inetcf.c revision 1.5
1 /* $NetBSD: inetcf.c,v 1.5 1999/08/27 16:07:23 itojun Exp $ */ 2 3 /* 4 * Routines to parse an inetd.conf or tlid.conf file. This would be a great 5 * job for a PERL script. 6 * 7 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 8 */ 9 10 #include <sys/cdefs.h> 11 #ifndef lint 12 #if 0 13 static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23"; 14 #else 15 __RCSID("$NetBSD: inetcf.c,v 1.5 1999/08/27 16:07:23 itojun Exp $"); 16 #endif 17 #endif 18 19 #include <sys/types.h> 20 #include <sys/stat.h> 21 #include <stdio.h> 22 #include <errno.h> 23 #include <string.h> 24 #include <stdlib.h> 25 26 #include "tcpd.h" 27 #include "inetcf.h" 28 #include "percent_m.h" 29 #include "scaffold.h" 30 31 static void inet_chk __P((char *, char *, char *, char *)); 32 static char *base_name __P((char *)); 33 34 /* 35 * Programs that use libwrap directly are not in inetd.conf, and so must 36 * be added here in a similar format. (We pretend we found them in 37 * /etc/inetd.conf.) Each one is a set of three strings that correspond 38 * to fields in /etc/inetd.conf: 39 * protocol (field 3), path (field 6), arg0 (field 7) 40 * The last entry should be a NULL. 41 */ 42 char *uses_libwrap[] = { 43 "tcp", "/usr/sbin/sendmail", "sendmail", 44 (char *) NULL 45 }; 46 47 /* 48 * Network configuration files may live in unusual places. Here are some 49 * guesses. Shorter names follow longer ones. 50 */ 51 char *inet_files[] = { 52 "/private/etc/inetd.conf", /* NEXT */ 53 "/etc/inet/inetd.conf", /* SYSV4 */ 54 "/usr/etc/inetd.conf", /* IRIX?? */ 55 "/etc/inetd.conf", /* BSD */ 56 "/etc/net/tlid.conf", /* SYSV4?? */ 57 "/etc/saf/tlid.conf", /* SYSV4?? */ 58 "/etc/tlid.conf", /* SYSV4?? */ 59 0, 60 }; 61 62 /* 63 * Structure with everything we know about a service. 64 */ 65 struct inet_ent { 66 struct inet_ent *next; 67 int type; 68 char name[1]; 69 }; 70 71 static struct inet_ent *inet_list = 0; 72 73 static char whitespace[] = " \t\r\n"; 74 75 /* inet_conf - read in and examine inetd.conf (or tlid.conf) entries */ 76 77 char *inet_cfg(conf) 78 char *conf; 79 { 80 char buf[BUFSIZ]; 81 FILE *fp = NULL; 82 char **wrapped; 83 char *service; 84 char *protocol; 85 char *user; 86 char *path; 87 char *arg0; 88 char *arg1; 89 struct tcpd_context saved_context; 90 int i; 91 struct stat st; 92 93 saved_context = tcpd_context; 94 95 /* 96 * The inetd.conf (or tlid.conf) information is so useful that we insist 97 * on its availability. When no file is given run a series of educated 98 * guesses. 99 */ 100 if (conf != 0) { 101 if ((fp = fopen(conf, "r")) == 0) { 102 fprintf(stderr, percent_m(buf, "open %s: %m\n"), conf); 103 exit(1); 104 } 105 } else { 106 for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++) 107 /* void */ ; 108 if (fp == 0) { 109 fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n"); 110 fprintf(stderr, "Please specify its location.\n"); 111 exit(1); 112 } 113 conf = inet_files[i]; 114 check_path(conf, &st); 115 } 116 117 /* 118 * Process the list of programs that use libwrap directly. 