tcpdmatch.c revision 1.1.1.1
1 1.1 cjs /* 2 1.1 cjs * tcpdmatch - explain what tcpd would do in a specific case 3 1.1 cjs * 4 1.1 cjs * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host 5 1.1 cjs * 6 1.1 cjs * -d: use the access control tables in the current directory. 7 1.1 cjs * 8 1.1 cjs * -i: location of inetd.conf file. 9 1.1 cjs * 10 1.1 cjs * All errors are reported to the standard error stream, including the errors 11 1.1 cjs * that would normally be reported via the syslog daemon. 12 1.1 cjs * 13 1.1 cjs * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 14 1.1 cjs */ 15 1.1 cjs 16 1.1 cjs #ifndef lint 17 1.1 cjs static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36"; 18 1.1 cjs #endif 19 1.1 cjs 20 1.1 cjs /* System libraries. */ 21 1.1 cjs 22 1.1 cjs #include <sys/types.h> 23 1.1 cjs #include <sys/stat.h> 24 1.1 cjs #include <sys/socket.h> 25 1.1 cjs #include <netinet/in.h> 26 1.1 cjs #include <arpa/inet.h> 27 1.1 cjs #include <netdb.h> 28 1.1 cjs #include <stdio.h> 29 1.1 cjs #include <syslog.h> 30 1.1 cjs #include <setjmp.h> 31 1.1 cjs #include <string.h> 32 1.1 cjs 33 1.1 cjs extern void exit(); 34 1.1 cjs extern int optind; 35 1.1 cjs extern char *optarg; 36 1.1 cjs 37 1.1 cjs #ifndef INADDR_NONE 38 1.1 cjs #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 39 1.1 cjs #endif 40 1.1 cjs 41 1.1 cjs #ifndef S_ISDIR 42 1.1 cjs #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 43 1.1 cjs #endif 44 1.1 cjs 45 1.1 cjs /* Application-specific. */ 46 1.1 cjs 47 1.1 cjs #include "tcpd.h" 48 1.1 cjs #include "inetcf.h" 49 1.1 cjs #include "scaffold.h" 50 1.1 cjs 51 1.1 cjs static void usage(); 52 1.1 cjs static void tcpdmatch(); 53 1.1 cjs 54 1.1 cjs /* The main program */ 55 1.1 cjs 56 1.1 cjs int main(argc, argv) 57 1.1 cjs int argc; 58 1.1 cjs char **argv; 59 1.1 cjs { 60 1.1 cjs struct hostent *hp; 61 1.1 cjs char *myname = argv[0]; 62 1.1 cjs char *client; 63 1.1 cjs char *server; 64 1.1 cjs char *addr; 65 1.1 cjs char *user; 66 1.1 cjs char *daemon; 67 1.1 cjs struct request_info request; 68 1.1 cjs int ch; 69 1.1 cjs char *inetcf = 0; 70 1.1 cjs int count; 71 1.1 cjs struct sockaddr_in server_sin; 72 1.1 cjs struct sockaddr_in client_sin; 73 1.1 cjs struct stat st; 74 1.1 cjs 75 1.1 cjs /* 76 1.1 cjs * Show what rule actually matched. 77 1.1 cjs */ 78 1.1 cjs hosts_access_verbose = 2; 79 1.1 cjs 80 1.1 cjs /* 81 1.1 cjs * Parse the JCL. 82 1.1 cjs */ 83 1.1 cjs while ((ch = getopt(argc, argv, "di:")) != EOF) { 84 1.1 cjs switch (ch) { 85 1.1 cjs case 'd': 86 1.1 cjs hosts_allow_table = "hosts.allow"; 87 1.1 cjs hosts_deny_table = "hosts.deny"; 88 1.1 cjs break; 89 1.1 cjs case 'i': 90 1.1 cjs inetcf = optarg; 91 1.1 cjs break; 92 1.1 cjs default: 93 1.1 cjs usage(myname); 94 1.1 cjs /* NOTREACHED */ 95 1.1 cjs } 96 1.1 cjs } 97 1.1 cjs if (argc != optind + 2) 98 1.1 cjs usage(myname); 99 1.1 cjs 100 1.1 cjs /* 101 1.1 cjs * When confusion really strikes... 