tcpdmatch.c revision 44744 
1 /*
2  * tcpdmatch - explain what tcpd would do in a specific case
3  *
4  * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
5  *
6  * -d: use the access control tables in the current directory.
7  *
8  * -i: location of inetd.conf file.
9  *
10  * All errors are reported to the standard error stream, including the errors
11  * that would normally be reported via the syslog daemon.
12  *
13  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
14  */
15
16#ifndef lint
17static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
18#endif
19
20/* System libraries. */
21
22#include <sys/types.h>
23#include <sys/stat.h>
24#include <sys/socket.h>
25#include <netinet/in.h>
26#include <arpa/inet.h>
27#include <netdb.h>
28#include <stdio.h>
29#include <syslog.h>
30#include <setjmp.h>
31#include <string.h>
32
33extern void exit();
34extern int optind;
35extern char *optarg;
36
37#ifndef	INADDR_NONE
38#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
39#endif
40
41#ifndef S_ISDIR
42#define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
43#endif
44
45/* Application-specific. */
46
47#include "tcpd.h"
48#include "inetcf.h"
49#include "scaffold.h"
50
51static void usage();
52static void tcpdmatch();
53
54/* The main program */
55
56int     main(argc, argv)
57int     argc;
58char  **argv;
59{
60    struct hostent *hp;
61    char   *myname = argv[0];
62    char   *client;
63    char   *server;
64    char   *addr;
65    char   *user;
66    char   *daemon;
67    struct request_info request;
68    int     ch;
69    char   *inetcf = 0;
70    int     count;
71    struct sockaddr_in server_sin;
72    struct sockaddr_in client_sin;
73    struct stat st;
74
75    /*
76     * Show what rule actually matched.
77     */
78    hosts_access_verbose = 2;
79
80    /*
81     * Parse the JCL.
82     */
83    while ((ch = getopt(argc, argv, "di:")) != EOF) {
84	switch (ch) {
85	case 'd':
86	    hosts_allow_table = "hosts.allow";
87	    hosts_deny_table = "hosts.deny";
88	    break;
89	case 'i':
90	    inetcf = optarg;
91	    break;
92	default:
93	    usage(myname);
94	    /* NOTREACHED */
95	}
96    }
97    if (argc != optind + 2)
98	usage(myname);
99
100    /*
101     * When confusion really strikes...
102     */
103    if (check_path(REAL_DAEMON_DIR, &st) < 0) {
104	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
105    } else if (!S_ISDIR(st.st_mode)) {
106	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
107    }
108
109    /*
110     * Default is to specify a daemon process name. When daemon@host is
111     * specified, separate the two parts.
112     */
113    if ((server = split_at(argv[optind], '@')) == 0)
114	server = unknown;
115    if (argv[optind][0] == '/') {
116	daemon = strrchr(argv[optind], '/') + 1;
117	tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
118    } else {
119	daemon = argv[optind];
120    }
121
122    /*
123     * Default is to specify a client hostname or address. When user@host is
124     * specified, separate the two parts.
125     */
126    if ((client = split_at(argv[optind + 1], '@')) != 0) {
127	user = argv[optind + 1];
128    } else {
129	client = argv[optind + 1];
130	user = unknown;
131    }
132
133    /*
134     * Analyze the inetd (or tlid) configuration file, so that we can warn
135     * the user about services that may not be wrapped, services that are not
136     * configured, or services that are wrapped in an incorrect manner. Allow
137     * for services that are not run from inetd, or that have tcpd access
138     * control built into them.
139     */
140    inetcf = inet_cfg(inetcf);
141    inet_set("portmap", WR_NOT);
142    inet_set("rpcbind", WR_NOT);
143    switch (inet_get(daemon)) {
144    case WR_UNKNOWN:
145	tcpd_warn("%s: no such process name in %s", daemon, inetcf);
146	break;
147    case WR_NOT:
148	tcpd_warn("%s: service possibly not wrapped", daemon);
149	break;
150    }
151
152    /*
153     * Check accessibility of access control files.
154     */
155    (void) check_path(hosts_allow_table, &st);
156    (void) check_path(hosts_deny_table, &st);
157
158    /*
159     * Fill in what we have figured out sofar. Use socket and DNS routines
160     * for address and name conversions. We attach stdout to the request so
161     * that banner messages will become visible.
162     */
163    request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
164    sock_methods(&request);
165
166    /*
167     * If a server hostname is specified, insist that the name maps to at
168     * most one address. eval_hostname() warns the user about name server
169     * problems, while using the request.server structure as a cache for host
170     * address and name conversion results.
