Deleted Added
sdiff udiff text old ( 51495 ) new ( 56977 )
full compact
tcpdchk.c (51495) tcpdchk.c (56977)
1 /*
2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3 *
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5 *
6 * -a: complain about implicit "allow" at end of rule.
7 *
8 * -d: rules in current directory.
9 *
10 * -i: location of inetd.conf file.
11 *
12 * -v: show all rules.
13 *
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15 *
1 /*
2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3 *
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5 *
6 * -a: complain about implicit "allow" at end of rule.
7 *
8 * -d: rules in current directory.
9 *
10 * -i: location of inetd.conf file.
11 *
12 * -v: show all rules.
13 *
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15 *
16 * $FreeBSD: head/contrib/tcp_wrappers/tcpdchk.c 51495 1999-09-21 09:09:57Z sheldonh $
16 * $FreeBSD: head/contrib/tcp_wrappers/tcpdchk.c 56977 2000-02-03 10:27:03Z shin $
17 */
18
19#ifndef lint
20static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
21#endif
22
23/* System libraries. */
24
25#include <sys/types.h>
26#include <sys/stat.h>
17 */
18
19#ifndef lint
20static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
21#endif
22
23/* System libraries. */
24
25#include <sys/types.h>
26#include <sys/stat.h>
27#ifdef INET6
28#include <sys/socket.h>
29#endif
27#include <netinet/in.h>
28#include <arpa/inet.h>
29#include <stdio.h>
30#include <syslog.h>
31#include <setjmp.h>
32#include <errno.h>
33#include <netdb.h>
34#include <string.h>
35
36extern int errno;
37extern void exit();
38extern int optind;
39extern char *optarg;
40
41#ifndef INADDR_NONE
42#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
43#endif
44
45#ifndef S_ISDIR
46#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
47#endif
48
49/* Application-specific. */
50
51#include "tcpd.h"
52#include "inetcf.h"
53#include "scaffold.h"
54
55 /*
56 * Stolen from hosts_access.c...
57 */
58static char sep[] = ", \t\n";
59
60#define BUFLEN 2048
61
62int resident = 0;
63int hosts_access_verbose = 0;
64char *hosts_allow_table = HOSTS_ALLOW;
65char *hosts_deny_table = HOSTS_DENY;
66extern jmp_buf tcpd_buf;
67
68 /*
69 * Local stuff.
70 */
71static void usage();
72static void parse_table();
73static void print_list();
74static void check_daemon_list();
75static void check_client_list();
76static void check_daemon();
77static void check_user();
78static int check_host();
79static int reserved_name();
80
81#define PERMIT 1
82#define DENY 0
83
84#define YES 1
85#define NO 0
86
87static int defl_verdict;
88static char *myname;
89static int allow_check;
90static char *inetcf;
91
92int main(argc, argv)
93int argc;
94char **argv;
95{
96 struct request_info request;
97 struct stat st;
98 int c;
99
100 myname = argv[0];
101
102 /*
103 * Parse the JCL.
104 */
105 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
106 switch (c) {
107 case 'a':
108 allow_check = 1;
109 break;
110 case 'd':
111 hosts_allow_table = "hosts.allow";
112 hosts_deny_table = "hosts.deny";
113 break;
114 case 'i':
115 inetcf = optarg;
116 break;
117 case 'v':
118 hosts_access_verbose++;
119 break;
120 default:
121 usage();
122 /* NOTREACHED */
123 }
124 }
125 if (argc != optind)
126 usage();
127
128 /*
129 * When confusion really strikes...
130 */
131 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
132 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
133 } else if (!S_ISDIR(st.st_mode)) {
134 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
135 }
136
137 /*
138 * Process the inet configuration file (or its moral equivalent). This
139 * information is used later to find references in hosts.allow/deny to
140 * unwrapped services, and other possible problems.
141 */
142 inetcf = inet_cfg(inetcf);
143 if (hosts_access_verbose)
144 printf("Using network configuration file: %s\n", inetcf);
145
146 /*
147 * These are not run from inetd but may have built-in access control.
148 */
149 inet_set("portmap", WR_NOT);
150 inet_set("rpcbind", WR_NOT);
151
152 /*
153 * Check accessibility of access control files.
