1 /* 2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 3 * 4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 5 * 6 * -a: complain about implicit "allow" at end of rule. 7 * 8 * -d: rules in current directory. 9 * 10 * -i: location of inetd.conf file. 11 * 12 * -v: show all rules. 13 * 14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 15 * 16 * $FreeBSD: src/contrib/tcp_wrappers/tcpdchk.c,v 1.3.2.1 2000/07/18 08:34:55 ume Exp $ 17 * $DragonFly: src/contrib/tcp_wrappers/tcpdchk.c,v 1.2 2003/06/17 04:24:06 dillon Exp $ 18 */ 19 20 #ifndef lint 21 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 22 #endif 23 24 /* System libraries. */ 25 26 #include <sys/types.h> 27 #include <sys/stat.h> 28 #ifdef INET6 29 #include <sys/socket.h> 30 #endif 31 #include <netinet/in.h> 32 #include <arpa/inet.h> 33 #include <stdio.h> 34 #include <syslog.h> 35 #include <setjmp.h> 36 #include <errno.h> 37 #include <netdb.h> 38 #include <string.h> 39 40 extern int errno; 41 extern void exit(); 42 extern int optind; 43 extern char *optarg; 44 45 #ifndef INADDR_NONE 46 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 47 #endif 48 49 #ifndef S_ISDIR 50 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 51 #endif 52 53 /* Application-specific. */ 54 55 #include "tcpd.h" 56 #include "inetcf.h" 57 #include "scaffold.h" 58 59 /* 60 * Stolen from hosts_access.c... 61 */ 62 static char sep[] = ", \t\n"; 63 64 #define BUFLEN 2048 65 66 int resident = 0; 67 int hosts_access_verbose = 0; 68 char *hosts_allow_table = HOSTS_ALLOW; 69 char *hosts_deny_table = HOSTS_DENY; 70 extern jmp_buf tcpd_buf; 71 72 /* 73 * Local stuff. 74 */ 75 static void usage(); 76 static void parse_table(); 77 static void print_list(); 78 static void check_daemon_list(); 79 static void check_client_list(); 80 static void check_daemon(); 81 static void check_user(); 82 static int check_host(); 83 static int reserved_name(); 84 85 #define PERMIT 1 86 #define DENY 0 87 88 #define YES 1 89 #define NO 0 90 91 static int defl_verdict; 92 static char *myname; 93 static int allow_check; 94 static char *inetcf; 95 96 int main(argc, argv) 97 int argc; 98 char **argv; 99 { 100 struct request_info request; 101 struct stat st; 102 int c; 103 104 myname = argv[0]; 105 106 /* 107 * Parse the JCL. 108 */ 109 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 110 switch (c) { 111 case 'a': 112 allow_check = 1; 113 break; 114 case 'd': 115 hosts_allow_table = "hosts.allow"; 116 hosts_deny_table = "hosts.deny"; 117 break; 118 case 'i': 119 inetcf = optarg; 120 break; 121 case 'v': 122 hosts_access_verbose++; 123 break; 124 default: 125 usage(); 126 /* NOTREACHED */ 127 } 128 } 129 if (argc != optind) 130 usage(); 131 132 /* 133 * When confusion really strikes... 134 */ 135 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 136 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 137 } else if (!S_ISDIR(st.st_mode)) { 138 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 139 } 140 141 /* 142 * Process the inet configuration file (or its moral equivalent). This 143 * information is used later to find references in hosts.allow/deny to 144 * unwrapped services, and other possible problems. 145 */ 146 inetcf = inet_cfg(inetcf); 147 if (hosts_access_verbose) 148 printf("Using network configuration file: %s\n", inetcf); 149 150 /* 151 * These are not run from inetd but may have built-in access control. 