xref: /freebsd/contrib/tcp_wrappers/tcpdchk.c (revision b9f654b163bce26de79705e77b872427c9f2afa1) 
1  /*
2   * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3   *
4   * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5   *
6   * -a: complain about implicit "allow" at end of rule.
7   *
8   * -d: rules in current directory.
9   *
10   * -i: location of inetd.conf file.
11   *
12   * -v: show all rules.
13   *
14   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15   *
16   * $FreeBSD$
17   */
18 
19 #ifndef lint
20 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
21 #endif
22 
23 /* System libraries. */
24 
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #ifdef INET6
28 #include <sys/socket.h>
29 #endif
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32 #include <stdio.h>
33 #include <syslog.h>
34 #include <setjmp.h>
35 #include <errno.h>
36 #include <netdb.h>
37 #include <string.h>
38 #include <unistd.h>
39 #include <stdlib.h>
40 
41 extern int errno;
42 extern void exit();
43 extern int optind;
44 extern char *optarg;
45 
46 #ifndef INADDR_NONE
47 #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
48 #endif
49 
50 #ifndef S_ISDIR
51 #define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
52 #endif
53 
54 /* Application-specific. */
55 
56 #include "tcpd.h"
57 #include "inetcf.h"
58 #include "scaffold.h"
59 
60  /*
61   * Stolen from hosts_access.c...
62   */
63 static char sep[] = ", \t\n";
64 
65 #define	BUFLEN 2048
66 
67 int     resident = 0;
68 int     hosts_access_verbose = 0;
69 char   *hosts_allow_table = HOSTS_ALLOW;
70 char   *hosts_deny_table = HOSTS_DENY;
71 extern jmp_buf tcpd_buf;
72 
73  /*
74   * Local stuff.
75   */
76 static void usage();
77 static void parse_table();
78 static void print_list();
79 static void check_daemon_list();
80 static void check_client_list();
81 static void check_daemon();
82 static void check_user();
83 static int check_host();
84 static int reserved_name();
85 
86 #define PERMIT	1
87 #define DENY	0
88 
89 #define YES	1
90 #define	NO	0
91 
92 static int defl_verdict;
93 static char *myname;
94 static int allow_check;
95 static char *inetcf;
96 
97 int     main(argc, argv)
98 int     argc;
99 char  **argv;
100 {
101     struct request_info request;
102     struct stat st;
103     int     c;
104 
105     myname = argv[0];
106 
107     /*
108      * Parse the JCL.
109      */
110     while ((c = getopt(argc, argv, "adi:v")) != EOF) {
111 	switch (c) {
112 	case 'a':
113 	    allow_check = 1;
114 	    break;
115 	case 'd':
116 	    hosts_allow_table = "hosts.allow";
117 	    hosts_deny_table = "hosts.deny";
118 	    break;
119 	case 'i':
120 	    inetcf = optarg;
121 	    break;
122 	case 'v':
123 	    hosts_access_verbose++;
124 	    break;
125 	default:
126 	    usage();
127 	    /* NOTREACHED */
128 	}
129     }
130     if (argc != optind)
131 	usage();
132 
133     /*
134      * When confusion really strikes...
135      */
136     if (check_path(REAL_DAEMON_DIR, &st) < 0) {
137 	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
138     } else if (!S_ISDIR(st.st_mode)) {
139 	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
140     }
141 
142     /*
143      * Process the inet configuration file (or its moral equivalent). This
144      * information is used later to find references in hosts.allow/deny to
145      * unwrapped services, and other possible problems.
146      */
147     inetcf = inet_cfg(inetcf);
148     if (hosts_access_verbose)
149 	printf("Using network configuration file: %s\n", inetcf);
150 
151     /*
152      * These are not run from inetd but may have built-in access control.
153      */
154     inet_set("portmap", WR_NOT);
155     inet_set("rpcbind", WR_NOT);
156 
157     /*
158      * Check accessibility of access control files.
159      */
160     (void) check_path(hosts_allow_table, &st);
161     (void) check_path(hosts_deny_table, &st);
162 
163     /*
164      * Fake up an arbitrary service request.
