1 /* $NetBSD: hosts_access.c,v 1.11 2000/01/21 17:08:34 mycroft Exp $ */ 2 3 /* 4 * This module implements a simple access control language that is based on 5 * host (or domain) names, NIS (host) netgroup names, IP addresses (or 6 * network numbers) and daemon process names. When a match is found the 7 * search is terminated, and depending on whether PROCESS_OPTIONS is defined, 8 * a list of options is executed or an optional shell command is executed. 9 * 10 * Host and user names are looked up on demand, provided that suitable endpoint 11 * information is available as sockaddr_in structures or TLI netbufs. As a 12 * side effect, the pattern matching process may change the contents of 13 * request structure fields. 14 * 15 * Diagnostics are reported through syslog(3). 16 * 17 * Compile with -DNETGROUP if your library provides support for netgroups. 18 * 19 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 20 */ 21 22 #include <sys/cdefs.h> 23 #ifndef lint 24 #if 0 25 static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22"; 26 #else 27 __RCSID("$NetBSD: hosts_access.c,v 1.11 2000/01/21 17:08:34 mycroft Exp $"); 28 #endif 29 #endif 30 31 /* System libraries. */ 32 33 #include <sys/types.h> 34 #include <sys/param.h> 35 #ifdef INET6 36 #include <sys/socket.h> 37 #endif 38 #include <netinet/in.h> 39 #include <arpa/inet.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <syslog.h> 43 #include <ctype.h> 44 #include <errno.h> 45 #include <setjmp.h> 46 #include <string.h> 47 #include <netdb.h> 48 #ifdef NETGROUP 49 #include <netgroup.h> 50 #include <rpcsvc/ypclnt.h> 51 #endif 52 53 #ifndef INADDR_NONE 54 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 55 #endif 56 57 /* Local stuff. */ 58 59 #include "tcpd.h" 60 61 /* Error handling. */ 62 63 extern jmp_buf tcpd_buf; 64 65 /* Delimiters for lists of daemons or clients. */ 66 67 static char sep[] = ", \t\r\n"; 68 69 /* Constants to be used in assignments only, not in comparisons... */ 70 71 #define YES 1 72 #define NO 0 73 74 /* 75 * These variables are globally visible so that they can be redirected in 76 * verification mode. 77 */ 78 79 char *hosts_allow_table = HOSTS_ALLOW; 80 char *hosts_deny_table = HOSTS_DENY; 81 int hosts_access_verbose = 0; 82 83 /* 84 * In a long-running process, we are not at liberty to just go away. 85 */ 86 87 int resident = (-1); /* -1, 0: unknown; +1: yes */ 88 89 /* Forward declarations. */ 90 91 static int table_match __P((char *, struct request_info *)); 92 static int list_match __P((char *, struct request_info *, 93 int (*)(char *, struct request_info *))); 94 static int server_match __P((char *, struct request_info *)); 95 static int client_match __P((char *, struct request_info *)); 96 static int host_match __P((char *, struct host_info *)); 97 static int rbl_match __P((char *, char *)); 98 static int string_match __P((char *, char *)); 99 static int masked_match __P((char *, char *, char *)); 100 static int masked_match4 __P((char *, char *, char *)); 101 #ifdef INET6 102 static int masked_match6 __P((char *, char *, char *)); 103 #endif 104 105 /* Size of logical line buffer. */ 106 107 #define BUFLEN 2048 108 109 /* hosts_access - host access control facility */ 110 111 int hosts_access(request) 112 struct request_info *request; 113 { 114 int verdict; 115 116 /* 117 * If the (daemon, client) pair is matched by an entry in the file 118 * /etc/hosts.allow, access is granted. Otherwise, if the (daemon, 119 * client) pair is matched by an entry in the file /etc/hosts.deny, 120 * access is denied. Otherwise, access is granted. A non-existent 121 * access-control file is treated as an empty file. 122 * 123 * After a rule has been matched, the optional language extensions may 124 * decide to grant or refuse service anyway. Or, while a rule is being 125 * processed, a serious error is found, and it seems better to play safe 126 * and deny service. All this is done by jumping back into the 127 * hosts_access() routine, bypassing the regular return from the 128 * table_match() function calls below. 