/*
 * tcpdmatch - explain what tcpd would do in a specific case
 *
 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
 *
 * -d: use the access control tables in the current directory.
 *
 * -i: location of inetd.conf file.
 *
 * All errors are reported to the standard error stream, including the errors
 * that would normally be reported via the syslog daemon.
 *
 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
 */
15*0Sstevel@tonic-gate
16*0Sstevel@tonic-gate #ifndef lint
17*0Sstevel@tonic-gate static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
18*0Sstevel@tonic-gate #endif
19*0Sstevel@tonic-gate
20*0Sstevel@tonic-gate /* System libraries. */
21*0Sstevel@tonic-gate
22*0Sstevel@tonic-gate #include <sys/types.h>
23*0Sstevel@tonic-gate #include <sys/stat.h>
24*0Sstevel@tonic-gate #include <sys/socket.h>
25*0Sstevel@tonic-gate #include <netinet/in.h>
26*0Sstevel@tonic-gate #include <arpa/inet.h>
27*0Sstevel@tonic-gate #include <netdb.h>
28*0Sstevel@tonic-gate #include <stdio.h>
29*0Sstevel@tonic-gate #include <syslog.h>
30*0Sstevel@tonic-gate #include <setjmp.h>
31*0Sstevel@tonic-gate #include <string.h>
32*0Sstevel@tonic-gate
33*0Sstevel@tonic-gate extern void exit();
34*0Sstevel@tonic-gate extern int optind;
35*0Sstevel@tonic-gate extern char *optarg;
36*0Sstevel@tonic-gate
37*0Sstevel@tonic-gate #ifndef INADDR_NONE
38*0Sstevel@tonic-gate #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
39*0Sstevel@tonic-gate #endif
40*0Sstevel@tonic-gate
41*0Sstevel@tonic-gate #ifndef S_ISDIR
42*0Sstevel@tonic-gate #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
43*0Sstevel@tonic-gate #endif
44*0Sstevel@tonic-gate
45*0Sstevel@tonic-gate /* Application-specific. */
46*0Sstevel@tonic-gate
47*0Sstevel@tonic-gate #include "tcpd.h"
48*0Sstevel@tonic-gate #include "inetcf.h"
49*0Sstevel@tonic-gate #include "scaffold.h"
50*0Sstevel@tonic-gate
51*0Sstevel@tonic-gate static void usage();
52*0Sstevel@tonic-gate static void tcpdmatch();
53*0Sstevel@tonic-gate
54*0Sstevel@tonic-gate /* The main program */
55*0Sstevel@tonic-gate
/*
 * Program entry point: parse the command line, sanity-check the tcpd
 * installation and the inetd configuration, resolve the server and client
 * endpoints the way tcpd would see them, and run the access control
 * decision (tcpdmatch()) once per client address.
 *
 * Exit status: 0 after the verdict(s) have been printed; 1 on a usage
 * error, on a server or client name that cannot be resolved, or on a
 * server name that maps to more than one address.
 */
int main(argc, argv)
int argc;
char **argv;
{
    struct hostent *hp;
    char *myname = argv[0];
    char *client;			/* client host name or address */
    char *server;			/* server host name/address, or unknown */
    char *addr;				/* current entry of hp->h_addr_list */
    char *user;				/* client user name, or unknown */
    char *daemon;			/* daemon process name (basename only) */
    struct request_info request;
    int ch;
    char *inetcf = 0;			/* inetd.conf path; 0 lets inet_cfg() pick a default */
    int count;				/* number of addresses walked in hp->h_addr_list */
    struct sockaddr_gen server_sin;
    struct sockaddr_gen client_sin;
    struct stat st;

    /*
     * Show what rule actually matched.
     */
    hosts_access_verbose = 2;

    /*
     * Parse the JCL. getopt() is specified to return -1 at the end of the
     * option list; EOF serves as that sentinel here (the two values are
     * equal on the platforms this code targets).
     */
    while ((ch = getopt(argc, argv, "di:")) != EOF) {
	switch (ch) {
	case 'd':
	    /* Relative paths: the tables are read from the current directory. */
	    hosts_allow_table = "hosts.allow";
	    hosts_deny_table = "hosts.deny";
	    break;
	case 'i':
	    inetcf = optarg;
	    break;
	default:
	    usage(myname);
	    /* NOTREACHED */
	}
    }
    /* Exactly two positional arguments: daemon[@host] and [user@]host. */
    if (argc != optind + 2)
	usage(myname);

    /*
     * When confusion really strikes... check_path() (scaffold.h) fills in
     * st for the directory tcpd expects the real daemons in; a negative
     * result is reported with the errno text (%m is presumably expanded by
     * tcpd_warn(), syslog-style). Both failures are warnings only: the
     * match still runs.
     */
    if (check_path(REAL_DAEMON_DIR, &st) < 0) {
	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
    } else if (!S_ISDIR(st.st_mode)) {
	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
    }