165      */
166     request_init(&request,
167 		 RQ_DAEMON, "daemon_name",
168 		 RQ_SERVER_NAME, "server_hostname",
169 		 RQ_SERVER_ADDR, "server_addr",
170 		 RQ_USER, "user_name",
171 		 RQ_CLIENT_NAME, "client_hostname",
172 		 RQ_CLIENT_ADDR, "client_addr",
173 		 RQ_FILE, 1,
174 		 0);
175 
176     /*
177      * Examine all access-control rules.
178      */
179     defl_verdict = PERMIT;
180     parse_table(hosts_allow_table, &request);
181     defl_verdict = DENY;
182     parse_table(hosts_deny_table, &request);
183     return (0);
184 }
185 
186 /* usage - explain */
187 
188 static void usage()
189 {
190     fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
191     fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
192     fprintf(stderr, "	-d: use allow/deny files in current directory\n");
193     fprintf(stderr, "	-i: location of inetd.conf file\n");
194     fprintf(stderr, "	-v: list all rules\n");
195     exit(1);
196 }
197 
198 /* parse_table - like table_match(), but examines _all_ entries */
199 
200 static void parse_table(table, request)
201 char   *table;
202 struct request_info *request;
203 {
204     FILE   *fp;
205     int     real_verdict;
206     char    sv_list[BUFLEN];		/* becomes list of daemons */
207     char   *cl_list;			/* becomes list of requests */
208     char   *sh_cmd;			/* becomes optional shell command */
209     char    buf[BUFSIZ];
210     int     verdict;
211     struct tcpd_context saved_context;
212 
213     saved_context = tcpd_context;		/* stupid compilers */
214 
215     if (fp = fopen(table, "r")) {
216 	tcpd_context.file = table;
217 	tcpd_context.line = 0;
218 	while (xgets(sv_list, sizeof(sv_list), fp)) {
219 	    if (sv_list[strlen(sv_list) - 1] != '\n') {
220 		tcpd_warn("missing newline or line too long");
221 		continue;
222 	    }
223 	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
224 		continue;
225 	    if ((cl_list = split_at(sv_list, ':')) == 0) {
226 		tcpd_warn("missing \":\" separator");
227 		continue;
228 	    }
229 	    sh_cmd = split_at(cl_list, ':');
230 
231 	    if (hosts_access_verbose)
232 		printf("\n>>> Rule %s line %d:\n",
233 		       tcpd_context.file, tcpd_context.line);
234 
235 	    if (hosts_access_verbose)
236 		print_list("daemons:  ", sv_list);
237 	    check_daemon_list(sv_list);
238 
239 	    if (hosts_access_verbose)
240 		print_list("clients:  ", cl_list);
241 	    check_client_list(cl_list);
242 
243 #ifdef PROCESS_OPTIONS
244 	    real_verdict = defl_verdict;
245 	    if (sh_cmd) {
246 		verdict = setjmp(tcpd_buf);
247 		if (verdict != 0) {
248 		    real_verdict = (verdict == AC_PERMIT);
249 		} else {
250 		    dry_run = 1;
251 		    process_options(sh_cmd, request);
252 		    if (dry_run == 1 && real_verdict && allow_check)
253 			tcpd_warn("implicit \"allow\" at end of rule");
254 		}
255 	    } else if (defl_verdict && allow_check) {
256 		tcpd_warn("implicit \"allow\" at end of rule");
257 	    }
258 	    if (hosts_access_verbose)
259 		printf("access:   %s\n", real_verdict ? "granted" : "denied");
260 #else
261 	    if (sh_cmd)
262 		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
263 	    if (hosts_access_verbose)
264 		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
265 #endif
266 	}
267 	(void) fclose(fp);
268     } else if (errno != ENOENT) {
269 	tcpd_warn("cannot open %s: %m", table);
270     }
271     tcpd_context = saved_context;
272 }
273 
274 /* print_list - pretty-print a list */
275 
276 static void print_list(title, list)
277 char   *title;
278 char   *list;
279 {
280     char    buf[BUFLEN];
281     char   *cp;
282     char   *next;
283 
284     fputs(title, stdout);
