1 /* 2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 3 * 4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 5 * 6 * -a: complain about implicit "allow" at end of rule. 7 * 8 * -d: rules in current directory. 9 * 10 * -i: location of inetd.conf file. 11 * 12 * -v: show all rules. 13 * 14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 15 * 16 * $FreeBSD$ 17 */ 18 19 #ifndef lint 20 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 21 #endif 22 23 /* System libraries. */ 24 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #ifdef INET6 28 #include <sys/socket.h> 29 #endif 30 #include <netinet/in.h> 31 #include <arpa/inet.h> 32 #include <stdio.h> 33 #include <syslog.h> 34 #include <setjmp.h> 35 #include <errno.h> 36 #include <netdb.h> 37 #include <string.h> 38 #include <unistd.h> 39 #include <stdlib.h> 40 41 extern int errno; 42 extern void exit(); 43 extern int optind; 44 extern char *optarg; 45 46 #ifndef INADDR_NONE 47 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 48 #endif 49 50 #ifndef S_ISDIR 51 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 52 #endif 53 54 /* Application-specific. */ 55 56 #include "tcpd.h" 57 #include "inetcf.h" 58 #include "scaffold.h" 59 60 /* 61 * Stolen from hosts_access.c... 62 */ 63 static char sep[] = ", \t\n"; 64 65 #define BUFLEN 2048 66 67 int resident = 0; 68 int hosts_access_verbose = 0; 69 char *hosts_allow_table = HOSTS_ALLOW; 70 char *hosts_deny_table = HOSTS_DENY; 71 extern jmp_buf tcpd_buf; 72 73 /* 74 * Local stuff. 75 */ 76 static void usage(); 77 static void parse_table(); 78 static void print_list(); 79 static void check_daemon_list(); 80 static void check_client_list(); 81 static void check_daemon(); 82 static void check_user(); 83 static int check_host(); 84 static int reserved_name(); 85 86 #define PERMIT 1 87 #define DENY 0 88 89 #define YES 1 90 #define NO 0 91 92 static int defl_verdict; 93 static char *myname; 94 static int allow_check; 95 static char *inetcf; 96 97 int main(argc, argv) 98 int argc; 99 char **argv; 100 { 101 struct request_info request; 102 struct stat st; 103 int c; 104 105 myname = argv[0]; 106 107 /* 108 * Parse the JCL. 109 */ 110 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 111 switch (c) { 112 case 'a': 113 allow_check = 1; 114 break; 115 case 'd': 116 hosts_allow_table = "hosts.allow"; 117 hosts_deny_table = "hosts.deny"; 118 break; 119 case 'i': 120 inetcf = optarg; 121 break; 122 case 'v': 123 hosts_access_verbose++; 124 break; 125 default: 126 usage(); 127 /* NOTREACHED */ 128 } 129 } 130 if (argc != optind) 131 usage(); 132 133 /* 134 * When confusion really strikes... 135 */ 136 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 137 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 138 } else if (!S_ISDIR(st.st_mode)) { 139 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 140 } 141 142 /* 143 * Process the inet configuration file (or its moral equivalent). This 144 * information is used later to find references in hosts.allow/deny to 145 * unwrapped services, and other possible problems. 146 */ 147 inetcf = inet_cfg(inetcf); 148 if (hosts_access_verbose) 149 printf("Using network configuration file: %s\n", inetcf); 150 151 /* 152 * These are not run from inetd but may have built-in access control. 153 */ 154 inet_set("portmap", WR_NOT); 155 inet_set("rpcbind", WR_NOT); 156 157 /* 158 * Check accessibility of access control files. 