154 */
155 (void) check_path(hosts_allow_table, &st);
156 (void) check_path(hosts_deny_table, &st);
157
158 /*
159 * Fake up an arbitrary service request.
160 */
161 request_init(&request,
162 RQ_DAEMON, "daemon_name",
163 RQ_SERVER_NAME, "server_hostname",
164 RQ_SERVER_ADDR, "server_addr",
165 RQ_USER, "user_name",
166 RQ_CLIENT_NAME, "client_hostname",
167 RQ_CLIENT_ADDR, "client_addr",
168 RQ_FILE, 1,
169 0);
170
171 /*
172 * Examine all access-control rules.
173 */
174 defl_verdict = PERMIT;
175 parse_table(hosts_allow_table, &request);
176 defl_verdict = DENY;
177 parse_table(hosts_deny_table, &request);
178 return (0);
179}
180
181/* usage - explain */
182
183static void usage()
184{
185 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
186 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
187 fprintf(stderr, " -d: use allow/deny files in current directory\n");
188 fprintf(stderr, " -i: location of inetd.conf file\n");
189 fprintf(stderr, " -v: list all rules\n");
190 exit(1);
191}
192
193/* parse_table - like table_match(), but examines _all_ entries */
194
195static void parse_table(table, request)
196char *table;
197struct request_info *request;
198{
199 FILE *fp;
200 int real_verdict;
201 char sv_list[BUFLEN]; /* becomes list of daemons */
202 char *cl_list; /* becomes list of requests */
203 char *sh_cmd; /* becomes optional shell command */
204 char buf[BUFSIZ];
205 int verdict;
206 struct tcpd_context saved_context;
207
208 saved_context = tcpd_context; /* stupid compilers */
209
210 if (fp = fopen(table, "r")) {
211 tcpd_context.file = table;
212 tcpd_context.line = 0;
213 while (xgets(sv_list, sizeof(sv_list), fp)) {
214 if (sv_list[strlen(sv_list) - 1] != '\n') {
215 tcpd_warn("missing newline or line too long");
216 continue;
217 }
218 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
219 continue;
220 if ((cl_list = split_at(sv_list, ':')) == 0) {
221 tcpd_warn("missing \":\" separator");
222 continue;
223 }
224 sh_cmd = split_at(cl_list, ':');
225
226 if (hosts_access_verbose)
227 printf("\n>>> Rule %s line %d:\n",
228 tcpd_context.file, tcpd_context.line);
229
230 if (hosts_access_verbose)
231 print_list("daemons: ", sv_list);
232 check_daemon_list(sv_list);
233
234 if (hosts_access_verbose)
235 print_list("clients: ", cl_list);
236 check_client_list(cl_list);
237
238#ifdef PROCESS_OPTIONS
239 real_verdict = defl_verdict;
240 if (sh_cmd) {
241 verdict = setjmp(tcpd_buf);
242 if (verdict != 0) {
243 real_verdict = (verdict == AC_PERMIT);
244 } else {
245 dry_run = 1;
246 process_options(sh_cmd, request);
247 if (dry_run == 1 && real_verdict && allow_check)
248 tcpd_warn("implicit \"allow\" at end of rule");
249 }
250 } else if (defl_verdict && allow_check) {
251 tcpd_warn("implicit \"allow\" at end of rule");
252 }
253 if (hosts_access_verbose)
254 printf("access: %s\n", real_verdict ? "granted" : "denied");
255#else
256 if (sh_cmd)
257 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
258 if (hosts_access_verbose)
259 printf("access: %s\n", defl_verdict ? "granted" : "denied");
260#endif
261 }
262 (void) fclose(fp);
263 } else if (errno != ENOENT) {
264 tcpd_warn("cannot open %s: %m", table);
265 }
266 tcpd_context = saved_context;
267}
268
269/* print_list - pretty-print a list */
270
271static void print_list(title, list)
272char *title;
273char *list;
274{
275 char buf[BUFLEN];
276 char *cp;
277 char *next;
278
279 fputs(title, stdout);
280 strcpy(buf, list);
281
282 for (cp = strtok(buf, sep); cp != 0; cp = next) {
283 fputs(cp, stdout);
284 next = strtok((char *) 0, sep);
285 if (next != 0)
286 fputs(" ", stdout);
287 }
288 fputs("\n", stdout);
289}
290
291/* check_daemon_list - criticize daemon list */
