search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / usr.sbin / tcpdchk / tcpdchk.c
blob35fedb976cd417b3803bf3556eafb8d0687082ff
1 /* $NetBSD: tcpdchk.c,v 1.10 2002/06/06 21:28:51 itojun Exp $ */
2
3 /*
4 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
5 *
6 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
7 *
8 * -a: complain about implicit "allow" at end of rule.
9 *
10 * -d: rules in current directory.
11 *
12 * -i: location of inetd.conf file.
13 *
14 * -v: show all rules.
15 *
16 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
17 */
18
19 #include <sys/cdefs.h>
20 #ifndef lint
21 #if 0
22 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
23 #else
24 __RCSID("$NetBSD: tcpdchk.c,v 1.10 2002/06/06 21:28:51 itojun Exp $");
25 #endif
26 #endif
27
28 /* System libraries. */
29
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
34 #include <stdio.h>
35 #include <syslog.h>
36 #include <setjmp.h>
37 #include <errno.h>
38 #include <netdb.h>
39 #include <string.h>
40 #include <stdlib.h>
41 #include <unistd.h>
42
43 #ifndef INADDR_NONE
44 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
45 #endif
46
47 #ifndef S_ISDIR
48 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
49 #endif
50
51 /* Application-specific. */
52
53 #include "tcpd.h"
54 #include "inetcf.h"
55 #include "scaffold.h"
56
57 #ifdef NO_NETGRENT
58 /* SCO has no *netgrent() support */
59 #else
60 # ifdef NETGROUP
61 # include <netgroup.h>
62 # endif
63 #endif
64
65 /*
66 * Stolen from hosts_access.c...
67 */
68 static char sep[] = ", \t\n";
69
70 #define BUFLEN 2048
71
72 int resident = 0;
73 int hosts_access_verbose = 0;
74 char *hosts_allow_table = HOSTS_ALLOW;
75 char *hosts_deny_table = HOSTS_DENY;
76 extern jmp_buf tcpd_buf;
77
78 /*
79 * Local stuff.
80 */
81 static void usage __P((void));
82 static void parse_table __P((char *, struct request_info *));
83 static void print_list __P((char *, char *));
84 static void check_daemon_list __P((char *));
85 static void check_client_list __P((char *));
86 static void check_daemon __P((char *));
87 static void check_user __P((char *));
88 #ifdef INET6
89 static int check_inet_addr __P((char *));
90 #endif
91 static int check_host __P((char *));
92 static int reserved_name __P((char *));
93
94 int main __P((int, char **));
95
96 #define PERMIT 1
97 #define DENY 0
98
99 #define YES 1
100 #define NO 0
101
102 static int defl_verdict;
103 static char *myname;
104 static int allow_check;
105 static char *inetcf;
106
107 int main(argc, argv)
108 int argc;
109 char **argv;
110 {
111 struct request_info request;
112 struct stat st;
113 int c;
114
115 myname = argv[0];
116
117 /*
118 * Parse the JCL.
119 */
120 while ((c = getopt(argc, argv, "adi:v")) != -1) {
121 switch (c) {
122 case 'a':
123 allow_check = 1;
124 break;
125 case 'd':
126 hosts_allow_table = "hosts.allow";
127 hosts_deny_table = "hosts.deny";
128 break;
129 case 'i':
130 inetcf = optarg;
131 break;
132 case 'v':
133 hosts_access_verbose++;
134 break;
135 default:
136 usage();
137 /* NOTREACHED */
138 }
139 }
140 if (argc != optind)
141 usage();
142
143 /*
144 * When confusion really strikes...
145 */
146 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
147 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
148 } else if (!S_ISDIR(st.st_mode)) {
149 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
150 }
151
152 /*
153 * Process the inet configuration file (or its moral equivalent). This
154 * information is used later to find references in hosts.allow/deny to
155 * unwrapped services, and other possible problems.
