27#include <netinet/in.h> 28#include <arpa/inet.h> 29#include <stdio.h> 30#include <syslog.h> 31#include <setjmp.h> 32#include <errno.h> 33#include <netdb.h> 34#include <string.h> 35 36extern int errno; 37extern void exit(); 38extern int optind; 39extern char *optarg; 40 41#ifndef INADDR_NONE 42#define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 43#endif 44 45#ifndef S_ISDIR 46#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 47#endif 48 49/* Application-specific. */ 50 51#include "tcpd.h" 52#include "inetcf.h" 53#include "scaffold.h" 54 55 /* 56 * Stolen from hosts_access.c... 57 */ 58static char sep[] = ", \t\n"; 59 60#define BUFLEN 2048 61 62int resident = 0; 63int hosts_access_verbose = 0; 64char *hosts_allow_table = HOSTS_ALLOW; 65char *hosts_deny_table = HOSTS_DENY; 66extern jmp_buf tcpd_buf; 67 68 /* 69 * Local stuff. 70 */ 71static void usage(); 72static void parse_table(); 73static void print_list(); 74static void check_daemon_list(); 75static void check_client_list(); 76static void check_daemon(); 77static void check_user(); 78static int check_host(); 79static int reserved_name(); 80 81#define PERMIT 1 82#define DENY 0 83 84#define YES 1 85#define NO 0 86 87static int defl_verdict; 88static char *myname; 89static int allow_check; 90static char *inetcf; 91 92int main(argc, argv) 93int argc; 94char **argv; 95{ 96 struct request_info request; 97 struct stat st; 98 int c; 99 100 myname = argv[0]; 101 102 /* 103 * Parse the JCL. 104 */ 105 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 106 switch (c) { 107 case 'a': 108 allow_check = 1; 109 break; 110 case 'd': 111 hosts_allow_table = "hosts.allow"; 112 hosts_deny_table = "hosts.deny"; 113 break; 114 case 'i': 115 inetcf = optarg; 116 break; 117 case 'v': 118 hosts_access_verbose++; 119 break; 120 default: 121 usage(); 122 /* NOTREACHED */ 123 } 124 } 125 if (argc != optind) 126 usage(); 127 128 /* 129 * When confusion really strikes... 130 */ 131 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 132 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 133 } else if (!S_ISDIR(st.st_mode)) { 134 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 135 } 136 137 /* 138 * Process the inet configuration file (or its moral equivalent). This 139 * information is used later to find references in hosts.allow/deny to 140 * unwrapped services, and other possible problems. 141 */ 142 inetcf = inet_cfg(inetcf); 143 if (hosts_access_verbose) 144 printf("Using network configuration file: %s\n", inetcf); 145 146 /* 147 * These are not run from inetd but may have built-in access control. 148 */ 149 inet_set("portmap", WR_NOT); 150 inet_set("rpcbind", WR_NOT); 151 152 /* 153 * Check accessibility of access control files. 154 */ 155 (void) check_path(hosts_allow_table, &st); 156 (void) check_path(hosts_deny_table, &st); 157 158 /* 159 * Fake up an arbitrary service request. 160 */ 161 request_init(&request, 162 RQ_DAEMON, "daemon_name", 163 RQ_SERVER_NAME, "server_hostname", 164 RQ_SERVER_ADDR, "server_addr", 165 RQ_USER, "user_name", 166 RQ_CLIENT_NAME, "client_hostname", 167 RQ_CLIENT_ADDR, "client_addr", 168 RQ_FILE, 1, 169 0); 170 171 /* 172 * Examine all access-control rules. 173 */ 174 defl_verdict = PERMIT; 175 parse_table(hosts_allow_table, &request); 176 defl_verdict = DENY; 177 parse_table(hosts_deny_table, &request); 178 return (0); 179} 180 181/* usage - explain */ 182 183static void usage() 184{ 185 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 186 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 187 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 188 fprintf(stderr, " -i: location of inetd.conf file\n"); 189 fprintf(stderr, " -v: list all rules\n"); 190 exit(1); 191} 192 193/* parse_table - like table_match(), but examines _all_ entries */ 194 195static void