171     */
172    if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
173	if ((hp = find_inet_addr(server)) == 0)
174	    exit(1);
175	memset((char *) &server_sin, 0, sizeof(server_sin));
176	server_sin.sin_family = AF_INET;
177	request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
178
179	for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
180	    memcpy((char *) &server_sin.sin_addr, addr,
181		   sizeof(server_sin.sin_addr));
182
183	    /*
184	     * Force evaluation of server host name and address. Host name
185	     * conflicts will be reported while eval_hostname() does its job.
186	     */
187	    request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
188	    if (STR_EQ(eval_hostname(request.server), unknown))
189		tcpd_warn("host address %s->name lookup failed",
190			  eval_hostaddr(request.server));
191	}
192	if (count > 1) {
193	    fprintf(stderr, "Error: %s has more than one address\n", server);
194	    fprintf(stderr, "Please specify an address instead\n");
195	    exit(1);
196	}
197	free((char *) hp);
198    } else {
199	request_set(&request, RQ_SERVER_NAME, server, 0);
200    }
201
202    /*
203     * If a client address is specified, we simulate the effect of client
204     * hostname lookup failure.
205     */
206    if (dot_quad_addr(client) != INADDR_NONE) {
207	request_set(&request, RQ_CLIENT_ADDR, client, 0);
208	tcpdmatch(&request);
209	exit(0);
210    }
211
212    /*
213     * Perhaps they are testing special client hostname patterns that aren't
214     * really host names at all.
215     */
216    if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
217	request_set(&request, RQ_CLIENT_NAME, client, 0);
218	tcpdmatch(&request);
219	exit(0);
220    }
221
222    /*
223     * Otherwise, assume that a client hostname is specified, and insist that
224     * the address can be looked up. The reason for this requirement is that
225     * in real life the client address is available (at least with IP). Let
226     * eval_hostname() figure out if this host is properly registered, while
227     * using the request.client structure as a cache for host name and
228     * address conversion results.
229     */
230    if ((hp = find_inet_addr(client)) == 0)
231	exit(1);
232    memset((char *) &client_sin, 0, sizeof(client_sin));
233    client_sin.sin_family = AF_INET;
234    request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
235
236    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
237	memcpy((char *) &client_sin.sin_addr, addr,
238	       sizeof(client_sin.sin_addr));
239
240	/*
241	 * Force evaluation of client host name and address. Host name
242	 * conflicts will be reported while eval_hostname() does its job.
243	 */
244	request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
245	if (STR_EQ(eval_hostname(request.client), unknown))
246	    tcpd_warn("host address %s->name lookup failed",
247		      eval_hostaddr(request.client));
248	tcpdmatch(&request);
249	if (hp->h_addr_list[count + 1])
250	    printf("\n");
251    }
252    free((char *) hp);
253    exit(0);
254}
255
256/* Explain how to use this program */
257
258static void usage(myname)
259char   *myname;
260{
261    fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
262	    myname);
263    fprintf(stderr, "	-d: use allow/deny files in current directory\n");
264    fprintf(stderr, "	-i: location of inetd.conf file\n");
265    exit(1);
266}
267
268/* Print interesting expansions */
269
270static void expand(text, pattern, request)
271char   *text;
272char   *pattern;
273struct request_info *request;
274{
275    char    buf[BUFSIZ];
276
277    if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
278	printf("%s %s\n", text, buf);
279}
280
281/* Try out a (server,client) pair */
282
283static void tcpdmatch(request)
284struct request_info *request;
285{
286    int     verdict;
287
288    /*
289     * Show what we really know. Suppress uninteresting noise.
290     */
291    expand("client:   hostname", "%n", request);
292    expand("client:   address ", "%a", request);
293    expand("client:   username", "%u", request);
294    expand("server:   hostname", "%N", request);
295    expand("server:   address ", "%A", request);
296    expand("server:   process ", "%d", request);
297
298    /*
299     * Reset stuff that might be changed by options handlers. In dry-run
300     * mode, extension language routines that would not return should inform
301     * us of their plan, by clearing the dry_run flag. This is a bit clumsy
302     * but we must be able to verify hosts with more than one network
303     * address.
304     */
305    rfc931_timeout = RFC931_TIMEOUT;
306    allow_severity = SEVERITY;
307    deny_severity = LOG_WARNING;
308    dry_run = 1;
309
310    /*
311     * When paranoid mode is enabled, access is rejected no matter what the
312     * access control rules say.
313     */
314#ifdef PARANOID
315    if (STR_EQ(eval_hostname(request->client), paranoid)) {
316	printf("access:   denied (PARANOID mode)\n\n");
317	return;
318    }
319#endif
320
321    /*
322     * Report the access control verdict.
323     */
324    verdict = hosts_access(request);
325    printf("access:   %s\n",
326	   dry_run == 0 ? "delegated" :
327	   verdict ? "granted" : "denied");
328}
329