Add the DragonFly cvs id and perform general cleanups on cvs/rcs/sccs ids. Most
[dragonfly.git] / contrib / tcp_wrappers / tcpdchk.c
CommitLineData
984263bc
MD
1 /*
2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3 *
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5 *
6 * -a: complain about implicit "allow" at end of rule.
7 *
8 * -d: rules in current directory.
9 *
10 * -i: location of inetd.conf file.
11 *
12 * -v: show all rules.
13 *
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15 *
16 * $FreeBSD: src/contrib/tcp_wrappers/tcpdchk.c,v 1.3.2.1 2000/07/18 08:34:55 ume Exp $
1de703da 17 * $DragonFly: src/contrib/tcp_wrappers/tcpdchk.c,v 1.2 2003/06/17 04:24:06 dillon Exp $
984263bc
MD
18 */
19
20#ifndef lint
21static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
22#endif
23
24/* System libraries. */
25
26#include <sys/types.h>
27#include <sys/stat.h>
28#ifdef INET6
29#include <sys/socket.h>
30#endif
31#include <netinet/in.h>
32#include <arpa/inet.h>
33#include <stdio.h>
34#include <syslog.h>
35#include <setjmp.h>
36#include <errno.h>
37#include <netdb.h>
38#include <string.h>
39
40extern int errno;
41extern void exit();
42extern int optind;
43extern char *optarg;
44
45#ifndef INADDR_NONE
46#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
47#endif
48
49#ifndef S_ISDIR
50#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
51#endif
52
53/* Application-specific. */
54
55#include "tcpd.h"
56#include "inetcf.h"
57#include "scaffold.h"
58
59 /*
60 * Stolen from hosts_access.c...
61 */
62static char sep[] = ", \t\n";
63
64#define BUFLEN 2048
65
66int resident = 0;
67int hosts_access_verbose = 0;
68char *hosts_allow_table = HOSTS_ALLOW;
69char *hosts_deny_table = HOSTS_DENY;
70extern jmp_buf tcpd_buf;
71
72 /*
73 * Local stuff.
74 */
75static void usage();
76static void parse_table();
77static void print_list();
78static void check_daemon_list();
79static void check_client_list();
80static void check_daemon();
81static void check_user();
82static int check_host();
83static int reserved_name();
84
85#define PERMIT 1
86#define DENY 0
87
88#define YES 1
89#define NO 0
90
91static int defl_verdict;
92static char *myname;
93static int allow_check;
94static char *inetcf;
95
96int main(argc, argv)
97int argc;
98char **argv;
99{
100 struct request_info request;
101 struct stat st;
102 int c;
103
104 myname = argv[0];
105
106 /*
107 * Parse the JCL.
108 */
109 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
110 switch (c) {
111 case 'a':
112 allow_check = 1;
113 break;
114 case 'd':
115 hosts_allow_table = "hosts.allow";
116 hosts_deny_table = "hosts.deny";
117 break;
118 case 'i':
119 inetcf = optarg;
120 break;
121 case 'v':
122 hosts_access_verbose++;
123 break;
124 default:
125 usage();
126 /* NOTREACHED */
127 }
128 }
129 if (argc != optind)
130 usage();
131
132 /*
133 * When confusion really strikes...
134 */
135 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
136 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
137 } else if (!S_ISDIR(st.st_mode)) {
138 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
139 }
140
141 /*
142 * Process the inet configuration file (or its moral equivalent). This
143 * information is used later to find references in hosts.allow/deny to
144 * unwrapped services, and other possible problems.
145 */
146 inetcf = inet_cfg(inetcf);
147 if (hosts_access_verbose)
148 printf("Using network configuration file: %s\n", inetcf);
149
150 /*
151 * These are not run from inetd but may have built-in access control.
152 */
153 inet_set("portmap", WR_NOT);
154 inet_set("rpcbind", WR_NOT);
155
156 /*
157 * Check accessibility of access control files.
