1/*	$NetBSD: tcpdchk.c,v 1.10 2002/06/06 21:28:51 itojun Exp $	*/
2
3 /*
4  * tcpdchk - examine all tcpd access control rules and inetd.conf entries
5  *
6  * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
7  *
8  * -a: complain about implicit "allow" at end of rule.
9  *
10  * -d: rules in current directory.
11  *
12  * -i: location of inetd.conf file.
13  *
14  * -v: show all rules.
15  *
16  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
17  */
18
19#include <sys/cdefs.h>
20#ifndef lint
21#if 0
22static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
23#else
24__RCSID("$NetBSD: tcpdchk.c,v 1.10 2002/06/06 21:28:51 itojun Exp $");
25#endif
26#endif
27
28/* System libraries. */
29
30#include <sys/types.h>
31#include <sys/stat.h>
32#include <netinet/in.h>
33#include <arpa/inet.h>
34#include <stdio.h>
35#include <syslog.h>
36#include <setjmp.h>
37#include <errno.h>
38#include <netdb.h>
39#include <string.h>
40#include <stdlib.h>
41#include <unistd.h>
42
43#ifndef INADDR_NONE
44#define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
45#endif
46
47#ifndef S_ISDIR
48#define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
49#endif
50
51/* Application-specific. */
52
53#include "tcpd.h"
54#include "inetcf.h"
55#include "scaffold.h"
56
57#ifdef NO_NETGRENT
58	/* SCO has no *netgrent() support */
59#else
60# ifdef NETGROUP
61#  include <netgroup.h>
62# endif
63#endif
64
65 /*
66  * Stolen from hosts_access.c...
67  */
68static char sep[] = ", \t\n";
69
70#define	BUFLEN 2048
71
72int     resident = 0;
73int     hosts_access_verbose = 0;
74char   *hosts_allow_table = HOSTS_ALLOW;
75char   *hosts_deny_table = HOSTS_DENY;
76extern jmp_buf tcpd_buf;
77
78 /*
79  * Local stuff.
80  */
81static void usage __P((void));
82static void parse_table __P((char *, struct request_info *));
83static void print_list __P((char *, char *));
84static void check_daemon_list __P((char *));
85static void check_client_list __P((char *));
86static void check_daemon __P((char *));
87static void check_user __P((char *));
88#ifdef INET6
89static int check_inet_addr __P((char *));
90#endif
91static int check_host __P((char *));
92static int reserved_name __P((char *));
93
94int main __P((int, char **));
95
96#define PERMIT	1
97#define DENY	0
98
99#define YES	1
100#define	NO	0
101
102static int defl_verdict;
103static char *myname;
104static int allow_check;
105static char *inetcf;
106
107int     main(argc, argv)
108int     argc;
109char  **argv;
110{
111    struct request_info request;
112    struct stat st;
113    int     c;
114
115    myname = argv[0];
116
117    /*
118     * Parse the JCL.
119     */
120    while ((c = getopt(argc, argv, "adi:v")) != -1) {
121	switch (c) {
122	case 'a':
123	    allow_check = 1;
124	    break;
125	case 'd':
126	    hosts_allow_table = "hosts.allow";
127	    hosts_deny_table = "hosts.deny";
128	    break;
129	case 'i':
130	    inetcf = optarg;
131	    break;
132	case 'v':
133	    hosts_access_verbose++;
134	    break;
135	default:
136	    usage();
137	    /* NOTREACHED */
138	}
139    }
140    if (argc != optind)
141	usage();
142
143    /*
144     * When confusion really strikes...
145     */
146    if (check_path(REAL_DAEMON_DIR, &st) < 0) {
147	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
148    } else if (!S_ISDIR(st.st_mode)) {
149	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
150    }
151
152    /*
153     * Process the inet configuration file (or its moral equivalent). This
154     * information is used later to find references in hosts.allow/deny to
155     * unwrapped services, and other possible problems.
