1 /*
2 * tcpdmatch - explain what tcpd would do in a specific case
3 *
4 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
5 *
6 * -d: use the access control tables in the current directory.
7 *
8 * -i: location of inetd.conf file.
9 *
10 * All errors are reported to the standard error stream, including the errors
11 * that would normally be reported via the syslog daemon.
12 *
13 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
| 1 /*
2 * tcpdmatch - explain what tcpd would do in a specific case
3 *
4 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
5 *
6 * -d: use the access control tables in the current directory.
7 *
8 * -i: location of inetd.conf file.
9 *
10 * All errors are reported to the standard error stream, including the errors
11 * that would normally be reported via the syslog daemon.
12 *
13 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
|
| 14 *
15 * $FreeBSD: head/contrib/tcp_wrappers/tcpdmatch.c 56977 2000-02-03 10:27:03Z shin $
|
14 */
15
16#ifndef lint
17static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
18#endif
19
20/* System libraries. */
21
22#include <sys/types.h>
23#include <sys/stat.h>
24#include <sys/socket.h>
25#include <netinet/in.h>
26#include <arpa/inet.h>
27#include <netdb.h>
28#include <stdio.h>
29#include <syslog.h>
30#include <setjmp.h>
31#include <string.h>
32
33extern void exit();
34extern int optind;
35extern char *optarg;
36
37#ifndef INADDR_NONE
38#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
39#endif
40
41#ifndef S_ISDIR
42#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
43#endif
44
45/* Application-specific. */
46
47#include "tcpd.h"
48#include "inetcf.h"
49#include "scaffold.h"
50
51static void usage();
52static void tcpdmatch();
53
54/* The main program */
55
56int main(argc, argv)
57int argc;
58char **argv;
59{
60 struct hostent *hp;
61 char *myname = argv[0];
62 char *client;
63 char *server;
64 char *addr;
65 char *user;
66 char *daemon;
67 struct request_info request;
68 int ch;
69 char *inetcf = 0;
70 int count;
| 16 */
17
18#ifndef lint
19static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
20#endif
21
22/* System libraries. */
23
24#include <sys/types.h>
25#include <sys/stat.h>
26#include <sys/socket.h>
27#include <netinet/in.h>
28#include <arpa/inet.h>
29#include <netdb.h>
30#include <stdio.h>
31#include <syslog.h>
32#include <setjmp.h>
33#include <string.h>
34
35extern void exit();
36extern int optind;
37extern char *optarg;
38
39#ifndef INADDR_NONE
40#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
41#endif
42
43#ifndef S_ISDIR
44#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
45#endif
46
47/* Application-specific. */
48
49#include "tcpd.h"
50#include "inetcf.h"
51#include "scaffold.h"
52
53static void usage();
54static void tcpdmatch();
55
56/* The main program */
57
58int main(argc, argv)
59int argc;
60char **argv;
61{
62 struct hostent *hp;
63 char *myname = argv[0];
64 char *client;
65 char *server;
66 char *addr;
67 char *user;
68 char *daemon;
69 struct request_info request;
70 int ch;
71 char *inetcf = 0;
72 int count;
|
| 73#ifdef INET6
74 struct sockaddr_storage server_sin;
75 struct sockaddr_storage client_sin;
76 char *ap;
77 int alen;
78#else
|
71 struct sockaddr_in server_sin;
72 struct sockaddr_in client_sin;
| 79 struct sockaddr_in server_sin;
80 struct sockaddr_in client_sin;
|
| 81#endif
|
73 struct stat st;
74
75 /*
76 * Show what rule actually matched.
77 */
78 hosts_access_verbose = 2;
79
80 /*
81 * Parse the JCL.
82 */
83 while ((ch = getopt(argc, argv, "di:")) != EOF) {
84 switch (ch) {
85 case 'd':
86 hosts_allow_table = "hosts.allow";
87 hosts_deny_table = "hosts.deny";
88 break;
89 case 'i':
90 inetcf = optarg;
91 break;
92 default:
93 usage(myname);
94 /* NOTREACHED */
95 }
96 }
97 if (argc != optind + 2)
98 usage(myname);
99
100 /*
101 * When confusion really strikes...
