1 /*
2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3 *
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5 *
6 * -a: complain about implicit "allow" at end of rule.
7 *
8 * -d: rules in current directory.
9 *
10 * -i: location of inetd.conf file.
11 *
12 * -v: show all rules.
13 *
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15 */
16
17 #ifndef lint
18 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
19 #endif
20
21 /* System libraries. */
22
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27 #include <stdio.h>
28 #include <syslog.h>
29 #include <setjmp.h>
30 #include <errno.h>
31 #include <netdb.h>
32 #include <string.h>
33
34 extern int errno;
35 extern void exit();
36 extern int optind;
37 extern char *optarg;
38
39 #ifndef INADDR_NONE
40 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
41 #endif
42
43 #ifndef S_ISDIR
44 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
45 #endif
46
47 /* Application-specific. */
48
49 #include "tcpd.h"
50 #include "inetcf.h"
51 #include "scaffold.h"
52
53 /*
54 * Stolen from hosts_access.c...
55 */
56 static char sep[] = ", \t\n";
57
58 #define BUFLEN 2048
59
60 int resident = 0;
61 int hosts_access_verbose = 0;
62 char *hosts_allow_table = HOSTS_ALLOW;
63 char *hosts_deny_table = HOSTS_DENY;
64 extern jmp_buf tcpd_buf;
65
66 /*
67 * Local stuff.
68 */
69 static void usage();
70 static void parse_table();
71 static void print_list();
72 static void check_daemon_list();
73 static void check_client_list();
74 static void check_daemon();
75 static void check_user();
76 static int check_host();
77 static int reserved_name();
78
79 #define PERMIT 1
80 #define DENY 0
81
82 #define YES 1
83 #define NO 0
84
85 static int defl_verdict;
86 static char *myname;
87 static int allow_check;
88 static char *inetcf;
89
main(argc,argv)90 int main(argc, argv)
91 int argc;
92 char **argv;
93 {
94 struct request_info request;
95 struct stat st;
96 int c;
97
98 myname = argv[0];
99
100 /*
101 * Parse the JCL.
102 */
103 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
104 switch (c) {
105 case 'a':
106 allow_check = 1;
107 break;
108 case 'd':
109 hosts_allow_table = "hosts.allow";
110 hosts_deny_table = "hosts.deny";
111 break;
112 case 'i':
113 inetcf = optarg;
114 break;
115 case 'v':
116 hosts_access_verbose++;
117 break;
118 default:
119 usage();
120 /* NOTREACHED */
121 }
122 }
123 if (argc != optind)
124 usage();
125
126 /*
127 * When confusion really strikes...
128 */
129 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
130 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
131 } else if (!S_ISDIR(st.st_mode)) {
132 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
133 }
134
135 /*
136 * Process the inet configuration file (or its moral equivalent). This
137 * information is used later to find references in hosts.allow/deny to
138 * unwrapped services, and other possible problems.
139 */
140 inetcf = inet_cfg(inetcf);
141 if (hosts_access_verbose)
142 printf("Using network configuration file: %s\n", inetcf);
143
144 /*
145 * These are not run from inetd but may have built-in access control.
146 */
147 inet_set("portmap", WR_NOT);
148 inet_set("rpcbind", WR_NOT);
149
150 /*
151 * Check accessibility of access control files.
152 */
153 (void) check_path(hosts_allow_table, &st);
154 (void) check_path(hosts_deny_table, &st);
155
156 /*
157 * Fake up an arbitrary service request.
158 */
159 request_init(&request,
160 RQ_DAEMON, "daemon_name",
161 RQ_SERVER_NAME, "server_hostname",
162 RQ_SERVER_ADDR, "server_addr",
163 RQ_USER, "user_name",
164 RQ_CLIENT_NAME, "client_hostname",
165 RQ_CLIENT_ADDR, "client_addr",
166 RQ_FILE, 1,
167 0);
168
169 /*
170 * Examine all access-control rules.
