xref: /netbsd-src/lib/libwrap/hosts_access.c (revision 2a399c6883d870daece976daec6ffa7bb7f934ce) 
1 /*	$NetBSD: hosts_access.c,v 1.3 1997/10/26 20:49:32 christos Exp $	*/
2 
3  /*
4   * This module implements a simple access control language that is based on
5   * host (or domain) names, NIS (host) netgroup names, IP addresses (or
6   * network numbers) and daemon process names. When a match is found the
7   * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
8   * a list of options is executed or an optional shell command is executed.
9   *
10   * Host and user names are looked up on demand, provided that suitable endpoint
11   * information is available as sockaddr_in structures or TLI netbufs. As a
12   * side effect, the pattern matching process may change the contents of
13   * request structure fields.
14   *
15   * Diagnostics are reported through syslog(3).
16   *
17   * Compile with -DNETGROUP if your library provides support for netgroups.
18   *
19   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
20   */
21 
22 #include <sys/cdefs.h>
23 #ifndef lint
24 #if 0
25 static char sccsid[] = "@(#) hosts_access.c 1.20 96/02/11 17:01:27";
26 #else
27 __RCSID("$NetBSD: hosts_access.c,v 1.3 1997/10/26 20:49:32 christos Exp $");
28 #endif
29 #endif
30 
31 /* System libraries. */
32 
33 #include <sys/types.h>
34 #include <sys/param.h>
35 #include <netinet/in.h>
36 #include <arpa/inet.h>
37 #include <stdio.h>
38 #include <syslog.h>
39 #include <ctype.h>
40 #include <errno.h>
41 #include <setjmp.h>
42 #include <string.h>
43 #ifdef  NETGROUP
44 #include <netgroup.h>
45 #include <rpcsvc/ypclnt.h>
46 #endif
47 
48 extern int errno;
49 
50 #ifndef	INADDR_NONE
51 #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
52 #endif
53 
54 /* Local stuff. */
55 
56 #include "tcpd.h"
57 
58 /* Error handling. */
59 
60 extern jmp_buf tcpd_buf;
61 
62 /* Delimiters for lists of daemons or clients. */
63 
64 static char sep[] = ", \t\r\n";
65 
66 /* Constants to be used in assignments only, not in comparisons... */
67 
68 #define	YES		1
69 #define	NO		0
70 
71  /*
72   * These variables are globally visible so that they can be redirected in
73   * verification mode.
74   */
75 
76 char   *hosts_allow_table = HOSTS_ALLOW;
77 char   *hosts_deny_table = HOSTS_DENY;
78 int     hosts_access_verbose = 0;
79 
80  /*
81   * In a long-running process, we are not at liberty to just go away.
82   */
83 
84 int     resident = (-1);		/* -1, 0: unknown; +1: yes */
85 
86 /* Forward declarations. */
87 
88 static int table_match __P((char *, struct request_info *));
89 static int list_match __P((char *, struct request_info *,
90     int (*)(char *, struct request_info *)));
91 static int server_match __P((char *, struct request_info *));
92 static int client_match __P((char *, struct request_info *));
93 static int host_match __P((char *, struct host_info *));
94 static int string_match __P((char *, char *));
95 static int masked_match __P((char *, char *, char *));
96 
97 /* Size of logical line buffer. */
98 
99 #define	BUFLEN 2048
100 
101 /* hosts_access - host access control facility */
102 
103 int     hosts_access(request)
104 struct request_info *request;
105 {
106     int     verdict;
107 
108     /*
109      * If the (daemon, client) pair is matched by an entry in the file
110      * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
111      * client) pair is matched by an entry in the file /etc/hosts.deny,
112      * access is denied. Otherwise, access is granted. A non-existent
113      * access-control file is treated as an empty file.
114      *
115      * After a rule has been matched, the optional language extensions may
116      * decide to grant or refuse service anyway. Or, while a rule is being
117      * processed, a serious error is found, and it seems better to play safe
118      * and deny service. All this is done by jumping back into the
119      * hosts_access() routine, bypassing the regular return from the
120      * table_match() function calls below.
121      */
122 
123     if (resident <= 0)
124 	resident++;
125     if ((verdict = setjmp(tcpd_buf)) != 0)
126 	return (verdict == AC_PERMIT);
127     if (table_match(hosts_allow_table, request))
128 	return (YES);
129     if (table_match(hosts_deny_table, request))
130 	return (NO);
131     return (YES);
132 }
133 
134 /* table_match - match table entries with (daemon, client) pair */
135 
136 static int table_match(table, request)
137 char   *table;
138 struct request_info *request;
139 {
140     FILE   *fp;
141     char    sv_list[BUFLEN];		/* becomes list of daemons */
142     char   *cl_list;			/* becomes list of clients */
143     char   *sh_cmd = NULL;		/* becomes optional shell command */
144     int     match = NO;
145     struct tcpd_context saved_context;
146 
147     saved_context = tcpd_context;		/* stupid compilers */
148 
149     /*
150      * Between the fopen() and fclose() calls, avoid jumps that may cause
151      * file descriptor leaks.