102 */
103 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
104 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
105 } else if (!S_ISDIR(st.st_mode)) {
106 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
107 }
108
109 /*
110 * Default is to specify a daemon process name. When daemon@host is
111 * specified, separate the two parts.
112 */
113 if ((server = split_at(argv[optind], '@')) == 0)
114 server = unknown;
115 if (argv[optind][0] == '/') {
116 daemon = strrchr(argv[optind], '/') + 1;
117 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
118 } else {
119 daemon = argv[optind];
120 }
121
122 /*
123 * Default is to specify a client hostname or address. When user@host is
124 * specified, separate the two parts.
125 */
126 if ((client = split_at(argv[optind + 1], '@')) != 0) {
127 user = argv[optind + 1];
128 } else {
129 client = argv[optind + 1];
130 user = unknown;
131 }
132
133 /*
134 * Analyze the inetd (or tlid) configuration file, so that we can warn
135 * the user about services that may not be wrapped, services that are not
136 * configured, or services that are wrapped in an incorrect manner. Allow
137 * for services that are not run from inetd, or that have tcpd access
138 * control built into them.
139 */
140 inetcf = inet_cfg(inetcf);
141 inet_set("portmap", WR_NOT);
142 inet_set("rpcbind", WR_NOT);
143 switch (inet_get(daemon)) {
144 case WR_UNKNOWN:
145 tcpd_warn("%s: no such process name in %s", daemon, inetcf);
146 break;
147 case WR_NOT:
148 tcpd_warn("%s: service possibly not wrapped", daemon);
149 break;
150 }
151
152 /*
153 * Check accessibility of access control files.
154 */
155 (void) check_path(hosts_allow_table, &st);
156 (void) check_path(hosts_deny_table, &st);
157
158 /*
159 * Fill in what we have figured out sofar. Use socket and DNS routines
160 * for address and name conversions. We attach stdout to the request so
161 * that banner messages will become visible.
162 */
163 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
164 sock_methods(&request);
165
166 /*
167 * If a server hostname is specified, insist that the name maps to at
168 * most one address. eval_hostname() warns the user about name server
169 * problems, while using the request.server structure as a cache for host
170 * address and name conversion results.
171 */
172 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
173 if ((hp = find_inet_addr(server)) == 0)
174 exit(1);
175 memset((char *) &server_sin, 0, sizeof(server_sin));
| 82 struct stat st;
83
84 /*
85 * Show what rule actually matched.
86 */
87 hosts_access_verbose = 2;
88
89 /*
90 * Parse the JCL.
91 */
92 while ((ch = getopt(argc, argv, "di:")) != EOF) {
93 switch (ch) {
94 case 'd':
95 hosts_allow_table = "hosts.allow";
96 hosts_deny_table = "hosts.deny";
97 break;
98 case 'i':
99 inetcf = optarg;
100 break;
101 default:
102 usage(myname);
103 /* NOTREACHED */
104 }
105 }
106 if (argc != optind + 2)
107 usage(myname);
108
109 /*
110 * When confusion really strikes...
111 */
112 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
113 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
114 } else if (!S_ISDIR(st.st_mode)) {
115 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
116 }
117
118 /*
119 * Default is to specify a daemon process name. When daemon@host is
120 * specified, separate the two parts.
121 */
122 if ((server = split_at(argv[optind], '@')) == 0)
123 server = unknown;
124 if (argv[optind][0] == '/') {
125 daemon = strrchr(argv[optind], '/') + 1;
126 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
127 } else {
128 daemon = argv[optind];
129 }
130
131 /*
132 * Default is to specify a client hostname or address. When user@host is
133 * specified, separate the two parts.
134 */
135 if ((client = split_at(argv[optind + 1], '@')) != 0) {
136 user = argv[optind + 1];
137 } else {
138 client = argv[optind + 1];
139 user = unknown;
140 }
141
142 /*
143 * Analyze the inetd (or tlid) configuration file, so that we can warn
144 * the user about services that may not be wrapped, services that are not
145 * configured, or services that are wrapped in an incorrect manner. Allow
146 * for services that are not run from inetd, or that have tcpd access
147 * control built into them.