    /*
     * Default is to specify a daemon process name. When daemon@host is
     * specified, separate the two parts. split_at() is expected to cut the
     * argument in place at the separator and return the remainder (or 0
     * when there is none), so argv[optind] holds the daemon part afterwards.
     */
    if ((server = split_at(argv[optind], '@')) == 0)
	server = unknown;
    /*
     * A daemon given as an absolute path is reduced to its basename and the
     * normalized name is shown. Note that a path ending in '/' yields an
     * empty daemon name here; nothing checks for that, the warning simply
     * shows the empty result.
     */
    if (argv[optind][0] == '/') {
	daemon = strrchr(argv[optind], '/') + 1;
	tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
    } else {
	daemon = argv[optind];
    }

    /*
     * Default is to specify a client hostname or address. When user@host is
     * specified, separate the two parts.
     */
    if ((client = split_at(argv[optind + 1], '@')) != 0) {
	user = argv[optind + 1];
    } else {
	client = argv[optind + 1];
	user = unknown;
    }

    /*
     * Analyze the inetd (or tlid) configuration file, so that we can warn
     * the user about services that may not be wrapped, services that are not
     * configured, or services that are wrapped in an incorrect manner. Allow
     * for services that are not run from inetd, or that have tcpd access
     * control built into them.
     *
     * inet_cfg() returns the path of the file it actually parsed (possibly
     * a default when inetcf is 0), which is why it is echoed in the warning
     * below. portmap and rpcbind are pre-marked WR_NOT, i.e. they fall in
     * the "built-in access control" class mentioned above.
     */
    inetcf = inet_cfg(inetcf);
    inet_set("portmap", WR_NOT);
    inet_set("rpcbind", WR_NOT);
    switch (inet_get(daemon)) {
    case WR_UNKNOWN:
	tcpd_warn("%s: no such process name in %s", daemon, inetcf);
	break;
    case WR_NOT:
	tcpd_warn("%s: service possibly not wrapped", daemon);
	break;
	/* Any other classification needs no warning here. */
    }

    /*
     * Check accessibility of access control files. The results are
     * deliberately ignored: a missing or unreadable table is presumably
     * reported by check_path() itself and must not stop the match.
     */
    (void) check_path(hosts_allow_table, &st);
    (void) check_path(hosts_deny_table, &st);

    /*
     * Fill in what we have figured out so far. Use socket and DNS routines
     * for address and name conversions. We attach stdout (descriptor 1,
     * RQ_FILE) to the request so that banner messages will become visible.
     */
    request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
    sock_methods(&request);

    /*
     * If a server hostname is specified, insist that the name maps to at
     * most one address. eval_hostname() warns the user about name server
     * problems, while using the request.server structure as a cache for host
     * address and name conversion results.
     *
     * The branch is taken for a numeric address or for a "real" host name;
     * HOSTNAME_KNOWN() presumably rejects the unknown placeholder that
     * server defaults to above.
     */
    if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
	/* find_inet_addr() is expected to have reported the failure itself. */
	if ((hp = find_inet_addr(server)) == 0)
	    exit(1);
	memset((char *) &server_sin, 0, sizeof(server_sin));
	server_sin.sg_family = hp->h_addrtype;
	request_set(&request, RQ_SERVER_SIN, &server_sin, 0);

	for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
	    /*
	     * No bound check on h_length is visible here: the copy relies on
	     * SGADDRP() selecting storage that fits the address family
	     * announced in hp->h_addrtype - TODO confirm in tcpd.h.
	     */
	    memcpy((char *) SGADDRP(&server_sin), addr, hp->h_length);

	    /*
	     * Force evaluation of server host name and address. Host name
	     * conflicts will be reported while eval_hostname() does its job.
	     * Clearing the cached name/address first makes the lookup redo
	     * its work for this address.
	     */
	    request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
	    if (STR_EQ(eval_hostname(request.server), unknown))
		tcpd_warn("host address %s->name lookup failed",
			  eval_hostaddr(request.server));
	}
	/* A multi-homed server name is ambiguous; the user must pick one address. */
	if (count > 1) {
	    fprintf(stderr, "Error: %s has more than one address\n", server);
	    fprintf(stderr, "Please specify an address instead\n");
	    exit(1);
	}
	/*
	 * The hostent is released here, so find_inet_addr() (scaffold.h)
	 * presumably hands back a private copy rather than the static
	 * resolver buffer - confirm before changing ownership.
	 */
	free((char *) hp);
    } else {
	request_set(&request, RQ_SERVER_NAME, server, 0);
    }

    /*
     * If a client address is specified, we simulate the effect of client
     * hostname lookup failure: only the address is set, so the host name
     * side of the request stays unresolved.
     */
    if (numeric_addr(client, NULL, NULL, NULL) == 0) {
	request_set(&request, RQ_CLIENT_ADDR, client, 0);
	tcpdmatch(&request);
	exit(0);
    }

