search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Unleashed v1.4
[unleashed.git] / usr / src / cmd / tcpd / tcpdchk.c
blobf634613ce20d55652d44b4807b0be3b997073b62
1 /*
2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3 *
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5 *
6 * -a: complain about implicit "allow" at end of rule.
7 *
8 * -d: rules in current directory.
9 *
10 * -i: location of inetd.conf file.
11 *
12 * -v: show all rules.
13 *
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15 */
16
17 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
18
19 /* System libraries. */
20
21 #include <sys/types.h>
22 #include <sys/stat.h>
23 #include <netinet/in.h>
24 #include <arpa/inet.h>
25 #include <stdio.h>
26 #include <syslog.h>
27 #include <setjmp.h>
28 #include <errno.h>
29 #include <netdb.h>
30 #include <string.h>
31
32 extern int errno;
33 extern void exit();
34 extern int optind;
35 extern char *optarg;
36
37 #ifndef INADDR_NONE
38 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
39 #endif
40
41 #ifndef S_ISDIR
42 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
43 #endif
44
45 /* Application-specific. */
46
47 #include "tcpd.h"
48 #include "inetcf.h"
49 #include "scaffold.h"
50
51 /*
52 * Stolen from hosts_access.c...
53 */
54 static char sep[] = ", \t\n";
55
56 #define BUFLEN 2048
57
58 int resident = 0;
59 int hosts_access_verbose = 0;
60 char *hosts_allow_table = HOSTS_ALLOW;
61 char *hosts_deny_table = HOSTS_DENY;
62 extern jmp_buf tcpd_buf;
63
64 /*
65 * Local stuff.
66 */
67 static void usage();
68 static void parse_table();
69 static void print_list();
70 static void check_daemon_list();
71 static void check_client_list();
72 static void check_daemon();
73 static void check_user();
74 static int check_host();
75 static int reserved_name();
76
77 #define PERMIT 1
78 #define DENY 0
79
80 #define YES 1
81 #define NO 0
82
83 static int defl_verdict;
84 static char *myname;
85 static int allow_check;
86 static char *inetcf;
87
88 int main(argc, argv)
89 int argc;
90 char **argv;
91 {
92 struct request_info request;
93 struct stat st;
94 int c;
95
96 myname = argv[0];
97
98 /*
99 * Parse the JCL.
100 */
101 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
102 switch (c) {
103 case 'a':
104 allow_check = 1;
105 break;
106 case 'd':
107 hosts_allow_table = "hosts.allow";
108 hosts_deny_table = "hosts.deny";
109 break;
110 case 'i':
111 inetcf = optarg;
112 break;
113 case 'v':
114 hosts_access_verbose++;
115 break;
116 default:
117 usage();
118 /* NOTREACHED */
119 }
120 }
121 if (argc != optind)
122 usage();
123
124 /*
125 * When confusion really strikes...
126 */
127 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
128 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
129 } else if (!S_ISDIR(st.st_mode)) {
130 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
131 }
132
133 /*
134 * Process the inet configuration file (or its moral equivalent). This
135 * information is used later to find references in hosts.allow/deny to
136 * unwrapped services, and other possible problems.
137 */
138 inetcf = inet_cfg(inetcf);
139 if (hosts_access_verbose)
140 printf("Using network configuration file: %s\n", inetcf);
141
142 /*
143 * These are not run from inetd but may have built-in access control.
144 */
145 inet_set("portmap", WR_NOT);
146 inet_set("rpcbind", WR_NOT);
147
148 /*
149 * Check accessibility of access control files.
150 */
151 (void) check_path(hosts_allow_table, &st);
152 (void) check_path(hosts_deny_table, &st);
153
154 /*
155 * Fake up an arbitrary service request.
156 */
157 request_init(&request,
158 RQ_DAEMON, "daemon_name",
159 RQ_SERVER_NAME, "server_hostname",
160 RQ_SERVER_ADDR, "server_addr",
161 RQ_USER, "user_name",
162 RQ_CLIENT_NAME, "client_hostname",
163 RQ_CLIENT_ADDR, "client_addr",
164 RQ_FILE, 1,
165 0);
166
167 /*
168 * Examine all access-control rules.