102 1.1 cjs */ 103 1.1 cjs if (check_path(REAL_DAEMON_DIR, &st) < 0) { 104 1.1 cjs tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 105 1.1 cjs } else if (!S_ISDIR(st.st_mode)) { 106 1.1 cjs tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 107 1.1 cjs } 108 1.1 cjs 109 1.1 cjs /* 110 1.1 cjs * Default is to specify a daemon process name. When daemon@host is 111 1.1 cjs * specified, separate the two parts. 112 1.1 cjs */ 113 1.1 cjs if ((server = split_at(argv[optind], '@')) == 0) 114 1.1 cjs server = unknown; 115 1.1 cjs if (argv[optind][0] == '/') { 116 1.1 cjs daemon = strrchr(argv[optind], '/') + 1; 117 1.1 cjs tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon); 118 1.1 cjs } else { 119 1.1 cjs daemon = argv[optind]; 120 1.1 cjs } 121 1.1 cjs 122 1.1 cjs /* 123 1.1 cjs * Default is to specify a client hostname or address. When user@host is 124 1.1 cjs * specified, separate the two parts. 125 1.1 cjs */ 126 1.1 cjs if ((client = split_at(argv[optind + 1], '@')) != 0) { 127 1.1 cjs user = argv[optind + 1]; 128 1.1 cjs } else { 129 1.1 cjs client = argv[optind + 1]; 130 1.1 cjs user = unknown; 131 1.1 cjs } 132 1.1 cjs 133 1.1 cjs /* 134 1.1 cjs * Analyze the inetd (or tlid) configuration file, so that we can warn 135 1.1 cjs * the user about services that may not be wrapped, services that are not 136 1.1 cjs * configured, or services that are wrapped in an incorrect manner. Allow 137 1.1 cjs * for services that are not run from inetd, or that have tcpd access 138 1.1 cjs * control built into them. 139 1.1 cjs */ 140 1.1 cjs inetcf = inet_cfg(inetcf); 141 1.1 cjs inet_set("portmap", WR_NOT); 142 1.1 cjs inet_set("rpcbind", WR_NOT); 143 1.1 cjs switch (inet_get(daemon)) { 144 1.1 cjs case WR_UNKNOWN: 145 1.1 cjs tcpd_warn("%s: no such process name in %s", daemon, inetcf); 146 1.1 cjs break; 147 1.1 cjs case WR_NOT: 148 1.1 cjs tcpd_warn("%s: service possibly not wrapped", daemon); 149 1.1 cjs break; 150 1.1 cjs } 151 1.1 cjs 152 1.1 cjs /* 153 1.1 cjs * Check accessibility of access control files. 154 1.1 cjs */ 155 1.1 cjs (void) check_path(hosts_allow_table, &st); 156 1.1 cjs (void) check_path(hosts_deny_table, &st); 157 1.1 cjs 158 1.1 cjs /* 159 1.1 cjs * Fill in what we have figured out sofar. Use socket and DNS routines 160 1.1 cjs * for address and name conversions. We attach stdout to the request so 161 1.1 cjs * that banner messages will become visible. 162 1.1 cjs */ 163 1.1 cjs request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0); 164 1.1 cjs sock_methods(&request); 165 1.1 cjs 166 1.1 cjs /* 167 1.1 cjs * If a server hostname is specified, insist that the name maps to at 168 1.1 cjs * most one address. eval_hostname() warns the user about name server 169 1.1 cjs * problems, while using the request.server structure as a cache for host 170 1.1 cjs * address and name conversion results. 