1 /* 2 * tcpdmatch - explain what tcpd would do in a specific case 3 * 4 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host 5 * 6 * -d: use the access control tables in the current directory. 7 * 8 * -i: location of inetd.conf file. 9 * 10 * All errors are reported to the standard error stream, including the errors 11 * that would normally be reported via the syslog daemon. 12 * 13 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 14 * 15 * $FreeBSD$ 16 */ 17 18 #ifndef lint 19 static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36"; 20 #endif 21 22 /* System libraries. */ 23 24 #include <sys/types.h> 25 #include <sys/stat.h> 26 #include <sys/socket.h> 27 #include <netinet/in.h> 28 #include <arpa/inet.h> 29 #include <netdb.h> 30 #include <stdio.h> 31 #include <syslog.h> 32 #include <setjmp.h> 33 #include <string.h> 34 #include <unistd.h> 35 36 extern void exit(); 37 extern int optind; 38 extern char *optarg; 39 40 #ifndef INADDR_NONE 41 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 42 #endif 43 44 #ifndef S_ISDIR 45 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 46 #endif 47 48 /* Application-specific. */ 49 50 #include "tcpd.h" 51 #include "inetcf.h" 52 #include "scaffold.h" 53 54 static void usage(); 55 static void tcpdmatch(); 56 57 /* The main program */ 58 59 int main(argc, argv) 60 int argc; 61 char **argv; 62 { 63 #ifdef INET6 64 struct addrinfo hints, *hp, *res; 65 #else 66 struct hostent *hp; 67 #endif 68 char *myname = argv[0]; 69 char *client; 70 char *server; 71 char *addr; 72 char *user; 73 char *daemon; 74 struct request_info request; 75 int ch; 76 char *inetcf = 0; 77 int count; 78 #ifdef INET6 79 struct sockaddr_storage server_sin; 80 struct sockaddr_storage client_sin; 81 #else 82 struct sockaddr_in server_sin; 83 struct sockaddr_in client_sin; 84 #endif 85 struct stat st; 86 87 /* 88 * Show what rule actually matched. 89 */ 90 hosts_access_verbose = 2; 91 92 /* 93 * Parse the JCL. 94 */ 95 while ((ch = getopt(argc, argv, "di:")) != EOF) { 96 switch (ch) { 97 case 'd': 98 hosts_allow_table = "hosts.allow"; 99 hosts_deny_table = "hosts.deny"; 100 break; 101 case 'i': 102 inetcf = optarg; 103 break; 104 default: 105 usage(myname); 106 /* NOTREACHED */ 107 } 108 } 109 if (argc != optind + 2) 110 usage(myname); 111 112 /* 113 * When confusion really strikes... 114 */ 115 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 116 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 117 } else if (!S_ISDIR(st.st_mode)) { 118 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 119 } 120 121 /* 122 * Default is to specify a daemon process name. When daemon@host is 123 * specified, separate the two parts. 124 */ 125 if ((server = split_at(argv[optind], '@')) == 0) 126 server = unknown; 127 if (argv[optind][0] == '/') { 128 daemon = strrchr(argv[optind], '/') + 1; 129 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon); 130 } else { 131 daemon = argv[optind]; 132 } 133 134 /* 135 * Default is to specify a client hostname or address. When user@host is 136 * specified, separate the two parts. 137 */ 138 if ((client = split_at(argv[optind + 1], '@')) != 0) { 139 user = argv[optind + 1]; 140 } else { 141 client = argv[optind + 1]; 142 user = unknown; 143 } 144 145 /* 146 * Analyze the inetd (or tlid) configuration file, so that we can warn 147 * the user about services that may not be wrapped, services that are not 148 * configured, or services that are wrapped in an incorrect manner. Allow 149 * for services that are not run from inetd, or that have tcpd access 150 * control built into them. 151 */ 152 inetcf = inet_cfg(inetcf); 153 inet_set("portmap", WR_NOT); 154 inet_set("rpcbind", WR_NOT); 155 switch (inet_get(daemon)) { 156 case WR_UNKNOWN: 157 tcpd_warn("%s: no such process name in %s", daemon, inetcf); 158 break; 159 case WR_NOT: 160 tcpd_warn("%s: service possibly not wrapped", daemon); 161 break; 162 } 163 164 /* 165 * Check accessibility of access control files. 166 */ 167 (void) check_path(hosts_allow_table, &st); 168 (void) check_path(hosts_deny_table, &st); 169 170 /* 171 * Fill in what we have figured out sofar. Use socket and DNS routines 172 * for address and name conversions. We attach stdout to the request so 173 * that banner messages will become visible. 174 */ 175 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0); 176 sock_methods(&request); 177 178 /* 179 * If a server hostname is specified, insist that the name maps to at 180 * most one address. eval_hostname() warns the user about name server 181 * problems, while using the request.server structure as a cache for host 182 * address and name conversion results. 183 */ 184 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { 185 if ((hp = find_inet_addr(server)) == 0) 186 exit(1); 187 #ifndef INET6 188 memset((char *) &server_sin, 0, sizeof(server_sin)); 189 server_sin.sin_family = AF_INET; 190 #endif 191 request_set(&request, RQ_SERVER_SIN, &server_sin, 0); 192 193 #ifdef INET6 194 for (res = hp, count = 0; res; res = res->ai_next, count++) { 195 memcpy(&server_sin, res->ai_addr, res->ai_addrlen); 196 #else 197 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 198 memcpy((char *) &server_sin.sin_addr, addr, 199 sizeof(server_sin.sin_addr)); 200 #endif 201 202 /* 203 * Force evaluation of server host name and address. Host name 204 * conflicts will be reported while eval_hostname() does its job. 205 */ 206 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0); 207 if (STR_EQ(eval_hostname(request.server), unknown)) 208 tcpd_warn("host address %s->name lookup failed", 209 eval_hostaddr(request.server)); 210 } 211 if (count > 1) { 212 fprintf(stderr, "Error: %s has more than one address\n", server); 213 fprintf(stderr, "Please specify an address instead\n"); 214 exit(1); 215 } 216 #ifdef INET6 217 freeaddrinfo(hp); 218 #else 219 free((char *) hp); 220 #endif 221 } else { 222 request_set(&request, RQ_SERVER_NAME, server, 0); 223 } 224 225 /* 226 * If a client address is specified, we simulate the effect of client 227 * hostname lookup failure. 