xref: /freebsd/contrib/tcp_wrappers/tcpdchk.c (revision ec4deee4e4f2aef1b97d9424f25d04e91fd7dc10)
1  /*
2   * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3   *
4   * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5   *
6   * -a: complain about implicit "allow" at end of rule.
7   *
8   * -d: rules in current directory.
9   *
10   * -i: location of inetd.conf file.
11   *
12   * -v: show all rules.
13   *
14   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15   *
16   * $FreeBSD$
17   */
18 
19 #ifndef lint
20 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
21 #endif
22 
23 /* System libraries. */
24 
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #ifdef INET6
28 #include <sys/socket.h>
29 #endif
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32 #include <stdio.h>
33 #include <syslog.h>
34 #include <setjmp.h>
35 #include <errno.h>
36 #include <netdb.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <unistd.h>
40 
41 #ifndef INADDR_NONE
42 #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
43 #endif
44 
45 #ifndef S_ISDIR
46 #define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
47 #endif
48 
49 /* Application-specific. */
50 
51 #include "tcpd.h"
52 #include "inetcf.h"
53 #include "scaffold.h"
54 
55  /*
56   * Stolen from hosts_access.c...
57   */
58 static char sep[] = ", \t\n";
59 
60 #define	BUFLEN 2048
61 
62 int     resident = 0;
63 int     hosts_access_verbose = 0;
64 char   *hosts_allow_table = HOSTS_ALLOW;
65 char   *hosts_deny_table = HOSTS_DENY;
66 extern jmp_buf tcpd_buf;
67 
68  /*
69   * Local stuff.
70   */
71 static void usage(void);
72 static void parse_table(char *table, struct request_info *request);
73 static void print_list(char *title, char *list);
74 static void check_daemon_list(char *list);
75 static void check_client_list(char *list);
76 static void check_daemon(char *pat);
77 static void check_user(char *pat);
78 static int check_host(char *pat);
79 static int reserved_name(char *pat);
80 
81 #define PERMIT	1
82 #define DENY	0
83 
84 #define YES	1
85 #define	NO	0
86 
87 static int defl_verdict;
88 static char *myname;
89 static int allow_check;
90 static char *inetcf;
91 
92 int     main(argc, argv)
93 int     argc;
94 char  **argv;
95 {
96     struct request_info request;
97     struct stat st;
98     int     c;
99 
100     myname = argv[0];
101 
102     /*
103      * Parse the JCL.
104      */
105     while ((c = getopt(argc, argv, "adi:v")) != EOF) {
106 	switch (c) {
107 	case 'a':
108 	    allow_check = 1;
109 	    break;
110 	case 'd':
111 	    hosts_allow_table = "hosts.allow";
112 	    hosts_deny_table = "hosts.deny";
113 	    break;
114 	case 'i':
115 	    inetcf = optarg;
116 	    break;
117 	case 'v':
118 	    hosts_access_verbose++;
119 	    break;
120 	default:
121 	    usage();
122 	    /* NOTREACHED */
123 	}
124     }
125     if (argc != optind)
126 	usage();
127 
128     /*
129      * When confusion really strikes...
130      */
131     if (check_path(REAL_DAEMON_DIR, &st) < 0) {
132 	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
133     } else if (!S_ISDIR(st.st_mode)) {
134 	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
135     }
136 
137     /*
138      * Process the inet configuration file (or its moral equivalent). This
139      * information is used later to find references in hosts.allow/deny to
140      * unwrapped services, and other possible problems.
141      */
142     inetcf = inet_cfg(inetcf);
143     if (hosts_access_verbose)
144 	printf("Using network configuration file: %s\n", inetcf);
145 
146     /*
147      * These are not run from inetd but may have built-in access control.
148      */
149     inet_set("portmap", WR_NOT);
150     inet_set("rpcbind", WR_NOT);
151 
152     /*
153      * Check accessibility of access control files.
154      */
155     (void) check_path(hosts_allow_table, &st);
156     (void) check_path(hosts_deny_table, &st);
157 
158     /*
159      * Fake up an arbitrary service request.
