1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 #pragma ident "%Z%%M% %I% %E% SMI"
7
8 /*
9 * General skeleton for adding options to the access control language. The
10 * features offered by this module are documented in the hosts_options(5)
11 * manual page (source file: hosts_options.5, "nroff -man" format).
12 *
13 * Notes and warnings for those who want to add features:
14 *
15 * In case of errors, abort options processing and deny access. There are too
16 * many irreversible side effects to make error recovery feasible. For
17 * example, it makes no sense to continue after we have already changed the
18 * userid.
19 *
20 * In case of errors, do not terminate the process: the routines might be
21 * called from a long-running daemon that should run forever. Instead, call
22 * tcpd_jump() which does a non-local goto back into the hosts_access()
23 * routine.
24 *
25 * In case of severe errors, use clean_exit() instead of directly calling
26 * exit(), or the inetd may loop on an UDP request.
27 *
28 * In verification mode (for example, with the "tcpdmatch" command) the
29 * "dry_run" flag is set. In this mode, an option function should just "say"
30 * what it is going to do instead of really doing it.
31 *
32 * Some option functions do not return (for example, the twist option passes
33 * control to another program). In verification mode (dry_run flag is set)
34 * such options should clear the "dry_run" flag to inform the caller of this
35 * course of action.
36 */
37
38 #ifndef lint
39 static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
40 #endif
41
42 /* System libraries. */
43
44 #include <sys/types.h>
45 #include <sys/param.h>
46 #include <sys/socket.h>
47 #include <sys/stat.h>
48 #include <netinet/in.h>
49 #include <netdb.h>
50 #include <stdio.h>
51 #include <stdlib.h>
52 #include <unistd.h>
53 #include <syslog.h>
54 #include <pwd.h>
55 #include <grp.h>
56 #include <ctype.h>
57 #include <setjmp.h>
58 #include <string.h>
59
60 #ifndef MAXPATHNAMELEN
61 #define MAXPATHNAMELEN BUFSIZ
62 #endif
63
64 /* Local stuff. */
65
66 #include "tcpd.h"
67
68 /* Options runtime support. */
69
70 int dry_run = 0; /* flag set in verification mode */
71 extern jmp_buf tcpd_buf; /* tcpd_jump() support */
72
73 /* Options parser support. */
74
75 static char whitespace_eq[] = "= \t\r\n";
76 #define whitespace (whitespace_eq + 1)
77
78 static char *get_field(); /* chew :-delimited field off string */
79 static char *chop_string(); /* strip leading and trailing blanks */
80
81 /* List of functions that implement the options. Add yours here. */
82
83 static void user_option(); /* execute "user name.group" option */
84 static void group_option(); /* execute "group name" option */
85 static void umask_option(); /* execute "umask mask" option */
86 static void linger_option(); /* execute "linger time" option */
87 static void keepalive_option(); /* execute "keepalive" option */
88 static void spawn_option(); /* execute "spawn command" option */
89 static void twist_option(); /* execute "twist command" option */
90 static void rfc931_option(); /* execute "rfc931" option */
91 static void setenv_option(); /* execute "setenv name value" */
92 static void nice_option(); /* execute "nice" option */
93 static void severity_option(); /* execute "severity value" */
94 static void allow_option(); /* execute "allow" option */
95 static void deny_option(); /* execute "deny" option */
96 static void banners_option(); /* execute "banners path" option */