285     strcpy(buf, list);
286 
287     for (cp = strtok(buf, sep); cp != 0; cp = next) {
288 	fputs(cp, stdout);
289 	next = strtok((char *) 0, sep);
290 	if (next != 0)
291 	    fputs(" ", stdout);
292     }
293     fputs("\n", stdout);
294 }
295 
296 /* check_daemon_list - criticize daemon list */
297 
298 static void check_daemon_list(list)
299 char   *list;
300 {
301     char    buf[BUFLEN];
302     char   *cp;
303     char   *host;
304     int     daemons = 0;
305 
306     strcpy(buf, list);
307 
308     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
309 	if (STR_EQ(cp, "EXCEPT")) {
310 	    daemons = 0;
311 	} else {
312 	    daemons++;
313 	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
314 		tcpd_warn("host %s has more than one address", host);
315 		tcpd_warn("(consider using an address instead)");
316 	    }
317 	    check_daemon(cp);
318 	}
319     }
320     if (daemons == 0)
321 	tcpd_warn("daemon list is empty or ends in EXCEPT");
322 }
323 
324 /* check_client_list - criticize client list */
325 
326 static void check_client_list(list)
327 char   *list;
328 {
329     char    buf[BUFLEN];
330     char   *cp;
331     char   *host;
332     int     clients = 0;
333 
334     strcpy(buf, list);
335 
336     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
337 	if (STR_EQ(cp, "EXCEPT")) {
338 	    clients = 0;
339 	} else {
340 	    clients++;
341 	    if (host = split_at(cp + 1, '@')) {	/* user@host */
342 		check_user(cp);
343 		check_host(host);
344 	    } else {
345 		check_host(cp);
346 	    }
347 	}
348     }
349     if (clients == 0)
350 	tcpd_warn("client list is empty or ends in EXCEPT");
351 }
352 
353 /* check_daemon - criticize daemon pattern */
354 
355 static void check_daemon(pat)
356 char   *pat;
357 {
358     if (pat[0] == '@') {
359 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
360     } else if (pat[0] == '/') {
361 	tcpd_warn("%s: daemon name begins with \"/\"", pat);
362     } else if (pat[0] == '.') {
363 	tcpd_warn("%s: daemon name begins with dot", pat);
364     } else if (pat[strlen(pat) - 1] == '.') {
365 	tcpd_warn("%s: daemon name ends in dot", pat);
366     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
367 	 /* void */ ;
368     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
369 	tcpd_warn("FAIL is no longer recognized");
370 	tcpd_warn("(use EXCEPT or DENY instead)");
371     } else if (reserved_name(pat)) {
372 	tcpd_warn("%s: daemon name may be reserved word", pat);
373     } else {
374 	switch (inet_get(pat)) {
375 	case WR_UNKNOWN:
376 	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
377 	    inet_set(pat, WR_YES);		/* shut up next time */
378 	    break;
379 	case WR_NOT:
380 	    tcpd_warn("%s: service possibly not wrapped", pat);
381 	    inet_set(pat, WR_YES);
382 	    break;
383 	}
384     }
385 }
386 
387 /* check_user - criticize user pattern */
388 
389 static void check_user(pat)
390 char   *pat;
391 {
392     if (pat[0] == '@') {			/* @netgroup */
393 	tcpd_warn("%s: user name begins with \"@\"", pat);
394     } else if (pat[0] == '/') {
395 	tcpd_warn("%s: user name begins with \"/\"", pat);
396     } else if (pat[0] == '.') {
397 	tcpd_warn("%s: user name begins with dot", pat);
398     } else if (pat[strlen(pat) - 1] == '.') {
399 	tcpd_warn("%s: user name ends in dot", pat);
400     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
401 	       || STR_EQ(pat, "KNOWN")) {
402 	 /* void */ ;
403     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
404 	tcpd_warn("FAIL is no longer recognized");
405 	tcpd_warn("(use EXCEPT or DENY instead)");
406     } else if (reserved_name(pat)) {