160      */
161     request_init(&request,
162 		 RQ_DAEMON, "daemon_name",
163 		 RQ_SERVER_NAME, "server_hostname",
164 		 RQ_SERVER_ADDR, "server_addr",
165 		 RQ_USER, "user_name",
166 		 RQ_CLIENT_NAME, "client_hostname",
167 		 RQ_CLIENT_ADDR, "client_addr",
168 		 RQ_FILE, 1,
169 		 0);
170 
171     /*
172      * Examine all access-control rules.
173      */
174     defl_verdict = PERMIT;
175     parse_table(hosts_allow_table, &request);
176     defl_verdict = DENY;
177     parse_table(hosts_deny_table, &request);
178     return (0);
179 }
180 
181 /* usage - explain */
182 
183 static void usage(void)
184 {
185     fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
186     fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
187     fprintf(stderr, "	-d: use allow/deny files in current directory\n");
188     fprintf(stderr, "	-i: location of inetd.conf file\n");
189     fprintf(stderr, "	-v: list all rules\n");
190     exit(1);
191 }
192 
193 /* parse_table - like table_match(), but examines _all_ entries */
194 
195 static void parse_table(table, request)
196 char   *table;
197 struct request_info *request;
198 {
199     FILE   *fp;
200     int     real_verdict;
201     char    sv_list[BUFLEN];		/* becomes list of daemons */
202     char   *cl_list;			/* becomes list of requests */
203     char   *sh_cmd;			/* becomes optional shell command */
204     char    buf[BUFSIZ];
205     int     verdict;
206     struct tcpd_context saved_context;
207 
208     saved_context = tcpd_context;		/* stupid compilers */
209 
210     if (fp = fopen(table, "r")) {
211 	tcpd_context.file = table;
212 	tcpd_context.line = 0;
213 	while (xgets(sv_list, sizeof(sv_list), fp)) {
214 	    if (sv_list[strlen(sv_list) - 1] != '\n') {
215 		tcpd_warn("missing newline or line too long");
216 		continue;
217 	    }
218 	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
219 		continue;
220 	    if ((cl_list = split_at(sv_list, ':')) == 0) {
221 		tcpd_warn("missing \":\" separator");
222 		continue;
223 	    }
224 	    sh_cmd = split_at(cl_list, ':');
225 
226 	    if (hosts_access_verbose)
227 		printf("\n>>> Rule %s line %d:\n",
228 		       tcpd_context.file, tcpd_context.line);
229 
230 	    if (hosts_access_verbose)
231 		print_list("daemons:  ", sv_list);
232 	    check_daemon_list(sv_list);
233 
234 	    if (hosts_access_verbose)
235 		print_list("clients:  ", cl_list);
236 	    check_client_list(cl_list);
237 
238 #ifdef PROCESS_OPTIONS
239 	    real_verdict = defl_verdict;
240 	    if (sh_cmd) {
241 		verdict = setjmp(tcpd_buf);
242 		if (verdict != 0) {
243 		    real_verdict = (verdict == AC_PERMIT);
244 		} else {
245 		    dry_run = 1;
246 		    process_options(sh_cmd, request);
247 		    if (dry_run == 1 && real_verdict && allow_check)
248 			tcpd_warn("implicit \"allow\" at end of rule");
249 		}
250 	    } else if (defl_verdict && allow_check) {
251 		tcpd_warn("implicit \"allow\" at end of rule");
252 	    }
253 	    if (hosts_access_verbose)
254 		printf("access:   %s\n", real_verdict ? "granted" : "denied");
255 #else
256 	    if (sh_cmd)
257 		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
258 	    if (hosts_access_verbose)
259 		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
260 #endif
261 	}
262 	(void) fclose(fp);
263     } else if (errno != ENOENT) {
264 	tcpd_warn("cannot open %s: %m", table);
265     }
266     tcpd_context = saved_context;
267 }
268 
269 /* print_list - pretty-print a list */
270 
271 static void print_list(title, list)
272 char   *title;
273 char   *list;
274 {
275     char    buf[BUFLEN];
276     char   *cp;
277     char   *next;
278 
279     fputs(title, stdout);
