xref: /illumos-gate/usr/src/cmd/tcpd/tcpdchk.c (revision 8b80e8cb6855118d46f605e91b5ed4ce83417395)
1  /*
2   * tcpdchk - examine all tcpd access control rules and inetd.conf entries
3   *
4   * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
5   *
6   * -a: complain about implicit "allow" at end of rule.
7   *
8   * -d: rules in current directory.
9   *
10   * -i: location of inetd.conf file.
11   *
12   * -v: show all rules.
13   *
14   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
15   */
16 
17 #ifndef lint
18 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
19 #endif
20 
21 /* System libraries. */
22 
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27 #include <stdio.h>
28 #include <syslog.h>
29 #include <setjmp.h>
30 #include <errno.h>
31 #include <netdb.h>
32 #include <string.h>
33 
34 extern int errno;
35 extern void exit();
36 extern int optind;
37 extern char *optarg;
38 
39 #ifndef INADDR_NONE
40 #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
41 #endif
42 
43 #ifndef S_ISDIR
44 #define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
45 #endif
46 
47 /* Application-specific. */
48 
49 #include "tcpd.h"
50 #include "inetcf.h"
51 #include "scaffold.h"
52 
53  /*
54   * Stolen from hosts_access.c...
55   */
56 static char sep[] = ", \t\n";
57 
58 #define	BUFLEN 2048
59 
60 int     resident = 0;
61 int     hosts_access_verbose = 0;
62 char   *hosts_allow_table = HOSTS_ALLOW;
63 char   *hosts_deny_table = HOSTS_DENY;
64 extern jmp_buf tcpd_buf;
65 
66  /*
67   * Local stuff.
68   */
69 static void usage();
70 static void parse_table();
71 static void print_list();
72 static void check_daemon_list();
73 static void check_client_list();
74 static void check_daemon();
75 static void check_user();
76 static int check_host();
77 static int reserved_name();
78 
79 #define PERMIT	1
80 #define DENY	0
81 
82 #define YES	1
83 #define	NO	0
84 
85 static int defl_verdict;
86 static char *myname;
87 static int allow_check;
88 static char *inetcf;
89 
90 int     main(argc, argv)
91 int     argc;
92 char  **argv;
93 {
94     struct request_info request;
95     struct stat st;
96     int     c;
97 
98     myname = argv[0];
99 
100     /*
101      * Parse the JCL.
102      */
103     while ((c = getopt(argc, argv, "adi:v")) != EOF) {
104 	switch (c) {
105 	case 'a':
106 	    allow_check = 1;
107 	    break;
108 	case 'd':
109 	    hosts_allow_table = "hosts.allow";
110 	    hosts_deny_table = "hosts.deny";
111 	    break;
112 	case 'i':
113 	    inetcf = optarg;
114 	    break;
115 	case 'v':
116 	    hosts_access_verbose++;
117 	    break;
118 	default:
119 	    usage();
120 	    /* NOTREACHED */
121 	}
122     }
123     if (argc != optind)
124 	usage();
125 
126     /*
127      * When confusion really strikes...
128      */
129     if (check_path(REAL_DAEMON_DIR, &st) < 0) {
130 	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
131     } else if (!S_ISDIR(st.st_mode)) {
132 	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
133     }
134 
135     /*
136      * Process the inet configuration file (or its moral equivalent). This
137      * information is used later to find references in hosts.allow/deny to
138      * unwrapped services, and other possible problems.
139      */
140     inetcf = inet_cfg(inetcf);
141     if (hosts_access_verbose)
142 	printf("Using network configuration file: %s\n", inetcf);
143 
144     /*
145      * These are not run from inetd but may have built-in access control.
146      */
147     inet_set("portmap", WR_NOT);
148     inet_set("rpcbind", WR_NOT);
149 
150     /*
151      * Check accessibility of access control files.
152      */
153     (void) check_path(hosts_allow_table, &st);
154     (void) check_path(hosts_deny_table, &st);
155 
156     /*
157      * Fake up an arbitrary service request.
158      */
159     request_init(&request,
160 		 RQ_DAEMON, "daemon_name",
161 		 RQ_SERVER_NAME, "server_hostname",
162 		 RQ_SERVER_ADDR, "server_addr",
163 		 RQ_USER, "user_name",
164 		 RQ_CLIENT_NAME, "client_hostname",
165 		 RQ_CLIENT_ADDR, "client_addr",
166 		 RQ_FILE, 1,
167 		 0);
168 
169     /*
170      * Examine all access-control rules.