152 */ 153 inet_set("portmap", WR_NOT); 154 inet_set("rpcbind", WR_NOT); 155 156 /* 157 * Check accessibility of access control files. 158 */ 159 (void) check_path(hosts_allow_table, &st); 160 (void) check_path(hosts_deny_table, &st); 161 162 /* 163 * Fake up an arbitrary service request. 164 */ 165 request_init(&request, 166 RQ_DAEMON, "daemon_name", 167 RQ_SERVER_NAME, "server_hostname", 168 RQ_SERVER_ADDR, "server_addr", 169 RQ_USER, "user_name", 170 RQ_CLIENT_NAME, "client_hostname", 171 RQ_CLIENT_ADDR, "client_addr", 172 RQ_FILE, 1, 173 0); 174 175 /* 176 * Examine all access-control rules. 177 */ 178 defl_verdict = PERMIT; 179 parse_table(hosts_allow_table, &request); 180 defl_verdict = DENY; 181 parse_table(hosts_deny_table, &request); 182 return (0); 183 } 184 185 /* usage - explain */ 186 187 static void usage() 188 { 189 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 190 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 191 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 192 fprintf(stderr, " -i: location of inetd.conf file\n"); 193 fprintf(stderr, " -v: list all rules\n"); 194 exit(1); 195 } 196 197 /* parse_table - like table_match(), but examines _all_ entries */ 198 199 static void parse_table(table, request) 200 char *table; 201 struct request_info *request; 202 { 203 FILE *fp; 204 int real_verdict; 205 char sv_list[BUFLEN]; /* becomes list of daemons */ 206 char *cl_list; /* becomes list of requests */ 207 char *sh_cmd; /* becomes optional shell command */ 208 char buf[BUFSIZ]; 209 int verdict; 210 struct tcpd_context saved_context; 211 212 saved_context = tcpd_context; /* stupid compilers */ 213 214 if (fp = fopen(table, "r")) { 215 tcpd_context.file = table; 216 tcpd_context.line = 0; 217 while (xgets(sv_list, sizeof(sv_list), fp)) { 218 if (sv_list[strlen(sv_list) - 1] != '\n') { 219 tcpd_warn("missing newline or line too long"); 220 continue; 221 } 222 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 223 continue; 224 if ((cl_list = split_at(sv_list, ':')) == 0) { 225 tcpd_warn("missing \":\" separator"); 226 continue; 227 } 228 sh_cmd = split_at(cl_list, ':'); 229 230 if (hosts_access_verbose) 231 printf("\n>>> Rule %s line %d:\n", 232 tcpd_context.file, tcpd_context.line); 233 234 if (hosts_access_verbose) 235 print_list("daemons: ", sv_list); 236 check_daemon_list(sv_list); 237 238 if (hosts_access_verbose) 239 print_list("clients: ", cl_list); 240 check_client_list(cl_list); 241 242 #ifdef PROCESS_OPTIONS 243 real_verdict = defl_verdict; 244 if (sh_cmd) { 245 verdict = setjmp(tcpd_buf); 246 if (verdict != 0) { 247 real_verdict = (verdict == AC_PERMIT); 248 } else { 249 dry_run = 1; 250 process_options(sh_cmd, request); 251 if (dry_run == 1 && real_verdict && allow_check) 252 tcpd_warn("implicit \"allow\" at end of rule"); 253 } 254 } else if (defl_verdict && allow_check) { 255 tcpd_warn("implicit \"allow\" at end of rule"); 256 } 257 if (hosts_access_verbose) 258 printf("access: %s\n", real_verdict ? "granted" : "denied"); 259 #else 260 if (sh_cmd) 261 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 262 if (hosts_access_verbose) 263 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 264 #endif 265 } 266 (void) fclose(fp); 267 } else if (errno != ENOENT) { 268 tcpd_warn("cannot open %s: %m", table); 269 } 270 tcpd_context = saved_context; 271 } 272 273 /* print_list - pretty-print a list */ 274 275 static void print_list(title, list) 