156     */
157    inetcf = inet_cfg(inetcf);
158    if (hosts_access_verbose)
159	printf("Using network configuration file: %s\n", inetcf);
160
161    /*
162     * These are not run from inetd but may have built-in access control.
163     */
164    inet_set("portmap", WR_NOT);
165    inet_set("rpcbind", WR_NOT);
166
167    /*
168     * Check accessibility of access control files.
169     */
170    (void) check_path(hosts_allow_table, &st);
171    (void) check_path(hosts_deny_table, &st);
172
173    /*
174     * Fake up an arbitrary service request.
175     */
176    request_init(&request,
177		 RQ_DAEMON, "daemon_name",
178		 RQ_SERVER_NAME, "server_hostname",
179		 RQ_SERVER_ADDR, "server_addr",
180		 RQ_USER, "user_name",
181		 RQ_CLIENT_NAME, "client_hostname",
182		 RQ_CLIENT_ADDR, "client_addr",
183		 RQ_FILE, 1,
184		 0);
185
186    /*
187     * Examine all access-control rules.
188     */
189    defl_verdict = PERMIT;
190    parse_table(hosts_allow_table, &request);
191    defl_verdict = DENY;
192    parse_table(hosts_deny_table, &request);
193    return (0);
194}
195
196/* usage - explain */
197
198static void usage()
199{
200    fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
201    fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
202    fprintf(stderr, "	-d: use allow/deny files in current directory\n");
203    fprintf(stderr, "	-i: location of inetd.conf file\n");
204    fprintf(stderr, "	-v: list all rules\n");
205    exit(1);
206}
207
208/* parse_table - like table_match(), but examines _all_ entries */
209
210static void parse_table(table, request)
211char   *table;
212struct request_info *request;
213{
214    FILE   *fp;
215    int     real_verdict;
216    char    sv_list[BUFLEN];		/* becomes list of daemons */
217    char   *cl_list;			/* becomes list of requests */
218    char   *sh_cmd;			/* becomes optional shell command */
219    int     verdict;
220    struct tcpd_context saved_context;
221#ifdef __GNUC__
222    /* XXX hack to avoid gcc warnings */
223    (void) &real_verdict;
224    (void) &saved_context;
225#endif
226
227    saved_context = tcpd_context;		/* stupid compilers */
228
229    if ((fp = fopen(table, "r")) != NULL) {
230	tcpd_context.file = table;
231	tcpd_context.line = 0;
232	while (xgets(sv_list, sizeof(sv_list), fp)) {
233	    if (sv_list[strlen(sv_list) - 1] != '\n') {
234		tcpd_warn("missing newline or line too long");
235		continue;
236	    }
237	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
238		continue;
239	    if ((cl_list = split_at(sv_list, ':')) == 0) {
240		tcpd_warn("missing \":\" separator");
241		continue;
242	    }
243	    sh_cmd = split_at(cl_list, ':');
244
245	    if (hosts_access_verbose)
246		printf("\n>>> Rule %s line %d:\n",
247		       tcpd_context.file, tcpd_context.line);
248
249	    if (hosts_access_verbose)
250		print_list("daemons:  ", sv_list);
251	    check_daemon_list(sv_list);
252
253	    if (hosts_access_verbose)
254		print_list("clients:  ", cl_list);
255	    check_client_list(cl_list);
256
257#ifdef PROCESS_OPTIONS
258	    real_verdict = defl_verdict;
259	    if (sh_cmd) {
260		verdict = setjmp(tcpd_buf);
261		if (verdict != 0) {
262		    real_verdict = (verdict == AC_PERMIT);
263		} else {
264		    dry_run = 1;
265		    process_options(sh_cmd, request);
266		    if (dry_run == 1 && real_verdict && allow_check)
267			tcpd_warn("implicit \"allow\" at end of rule");
268		}