171      */
172     defl_verdict = PERMIT;
173     parse_table(hosts_allow_table, &request);
174     defl_verdict = DENY;
175     parse_table(hosts_deny_table, &request);
176     return (0);
177 }
178 
179 /* usage - explain */
180 
181 static void usage()
182 {
183     fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
184     fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
185     fprintf(stderr, "	-d: use allow/deny files in current directory\n");
186     fprintf(stderr, "	-i: location of inetd.conf file\n");
187     fprintf(stderr, "	-v: list all rules\n");
188     exit(1);
189 }
190 
191 /* parse_table - like table_match(), but examines _all_ entries */
192 
193 static void parse_table(table, request)
194 char   *table;
195 struct request_info *request;
196 {
197     FILE   *fp;
198     int     real_verdict;
199     char    sv_list[BUFLEN];		/* becomes list of daemons */
200     char   *cl_list;			/* becomes list of requests */
201     char   *sh_cmd;			/* becomes optional shell command */
202     char    buf[BUFSIZ];
203     int     verdict;
204     struct tcpd_context saved_context;
205 
206     saved_context = tcpd_context;		/* stupid compilers */
207 
208     if (fp = fopen(table, "r")) {
209 	tcpd_context.file = table;
210 	tcpd_context.line = 0;
211 	while (xgets(sv_list, sizeof(sv_list), fp)) {
212 	    if (sv_list[strlen(sv_list) - 1] != '\n') {
213 		tcpd_warn("missing newline or line too long");
214 		continue;
215 	    }
216 	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
217 		continue;
218 	    if ((cl_list = split_at(skip_ipv6_addrs(sv_list), ':')) == 0) {
219 		tcpd_warn("missing \":\" separator");
220 		continue;
221 	    }
222 	    sh_cmd = split_at(skip_ipv6_addrs(cl_list), ':');
223 
224 	    if (hosts_access_verbose)
225 		printf("\n>>> Rule %s line %d:\n",
226 		       tcpd_context.file, tcpd_context.line);
227 
228 	    if (hosts_access_verbose)
229 		print_list("daemons:  ", sv_list);
230 	    check_daemon_list(sv_list);
231 
232 	    if (hosts_access_verbose)
233 		print_list("clients:  ", cl_list);
234 	    check_client_list(cl_list);
235 
236 #ifdef PROCESS_OPTIONS
237 	    real_verdict = defl_verdict;
238 	    if (sh_cmd) {
239 		verdict = setjmp(tcpd_buf);
240 		if (verdict != 0) {
241 		    real_verdict = (verdict == AC_PERMIT);
242 		} else {
243 		    dry_run = 1;
244 		    process_options(sh_cmd, request);
245 		    if (dry_run == 1 && real_verdict && allow_check)
246 			tcpd_warn("implicit \"allow\" at end of rule");
247 		}
248 	    } else if (defl_verdict && allow_check) {
249 		tcpd_warn("implicit \"allow\" at end of rule");
250 	    }
251 	    if (hosts_access_verbose)
252 		printf("access:   %s\n", real_verdict ? "granted" : "denied");
253 #else
254 	    if (sh_cmd)
255 		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
256 	    if (hosts_access_verbose)
257 		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
258 #endif
259 	}
260 	(void) fclose(fp);
261     } else if (errno != ENOENT) {
262 	tcpd_warn("cannot open %s: %m", table);
263     }
264     tcpd_context = saved_context;
265 }
266 
267 /* print_list - pretty-print a list */
268 
269 static void print_list(title, list)
270 char   *title;
271 char   *list;
272 {
273     char    buf[BUFLEN];
274     char   *cp;
275     char   *next;
276 
277     fputs(title, stdout);
278     strcpy(buf, list);
279 
280     for (cp = strtok(buf, sep); cp != 0; cp = next) {
281 	fputs(cp, stdout);
282 	next = strtok((char *) 0, sep);
283 	if (next != 0)
284 	    fputs(" ", stdout);
285     }
286     fputs("\n", stdout);
287 }
288 
289 /* check_daemon_list - criticize daemon list */
290 
291 static void check_daemon_list(list)
292 char   *list;
293 {
294     char    buf[BUFLEN];
295     char   *cp;
296     char   *host;
297     int     daemons = 0;
298 
299     strcpy(buf, list);
300 
301     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
302 	if (STR_EQ(cp, "EXCEPT")) {
303 	    daemons = 0;
304 	} else {
305 	    daemons++;
306 	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
307 		tcpd_warn("host %s has more than one address", host);
308 		tcpd_warn("(consider using an address instead)");
309 	    }
310 	    check_daemon(cp);
311 	}
312     }
313     if (daemons == 0)
314 	tcpd_warn("daemon list is empty or ends in EXCEPT");
315 }
316 
317 /* check_client_list - criticize client list */
318 
319 static void check_client_list(list)
320 char   *list;
321 {
322     char    buf[BUFLEN];
323     char   *cp;
324     char   *host;
325     int     clients = 0;
326 
327     strcpy(buf, list);
328 
329     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
330 	if (STR_EQ(cp, "EXCEPT")) {
331 	    clients = 0;
332 	} else {
333 	    clients++;
