1 /* $NetBSD: tcpdchk.c,v 1.9 1999/08/31 13:58:58 itojun Exp $ */ 2 3 /* 4 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 5 * 6 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 7 * 8 * -a: complain about implicit "allow" at end of rule. 9 * 10 * -d: rules in current directory. 11 * 12 * -i: location of inetd.conf file. 13 * 14 * -v: show all rules. 15 * 16 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 17 */ 18 19 #include <sys/cdefs.h> 20 #ifndef lint 21 #if 0 22 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 23 #else 24 __RCSID("$NetBSD: tcpdchk.c,v 1.9 1999/08/31 13:58:58 itojun Exp $"); 25 #endif 26 #endif 27 28 /* System libraries. */ 29 30 #include <sys/types.h> 31 #include <sys/stat.h> 32 #ifdef INET6 33 #include <sys/socket.h> 34 #endif 35 #include <netinet/in.h> 36 #include <arpa/inet.h> 37 #include <stdio.h> 38 #include <syslog.h> 39 #include <setjmp.h> 40 #include <errno.h> 41 #include <netdb.h> 42 #include <string.h> 43 #include <stdlib.h> 44 #include <unistd.h> 45 46 #ifndef INADDR_NONE 47 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 48 #endif 49 50 #ifndef S_ISDIR 51 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 52 #endif 53 54 /* Application-specific. */ 55 56 #include "tcpd.h" 57 #include "inetcf.h" 58 #include "scaffold.h" 59 60 #ifdef NO_NETGRENT 61 /* SCO has no *netgrent() support */ 62 #else 63 # ifdef NETGROUP 64 # include <netgroup.h> 65 # endif 66 #endif 67 68 /* 69 * Stolen from hosts_access.c... 70 */ 71 static char sep[] = ", \t\n"; 72 73 #define BUFLEN 2048 74 75 int resident = 0; 76 int hosts_access_verbose = 0; 77 char *hosts_allow_table = HOSTS_ALLOW; 78 char *hosts_deny_table = HOSTS_DENY; 79 extern jmp_buf tcpd_buf; 80 81 /* 82 * Local stuff. 83 */ 84 static void usage __P((void)); 85 static void parse_table __P((char *, struct request_info *)); 86 static void print_list __P((char *, char *)); 87 static void check_daemon_list __P((char *)); 88 static void check_client_list __P((char *)); 89 static void check_daemon __P((char *)); 90 static void check_user __P((char *)); 91 static int check_host __P((char *)); 92 static int reserved_name __P((char *)); 93 94 int main __P((int, char **)); 95 96 #define PERMIT 1 97 #define DENY 0 98 99 #define YES 1 100 #define NO 0 101 102 static int defl_verdict; 103 static char *myname; 104 static int allow_check; 105 static char *inetcf; 106 107 int main(argc, argv) 108 int argc; 109 char **argv; 110 { 111 struct request_info request; 112 struct stat st; 113 int c; 114 115 myname = argv[0]; 116 117 /* 118 * Parse the JCL. 119 */ 120 while ((c = getopt(argc, argv, "adi:v")) != -1) { 121 switch (c) { 122 case 'a': 123 allow_check = 1; 124 break; 125 case 'd': 126 hosts_allow_table = "hosts.allow"; 127 hosts_deny_table = "hosts.deny"; 128 break; 129 case 'i': 130 inetcf = optarg; 131 break; 132 case 'v': 133 hosts_access_verbose++; 134 break; 135 default: 136 usage(); 137 /* NOTREACHED */ 138 } 139 } 140 if (argc != optind) 141 usage(); 142 143 /* 144 * When confusion really strikes... 145 */ 146 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 147 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 148 } else if (!S_ISDIR(st.st_mode)) { 149 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 150 } 151 152 /* 153 * Process the inet configuration file (or its moral equivalent). This 154 * information is used later to find references in hosts.allow/deny to 155 * unwrapped services, and other possible problems. 156 */ 157 inetcf = inet_cfg(inetcf); 158 if (hosts_access_verbose) 159 printf("Using network configuration file: %s\n", inetcf); 160 161 /* 162 * These are not run from inetd but may have built-in access control. 163 */ 164 inet_set("portmap", WR_NOT); 165 inet_set("rpcbind", WR_NOT); 166 167 /* 168 * Check accessibility of access control files. 169 */ 170 (void) check_path(hosts_allow_table, &st); 171 (void) check_path(hosts_deny_table, &st); 172 173 /* 174 * Fake up an arbitrary service request. 175 */ 176 request_init(&request, 177 RQ_DAEMON, "daemon_name", 178 RQ_SERVER_NAME, "server_hostname", 179 RQ_SERVER_ADDR, "server_addr", 180 RQ_USER, "user_name", 181 RQ_CLIENT_NAME, "client_hostname", 182 RQ_CLIENT_ADDR, "client_addr", 183 RQ_FILE, 1, 184 0); 185 186 /* 187 * Examine all access-control rules. 