169 */
170 defl_verdict = PERMIT;
171 parse_table(hosts_allow_table, &request);
172 defl_verdict = DENY;
173 parse_table(hosts_deny_table, &request);
174 return (0);
175 }
176
177 /* usage - explain */
178
179 static void usage()
180 {
181 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
182 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
183 fprintf(stderr, " -d: use allow/deny files in current directory\n");
184 fprintf(stderr, " -i: location of inetd.conf file\n");
185 fprintf(stderr, " -v: list all rules\n");
186 exit(1);
187 }
188
189 /* parse_table - like table_match(), but examines _all_ entries */
190
191 static void parse_table(table, request)
192 char *table;
193 struct request_info *request;
194 {
195 FILE *fp;
196 int real_verdict;
197 char sv_list[BUFLEN]; /* becomes list of daemons */
198 char *cl_list; /* becomes list of requests */
199 char *sh_cmd; /* becomes optional shell command */
200 char buf[BUFSIZ];
201 int verdict;
202 struct tcpd_context saved_context;
203
204 saved_context = tcpd_context; /* stupid compilers */
205
206 if (fp = fopen(table, "r")) {
207 tcpd_context.file = table;
208 tcpd_context.line = 0;
209 while (xgets(sv_list, sizeof(sv_list), fp)) {
210 if (sv_list[strlen(sv_list) - 1] != '\n') {
211 tcpd_warn("missing newline or line too long");
212 continue;
213 }
214 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
215 continue;
216 if ((cl_list = split_at(skip_ipv6_addrs(sv_list), ':')) == 0) {
217 tcpd_warn("missing \":\" separator");
218 continue;
219 }
220 sh_cmd = split_at(skip_ipv6_addrs(cl_list), ':');
221
222 if (hosts_access_verbose)
223 printf("\n>>> Rule %s line %d:\n",
224 tcpd_context.file, tcpd_context.line);
225
226 if (hosts_access_verbose)
227 print_list("daemons: ", sv_list);
228 check_daemon_list(sv_list);
229
230 if (hosts_access_verbose)
231 print_list("clients: ", cl_list);
232 check_client_list(cl_list);
233
234 #ifdef PROCESS_OPTIONS
235 real_verdict = defl_verdict;
236 if (sh_cmd) {
237 verdict = setjmp(tcpd_buf);
238 if (verdict != 0) {
239 real_verdict = (verdict == AC_PERMIT);
240 } else {
241 dry_run = 1;
242 process_options(sh_cmd, request);
243 if (dry_run == 1 && real_verdict && allow_check)
244 tcpd_warn("implicit \"allow\" at end of rule");
245 }
246 } else if (defl_verdict && allow_check) {
247 tcpd_warn("implicit \"allow\" at end of rule");
248 }
249 if (hosts_access_verbose)
250 printf("access: %s\n", real_verdict ? "granted" : "denied");
251 #else
252 if (sh_cmd)
253 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
254 if (hosts_access_verbose)
255 printf("access: %s\n", defl_verdict ? "granted" : "denied");
256 #endif
257 }
258 (void) fclose(fp);
259 } else if (errno != ENOENT) {
260 tcpd_warn("cannot open %s: %m", table);
261 }
262 tcpd_context = saved_context;
263 }
264
265 /* print_list - pretty-print a list */
266
267 static void print_list(title, list)
268 char *title;
269 char *list;
270 {
271 char buf[BUFLEN];
272 char *cp;
273 char *next;
274
275 fputs(title, stdout);
276 strcpy(buf, list);
277
278 for (cp = strtok(buf, sep); cp != 0; cp = next) {
279 fputs(cp, stdout);
280 next = strtok(NULL, sep);
281 if (next != 0)
282 fputs(" ", stdout);
283 }
284 fputs("\n", stdout);
285 }
286
287 /* check_daemon_list - criticize daemon list */
288
289 static void check_daemon_list(list)
290 char *list;
291 {
292 char buf[BUFLEN];
293 char *cp;
294 char *host;
295 int daemons = 0;
296
297 strcpy(buf, list);
298
299 for (cp = strtok(buf, sep); cp != 0; cp = strtok(NULL, sep)) {
300 if (STR_EQ(cp, "EXCEPT")) {
301 daemons = 0;
302 } else {
303 daemons++;
304 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
305 tcpd_warn("host %s has more than one address", host);
306 tcpd_warn("(consider using an address instead)");
307 }
308 check_daemon(cp);
309 }
310 }
311 if (daemons == 0)
312 tcpd_warn("daemon list is empty or ends in EXCEPT");
313 }
314
315 /* check_client_list - criticize client list */
316
317 static void check_client_list(list)
318 char *list;
319 {
320 char buf[BUFLEN];
321 char *cp;
322 char *host;
323 int clients = 0;
324
325 strcpy(buf, list);
326
327 for (cp = strtok(buf, sep); cp != 0; cp = strtok(NULL, sep)) {
328 if (STR_EQ(cp, "EXCEPT")) {
329 clients = 0;
330 } else {
331 clients++;
332 if (host = split_at(cp + 1, '@')) { /* user@host */