171 1.1 cjs */ 172 1.1 cjs if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { 173 1.1 cjs if ((hp = find_inet_addr(server)) == 0) 174 1.1 cjs exit(1); 175 1.1 cjs memset((char *) &server_sin, 0, sizeof(server_sin)); 176 1.1 cjs server_sin.sin_family = AF_INET; 177 1.1 cjs request_set(&request, RQ_SERVER_SIN, &server_sin, 0); 178 1.1 cjs 179 1.1 cjs for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 180 1.1 cjs memcpy((char *) &server_sin.sin_addr, addr, 181 1.1 cjs sizeof(server_sin.sin_addr)); 182 1.1 cjs 183 1.1 cjs /* 184 1.1 cjs * Force evaluation of server host name and address. Host name 185 1.1 cjs * conflicts will be reported while eval_hostname() does its job. 186 1.1 cjs */ 187 1.1 cjs request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0); 188 1.1 cjs if (STR_EQ(eval_hostname(request.server), unknown)) 189 1.1 cjs tcpd_warn("host address %s->name lookup failed", 190 1.1 cjs eval_hostaddr(request.server)); 191 1.1 cjs } 192 1.1 cjs if (count > 1) { 193 1.1 cjs fprintf(stderr, "Error: %s has more than one address\n", server); 194 1.1 cjs fprintf(stderr, "Please specify an address instead\n"); 195 1.1 cjs exit(1); 196 1.1 cjs } 197 1.1 cjs free((char *) hp); 198 1.1 cjs } else { 199 1.1 cjs request_set(&request, RQ_SERVER_NAME, server, 0); 200 1.1 cjs } 201 1.1 cjs 202 1.1 cjs /* 203 1.1 cjs * If a client address is specified, we simulate the effect of client 204 1.1 cjs * hostname lookup failure. 205 1.1 cjs */ 206 1.1 cjs if (dot_quad_addr(client) != INADDR_NONE) { 207 1.1 cjs request_set(&request, RQ_CLIENT_ADDR, client, 0); 208 1.1 cjs tcpdmatch(&request); 209 1.1 cjs exit(0); 210 1.1 cjs } 211 1.1 cjs 212 1.1 cjs /* 213 1.1 cjs * Perhaps they are testing special client hostname patterns that aren't 214 1.1 cjs * really host names at all. 215 1.1 cjs */ 216 1.1 cjs if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) { 217 1.1 cjs request_set(&request, RQ_CLIENT_NAME, client, 0); 218 1.1 cjs tcpdmatch(&request); 219 1.1 cjs exit(0); 220 1.1 cjs } 221 1.1 cjs 222 1.1 cjs /* 223 1.1 cjs * Otherwise, assume that a client hostname is specified, and insist that 224 1.1 cjs * the address can be looked up. The reason for this requirement is that 225 1.1 cjs * in real life the client address is available (at least with IP). Let 226 1.1 cjs * eval_hostname() figure out if this host is properly registered, while 227 1.1 cjs * using the request.client structure as a cache for host name and 228 1.1 cjs * address conversion results. 229 1.1 cjs */ 230 1.1 cjs if ((hp = find_inet_addr(client)) == 0) 231 1.1 cjs exit(1); 232 1.1 cjs memset((char *) &client_sin, 0, sizeof(client_sin)); 233 1.1 cjs client_sin.sin_family = AF_INET; 234 1.1 cjs request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); 235 1.1 cjs 236 1.1 cjs for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 237 1.1 cjs memcpy((char *) &client_sin.sin_addr, addr, 238 1.1 cjs sizeof(client_sin.sin_addr)); 239 1.1 cjs 240 1.1 cjs /* 241 1.1 cjs * Force evaluation of client host name and address. Host name 242 1.1 cjs * conflicts will be reported while eval_hostname() does its job. 243 1.1 cjs */ 244 1.1 cjs request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); 245 1.1 cjs if (STR_EQ(eval_hostname(request.client), unknown)) 246 1.1 cjs tcpd_warn("host address %s->name lookup failed", 247 1.1 cjs eval_hostaddr(request.client)); 248 1.1 cjs tcpdmatch(&request); 249 1.1 cjs if (hp->h_addr_list[count + 1]) 250 1.1 cjs printf("\n"); 251 1.1 cjs } 252 1.1 cjs free((char *) hp); 253 1.1 cjs exit(0); 254 1.1 cjs } 255 1.1 cjs 256 1.1 cjs /* Explain how to use this program */ 257 1.1 cjs 258 1.1 cjs static void usage(myname) 259 1.1 cjs char *myname; 260 1.1 cjs { 261 1.1 cjs fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n", 262 1.1 cjs myname); 263 1.1 cjs fprintf(stderr, " -d: use allow/deny files in current directory\n"); 264 1.1 cjs fprintf(stderr, " -i: location of inetd.conf file\n"); 265 1.1 cjs exit(1); 266 1.1 cjs } 267 1.1 cjs 268 1.1 cjs /* Print interesting expansions */ 269 1.1 cjs 270 1.1 cjs static void expand(text, pattern, request) 271 1.1 cjs char *text; 272 1.1 cjs char *pattern; 273 1.1 cjs struct request_info *request; 274 1.1 cjs { 275 1.1 cjs char buf[BUFSIZ]; 276 1.1 cjs 277 1.1 cjs if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown)) 278 1.1 cjs printf("%s %s\n", text, buf); 279 1.1 cjs } 280 1.1 cjs 281 1.1 cjs /* Try out a (server,client) pair */ 282 1.1 cjs 283 1.1 cjs static void tcpdmatch(request) 284 1.1 cjs struct request_info *request; 285 1.1 cjs { 286 1.1 cjs int verdict; 287 1.1 cjs 288 1.1 cjs /* 289 1.1 cjs * Show what we really know. Suppress uninteresting noise. 290 1.1 cjs */ 291 1.1 cjs expand("client: hostname", "%n", request); 292 1.1 cjs expand("client: address ", "%a", request); 293 1.1 cjs expand("client: username", "%u", request); 294 1.1 cjs expand("server: hostname", "%N", request); 295 1.1 cjs expand("server: address ", "%A", request); 296 1.1 cjs expand("server: process ", "%d", request); 297 1.1 cjs 298 1.1 cjs /* 299 1.1 cjs * Reset stuff that might be changed by options handlers. In dry-run 300 1.1 cjs * mode, extension language routines that would not return should inform 301 1.1 cjs * us of their plan, by clearing the dry_run flag. This is a bit clumsy 302 1.1 cjs * but we must be able to verify hosts with more than one network 303 1.1 cjs * address. 304 1.1 cjs */ 305 1.1 cjs rfc931_timeout = RFC931_TIMEOUT; 306 1.1 cjs allow_severity = SEVERITY; 307 1.1 cjs deny_severity = LOG_WARNING; 308 1.1 cjs dry_run = 1; 309 1.1 cjs 310 1.1 cjs /* 311 1.1 cjs * When paranoid mode is enabled, access is rejected no matter what the 312 1.1 cjs * access control rules say. 313 1.1 cjs */ 314 1.1 cjs #ifdef PARANOID 315 1.1 cjs if (STR_EQ(eval_hostname(request->client), paranoid)) { 316 1.1 cjs printf("access: denied (PARANOID mode)\n\n"); 317 1.1 cjs return; 318 1.1 cjs } 319 1.1 cjs #endif 320 1.1 cjs 321 1.1 cjs /* 322 1.1 cjs * Report the access control verdict. 323 1.1 cjs */ 324 1.1 cjs verdict = hosts_access(request); 325 1.1 cjs printf("access: %s\n", 326 1.1 cjs dry_run == 0 ? "delegated" : 327 1.1 cjs verdict ? "granted" : "denied"); 328 1.1 cjs } 329
Indexes created Mon Sep 29 21:09:56 GMT 2025