188 */ 189 defl_verdict = PERMIT; 190 parse_table(hosts_allow_table, &request); 191 defl_verdict = DENY; 192 parse_table(hosts_deny_table, &request); 193 return (0); 194 } 195 196 /* usage - explain */ 197 198 static void usage() 199 { 200 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 201 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 202 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 203 fprintf(stderr, " -i: location of inetd.conf file\n"); 204 fprintf(stderr, " -v: list all rules\n"); 205 exit(1); 206 } 207 208 /* parse_table - like table_match(), but examines _all_ entries */ 209 210 static void parse_table(table, request) 211 char *table; 212 struct request_info *request; 213 { 214 FILE *fp; 215 int real_verdict; 216 char sv_list[BUFLEN]; /* becomes list of daemons */ 217 char *cl_list; /* becomes list of requests */ 218 char *sh_cmd; /* becomes optional shell command */ 219 int verdict; 220 struct tcpd_context saved_context; 221 #ifdef __GNUC__ 222 /* XXX hack to avoid gcc warnings */ 223 (void) &real_verdict; 224 (void) &saved_context; 225 #endif 226 227 saved_context = tcpd_context; /* stupid compilers */ 228 229 if ((fp = fopen(table, "r")) != NULL) { 230 tcpd_context.file = table; 231 tcpd_context.line = 0; 232 while (xgets(sv_list, sizeof(sv_list), fp)) { 233 if (sv_list[strlen(sv_list) - 1] != '\n') { 234 tcpd_warn("missing newline or line too long"); 235 continue; 236 } 237 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 238 continue; 239 if ((cl_list = split_at(sv_list, ':')) == 0) { 240 tcpd_warn("missing \":\" separator"); 241 continue; 242 } 243 sh_cmd = split_at(cl_list, ':'); 244 245 if (hosts_access_verbose) 246 printf("\n>>> Rule %s line %d:\n", 247 tcpd_context.file, tcpd_context.line); 248 249 if (hosts_access_verbose) 250 print_list("daemons: ", sv_list); 251 check_daemon_list(sv_list); 252 253 if (hosts_access_verbose) 254 print_list("clients: ", cl_list); 255 check_client_list(cl_list); 256 257 #ifdef PROCESS_OPTIONS 258 real_verdict = defl_verdict; 259 if (sh_cmd) { 260 verdict = setjmp(tcpd_buf); 261 if (verdict != 0) { 262 real_verdict = (verdict == AC_PERMIT); 263 } else { 264 dry_run = 1; 265 process_options(sh_cmd, request); 266 if (dry_run == 1 && real_verdict && allow_check) 267 tcpd_warn("implicit \"allow\" at end of rule"); 268 } 269 } else if (defl_verdict && allow_check) { 270 tcpd_warn("implicit \"allow\" at end of rule"); 271 } 272 if (hosts_access_verbose) 273 printf("access: %s\n", real_verdict ? "granted" : "denied"); 274 #else 275 if (sh_cmd) 276 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 277 if (hosts_access_verbose) 278 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 279 #endif 280 } 281 (void) fclose(fp); 282 } else if (errno != ENOENT) { 283 tcpd_warn("cannot open %s: %m", table); 284 } 285 tcpd_context = saved_context; 286 } 287 288 /* print_list - pretty-print a list */ 289 290 static void print_list(title, list) 291 char *title; 292 char *list; 293 { 294 char buf[BUFLEN]; 295 char *cp; 296 char *next; 297 298 fputs(title, stdout); 299 strcpy(buf, list); 300 301 for (cp = strtok(buf, sep); cp != 0; cp = next) { 302 fputs(cp, stdout); 303 next = strtok((char *) 0, sep); 304 if (next != 0) 305 fputs(" ", stdout); 306 } 307 fputs("\n", stdout); 308 } 309 310 /* check_daemon_list - criticize daemon list */ 311 312 static void check_daemon_list(list) 313 char *list; 314 { 315 char buf[BUFLEN]; 316 char *cp; 317 char *host; 318 int daemons = 0; 319 320 strcpy(buf, list); 321 322 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 323 if (STR_EQ(cp, "EXCEPT")) { 324 daemons = 0; 325 } else { 326 daemons++; 327 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 328 tcpd_warn("host %s has more than one address", host); 329 tcpd_warn("(consider using an address instead)"); 330 } 331 check_daemon(cp); 332 } 333 } 334 if (daemons == 0) 335 tcpd_warn("daemon list is empty or ends in EXCEPT"); 336 } 337 338 /* check_client_list - criticize client list */ 339 340 static void check_client_list(list) 341 char *list; 342 { 343 char buf[BUFLEN]; 344 char *cp; 345 char *host; 346 int clients = 0; 347 #ifdef INET6 348 int l; 349 #endif 350 351 strcpy(buf, list); 352 353 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 354 #ifdef INET6 355 l = strlen(cp); 356 if (cp[0] == '[' && cp[l - 1] == ']') { 357 cp[l - 