119 */ 120 wrapped = uses_libwrap; 121 while (*wrapped != NULL) { 122 inet_chk(wrapped[0], wrapped[1], wrapped[2], ""); 123 wrapped += 3; 124 } 125 126 /* 127 * Process the file. After the 7.0 wrapper release it became clear that 128 * there are many more inetd.conf formats than the 8 systems that I had 129 * studied. EP/IX uses a two-line specification for rpc services; HP-UX 130 * permits long lines to be broken with backslash-newline. 131 */ 132 tcpd_context.file = conf; 133 tcpd_context.line = 0; 134 while (xgets(buf, sizeof(buf), fp)) { 135 service = strtok(buf, whitespace); /* service */ 136 if (service == 0 || *service == '#') 137 continue; 138 if (STR_NE(service, "stream") && STR_NE(service, "dgram")) 139 strtok((char *) 0, whitespace); /* endpoint */ 140 protocol = strtok((char *) 0, whitespace); 141 (void) strtok((char *) 0, whitespace); /* wait */ 142 if ((user = strtok((char *) 0, whitespace)) == 0) 143 continue; 144 if (user[0] == '/') { /* user */ 145 path = user; 146 } else { /* path */ 147 if ((path = strtok((char *) 0, whitespace)) == 0) 148 continue; 149 } 150 if (path[0] == '?') /* IRIX optional service */ 151 path++; 152 if (STR_EQ(path, "internal")) 153 continue; 154 if (path[strspn(path, "-0123456789")] == 0) { 155 156 /* 157 * ConvexOS puts RPC version numbers before path names. Jukka 158 * Ukkonen <ukkonen (at) csc.fi>. 159 */ 160 if ((path = strtok((char *) 0, whitespace)) == 0) 161 continue; 162 } 163 if ((arg0 = strtok((char *) 0, whitespace)) == 0) { 164 tcpd_warn("incomplete line"); 165 continue; 166 } 167 if (arg0[strspn(arg0, "0123456789")] == 0) { 168 169 /* 170 * We're reading a tlid.conf file, the format is: 171 * 172 * ...stuff... path arg_count arguments mod_count modules 173 */ 174 if ((arg0 = strtok((char *) 0, whitespace)) == 0) { 175 tcpd_warn("incomplete line"); 176 continue; 177 } 178 } 179 if ((arg1 = strtok((char *) 0, whitespace)) == 0) 180 arg1 = ""; 181 182 inet_chk(protocol, path, arg0, arg1); 183 } 184 fclose(fp); 185 tcpd_context = saved_context; 186 return (conf); 187 } 188 189 /* inet_chk - examine one inetd.conf (tlid.conf?) entry */ 190 191 static void inet_chk(protocol, path, arg0, arg1) 192 char *protocol; 193 char *path; 194 char *arg0; 195 char *arg1; 196 { 197 char daemon[BUFSIZ]; 198 struct stat st; 199 int wrap_status = WR_MAYBE; 200 char *base_name_path = base_name(path); 201 char *tcpd_proc_name = (arg0[0] == '/' ? base_name(arg0) : arg0); 202 203 /* 204 * Always warn when the executable does not exist or when it is not 205 * executable. 206 */ 207 if (check_path(path, &st) < 0) { 208 tcpd_warn("%s: not found: %m", path); 209 } else if ((st.st_mode & 0100) == 0) { 210 tcpd_warn("%s: not executable", path); 211 } 212 213 /* 214 * Cheat on the miscd tests, nobody uses it anymore. 215 */ 216 if (STR_EQ(base_name_path, "miscd")) { 217 inet_set(arg0, WR_YES); 218 return; 219 } 220 221 /* 222 * While we are here... 223 */ 224 if (STR_EQ(tcpd_proc_name, "rexd") || STR_EQ(tcpd_proc_name, "rpc.rexd")) 225 tcpd_warn("%s may be an insecure service", tcpd_proc_name); 226 227 /* 228 * The tcpd program gets most of the attention. 