156 */
157 inetcf = inet_cfg(inetcf);
158 if (hosts_access_verbose)
159 printf("Using network configuration file: %s\n", inetcf);
160
161 /*
162 * These are not run from inetd but may have built-in access control.
163 */
164 inet_set("portmap", WR_NOT);
165 inet_set("rpcbind", WR_NOT);
166
167 /*
168 * Check accessibility of access control files.
169 */
170 (void) check_path(hosts_allow_table, &st);
171 (void) check_path(hosts_deny_table, &st);
172
173 /*
174 * Fake up an arbitrary service request.
175 */
176 request_init(&request,
177 RQ_DAEMON, "daemon_name",
178 RQ_SERVER_NAME, "server_hostname",
179 RQ_SERVER_ADDR, "server_addr",
180 RQ_USER, "user_name",
181 RQ_CLIENT_NAME, "client_hostname",
182 RQ_CLIENT_ADDR, "client_addr",
183 RQ_FILE, 1,
184 0);
185
186 /*
187 * Examine all access-control rules.
188 */
189 defl_verdict = PERMIT;
190 parse_table(hosts_allow_table, &request);
191 defl_verdict = DENY;
192 parse_table(hosts_deny_table, &request);
193 return (0);
194 }
195
196 /* usage - explain */
197
198 static void usage()
199 {
200 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
201 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
202 fprintf(stderr, " -d: use allow/deny files in current directory\n");
203 fprintf(stderr, " -i: location of inetd.conf file\n");
204 fprintf(stderr, " -v: list all rules\n");
205 exit(1);
206 }
207
208 /* parse_table - like table_match(), but examines _all_ entries */
209
210 static void parse_table(table, request)
211 char *table;
212 struct request_info *request;
213 {
214 FILE *fp;
215 int real_verdict;
216 char sv_list[BUFLEN]; /* becomes list of daemons */
217 char *cl_list; /* becomes list of requests */
218 char *sh_cmd; /* becomes optional shell command */
219 int verdict;
220 struct tcpd_context saved_context;
221 #ifdef __GNUC__
222 /* XXX hack to avoid gcc warnings */
223 (void) &real_verdict;
224 (void) &saved_context;
225 #endif
226
227 saved_context = tcpd_context; /* stupid compilers */
228
229 if ((fp = fopen(table, "r")) != NULL) {
230 tcpd_context.file = table;
231 tcpd_context.line = 0;
232 while (xgets(sv_list, sizeof(sv_list), fp)) {
233 if (sv_list[strlen(sv_list) - 1] != '\n') {
234 tcpd_warn("missing newline or line too long");
235 continue;
236 }
237 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
238 continue;
239 if ((cl_list = split_at(sv_list, ':')) == 0) {
240 tcpd_warn("missing \":\" separator");
241 continue;
242 }
243 sh_cmd = split_at(cl_list, ':');
244
245 if (hosts_access_verbose)
246 printf("\n>>> Rule %s line %d:\n",
247 tcpd_context.file, tcpd_context.line);
248
249 if (hosts_access_verbose)
250 print_list("daemons: ", sv_list);
251 check_daemon_list(sv_list);
252
253 if (hosts_access_verbose)
254 print_list("clients: ", cl_list);
255 check_client_list(cl_list);
256
257 #ifdef PROCESS_OPTIONS
258 real_verdict = defl_verdict;
259 if (sh_cmd) {
260 verdict = setjmp(tcpd_buf);
261 if (verdict != 0) {
262 real_verdict = (verdict == AC_PERMIT);
263 } else {
264 dry_run = 1;
265 process_options(sh_cmd, request);
266 if (dry_run == 1 && real_verdict && allow_check)
267 tcpd_warn("implicit \"allow\" at end of rule");
268 }
269 } else if (defl_verdict && allow_check) {
270 tcpd_warn("implicit \"allow\" at end of rule");
