1142675Sphantom /* 2142675Sphantom * tcpdchk - examine all tcpd access control rules and inetd.conf entries 3142675Sphantom * 4142675Sphantom * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 5142675Sphantom * 6142675Sphantom * -a: complain about implicit "allow" at end of rule. 7142675Sphantom * 8142675Sphantom * -d: rules in current directory. 9142675Sphantom * 10142675Sphantom * -i: location of inetd.conf file. 11142675Sphantom * 12142675Sphantom * -v: show all rules. 13142675Sphantom * 14142675Sphantom * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 15142675Sphantom * 16142675Sphantom * $FreeBSD$ 17142675Sphantom */ 18142675Sphantom 19142675Sphantom#ifndef lint 20142675Sphantomstatic char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 21142675Sphantom#endif 22142675Sphantom 23142675Sphantom/* System libraries. */ 24142675Sphantom 25142675Sphantom#include <sys/types.h> 26142675Sphantom#include <sys/stat.h> 27142675Sphantom#ifdef INET6 28142675Sphantom#include <sys/socket.h> 29142675Sphantom#endif 30142675Sphantom#include <netinet/in.h> 31142675Sphantom#include <arpa/inet.h> 32142675Sphantom#include <stdio.h> 33142675Sphantom#include <syslog.h> 34142675Sphantom#include <setjmp.h> 35142675Sphantom#include <errno.h> 36142675Sphantom#include <netdb.h> 37142675Sphantom#include <string.h> 38142675Sphantom 39142675Sphantomextern int errno; 40142675Sphantomextern void exit(); 41142675Sphantomextern int optind; 42142675Sphantomextern char *optarg; 43142675Sphantom 44142675Sphantom#ifndef INADDR_NONE 45142675Sphantom#define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 46142675Sphantom#endif 47142675Sphantom 48142675Sphantom#ifndef S_ISDIR 49142675Sphantom#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 50142675Sphantom#endif 51142675Sphantom 52142675Sphantom/* Application-specific. */ 53142675Sphantom 54142675Sphantom#include "tcpd.h" 55142675Sphantom#include "inetcf.h" 56142675Sphantom#include "scaffold.h" 57142675Sphantom 58142675Sphantom /* 59142675Sphantom * Stolen from hosts_access.c... 60142675Sphantom */ 61142675Sphantomstatic char sep[] = ", \t\n"; 62142675Sphantom 63142675Sphantom#define BUFLEN 2048 64142675Sphantom 65142675Sphantomint resident = 0; 66142675Sphantomint hosts_access_verbose = 0; 67142675Sphantomchar *hosts_allow_table = HOSTS_ALLOW; 68142675Sphantomchar *hosts_deny_table = HOSTS_DENY; 69142675Sphantomextern jmp_buf tcpd_buf; 70142675Sphantom 71142675Sphantom /* 72142675Sphantom * Local stuff. 73142675Sphantom */ 74142675Sphantomstatic void usage(); 75142675Sphantomstatic void parse_table(); 76142675Sphantomstatic void print_list(); 77142675Sphantomstatic void check_daemon_list(); 78142675Sphantomstatic void check_client_list(); 79142675Sphantomstatic void check_daemon(); 80142675Sphantomstatic void check_user(); 81142675Sphantomstatic int check_host(); 82142675Sphantomstatic int reserved_name(); 83142675Sphantom 84142675Sphantom#define PERMIT 1 85142675Sphantom#define DENY 0 86142675Sphantom 87142675Sphantom#define YES 1 88142675Sphantom#define NO 0 89142675Sphantom 90142675Sphantomstatic int defl_verdict; 91142675Sphantomstatic char *myname; 92142675Sphantomstatic int allow_check; 93142675Sphantomstatic char *inetcf; 94142675Sphantom 95142675Sphantomint main(argc, argv) 96142675Sphantomint argc; 97142675Sphantomchar **argv; 98142675Sphantom{ 99142675Sphantom struct request_info request; 100142675Sphantom struct stat st; 