129 */ 130 131 if (resident <= 0) 132 resident++; 133 verdict = setjmp(tcpd_buf); 134 if (verdict != 0) 135 return (verdict == AC_PERMIT); 136 if (table_match(hosts_allow_table, request)) 137 return (YES); 138 if (table_match(hosts_deny_table, request)) 139 return (NO); 140 return (YES); 141 } 142 143 /* table_match - match table entries with (daemon, client) pair */ 144 145 static int table_match(table, request) 146 char *table; 147 struct request_info *request; 148 { 149 FILE *fp; 150 char sv_list[BUFLEN]; /* becomes list of daemons */ 151 char *cl_list; /* becomes list of clients */ 152 char *sh_cmd = NULL; /* becomes optional shell command */ 153 int match = NO; 154 struct tcpd_context saved_context; 155 156 saved_context = tcpd_context; /* stupid compilers */ 157 158 /* 159 * Between the fopen() and fclose() calls, avoid jumps that may cause 160 * file descriptor leaks. 161 */ 162 163 if ((fp = fopen(table, "r")) != 0) { 164 tcpd_context.file = table; 165 tcpd_context.line = 0; 166 while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) { 167 if (sv_list[strlen(sv_list) - 1] != '\n') { 168 tcpd_warn("missing newline or line too long"); 169 continue; 170 } 171 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 172 continue; 173 if ((cl_list = split_at(sv_list, ':')) == 0) { 174 tcpd_warn("missing \":\" separator"); 175 continue; 176 } 177 sh_cmd = split_at(cl_list, ':'); 178 match = list_match(sv_list, request, server_match) 179 && list_match(cl_list, request, client_match); 180 } 181 (void) fclose(fp); 182 } else if (errno != ENOENT) { 183 tcpd_warn("cannot open %s: %m", table); 184 } 185 if (match) { 186 if (hosts_access_verbose > 1) 187 syslog(LOG_DEBUG, "matched: %s line %d", 188 tcpd_context.file, tcpd_context.line); 189 if (sh_cmd) { 190 #ifdef PROCESS_OPTIONS 191 process_options(sh_cmd, request); 192 #else 193 char cmd[BUFSIZ]; 194 shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request)); 195 #endif 196 } 197 } 198 tcpd_context = saved_context; 199 return (match); 200 } 201 202 /* list_match - match a request against a list of patterns with exceptions */ 203 204 static int list_match(list, request, match_fn) 205 char *list; 206 struct request_info *request; 207 int (*match_fn) __P((char *, struct request_info *)); 208 { 209 char *tok; 210 int l; 211 212 /* 213 * Process tokens one at a time. We have exhausted all possible matches 214 * when we reach an "EXCEPT" token or the end of the list. If we do find 215 * a match, look for an "EXCEPT" list and recurse to determine whether 216 * the match is affected by any exceptions. 217 */ 218 219 for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { 220 if (STR_EQ(tok, "EXCEPT")) /* EXCEPT: give up */ 221 return (NO); 222 l = strlen(tok); 223 if (*tok == '[' && tok[l - 1] == ']') { 224 tok[l - 1] = '\0'; 225 tok++; 226 } 227 if (match_fn(tok, request)) { /* YES: look for exceptions */ 228 while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT")) 229 /* VOID */ ; 230 return (tok == 0 || list_match((char *) 0, request, match_fn) == 0); 231 } 232 } 233 return (NO); 234 } 235 236 /* server_match - match server information */ 237 238 static int server_match(tok, request) 239 char *tok; 240 struct