271 }
272 if (hosts_access_verbose)
273 printf("access: %s\n", real_verdict ? "granted" : "denied");
274 #else
275 if (sh_cmd)
276 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
277 if (hosts_access_verbose)
278 printf("access: %s\n", defl_verdict ? "granted" : "denied");
279 #endif
280 }
281 (void) fclose(fp);
282 } else if (errno != ENOENT) {
283 tcpd_warn("cannot open %s: %m", table);
284 }
285 tcpd_context = saved_context;
286 }
287
288 /* print_list - pretty-print a list */
289
290 static void print_list(title, list)
291 char *title;
292 char *list;
293 {
294 char buf[BUFLEN];
295 char *cp;
296 char *next;
297
298 fputs(title, stdout);
299 strlcpy(buf, list, sizeof(buf));
300
301 for (cp = strtok(buf, sep); cp != 0; cp = next) {
302 fputs(cp, stdout);
303 next = strtok((char *) 0, sep);
304 if (next != 0)
305 fputs(" ", stdout);
306 }
307 fputs("\n", stdout);
308 }
309
310 /* check_daemon_list - criticize daemon list */
311
312 static void check_daemon_list(list)
313 char *list;
314 {
315 char buf[BUFLEN];
316 char *cp;
317 char *host;
318 int daemons = 0;
319
320 strlcpy(buf, list, sizeof(buf));
321
322 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
323 if (STR_EQ(cp, "EXCEPT")) {
324 daemons = 0;
325 } else {
326 daemons++;
327 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
328 tcpd_warn("host %s has more than one address", host);
329 tcpd_warn("(consider using an address instead)");
330 }
331 check_daemon(cp);
332 }
333 }
334 if (daemons == 0)
335 tcpd_warn("daemon list is empty or ends in EXCEPT");
336 }
337
338 /* check_client_list - criticize client list */
339
340 static void check_client_list(list)
341 char *list;
342 {
343 char buf[BUFLEN];
344 char *cp;
345 char *host;
346 int clients = 0;
347 #ifdef INET6
348 int l;
349 #endif
350
351 strlcpy(buf, list, sizeof(buf));
352
353 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
354 #ifdef INET6
355 l = strlen(cp);
356 if (cp[0] == '[' && cp[l - 1] == ']') {
357 cp[l - 1] = '\0';
358 cp++;
359 }
360 #endif
361 if (STR_EQ(cp, "EXCEPT")) {
362 clients = 0;
363 } else {
364 clients++;
365 if ((host = split_at(cp + 1, '@')) != NULL) { /* user@host */
366 check_user(cp);
367 check_host(host);
368 } else {
369 check_host(cp);
370 }
371 }
372 }
373 if (clients == 0)
374 tcpd_warn("client list is empty or ends in EXCEPT");
375 }
376
377 /* check_daemon - criticize daemon pattern */
378
379 static void check_daemon(pat)
380 char *pat;
381 {
382 if (pat[0] == '@') {
383 tcpd_warn("%s: daemon name begins with \"@\"", pat);
384 } else if (pat[0] == '.') {
385 tcpd_warn("%s: daemon name begins with dot", pat);
386 } else if (pat[strlen(pat) - 1] == '.') {
387 tcpd_warn("%s: daemon name ends in dot", pat);
388 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
389 /* void */ ;
390 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
391 tcpd_warn("FAIL is no longer recognized");
392 tcpd_warn("(use EXCEPT or DENY instead)");
393 } else if (reserved_name(pat)) {
394 tcpd_warn("%s: daemon name may be reserved word", pat);
395 } else {
396 switch (inet_get(pat)) {
397 case WR_UNKNOWN:
398 tcpd_warn("%s: no such process name in %s", pat, inetcf);
399 inet_set(pat, WR_YES); /* shut up next time */
400 break;
401 case WR_NOT:
402 tcpd_warn("%s: service possibly not wrapped", pat);
403 inet_set(pat, WR_YES);
404 break;
405 }
406 }
407 }
408
409 /* check_user - criticize user pattern */
410
411 static void check_user(pat)
412 char *pat;
413 {
414 if (pat[0] == '@') { /* @netgroup */
415 tcpd_warn("%s: user name begins with \"@\"", pat);
416 } else if (pat[0] == '.') {
417 tcpd_warn("%s: user name begins with dot", pat);
418 } else if (pat[strlen(pat) - 1] == '.') {
419 tcpd_warn("%s: user name ends in dot", pat);
420 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
421 || STR_EQ(pat, "KNOWN")) {
422 /* void */ ;
423 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
424 tcpd_warn("FAIL is no longer recognized");
425 tcpd_warn("(use EXCEPT or DENY instead)");
426 } else if (reserved_name(pat)) {
427 tcpd_warn("%s: user name may be reserved word", pat);
428 }
429 }
430
431 #ifdef INET6
432 static int check_inet_addr(pat)
433 char *pat;
434 {
435 struct addrinfo *res;
436
437 res = find_inet_addr(pat, AI_NUMERICHOST);
438 if (res) {
439 freeaddrinfo(res);
440 return 1;
441 } else
442 return 0;
443 }
444 #endif
445
446 /* check_host - criticize host pattern */
447 static int check_host(pat)
448 char *pat;
449 {
450 char *mask;
451 int addr_count = 1;
452
453 if (pat[0] == '@') { /* @netgroup */
454 #ifdef NO_NETGRENT
455 /* SCO has no *netgrent() support */
456 #else
457 #ifdef NETGROUP
458 const char *machinep;
459 const char *userp;
460 const char *domainp;
461
462 setnetgrent(pat + 1);
463 if (getnetgrent(&machinep, &userp, &domainp) == 0)
464 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
465 endnetgrent();
466 #else
467 tcpd_warn("netgroup support disabled");
468 #endif
469 #endif
470 } else if ((mask = split_at(pat, '/')) != NULL) { /* network/netmask */
471 #ifdef INET6
472 char *ep;
473 #endif
474 if (dot_quad_addr(pat, NULL) != INADDR_NONE
475 || dot_quad_addr(mask, NULL) != INADDR_NONE)
476 ; /*okay*/
477 #ifdef INET6
478 else if (check_inet_addr(pat) && check_inet_addr(mask))
479 ; /*okay*/
480 else if (check_inet_addr(pat) &&
481 (ep = NULL, strtoul(mask, &ep, 10), ep && !*ep))
482 ; /*okay*/
483 #endif
484 else
485 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
486 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
487 tcpd_warn("FAIL is no longer recognized");
488 tcpd_warn("(use EXCEPT or DENY instead)");
489 } else if (reserved_name(pat)) { /* other reserved */
490 /* void */ ;
491 } else if (NOT_INADDR(pat)) { /* internet name */
492 if (pat[strlen(pat) - 1] == '.') {
493 tcpd_warn("%s: domain or host name ends in dot", pat);
494 } else if (pat[0] != '.') {
495 addr_count = check_dns(pat);
496 }
497 } else { /* numeric form */
498 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
499 /* void */ ;
500 } else if (pat[0] == '.') {
501 tcpd_warn("%s: network number begins with dot", pat);
502 } else if (pat[strlen(pat) - 1] != '.') {
503 check_dns(pat);
504 }
505 }
506 return (addr_count);
507 }
508
509 /* reserved_name - determine if name is reserved */
510
511 static int reserved_name(pat)
512 char *pat;
513 {
514 return (STR_EQ(pat, unknown)
515 || STR_EQ(pat, "KNOWN")
516 || STR_EQ(pat, paranoid)
517 || STR_EQ(pat, "ALL")
518 || STR_EQ(pat, "LOCAL"));
519 }
NetBSD on the FriendlyARM MINI2440