97
98 /* Structure of the options table. */
99
100 struct option {
101 char *name; /* keyword name, case is ignored */
102 void (*func) (); /* function that does the real work */
103 int flags; /* see below... */
104 };
105
106 #define NEED_ARG (1<<1) /* option requires argument */
107 #define USE_LAST (1<<2) /* option must be last */
108 #define OPT_ARG (1<<3) /* option has optional argument */
109 #define EXPAND_ARG (1<<4) /* do %x expansion on argument */
110
111 #define need_arg(o) ((o)->flags & NEED_ARG)
112 #define opt_arg(o) ((o)->flags & OPT_ARG)
113 #define permit_arg(o) ((o)->flags & (NEED_ARG | OPT_ARG))
114 #define use_last(o) ((o)->flags & USE_LAST)
115 #define expand_arg(o) ((o)->flags & EXPAND_ARG)
116
117 /* List of known keywords. Add yours here. */
118
119 static struct option option_table[] = {
120 "user", user_option, NEED_ARG,
121 "group", group_option, NEED_ARG,
122 "umask", umask_option, NEED_ARG,
123 "linger", linger_option, NEED_ARG,
124 "keepalive", keepalive_option, 0,
125 "spawn", spawn_option, NEED_ARG | EXPAND_ARG,
126 "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
127 "rfc931", rfc931_option, OPT_ARG,
128 "setenv", setenv_option, NEED_ARG | EXPAND_ARG,
129 "nice", nice_option, OPT_ARG,
130 "severity", severity_option, NEED_ARG,
131 "allow", allow_option, USE_LAST,
132 "deny", deny_option, USE_LAST,
133 "banners", banners_option, NEED_ARG,
134 0,
135 };
136
137 /* process_options - process access control options */
138
process_options(options,request)139 void process_options(options, request)
140 char *options;
141 struct request_info *request;
142 {
143 char *key;
144 char *value;
145 char *curr_opt;
146 char *next_opt;
147 struct option *op;
148 char bf[BUFSIZ];
149
150 for (curr_opt = get_field(options); curr_opt; curr_opt = next_opt) {
151 next_opt = get_field((char *) 0);
152
153 /*
154 * Separate the option into name and value parts. For backwards
155 * compatibility we ignore exactly one '=' between name and value.
156 */
157 curr_opt = chop_string(curr_opt);
158 if (*(value = curr_opt + strcspn(curr_opt, whitespace_eq))) {
159 if (*value != '=') {
160 *value++ = 0;
161 value += strspn(value, whitespace);
162 }
163 if (*value == '=') {
164 *value++ = 0;
165 value += strspn(value, whitespace);
166 }
167 }
168 if (*value == 0)
169 value = 0;
170 key = curr_opt;
171
172 /*
173 * Disallow missing option names (and empty option fields).
174 */
175 if (*key == 0)
176 tcpd_jump("missing option name");
177
178 /*
179 * Lookup the option-specific info and do some common error checks.
180 * Delegate option-specific processing to the specific functions.
181 */
182
183 for (op = option_table; op->name && STR_NE(op->name, key); op++)
184 /* VOID */ ;
185 if (op->name == 0)
186 tcpd_jump("bad option name: \"%s\"", key);
187 if (!value && need_arg(op))
188 tcpd_jump("option \"%s\" requires value", key);
189 if (value && !permit_arg(op))
190 tcpd_jump("option \"%s\" requires no value", key);
191 if (next_opt && use_last(op))
192 tcpd_jump("option \"%s\" must be at end", key);
193 if (value && expand_arg(op))
194 value = chop_string(percent_x(bf, sizeof(bf), value, request));
195 if (hosts_access_verbose)
196 syslog(LOG_DEBUG, "option: %s %s", key, value ? value : "");
197 (*(op->func)) (value, request);
198 }
199 }
200
201 /* allow_option - grant access */
202
203 /* ARGSUSED */
204
allow_option(value,request)205 static void allow_option(value, request)