269	    } else if (defl_verdict && allow_check) {
270		tcpd_warn("implicit \"allow\" at end of rule");
271	    }
272	    if (hosts_access_verbose)
273		printf("access:   %s\n", real_verdict ? "granted" : "denied");
274#else
275	    if (sh_cmd)
276		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
277	    if (hosts_access_verbose)
278		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
279#endif
280	}
281	(void) fclose(fp);
282    } else if (errno != ENOENT) {
283	tcpd_warn("cannot open %s: %m", table);
284    }
285    tcpd_context = saved_context;
286}
287
288/* print_list - pretty-print a list */
289
290static void print_list(title, list)
291char   *title;
292char   *list;
293{
294    char    buf[BUFLEN];
295    char   *cp;
296    char   *next;
297
298    fputs(title, stdout);
299    strlcpy(buf, list, sizeof(buf));
300
301    for (cp = strtok(buf, sep); cp != 0; cp = next) {
302	fputs(cp, stdout);
303	next = strtok((char *) 0, sep);
304	if (next != 0)
305	    fputs(" ", stdout);
306    }
307    fputs("\n", stdout);
308}
309
310/* check_daemon_list - criticize daemon list */
311
312static void check_daemon_list(list)
313char   *list;
314{
315    char    buf[BUFLEN];
316    char   *cp;
317    char   *host;
318    int     daemons = 0;
319
320    strlcpy(buf, list, sizeof(buf));
321
322    for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
323	if (STR_EQ(cp, "EXCEPT")) {
324	    daemons = 0;
325	} else {
326	    daemons++;
327	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
328		tcpd_warn("host %s has more than one address", host);
329		tcpd_warn("(consider using an address instead)");
330	    }
331	    check_daemon(cp);
332	}
333    }
334    if (daemons == 0)
335	tcpd_warn("daemon list is empty or ends in EXCEPT");
336}
337
338/* check_client_list - criticize client list */
339
340static void check_client_list(list)
341char   *list;
342{
343    char    buf[BUFLEN];
344    char   *cp;
345    char   *host;
346    int     clients = 0;
347#ifdef INET6
348    int l;
349#endif
350
351    strlcpy(buf, list, sizeof(buf));
352
353    for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
354#ifdef INET6
355	l = strlen(cp);
356	if (cp[0] == '[' && cp[l - 1] == ']') {
357	    cp[l - 1] = '\0';
358	    cp++;
359	}
360#endif
361	if (STR_EQ(cp, "EXCEPT")) {
362	    clients = 0;
363	} else {
364	    clients++;
365	    if ((host = split_at(cp + 1, '@')) != NULL) {	/* user@host */
366		check_user(cp);
367		check_host(host);
368	    } else {
369		check_host(cp);
370	    }
371	}
372    }
373    if (clients == 0)
374	tcpd_warn("client list is empty or ends in EXCEPT");
375}
376
377/* check_daemon - criticize daemon pattern */
378
379static void check_daemon(pat)
380char   *pat;
381{
382    if (pat[0] == '@') {
383	tcpd_warn("%s: daemon name begins with \"@\"", pat);
384    } else if (pat[0] == '.') {
385	tcpd_warn("%s: daemon name begins with dot", pat);
386    } else if (pat[strlen(pat) - 1] == '.') {
387	tcpd_warn("%s: daemon name ends in dot", pat);
388    } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
389	 /* void */ ;
390    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
391	tcpd_warn("FAIL is no longer recognized");
392	tcpd_warn("(use EXCEPT or DENY instead)");
393    } else if (reserved_name(pat)) {
394	tcpd_warn("%s: daemon name may be reserved word", pat);
395    } else {
396	switch (inet_get(pat)) {
397	case WR_UNKNOWN:
398	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