292
293static void check_daemon_list(list)
294char *list;
295{
296 char buf[BUFLEN];
297 char *cp;
298 char *host;
299 int daemons = 0;
300
301 strcpy(buf, list);
302
303 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
304 if (STR_EQ(cp, "EXCEPT")) {
305 daemons = 0;
306 } else {
307 daemons++;
308 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
309 tcpd_warn("host %s has more than one address", host);
310 tcpd_warn("(consider using an address instead)");
311 }
312 check_daemon(cp);
313 }
314 }
315 if (daemons == 0)
316 tcpd_warn("daemon list is empty or ends in EXCEPT");
317}
318
319/* check_client_list - criticize client list */
320
321static void check_client_list(list)
322char *list;
323{
324 char buf[BUFLEN];
325 char *cp;
326 char *host;
327 int clients = 0;
328
329 strcpy(buf, list);
330
331 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
332 if (STR_EQ(cp, "EXCEPT")) {
333 clients = 0;
334 } else {
335 clients++;
336 if (host = split_at(cp + 1, '@')) { /* user@host */
337 check_user(cp);
338 check_host(host);
339 } else {
340 check_host(cp);
341 }
342 }
343 }
344 if (clients == 0)
345 tcpd_warn("client list is empty or ends in EXCEPT");
346}
347
348/* check_daemon - criticize daemon pattern */
349
350static void check_daemon(pat)
351char *pat;
352{
353 if (pat[0] == '@') {
354 tcpd_warn("%s: daemon name begins with \"@\"", pat);
355 } else if (pat[0] == '/') {
356 tcpd_warn("%s: daemon name begins with \"/\"", pat);
357 } else if (pat[0] == '.') {
358 tcpd_warn("%s: daemon name begins with dot", pat);
359 } else if (pat[strlen(pat) - 1] == '.') {
360 tcpd_warn("%s: daemon name ends in dot", pat);
361 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
362 /* void */ ;
363 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
364 tcpd_warn("FAIL is no longer recognized");
365 tcpd_warn("(use EXCEPT or DENY instead)");
366 } else if (reserved_name(pat)) {
367 tcpd_warn("%s: daemon name may be reserved word", pat);
368 } else {
369 switch (inet_get(pat)) {
370 case WR_UNKNOWN:
371 tcpd_warn("%s: no such process name in %s", pat, inetcf);
372 inet_set(pat, WR_YES); /* shut up next time */
373 break;
374 case WR_NOT:
375 tcpd_warn("%s: service possibly not wrapped", pat);
376 inet_set(pat, WR_YES);
377 break;
378 }
379 }
380}
381
382/* check_user - criticize user pattern */
383
384static void check_user(pat)
385char *pat;
386{
387 if (pat[0] == '@') { /* @netgroup */
388 tcpd_warn("%s: user name begins with \"@\"", pat);
389 } else if (pat[0] == '/') {
390 tcpd_warn("%s: user name begins with \"/\"", pat);
391 } else if (pat[0] == '.') {
392 tcpd_warn("%s: user name begins with dot", pat);
393 } else if (pat[strlen(pat) - 1] == '.') {
394 tcpd_warn("%s: user name ends in dot", pat);
395 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
396 || STR_EQ(pat, "KNOWN")) {
397 /* void */ ;
398 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
399 tcpd_warn("FAIL is no longer recognized");
400 tcpd_warn("(use EXCEPT or DENY instead)");
401 } else if (reserved_name(pat)) {
402 tcpd_warn("%s: user name may be reserved word", pat);
403 }
404}
405
30#include <netinet/in.h>
31#include <arpa/inet.h>
32#include <stdio.h>
33#include <syslog.h>
34#include <setjmp.h>
35#include <errno.h>
36#include <netdb.h>
37#include <string.h>
38
39extern int errno;
40extern void exit();
41extern int optind;
42extern char *optarg;
43
44#ifndef INADDR_NONE
45#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
46#endif
47
48#ifndef S_ISDIR
49#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
50#endif
51
52/* Application-specific. */
53
54#include "tcpd.h"
55#include "inetcf.h"
56#include "scaffold.h"
57
58 /*
59 * Stolen from hosts_access.c...