parse_table(table, request) 196char *table; 197struct request_info *request; 198{ 199 FILE *fp; 200 int real_verdict; 201 char sv_list[BUFLEN]; /* becomes list of daemons */ 202 char *cl_list; /* becomes list of requests */ 203 char *sh_cmd; /* becomes optional shell command */ 204 char buf[BUFSIZ]; 205 int verdict; 206 struct tcpd_context saved_context; 207 208 saved_context = tcpd_context; /* stupid compilers */ 209 210 if (fp = fopen(table, "r")) { 211 tcpd_context.file = table; 212 tcpd_context.line = 0; 213 while (xgets(sv_list, sizeof(sv_list), fp)) { 214 if (sv_list[strlen(sv_list) - 1] != '\n') { 215 tcpd_warn("missing newline or line too long"); 216 continue; 217 } 218 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 219 continue; 220 if ((cl_list = split_at(sv_list, ':')) == 0) { 221 tcpd_warn("missing \":\" separator"); 222 continue; 223 } 224 sh_cmd = split_at(cl_list, ':'); 225 226 if (hosts_access_verbose) 227 printf("\n>>> Rule %s line %d:\n", 228 tcpd_context.file, tcpd_context.line); 229 230 if (hosts_access_verbose) 231 print_list("daemons: ", sv_list); 232 check_daemon_list(sv_list); 233 234 if (hosts_access_verbose) 235 print_list("clients: ", cl_list); 236 check_client_list(cl_list); 237 238#ifdef PROCESS_OPTIONS 239 real_verdict = defl_verdict; 240 if (sh_cmd) { 241 verdict = setjmp(tcpd_buf); 242 if (verdict != 0) { 243 real_verdict = (verdict == AC_PERMIT); 244 } else { 245 dry_run = 1; 246 process_options(sh_cmd, request); 247 if (dry_run == 1 && real_verdict && allow_check) 248 tcpd_warn("implicit \"allow\" at end of rule"); 249 } 250 } else if (defl_verdict && allow_check) { 251 tcpd_warn("implicit \"allow\" at end of rule"); 252 } 253 if (hosts_access_verbose) 254 printf("access: %s\n", real_verdict ? "granted" : "denied"); 255#else 256 if (sh_cmd) 257 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 258 if (hosts_access_verbose) 259 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 260#endif 261 } 262 (void) fclose(fp); 263 } else if (errno != ENOENT) { 264 tcpd_warn("cannot open %s: %m", table); 265 } 266 tcpd_context = saved_context; 267} 268 269/* print_list - pretty-print a list */ 270 271static void print_list(title, list) 272char *title; 273char *list; 274{ 275 char buf[BUFLEN]; 276 char *cp; 277 char *next; 278 279 fputs(title, stdout); 280 strcpy(buf, list); 281 282 for (cp = strtok(buf, sep); cp != 0; cp = next) { 283 fputs(cp, stdout); 284 next = strtok((char *) 0, sep); 285 if (next != 0) 286 fputs(" ", stdout); 287 } 288 fputs("\n", stdout); 289} 290 291/* check_daemon_list - criticize daemon list */ 292 293static void check_daemon_list(list) 294char *list; 295{ 296 char buf[BUFLEN]; 297 char *cp; 298 char *host; 299 int daemons = 0; 300 301 strcpy(buf, list); 302 303 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 304 if (STR_EQ(cp, "EXCEPT")) { 305 daemons = 0; 306 } else { 307 daemons++; 308 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 309 tcpd_warn("host %s has more than one address", host); 310 tcpd_warn("(consider using an address instead)"); 311 } 312 check_daemon(cp); 313 } 314 } 315 if (daemons == 0) 316 tcpd_warn("daemon list is empty or ends in EXCEPT"); 317} 318 319/* check_client_list - criticize client list */ 320 321static void check_client_list(list) 322char *list; 323{ 324 char buf[BUFLEN]; 325 char *cp; 326 char *host; 327 int clients = 0; 328 329 strcpy(buf, list); 330 331 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 332 if (STR_EQ(cp, "EXCEPT")) { 333 clients = 0; 334 } else { 335 clients++; 336 if (host = split_at(cp + 1, '@')) { /* user@host */ 337 check_user(cp); 338 check_host(host); 339 } else { 340 check_host(cp); 341 } 342 } 343 } 344 if (clients == 0) 345 tcpd_warn("client list is empty or ends in EXCEPT"); 346} 347 348/* check_daemon - criticize