tcpdchk.c revision 1.8
1 /* $NetBSD: tcpdchk.c,v 1.8 1999/08/27 16:07:23 itojun Exp $ */ 2 3 /* 4 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 5 * 6 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 7 * 8 * -a: complain about implicit "allow" at end of rule. 9 * 10 * -d: rules in current directory. 11 * 12 * -i: location of inetd.conf file. 13 * 14 * -v: show all rules. 15 * 16 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 17 */ 18 19 #include <sys/cdefs.h> 20 #ifndef lint 21 #if 0 22 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 23 #else 24 __RCSID("$NetBSD: tcpdchk.c,v 1.8 1999/08/27 16:07:23 itojun Exp $"); 25 #endif 26 #endif 27 28 /* System libraries. */ 29 30 #include <sys/types.h> 31 #include <sys/stat.h> 32 #include <netinet/in.h> 33 #include <arpa/inet.h> 34 #include <stdio.h> 35 #include <syslog.h> 36 #include <setjmp.h> 37 #include <errno.h> 38 #include <netdb.h> 39 #include <string.h> 40 #include <stdlib.h> 41 #include <unistd.h> 42 43 #ifndef INADDR_NONE 44 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 45 #endif 46 47 #ifndef S_ISDIR 48 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 49 #endif 50 51 /* Application-specific. */ 52 53 #include "tcpd.h" 54 #include "inetcf.h" 55 #include "scaffold.h" 56 57 #ifdef NO_NETGRENT 58 /* SCO has no *netgrent() support */ 59 #else 60 # ifdef NETGROUP 61 # include <netgroup.h> 62 # endif 63 #endif 64 65 /* 66 * Stolen from hosts_access.c... 67 */ 68 static char sep[] = ", \t\n"; 69 70 #define BUFLEN 2048 71 72 int resident = 0; 73 int hosts_access_verbose = 0; 74 char *hosts_allow_table = HOSTS_ALLOW; 75 char *hosts_deny_table = HOSTS_DENY; 76 extern jmp_buf tcpd_buf; 77 78 /* 79 * Local stuff. 80 */ 81 static void usage __P((void)); 82 static void parse_table __P((char *, struct request_info *)); 83 static void print_list __P((char *, char *)); 84 static void check_daemon_list __P((char *)); 85 static void check_client_list __P((char *)); 86 static void check_daemon __P((char *)); 87 static void check_user __P((char *)); 88 static int check_host __P((char *)); 89 static int reserved_name __P((char *)); 90 91 int main __P((int, char **)); 92 93 #define PERMIT 1 94 #define DENY 0 95 96 #define YES 1 97 #define NO 0 98 99 static int defl_verdict; 100 static char *myname; 101 static int allow_check; 102 static char *inetcf; 103 104 int main(argc, argv) 105 int argc; 106 char **argv; 107 { 108 struct request_info request; 109 struct stat st; 110 int c; 111 112 myname = argv[0]; 113 114 /* 115 * Parse the JCL. 116 */ 117 while ((c = getopt(argc, argv, "adi:v")) != -1) { 118 switch (c) { 119 case 'a': 120 allow_check = 1; 121 break; 122 case 'd': 123 hosts_allow_table = "hosts.allow"; 124 hosts_deny_table = "hosts.deny"; 125 break; 126 case 'i': 127 inetcf = optarg; 128 break; 129 case 'v': 130 hosts_access_verbose++; 131 break; 132 default: 133 usage(); 134 /* NOTREACHED */ 135 } 136 } 137 if (argc != optind) 138 usage(); 139 140 /* 141 * When confusion really strikes... 142 */ 143 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 144 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 145 } else if (!S_ISDIR(st.st_mode)) { 146 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 147 } 148 149 /* 150 * Process the inet configuration file (or its moral equivalent). This 151 * information is used later to find references in hosts.allow/deny to 152 * unwrapped services, and other possible problems. 153 */ 154 inetcf = inet_cfg(inetcf); 155 if (hosts_access_verbose) 156 printf("Using network configuration file: %s\n", inetcf); 157 158 /* 159 * These are not run from inetd but may have built-in access control. 160 */ 161 inet_set("portmap", WR_NOT); 162 inet_set("rpcbind", WR_NOT); 163 164 /* 165 * Check accessibility of access control files. 166 */ 167 (void) check_path(hosts_allow_table, &st); 168 (void) check_path(hosts_deny_table, &st); 169 170 /* 171 * Fake up an arbitrary service request. 172 */ 173 request_init(&request, 174 RQ_DAEMON, "daemon_name", 175 RQ_SERVER_NAME, "server_hostname", 176 RQ_SERVER_ADDR, "server_addr", 177 RQ_USER, "user_name", 178 RQ_CLIENT_NAME, "client_hostname", 179 RQ_CLIENT_ADDR, "client_addr", 180 RQ_FILE, 1, 181 0); 182 183 /* 184 * Examine all access-control rules. 