276 char *title; 277 char *list; 278 { 279 char buf[BUFLEN]; 280 char *cp; 281 char *next; 282 283 fputs(title, stdout); 284 strcpy(buf, list); 285 286 for (cp = strtok(buf, sep); cp != 0; cp = next) { 287 fputs(cp, stdout); 288 next = strtok((char *) 0, sep); 289 if (next != 0) 290 fputs(" ", stdout); 291 } 292 fputs("\n", stdout); 293 } 294 295 /* check_daemon_list - criticize daemon list */ 296 297 static void check_daemon_list(list) 298 char *list; 299 { 300 char buf[BUFLEN]; 301 char *cp; 302 char *host; 303 int daemons = 0; 304 305 strcpy(buf, list); 306 307 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 308 if (STR_EQ(cp, "EXCEPT")) { 309 daemons = 0; 310 } else { 311 daemons++; 312 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 313 tcpd_warn("host %s has more than one address", host); 314 tcpd_warn("(consider using an address instead)"); 315 } 316 check_daemon(cp); 317 } 318 } 319 if (daemons == 0) 320 tcpd_warn("daemon list is empty or ends in EXCEPT"); 321 } 322 323 /* check_client_list - criticize client list */ 324 325 static void check_client_list(list) 326 char *list; 327 { 328 char buf[BUFLEN]; 329 char *cp; 330 char *host; 331 int clients = 0; 332 333 strcpy(buf, list); 334 335 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 336 if (STR_EQ(cp, "EXCEPT")) { 337 clients = 0; 338 } else { 339 clients++; 340 if (host = split_at(cp + 1, '@')) { /* user@host */ 341 check_user(cp); 342 check_host(host); 343 } else { 344 check_host(cp); 345 } 346 } 347 } 348 if (clients == 0) 349 tcpd_warn("client list is empty or ends in EXCEPT"); 350 } 351 352 /* check_daemon - criticize daemon pattern */ 353 354 static void check_daemon(pat) 355 char *pat; 356 { 357 if (pat[0] == '@') { 358 tcpd_warn("%s: daemon name begins with \"@\"", pat); 359 } else if (pat[0] == '/') { 360 tcpd_warn("%s: daemon name begins with \"/\"", pat); 361 } else if (pat[0] == '.') { 362 tcpd_warn("%s: daemon name begins with dot", pat); 363 } else if (pat[strlen(pat) - 1] == '.') { 364 tcpd_warn("%s: daemon name ends in dot", pat); 365 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 366 /* void */ ; 367 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 368 tcpd_warn("FAIL is no longer recognized"); 369 tcpd_warn("(use EXCEPT or DENY instead)"); 370 } else if (reserved_name(pat)) { 371 tcpd_warn("%s: daemon name may be reserved word", pat); 372 } else { 373 switch (inet_get(pat)) { 374 case WR_UNKNOWN: 375 tcpd_warn("%s: no such process name in %s", pat, inetcf); 376 inet_set(pat, WR_YES); /* shut up next time */ 377 break; 378 case WR_NOT: 379 tcpd_warn("%s: service possibly not wrapped", pat); 380 inet_set(pat, WR_YES); 381 break; 382 } 383 } 384 } 385 386 /* check_user - criticize user pattern */ 387 388 static void check_user(pat) 389 char *pat; 390 { 391 if (pat[0] == '@') { /* @netgroup */ 392 tcpd_warn("%s: user name begins with \"@\"", pat); 393 } else if (pat[0] == '/') { 394 tcpd_warn("%s: user name begins with \"/\"", pat); 395 } else if (pat[0] == '.') { 396 tcpd_warn("%s: user name begins with dot", pat); 397 } else if (pat[strlen(pat) - 1] == '.') { 398 tcpd_warn("%s: user name ends in dot", pat); 399 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 400 || STR_EQ(pat, "KNOWN")) { 401 /* void */ ; 402 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 403 tcpd_warn("FAIL is no longer recognized"); 404 tcpd_warn("(use EXCEPT or DENY instead)"); 