280     strcpy(buf, list);
281 
282     for (cp = strtok(buf, sep); cp != 0; cp = next) {
283 	fputs(cp, stdout);
284 	next = strtok((char *) 0, sep);
285 	if (next != 0)
286 	    fputs(" ", stdout);
287     }
288     fputs("\n", stdout);
289 }
290 
291 /* check_daemon_list - criticize daemon list */
292 
293 static void check_daemon_list(list)
294 char   *list;
295 {
296     char    buf[BUFLEN];
297     char   *cp;
298     char   *host;
299     int     daemons = 0;
300 
301     strcpy(buf, list);
302 
303     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
304 	if (STR_EQ(cp, "EXCEPT")) {
305 	    daemons = 0;
306 	} else {
307 	    daemons++;
308 	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
309 		tcpd_warn("host %s has more than one address", host);
310 		tcpd_warn("(consider using an address instead)");
311 	    }
312 	    check_daemon(cp);
313 	}
314     }
315     if (daemons == 0)
316 	tcpd_warn("daemon list is empty or ends in EXCEPT");
317 }
318 
319 /* check_client_list - criticize client list */
320 
321 static void check_client_list(list)
322 char   *list;
323 {
324     char    buf[BUFLEN];
325     char   *cp;
326     char   *host;
327     int     clients = 0;
328 
329     strcpy(buf, list);
330 
331     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
332 	if (STR_EQ(cp, "EXCEPT")) {
333 	    clients = 0;
334 	} else {
335 	    clients++;
336 	    if (host = split_at(cp + 1, '@')) {	/* user@host */
337 		check_user(cp);
338 		check_host(host);
339 	    } else {
340 		check_host(cp);
341 	    }
342 	}
343     }
344     if (clients == 0)
345 	tcpd_warn("client list is empty or ends in EXCEPT");
346 }
347 
348 /* check_daemon - criticize daemon pattern */
349 
350 static void check_daemon(pat)
351 char   *pat;
352 {
353     if (pat[0] == '@') {
354 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
355     } else if (pat[0] == '/') {
356 	tcpd_warn("%s: daemon name begins with \"/\"", pat);
357     } else if (pat[0] == '.') {
358 	tcpd_warn("%s: daemon name begins with dot", pat);
359     } else if (pat[strlen(pat) - 1] == '.') {
360 	tcpd_warn("%s: daemon name ends in dot", pat);
361     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
362 	 /* void */ ;
363     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
364 	tcpd_warn("FAIL is no longer recognized");
365 	tcpd_warn("(use EXCEPT or DENY instead)");
366     } else if (reserved_name(pat)) {
367 	tcpd_warn("%s: daemon name may be reserved word", pat);
368     } else {
369 	switch (inet_get(pat)) {
370 	case WR_UNKNOWN:
371 	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
372 	    inet_set(pat, WR_YES);		/* shut up next time */
373 	    break;
374 	case WR_NOT:
375 	    tcpd_warn("%s: service possibly not wrapped", pat);
376 	    inet_set(pat, WR_YES);
377 	    break;
378 	}
379     }
380 }
381 
382 /* check_user - criticize user pattern */
383 
384 static void check_user(pat)
385 char   *pat;
386 {
387     if (pat[0] == '@') {			/* @netgroup */
388 	tcpd_warn("%s: user name begins with \"@\"", pat);
389     } else if (pat[0] == '/') {
390 	tcpd_warn("%s: user name begins with \"/\"", pat);
391     } else if (pat[0] == '.') {
392 	tcpd_warn("%s: user name begins with dot", pat);
393     } else if (pat[strlen(pat) - 1] == '.') {
394 	tcpd_warn("%s: user name ends in dot", pat);
395     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
396 	       || STR_EQ(pat, "KNOWN")) {
397 	 /* void */ ;
398     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
399 	tcpd_warn("FAIL is no longer recognized");
400 	tcpd_warn("(use EXCEPT or DENY instead)");
401     } else if (reserved_name(pat)) {