request_info *request; 241 { 242 char *host; 243 244 if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */ 245 return (string_match(tok, eval_daemon(request))); 246 } else { /* daemon@host */ 247 return (string_match(tok, eval_daemon(request)) 248 && host_match(host, request->server)); 249 } 250 } 251 252 /* client_match - match client information */ 253 254 static int client_match(tok, request) 255 char *tok; 256 struct request_info *request; 257 { 258 char *host; 259 260 if ((host = split_at(tok + 1, '@')) == 0) { /* plain host */ 261 return (host_match(tok, request->client)); 262 } else { /* user@host */ 263 return (host_match(host, request->client) 264 && string_match(tok, eval_user(request))); 265 } 266 } 267 268 /* host_match - match host name and/or address against pattern */ 269 270 static int host_match(tok, host) 271 char *tok; 272 struct host_info *host; 273 { 274 char *mask; 275 276 /* 277 * This code looks a little hairy because we want to avoid unnecessary 278 * hostname lookups. 279 * 280 * The KNOWN pattern requires that both address AND name be known; some 281 * patterns are specific to host names or to host addresses; all other 282 * patterns are satisfied when either the address OR the name match. 283 */ 284 285 if (tok[0] == '@') { /* netgroup: look it up */ 286 #ifdef NETGROUP 287 static char *mydomain = 0; 288 if (mydomain == 0) 289 yp_get_default_domain(&mydomain); 290 return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain)); 291 #else 292 tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ 293 return (NO); 294 #endif 295 } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ 296 char *name = eval_hostname(host); 297 return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); 298 } else if (STR_EQ(tok, "LOCAL")) { /* local: no dots in name */ 299 char *name = eval_hostname(host); 300 return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name)); 301 } else if (strncmp(tok, "{RBL}.", 6) == 0) { /* RBL lookup in domain */ 302 return rbl_match(tok+6, eval_hostaddr(host)); 303 } else if ((mask = split_at(tok, '/')) != 0) { /* net/mask */ 304 return (masked_match(tok, mask, eval_hostaddr(host))); 305 } else { /* anything else */ 306 return (string_match(tok, eval_hostaddr(host)) 307 || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host)))); 308 } 309 } 310 311 /* rbl_match() - match host by looking up in RBL domain */ 312 313 static int rbl_match(rbl_domain, rbl_hostaddr) 314 char *rbl_domain; /* RBL domain */ 315 char *rbl_hostaddr; /* hostaddr */ 316 { 317 char *rbl_name; 318 unsigned long host_address; 319 int ret = NO; 320 size_t len = strlen(rbl_domain) + (4 * 4) + 2; 321 322 if (dot_quad_addr(rbl_hostaddr, &host_address) != 0) { 323 tcpd_warn("unable to convert %s to address", rbl_hostaddr); 324 return (NO); 325 } 326 /* construct the rbl name to look up */ 327 if ((rbl_name = malloc(len)) == NULL) { 328 tcpd_jump("not enough memory to build RBL name for %s in %s", rbl_hostaddr, rbl_domain); 329 /* NOTREACHED */ 330 } 331 snprintf(rbl_name, len, "%u.%u.%u.%u.%s", 332 (unsigned int) ((host_address) & 0xff), 333 (unsigned int) ((host_address >> 8) & 0xff), 334 (unsigned int) ((host_address >> 16) & 0xff), 335 (unsigned int) ((host_address >> 24) & 0xff), 336 rbl_domain); 337 /* look it up */ 338 if (gethostbyname(rbl_name) != NULL) { 339 /* successful lookup - they're on the RBL list */ 340 ret = YES; 341 } 342 free(rbl_name); 343 344 return ret; 345 } 346 347 /* string_match - match string against pattern */ 348 349 static int string_match(tok, string) 350 char *tok; 351 char *string; 352 { 353 int n; 354 355 if (tok[0] == '.') { /* suffix */ 356 n = strlen(string) - strlen(tok); 357 return (n > 0 && STR_EQ(tok, string + n)); 358 } else if (STR_EQ(tok, "ALL")) { /* all: match any */ 359 return (YES); 360 } else if (STR_EQ(tok, "KNOWN")) { /* not unknown */ 361 return (STR_NE(string, unknown)); 362 } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ 363 return (STRN_EQ(tok, string, n)); 364 } else { /* exact match */ 365 return (STR_EQ(tok, string)); 366 } 367 } 368 369 /* masked_match - match address against netnumber/netmask */ 370 371 static int masked_match(net_tok, mask_tok, string) 372 char *net_tok; 373 char *mask_tok; 374 char *string; 375 { 376 #ifndef INET6 377 return masked_match4(net_tok, mask_tok, string); 378 #else 379 if (dot_quad_addr(net_tok, NULL) != INADDR_NONE 380 && dot_quad_addr(mask_tok, NULL) != INADDR_NONE 381 && dot_quad_addr(string, NULL) != INADDR_NONE) { 382 return masked_match4(net_tok, mask_tok, string); 383 } else 384 return masked_match6(net_tok, mask_tok, string); 385 #endif 386 } 387 388 static int masked_match4(net_tok, mask_tok, string) 389 char *net_tok; 390 char *mask_tok; 391 char *string; 392 { 393 unsigned long net; 394 unsigned long mask; 395 unsigned long addr; 396 397 /* 398 * Disallow forms other than dotted quad: the treatment that inet_addr() 399 * gives to forms with less than four components is inconsistent with the 400 * access control language. John P. Rouillard <rouilj@cs.umb.edu>. 401 */ 402 403 if (dot_quad_addr(string, &addr) != 0) 404 return (NO); 405 if (dot_quad_addr(net_tok, &net) != 0 406 || dot_quad_addr(mask_tok, &mask) != 0) { 407 tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); 408 return (NO); /* not tcpd_jump() */ 409 } 410 return ((addr & mask) == net); 411 } 412 413 #ifdef INET6 414 /* Ugly because it covers IPv4 mapped address. I hate mapped addresses. */ 415 static int masked_match6(net_tok, mask_tok, string) 416 char *net_tok; 417 char *mask_tok; 418 char *string; 419 { 420 struct in6_addr net; 421 struct in6_addr mask; 422 struct in6_addr addr; 423 int masklen; 424 int fail; 425 int i; 426 int maskoff; 427 int netaf; 428 const int sizoff64 = sizeof(struct in6_addr) - sizeof(struct in_addr); 429 430 memset(&addr, 0, sizeof(addr)); 431 if (inet_pton(AF_INET6, string, &addr) == 1) 432 ; /* okay */ 433 else if (inet_pton(AF_INET, string, &addr.s6_addr[sizoff64]) == 1) 434 addr.s6_addr[10] = addr.s6_addr[11] = 0xff; 435 else 436 return NO; 437 438 memset(&net, 0, sizeof(net)); 439 if (inet_pton(AF_INET6, net_tok, &net) == 1) { 440 netaf = AF_INET6; 441 maskoff = 0; 442 } else if (inet_pton(AF_INET, net_tok, &net.s6_addr[sizoff64]) == 1) { 443 netaf = AF_INET; 444 maskoff = sizoff64; 445 net.s6_addr[10] = net.s6_addr[11] = 0xff; 446 } else 447 return NO; 448 449 fail = 0; 450 if (mask_tok[strspn(mask_tok, "0123456789")] == '\0') { 451 masklen = atoi(mask_tok) + maskoff * 8; 452 if (0 <= masklen && masklen <= 128) { 453 memset(&mask, 0, sizeof(mask)); 454 memset(&mask, 0xff, masklen / 8); 455 if (masklen % 8) { 456 ((u_char *)&mask)[masklen / 8] = 457 (0xff00 >> (masklen % 8)) & 0xff; 458 } 459 } else 460 fail++; 461 } else if (netaf == AF_INET6 && inet_pton(AF_INET6, mask_tok, &mask) == 1) 462 ; /* okay */ 463 else if (netaf == AF_INET 464 && inet_pton(AF_INET, mask_tok, &mask.s6_addr[12]) == 1) { 465 memset(&mask, 0xff, sizoff64); 466 } else 467 fail++; 468 if (fail) { 469 tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); 470 return (NO); /* not tcpd_jump() */ 471 } 472 473 for (i = 0; i < sizeof(addr); i++) 474 addr.s6_addr[i] &= mask.s6_addr[i]; 475 return (memcmp(&addr, &net, sizeof(addr)) == 0); 476 } 477 #endif 478