206 char *value;
207 struct request_info *request;
208 {
209 longjmp(tcpd_buf, AC_PERMIT);
210 }
211
212 /* deny_option - deny access */
213
214 /* ARGSUSED */
215
deny_option(value,request)216 static void deny_option(value, request)
217 char *value;
218 struct request_info *request;
219 {
220 longjmp(tcpd_buf, AC_DENY);
221 }
222
223 /* banners_option - expand %<char>, terminate each line with CRLF */
224
banners_option(value,request)225 static void banners_option(value, request)
226 char *value;
227 struct request_info *request;
228 {
229 char path[MAXPATHNAMELEN];
230 char ibuf[BUFSIZ];
231 char obuf[2 * BUFSIZ];
232 struct stat st;
233 int ch;
234 FILE *fp;
235
236 sprintf(path, "%s/%s", value, eval_daemon(request));
237 if ((fp = fopen(path, "r")) != 0) {
238 while ((ch = fgetc(fp)) == 0)
239 write(request->fd, "", 1);
240 ungetc(ch, fp);
241 while (fgets(ibuf, sizeof(ibuf) - 1, fp)) {
242 if (split_at(ibuf, '\n'))
243 strcat(ibuf, "\r\n");
244 percent_x(obuf, sizeof(obuf), ibuf, request);
245 write(request->fd, obuf, strlen(obuf));
246 }
247 fclose(fp);
248 } else if (stat(value, &st) < 0) {
249 tcpd_warn("%s: %m", value);
250 }
251 }
252
253 /* group_option - switch group id */
254
255 /* ARGSUSED */
256
group_option(value,request)257 static void group_option(value, request)
258 char *value;
259 struct request_info *request;
260 {
261 struct group *grp;
262 struct group *getgrnam();
263
264 if ((grp = getgrnam(value)) == 0)
265 tcpd_jump("unknown group: \"%s\"", value);
266 endgrent();
267
268 if (dry_run == 0 && setgid(grp->gr_gid))
269 tcpd_jump("setgid(%s): %m", value);
270 }
271
272 /* user_option - switch user id */
273
274 /* ARGSUSED */
275
user_option(value,request)276 static void user_option(value, request)
277 char *value;
278 struct request_info *request;
279 {
280 struct passwd *pwd;
281 struct passwd *getpwnam();
282 char *group;
283
284 if ((group = split_at(value, '.')) != 0)
285 group_option(group, request);
286 if ((pwd = getpwnam(value)) == 0)
287 tcpd_jump("unknown user: \"%s\"", value);
288 endpwent();
289
290 if (dry_run == 0 && setuid(pwd->pw_uid))
291 tcpd_jump("setuid(%s): %m", value);
292 }
293
294 /* umask_option - set file creation mask */
295
296 /* ARGSUSED */
297
umask_option(value,request)298 static void umask_option(value, request)
299 char *value;
300 struct request_info *request;
301 {
302 unsigned mask;
303 char junk;
304
305 if (sscanf(value, "%o%c", &mask, &junk) != 1 || (mask & 0777) != mask)
306 tcpd_jump("bad umask value: \"%s\"", value);
307 (void) umask(mask);
308 }
309
310 /* spawn_option - spawn a shell command and wait */
311
312 /* ARGSUSED */
313
spawn_option(value,request)314 static void spawn_option(value, request)
315 char *value;
316 struct request_info *request;
317 {
318 if (dry_run == 0)
319 shell_cmd(value);
320 }
321
322 /* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
323
324 /* ARGSUSED */
325
linger_option(value,request)326 static void linger_option(value, request)
327 char *value;
328 struct request_info *request;
329 {
330 struct linger linger;
331 char junk;
332
333 if (sscanf(value, "%d%c", &linger.l_linger, &junk) != 1
334 || linger.l_linger < 0)
335 tcpd_jump("bad linger value: \"%s\"", value);
336 if (dry_run == 0) {
337 linger.l_onoff = (linger.l_linger != 0);
338 if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
339 sizeof(linger)) < 0)
340 tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
341 }
342 }