333 check_user(cp);
334 check_host(host);
335 } else {
336 check_host(cp);
337 }
338 }
339 }
340 if (clients == 0)
341 tcpd_warn("client list is empty or ends in EXCEPT");
342 }
343
344 /* check_daemon - criticize daemon pattern */
345
346 static void check_daemon(pat)
347 char *pat;
348 {
349 if (pat[0] == '@') {
350 tcpd_warn("%s: daemon name begins with \"@\"", pat);
351 } else if (pat[0] == '.') {
352 tcpd_warn("%s: daemon name begins with dot", pat);
353 } else if (pat[strlen(pat) - 1] == '.') {
354 tcpd_warn("%s: daemon name ends in dot", pat);
355 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
356 /* void */ ;
357 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
358 tcpd_warn("FAIL is no longer recognized");
359 tcpd_warn("(use EXCEPT or DENY instead)");
360 } else if (reserved_name(pat)) {
361 tcpd_warn("%s: daemon name may be reserved word", pat);
362 } else {
363 switch (inet_get(pat)) {
364 case WR_UNKNOWN:
365 tcpd_warn("%s: no such process name in %s", pat, inetcf);
366 inet_set(pat, WR_YES); /* shut up next time */
367 break;
368 case WR_NOT:
369 tcpd_warn("%s: service possibly not wrapped", pat);
370 inet_set(pat, WR_YES);
371 break;
372 }
373 }
374 }
375
376 /* check_user - criticize user pattern */
377
378 static void check_user(pat)
379 char *pat;
380 {
381 if (pat[0] == '@') { /* @netgroup */
382 tcpd_warn("%s: user name begins with \"@\"", pat);
383 } else if (pat[0] == '.') {
384 tcpd_warn("%s: user name begins with dot", pat);
385 } else if (pat[strlen(pat) - 1] == '.') {
386 tcpd_warn("%s: user name ends in dot", pat);
387 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
388 || STR_EQ(pat, "KNOWN")) {
389 /* void */ ;
390 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
391 tcpd_warn("FAIL is no longer recognized");
392 tcpd_warn("(use EXCEPT or DENY instead)");
393 } else if (reserved_name(pat)) {
394 tcpd_warn("%s: user name may be reserved word", pat);
395 }
396 }
397
398 /* check_host - criticize host pattern */
399
400 static int check_host(pat)
401 char *pat;
402 {
403 char *mask;
404 int addr_count = 1;
405
406 if (pat[0] == '@') { /* @netgroup */
407 #ifdef NO_NETGRENT
408 /* SCO has no *netgrent() support */
409 #else
410 #ifdef NETGROUP
411 char *machinep;
412 char *userp;
413 char *domainp;
414
415 setnetgrent(pat + 1);
416 if (getnetgrent(&machinep, &userp, &domainp) == 0)
417 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
418 endnetgrent();
419 #else
420 tcpd_warn("netgroup support disabled");
421 #endif
422 #endif
423 #ifdef HAVE_IPV6
424 } else if (pat[0] == '[') {
425 struct in6_addr in6;
426 char *cbr = strchr(pat, ']');
427 char *slash = strchr(pat, '/');
428 int err = 0;
429 int mask = IPV6_ABITS;
430
431 if (slash != NULL) {
432 *slash = '\0';
433 mask = atoi(slash + 1);
434 err = mask < 0 || mask > IPV6_ABITS;
435 }
436 if (cbr == NULL)
437 err = 1;
438 else {
439 *cbr = '\0';
440 err += inet_pton(AF_INET6, pat+1, &in6) != 1;
441 }
442 if (slash) *slash = '/';
443 if (cbr) *cbr = ']';
444 if (err)
445 tcpd_warn("bad IP6 address specification: %s", pat);
446 #endif
447 } else if (mask = split_at(pat, '/')) { /* network/netmask */
448 if (dot_quad_addr(pat) == INADDR_NONE
449 || dot_quad_addr(mask) == INADDR_NONE)
450 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
451 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
452 tcpd_warn("FAIL is no longer recognized");
453 tcpd_warn("(use EXCEPT or DENY instead)");
454 } else if (reserved_name(pat)) { /* other reserved */
455 /* void */ ;
456 } else if (NOT_INADDR(pat)) { /* internet name */
457 if (pat[strlen(pat) - 1] == '.') {
458 tcpd_warn("%s: domain or host name ends in dot", pat);
459 } else if (pat[0] != '.') {
460 addr_count = check_dns(pat);
461 }
462 } else { /* numeric form */
463 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
464 /* void */ ;
465 } else if (pat[0] == '.') {
466 tcpd_warn("%s: network number begins with dot", pat);
467 } else if (pat[strlen(pat) - 1] != '.') {
468 check_dns(pat);
469 }
470 }
471 return (addr_count);
472 }
473
474 /* reserved_name - determine if name is reserved */
475
476 static int reserved_name(pat)
477 char *pat;
478 {
479 return (STR_EQ(pat, unknown)
480 || STR_EQ(pat, "KNOWN")
481 || STR_EQ(pat, paranoid)
482 || STR_EQ(pat, "ALL")
483 || STR_EQ(pat, "LOCAL"));
484 }
Unleashed OS