171 */
172 defl_verdict = PERMIT;
173 parse_table(hosts_allow_table, &request);
174 defl_verdict = DENY;
175 parse_table(hosts_deny_table, &request);
176 return (0);
177 }
178
179 /* usage - explain */
180
usage()181 static void usage()
182 {
183 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
184 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
185 fprintf(stderr, " -d: use allow/deny files in current directory\n");
186 fprintf(stderr, " -i: location of inetd.conf file\n");
187 fprintf(stderr, " -v: list all rules\n");
188 exit(1);
189 }
190
191 /* parse_table - like table_match(), but examines _all_ entries */
192
parse_table(table,request)193 static void parse_table(table, request)
194 char *table;
195 struct request_info *request;
196 {
197 FILE *fp;
198 int real_verdict;
199 char sv_list[BUFLEN]; /* becomes list of daemons */
200 char *cl_list; /* becomes list of requests */
201 char *sh_cmd; /* becomes optional shell command */
202 char buf[BUFSIZ];
203 int verdict;
204 struct tcpd_context saved_context;
205
206 saved_context = tcpd_context; /* stupid compilers */
207
208 if (fp = fopen(table, "r")) {
209 tcpd_context.file = table;
210 tcpd_context.line = 0;
211 while (xgets(sv_list, sizeof(sv_list), fp)) {
212 if (sv_list[strlen(sv_list) - 1] != '\n') {
213 tcpd_warn("missing newline or line too long");
214 continue;
215 }
216 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
217 continue;
218 if ((cl_list = split_at(skip_ipv6_addrs(sv_list), ':')) == 0) {
219 tcpd_warn("missing \":\" separator");
220 continue;
221 }
222 sh_cmd = split_at(skip_ipv6_addrs(cl_list), ':');
223
224 if (hosts_access_verbose)
225 printf("\n>>> Rule %s line %d:\n",
226 tcpd_context.file, tcpd_context.line);
227
228 if (hosts_access_verbose)
229 print_list("daemons: ", sv_list);
230 check_daemon_list(sv_list);
231
232 if (hosts_access_verbose)
233 print_list("clients: ", cl_list);
234 check_client_list(cl_list);
235
236 #ifdef PROCESS_OPTIONS
237 real_verdict = defl_verdict;
238 if (sh_cmd) {
239 verdict = setjmp(tcpd_buf);
240 if (verdict != 0) {
241 real_verdict = (verdict == AC_PERMIT);
242 } else {
243 dry_run = 1;
244 process_options(sh_cmd, request);
245 if (dry_run == 1 && real_verdict && allow_check)
246 tcpd_warn("implicit \"allow\" at end of rule");
247 }
248 } else if (defl_verdict && allow_check) {
249 tcpd_warn("implicit \"allow\" at end of rule");
250 }
251 if (hosts_access_verbose)
252 printf("access: %s\n", real_verdict ? "granted" : "denied");
253 #else
254 if (sh_cmd)
255 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
256 if (hosts_access_verbose)
257 printf("access: %s\n", defl_verdict ? "granted" : "denied");
258 #endif
259 }
260 (void) fclose(fp);
261 } else if (errno != ENOENT) {
262 tcpd_warn("cannot open %s: %m", table);
263 }
264 tcpd_context = saved_context;
265 }
266
267 /* print_list - pretty-print a list */
268
print_list(title,list)269 static void print_list(title, list)
270 char *title;
271 char *list;
272 {
273 char buf[BUFLEN];
274 char *cp;
275 char *next;
276
277 fputs(title, stdout);
278 strcpy(buf, list);
279
280 for (cp = strtok(buf, sep); cp != 0; cp = next) {
281 fputs(cp, stdout);
282 next = strtok((char *) 0, sep);
283 if (next != 0)
284 fputs(" ", stdout);
285 }
286 fputs("\n", stdout);
287 }
288
289 /* check_daemon_list - criticize daemon list */
290
check_daemon_list(list)291 static void check_daemon_list(list)
292 char *list;
293 {
294 char buf[BUFLEN];
295 char *cp;
296 char *host;
297 int daemons = 0;
298
299 strcpy(buf, list);
300
301 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
302 if (STR_EQ(cp, "EXCEPT")) {
303 daemons = 0;
304 } else {
305 daemons++;
306 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
307 tcpd_warn("host %s has more than one address", host);
308 tcpd_warn("(consider using an address instead)");
309 }
310 check_daemon(cp);
311 }
312 }
313 if (daemons == 0)
314 tcpd_warn("daemon list is empty or ends in EXCEPT");
315 }
316
317 /* check_client_list - criticize client list */
318
check_client_list(list)319 static void check_client_list(list)
320 char *list;
321 {
322 char buf[BUFLEN];
323 char *cp;
324 char *host;
325 int clients = 0;
326
327 strcpy(buf, list);
328
329 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
330 if (STR_EQ(cp, "EXCEPT")) {
331 clients = 0;
332 } else {
333 clients++;
334 if (host = split_at(cp + 1, '@')) { /* user@host */