60 */
61static char sep[] = ", \t\n";
62
63#define BUFLEN 2048
64
65int resident = 0;
66int hosts_access_verbose = 0;
67char *hosts_allow_table = HOSTS_ALLOW;
68char *hosts_deny_table = HOSTS_DENY;
69extern jmp_buf tcpd_buf;
70
71 /*
72 * Local stuff.
73 */
74static void usage();
75static void parse_table();
76static void print_list();
77static void check_daemon_list();
78static void check_client_list();
79static void check_daemon();
80static void check_user();
81static int check_host();
82static int reserved_name();
83
84#define PERMIT 1
85#define DENY 0
86
87#define YES 1
88#define NO 0
89
90static int defl_verdict;
91static char *myname;
92static int allow_check;
93static char *inetcf;
94
95int main(argc, argv)
96int argc;
97char **argv;
98{
99 struct request_info request;
100 struct stat st;
101 int c;
102
103 myname = argv[0];
104
105 /*
106 * Parse the JCL.
107 */
108 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
109 switch (c) {
110 case 'a':
111 allow_check = 1;
112 break;
113 case 'd':
114 hosts_allow_table = "hosts.allow";
115 hosts_deny_table = "hosts.deny";
116 break;
117 case 'i':
118 inetcf = optarg;
119 break;
120 case 'v':
121 hosts_access_verbose++;
122 break;
123 default:
124 usage();
125 /* NOTREACHED */
126 }
127 }
128 if (argc != optind)
129 usage();
130
131 /*
132 * When confusion really strikes...
133 */
134 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
135 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
136 } else if (!S_ISDIR(st.st_mode)) {
137 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
138 }
139
140 /*
141 * Process the inet configuration file (or its moral equivalent). This
142 * information is used later to find references in hosts.allow/deny to
143 * unwrapped services, and other possible problems.
144 */
145 inetcf = inet_cfg(inetcf);
146 if (hosts_access_verbose)
147 printf("Using network configuration file: %s\n", inetcf);
148
149 /*
150 * These are not run from inetd but may have built-in access control.
151 */
152 inet_set("portmap", WR_NOT);
153 inet_set("rpcbind", WR_NOT);
154
155 /*
156 * Check accessibility of access control files.
157 */
158 (void) check_path(hosts_allow_table, &st);
159 (void) check_path(hosts_deny_table, &st);
160
161 /*
162 * Fake up an arbitrary service request.
163 */
164 request_init(&request,
165 RQ_DAEMON, "daemon_name",
166 RQ_SERVER_NAME, "server_hostname",
167 RQ_SERVER_ADDR, "server_addr",
168 RQ_USER, "user_name",
169 RQ_CLIENT_NAME, "client_hostname",
170 RQ_CLIENT_ADDR, "client_addr",
171 RQ_FILE, 1,
172 0);
173
174 /*
175 * Examine all access-control rules.