152      */
153 
154     if ((fp = fopen(table, "r")) != 0) {
155 	tcpd_context.file = table;
156 	tcpd_context.line = 0;
157 	while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
158 	    if (sv_list[strlen(sv_list) - 1] != '\n') {
159 		tcpd_warn("missing newline or line too long");
160 		continue;
161 	    }
162 	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
163 		continue;
164 	    if ((cl_list = split_at(sv_list, ':')) == 0) {
165 		tcpd_warn("missing \":\" separator");
166 		continue;
167 	    }
168 	    sh_cmd = split_at(cl_list, ':');
169 	    match = list_match(sv_list, request, server_match)
170 		&& list_match(cl_list, request, client_match);
171 	}
172 	(void) fclose(fp);
173     } else if (errno != ENOENT) {
174 	tcpd_warn("cannot open %s: %m", table);
175     }
176     if (match) {
177 	if (hosts_access_verbose > 1)
178 	    syslog(LOG_DEBUG, "matched:  %s line %d",
179 		   tcpd_context.file, tcpd_context.line);
180 	if (sh_cmd) {
181 #ifdef PROCESS_OPTIONS
182 	    process_options(sh_cmd, request);
183 #else
184 	    char    cmd[BUFSIZ];
185 	    shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
186 #endif
187 	}
188     }
189     tcpd_context = saved_context;
190     return (match);
191 }
192 
193 /* list_match - match a request against a list of patterns with exceptions */
194 
195 static int list_match(list, request, match_fn)
196 char   *list;
197 struct request_info *request;
198 int   (*match_fn) __P((char *, struct request_info *));
199 {
200     char   *tok;
201 
202     /*
203      * Process tokens one at a time. We have exhausted all possible matches
204      * when we reach an "EXCEPT" token or the end of the list. If we do find
205      * a match, look for an "EXCEPT" list and recurse to determine whether
206      * the match is affected by any exceptions.
207      */
208 
209     for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
210 	if (STR_EQ(tok, "EXCEPT"))		/* EXCEPT: give up */
211 	    return (NO);
212 	if (match_fn(tok, request)) {		/* YES: look for exceptions */
213 	    while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))
214 		 /* VOID */ ;
215 	    return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);
216 	}
217     }
218     return (NO);
219 }
220 
221 /* server_match - match server information */
222 
223 static int server_match(tok, request)
224 char   *tok;
225 struct request_info *request;
226 {
227     char   *host;
228 
229     if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */
230 	return (string_match(tok, eval_daemon(request)));
231     } else {					/* daemon@host */
232 	return (string_match(tok, eval_daemon(request))
233 		&& host_match(host, request->server));
234     }
235 }
236 
237 /* client_match - match client information */
238 
239 static int client_match(tok, request)
240 char   *tok;
241 struct request_info *request;
242 {
243     char   *host;
244 
245     if ((host = split_at(tok + 1, '@')) == 0) {	/* plain host */
246 	return (host_match(tok, request->client));
247     } else {					/* user@host */
248 	return (host_match(host, request->client)
249 		&& string_match(tok, eval_user(request)));
250     }
251 }
252 
253 /* host_match - match host name and/or address against pattern */
254 
255 static int host_match(tok, host)
256 char   *tok;
257 struct host_info *host;
258 {
259     char   *mask;
260 
261     /*
262      * This code looks a little hairy because we want to avoid unnecessary
263      * hostname lookups.
264      *
265      * The KNOWN pattern requires that both address AND name be known; some
266      * patterns are specific to host names or to host addresses; all other
267      * patterns are satisfied when either the address OR the name match.
268      */
269 
270     if (tok[0] == '@') {			/* netgroup: look it up */
271 #ifdef  NETGROUP
272 	static char *mydomain = 0;
273 	if (mydomain == 0)
274 	    yp_get_default_domain(&mydomain);
275 	return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));
276 #else
277 	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
278 	return (NO);
279 #endif
280     } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
281 	char   *name = eval_hostname(host);
282 	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
283     } else if (STR_EQ(tok, "LOCAL")) {		/* local: no dots in name */
284 	char   *name = eval_hostname(host);
285 	return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
286     } else if ((mask = split_at(tok, '/')) != 0) {	/* net/mask */
287 	return (masked_match(tok, mask, eval_hostaddr(host)));
288     } else {					/* anything else */
289 	return (string_match(tok, eval_hostaddr(host))
290 	    || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
291     }
292 }
293 
294 /* string_match - match string against pattern */
295 
296 static int string_match(tok, string)
297 char   *tok;
298 char   *string;
299 {
300     int     n;
301 
302     if (tok[0] == '.') {			/* suffix */
303 	n = strlen(string) - strlen(tok);
304 	return (n > 0 && STR_EQ(tok, string + n));
305     } else if (STR_EQ(tok, "ALL")) {		/* all: match any */
306 	return (YES);
307     } else if (STR_EQ(tok, "KNOWN")) {		/* not unknown */
308 	return (STR_NE(string, unknown));
309     } else if (tok[(n = strlen(tok)) - 1] == '.') {	/* prefix */
310 	return (STRN_EQ(tok, string, n));
311     } else {					/* exact match */
312 	return (STR_EQ(tok, string));
313     }
314 }
315 
316 /* masked_match - match address against netnumber/netmask */
317 
318 static int masked_match(net_tok, mask_tok, string)
319 char   *net_tok;
320 char   *mask_tok;
321 char   *string;
322 {
323     unsigned long net;
324     unsigned long mask;
325     unsigned long addr;
326 
327     /*
328      * Disallow forms other than dotted quad: the treatment that inet_addr()
329      * gives to forms with less than four components is inconsistent with the
330      * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
331      */
332 
333     if ((addr = dot_quad_addr(string)) == INADDR_NONE)
334 	return (NO);
335     if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
336 	|| (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
337 	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
338 	return (NO);				/* not tcpd_jump() */
339     }
340     return ((addr & mask) == net);
341 }
342