148 */
149 inetcf = inet_cfg(inetcf);
150 inet_set("portmap", WR_NOT);
151 inet_set("rpcbind", WR_NOT);
152 switch (inet_get(daemon)) {
153 case WR_UNKNOWN:
154 tcpd_warn("%s: no such process name in %s", daemon, inetcf);
155 break;
156 case WR_NOT:
157 tcpd_warn("%s: service possibly not wrapped", daemon);
158 break;
159 }
160
161 /*
162 * Check accessibility of access control files.
163 */
164 (void) check_path(hosts_allow_table, &st);
165 (void) check_path(hosts_deny_table, &st);
166
167 /*
168 * Fill in what we have figured out sofar. Use socket and DNS routines
169 * for address and name conversions. We attach stdout to the request so
170 * that banner messages will become visible.
171 */
172 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
173 sock_methods(&request);
174
175 /*
176 * If a server hostname is specified, insist that the name maps to at
177 * most one address. eval_hostname() warns the user about name server
178 * problems, while using the request.server structure as a cache for host
179 * address and name conversion results.
180 */
181 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
182 if ((hp = find_inet_addr(server)) == 0)
183 exit(1);
184 memset((char *) &server_sin, 0, sizeof(server_sin));
|
| 185#ifdef INET6
186 server_sin.ss_family = hp->h_addrtype;
187 switch (hp->h_addrtype) {
188 case AF_INET:
189 ap = (char *)&((struct sockaddr_in *)&server_sin)->sin_addr;
190 alen = sizeof(struct sockaddr_in);
191 break;
192 case AF_INET6:
193 ap = (char *)&((struct sockaddr_in6 *)&server_sin)->sin6_addr;
194 alen = sizeof(struct sockaddr_in6);
195 break;
196 default:
197 exit(1);
198 }
199#ifdef SIN6_LEN
200 server_sin.ss_len = alen;
201#endif
202#else
|
176 server_sin.sin_family = AF_INET;
| 203 server_sin.sin_family = AF_INET;
|
| 204#endif
|
177 request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
178
179 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
| 205 request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
206
207 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
|
| 208#ifdef INET6
209 memcpy(ap, addr, alen);
210#else
|
180 memcpy((char *) &server_sin.sin_addr, addr,
181 sizeof(server_sin.sin_addr));
| 211 memcpy((char *) &server_sin.sin_addr, addr,
212 sizeof(server_sin.sin_addr));
|
| 213#endif
|
182
183 /*
184 * Force evaluation of server host name and address. Host name
185 * conflicts will be reported while eval_hostname() does its job.
186 */
187 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
188 if (STR_EQ(eval_hostname(request.server), unknown))
189 tcpd_warn("host address %s->name lookup failed",
190 eval_hostaddr(request.server));
191 }
192 if (count > 1) {
193 fprintf(stderr, "Error: %s has more than one address\n", server);
194 fprintf(stderr, "Please specify an address instead\n");
195 exit(1);
196 }
197 free((char *) hp);
198 } else {
199 request_set(&request, RQ_SERVER_NAME, server, 0);
200 }
201
202 /*
203 * If a client address is specified, we simulate the effect of client
204 * hostname lookup failure.
205 */
206 if (dot_quad_addr(client) != INADDR_NONE) {
207 request_set(&request, RQ_CLIENT_ADDR, client, 0);
208 tcpdmatch(&request);
209 exit(0);
210 }
211
212 /*
213 * Perhaps they are testing special client hostname patterns that aren't
214 * really host names at all.
215 */
216 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
217 request_set(&request, RQ_CLIENT_NAME, client, 0);
218 tcpdmatch(&request);
219 exit(0);
220 }
221
222 /*
223 * Otherwise, assume that a client hostname is specified, and insist that
224 * the address can be looked up. The reason for this requirement is that
225 * in real life the client address is available (at least with IP). Let
226 * eval_hostname() figure out if this host is properly registered, while
227 * using the request.client structure as a cache for host name and
228 * address conversion results.