402 	tcpd_warn("%s: user name may be reserved word", pat);
403     }
404 }
405 
406 #ifdef INET6
407 static int is_inet6_addr(pat)
408     char *pat;
409 {
410     struct addrinfo hints, *res;
411     int len, ret;
412     char ch;
413 
414     if (*pat != '[')
415 	return (0);
416     len = strlen(pat);
417     if ((ch = pat[len - 1]) != ']')
418 	return (0);
419     pat[len - 1] = '\0';
420     memset(&hints, 0, sizeof(hints));
421     hints.ai_family = AF_INET6;
422     hints.ai_socktype = SOCK_STREAM;
423     hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
424     if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
425 	freeaddrinfo(res);
426     pat[len - 1] = ch;
427     return (ret == 0);
428 }
429 #endif
430 
431 /* check_host - criticize host pattern */
432 
433 static int check_host(pat)
434 char   *pat;
435 {
436     char    buf[BUFSIZ];
437     char   *mask;
438     int     addr_count = 1;
439     FILE   *fp;
440     struct tcpd_context saved_context;
441     char   *cp;
442     char   *wsp = " \t\r\n";
443 
444     if (pat[0] == '@') {			/* @netgroup */
445 #ifdef NO_NETGRENT
446 	/* SCO has no *netgrent() support */
447 #else
448 #ifdef NETGROUP
449 	char   *machinep;
450 	char   *userp;
451 	char   *domainp;
452 
453 	setnetgrent(pat + 1);
454 	if (getnetgrent(&machinep, &userp, &domainp) == 0)
455 	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
456 	endnetgrent();
457 #else
458 	tcpd_warn("netgroup support disabled");
459 #endif
460 #endif
461     } else if (pat[0] == '/') {			/* /path/name */
462 	if ((fp = fopen(pat, "r")) != 0) {
463 	    saved_context = tcpd_context;
464 	    tcpd_context.file = pat;
465 	    tcpd_context.line = 0;
466 	    while (fgets(buf, sizeof(buf), fp)) {
467 		tcpd_context.line++;
468 		for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
469 		    check_host(cp);
470 	    }
471 	    tcpd_context = saved_context;
472 	    fclose(fp);
473 	} else if (errno != ENOENT) {
474 	    tcpd_warn("open %s: %m", pat);
475 	}
476     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
477 #ifdef INET6
478 	int mask_len;
479 
480 	if ((dot_quad_addr(pat) == INADDR_NONE
481 	    || dot_quad_addr(mask) == INADDR_NONE)
482 	    && (!is_inet6_addr(pat)
483 		|| ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
484 #else
485 	if (dot_quad_addr(pat) == INADDR_NONE
486 	    || dot_quad_addr(mask) == INADDR_NONE)
487 #endif
488 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
489     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
490 	tcpd_warn("FAIL is no longer recognized");
491 	tcpd_warn("(use EXCEPT or DENY instead)");
492     } else if (reserved_name(pat)) {		/* other reserved */
493 	 /* void */ ;
494 #ifdef INET6
495     } else if (is_inet6_addr(pat)) { /* IPv6 address */
496 	addr_count = 1;
497 #endif
498     } else if (NOT_INADDR(pat)) {		/* internet name */
499 	if (pat[strlen(pat) - 1] == '.') {
500 	    tcpd_warn("%s: domain or host name ends in dot", pat);
501 	} else if (pat[0] != '.') {
502 	    addr_count = check_dns(pat);
503 	}
504     } else {					/* numeric form */
505 	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
506 	    /* void */ ;
507 	} else if (pat[0] == '.') {
508 	    tcpd_warn("%s: network number begins with dot", pat);
509 	} else if (pat[strlen(pat) - 1] != '.') {
510 	    check_dns(pat);
511 	}
512     }
513     return (addr_count);
514 }
515 
516 /* reserved_name - determine if name is reserved */
517 
518 static int reserved_name(pat)
519 char   *pat;
520 {
521     return (STR_EQ(pat, unknown)
522 	    || STR_EQ(pat, "KNOWN")
523 	    || STR_EQ(pat, paranoid)
524 	    || STR_EQ(pat, "ALL")
525 	    || STR_EQ(pat, "LOCAL"));
526 }
527