399	    inet_set(pat, WR_YES);		/* shut up next time */
400	    break;
401	case WR_NOT:
402	    tcpd_warn("%s: service possibly not wrapped", pat);
403	    inet_set(pat, WR_YES);
404	    break;
405	}
406    }
407}
408
409/* check_user - criticize user pattern */
410
411static void check_user(pat)
412char   *pat;
413{
414    if (pat[0] == '@') {			/* @netgroup */
415	tcpd_warn("%s: user name begins with \"@\"", pat);
416    } else if (pat[0] == '.') {
417	tcpd_warn("%s: user name begins with dot", pat);
418    } else if (pat[strlen(pat) - 1] == '.') {
419	tcpd_warn("%s: user name ends in dot", pat);
420    } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
421	       || STR_EQ(pat, "KNOWN")) {
422	 /* void */ ;
423    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
424	tcpd_warn("FAIL is no longer recognized");
425	tcpd_warn("(use EXCEPT or DENY instead)");
426    } else if (reserved_name(pat)) {
427	tcpd_warn("%s: user name may be reserved word", pat);
428    }
429}
430
431#ifdef INET6
432static int check_inet_addr(pat)
433char	*pat;
434{
435	struct addrinfo *res;
436
437	res = find_inet_addr(pat, AI_NUMERICHOST);
438	if (res) {
439		freeaddrinfo(res);
440		return 1;
441	} else
442		return 0;
443}
444#endif
445
446/* check_host - criticize host pattern */
447static int check_host(pat)
448char   *pat;
449{
450    char   *mask;
451    int     addr_count = 1;
452
453    if (pat[0] == '@') {			/* @netgroup */
454#ifdef NO_NETGRENT
455	/* SCO has no *netgrent() support */
456#else
457#ifdef NETGROUP
458	const char   *machinep;
459	const char   *userp;
460	const char   *domainp;
461
462	setnetgrent(pat + 1);
463	if (getnetgrent(&machinep, &userp, &domainp) == 0)
464	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
465	endnetgrent();
466#else
467	tcpd_warn("netgroup support disabled");
468#endif
469#endif
470    } else if ((mask = split_at(pat, '/')) != NULL) {	/* network/netmask */
471#ifdef INET6
472	char *ep;
473#endif
474	if (dot_quad_addr(pat, NULL) != INADDR_NONE
475	    || dot_quad_addr(mask, NULL) != INADDR_NONE)
476	    ; /*okay*/
477#ifdef INET6
478	else if (check_inet_addr(pat) && check_inet_addr(mask))
479	    ; /*okay*/
480	else if (check_inet_addr(pat) &&
481	    (ep = NULL, strtoul(mask, &ep, 10), ep && !*ep))
482	    ; /*okay*/
483#endif
484	else
485	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
486    } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
487	tcpd_warn("FAIL is no longer recognized");
488	tcpd_warn("(use EXCEPT or DENY instead)");
489    } else if (reserved_name(pat)) {		/* other reserved */
490	 /* void */ ;
491    } else if (NOT_INADDR(pat)) {		/* internet name */
492	if (pat[strlen(pat) - 1] == '.') {
493	    tcpd_warn("%s: domain or host name ends in dot", pat);
494	} else if (pat[0] != '.') {
495	    addr_count = check_dns(pat);
496	}
497    } else {					/* numeric form */
498	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
499	    /* void */ ;
500	} else if (pat[0] == '.') {
501	    tcpd_warn("%s: network number begins with dot", pat);
502	} else if (pat[strlen(pat) - 1] != '.') {
503	    check_dns(pat);
504	}
505    }
506    return (addr_count);
507}
508
509/* reserved_name - determine if name is reserved */
510
511static int reserved_name(pat)
512char   *pat;
513{
514    return (STR_EQ(pat, unknown)
515	    || STR_EQ(pat, "KNOWN")
516	    || STR_EQ(pat, paranoid)
517	    || STR_EQ(pat, "ALL")
518	    || STR_EQ(pat, "LOCAL"));
519}
520