229 */
230 if ((hp = find_inet_addr(client)) == 0)
231 exit(1);
232 memset((char *) &client_sin, 0, sizeof(client_sin));
| 214
215 /*
216 * Force evaluation of server host name and address. Host name
217 * conflicts will be reported while eval_hostname() does its job.
218 */
219 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
220 if (STR_EQ(eval_hostname(request.server), unknown))
221 tcpd_warn("host address %s->name lookup failed",
222 eval_hostaddr(request.server));
223 }
224 if (count > 1) {
225 fprintf(stderr, "Error: %s has more than one address\n", server);
226 fprintf(stderr, "Please specify an address instead\n");
227 exit(1);
228 }
229 free((char *) hp);
230 } else {
231 request_set(&request, RQ_SERVER_NAME, server, 0);
232 }
233
234 /*
235 * If a client address is specified, we simulate the effect of client
236 * hostname lookup failure.
237 */
238 if (dot_quad_addr(client) != INADDR_NONE) {
239 request_set(&request, RQ_CLIENT_ADDR, client, 0);
240 tcpdmatch(&request);
241 exit(0);
242 }
243
244 /*
245 * Perhaps they are testing special client hostname patterns that aren't
246 * really host names at all.
247 */
248 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
249 request_set(&request, RQ_CLIENT_NAME, client, 0);
250 tcpdmatch(&request);
251 exit(0);
252 }
253
254 /*
255 * Otherwise, assume that a client hostname is specified, and insist that
256 * the address can be looked up. The reason for this requirement is that
257 * in real life the client address is available (at least with IP). Let
258 * eval_hostname() figure out if this host is properly registered, while
259 * using the request.client structure as a cache for host name and
260 * address conversion results.
261 */
262 if ((hp = find_inet_addr(client)) == 0)
263 exit(1);
264 memset((char *) &client_sin, 0, sizeof(client_sin));
|
| 265#ifdef INET6
266 client_sin.ss_family = hp->h_addrtype;
267 switch (hp->h_addrtype) {
268 case AF_INET:
269 ap = (char *)&((struct sockaddr_in *)&client_sin)->sin_addr;
270 alen = sizeof(struct sockaddr_in);
271 break;
272 case AF_INET6:
273 ap = (char *)&((struct sockaddr_in6 *)&client_sin)->sin6_addr;
274 alen = sizeof(struct sockaddr_in6);
275 break;
276 default:
277 exit(1);
278 }
279#ifdef SIN6_LEN
280 client_sin.ss_len = alen;
281#endif
282#else
|
233 client_sin.sin_family = AF_INET;
| 283 client_sin.sin_family = AF_INET;
|
| 284#endif
|
234 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
235
236 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
| 285 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
286
287 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
|
| 288#ifdef INET6
289 memcpy(ap, addr, alen);
290#else
|
237 memcpy((char *) &client_sin.sin_addr, addr,
238 sizeof(client_sin.sin_addr));
| 291 memcpy((char *) &client_sin.sin_addr, addr,
292 sizeof(client_sin.sin_addr));
|
| 293#endif
|
239
240 /*
241 * Force evaluation of client host name and address. Host name
242 * conflicts will be reported while eval_hostname() does its job.
243 */
244 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
245 if (STR_EQ(eval_hostname(request.client), unknown))
246 tcpd_warn("host address %s->name lookup failed",
247 eval_hostaddr(request.client));
248 tcpdmatch(&request);
249 if (hp->h_addr_list[count + 1])
250 printf("\n");
251 }
252 free((char *) hp);
253 exit(0);
254}
255
256/* Explain how to use this program */
257
258static void usage(myname)
259char *myname;
260{
261 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
262 myname);
263 fprintf(stderr, " -d: use allow/deny files in current directory\n");
264 fprintf(stderr, " -i: location of inetd.conf file\n");
265 exit(1);
266}
267
268/* Print interesting expansions */
269
270static void expand(text, pattern, request)
271char *text;
272char *pattern;
273struct request_info *request;
274{
275 char buf[BUFSIZ];
276
277 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
278 printf("%s %s\n", text, buf);
279}
280
281/* Try out a (server,client) pair */
282
283static void tcpdmatch(request)
284struct request_info *request;
285{
286 int verdict;
287
288 /*
289 * Show what we really know. Suppress uninteresting noise.