    /*
     * Perhaps they are testing special client hostname patterns that aren't
     * really host names at all (non-numeric, yet rejected by
     * HOSTNAME_KNOWN()). Such a pattern is fed in verbatim as the name.
     */
    if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
	request_set(&request, RQ_CLIENT_NAME, client, 0);
	tcpdmatch(&request);
	exit(0);
    }

    /*
     * Otherwise, assume that a client hostname is specified, and insist that
     * the address can be looked up. The reason for this requirement is that
     * in real life the client address is available (at least with IP). Let
     * eval_hostname() figure out if this host is properly registered, while
     * using the request.client structure as a cache for host name and
     * address conversion results.
     */
    if ((hp = find_inet_addr(client)) == 0)
	exit(1);
    memset((char *) &client_sin, 0, sizeof(client_sin));
    client_sin.sg_family = hp->h_addrtype;
    request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);

    /*
     * Unlike the server case, every address of a multi-homed client is
     * tested in turn, one verdict each, separated by a blank line.
     */
    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
	/* Same unchecked h_length copy as on the server side - see above. */
	memcpy((char *) SGADDRP(&client_sin), addr, hp->h_length);

	/*
	 * Force evaluation of client host name and address. Host name
	 * conflicts will be reported while eval_hostname() does its job.
	 */
	request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
	if (STR_EQ(eval_hostname(request.client), unknown))
	    tcpd_warn("host address %s->name lookup failed",
		      eval_hostaddr(request.client));
	tcpdmatch(&request);
	if (hp->h_addr_list[count + 1])
	    printf("\n");
    }
    free((char *) hp);
    exit(0);
}
253*0Sstevel@tonic-gate
/* Explain how to use this program */
255*0Sstevel@tonic-gate
/*
 * Print the command line synopsis and option summary on stderr and
 * terminate with exit status 1. Never returns.
 *
 * myname: argv[0] of the running program, shown in the synopsis line.
 */
static void usage(char *myname)
{
    fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
	    myname);
    fputs(" -d: use allow/deny files in current directory\n", stderr);
    fputs(" -i: location of inetd.conf file\n", stderr);
    exit(1);
}
265*0Sstevel@tonic-gate
/* Print interesting expansions */
267*0Sstevel@tonic-gate
/*
 * Expand one %-pattern against the request and print it on stdout behind
 * the given label. Expansions that come out as the unknown placeholder are
 * suppressed, so only information that is actually known is shown.
 *
 * text:    label printed in front of the expansion.
 * pattern: %-expansion pattern handed to percent_x().
 * request: the request being examined.
 */
static void expand(text, pattern, request)
char *text;
char *pattern;
struct request_info *request;
{
    char expansion[BUFSIZ];
    char *result;
    int interesting;

    result = percent_x(expansion, sizeof(expansion), pattern, request);
    interesting = STR_NE(result, unknown);
    if (interesting)
	printf("%s %s\n", text, expansion);
}
278*0Sstevel@tonic-gate
/* Try out a (server,client) pair */
280*0Sstevel@tonic-gate
/*
 * Run the access control decision for one fully-specified (server,client)
 * pair and print what is known about it followed by the verdict.
 *
 * request: the request to evaluate; its client/server fields are already
 *          filled in by the caller.
 *
 * The library globals touched by option handlers (rfc931_timeout,
 * allow_severity, deny_severity, dry_run) are reset before every call,
 * because the caller may invoke this once per address of a multi-homed
 * client. An option handler that would not return in real operation is
 * expected to clear dry_run instead; that case is reported as "delegated".
 */
static void tcpdmatch(request)
struct request_info *request;
{
    static const struct {
	char *label;
	char *pattern;
    } fields[] = {
	{ "client: hostname", "%n" },
	{ "client: address ", "%a" },
	{ "client: username", "%u" },
	{ "server: hostname", "%N" },
	{ "server: address ", "%A" },
	{ "server: process ", "%d" },
    };
    int i;
    int verdict;
    char *outcome;

    /*
     * Show what we really know; expand() suppresses unknown values.
     */
    for (i = 0; i < (int) (sizeof(fields) / sizeof(fields[0])); i++)
	expand(fields[i].label, fields[i].pattern, request);

    /*
     * Reset stuff that might be changed by options handlers, then arm
     * dry-run mode so that hosts_access() only decides and does not act.
     */
    rfc931_timeout = RFC931_TIMEOUT;
    allow_severity = SEVERITY;
    deny_severity = LOG_WARNING;
    dry_run = 1;

    /*
     * When paranoid mode is enabled, access is rejected no matter what the
     * access control rules say.
     */
#ifdef PARANOID
    if (STR_EQ(eval_hostname(request->client), paranoid)) {
	printf("access: denied (PARANOID mode)\n\n");
	return;
    }
#endif

    /*
     * Report the access control verdict. A cleared dry_run flag takes
     * precedence over the verdict itself.
     */
    verdict = hosts_access(request);
    if (dry_run == 0)
	outcome = "delegated";
    else if (verdict)
	outcome = "granted";
    else
	outcome = "denied";
    printf("access: %s\n", outcome);
}