158 */
159 (void) check_path(hosts_allow_table, &st);
160 (void) check_path(hosts_deny_table, &st);
161
162 /*
163 * Fake up an arbitrary service request.
164 */
165 request_init(&request,
166 RQ_DAEMON, "daemon_name",
167 RQ_SERVER_NAME, "server_hostname",
168 RQ_SERVER_ADDR, "server_addr",
169 RQ_USER, "user_name",
170 RQ_CLIENT_NAME, "client_hostname",
171 RQ_CLIENT_ADDR, "client_addr",
172 RQ_FILE, 1,
173 0);
174
175 /*
176 * Examine all access-control rules.
177 */
178 defl_verdict = PERMIT;
179 parse_table(hosts_allow_table, &request);
180 defl_verdict = DENY;
181 parse_table(hosts_deny_table, &request);
182 return (0);
183}
184
185/* usage - explain */
186
187static void usage()
188{
189 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
190 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
191 fprintf(stderr, " -d: use allow/deny files in current directory\n");
192 fprintf(stderr, " -i: location of inetd.conf file\n");
193 fprintf(stderr, " -v: list all rules\n");
194 exit(1);
195}
196
197/* parse_table - like table_match(), but examines _all_ entries */
198
199static void parse_table(table, request)
200char *table;
201struct request_info *request;
202{
203 FILE *fp;
204 int real_verdict;
205 char sv_list[BUFLEN]; /* becomes list of daemons */
206 char *cl_list; /* becomes list of requests */
207 char *sh_cmd; /* becomes optional shell command */
208 char buf[BUFSIZ];
209 int verdict;
210 struct tcpd_context saved_context;
211
212 saved_context = tcpd_context; /* stupid compilers */
213
214 if (fp = fopen(table, "r")) {
215 tcpd_context.file = table;
216 tcpd_context.line = 0;
217 while (xgets(sv_list, sizeof(sv_list), fp)) {
218 if (sv_list[strlen(sv_list) - 1] != '\n') {
219 tcpd_warn("missing newline or line too long");
220 continue;
221 }
222 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
223 continue;
224 if ((cl_list = split_at(sv_list, ':')) == 0) {
225 tcpd_warn("missing \":\" separator");
226 continue;
227 }
228 sh_cmd = split_at(cl_list, ':');
229
230 if (hosts_access_verbose)
231 printf("\n>>> Rule %s line %d:\n",
232 tcpd_context.file, tcpd_context.line);
233
234 if (hosts_access_verbose)
235 print_list("daemons: ", sv_list);
236 check_daemon_list(sv_list);
237
238 if (hosts_access_verbose)
239 print_list("clients: ", cl_list);
240 check_client_list(cl_list);
241
242#ifdef PROCESS_OPTIONS
243 real_verdict = defl_verdict;
244 if (sh_cmd) {
245 verdict = setjmp(tcpd_buf);
246 if (verdict != 0) {
247 real_verdict = (verdict == AC_PERMIT);
248 } else {
249 dry_run = 1;
250 process_options(sh_cmd, request);
251 if (dry_run == 1 && real_verdict && allow_check)
252 tcpd_warn("implicit \"allow\" at end of rule");
253 }
254 } else if (defl_verdict && allow_check) {
255 tcpd_warn("implicit \"allow\" at end of rule");
256 }
257 if (hosts_access_verbose)
258 printf("access: %s\n", real_verdict ? "granted" : "denied");
259#else
260 if (sh_cmd)
261 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
262 if (hosts_access_verbose)
263 printf("access: %s\n", defl_verdict ? "granted" : "denied");
264#endif
265 }
266 (void) fclose(fp);
267 } else if (errno != ENOENT) {
268 tcpd_warn("cannot open %s: %m", table);
269 }
270 tcpd_context = saved_context;
271}
272
273/* print_list - pretty-print a list */
274
275static void print_list(title, list)
276char *title;
277char *list;
278{
279 char buf[BUFLEN];