101142675Sphantom int c; 102142675Sphantom 103142675Sphantom myname = argv[0]; 104142675Sphantom 105142675Sphantom /* 106142675Sphantom * Parse the JCL. 107142675Sphantom */ 108142675Sphantom while ((c = getopt(argc, argv, "adi:v")) != EOF) { 109142675Sphantom switch (c) { 110142675Sphantom case 'a': 111142675Sphantom allow_check = 1; 112142675Sphantom break; 113142675Sphantom case 'd': 114142675Sphantom hosts_allow_table = "hosts.allow"; 115142675Sphantom hosts_deny_table = "hosts.deny"; 116142675Sphantom break; 117190196Smaxim case 'i': 118142675Sphantom inetcf = optarg; 119142675Sphantom break; 120142675Sphantom case 'v': 121142675Sphantom hosts_access_verbose++; 122142675Sphantom break; 123142675Sphantom default: 124142675Sphantom usage(); 125142675Sphantom /* NOTREACHED */ 126142675Sphantom } 127142675Sphantom } 128142675Sphantom if (argc != optind) 129142675Sphantom usage(); 130142675Sphantom 131142675Sphantom /* 132142675Sphantom * When confusion really strikes... 133142675Sphantom */ 134142675Sphantom if (check_path(REAL_DAEMON_DIR, &st) < 0) { 135142675Sphantom tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 136142675Sphantom } else if (!S_ISDIR(st.st_mode)) { 137142675Sphantom tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 138142675Sphantom } 139142675Sphantom 140142675Sphantom /* 141142675Sphantom * Process the inet configuration file (or its moral equivalent). This 142142675Sphantom * information is used later to find references in hosts.allow/deny to 143142675Sphantom * unwrapped services, and other possible problems. 144142675Sphantom */ 145142675Sphantom inetcf = inet_cfg(inetcf); 146142675Sphantom if (hosts_access_verbose) 147142675Sphantom printf("Using network configuration file: %s\n", inetcf); 148142675Sphantom 149190196Smaxim /* 150142675Sphantom * These are not run from inetd but may have built-in access control. 151142675Sphantom */ 152142675Sphantom inet_set("portmap", WR_NOT); 153142675Sphantom inet_set("rpcbind", WR_NOT); 154142675Sphantom 155142675Sphantom /* 156142675Sphantom * Check accessibility of access control files. 157142675Sphantom */ 158142675Sphantom (void) check_path(hosts_allow_table, &st); 159142675Sphantom (void) check_path(hosts_deny_table, &st); 160142675Sphantom 161142675Sphantom /* 162142675Sphantom * Fake up an arbitrary service request. 163142675Sphantom */ 164142675Sphantom request_init(&request, 165142675Sphantom RQ_DAEMON, "daemon_name", 166142675Sphantom RQ_SERVER_NAME, "server_hostname", 167142675Sphantom RQ_SERVER_ADDR, "server_addr", 168142675Sphantom RQ_USER, "user_name", 169142675Sphantom RQ_CLIENT_NAME, "client_hostname", 170142675Sphantom RQ_CLIENT_ADDR, "client_addr", 171142675Sphantom RQ_FILE, 1, 172142675Sphantom 0); 173142675Sphantom 174142675Sphantom /* 175142675Sphantom * Examine all access-control rules. 176142675Sphantom */ 177142675Sphantom defl_verdict = PERMIT; 178142675Sphantom parse_table(hosts_allow_table, &request); 179142675Sphantom defl_verdict = DENY; 180142675Sphantom parse_table(hosts_deny_table, &request); 181142675Sphantom return (0); 182142675Sphantom} 183190196Smaxim 184142675Sphantom/* usage - explain */ 185190196Smaxim 186209360Smaximstatic void usage() 187209360Smaxim{ 188209360Smaxim fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 189209360Smaxim fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 190209360Smaxim fprintf(stderr, " -d: use allow/deny files in current