daemon pattern */ 349 350static void check_daemon(pat) 351char *pat; 352{ 353 if (pat[0] == '@') { 354 tcpd_warn("%s: daemon name begins with \"@\"", pat); 355 } else if (pat[0] == '/') { 356 tcpd_warn("%s: daemon name begins with \"/\"", pat); 357 } else if (pat[0] == '.') { 358 tcpd_warn("%s: daemon name begins with dot", pat); 359 } else if (pat[strlen(pat) - 1] == '.') { 360 tcpd_warn("%s: daemon name ends in dot", pat); 361 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 362 /* void */ ; 363 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 364 tcpd_warn("FAIL is no longer recognized"); 365 tcpd_warn("(use EXCEPT or DENY instead)"); 366 } else if (reserved_name(pat)) { 367 tcpd_warn("%s: daemon name may be reserved word", pat); 368 } else { 369 switch (inet_get(pat)) { 370 case WR_UNKNOWN: 371 tcpd_warn("%s: no such process name in %s", pat, inetcf); 372 inet_set(pat, WR_YES); /* shut up next time */ 373 break; 374 case WR_NOT: 375 tcpd_warn("%s: service possibly not wrapped", pat); 376 inet_set(pat, WR_YES); 377 break; 378 } 379 } 380} 381 382/* check_user - criticize user pattern */ 383 384static void check_user(pat) 385char *pat; 386{ 387 if (pat[0] == '@') { /* @netgroup */ 388 tcpd_warn("%s: user name begins with \"@\"", pat); 389 } else if (pat[0] == '/') { 390 tcpd_warn("%s: user name begins with \"/\"", pat); 391 } else if (pat[0] == '.') { 392 tcpd_warn("%s: user name begins with dot", pat); 393 } else if (pat[strlen(pat) - 1] == '.') { 394 tcpd_warn("%s: user name ends in dot", pat); 395 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 396 || STR_EQ(pat, "KNOWN")) { 397 /* void */ ; 398 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 399 tcpd_warn("FAIL is no longer recognized"); 400 tcpd_warn("(use EXCEPT or DENY instead)"); 401 } else if (reserved_name(pat)) { 402 tcpd_warn("%s: user name may be reserved word", pat); 403 } 404} 405
| 30#include <netinet/in.h> 31#include <arpa/inet.h> 32#include <stdio.h> 33#include <syslog.h> 34#include <setjmp.h> 35#include <errno.h> 36#include <netdb.h> 37#include <string.h> 38 39extern int errno; 40extern void exit(); 41extern int optind; 42extern char *optarg; 43 44#ifndef INADDR_NONE 45#define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 46#endif 47 48#ifndef S_ISDIR 49#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 50#endif 51 52/* Application-specific. */ 53 54#include "tcpd.h" 55#include "inetcf.h" 56#include "scaffold.h" 57 58 /* 59 * Stolen from hosts_access.c... 60 */ 61static char sep[] = ", \t\n"; 62 63#define BUFLEN 2048 64 65int resident = 0; 66int hosts_access_verbose = 0; 67char *hosts_allow_table = HOSTS_ALLOW; 68char *hosts_deny_table = HOSTS_DENY; 69extern jmp_buf tcpd_buf; 70 71 /* 72 * Local stuff. 73 */ 74static void usage(); 75static void parse_table(); 76static void print_list(); 77static void check_daemon_list(); 78static void check_client_list(); 79static void check_daemon(); 80static void check_user(); 81static int check_host(); 82static int reserved_name(); 83 84#define PERMIT 1 85#define DENY 0 86 87#define YES 1 88#define NO 0 89 90static int defl_verdict; 91static char *myname; 92static int allow_check; 93static char *inetcf; 94 95int main(argc, argv) 96int argc; 97char **argv; 98{ 99 struct request_info request; 100 struct stat st; 101 int c; 102 103 myname = argv[0]; 104 105 /* 106 * Parse the JCL. 107 */ 108 while ((c = getopt(argc, argv, "adi:v")) != EOF) { 109 switch (c) { 110 case 'a': 111 allow_check = 1; 112 break; 113 case 'd': 114 hosts_allow_table = "hosts.allow"; 115 hosts_deny_table = "hosts.deny"; 116 break; 117 case 'i': 118 inetcf = optarg; 119 break; 120 case 'v': 121 hosts_access_verbose++; 122 break; 123 default: 124 usage(); 125 /* NOTREACHED */ 126 } 127 } 128 if (argc != optind) 129 usage(); 130 131 /* 132 * When confusion really strikes... 