185 */ 186 defl_verdict = PERMIT; 187 parse_table(hosts_allow_table, &request); 188 defl_verdict = DENY; 189 parse_table(hosts_deny_table, &request); 190 return (0); 191 } 192 193 /* usage - explain */ 194 195 static void usage() 196 { 197 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 198 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 199 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 200 fprintf(stderr, " -i: location of inetd.conf file\n"); 201 fprintf(stderr, " -v: list all rules\n"); 202 exit(1); 203 } 204 205 /* parse_table - like table_match(), but examines _all_ entries */ 206 207 static void parse_table(table, request) 208 char *table; 209 struct request_info *request; 210 { 211 FILE *fp; 212 int real_verdict; 213 char sv_list[BUFLEN]; /* becomes list of daemons */ 214 char *cl_list; /* becomes list of requests */ 215 char *sh_cmd; /* becomes optional shell command */ 216 int verdict; 217 struct tcpd_context saved_context; 218 #ifdef __GNUC__ 219 /* XXX hack to avoid gcc warnings */ 220 (void) &real_verdict; 221 (void) &saved_context; 222 #endif 223 224 saved_context = tcpd_context; /* stupid compilers */ 225 226 if ((fp = fopen(table, "r")) != NULL) { 227 tcpd_context.file = table; 228 tcpd_context.line = 0; 229 while (xgets(sv_list, sizeof(sv_list), fp)) { 230 if (sv_list[strlen(sv_list) - 1] != '\n') { 231 tcpd_warn("missing newline or line too long"); 232 continue; 233 } 234 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 235 continue; 236 if ((cl_list = split_at(sv_list, ':')) == 0) { 237 tcpd_warn("missing \":\" separator"); 238 continue; 239 } 240 sh_cmd = split_at(cl_list, ':'); 241 242 if (hosts_access_verbose) 243 printf("\n>>> Rule %s line %d:\n", 244 tcpd_context.file, tcpd_context.line); 245 246 if (hosts_access_verbose) 247 print_list("daemons: ", sv_list); 248 check_daemon_list(sv_list); 249 250 if (hosts_access_verbose) 251 print_list("clients: ", cl_list); 252 check_client_list(cl_list); 253 254 #ifdef PROCESS_OPTIONS 255 real_verdict = defl_verdict; 256 if (sh_cmd) { 257 verdict = setjmp(tcpd_buf); 258 if (verdict != 0) { 259 real_verdict = (verdict == AC_PERMIT); 260 } else { 261 dry_run = 1; 262 process_options(sh_cmd, request); 263 if (dry_run == 1 && real_verdict && allow_check) 264 tcpd_warn("implicit \"allow\" at end of rule"); 265 } 266 } else if (defl_verdict && allow_check) { 267 tcpd_warn("implicit \"allow\" at end of rule"); 268 } 269 if (hosts_access_verbose) 270 printf("access: %s\n", real_verdict ? "granted" : "denied"); 271 #else 272 if (sh_cmd) 273 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 274 if (hosts_access_verbose) 275 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 276 #endif 277 } 278 (void) fclose(fp); 279 } else if (errno != ENOENT) { 280 tcpd_warn("cannot open %s: %m", table); 281 } 282 tcpd_context = saved_context; 283 } 284 285 /* print_list - pretty-print a list */ 286 287 static void print_list(title, list) 288 char *title; 289 char *list; 290 { 291 char buf[BUFLEN]; 292 char *cp; 293 char *next; 294 295 fputs(title, stdout); 296 strcpy(buf, list); 297 298 for (cp = strtok(buf, sep); cp != 0; cp = next) { 299 fputs(cp, stdout); 300 next = strtok((char *) 0, sep); 301 if (next != 0) 302 fputs(" ", stdout); 303 } 304 fputs("\n", stdout); 305 } 306 307 /* check_daemon_list - criticize daemon list */ 308 309 static void check_daemon_list(list) 310 char *list; 311 { 312 char buf[BUFLEN]; 313 char *cp; 314 char *host; 315 int daemons = 0; 316 317 strcpy(buf, list); 318 319 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 320 if (STR_EQ(cp, "EXCEPT")) { 321 daemons = 0; 322 } else { 323 daemons++; 324 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 325 tcpd_warn("host %s has more than one address", host); 326 tcpd_warn("(consider using an address instead)"); 327 } 328 check_daemon(cp); 329 } 330 } 331 if (daemons == 0) 332 tcpd_warn("daemon list is empty or ends in EXCEPT"); 333 } 334 335 /* check_client_list - criticize client list */ 336 337 static void check_client_list(list) 