directory\n"); 191209360Smaxim fprintf(stderr, " -i: location of inetd.conf file\n"); 192209360Smaxim fprintf(stderr, " -v: list all rules\n"); 193209360Smaxim exit(1); 194209360Smaxim} 195209360Smaxim 196142675Sphantom/* parse_table - like table_match(), but examines _all_ entries */ 197142675Sphantom 198142675Sphantomstatic void parse_table(table, request) 199142675Sphantomchar *table; 200142675Sphantomstruct request_info *request; 201142675Sphantom{ 202142675Sphantom FILE *fp; 203142675Sphantom int real_verdict; 204142675Sphantom char sv_list[BUFLEN]; /* becomes list of daemons */ 205142675Sphantom char *cl_list; /* becomes list of requests */ 206142675Sphantom char *sh_cmd; /* becomes optional shell command */ 207142675Sphantom char buf[BUFSIZ]; 208142675Sphantom int verdict; 209142675Sphantom struct tcpd_context saved_context; 210142675Sphantom 211142675Sphantom saved_context = tcpd_context; /* stupid compilers */ 212142675Sphantom 213142675Sphantom if (fp = fopen(table, "r")) { 214142675Sphantom tcpd_context.file = table; 215142675Sphantom tcpd_context.line = 0; 216142675Sphantom while (xgets(sv_list, sizeof(sv_list), fp)) { 217142675Sphantom if (sv_list[strlen(sv_list) - 1] != '\n') { 218142675Sphantom tcpd_warn("missing newline or line too long"); 219142675Sphantom continue; 220142675Sphantom } 221142675Sphantom if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 222142675Sphantom continue; 223142675Sphantom if ((cl_list = split_at(sv_list, ':')) == 0) { 224142675Sphantom tcpd_warn("missing \":\" separator"); 225142675Sphantom continue; 226142675Sphantom } 227142675Sphantom sh_cmd = split_at(cl_list, ':'); 228142675Sphantom 229142675Sphantom if (hosts_access_verbose) 230142675Sphantom printf("\n>>> Rule %s line %d:\n", 231142675Sphantom tcpd_context.file, tcpd_context.line); 232142675Sphantom 233142675Sphantom if (hosts_access_verbose) 234142675Sphantom print_list("daemons: ", sv_list); 235142675Sphantom check_daemon_list(sv_list); 236142675Sphantom 237142675Sphantom if (hosts_access_verbose) 238142675Sphantom print_list("clients: ", cl_list); 239142675Sphantom check_client_list(cl_list); 240142675Sphantom 241142675Sphantom#ifdef PROCESS_OPTIONS 242142675Sphantom real_verdict = defl_verdict; 243142675Sphantom if (sh_cmd) { 244142675Sphantom verdict = setjmp(tcpd_buf); 245142675Sphantom if (verdict != 0) { 246142675Sphantom real_verdict = (verdict == AC_PERMIT); 247142675Sphantom } else { 248142675Sphantom dry_run = 1; 249142675Sphantom process_options(sh_cmd, request); 250142675Sphantom if (dry_run == 1 && real_verdict && allow_check) 251142675Sphantom tcpd_warn("implicit \"allow\" at end of rule"); 252142675Sphantom } 253142675Sphantom } else if (defl_verdict && allow_check) { 254142675Sphantom tcpd_warn("implicit \"allow\" at end of rule"); 255142675Sphantom } 256142675Sphantom if (hosts_access_verbose) 257142675Sphantom printf("access: %s\n", real_verdict ? "granted" : "denied"); 258142675Sphantom#else 259142675Sphantom if (sh_cmd) 260142675Sphantom shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 261142675Sphantom if (hosts_access_verbose) 262142675Sphantom printf("access: %s\n", defl_verdict ? "granted" : "denied"); 263142675Sphantom#endif 264142675Sphantom } 265142675Sphantom (void) fclose(fp); 266142675Sphantom } else if (errno != ENOENT) { 267 tcpd_warn("cannot open %s: %m", table); 268 } 269 tcpd_context = saved_context; 270} 271 272/* print_list - pretty-print a list */ 273 274static void print_list(title, list) 275char *title; 276char *list; 277{ 278 char buf[BUFLEN]; 279 char *cp; 280 char *next; 281 282 fputs(title, stdout); 283 strcpy(buf, list); 284 285 for (cp = strtok(buf, sep); cp != 0; cp = next) { 286 fputs(cp, stdout); 287 next = strtok((char *) 0, sep); 288 if (next != 0) 289 fputs(" ", stdout); 290 } 291 fputs("\n", stdout); 292} 293 294/* check_daemon_list - criticize daemon list */ 295 296static void check_daemon_list(list) 297char *list; 298{ 299 char buf[BUFLEN]; 300 char *cp; 301 char *host; 302 int daemons = 0; 303 304 strcpy(buf, list); 305 306 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 307 if (STR_EQ(cp, "EXCEPT")) { 308 daemons = 0; 309 } else { 310 daemons++; 311 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 312 tcpd_warn("host %s has more than one address", host); 313 tcpd_warn("(consider using an address instead)"); 314 } 315 check_daemon(cp); 316 } 317 } 318 if (daemons == 0) 319 tcpd_warn("daemon list is empty or ends in EXCEPT"); 320} 321 322/* check_client_list - criticize client list */ 323 324static void check_client_list(list) 325char *list; 326{ 327 char buf[BUFLEN]; 328 char *cp; 329 char *host; 330 int clients = 0; 331 332 strcpy(buf, list); 333 334 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 335 if (STR_EQ(cp, "EXCEPT")) { 336 clients = 0; 337 } else { 338 clients++; 339 if (host = split_at(cp + 1, '@')) { /* user@host */ 340 check_user(cp); 341 check_host(host); 342 } else { 343 check_host(cp); 344 } 345 } 346 } 347 if (clients == 0) 348 tcpd_warn("client list is empty or ends in EXCEPT"); 349} 350 351/* check_daemon - criticize daemon pattern */ 352 353static void check_daemon(pat) 354char *pat; 355{ 356 if (pat[0] == '@') { 357 tcpd_warn("%s: daemon name begins with \"@\"", pat); 358 } else if (pat[0] == '/') { 359 tcpd_warn("%s: daemon name begins with \"/\"", pat); 360 } else if (pat[0] == '.') { 361 tcpd_warn("%s: daemon name begins with dot", pat); 362 } else if (pat[strlen(pat) - 1] == '.') { 363 tcpd_warn("%s: daemon name ends in dot", pat); 364 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 365 /* void */ ; 366 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 367 tcpd_warn("FAIL is no longer recognized"); 368 tcpd_warn("(use EXCEPT or DENY instead)"); 369 } else if (reserved_name(pat)) { 370 tcpd_warn("%s: daemon name may be reserved word", pat); 371 } else { 372 switch (inet_get(pat)) { 373 case WR_UNKNOWN: 374 tcpd_warn("%s: no such process name in %s", pat, inetcf); 375 inet_set(pat, WR_YES); /* shut up next time */ 376 break; 377 case WR_NOT: 378 tcpd_warn("%s: service possibly not wrapped", pat); 379 inet_set(pat, WR_YES); 380 break; 381 } 382 } 383} 384 385/* check_user - criticize user pattern */ 386 387static void check_user(pat) 388char *pat; 389{ 390 if (pat[0] == '@') { /* @netgroup */ 391 tcpd_warn("%s: user name begins with \"@\"", pat); 392 } else if (pat[0] == '/') { 393 tcpd_warn("%s: user name begins with \"/\"", pat); 394 } else if (pat[0] == '.') { 395 tcpd_warn("%s: user name begins with dot", pat); 396 } else if (pat[strlen(pat) - 1] == '.') { 397 tcpd_warn("%s: user name ends in dot", pat); 398 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 399 || STR_EQ(pat, "KNOWN")) { 400 /* void */ ; 401 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 402 tcpd_warn("FAIL is no longer recognized"); 403 