1 /* 2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries 3 * 4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] 5 * 6 * -a: complain about implicit "allow" at end of rule. 7 * 8 * -d: rules in current directory. 9 * 10 * -i: location of inetd.conf file. 11 * 12 * -v: show all rules. 13 * 14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 15 * 16 * $FreeBSD$ 17 */ 18 19#ifndef lint 20static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; 21#endif 22 23/* System libraries. */ 24 25#include <sys/types.h> 26#include <sys/stat.h> 27#ifdef INET6 28#include <sys/socket.h> 29#endif 30#include <netinet/in.h> 31#include <arpa/inet.h> 32#include <stdio.h> 33#include <syslog.h> 34#include <setjmp.h> 35#include <errno.h> 36#include <netdb.h> 37#include <stdlib.h> 38#include <string.h> 39#include <unistd.h> 40 41#ifndef INADDR_NONE 42#define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 43#endif 44 45#ifndef S_ISDIR 46#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 47#endif 48 49/* Application-specific. */ 50 51#include "tcpd.h" 52#include "inetcf.h" 53#include "scaffold.h" 54 55 /* 56 * Stolen from hosts_access.c... 57 */ 58static char sep[] = ", \t\n"; 59 60#define BUFLEN 2048 61 62int resident = 0; 63int hosts_access_verbose = 0; 64char *hosts_allow_table = HOSTS_ALLOW; 65char *hosts_deny_table = HOSTS_DENY; 66extern jmp_buf tcpd_buf; 67 68 /* 69 * Local stuff. 70 */ 71static void usage(void); 72static void parse_table(char *table, struct request_info *request); 73static void print_list(char *title, char *list); 74static void check_daemon_list(char *list); 75static void check_client_list(char *list); 76static void check_daemon(char *pat); 77static void check_user(char *pat); 78static int check_host(char *pat); 79static int reserved_name(char *pat); 80 81#define PERMIT 1 82#define DENY 0 83 84#define YES 1 85#define NO 0 86 87static int defl_verdict; 88static char *myname; 89static int allow_check; 90static char *inetcf; 91 92int main(int argc, char **argv) 93{ 94 struct request_info request; 95 struct stat st; 96 int c; 97 98 myname = argv[0]; 99 100 /* 101 * Parse the JCL. 102 */ 103 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 104 switch (c) { 105 case 'a': 106 allow_check = 1; 107 break; 108 case 'd': 109 hosts_allow_table = "hosts.allow"; 110 hosts_deny_table = "hosts.deny"; 111 break; 112 case 'i': 113 inetcf = optarg; 114 break; 115 case 'v': 116 hosts_access_verbose++; 117 break; 118 default: 119 usage(); 120 /* NOTREACHED */ 121 } 122 } 123 if (argc != optind) 124 usage(); 125 126 /* 127 * When confusion really strikes... 128 */ 129 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 130 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 131 } else if (!S_ISDIR(st.st_mode)) { 132 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 133 } 134 135 /* 136 * Process the inet configuration file (or its moral equivalent). This 137 * information is used later to find references in hosts.allow/deny to 138 * unwrapped services, and other possible problems. 139 */ 140 inetcf = inet_cfg(inetcf); 141 if (hosts_access_verbose) 142 printf("Using network configuration file: %s\n", inetcf); 143 144 /* 145 * These are not run from inetd but may have built-in access control. 146 */ 147 inet_set("portmap", WR_NOT); 148 inet_set("rpcbind", WR_NOT); 149 150 /* 151 * Check accessibility of access control files. 152 */ 153 (void) check_path(hosts_allow_table, &st); 154 (void) check_path(hosts_deny_table, &st); 155 156 /* 157 * Fake up an arbitrary service request. 158 */ 159 request_init(&request, 160 RQ_DAEMON, "daemon_name", 161 RQ_SERVER_NAME, "server_hostname", 162 RQ_SERVER_ADDR, "server_addr", 163 RQ_USER, "user_name", 164 RQ_CLIENT_NAME, "client_hostname", 165 RQ_CLIENT_ADDR, "client_addr", 166 RQ_FILE, 1, 167 0); 168 169 /* 170 * Examine all access-control rules. 