tcpdchk.c revision 1.2
1 /* $NetBSD: tcpdchk.c,v 1.2 1997/10/11 21:41:46 christos Exp $ */ 2 3 /* 4 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 5 * 6 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 7 * 8 * -a: complain about implicit "allow" at end of rule. 9 * 10 * -d: rules in current directory. 11 * 12 * -i: location of inetd.conf file. 13 * 14 * -v: show all rules. 15 * 16 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 17 */ 18 19 #include <sys/cdefs.h> 20 #ifndef lint 21 #if 0 22 static char sccsid[] = "@(#) tcpdchk.c 1.7 96/02/11 17:01:34"; 23 #else 24 __RCSID("$NetBSD: tcpdchk.c,v 1.2 1997/10/11 21:41:46 christos Exp $"); 25 #endif 26 #endif 27 28 /* System libraries. */ 29 30 #include <sys/types.h> 31 #include <sys/stat.h> 32 #include <netinet/in.h> 33 #include <arpa/inet.h> 34 #include <stdio.h> 35 #include <syslog.h> 36 #include <setjmp.h> 37 #include <errno.h> 38 #include <netdb.h> 39 #include <string.h> 40 #include <stdlib.h> 41 #include <unistd.h> 42 43 #ifndef INADDR_NONE 44 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 45 #endif 46 47 #ifndef S_ISDIR 48 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 49 #endif 50 51 /* Application-specific. */ 52 53 #include "tcpd.h" 54 #include "inetcf.h" 55 #include "scaffold.h" 56 57 /* 58 * Stolen from hosts_access.c... 59 */ 60 static char sep[] = ", \t\n"; 61 62 #define BUFLEN 2048 63 64 int resident = 0; 65 int hosts_access_verbose = 0; 66 char *hosts_allow_table = HOSTS_ALLOW; 67 char *hosts_deny_table = HOSTS_DENY; 68 extern jmp_buf tcpd_buf; 69 70 /* 71 * Local stuff. 72 */ 73 static void usage __P((void)); 74 static void parse_table __P((char *, struct request_info *)); 75 static void print_list __P((char *, char *)); 76 static void check_daemon_list __P((char *)); 77 static void check_client_list __P((char *)); 78 static void check_daemon __P((char *)); 79 static void check_user __P((char *)); 80 static int check_host __P((char *)); 81 static int reserved_name __P((char *)); 82 83 int main __P((int, char **)); 84 85 #define PERMIT 1 86 #define DENY 0 87 88 #define YES 1 89 #define NO 0 90 91 static int defl_verdict; 92 static char *myname; 93 static int allow_check; 94 static char *inetcf; 95 96 int main(argc, argv) 97 int argc; 98 char **argv; 99 { 100 struct request_info request; 101 struct stat st; 102 int c; 103 104 myname = argv[0]; 105 106 /* 107 * Parse the JCL. 108 */ 109 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 110 switch (c) { 111 case 'a': 112 allow_check = 1; 113 break; 114 case 'd': 115 hosts_allow_table = "hosts.allow"; 116 hosts_deny_table = "hosts.deny"; 117 break; 118 case 'i': 119 inetcf = optarg; 120 break; 121 case 'v': 122 hosts_access_verbose++; 123 break; 124 default: 125 usage(); 126 /* NOTREACHED */ 127 } 128 } 129 if (argc != optind) 130 usage(); 131 132 /* 133 * When confusion really strikes... 134 */ 135 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 136 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 137 } else if (!S_ISDIR(st.st_mode)) { 138 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 139 } 140 141 /* 142 * Process the inet configuration file (or its moral equivalent). This 143 * information is used later to find references in hosts.allow/deny to 144 * unwrapped services, and other possible problems. 145 */ 146 inetcf = inet_cfg(inetcf); 147 if (hosts_access_verbose) 148 printf("Using network configuration file: %s\n", inetcf); 149 150 /* 151 * These are not run from inetd but may have built-in access control. 152 */ 153 inet_set("portmap", WR_NOT); 154 inet_set("rpcbind", WR_NOT); 155 156 /* 157 * Check accessibility of access control files. 158 */ 159 (void) check_path(hosts_allow_table, &st); 160 (void) check_path(hosts_deny_table, &st); 161 162 /* 163 * Fake up an arbitrary service request. 164 */ 165 request_init(&request, 166 RQ_DAEMON, "daemon_name", 167 RQ_SERVER_NAME, "server_hostname", 168 RQ_SERVER_ADDR, "server_addr", 169 RQ_USER, "user_name", 170 RQ_CLIENT_NAME, "client_hostname", 171 RQ_CLIENT_ADDR, "client_addr", 172 RQ_FILE, 1, 173 0); 174 175 /* 176 * Examine all access-control rules. 