338 char *list; 339 { 340 char buf[BUFLEN]; 341 char *cp; 342 char *host; 343 int clients = 0; 344 345 strcpy(buf, list); 346 347 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 348 if (STR_EQ(cp, "EXCEPT")) { 349 clients = 0; 350 } else { 351 clients++; 352 if ((host = split_at(cp + 1, '@')) != NULL) { /* user@host */ 353 check_user(cp); 354 check_host(host); 355 } else { 356 check_host(cp); 357 } 358 } 359 } 360 if (clients == 0) 361 tcpd_warn("client list is empty or ends in EXCEPT"); 362 } 363 364 /* check_daemon - criticize daemon pattern */ 365 366 static void check_daemon(pat) 367 char *pat; 368 { 369 if (pat[0] == '@') { 370 tcpd_warn("%s: daemon name begins with \"@\"", pat); 371 } else if (pat[0] == '.') { 372 tcpd_warn("%s: daemon name begins with dot", pat); 373 } else if (pat[strlen(pat) - 1] == '.') { 374 tcpd_warn("%s: daemon name ends in dot", pat); 375 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 376 /* void */ ; 377 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 378 tcpd_warn("FAIL is no longer recognized"); 379 tcpd_warn("(use EXCEPT or DENY instead)"); 380 } else if (reserved_name(pat)) { 381 tcpd_warn("%s: daemon name may be reserved word", pat); 382 } else { 383 switch (inet_get(pat)) { 384 case WR_UNKNOWN: 385 tcpd_warn("%s: no such process name in %s", pat, inetcf); 386 inet_set(pat, WR_YES); /* shut up next time */ 387 break; 388 case WR_NOT: 389 tcpd_warn("%s: service possibly not wrapped", pat); 390 inet_set(pat, WR_YES); 391 break; 392 } 393 } 394 } 395 396 /* check_user - criticize user pattern */ 397 398 static void check_user(pat) 399 char *pat; 400 { 401 if (pat[0] == '@') { /* @netgroup */ 402 tcpd_warn("%s: user name begins with \"@\"", pat); 403 } else if (pat[0] == '.') { 404 tcpd_warn("%s: user name begins with dot", pat); 405 } else if (pat[strlen(pat) - 1] == '.') { 406 tcpd_warn("%s: user name ends in dot", pat); 407 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 408 || STR_EQ(pat, "KNOWN")) { 409 /* void */ ; 410 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 411 tcpd_warn("FAIL is no longer recognized"); 412 tcpd_warn("(use EXCEPT or DENY instead)"); 413 } else if (reserved_name(pat)) { 414 tcpd_warn("%s: user name may be reserved word", pat); 415 } 416 } 417 418 /* check_host - criticize host pattern */ 419 420 static int check_host(pat) 421 char *pat; 422 { 423 char *mask; 424 int addr_count = 1; 425 426 if (pat[0] == '@') { /* @netgroup */ 427 #ifdef NO_NETGRENT 428 /* SCO has no *netgrent() support */ 429 #else 430 #ifdef NETGROUP 431 const char *machinep; 432 const char *userp; 433 const char *domainp; 434 435 setnetgrent(pat + 1); 436 if (getnetgrent(&machinep, &userp, &domainp) == 0) 437 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 438 endnetgrent(); 439 #else 440 tcpd_warn("netgroup support disabled"); 441 #endif 442 #endif 443 } else if ((mask = split_at(pat, '/')) != NULL) { /* network/netmask */ 444 if (dot_quad_addr(pat, NULL) != 0 445 || dot_quad_addr(mask, NULL) != 0) 446 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 447 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 448 tcpd_warn("FAIL is no longer recognized"); 449 tcpd_warn("(use EXCEPT or DENY instead)"); 450 } else if (reserved_name(pat)) { /* other reserved */ 451 /* void */ ; 452 } else if (NOT_INADDR(pat)) { /* internet name */ 453 if (pat[strlen(pat) - 1] == '.') { 454 tcpd_warn("%s: domain or host name ends in dot", pat); 455 } else if (pat[0] != '.') { 456 addr_count = check_dns(pat); 457 } 458 } else { /* numeric form */ 459 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 460 /* void */ ; 461 } else if (pat[0] == '.') { 462 tcpd_warn("%s: network number begins with dot", pat); 463 } else if (pat[strlen(pat) - 1] != '.') { 464 check_dns(pat); 465 } 466 } 467 return (addr_count); 468 } 469 470 /* reserved_name - determine if name is reserved */ 471 472 static int reserved_name(pat) 473 char *pat; 474 { 475 return (STR_EQ(pat, unknown) 476 || STR_EQ(pat, "KNOWN") 477 || STR_EQ(pat, paranoid) 478 || STR_EQ(pat, "ALL") 479 || STR_EQ(pat, "LOCAL")); 480 } 481
Indexes created Mon Sep 22 05:09:51 GMT 2025