176 */
177 defl_verdict = PERMIT;
178 parse_table(hosts_allow_table, &request);
179 defl_verdict = DENY;
180 parse_table(hosts_deny_table, &request);
181 return (0);
182}
183
184/* usage - explain */
185
186static void usage()
187{
188 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
189 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
190 fprintf(stderr, " -d: use allow/deny files in current directory\n");
191 fprintf(stderr, " -i: location of inetd.conf file\n");
192 fprintf(stderr, " -v: list all rules\n");
193 exit(1);
194}
195
196/* parse_table - like table_match(), but examines _all_ entries */
197
198static void parse_table(table, request)
199char *table;
200struct request_info *request;
201{
202 FILE *fp;
203 int real_verdict;
204 char sv_list[BUFLEN]; /* becomes list of daemons */
205 char *cl_list; /* becomes list of requests */
206 char *sh_cmd; /* becomes optional shell command */
207 char buf[BUFSIZ];
208 int verdict;
209 struct tcpd_context saved_context;
210
211 saved_context = tcpd_context; /* stupid compilers */
212
213 if (fp = fopen(table, "r")) {
214 tcpd_context.file = table;
215 tcpd_context.line = 0;
216 while (xgets(sv_list, sizeof(sv_list), fp)) {
217 if (sv_list[strlen(sv_list) - 1] != '\n') {
218 tcpd_warn("missing newline or line too long");
219 continue;
220 }
221 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
222 continue;
223 if ((cl_list = split_at(sv_list, ':')) == 0) {
224 tcpd_warn("missing \":\" separator");
225 continue;
226 }
227 sh_cmd = split_at(cl_list, ':');
228
229 if (hosts_access_verbose)
230 printf("\n>>> Rule %s line %d:\n",
231 tcpd_context.file, tcpd_context.line);
232
233 if (hosts_access_verbose)
234 print_list("daemons: ", sv_list);
235 check_daemon_list(sv_list);
236
237 if (hosts_access_verbose)
238 print_list("clients: ", cl_list);
239 check_client_list(cl_list);
240
241#ifdef PROCESS_OPTIONS
242 real_verdict = defl_verdict;
243 if (sh_cmd) {
244 verdict = setjmp(tcpd_buf);
245 if (verdict != 0) {
246 real_verdict = (verdict == AC_PERMIT);
247 } else {
248 dry_run = 1;
249 process_options(sh_cmd, request);
250 if (dry_run == 1 && real_verdict && allow_check)
251 tcpd_warn("implicit \"allow\" at end of rule");
252 }
253 } else if (defl_verdict && allow_check) {
254 tcpd_warn("implicit \"allow\" at end of rule");
255 }
256 if (hosts_access_verbose)
257 printf("access: %s\n", real_verdict ? "granted" : "denied");
258#else
259 if (sh_cmd)
260 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
261 if (hosts_access_verbose)
262 printf("access: %s\n", defl_verdict ? "granted" : "denied");
263#endif
264 }
265 (void) fclose(fp);
266 } else if (errno != ENOENT) {
267 tcpd_warn("cannot open %s: %m", table);
268 }
269 tcpd_context = saved_context;
270}
271
272/* print_list - pretty-print a list */
273
274static void print_list(title, list)
275char *title;
276char *list;
277{
278 char buf[BUFLEN];
279 char *cp;
280 char *next;
281
282 fputs(title, stdout);
283 strcpy(buf, list);
284
285 for (cp = strtok(buf, sep); cp != 0; cp = next) {
286 fputs(cp, stdout);
287 next = strtok((char *) 0, sep);
288 if (next != 0)
289 fputs(" ", stdout);
290 }
291 fputs("\n", stdout);
292}
293
294/* check_daemon_list - criticize daemon list */
295
296static void check_daemon_list(list)
297char *list;
298{
299 char buf[BUFLEN];
300 char *cp;
301 char *host;
302 int daemons = 0;
303
304 strcpy(buf, list);
305
306 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
307 if (STR_EQ(cp, "EXCEPT")) {
308 daemons = 0;
309 } else {
310 daemons++;
311 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
312 tcpd_warn("host %s has more than one address", host);
313 tcpd_warn("(consider using an address instead)");
314 }
315 check_daemon(cp);
316 }
317 }
318 if (daemons == 0)
319 tcpd_warn("daemon list is empty or ends in EXCEPT");
320}
321
322/* check_client_list - criticize client list */
323
324static void check_client_list(list)