343
344 /* keepalive_option - set the socket keepalive option */
345
346 /* ARGSUSED */
347
keepalive_option(value,request)348 static void keepalive_option(value, request)
349 char *value;
350 struct request_info *request;
351 {
352 static int on = 1;
353
354 if (dry_run == 0 && setsockopt(request->fd, SOL_SOCKET, SO_KEEPALIVE,
355 (char *) &on, sizeof(on)) < 0)
356 tcpd_warn("setsockopt SO_KEEPALIVE: %m");
357 }
358
359 /* nice_option - set nice value */
360
361 /* ARGSUSED */
362
nice_option(value,request)363 static void nice_option(value, request)
364 char *value;
365 struct request_info *request;
366 {
367 int niceval = 10;
368 char junk;
369
370 if (value != 0 && sscanf(value, "%d%c", &niceval, &junk) != 1)
371 tcpd_jump("bad nice value: \"%s\"", value);
372 if (dry_run == 0 && nice(niceval) < 0)
373 tcpd_warn("nice(%d): %m", niceval);
374 }
375
376 /* twist_option - replace process by shell command */
377
twist_option(value,request)378 static void twist_option(value, request)
379 char *value;
380 struct request_info *request;
381 {
382 char *error;
383
384 if (dry_run != 0) {
385 dry_run = 0;
386 } else {
387 if (resident > 0)
388 tcpd_jump("twist option in resident process");
389
390 syslog(deny_severity, "twist %s to %s", eval_client(request), value);
391
392 /* Before switching to the shell, set up stdin, stdout and stderr. */
393
394 #define maybe_dup2(from, to) ((from == to) ? to : (close(to), dup(from)))
395
396 if (maybe_dup2(request->fd, 0) != 0 ||
397 maybe_dup2(request->fd, 1) != 1 ||
398 maybe_dup2(request->fd, 2) != 2) {
399 error = "twist_option: dup: %m";
400 } else {
401 if (request->fd > 2)
402 close(request->fd);
403 (void) execl("/bin/sh", "sh", "-c", value, (char *) 0);
404 error = "twist_option: /bin/sh: %m";
405 }
406
407 /* Something went wrong: we MUST terminate the process. */
408
409 tcpd_warn(error);
410 clean_exit(request);
411 }
412 }
413
414 /* rfc931_option - look up remote user name */
415
rfc931_option(value,request)416 static void rfc931_option(value, request)
417 char *value;
418 struct request_info *request;
419 {
420 int timeout;
421 char junk;
422
423 if (value != 0) {
424 if (sscanf(value, "%d%c", &timeout, &junk) != 1 || timeout <= 0)
425 tcpd_jump("bad rfc931 timeout: \"%s\"", value);
426 rfc931_timeout = timeout;
427 }
428 (void) eval_user(request);
429 }
430
431 /* setenv_option - set environment variable */
432
433 /* ARGSUSED */
434
setenv_option(value,request)435 static void setenv_option(value, request)
436 char *value;
437 struct request_info *request;
438 {
439 extern int setenv(const char *, const char *, int);
440 char *var_value;
441
442 if (*(var_value = value + strcspn(value, whitespace)))
443 *var_value++ = 0;
444 if (setenv(chop_string(value), chop_string(var_value), 1))
445 tcpd_jump("memory allocation failure");
446 }
447
448 /*
449 * The severity option goes last because it comes with a huge amount of ugly
450 * #ifdefs and tables.
451 */
452
453 struct syslog_names {
454 char *name;
455 int value;
456 };
457
458 static struct syslog_names log_fac[] = {
459 #ifdef LOG_KERN
460 "kern", LOG_KERN,
461 #endif
462 #ifdef LOG_USER
463 "user", LOG_USER,
464 #endif
465 #ifdef LOG_MAIL
466 "mail", LOG_MAIL,
467 #endif
468 #ifdef LOG_DAEMON
469 "daemon", LOG_DAEMON,
470 #endif
471 #ifdef LOG_AUTH
472 "auth", LOG_AUTH,
473 #endif
474 #ifdef LOG_LPR
475 "lpr", LOG_LPR,
476 #endif
477 #ifdef LOG_NEWS
478 "news", LOG_NEWS,
479 #endif
480 #ifdef LOG_UUCP