405 } else if (reserved_name(pat)) { 406 tcpd_warn("%s: user name may be reserved word", pat); 407 } 408 } 409 410 #ifdef INET6 411 static int is_inet6_addr(pat) 412 char *pat; 413 { 414 struct addrinfo hints, *res; 415 int len, ret; 416 char ch; 417 418 if (*pat != '[') 419 return (0); 420 len = strlen(pat); 421 if ((ch = pat[len - 1]) != ']') 422 return (0); 423 pat[len - 1] = '\0'; 424 memset(&hints, 0, sizeof(hints)); 425 hints.ai_family = AF_INET6; 426 hints.ai_socktype = SOCK_STREAM; 427 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 428 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) 429 freeaddrinfo(res); 430 pat[len - 1] = ch; 431 return (ret == 0); 432 } 433 #endif 434 435 /* check_host - criticize host pattern */ 436 437 static int check_host(pat) 438 char *pat; 439 { 440 char buf[BUFSIZ]; 441 char *mask; 442 int addr_count = 1; 443 FILE *fp; 444 struct tcpd_context saved_context; 445 char *cp; 446 char *wsp = " \t\r\n"; 447 448 if (pat[0] == '@') { /* @netgroup */ 449 #ifdef NO_NETGRENT 450 /* SCO has no *netgrent() support */ 451 #else 452 #ifdef NETGROUP 453 char *machinep; 454 char *userp; 455 char *domainp; 456 457 setnetgrent(pat + 1); 458 if (getnetgrent(&machinep, &userp, &domainp) == 0) 459 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 460 endnetgrent(); 461 #else 462 tcpd_warn("netgroup support disabled"); 463 #endif 464 #endif 465 } else if (pat[0] == '/') { /* /path/name */ 466 if ((fp = fopen(pat, "r")) != 0) { 467 saved_context = tcpd_context; 468 tcpd_context.file = pat; 469 tcpd_context.line = 0; 470 while (fgets(buf, sizeof(buf), fp)) { 471 tcpd_context.line++; 472 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) 473 check_host(cp); 474 } 475 tcpd_context = saved_context; 476 fclose(fp); 477 } else if (errno != ENOENT) { 478 tcpd_warn("open %s: %m", pat); 479 } 480 } else if (mask = split_at(pat, '/')) { /* network/netmask */ 481 #ifdef INET6 482 int mask_len; 483 484 if ((dot_quad_addr(pat) == INADDR_NONE 485 || dot_quad_addr(mask) == INADDR_NONE) 486 && (!is_inet6_addr(pat) 487 || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) 488 #else 489 if (dot_quad_addr(pat) == INADDR_NONE 490 || dot_quad_addr(mask) == INADDR_NONE) 491 #endif 492 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 493 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 494 tcpd_warn("FAIL is no longer recognized"); 495 tcpd_warn("(use EXCEPT or DENY instead)"); 496 } else if (reserved_name(pat)) { /* other reserved */ 497 /* void */ ; 498 #ifdef INET6 499 } else if (is_inet6_addr(pat)) { /* IPv6 address */ 500 addr_count = 1; 501 #endif 502 } else if (NOT_INADDR(pat)) { /* internet name */ 503 if (pat[strlen(pat) - 1] == '.') { 504 tcpd_warn("%s: domain or host name ends in dot", pat); 505 } else if (pat[0] != '.') { 506 addr_count = check_dns(pat); 507 } 508 } else { /* numeric form */ 509 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 510 /* void */ ; 511 } else if (pat[0] == '.') { 512 tcpd_warn("%s: network number begins with dot", pat); 513 } else if (pat[strlen(pat) - 1] != '.') { 514 check_dns(pat); 515 } 516 } 517 return (addr_count); 518 } 519 520 /* reserved_name - determine if name is reserved */ 521 522 static int reserved_name(pat) 523 char *pat; 524 { 525 return (STR_EQ(pat, unknown) 526 || STR_EQ(pat, "KNOWN") 527 || STR_EQ(pat, paranoid) 528 || STR_EQ(pat, "ALL") 529 || STR_EQ(pat, "LOCAL")); 530 } 531