325char *list;
326{
327 char buf[BUFLEN];
328 char *cp;
329 char *host;
330 int clients = 0;
331
332 strcpy(buf, list);
333
334 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
335 if (STR_EQ(cp, "EXCEPT")) {
336 clients = 0;
337 } else {
338 clients++;
339 if (host = split_at(cp + 1, '@')) { /* user@host */
340 check_user(cp);
341 check_host(host);
342 } else {
343 check_host(cp);
344 }
345 }
346 }
347 if (clients == 0)
348 tcpd_warn("client list is empty or ends in EXCEPT");
349}
350
351/* check_daemon - criticize daemon pattern */
352
353static void check_daemon(pat)
354char *pat;
355{
356 if (pat[0] == '@') {
357 tcpd_warn("%s: daemon name begins with \"@\"", pat);
358 } else if (pat[0] == '/') {
359 tcpd_warn("%s: daemon name begins with \"/\"", pat);
360 } else if (pat[0] == '.') {
361 tcpd_warn("%s: daemon name begins with dot", pat);
362 } else if (pat[strlen(pat) - 1] == '.') {
363 tcpd_warn("%s: daemon name ends in dot", pat);
364 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
365 /* void */ ;
366 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
367 tcpd_warn("FAIL is no longer recognized");
368 tcpd_warn("(use EXCEPT or DENY instead)");
369 } else if (reserved_name(pat)) {
370 tcpd_warn("%s: daemon name may be reserved word", pat);
371 } else {
372 switch (inet_get(pat)) {
373 case WR_UNKNOWN:
374 tcpd_warn("%s: no such process name in %s", pat, inetcf);
375 inet_set(pat, WR_YES); /* shut up next time */
376 break;
377 case WR_NOT:
378 tcpd_warn("%s: service possibly not wrapped", pat);
379 inet_set(pat, WR_YES);
380 break;
381 }
382 }
383}
384
385/* check_user - criticize user pattern */
386
387static void check_user(pat)
388char *pat;
389{
390 if (pat[0] == '@') { /* @netgroup */
391 tcpd_warn("%s: user name begins with \"@\"", pat);
392 } else if (pat[0] == '/') {
393 tcpd_warn("%s: user name begins with \"/\"", pat);
394 } else if (pat[0] == '.') {
395 tcpd_warn("%s: user name begins with dot", pat);
396 } else if (pat[strlen(pat) - 1] == '.') {
397 tcpd_warn("%s: user name ends in dot", pat);
398 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
399 || STR_EQ(pat, "KNOWN")) {
400 /* void */ ;
401 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
402 tcpd_warn("FAIL is no longer recognized");
403 tcpd_warn("(use EXCEPT or DENY instead)");
404 } else if (reserved_name(pat)) {
405 tcpd_warn("%s: user name may be reserved word", pat);
406 }
407}
408
409#ifdef INET6
410static int is_inet6_addr(pat)
411 char *pat;
412{
413 struct in6_addr addr;
414 int len, ret;
415 char ch;
416
417 if (*pat != '[')
418 return (0);
419 len = strlen(pat);
420 if ((ch = pat[len - 1]) != ']')
421 return (0);
422 pat[len - 1] = '\0';
423 ret = inet_pton(AF_INET6, pat + 1, &addr);
424 pat[len - 1] = ch;
425 return (ret == 1);
426}
427#endif
428
406/* check_host - criticize host pattern */
407
408static int check_host(pat)
409char *pat;
410{
411 char buf[BUFSIZ];
412 char *mask;
413 int addr_count = 1;
414 FILE *fp;
415 struct tcpd_context saved_context;
416 char *cp;
417 char *wsp = " \t\r\n";
418
419 if (pat[0] == '@') { /* @netgroup */
420#ifdef NO_NETGRENT
421 /* SCO has no *netgrent() support */
422#else
423#ifdef NETGROUP
424 char *machinep;
425 char *userp;
426 char *domainp;
427
428 setnetgrent(pat + 1);
429 if (getnetgrent(&machinep, &userp, &domainp) == 0)
430 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
431 endnetgrent();
432#else
433 tcpd_warn("netgroup support disabled");
434#endif
435#endif
436 } else if (pat[0] == '/') { /* /path/name */
437 if ((fp = fopen(pat, "r")) != 0) {
438 saved_context = tcpd_context;
439 tcpd_context.file = pat;
440 tcpd_context.line = 0;
441 while (fgets(buf, sizeof(buf), fp)) {
442 tcpd_context.line++;
443 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
444 check_host(cp);
445 }
446 tcpd_context = saved_context;
447 fclose(fp);
448 } else if (errno != ENOENT) {
449 tcpd_warn("open %s: %m", pat);