290 */
291 expand("client: hostname", "%n", request);
292 expand("client: address ", "%a", request);
293 expand("client: username", "%u", request);
294 expand("server: hostname", "%N", request);
295 expand("server: address ", "%A", request);
296 expand("server: process ", "%d", request);
297
298 /*
299 * Reset stuff that might be changed by options handlers. In dry-run
300 * mode, extension language routines that would not return should inform
301 * us of their plan, by clearing the dry_run flag. This is a bit clumsy
302 * but we must be able to verify hosts with more than one network
303 * address.
304 */
305 rfc931_timeout = RFC931_TIMEOUT;
306 allow_severity = SEVERITY;
307 deny_severity = LOG_WARNING;
308 dry_run = 1;
309
310 /*
311 * When paranoid mode is enabled, access is rejected no matter what the
312 * access control rules say.
313 */
314#ifdef PARANOID
315 if (STR_EQ(eval_hostname(request->client), paranoid)) {
316 printf("access: denied (PARANOID mode)\n\n");
317 return;
318 }
319#endif
320
321 /*
322 * Report the access control verdict.
323 */
324 verdict = hosts_access(request);
325 printf("access: %s\n",
326 dry_run == 0 ? "delegated" :
327 verdict ? "granted" : "denied");
328}
| 294
295 /*
296 * Force evaluation of client host name and address. Host name
297 * conflicts will be reported while eval_hostname() does its job.
298 */
299 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
300 if (STR_EQ(eval_hostname(request.client), unknown))
301 tcpd_warn("host address %s->name lookup failed",
302 eval_hostaddr(request.client));
303 tcpdmatch(&request);
304 if (hp->h_addr_list[count + 1])
305 printf("\n");
306 }
307 free((char *) hp);
308 exit(0);
309}
310
311/* Explain how to use this program */
312
313static void usage(myname)
314char *myname;
315{
316 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
317 myname);
318 fprintf(stderr, " -d: use allow/deny files in current directory\n");
319 fprintf(stderr, " -i: location of inetd.conf file\n");
320 exit(1);
321}
322
323/* Print interesting expansions */
324
325static void expand(text, pattern, request)
326char *text;
327char *pattern;
328struct request_info *request;
329{
330 char buf[BUFSIZ];
331
332 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
333 printf("%s %s\n", text, buf);
334}
335
336/* Try out a (server,client) pair */
337
338static void tcpdmatch(request)
339struct request_info *request;
340{
341 int verdict;
342
343 /*
344 * Show what we really know. Suppress uninteresting noise.
345 */
346 expand("client: hostname", "%n", request);
347 expand("client: address ", "%a", request);
348 expand("client: username", "%u", request);
349 expand("server: hostname", "%N", request);
350 expand("server: address ", "%A", request);
351 expand("server: process ", "%d", request);
352
353 /*
354 * Reset stuff that might be changed by options handlers. In dry-run
355 * mode, extension language routines that would not return should inform
356 * us of their plan, by clearing the dry_run flag. This is a bit clumsy
357 * but we must be able to verify hosts with more than one network
358 * address.
359 */
360 rfc931_timeout = RFC931_TIMEOUT;
361 allow_severity = SEVERITY;
362 deny_severity = LOG_WARNING;
363 dry_run = 1;
364
365 /*
366 * When paranoid mode is enabled, access is rejected no matter what the
367 * access control rules say.
368 */
369#ifdef PARANOID
370 if (STR_EQ(eval_hostname(request->client), paranoid)) {
371 printf("access: denied (PARANOID mode)\n\n");
372 return;
373 }
374#endif
375
376 /*
377 * Report the access control verdict.
378 */
379 verdict = hosts_access(request);
380 printf("access: %s\n",
381 dry_run == 0 ? "delegated" :
382 verdict ? "granted" : "denied");
383}
|