335 check_user(cp);
336 check_host(host);
337 } else {
338 check_host(cp);
339 }
340 }
341 }
342 if (clients == 0)
343 tcpd_warn("client list is empty or ends in EXCEPT");
344 }
345
346 /* check_daemon - criticize daemon pattern */
347
check_daemon(pat)348 static void check_daemon(pat)
349 char *pat;
350 {
351 if (pat[0] == '@') {
352 tcpd_warn("%s: daemon name begins with \"@\"", pat);
353 } else if (pat[0] == '.') {
354 tcpd_warn("%s: daemon name begins with dot", pat);
355 } else if (pat[strlen(pat) - 1] == '.') {
356 tcpd_warn("%s: daemon name ends in dot", pat);
357 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
358 /* void */ ;
359 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
360 tcpd_warn("FAIL is no longer recognized");
361 tcpd_warn("(use EXCEPT or DENY instead)");
362 } else if (reserved_name(pat)) {
363 tcpd_warn("%s: daemon name may be reserved word", pat);
364 } else {
365 switch (inet_get(pat)) {
366 case WR_UNKNOWN:
367 tcpd_warn("%s: no such process name in %s", pat, inetcf);
368 inet_set(pat, WR_YES); /* shut up next time */
369 break;
370 case WR_NOT:
371 tcpd_warn("%s: service possibly not wrapped", pat);
372 inet_set(pat, WR_YES);
373 break;
374 }
375 }
376 }
377
378 /* check_user - criticize user pattern */
379
check_user(pat)380 static void check_user(pat)
381 char *pat;
382 {
383 if (pat[0] == '@') { /* @netgroup */
384 tcpd_warn("%s: user name begins with \"@\"", pat);
385 } else if (pat[0] == '.') {
386 tcpd_warn("%s: user name begins with dot", pat);
387 } else if (pat[strlen(pat) - 1] == '.') {
388 tcpd_warn("%s: user name ends in dot", pat);
389 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
390 || STR_EQ(pat, "KNOWN")) {
391 /* void */ ;
392 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
393 tcpd_warn("FAIL is no longer recognized");
394 tcpd_warn("(use EXCEPT or DENY instead)");
395 } else if (reserved_name(pat)) {
396 tcpd_warn("%s: user name may be reserved word", pat);
397 }
398 }
399
400 /* check_host - criticize host pattern */
401
check_host(pat)402 static int check_host(pat)
403 char *pat;
404 {
405 char *mask;
406 int addr_count = 1;
407
408 if (pat[0] == '@') { /* @netgroup */
409 #ifdef NO_NETGRENT
410 /* SCO has no *netgrent() support */
411 #else
412 #ifdef NETGROUP
413 char *machinep;
414 char *userp;
415 char *domainp;
416
417 setnetgrent(pat + 1);
418 if (getnetgrent(&machinep, &userp, &domainp) == 0)
419 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
420 endnetgrent();
421 #else
422 tcpd_warn("netgroup support disabled");
423 #endif
424 #endif
425 #ifdef HAVE_IPV6
426 } else if (pat[0] == '[') {
427 struct in6_addr in6;
428 char *cbr = strchr(pat, ']');
429 char *slash = strchr(pat, '/');
430 int err = 0;
431 int mask = IPV6_ABITS;
432
433 if (slash != NULL) {
434 *slash = '\0';
435 mask = atoi(slash + 1);
436 err = mask < 0 || mask > IPV6_ABITS;
437 }
438 if (cbr == NULL)
439 err = 1;
440 else {
441 *cbr = '\0';
442 err += inet_pton(AF_INET6, pat+1, &in6) != 1;
443 }
444 if (slash) *slash = '/';
445 if (cbr) *cbr = ']';
446 if (err)
447 tcpd_warn("bad IP6 address specification: %s", pat);
448 #endif
449 } else if (mask = split_at(pat, '/')) { /* network/netmask */
450 if (dot_quad_addr(pat) == INADDR_NONE
451 || dot_quad_addr(mask) == INADDR_NONE)
452 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
453 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
454 tcpd_warn("FAIL is no longer recognized");
455 tcpd_warn("(use EXCEPT or DENY instead)");
456 } else if (reserved_name(pat)) { /* other reserved */
457 /* void */ ;
458 } else if (NOT_INADDR(pat)) { /* internet name */
459 if (pat[strlen(pat) - 1] == '.') {
460 tcpd_warn("%s: domain or host name ends in dot", pat);
461 } else if (pat[0] != '.') {
462 addr_count = check_dns(pat);
463 }
464 } else { /* numeric form */
465 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
466 /* void */ ;
467 } else if (pat[0] == '.') {
468 tcpd_warn("%s: network number begins with dot", pat);
469 } else if (pat[strlen(pat) - 1] != '.') {
470 check_dns(pat);
471 }
472 }
473 return (addr_count);
474 }
475
476 /* reserved_name - determine if name is reserved */
477
reserved_name(pat)478 static int reserved_name(pat)
479 char *pat;
480 {
481 return (STR_EQ(pat, unknown)
482 || STR_EQ(pat, "KNOWN")
483 || STR_EQ(pat, paranoid)
484 || STR_EQ(pat, "ALL")
485 || STR_EQ(pat, "LOCAL"));
486 }
487