1] = '\0'; 358 cp++; 359 } 360 #endif 361 if (STR_EQ(cp, "EXCEPT")) { 362 clients = 0; 363 } else { 364 clients++; 365 if ((host = split_at(cp + 1, '@')) != NULL) { /* user@host */ 366 check_user(cp); 367 check_host(host); 368 } else { 369 check_host(cp); 370 } 371 } 372 } 373 if (clients == 0) 374 tcpd_warn("client list is empty or ends in EXCEPT"); 375 } 376 377 /* check_daemon - criticize daemon pattern */ 378 379 static void check_daemon(pat) 380 char *pat; 381 { 382 if (pat[0] == '@') { 383 tcpd_warn("%s: daemon name begins with \"@\"", pat); 384 } else if (pat[0] == '.') { 385 tcpd_warn("%s: daemon name begins with dot", pat); 386 } else if (pat[strlen(pat) - 1] == '.') { 387 tcpd_warn("%s: daemon name ends in dot", pat); 388 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 389 /* void */ ; 390 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 391 tcpd_warn("FAIL is no longer recognized"); 392 tcpd_warn("(use EXCEPT or DENY instead)"); 393 } else if (reserved_name(pat)) { 394 tcpd_warn("%s: daemon name may be reserved word", pat); 395 } else { 396 switch (inet_get(pat)) { 397 case WR_UNKNOWN: 398 tcpd_warn("%s: no such process name in %s", pat, inetcf); 399 inet_set(pat, WR_YES); /* shut up next time */ 400 break; 401 case WR_NOT: 402 tcpd_warn("%s: service possibly not wrapped", pat); 403 inet_set(pat, WR_YES); 404 break; 405 } 406 } 407 } 408 409 /* check_user - criticize user pattern */ 410 411 static void check_user(pat) 412 char *pat; 413 { 414 if (pat[0] == '@') { /* @netgroup */ 415 tcpd_warn("%s: user name begins with \"@\"", pat); 416 } else if (pat[0] == '.') { 417 tcpd_warn("%s: user name begins with dot", pat); 418 } else if (pat[strlen(pat) - 1] == '.') { 419 tcpd_warn("%s: user name ends in dot", pat); 420 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 421 || STR_EQ(pat, "KNOWN")) { 422 /* void */ ; 423 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 424 tcpd_warn("FAIL is no longer recognized"); 425 tcpd_warn("(use EXCEPT or DENY instead)"); 426 } else if (reserved_name(pat)) { 427 tcpd_warn("%s: user name may be reserved word", pat); 428 } 429 } 430 431 /* check_host - criticize host pattern */ 432 433 static int check_host(pat) 434 char *pat; 435 { 436 char *mask; 437 int addr_count = 1; 438 439 if (pat[0] == '@') { /* @netgroup */ 440 #ifdef NO_NETGRENT 441 /* SCO has no *netgrent() support */ 442 #else 443 #ifdef NETGROUP 444 const char *machinep; 445 const char *userp; 446 const char *domainp; 447 448 setnetgrent(pat + 1); 449 if (getnetgrent(&machinep, &userp, &domainp) == 0) 450 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 451 endnetgrent(); 452 #else 453 tcpd_warn("netgroup support disabled"); 454 #endif 455 #endif 456 } else if ((mask = split_at(pat, '/')) != NULL) { /* network/netmask */ 457 #ifdef INET6 458 struct in6_addr in6; 459 #endif 460 if (dot_quad_addr(pat, NULL) != INADDR_NONE 461 || dot_quad_addr(mask, NULL) != INADDR_NONE) 462 ; /*okay*/ 463 #ifdef INET6 464 else if (inet_pton(AF_INET6, pat, &in6) == 1 465 && inet_pton(AF_INET6, mask, &in6) == 1) 466 ; /*okay*/ 467 else if (inet_pton(AF_INET6, pat, &in6) == 1 468 && strchr(mask, ':') == NULL 469 && 0 <= atoi(mask) && atoi(mask) <= 128) 470 ; /*okay*/ 471 #endif 472 else 473 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 474 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 475 tcpd_warn("FAIL is no longer recognized"); 476 tcpd_warn("(use EXCEPT or DENY instead)"); 477 } else if (reserved_name(pat)) { /* other reserved */ 478 /* void */ ; 479 } else if (NOT_INADDR(pat)) { /* internet name */ 480 if (pat[strlen(pat) - 1] == '.') { 481 tcpd_warn("%s: domain or host name ends in dot", pat); 482 } else if (pat[0] != '.') { 483 addr_count = check_dns(pat); 484 } 485 } else { /* numeric form */ 486 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 487 /* void */ ; 488 } else if (pat[0] == '.') { 489 tcpd_warn("%s: network number begins with dot", pat); 490 } else if (pat[strlen(pat) - 1] != '.') { 491 check_dns(pat); 492 } 493 } 494 return (addr_count); 495 } 496 497 /* reserved_name - determine if name is reserved */ 498 499 static int reserved_name(pat) 500 char *pat; 501 { 502 return (STR_EQ(pat, unknown) 503 || STR_EQ(pat, "KNOWN") 504 || STR_EQ(pat, paranoid) 505 || STR_EQ(pat, "ALL") 506 || STR_EQ(pat, "LOCAL")); 507 } 508