177 */ 178 defl_verdict = PERMIT; 179 parse_table(hosts_allow_table, &request); 180 defl_verdict = DENY; 181 parse_table(hosts_deny_table, &request); 182 return (0); 183 } 184 185 /* usage - explain */ 186 187 static void usage() 188 { 189 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 190 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 191 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 192 fprintf(stderr, " -i: location of inetd.conf file\n"); 193 fprintf(stderr, " -v: list all rules\n"); 194 exit(1); 195 } 196 197 /* parse_table - like table_match(), but examines _all_ entries */ 198 199 static void parse_table(table, request) 200 char *table; 201 struct request_info *request; 202 { 203 FILE *fp; 204 int real_verdict; 205 char sv_list[BUFLEN]; /* becomes list of daemons */ 206 char *cl_list; /* becomes list of requests */ 207 char *sh_cmd; /* becomes optional shell command */ 208 int verdict; 209 struct tcpd_context saved_context; 210 #ifdef __GNUC__ 211 (void) &real_verdict; 212 #endif 213 214 saved_context = tcpd_context; /* stupid compilers */ 215 216 if ((fp = fopen(table, "r")) != NULL) { 217 tcpd_context.file = table; 218 tcpd_context.line = 0; 219 while (xgets(sv_list, sizeof(sv_list), fp)) { 220 if (sv_list[strlen(sv_list) - 1] != '\n') { 221 tcpd_warn("missing newline or line too long"); 222 continue; 223 } 224 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 225 continue; 226 if ((cl_list = split_at(sv_list, ':')) == 0) { 227 tcpd_warn("missing \":\" separator"); 228 continue; 229 } 230 sh_cmd = split_at(cl_list, ':'); 231 232 if (hosts_access_verbose) 233 printf("\n>>> Rule %s line %d:\n", 234 tcpd_context.file, tcpd_context.line); 235 236 if (hosts_access_verbose) 237 print_list("daemons: ", sv_list); 238 check_daemon_list(sv_list); 239 240 if (hosts_access_verbose) 241 print_list("clients: ", cl_list); 242 check_client_list(cl_list); 243 244 #ifdef PROCESS_OPTIONS 245 real_verdict = defl_verdict; 246 if (sh_cmd) { 247 if ((verdict = setjmp(tcpd_buf)) != 0) { 248 real_verdict = (verdict == AC_PERMIT); 249 } else { 250 dry_run = 1; 251 process_options(sh_cmd, request); 252 if (dry_run == 1 && real_verdict && allow_check) 253 tcpd_warn("implicit \"allow\" at end of rule"); 254 } 255 } else if (defl_verdict && allow_check) { 256 tcpd_warn("implicit \"allow\" at end of rule"); 257 } 258 if (hosts_access_verbose) 259 printf("access: %s\n", real_verdict ? "granted" : "denied"); 260 #else 261 if (sh_cmd) 262 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 263 if (hosts_access_verbose) 264 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 265 #endif 266 } 267 (void) fclose(fp); 268 } else if (errno != ENOENT) { 269 tcpd_warn("cannot open %s: %m", table); 270 } 271 tcpd_context = saved_context; 272 } 273 274 /* print_list - pretty-print a list */ 275 276 static void print_list(title, list) 277 char *title; 278 char *list; 279 { 280 char buf[BUFLEN]; 281 char *cp; 282 char *next; 283 284 fputs(title, stdout); 285 strcpy(buf, list); 286 287 for (cp = strtok(buf, sep); cp != 0; cp = next) { 288 fputs(cp, stdout); 289 next = strtok((char *) 0, sep); 290 if (next != 0) 291 fputs(" ", stdout); 292 } 293 fputs("\n", stdout); 294 } 295 296 /* check_daemon_list - criticize daemon list */ 297 298 static void check_daemon_list(list) 299 char *list; 300 { 301 char buf[BUFLEN]; 302 char *cp; 303 char *host; 304 int daemons = 0; 305 306 strcpy(buf, list); 307 308 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 309 if (STR_EQ(cp, "EXCEPT")) { 310 daemons = 0; 311 } else { 312 daemons++; 313 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 314 tcpd_warn("host %s has more than one address", host); 315 tcpd_warn("(consider using an address instead)"); 316 } 317 check_daemon(cp); 318 } 319 } 320 if (daemons == 0) 321 tcpd_warn("daemon list is empty or ends in EXCEPT"); 322 } 323 324 /* check_client_list - criticize client list */ 325 326 static void check_client_list(list) 327 char *list; 328 { 329 char buf[BUFLEN]; 330 char *cp; 