /* obsolete */
358 tcpd_warn("FAIL is no longer recognized");
359 tcpd_warn("(use EXCEPT or DENY instead)");
360 } else if (reserved_name(pat
)) {
361 tcpd_warn("%s: daemon name may be reserved word", pat
);
363 switch (inet_get(pat
)) {
365 tcpd_warn("%s: no such process name in %s", pat
, inetcf
);
366 inet_set(pat
, WR_YES
); /* shut up next time */
369 tcpd_warn("%s: service possibly not wrapped", pat
);
370 inet_set(pat
, WR_YES
);
376 /* check_user - criticize user pattern */
378 static void check_user(pat
)
381 if (pat
[0] == '@') { /* @netgroup */
382 tcpd_warn("%s: user name begins with \"@\"", pat
);
383 } else if (pat
[0] == '.') {
384 tcpd_warn("%s: user name begins with dot", pat
);
385 } else if (pat
[strlen(pat
) - 1] == '.') {
386 tcpd_warn("%s: user name ends in dot", pat
);
387 } else if (STR_EQ(pat
, "ALL") || STR_EQ(pat
, unknown
)
388 || STR_EQ(pat
, "KNOWN")) {
390 } else if (STR_EQ(pat
, "FAIL")) { /* obsolete */
391 tcpd_warn("FAIL is no longer recognized");
392 tcpd_warn("(use EXCEPT or DENY instead)");
393 } else if (reserved_name(pat
)) {
394 tcpd_warn("%s: user name may be reserved word", pat
);
398 /* check_host - criticize host pattern */
400 static int check_host(pat
)
406 if (pat
[0] == '@') { /* @netgroup */
408 /* SCO has no *netgrent() support */
415 setnetgrent(pat
+ 1);
416 if (getnetgrent(&machinep
, &userp
, &domainp
) == 0)
417 tcpd_warn("%s: unknown or empty netgroup", pat
+ 1);
420 tcpd_warn("netgroup support disabled");
424 } else if (pat
[0] == '[') {
426 char *cbr
= strchr(pat
, ']');
427 char *slash
= strchr(pat
, '/');
429 int mask
= IPV6_ABITS
;
433 mask
= atoi(slash
+ 1);
434 err
= mask
< 0 || mask
> IPV6_ABITS
;
440 err
+= inet_pton(AF_INET6
, pat
+1, &in6
) != 1;
442 if (slash
) *slash
= '/';
445 tcpd_warn("bad IP6 address specification: %s", pat
);
447 } else if (mask
= split_at(pat
, '/')) { /* network/netmask */
448 if (dot_quad_addr(pat
) == INADDR_NONE
449 || dot_quad_addr(mask
) == INADDR_NONE
)
450 tcpd_warn("%s/%s: bad net/mask pattern", pat
, mask
);
451 } else if (STR_EQ(pat
, "FAIL")) { /* obsolete */
452 tcpd_warn("FAIL is no longer recognized");
453 tcpd_warn("(use EXCEPT or DENY instead)");
454 } else if (reserved_name(pat
)) { /* other reserved */
456 } else if (NOT_INADDR(pat
)) { /* internet name */
457 if (pat
[strlen(pat
) - 1] == '.') {
458 tcpd_warn("%s: domain or host name ends in dot", pat
);
459 } else if (pat
[0] != '.') {
460 addr_count
= check_dns(pat
);
462 } else { /* numeric form */
463 if (STR_EQ(pat
, "0.0.0.0") || STR_EQ(pat
, "255.255.255.255")) {
465 } else if (pat
[0] == '.') {
466 tcpd_warn("%s: network number begins with dot", pat
);
467 } else if (pat
[strlen(pat
) - 1] != '.') {
474 /* reserved_name - determine if name is reserved */
476 static int reserved_name(pat
)
479 return (STR_EQ(pat
, unknown
)
480 || STR_EQ(pat
, "KNOWN")
481 || STR_EQ(pat
, paranoid
)
482 || STR_EQ(pat
, "ALL")
483 || STR_EQ(pat
, "LOCAL"));