280 char *cp;
281 char *next;
282
283 fputs(title, stdout);
284 strcpy(buf, list);
285
286 for (cp = strtok(buf, sep); cp != 0; cp = next) {
287 fputs(cp, stdout);
288 next = strtok((char *) 0, sep);
289 if (next != 0)
290 fputs(" ", stdout);
291 }
292 fputs("\n", stdout);
293}
294
295/* check_daemon_list - criticize daemon list */
296
297static void check_daemon_list(list)
298char *list;
299{
300 char buf[BUFLEN];
301 char *cp;
302 char *host;
303 int daemons = 0;
304
305 strcpy(buf, list);
306
307 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
308 if (STR_EQ(cp, "EXCEPT")) {
309 daemons = 0;
310 } else {
311 daemons++;
312 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
313 tcpd_warn("host %s has more than one address", host);
314 tcpd_warn("(consider using an address instead)");
315 }
316 check_daemon(cp);
317 }
318 }
319 if (daemons == 0)
320 tcpd_warn("daemon list is empty or ends in EXCEPT");
321}
322
323/* check_client_list - criticize client list */
324
325static void check_client_list(list)
326char *list;
327{
328 char buf[BUFLEN];
329 char *cp;
330 char *host;
331 int clients = 0;
332
333 strcpy(buf, list);
334
335 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
336 if (STR_EQ(cp, "EXCEPT")) {
337 clients = 0;
338 } else {
339 clients++;
340 if (host = split_at(cp + 1, '@')) { /* user@host */
341 check_user(cp);
342 check_host(host);
343 } else {
344 check_host(cp);
345 }
346 }
347 }
348 if (clients == 0)
349 tcpd_warn("client list is empty or ends in EXCEPT");
350}
351
352/* check_daemon - criticize daemon pattern */
353
354static void check_daemon(pat)
355char *pat;
356{
357 if (pat[0] == '@') {
358 tcpd_warn("%s: daemon name begins with \"@\"", pat);
359 } else if (pat[0] == '/') {
360 tcpd_warn("%s: daemon name begins with \"/\"", pat);
361 } else if (pat[0] == '.') {
362 tcpd_warn("%s: daemon name begins with dot", pat);
363 } else if (pat[strlen(pat) - 1] == '.') {
364 tcpd_warn("%s: daemon name ends in dot", pat);
365 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
366 /* void */ ;
367 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
368 tcpd_warn("FAIL is no longer recognized");
369 tcpd_warn("(use EXCEPT or DENY instead)");
370 } else if (reserved_name(pat)) {
371 tcpd_warn("%s: daemon name may be reserved word", pat);
372 } else {
373 switch (inet_get(pat)) {
374 case WR_UNKNOWN:
375 tcpd_warn("%s: no such process name in %s", pat, inetcf);
376 inet_set(pat, WR_YES); /* shut up next time */
377 break;
378 case WR_NOT:
379 tcpd_warn("%s: service possibly not wrapped", pat);
380 inet_set(pat, WR_YES);
381 break;
382 }
383 }
384}
385
386/* check_user - criticize user pattern */
387
388static void check_user(pat)
389char *pat;
390{
391 if (pat[0] == '@') { /* @netgroup */
392 tcpd_warn("%s: user name begins with \"@\"", pat);
393 } else if (pat[0] == '/') {
394 tcpd_warn("%s: user name begins with \"/\"", pat);
395 } else if (pat[0] == '.') {
396 tcpd_warn("%s: user name begins with dot", pat);
397 } else if (pat[strlen(pat) - 1] == '.') {
398 tcpd_warn("%s: user name ends in dot", pat);
399 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
400 || STR_EQ(pat, "KNOWN")) {
401 /* void */ ;
402 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
403 tcpd_warn("FAIL is no longer recognized");
404 tcpd_warn("(use EXCEPT or DENY instead)");
405 } else if (reserved_name(pat)) {