133 */ 134 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 135 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 136 } else if (!S_ISDIR(st.st_mode)) { 137 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 138 } 139 140 /* 141 * Process the inet configuration file (or its moral equivalent). This 142 * information is used later to find references in hosts.allow/deny to 143 * unwrapped services, and other possible problems. 144 */ 145 inetcf = inet_cfg(inetcf); 146 if (hosts_access_verbose) 147 printf("Using network configuration file: %s\n", inetcf); 148 149 /* 150 * These are not run from inetd but may have built-in access control. 151 */ 152 inet_set("portmap", WR_NOT); 153 inet_set("rpcbind", WR_NOT); 154 155 /* 156 * Check accessibility of access control files. 157 */ 158 (void) check_path(hosts_allow_table, &st); 159 (void) check_path(hosts_deny_table, &st); 160 161 /* 162 * Fake up an arbitrary service request. 163 */ 164 request_init(&request, 165 RQ_DAEMON, "daemon_name", 166 RQ_SERVER_NAME, "server_hostname", 167 RQ_SERVER_ADDR, "server_addr", 168 RQ_USER, "user_name", 169 RQ_CLIENT_NAME, "client_hostname", 170 RQ_CLIENT_ADDR, "client_addr", 171 RQ_FILE, 1, 172 0); 173 174 /* 175 * Examine all access-control rules. 176 */ 177 defl_verdict = PERMIT; 178 parse_table(hosts_allow_table, &request); 179 defl_verdict = DENY; 180 parse_table(hosts_deny_table, &request); 181 return (0); 182} 183 184/* usage - explain */ 185 186static void usage() 187{ 188 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); 189 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); 190 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 191 fprintf(stderr, " -i: location of inetd.conf file\n"); 192 fprintf(stderr, " -v: list all rules\n"); 193 exit(1); 194} 195 196/* parse_table - like table_match(), but examines _all_ entries */ 197 198static void parse_table(table, request) 199char *table; 200struct request_info *request; 201{ 202 FILE *fp; 203 int real_verdict; 204 char sv_list[BUFLEN]; /* becomes list of daemons */ 205 char *cl_list; /* becomes list of requests */ 206 char *sh_cmd; /* becomes optional shell command */ 207 char buf[BUFSIZ]; 208 int verdict; 209 struct tcpd_context saved_context; 210 211 saved_context = tcpd_context; /* stupid compilers */ 212 213 if (fp = fopen(table, "r")) { 214 tcpd_context.file = table; 215 tcpd_context.line = 0; 216 while (xgets(sv_list, sizeof(sv_list), fp)) { 217 if (sv_list[strlen(sv_list) - 1] != '\n') { 218 tcpd_warn("missing newline or line too long"); 219 continue; 220 } 221 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 222 continue; 223 if ((cl_list = split_at(sv_list, ':')) == 0) { 224 tcpd_warn("missing \":\" separator"); 225 continue; 226 } 227 sh_cmd = split_at(cl_list, ':'); 228 229 if (hosts_access_verbose) 230 printf("\n>>> Rule %s line %d:\n", 231 tcpd_context.file, tcpd_context.line); 232 233 if (hosts_access_verbose) 234 print_list("daemons: ", sv_list); 235 check_daemon_list(sv_list); 236 237 if (hosts_access_verbose) 238 print_list("clients: ", cl_list); 239 check_client_list(cl_list); 240 241#ifdef PROCESS_OPTIONS 242 real_verdict = defl_verdict; 243 if (sh_cmd) { 244 verdict = setjmp(tcpd_buf); 245 if (verdict != 0) { 246 real_verdict = (verdict == AC_PERMIT); 247 } else { 248 dry_run = 1; 249 process_options(sh_cmd, request); 250 if (dry_run == 1 && real_verdict && allow_check) 251 tcpd_warn("implicit \"allow\" at end of rule"); 252 } 253 } else if (defl_verdict && allow_check) { 254 tcpd_warn("implicit \"allow\" at end of rule"); 255 } 256 if (hosts_access_verbose) 257 printf("access: %s\n", real_verdict ? "granted" : "denied"); 258#else 259 if (sh_cmd) 260 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); 261 if (hosts_access_verbose) 262 printf("access: %s\n", defl_verdict ? "granted" : "denied"); 263#endif 264 } 265 (void) fclose(fp); 266 } else if (errno != ENOENT) { 267 tcpd_warn("cannot open %s: %m", table); 268 } 269 tcpd_context = saved_context; 270} 271 272/* print_list - pretty-print a list */ 273 274static void print_list(title, list) 275char *title; 276char *list; 277{ 278 char buf[BUFLEN]; 279 char *cp; 280 char *next; 281 282 fputs(title, stdout); 283 strcpy(buf, list); 284 285 for (cp = strtok(buf, sep); cp != 0; cp = next) { 286 fputs(cp, stdout); 287 next = strtok((char *) 0, sep); 288 if (next != 0) 289 fputs(" ", stdout); 290 } 291 fputs("\n", stdout); 292} 293 294/* check_daemon_list - criticize daemon list */ 295 296static void check_daemon_list(list) 297char *list; 298{ 299 char buf[BUFLEN]; 300 char *cp; 301 char *host; 302 int daemons = 0; 303 304 strcpy(buf, list); 305 306 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 307 if (STR_EQ(cp, "EXCEPT")) { 308 daemons = 0; 309 } else { 310 daemons++; 311 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { 312 tcpd_warn("host %s has more than one address", host); 313 tcpd_warn("(consider using an address instead)"); 314 } 315 check_daemon(cp); 316 } 317 } 318 if (daemons == 0) 319 tcpd_warn("daemon list is empty or ends in EXCEPT"); 320} 321 322/* check_client_list - criticize client list */ 323 324static void check_client_list(list) 325char *list; 326{ 327 char buf[BUFLEN]; 328 char *cp; 329 char *host; 330 int clients = 0; 331 332 strcpy(buf, list); 333 334 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { 335 if (STR_EQ(cp, "EXCEPT")) { 336 clients = 0; 337 } else { 338 clients++; 339 if (host = split_at(cp + 1, '@')) { /* user@host */ 340 check_user(cp); 341 check_host(host); 342 } else { 343 check_host(cp); 344 } 345 } 346 } 347 if (clients == 0) 348 tcpd_warn("client list is empty or ends in EXCEPT"); 349} 350 351/* check_daemon - criticize daemon pattern */ 352 353static void check_daemon(pat) 354char *pat; 355{ 356 if (pat[0] == '@') { 357 tcpd_warn("%s: daemon name begins with \"@\"", pat); 358 } else if (pat[0] == '/') { 359 tcpd_warn("%s: daemon name begins with \"/\"", pat); 360 } else if (pat[0] == '.') { 361 tcpd_warn("%s: daemon name begins with dot", pat); 362 } else if (pat[strlen(pat) - 1] == '.') { 363 tcpd_warn("%s: daemon name ends in dot", pat); 364 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { 365 /* void */ ; 366 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 367 tcpd_warn("FAIL is no longer recognized"); 368 tcpd_warn("(use EXCEPT or DENY instead)"); 369 } else if (reserved_name(pat)) { 370 tcpd_warn("%s: daemon name may be reserved word", pat); 371 } else { 372 switch (inet_get(pat)) { 373 case WR_UNKNOWN: 374 tcpd_warn("%s: no such process name in %s", pat, inetcf); 375 inet_set(pat, WR_YES); /* shut up next time */ 376 break; 377 case WR_NOT: 378 tcpd_warn("%s: service possibly not wrapped", pat); 379 inet_set(pat, WR_YES); 380 break; 381 } 382 } 383} 384 385/* check_user - criticize user pattern */ 386 387static void check_user(pat) 388char *pat; 389{ 390 if (pat[0] == '@') { /* @netgroup */ 391 tcpd_warn("%s: user name begins with \"@\"", pat); 392 } else if (pat[0] == '/') { 393 tcpd_warn("%s: user name begins with \"/\"", pat); 394 } else if (pat[0] == '.') { 395 tcpd_warn("%s: user name begins with dot", pat); 396 } else if (pat[strlen(pat) - 1] == '.') { 397 tcpd_warn("%s: user name ends in dot", pat); 398 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) 399 || STR_EQ(pat, "KNOWN")) { 400 /* void */ ; 401 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ 402 tcpd_warn("FAIL is no longer recognized"); 403 tcpd_warn("(use EXCEPT or DENY instead)"); 404 } else if (reserved_name(pat)) { 405 tcpd_warn("%s: user name may be reserved word", pat); 406 } 407} 408
|