159 */ 160 (void) check_path(hosts_allow_table, &st); 161 (void) check_path(hosts_deny_table, &st); 162 163 /* 164 * Fake up an arbitrary service request. 165 */ 166 request_init(&request, 167 RQ_DAEMON, "daemon_name", 168 RQ_SERVER_NAME, "server_hostname", 169 RQ_SERVER_ADDR, "server_addr", 170 RQ_USER, "user_name", 171 RQ_CLIENT_NAME, "client_hostname", 172 RQ_CLIENT_ADDR, "client_addr", 173 RQ_FILE, 1, 174 0); 175 176 /* 177 * Examine all access-control rules. 178 */ 179 defl_verdict = PERMIT; 180 parse_table(hosts_allow_table, &request); 181 defl_verdict = DENY; 182 parse_table(hosts_deny_table, &request); 183 return (0); 184 } 185 186 /* usage - explain */ 187 188 static void usage() 189 { 190 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 191 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 192 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 193 fprintf(stderr, " -i: location of inetd.conf file\n"); 194 fprintf(stderr, " -v: list all rules\n"); 195 exit(1); 196 } 197 198 /* parse_table - like table_match(), but examines _all_ entries */ 199 200 static void parse_table(table, request) 201 char *table; 202 struct request_info *request; 203 { 204 FILE *fp; 205 int real_verdict; 206 char sv_list[BUFLEN]; /* becomes list of daemons */ 207 char *cl_list; /* becomes list of requests */ 208 char *sh_cmd; /* becomes optional shell command */ 209 char buf[BUFSIZ]; 210 int verdict; 211 struct tcpd_context saved_context; 212 213 saved_context = tcpd_context; /* stupid compilers */ 214 215 if (fp = fopen(table, "r")) { 216 tcpd_context.file = table; 217 tcpd_context.line = 0; 218 while (xgets(sv_list, sizeof(sv_list), fp)) { 219 if (sv_list[strlen(sv_list) - 1] != '\n') { 220 tcpd_warn("missing newline or line too long"); 221 continue; 222 } 223 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 224 continue; 225 if ((cl_list = split_at(sv_list, ':')) == 0) { 226 tcpd_warn("missing \":\" separator"); 227 continue; 228 } 229 sh_cmd = split_at(cl_list, ':'); 230 231 if (hosts_access_verbose) 232 printf("\n>>> Rule %s line %d:\n", 233 tcpd_context.file, tcpd_context.line); 234 235 if (hosts_access_verbose) 236 print_list("daemons: ", sv_list); 237 check_daemon_list(sv_list); 238 239 if (hosts_access_verbose) 240 print_list("clients: ", cl_list); 241 check_client_list(cl_list); 242 243 #ifdef PROCESS_OPTIONS 244 real_verdict = defl_verdict; 245 if (sh_cmd) { 246 verdict = setjmp(tcpd_buf); 247 if (verdict != 0) { 248 real_verdict = (verdict == AC_PERMIT); 249 } else { 250 dry_run = 1; 251 process_options(sh_cmd, request); 252 if (dry_run == 1 && real_verdict && allow_check) 253 tcpd_warn("implicit \"allow\" at end of rule"); 254 } 255 } else if (defl_verdict && allow_check) { 256 tcpd_warn("implicit \"allow\" at end of rule"); 257 } 258 if (hosts_access_verbose) 259 printf("access: %s\n", real_verdict ? "granted" : "denied"); 260 #else 261 if (sh_cmd) 262 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 263 if (hosts_access_verbose) 264 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 265 #endif 266 } 267 (void) fclose(fp); 268 } else if (errno != ENOENT) { 269 tcpd_warn("cannot open %s: %m", table); 270 } 271 tcpd_context = saved_context; 272 } 273 274 /* print_list - pretty-print a list */ 275 276 static void print_list(title, list) 277 char *title; 278 char *list; 279 { 280 char buf[BUFLEN]; 