406 tcpd_warn("%s: user name may be reserved word", pat);
407 }
408}
409
410#ifdef INET6
411static int is_inet6_addr(pat)
412 char *pat;
413{
414 struct addrinfo hints, *res;
415 int len, ret;
416 char ch;
417
418 if (*pat != '[')
419 return (0);
420 len = strlen(pat);
421 if ((ch = pat[len - 1]) != ']')
422 return (0);
423 pat[len - 1] = '\0';
424 memset(&hints, 0, sizeof(hints));
425 hints.ai_family = AF_INET6;
426 hints.ai_socktype = SOCK_STREAM;
427 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
428 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
429 freeaddrinfo(res);
430 pat[len - 1] = ch;
431 return (ret == 0);
432}
433#endif
434
435/* check_host - criticize host pattern */
436
437static int check_host(pat)
438char *pat;
439{
440 char buf[BUFSIZ];
441 char *mask;
442 int addr_count = 1;
443 FILE *fp;
444 struct tcpd_context saved_context;
445 char *cp;
446 char *wsp = " \t\r\n";
447
448 if (pat[0] == '@') { /* @netgroup */
449#ifdef NO_NETGRENT
450 /* SCO has no *netgrent() support */
451#else
452#ifdef NETGROUP
453 char *machinep;
454 char *userp;
455 char *domainp;
456
457 setnetgrent(pat + 1);
458 if (getnetgrent(&machinep, &userp, &domainp) == 0)
459 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
460 endnetgrent();
461#else
462 tcpd_warn("netgroup support disabled");
463#endif
464#endif
465 } else if (pat[0] == '/') { /* /path/name */
466 if ((fp = fopen(pat, "r")) != 0) {
467 saved_context = tcpd_context;
468 tcpd_context.file = pat;
469 tcpd_context.line = 0;
470 while (fgets(buf, sizeof(buf), fp)) {
471 tcpd_context.line++;
472 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
473 check_host(cp);
474 }
475 tcpd_context = saved_context;
476 fclose(fp);
477 } else if (errno != ENOENT) {
478 tcpd_warn("open %s: %m", pat);
479 }
480 } else if (mask = split_at(pat, '/')) { /* network/netmask */
481#ifdef INET6
482 int mask_len;
483
484 if ((dot_quad_addr(pat) == INADDR_NONE
485 || dot_quad_addr(mask) == INADDR_NONE)
486 && (!is_inet6_addr(pat)
487 || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
488#else
489 if (dot_quad_addr(pat) == INADDR_NONE
490 || dot_quad_addr(mask) == INADDR_NONE)
491#endif
492 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
493 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
494 tcpd_warn("FAIL is no longer recognized");
495 tcpd_warn("(use EXCEPT or DENY instead)");
496 } else if (reserved_name(pat)) { /* other reserved */
497 /* void */ ;
498#ifdef INET6
499 } else if (is_inet6_addr(pat)) { /* IPv6 address */
500 addr_count = 1;
501#endif
502 } else if (NOT_INADDR(pat)) { /* internet name */
503 if (pat[strlen(pat) - 1] == '.') {
504 tcpd_warn("%s: domain or host name ends in dot", pat);
505 } else if (pat[0] != '.') {
506 addr_count = check_dns(pat);
507 }
508 } else { /* numeric form */
509 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
510 /* void */ ;
511 } else if (pat[0] == '.') {
512 tcpd_warn("%s: network number begins with dot", pat);
513 } else if (pat[strlen(pat) - 1] != '.') {
514 check_dns(pat);
515 }
516 }
517 return (addr_count);
518}
519
520/* reserved_name - determine if name is reserved */
521
522static int reserved_name(pat)
523char *pat;
524{
525 return (STR_EQ(pat, unknown)
526 || STR_EQ(pat, "KNOWN")
527 || STR_EQ(pat, paranoid)
528 || STR_EQ(pat, "ALL")
529 || STR_EQ(pat, "LOCAL"));
530}