228 */ 229 if (dot_quad_addr(client) != INADDR_NONE) { 230 request_set(&request, RQ_CLIENT_ADDR, client, 0); 231 tcpdmatch(&request); 232 exit(0); 233 } 234 #ifdef INET6 235 memset(&hints, 0, sizeof(hints)); 236 hints.ai_family = AF_INET6; 237 hints.ai_socktype = SOCK_STREAM; 238 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 239 if (getaddrinfo(client, NULL, &hints, &res) == 0) { 240 freeaddrinfo(res); 241 request_set(&request, RQ_CLIENT_ADDR, client, 0); 242 tcpdmatch(&request); 243 exit(0); 244 } 245 #endif 246 247 /* 248 * Perhaps they are testing special client hostname patterns that aren't 249 * really host names at all. 250 */ 251 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) { 252 request_set(&request, RQ_CLIENT_NAME, client, 0); 253 tcpdmatch(&request); 254 exit(0); 255 } 256 257 /* 258 * Otherwise, assume that a client hostname is specified, and insist that 259 * the address can be looked up. The reason for this requirement is that 260 * in real life the client address is available (at least with IP). Let 261 * eval_hostname() figure out if this host is properly registered, while 262 * using the request.client structure as a cache for host name and 263 * address conversion results. 264 */ 265 if ((hp = find_inet_addr(client)) == 0) 266 exit(1); 267 #ifdef INET6 268 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); 269 270 for (res = hp, count = 0; res; res = res->ai_next, count++) { 271 memcpy(&client_sin, res->ai_addr, res->ai_addrlen); 272 273 /* 274 * getnameinfo() doesn't do reverse lookup against link-local 275 * address. So, we pass through host name evaluation against 276 * such addresses. 277 */ 278 if (res->ai_family != AF_INET6 || 279 !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { 280 /* 281 * Force evaluation of client host name and address. Host name 282 * conflicts will be reported while eval_hostname() does its job. 283 */ 284 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); 285 if (STR_EQ(eval_hostname(request.client), unknown)) 286 tcpd_warn("host address %s->name lookup failed", 287 eval_hostaddr(request.client)); 288 } 289 tcpdmatch(&request); 290 if (res->ai_next) 291 printf("\n"); 292 } 293 freeaddrinfo(hp); 294 #else 295 memset((char *) &client_sin, 0, sizeof(client_sin)); 296 client_sin.sin_family = AF_INET; 297 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); 298 299 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 300 memcpy((char *) &client_sin.sin_addr, addr, 301 sizeof(client_sin.sin_addr)); 302 303 /* 304 * Force evaluation of client host name and address. Host name 305 * conflicts will be reported while eval_hostname() does its job. 306 */ 307 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); 308 if (STR_EQ(eval_hostname(request.client), unknown)) 309 tcpd_warn("host address %s->name lookup failed", 310 eval_hostaddr(request.client)); 311 tcpdmatch(&request); 312 if (hp->h_addr_list[count + 1]) 313 printf("\n"); 314 } 315 free((char *) hp); 316 #endif 317 exit(0); 318 } 319 320 /* Explain how to use this program */ 321 322 static void usage(myname) 323 char *myname; 324 { 325 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n", 326 myname); 327 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 328 fprintf(stderr, " -i: location of inetd.conf file\n"); 329 exit(1); 330 } 331 332 /* Print interesting expansions */ 333 334 static void expand(text, pattern, request) 335 char *text; 336 char *pattern; 337 struct request_info *request; 338 { 339 char buf[BUFSIZ]; 340 341 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown)) 342 printf("%s %s\n", text, buf); 343 } 344 345 /* Try out a (server,client) pair */ 346 347 static void tcpdmatch(request) 348 struct request_info *request; 349 { 350 int verdict; 351 352 /* 353 * Show what we really know. Suppress uninteresting noise. 354 */ 355 expand("client: hostname", "%n", request); 356 expand("client: address ", "%a", request); 357 expand("client: username", "%u", request); 358 expand("server: hostname", "%N", request); 359 expand("server: address ", "%A", request); 360 expand("server: process ", "%d", request); 361 362 /* 363 * Reset stuff that might be changed by options handlers. In dry-run 364 * mode, extension language routines that would not return should inform 365 * us of their plan, by clearing the dry_run flag. This is a bit clumsy 366 * but we must be able to verify hosts with more than one network 367 * address. 368 */ 369 rfc931_timeout = RFC931_TIMEOUT; 370 allow_severity = SEVERITY; 371 deny_severity = LOG_WARNING; 372 dry_run = 1; 373 374 /* 375 * When paranoid mode is enabled, access is rejected no matter what the 376 * access control rules say. 377 */ 378 #ifdef PARANOID 379 if (STR_EQ(eval_hostname(request->client), paranoid)) { 380 printf("access: denied (PARANOID mode)\n\n"); 381 return; 382 } 383 #endif 384 385 /* 386 * Report the access control verdict. 387 */ 388 verdict = hosts_access(request); 389 printf("access: %s\n", 390 dry_run == 0 ? "delegated" : 391 verdict ? "granted" : "denied"); 392 } 393