481 "uucp", LOG_UUCP,
482 #endif
483 #ifdef LOG_CRON
484 "cron", LOG_CRON,
485 #endif
486 #ifdef LOG_LOCAL0
487 "local0", LOG_LOCAL0,
488 #endif
489 #ifdef LOG_LOCAL1
490 "local1", LOG_LOCAL1,
491 #endif
492 #ifdef LOG_LOCAL2
493 "local2", LOG_LOCAL2,
494 #endif
495 #ifdef LOG_LOCAL3
496 "local3", LOG_LOCAL3,
497 #endif
498 #ifdef LOG_LOCAL4
499 "local4", LOG_LOCAL4,
500 #endif
501 #ifdef LOG_LOCAL5
502 "local5", LOG_LOCAL5,
503 #endif
504 #ifdef LOG_LOCAL6
505 "local6", LOG_LOCAL6,
506 #endif
507 #ifdef LOG_LOCAL7
508 "local7", LOG_LOCAL7,
509 #endif
510 0,
511 };
512
513 static struct syslog_names log_sev[] = {
514 #ifdef LOG_EMERG
515 "emerg", LOG_EMERG,
516 #endif
517 #ifdef LOG_ALERT
518 "alert", LOG_ALERT,
519 #endif
520 #ifdef LOG_CRIT
521 "crit", LOG_CRIT,
522 #endif
523 #ifdef LOG_ERR
524 "err", LOG_ERR,
525 #endif
526 #ifdef LOG_WARNING
527 "warning", LOG_WARNING,
528 #endif
529 #ifdef LOG_NOTICE
530 "notice", LOG_NOTICE,
531 #endif
532 #ifdef LOG_INFO
533 "info", LOG_INFO,
534 #endif
535 #ifdef LOG_DEBUG
536 "debug", LOG_DEBUG,
537 #endif
538 0,
539 };
540
541 /* severity_map - lookup facility or severity value */
542
severity_map(table,name)543 static int severity_map(table, name)
544 struct syslog_names *table;
545 char *name;
546 {
547 struct syslog_names *t;
548
549 for (t = table; t->name; t++)
550 if (STR_EQ(t->name, name))
551 return (t->value);
552 tcpd_jump("bad syslog facility or severity: \"%s\"", name);
553 /* NOTREACHED */
554 }
555
556 /* severity_option - change logging severity for this event (Dave Mitchell) */
557
558 /* ARGSUSED */
559
severity_option(value,request)560 static void severity_option(value, request)
561 char *value;
562 struct request_info *request;
563 {
564 char *level = split_at(value, '.');
565
566 allow_severity = deny_severity = level ?
567 severity_map(log_fac, value) | severity_map(log_sev, level) :
568 severity_map(log_sev, value);
569 }
570
571 /* get_field - return pointer to next field in string */
572
get_field(string)573 static char *get_field(string)
574 char *string;
575 {
576 static char *last = "";
577 char *src;
578 char *dst;
579 char *ret;
580 int ch;
581
582 /*
583 * This function returns pointers to successive fields within a given
584 * string. ":" is the field separator; warn if the rule ends in one. It
585 * replaces a "\:" sequence by ":", without treating the result of
586 * substitution as field terminator. A null argument means resume search
587 * where the previous call terminated. This function destroys its
588 * argument.
589 *
590 * Work from explicit source or from memory. While processing \: we
591 * overwrite the input. This way we do not have to maintain buffers for
592 * copies of input fields.
593 */
594
595 src = dst = ret = (string ? string : last);
596 if (src[0] == 0)
597 return (0);
598
599 while (ch = *src) {
600 if (ch == ':') {
601 if (*++src == 0)
602 tcpd_warn("rule ends in \":\"");
603 break;
604 }
605 if (ch == '\\' && src[1] == ':')
606 src++;
607 *dst++ = *src++;
608 }
609 last = src;
610 *dst = 0;
611 return (ret);
612 }
613
614 /* chop_string - strip leading and trailing blanks from string */
615
chop_string(string)616 static char *chop_string(string)
617 register char *string;
618 {
619 char *start = 0;
620 char *end;
621 char *cp;
622
623 for (cp = string; *cp; cp++) {
624 if (!isspace(*cp)) {
625 if (start == 0)
626 start = cp;
627 end = cp;
628 }
629 }
630 return (start ? (end[1] = 0, start) : cp);
631 }
632