229 */ 230 if (STR_EQ(base_name_path, "tcpd")) { 231 232 if (STR_EQ(tcpd_proc_name, "tcpd")) 233 tcpd_warn("%s is recursively calling itself", tcpd_proc_name); 234 235 wrap_status = WR_YES; 236 237 /* 238 * Check: some sites install the wrapper set-uid. 239 */ 240 if ((st.st_mode & 06000) != 0) 241 tcpd_warn("%s: file is set-uid or set-gid", path); 242 243 /* 244 * Check: some sites insert tcpd in inetd.conf, instead of replacing 245 * the daemon pathname. 246 */ 247 if (arg0[0] == '/' && STR_EQ(tcpd_proc_name, base_name(arg1))) 248 tcpd_warn("%s inserted before %s", path, arg0); 249 250 /* 251 * Check: make sure files exist and are executable. On some systems 252 * the network daemons are set-uid so we cannot complain. Note that 253 * tcpd takes the basename only in case of absolute pathnames. 254 */ 255 if (arg0[0] == '/') { /* absolute path */ 256 if (check_path(arg0, &st) < 0) { 257 tcpd_warn("%s: not found: %m", arg0); 258 } else if ((st.st_mode & 0100) == 0) { 259 tcpd_warn("%s: not executable", arg0); 260 } 261 } else { /* look in REAL_DAEMON_DIR */ 262 sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0); 263 if (check_path(daemon, &st) < 0) { 264 tcpd_warn("%s: not found in %s: %m", 265 arg0, REAL_DAEMON_DIR); 266 } else if ((st.st_mode & 0100) == 0) { 267 tcpd_warn("%s: not executable", daemon); 268 } 269 } 270 271 } else { 272 273 /* 274 * No tcpd program found. Perhaps they used the "simple installation" 275 * recipe. Look for a file with the same basename in REAL_DAEMON_DIR. 276 * Draw some conservative conclusions when a distinct file is found. 277 */ 278 sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0); 279 if (STR_EQ(path, daemon)) { 280 wrap_status = WR_NOT; 281 } else if (check_path(daemon, &st) >= 0) { 282 wrap_status = WR_MAYBE; 283 } else if (errno == ENOENT) { 284 wrap_status = WR_NOT; 285 } else { 286 tcpd_warn("%s: file lookup: %m", daemon); 287 wrap_status = WR_MAYBE; 288 } 289 } 290 291 /* 292 * Alas, we cannot wrap rpc/tcp services. 293 */ 294 if (wrap_status == WR_YES && STR_EQ(protocol, "rpc/tcp")) 295 tcpd_warn("%s: cannot wrap rpc/tcp services", tcpd_proc_name); 296 297 /* NetBSD inetd wraps all programs */ 298 if (! STR_EQ(protocol, "rpc/tcp")) 299 wrap_status = WR_YES; 300 301 inet_set(tcpd_proc_name, wrap_status); 302 } 303 304 /* inet_set - remember service status */ 305 306 void inet_set(name, type) 307 char *name; 308 int type; 309 { 310 struct inet_ent *ip = 311 (struct inet_ent *) malloc(sizeof(struct inet_ent) + strlen(name)); 312 313 if (ip == 0) { 314 fprintf(stderr, "out of memory\n"); 315 exit(1); 316 } 317 ip->next = inet_list; 318 strcpy(ip->name, name); 319 ip->type = type; 320 inet_list = ip; 321 } 322 323 /* inet_get - look up service status */ 324 325 int inet_get(name) 326 char *name; 327 { 328 struct inet_ent *ip; 329 330 if (inet_list == 0) 331 return (WR_MAYBE); 332 333 for (ip = inet_list; ip; ip = ip->next) 334 if (STR_EQ(ip->name, name)) 335 return (ip->type); 336 337 return (-1); 338 } 339 340 /* base_name - compute last pathname component */ 341 342 static char *base_name(path) 343 char *path; 344 { 345 char *cp; 346 347 if ((cp = strrchr(path, '/')) != 0) 348 path = cp + 1; 349 return (path); 350 } 351
Indexes created Mon Sep 22 05:09:51 GMT 2025