171 */ 172 defl_verdict = PERMIT; 173 parse_table(hosts_allow_table, &request); 174 defl_verdict = DENY; 175 parse_table(hosts_deny_table, &request); 176 return (0); 177} 178 179/* usage - explain */ 180 181static void usage(void) 182{ 183 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 184 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 185 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 186 fprintf(stderr, " -i: location of inetd.conf file\n"); 187 fprintf(stderr, " -v: list all rules\n"); 188 exit(1); 189} 190 191/* parse_table - like table_match(), but examines _all_ entries */ 192 193static void parse_table(char *table, struct request_info *request) 194{ 195 FILE *fp; 196 int real_verdict; 197 char sv_list[BUFLEN]; /* becomes list of daemons */ 198 char *cl_list; /* becomes list of requests */ 199 char *sh_cmd; /* becomes optional shell command */ 200 char buf[BUFSIZ]; 201 int verdict; 202 struct tcpd_context saved_context; 203 204 saved_context = tcpd_context; /* stupid compilers */ 205 206 if (fp = fopen(table, "r")) { 207 tcpd_context.file = table; 208 tcpd_context.line = 0; 209 while (xgets(sv_list, sizeof(sv_list), fp)) { 210 if (sv_list[strlen(sv_list) - 1] != '\n') { 211 tcpd_warn("missing newline or line too long"); 212 continue; 213 } 214 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 215 continue; 216 if ((cl_list = split_at(sv_list, ':')) == 0) { 217 tcpd_warn("missing \":\" separator"); 218 continue; 219 } 220 sh_cmd = split_at(cl_list, ':'); 221 222 if (hosts_access_verbose) 223 printf("\n>>> Rule %s line %d:\n", 224 tcpd_context.file, tcpd_context.line); 225 226 if (hosts_access_verbose) 227 print_list("daemons: ", sv_list); 228 check_daemon_list(sv_list); 229 230 if (hosts_access_verbose) 231 print_list("clients: ", cl_list); 232 check_client_list(cl_list); 233 234#ifdef PROCESS_OPTIONS 235 real_verdict = defl_verdict; 236 if (sh_cmd) { 237 verdict = setjmp(tcpd_buf); 238 if (verdict != 0) { 239 real_verdict = (verdict == AC_PERMIT); 240 } else { 241 dry_run = 1; 242 process_options(sh_cmd, request); 243 if (dry_run == 1 && real_verdict && allow_check) 244 tcpd_warn("implicit \"allow\" at end of rule"); 245 } 246 } else if (defl_verdict && allow_check) { 247 tcpd_warn("implicit \"allow\" at end of rule"); 248 } 249 if (hosts_access_verbose) 250 printf("access: %s\n", real_verdict ? "granted" : "denied"); 251#else 252 if (sh_cmd) 253 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 254 if (hosts_access_verbose) 255 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 256#endif 257 } 258 (void) fclose(fp); 259 } else if (errno != ENOENT) { 260 tcpd_warn("cannot open %s: %m", table); 261 } 262 tcpd_context = saved_context; 263} 264 265/* print_list - pretty-print a list */ 266 267static void print_list(char *title, char *list) 268{ 269 char buf[BUFLEN]; 270 char *cp; 271 char *next; 272 273 fputs(title, stdout); 274 strcpy(buf, list); 275 276 for (cp = strtok(buf, sep); cp != 0; cp = next) { 277 fputs(cp, stdout); 278 next = strtok((char *) 0, sep); 279 if (next != 0) 280 fputs(" ", stdout); 281 } 282 fputs("\n", stdout); 283} 284 285/* check_daemon_list - criticize daemon list */ 286 287static void check_daemon_list(char *list) 288{ 289 char buf[BUFLEN]; 290 char *cp; 291 char *host; 292 int daemons = 0; 293 294 strcpy(buf, list); 295 296 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 297 if (STR_EQ(cp, "EXCEPT")) { 298 daemons = 0; 299 } else { 300 daemons++; 301 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 302 tcpd_warn("host %s has more than one address", host); 303 tcpd_warn("(consider using an address instead)"); 304 } 305 check_daemon(cp); 306 } 307 } 308 if (daemons == 0) 309 tcpd_warn("daemon list is empty or ends in EXCEPT"); 310} 311 312/* check_client_list - criticize client list */ 313 314static void check_client_list(char *list) 315{ 316 char buf[BUFLEN]; 317 char *cp; 318 char *host; 319 int clients = 0; 320 321 strcpy(buf, list); 322 323 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 324 if (STR_EQ(cp, "EXCEPT")) { 325 clients = 0; 326 } else { 327 clients++; 328 if (host = split_at(cp + 1, '@')) { /* user@host */ 329 check_user(cp); 330 check_host(host); 331 } else { 332 check_host(cp); 333 } 334 } 335 } 336 if (clients == 0) 337 tcpd_warn("client list is empty or ends in EXCEPT"); 338} 339 340/* check_daemon - criticize daemon pattern */ 341 342static void check_daemon(char *pat) 343{ 344 if (pat[0] == '@') { 345 tcpd_warn("%s: daemon name begins with \"@\"", pat); 346 } else if (pat[0] == '/') { 347 tcpd_warn("%s: daemon name begins with \"/\"", pat); 348 } else if (pat[0] == '.') { 349 tcpd_warn("%s: daemon name begins with dot", pat); 350 } else if (pat[strlen(pat) - 1] == '.') { 351 tcpd_warn("%s: daemon name ends in dot", pat); 352 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 353 /* void */ ; 354 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 355 tcpd_warn("FAIL is no longer recognized"); 356 tcpd_warn("(use EXCEPT or DENY instead)"); 357 } else if (reserved_name(pat)) { 