281 char *cp; 282 char *next; 283 284 fputs(title, stdout); 285 strcpy(buf, list); 286 287 for (cp = strtok(buf, sep); cp != 0; cp = next) { 288 fputs(cp, stdout); 289 next = strtok((char *) 0, sep); 290 if (next != 0) 291 fputs(" ", stdout); 292 } 293 fputs("\n", stdout); 294 } 295 296 /* check_daemon_list - criticize daemon list */ 297 298 static void check_daemon_list(list) 299 char *list; 300 { 301 char buf[BUFLEN]; 302 char *cp; 303 char *host; 304 int daemons = 0; 305 306 strcpy(buf, list); 307 308 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 309 if (STR_EQ(cp, "EXCEPT")) { 310 daemons = 0; 311 } else { 312 daemons++; 313 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 314 tcpd_warn("host %s has more than one address", host); 315 tcpd_warn("(consider using an address instead)"); 316 } 317 check_daemon(cp); 318 } 319 } 320 if (daemons == 0) 321 tcpd_warn("daemon list is empty or ends in EXCEPT"); 322 } 323 324 /* check_client_list - criticize client list */ 325 326 static void check_client_list(list) 327 char *list; 328 { 329 char buf[BUFLEN]; 330 char *cp; 331 char *host; 332 int clients = 0; 333 334 strcpy(buf, list); 335 336 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 337 if (STR_EQ(cp, "EXCEPT")) { 338 clients = 0; 339 } else { 340 clients++; 341 if (host = split_at(cp + 1, '@')) { /* user@host */ 342 check_user(cp); 343 check_host(host); 344 } else { 345 check_host(cp); 346 } 347 } 348 } 349 if (clients == 0) 350 tcpd_warn("client list is empty or ends in EXCEPT"); 351 } 352 353 /* check_daemon - criticize daemon pattern */ 354 355 static void check_daemon(pat) 356 char *pat; 357 { 358 if (pat[0] == '@') { 359 tcpd_warn("%s: daemon name begins with \"@\"", pat); 360 } else if (pat[0] == '/') { 361 tcpd_warn("%s: daemon name begins with \"/\"", pat); 362 } else if (pat[0] == '.') { 363 tcpd_warn("%s: daemon name begins with dot", pat); 364 } else if (pat[strlen(pat) - 1] == '.') { 365 tcpd_warn("%s: daemon name ends in dot", pat); 366 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 367 /* void */ ; 368 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 369 tcpd_warn("FAIL is no longer recognized"); 370 tcpd_warn("(use EXCEPT or DENY instead)"); 371 } else if (reserved_name(pat)) { 372 tcpd_warn("%s: daemon name may be reserved word", pat); 373 } else { 374 switch (inet_get(pat)) { 375 case WR_UNKNOWN: 376 tcpd_warn("%s: no such process name in %s", pat, inetcf); 377 inet_set(pat, WR_YES); /* shut up next time */ 378 break; 379 case WR_NOT: 380 tcpd_warn("%s: service possibly not wrapped", pat); 381 inet_set(pat, WR_YES); 382 break; 383 } 384 } 385 } 386 387 /* check_user - criticize user pattern */ 388 389 static void check_user(pat) 390 char *pat; 391 { 392 if (pat[0] == '@') { /* @netgroup */ 393 tcpd_warn("%s: user name begins with \"@\"", pat); 394 } else if (pat[0] == '/') { 395 tcpd_warn("%s: user name begins with \"/\"", pat); 396 } else if (pat[0] == '.') { 397 tcpd_warn("%s: user name begins with dot", pat); 398 } else if (pat[strlen(pat) - 1] == '.') { 399 tcpd_warn("%s: user name ends in dot", pat); 400 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 401 || STR_EQ(pat, "KNOWN")) { 402 /* void */ ; 403 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 404 tcpd_warn("FAIL is no longer recognized"); 405 tcpd_warn("(use EXCEPT or DENY instead)"); 406 } else if (reserved_name(pat)) { 