tcpd_warn("(use EXCEPT or DENY instead)"); 404 } else if (reserved_name(pat)) { 405 tcpd_warn("%s: user name may be reserved word", pat); 406 } 407} 408 409#ifdef INET6 410static int is_inet6_addr(pat) 411 char *pat; 412{ 413 struct addrinfo hints, *res; 414 int len, ret; 415 char ch; 416 417 if (*pat != '[') 418 return (0); 419 len = strlen(pat); 420 if ((ch = pat[len - 1]) != ']') 421 return (0); 422 pat[len - 1] = '\0'; 423 memset(&hints, 0, sizeof(hints)); 424 hints.ai_family = AF_INET6; 425 hints.ai_socktype = SOCK_STREAM; 426 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 427 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) 428 freeaddrinfo(res); 429 pat[len - 1] = ch; 430 return (ret == 0); 431} 432#endif 433 434/* check_host - criticize host pattern */ 435 436static int check_host(pat) 437char *pat; 438{ 439 char buf[BUFSIZ]; 440 char *mask; 441 int addr_count = 1; 442 FILE *fp; 443 struct tcpd_context saved_context; 444 char *cp; 445 char *wsp = " \t\r\n"; 446 447 if (pat[0] == '@') { /* @netgroup */ 448#ifdef NO_NETGRENT 449 /* SCO has no *netgrent() support */ 450#else 451#ifdef NETGROUP 452 char *machinep; 453 char *userp; 454 char *domainp; 455 456 setnetgrent(pat + 1); 457 if (getnetgrent(&machinep, &userp, &domainp) == 0) 458 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 459 endnetgrent(); 460#else 461 tcpd_warn("netgroup support disabled"); 462#endif 463#endif 464 } else if (pat[0] == '/') { /* /path/name */ 465 if ((fp = fopen(pat, "r")) != 0) { 466 saved_context = tcpd_context; 467 tcpd_context.file = pat; 468 tcpd_context.line = 0; 469 while (fgets(buf, sizeof(buf), fp)) { 470 tcpd_context.line++; 471 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) 472 check_host(cp); 473 } 474 tcpd_context = saved_context; 475 fclose(fp); 476 } else if (errno != ENOENT) { 477 tcpd_warn("open %s: %m", pat); 478 } 479 } else if (mask = split_at(pat, '/')) { /* network/netmask */ 480#ifdef INET6 481 int mask_len; 482 483 if ((dot_quad_addr(pat) == INADDR_NONE 484 || dot_quad_addr(mask) == INADDR_NONE) 485 && (!is_inet6_addr(pat) 486 || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) 487#else 488 if (dot_quad_addr(pat) == INADDR_NONE 489 || dot_quad_addr(mask) == INADDR_NONE) 490#endif 491 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 492 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 493 tcpd_warn("FAIL is no longer recognized"); 494 tcpd_warn("(use EXCEPT or DENY instead)"); 495 } else if (reserved_name(pat)) { /* other reserved */ 496 /* void */ ; 497#ifdef INET6 498 } else if (is_inet6_addr(pat)) { /* IPv6 address */ 499 addr_count = 1; 500#endif 501 } else if (NOT_INADDR(pat)) { /* internet name */ 502 if (pat[strlen(pat) - 1] == '.') { 503 tcpd_warn("%s: domain or host name ends in dot", pat); 504 } else if (pat[0] != '.') { 505 addr_count = check_dns(pat); 506 } 507 } else { /* numeric form */ 508 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 509 /* void */ ; 510 } else if (pat[0] == '.') { 511 tcpd_warn("%s: network number begins with dot", pat); 512 } else if (pat[strlen(pat) - 1] != '.') { 513 check_dns(pat); 514 } 515 } 516 return (addr_count); 517} 518 519/* reserved_name - determine if name is reserved */ 520 521static int reserved_name(pat) 522char *pat; 523{ 524 return (STR_EQ(pat, unknown) 525 || STR_EQ(pat, "KNOWN") 526 || STR_EQ(pat, paranoid) 527 || STR_EQ(pat, "ALL") 528 || STR_EQ(pat, "LOCAL")); 529} 530