334 	    if (host = split_at(cp + 1, '@')) {	/* user@host */
335 		check_user(cp);
336 		check_host(host);
337 	    } else {
338 		check_host(cp);
339 	    }
340 	}
341     }
342     if (clients == 0)
343 	tcpd_warn("client list is empty or ends in EXCEPT");
344 }
345 
346 /* check_daemon - criticize daemon pattern */
347 
348 static void check_daemon(pat)
349 char   *pat;
350 {
351     if (pat[0] == '@') {
352 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
353     } else if (pat[0] == '.') {
354 	tcpd_warn("%s: daemon name begins with dot", pat);
355     } else if (pat[strlen(pat) - 1] == '.') {
356 	tcpd_warn("%s: daemon name ends in dot", pat);
357     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
358 	 /* void */ ;
359     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
360 	tcpd_warn("FAIL is no longer recognized");
361 	tcpd_warn("(use EXCEPT or DENY instead)");
362     } else if (reserved_name(pat)) {
363 	tcpd_warn("%s: daemon name may be reserved word", pat);
364     } else {
365 	switch (inet_get(pat)) {
366 	case WR_UNKNOWN:
367 	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
368 	    inet_set(pat, WR_YES);		/* shut up next time */
369 	    break;
370 	case WR_NOT:
371 	    tcpd_warn("%s: service possibly not wrapped", pat);
372 	    inet_set(pat, WR_YES);
373 	    break;
374 	}
375     }
376 }
377 
378 /* check_user - criticize user pattern */
379 
380 static void check_user(pat)
381 char   *pat;
382 {
383     if (pat[0] == '@') {			/* @netgroup */
384 	tcpd_warn("%s: user name begins with \"@\"", pat);
385     } else if (pat[0] == '.') {
386 	tcpd_warn("%s: user name begins with dot", pat);
387     } else if (pat[strlen(pat) - 1] == '.') {
388 	tcpd_warn("%s: user name ends in dot", pat);
389     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
390 	       || STR_EQ(pat, "KNOWN")) {
391 	 /* void */ ;
392     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
393 	tcpd_warn("FAIL is no longer recognized");
394 	tcpd_warn("(use EXCEPT or DENY instead)");
395     } else if (reserved_name(pat)) {
396 	tcpd_warn("%s: user name may be reserved word", pat);
397     }
398 }
399 
400 /* check_host - criticize host pattern */
401 
402 static int check_host(pat)
403 char   *pat;
404 {
405     char   *mask;
406     int     addr_count = 1;
407 
408     if (pat[0] == '@') {			/* @netgroup */
409 #ifdef NO_NETGRENT
410 	/* SCO has no *netgrent() support */
411 #else
412 #ifdef NETGROUP
413 	char   *machinep;
414 	char   *userp;
415 	char   *domainp;
416 
417 	setnetgrent(pat + 1);
418 	if (getnetgrent(&machinep, &userp, &domainp) == 0)
419 	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
420 	endnetgrent();
421 #else
422 	tcpd_warn("netgroup support disabled");
423 #endif
424 #endif
425 #ifdef HAVE_IPV6
426     } else if (pat[0] == '[') {
427 	    struct in6_addr in6;
428 	    char *cbr = strchr(pat, ']');
429 	    char *slash = strchr(pat, '/');
430 	    int err = 0;
431 	    int mask = IPV6_ABITS;
432 
433 	    if (slash != NULL) {
434 		*slash = '\0';
435 		mask = atoi(slash + 1);
436 		err = mask < 0 || mask > IPV6_ABITS;
437 	    }
438 	    if (cbr == NULL)
439 		err = 1;
440 	    else {
441 		*cbr = '\0';
442 		err += inet_pton(AF_INET6, pat+1, &in6) != 1;
443 	    }
444 	    if (slash) *slash = '/';
445 	    if (cbr) *cbr = ']';
446 	    if (err)
447 		tcpd_warn("bad IP6 address specification: %s", pat);
448 #endif
449     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
450 	if (dot_quad_addr(pat) == INADDR_NONE
451 	    || dot_quad_addr(mask) == INADDR_NONE)
452 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
453     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
454 	tcpd_warn("FAIL is no longer recognized");
455 	tcpd_warn("(use EXCEPT or DENY instead)");
456     } else if (reserved_name(pat)) {		/* other reserved */
457 	 /* void */ ;
458     } else if (NOT_INADDR(pat)) {		/* internet name */
459 	if (pat[strlen(pat) - 1] == '.') {
460 	    tcpd_warn("%s: domain or host name ends in dot", pat);
461 	} else if (pat[0] != '.') {
462 	    addr_count = check_dns(pat);
463 	}
464     } else {					/* numeric form */
465 	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
466 	    /* void */ ;
467 	} else if (pat[0] == '.') {
468 	    tcpd_warn("%s: network number begins with dot", pat);
469 	} else if (pat[strlen(pat) - 1] != '.') {
470 	    check_dns(pat);
471 	}
472     }
473     return (addr_count);
474 }
475 
476 /* reserved_name - determine if name is reserved */
477 
478 static int reserved_name(pat)
479 char   *pat;
480 {
481     return (STR_EQ(pat, unknown)
482 	    || STR_EQ(pat, "KNOWN")
483 	    || STR_EQ(pat, paranoid)
484 	    || STR_EQ(pat, "ALL")
485 	    || STR_EQ(pat, "LOCAL"));
486 }
487