407 tcpd_warn("%s: user name may be reserved word", pat); 408 } 409 } 410 411 #ifdef INET6 412 static int is_inet6_addr(pat) 413 char *pat; 414 { 415 struct addrinfo hints, *res; 416 int len, ret; 417 char ch; 418 419 if (*pat != '[') 420 return (0); 421 len = strlen(pat); 422 if ((ch = pat[len - 1]) != ']') 423 return (0); 424 pat[len - 1] = '\0'; 425 memset(&hints, 0, sizeof(hints)); 426 hints.ai_family = AF_INET6; 427 hints.ai_socktype = SOCK_STREAM; 428 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 429 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) 430 freeaddrinfo(res); 431 pat[len - 1] = ch; 432 return (ret == 0); 433 } 434 #endif 435 436 /* check_host - criticize host pattern */ 437 438 static int check_host(pat) 439 char *pat; 440 { 441 char buf[BUFSIZ]; 442 char *mask; 443 int addr_count = 1; 444 FILE *fp; 445 struct tcpd_context saved_context; 446 char *cp; 447 char *wsp = " \t\r\n"; 448 449 if (pat[0] == '@') { /* @netgroup */ 450 #ifdef NO_NETGRENT 451 /* SCO has no *netgrent() support */ 452 #else 453 #ifdef NETGROUP 454 char *machinep; 455 char *userp; 456 char *domainp; 457 458 setnetgrent(pat + 1); 459 if (getnetgrent(&machinep, &userp, &domainp) == 0) 460 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 461 endnetgrent(); 462 #else 463 tcpd_warn("netgroup support disabled"); 464 #endif 465 #endif 466 } else if (pat[0] == '/') { /* /path/name */ 467 if ((fp = fopen(pat, "r")) != 0) { 468 saved_context = tcpd_context; 469 tcpd_context.file = pat; 470 tcpd_context.line = 0; 471 while (fgets(buf, sizeof(buf), fp)) { 472 tcpd_context.line++; 473 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) 474 check_host(cp); 475 } 476 tcpd_context = saved_context; 477 fclose(fp); 478 } else if (errno != ENOENT) { 479 tcpd_warn("open %s: %m", pat); 480 } 481 } else if (mask = split_at(pat, '/')) { /* network/netmask */ 482 #ifdef INET6 483 int mask_len; 484 485 if ((dot_quad_addr(pat) == INADDR_NONE 486 || dot_quad_addr(mask) == INADDR_NONE) 487 && (!is_inet6_addr(pat) 488 || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) 489 #else 490 if (dot_quad_addr(pat) == INADDR_NONE 491 || dot_quad_addr(mask) == INADDR_NONE) 492 #endif 493 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 494 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 495 tcpd_warn("FAIL is no longer recognized"); 496 tcpd_warn("(use EXCEPT or DENY instead)"); 497 } else if (reserved_name(pat)) { /* other reserved */ 498 /* void */ ; 499 #ifdef INET6 500 } else if (is_inet6_addr(pat)) { /* IPv6 address */ 501 addr_count = 1; 502 #endif 503 } else if (NOT_INADDR(pat)) { /* internet name */ 504 if (pat[strlen(pat) - 1] == '.') { 505 tcpd_warn("%s: domain or host name ends in dot", pat); 506 } else if (pat[0] != '.') { 507 addr_count = check_dns(pat); 508 } 509 } else { /* numeric form */ 510 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 511 /* void */ ; 512 } else if (pat[0] == '.') { 513 tcpd_warn("%s: network number begins with dot", pat); 514 } else if (pat[strlen(pat) - 1] != '.') { 515 check_dns(pat); 516 } 517 } 518 return (addr_count); 519 } 520 521 /* reserved_name - determine if name is reserved */ 522 523 static int reserved_name(pat) 524 char *pat; 525 { 526 return (STR_EQ(pat, unknown) 527 || STR_EQ(pat, "KNOWN") 528 || STR_EQ(pat, paranoid) 529 || STR_EQ(pat, "ALL") 530 || STR_EQ(pat, "LOCAL")); 531 } 532