407 	tcpd_warn("%s: user name may be reserved word", pat);
408     }
409 }
410 
411 #ifdef INET6
412 static int is_inet6_addr(pat)
413     char *pat;
414 {
415     struct addrinfo hints, *res;
416     int len, ret;
417     char ch;
418 
419     if (*pat != '[')
420 	return (0);
421     len = strlen(pat);
422     if ((ch = pat[len - 1]) != ']')
423 	return (0);
424     pat[len - 1] = '\0';
425     memset(&hints, 0, sizeof(hints));
426     hints.ai_family = AF_INET6;
427     hints.ai_socktype = SOCK_STREAM;
428     hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
429     if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
430 	freeaddrinfo(res);
431     pat[len - 1] = ch;
432     return (ret == 0);
433 }
434 #endif
435 
436 /* check_host - criticize host pattern */
437 
438 static int check_host(pat)
439 char   *pat;
440 {
441     char    buf[BUFSIZ];
442     char   *mask;
443     int     addr_count = 1;
444     FILE   *fp;
445     struct tcpd_context saved_context;
446     char   *cp;
447     char   *wsp = " \t\r\n";
448 
449     if (pat[0] == '@') {			/* @netgroup */
450 #ifdef NO_NETGRENT
451 	/* SCO has no *netgrent() support */
452 #else
453 #ifdef NETGROUP
454 	char   *machinep;
455 	char   *userp;
456 	char   *domainp;
457 
458 	setnetgrent(pat + 1);
459 	if (getnetgrent(&machinep, &userp, &domainp) == 0)
460 	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
461 	endnetgrent();
462 #else
463 	tcpd_warn("netgroup support disabled");
464 #endif
465 #endif
466     } else if (pat[0] == '/') {			/* /path/name */
467 	if ((fp = fopen(pat, "r")) != 0) {
468 	    saved_context = tcpd_context;
469 	    tcpd_context.file = pat;
470 	    tcpd_context.line = 0;
471 	    while (fgets(buf, sizeof(buf), fp)) {
472 		tcpd_context.line++;
473 		for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
474 		    check_host(cp);
475 	    }
476 	    tcpd_context = saved_context;
477 	    fclose(fp);
478 	} else if (errno != ENOENT) {
479 	    tcpd_warn("open %s: %m", pat);
480 	}
481     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
482 #ifdef INET6
483 	int mask_len;
484 
485 	if ((dot_quad_addr(pat) == INADDR_NONE
486 	    || dot_quad_addr(mask) == INADDR_NONE)
487 	    && (!is_inet6_addr(pat)
488 		|| ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
489 #else
490 	if (dot_quad_addr(pat) == INADDR_NONE
491 	    || dot_quad_addr(mask) == INADDR_NONE)
492 #endif
493 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
494     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
495 	tcpd_warn("FAIL is no longer recognized");
496 	tcpd_warn("(use EXCEPT or DENY instead)");
497     } else if (reserved_name(pat)) {		/* other reserved */
498 	 /* void */ ;
499 #ifdef INET6
500     } else if (is_inet6_addr(pat)) { /* IPv6 address */
501 	addr_count = 1;
502 #endif
503     } else if (NOT_INADDR(pat)) {		/* internet name */
504 	if (pat[strlen(pat) - 1] == '.') {
505 	    tcpd_warn("%s: domain or host name ends in dot", pat);
506 	} else if (pat[0] != '.') {
507 	    addr_count = check_dns(pat);
508 	}
509     } else {					/* numeric form */
510 	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
511 	    /* void */ ;
512 	} else if (pat[0] == '.') {
513 	    tcpd_warn("%s: network number begins with dot", pat);
514 	} else if (pat[strlen(pat) - 1] != '.') {
515 	    check_dns(pat);
516 	}
517     }
518     return (addr_count);
519 }
520 
521 /* reserved_name - determine if name is reserved */
522 
523 static int reserved_name(pat)
524 char   *pat;
525 {
526     return (STR_EQ(pat, unknown)
527 	    || STR_EQ(pat, "KNOWN")
528 	    || STR_EQ(pat, paranoid)
529 	    || STR_EQ(pat, "ALL")
530 	    || STR_EQ(pat, "LOCAL"));
531 }
532