358 tcpd_warn("%s: daemon name may be reserved word", pat); 359 } else { 360 switch (inet_get(pat)) { 361 case WR_UNKNOWN: 362 tcpd_warn("%s: no such process name in %s", pat, inetcf); 363 inet_set(pat, WR_YES); /* shut up next time */ 364 break; 365 case WR_NOT: 366 tcpd_warn("%s: service possibly not wrapped", pat); 367 inet_set(pat, WR_YES); 368 break; 369 } 370 } 371} 372 373/* check_user - criticize user pattern */ 374 375static void check_user(char *pat) 376{ 377 if (pat[0] == '@') { /* @netgroup */ 378 tcpd_warn("%s: user name begins with \"@\"", pat); 379 } else if (pat[0] == '/') { 380 tcpd_warn("%s: user name begins with \"/\"", pat); 381 } else if (pat[0] == '.') { 382 tcpd_warn("%s: user name begins with dot", pat); 383 } else if (pat[strlen(pat) - 1] == '.') { 384 tcpd_warn("%s: user name ends in dot", pat); 385 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 386 || STR_EQ(pat, "KNOWN")) { 387 /* void */ ; 388 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 389 tcpd_warn("FAIL is no longer recognized"); 390 tcpd_warn("(use EXCEPT or DENY instead)"); 391 } else if (reserved_name(pat)) { 392 tcpd_warn("%s: user name may be reserved word", pat); 393 } 394} 395 396#ifdef INET6 397static int is_inet6_addr(char *pat) 398{ 399 struct addrinfo hints, *res; 400 int len, ret; 401 char ch; 402 403 if (*pat != '[') 404 return (0); 405 len = strlen(pat); 406 if ((ch = pat[len - 1]) != ']') 407 return (0); 408 pat[len - 1] = '\0'; 409 memset(&hints, 0, sizeof(hints)); 410 hints.ai_family = AF_INET6; 411 hints.ai_socktype = SOCK_STREAM; 412 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 413 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) 414 freeaddrinfo(res); 415 pat[len - 1] = ch; 416 return (ret == 0); 417} 418#endif 419 420/* check_host - criticize host pattern */ 421 422static int check_host(char *pat) 423{ 424 char buf[BUFSIZ]; 425 char *mask; 426 int addr_count = 1; 427 FILE *fp; 428 struct tcpd_context saved_context; 429 char *cp; 430 char *wsp = " \t\r\n"; 431 432 if (pat[0] == '@') { /* @netgroup */ 433#ifdef NO_NETGRENT 434 /* SCO has no *netgrent() support */ 435#else 436#ifdef NETGROUP 437 char *machinep; 438 char *userp; 439 char *domainp; 440 441 setnetgrent(pat + 1); 442 if (getnetgrent(&machinep, &userp, &domainp) == 0) 443 tcpd_warn("%s: unknown or empty netgroup", pat + 1); 444 endnetgrent(); 445#else 446 tcpd_warn("netgroup support disabled"); 447#endif 448#endif 449 } else if (pat[0] == '/') { /* /path/name */ 450 if ((fp = fopen(pat, "r")) != 0) { 451 saved_context = tcpd_context; 452 tcpd_context.file = pat; 453 tcpd_context.line = 0; 454 while (fgets(buf, sizeof(buf), fp)) { 455 tcpd_context.line++; 456 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) 457 check_host(cp); 458 } 459 tcpd_context = saved_context; 460 fclose(fp); 461 } else if (errno != ENOENT) { 462 tcpd_warn("open %s: %m", pat); 463 } 464 } else if (mask = split_at(pat, '/')) { /* network/netmask */ 465#ifdef INET6 466 int mask_len; 467 468 if ((dot_quad_addr(pat) == INADDR_NONE 469 || dot_quad_addr(mask) == INADDR_NONE) 470 && (!is_inet6_addr(pat) 471 || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) 472#else 473 if (dot_quad_addr(pat) == INADDR_NONE 474 || dot_quad_addr(mask) == INADDR_NONE) 475#endif 476 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); 477 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 478 tcpd_warn("FAIL is no longer recognized"); 479 tcpd_warn("(use EXCEPT or DENY instead)"); 480 } else if (reserved_name(pat)) { /* other reserved */ 481 /* void */ ; 482#ifdef INET6 483 } else if (is_inet6_addr(pat)) { /* IPv6 address */ 484 addr_count = 1; 485#endif 486 } else if (NOT_INADDR(pat)) { /* internet name */ 487 if (pat[strlen(pat) - 1] == '.') { 488 tcpd_warn("%s: domain or host name ends in dot", pat); 489 } else if (pat[0] != '.') { 490 addr_count = check_dns(pat); 491 } 492 } else { /* numeric form */ 493 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { 494 /* void */ ; 495 } else if (pat[0] == '.') { 496 tcpd_warn("%s: network number begins with dot", pat); 497 } else if (pat[strlen(pat) - 1] != '.') { 498 check_dns(pat); 499 } 500 } 501 return (addr_count); 502} 503 504/* reserved_name - determine if name is reserved */ 505 506static int reserved_name(char *pat) 507{ 508 return (STR_EQ(pat, unknown) 509 || STR_EQ(pat, "KNOWN") 510 || STR_EQ(pat, paranoid) 511 || STR_EQ(pat, "ALL") 512 || STR_EQ(pat, "LOCAL")); 513} 514