331 char *host; 332 int clients = 0; 333 334 strcpy(buf, list); 335 336 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 337 if (STR_EQ(cp, "EXCEPT")) { 338 clients = 0; 339 } else { 340 clients++; 341 if ((host = split_at(cp + 1, '@')) != NULL) { /* user@host */ 342 check_user(cp); 343 check_host(host); 344 } else { 345 check_host(cp); 346 } 347 } 348 } 349 if (clients == 0) 350 tcpd_warn("client list is empty or ends in EXCEPT"); 351 } 352 353 /* check_daemon - criticize daemon pattern */ 354 355 static void check_daemon(pat) 356 char *pat; 357 { 358 if (pat[0] == '@') { 359 tcpd_warn("%s: daemon name begins with \"@\"", pat); 360 } else if (pat[0] == '.') { 361 tcpd_warn("%s: daemon name begins with dot", pat); 362 } else if (pat[strlen(pat) - 1] == '.') { 363 tcpd_warn("%s: daemon name ends in dot", pat); 364 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 365 /* void */ ; 366 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 367 tcpd_warn("FAIL is no longer recognized"); 368 tcpd_warn("(use EXCEPT or DENY instead)"); 369 } else if (reserved_name(pat)) { 370 tcpd_warn("%s: daemon name may be reserved word", pat); 371 } else { 372 switch (inet_get(pat)) { 373 case WR_UNKNOWN: 374 tcpd_warn("%s: no such process name in %s", pat, inetcf); 375 inet_set(pat, WR_YES); /* shut up next time */ 376 break; 377 case WR_NOT: 378 tcpd_warn("%s: service possibly not wrapped", pat); 379 inet_set(pat, WR_YES); 380 break; 381 } 382 } 383 } 384 385 /* check_user - criticize user pattern */ 386 387 static void check_user(pat) 388 char *pat; 389 { 390 if (pat[0] == '@') { /* @netgroup */ 391 tcpd_warn("%s: user name begins with \"@\"", pat); 392 } else if (pat[0] == '.') { 393 tcpd_warn("%s: user name begins with dot", pat); 394 } else if (pat[strlen(pat) - 1] == '.') { 395 tcpd_warn("%s: user name ends in dot", pat); 396 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 397 || STR_EQ(pat, "KNOWN")) { 398 /* void */ ; 399 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 400 tcpd_warn("FAIL is no longer recognized"); 401 tcpd_warn("(use EXCEPT or DENY instead)"); 402 } else if (reserved_name(pat)) { 403 tcpd_warn("%s: user name may be reserved word", pat); 404 } 405 } 406 407 /* check_host - criticize host pattern */ 408 409 static int check_host(pat) 410 char *pat; 411 { 412 char *mask; 413 int addr_count = 1; 414 415 if (pat[0] == '@') { /* @netgroup */ 416 #ifdef NO_NETGRENT 417 /* SCO has no *netgrent() support */ 418 #else 419 #ifdef NETGROUP 420 char *machinep; 421 char *userp; 422 char *domainp; 423 424 setnetgrent(pat + 1); 425 if (getnetgrent(&machinep, &userp, &domainp) == 0) 426 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 427 endnetgrent(); 428 #else 429 tcpd_warn("netgroup support disabled"); 430 #endif 431 #endif 432 } else if ((mask = split_at(pat, '/')) != NULL) { /* network/netmask */ 433 if (dot_quad_addr(pat) == INADDR_NONE 434 || dot_quad_addr(mask) == INADDR_NONE) 435 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 436 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 437 tcpd_warn("FAIL is no longer recognized"); 438 tcpd_warn("(use EXCEPT or DENY instead)"); 439 } else if (reserved_name(pat)) { /* other reserved */ 440 /* void */ ; 441 } else if (NOT_INADDR(pat)) { /* internet name */ 442 if (pat[strlen(pat) - 1] == '.') { 443 tcpd_warn("%s: domain or host name ends in dot", pat); 444 } else if (pat[0] != '.') { 445 addr_count = check_dns(pat); 446 } 447 } else { /* numeric form */ 448 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 449 /* void */ ; 450 } else if (pat[0] == '.') { 451 tcpd_warn("%s: network number begins with dot", pat); 452 } else if (pat[strlen(pat) - 1] != '.') { 453 check_dns(pat); 454 } 455 } 456 return (addr_count); 457 } 458 459 /* reserved_name - determine if name is reserved */ 460 461 static int reserved_name(pat) 462 char *pat; 463 { 464 return (STR_EQ(pat, unknown) 465 || STR_EQ(pat, "KNOWN") 466 || STR_EQ(pat, paranoid) 467 || STR_EQ(pat, "ALL") 468 || STR_EQ(pat, "LOCAL")); 469 } 470
Indexes created Mon Sep 22 13:09:51 GMT 2025