450 }
451 } else if (mask = split_at(pat, '/')) { /* network/netmask */
429/* check_host - criticize host pattern */
430
431static int check_host(pat)
432char *pat;
433{
434 char buf[BUFSIZ];
435 char *mask;
436 int addr_count = 1;
437 FILE *fp;
438 struct tcpd_context saved_context;
439 char *cp;
440 char *wsp = " \t\r\n";
441
442 if (pat[0] == '@') { /* @netgroup */
443#ifdef NO_NETGRENT
444 /* SCO has no *netgrent() support */
445#else
446#ifdef NETGROUP
447 char *machinep;
448 char *userp;
449 char *domainp;
450
451 setnetgrent(pat + 1);
452 if (getnetgrent(&machinep, &userp, &domainp) == 0)
453 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
454 endnetgrent();
455#else
456 tcpd_warn("netgroup support disabled");
457#endif
458#endif
459 } else if (pat[0] == '/') { /* /path/name */
460 if ((fp = fopen(pat, "r")) != 0) {
461 saved_context = tcpd_context;
462 tcpd_context.file = pat;
463 tcpd_context.line = 0;
464 while (fgets(buf, sizeof(buf), fp)) {
465 tcpd_context.line++;
466 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
467 check_host(cp);
468 }
469 tcpd_context = saved_context;
470 fclose(fp);
471 } else if (errno != ENOENT) {
472 tcpd_warn("open %s: %m", pat);
473 }
474 } else if (mask = split_at(pat, '/')) { /* network/netmask */
475#ifdef INET6
476 int mask_len;
477
478 if ((dot_quad_addr(pat) == INADDR_NONE
479 || dot_quad_addr(mask) == INADDR_NONE)
480 && (!is_inet6_addr(pat)
481 || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
482#else
452 if (dot_quad_addr(pat) == INADDR_NONE
453 || dot_quad_addr(mask) == INADDR_NONE)
483 if (dot_quad_addr(pat) == INADDR_NONE
484 || dot_quad_addr(mask) == INADDR_NONE)
485#endif
454 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
455 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
456 tcpd_warn("FAIL is no longer recognized");
457 tcpd_warn("(use EXCEPT or DENY instead)");
458 } else if (reserved_name(pat)) { /* other reserved */
459 /* void */ ;
486 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
487 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
488 tcpd_warn("FAIL is no longer recognized");
489 tcpd_warn("(use EXCEPT or DENY instead)");
490 } else if (reserved_name(pat)) { /* other reserved */
491 /* void */ ;
492#ifdef INET6
493 } else if (is_inet6_addr(pat)) { /* IPv6 address */
494 addr_count = 1;
495#endif
460 } else if (NOT_INADDR(pat)) { /* internet name */
461 if (pat[strlen(pat) - 1] == '.') {
462 tcpd_warn("%s: domain or host name ends in dot", pat);
463 } else if (pat[0] != '.') {
464 addr_count = check_dns(pat);
465 }
466 } else { /* numeric form */
467 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
468 /* void */ ;
469 } else if (pat[0] == '.') {
470 tcpd_warn("%s: network number begins with dot", pat);
471 } else if (pat[strlen(pat) - 1] != '.') {
472 check_dns(pat);
473 }
474 }
475 return (addr_count);
476}
477
478/* reserved_name - determine if name is reserved */
479
480static int reserved_name(pat)
481char *pat;
482{
483 return (STR_EQ(pat, unknown)
484 || STR_EQ(pat, "KNOWN")
485 || STR_EQ(pat, paranoid)
486 || STR_EQ(pat, "ALL")
487 || STR_EQ(pat, "LOCAL"));
488}
496 } else if (NOT_INADDR(pat)) { /* internet name */
497 if (pat[strlen(pat) - 1] == '.') {
498 tcpd_warn("%s: domain or host name ends in dot", pat);
499 } else if (pat[0] != '.') {
500 addr_count = check_dns(pat);
501 }
502 } else { /* numeric form */
503 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
504 /* void */ ;
505 } else if (pat[0] == '.') {
506 tcpd_warn("%s: network number begins with dot", pat);
507 } else if (pat[strlen(pat) - 1] != '.') {
508 check_dns(pat);
509 }
510 }
511 return (addr_count);
512}
513
514/* reserved_name - determine if name is reserved */
515
516static int reserved_name(pat)
517char *pat;
518{
519 return (STR_EQ(pat, unknown)
520 || STR_EQ(pat, "KNOWN")
521 || STR_EQ(pat, paranoid)
522 || STR_EQ(pat, "ALL")
523 || STR_EQ(pat, "LOCAL"));
524}