1 /* $NetBSD: tcpdmatch.c,v 1.4 1998/03/05 18:23:31 christos Exp $ */ 2 3 /* 4 * tcpdmatch - explain what tcpd would do in a specific case 5 * 6 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host 7 * 8 * -d: use the access control tables in the current directory. 9 * 10 * -i: location of inetd.conf file. 11 * 12 * All errors are reported to the standard error stream, including the errors 13 * that would normally be reported via the syslog daemon. 14 * 15 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 16 */ 17 18 #include <sys/cdefs.h> 19 #ifndef lint 20 #if 0 21 static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36"; 22 #else 23 __RCSID("$NetBSD: tcpdmatch.c,v 1.4 1998/03/05 18:23:31 christos Exp $"); 24 #endif 25 #endif 26 27 /* System libraries. */ 28 29 #include <sys/types.h> 30 #include <sys/stat.h> 31 #include <sys/socket.h> 32 #include <netinet/in.h> 33 #include <arpa/inet.h> 34 #include <netdb.h> 35 #include <stdio.h> 36 #include <syslog.h> 37 #include <setjmp.h> 38 #include <string.h> 39 #include <stdlib.h> 40 #include <unistd.h> 41 42 #ifndef INADDR_NONE 43 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 44 #endif 45 46 #ifndef S_ISDIR 47 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) 48 #endif 49 50 /* Application-specific. */ 51 52 #include "tcpd.h" 53 #include "inetcf.h" 54 #include "scaffold.h" 55 56 static void usage __P((char *)); 57 static void expand __P((char *, char *, struct request_info *)); 58 static void tcpdmatch __P((struct request_info *)); 59 int main __P((int, char **)); 60 61 /* The main program */ 62 63 int main(argc, argv) 64 int argc; 65 char **argv; 66 { 67 struct hostent *hp; 68 char *myname = argv[0]; 69 char *client; 70 char *server; 71 char *addr; 72 char *user; 73 char *daemon; 74 struct request_info request; 75 int ch; 76 char *inetcf = 0; 77 int count; 78 struct sockaddr_in server_sin; 79 struct sockaddr_in client_sin; 80 struct stat st; 81 82 /* 83 * Show what rule actually matched. 84 */ 85 hosts_access_verbose = 2; 86 87 /* 88 * Parse the JCL. 89 */ 90 while ((ch = getopt(argc, argv, "di:")) != -1) { 91 switch (ch) { 92 case 'd': 93 hosts_allow_table = "hosts.allow"; 94 hosts_deny_table = "hosts.deny"; 95 break; 96 case 'i': 97 inetcf = optarg; 98 break; 99 default: 100 usage(myname); 101 /* NOTREACHED */ 102 } 103 } 104 if (argc != optind + 2) 105 usage(myname); 106 107 /* 108 * When confusion really strikes... 109 */ 110 if (check_path(REAL_DAEMON_DIR, &st) < 0) { 111 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); 112 } else if (!S_ISDIR(st.st_mode)) { 113 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); 114 } 115 116 /* 117 * Default is to specify a daemon process name. When daemon@host is 118 * specified, separate the two parts. 119 */ 120 if ((server = split_at(argv[optind], '@')) == 0) 121 server = unknown; 122 if (argv[optind][0] == '/') { 123 daemon = strrchr(argv[optind], '/') + 1; 124 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon); 125 } else { 126 daemon = argv[optind]; 127 } 128 129 /* 130 * Default is to specify a client hostname or address. When user@host is 131 * specified, separate the two parts. 132 */ 133 if ((client = split_at(argv[optind + 1], '@')) != 0) { 134 user = argv[optind + 1]; 135 } else { 136 client = argv[optind + 1]; 137 user = unknown; 138 } 139 140 /* 141 * Analyze the inetd (or tlid) configuration file, so that we can warn 142 * the user about services that may not be wrapped, services that are not 143 * configured, or services that are wrapped in an incorrect manner. Allow 144 * for services that are not run from inetd, or that have tcpd access 145 * control built into them. 146 */ 147 inetcf = inet_cfg(inetcf); 148 inet_set("portmap", WR_NOT); 149 inet_set("rpcbind", WR_NOT); 150 switch (inet_get(daemon)) { 151 case WR_UNKNOWN: 152 tcpd_warn("%s: no such process name in %s", daemon, inetcf); 153 break; 154 case WR_NOT: 155 tcpd_warn("%s: service possibly not wrapped", daemon); 156 break; 157 } 158 159 /* 160 * Check accessibility of access control files. 161 */ 162 (void) check_path(hosts_allow_table, &st); 163 (void) check_path(hosts_deny_table, &st); 164 165 /* 166 * Fill in what we have figured out sofar. Use socket and DNS routines 167 * for address and name conversions. We attach stdout to the request so 168 * that banner messages will become visible. 169 */ 170 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0); 171 sock_methods(&request); 172 173 /* 174 * If a server hostname is specified, insist that the name maps to at 175 * most one address. eval_hostname() warns the user about name server 176 * problems, while using the request.server structure as a cache for host 177 * address and name conversion results. 178 */ 179 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { 180 if ((hp = find_inet_addr(server)) == 0) 181 exit(1); 182 memset((char *) &server_sin, 0, sizeof(server_sin)); 183 server_sin.sin_family = AF_INET; 184 request_set(&request, RQ_SERVER_SIN, &server_sin, 0); 185 186 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 187 memcpy((char *) &server_sin.sin_addr, addr, 188 sizeof(server_sin.sin_addr)); 189 190 /* 191 * Force evaluation of server host name and address. Host name 192 * conflicts will be reported while eval_hostname() does its job. 193 */ 194 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0); 195 if (STR_EQ(eval_hostname(request.server), unknown)) 196 tcpd_warn("host address %s->name lookup failed", 197 eval_hostaddr(request.server)); 198 } 199 if (count > 1) { 200 fprintf(stderr, "Error: %s has more than one address\n", server); 201 fprintf(stderr, "Please specify an address instead\n"); 202 exit(1); 203 } 204 free((char *) hp); 205 } else { 206 request_set(&request, RQ_SERVER_NAME, server, 0); 207 } 208 209 /* 210 * If a client address is specified, we simulate the effect of client 211 * hostname lookup failure. 212 */ 213 if (dot_quad_addr(client) != INADDR_NONE) { 214 request_set(&request, RQ_CLIENT_ADDR, client, 0); 215 tcpdmatch(&request); 216 exit(0); 217 } 218 219 /* 220 * Perhaps they are testing special client hostname patterns that aren't 221 * really host names at all. 222 */ 223 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) { 224 request_set(&request, RQ_CLIENT_NAME, client, 0); 225 tcpdmatch(&request); 226 exit(0); 227 } 228 229 /* 230 * Otherwise, assume that a client hostname is specified, and insist that 231 * the address can be looked up. The reason for this requirement is that 232 * in real life the client address is available (at least with IP). Let 233 * eval_hostname() figure out if this host is properly registered, while 234 * using the request.client structure as a cache for host name and 235 * address conversion results. 236 */ 237 if ((hp = find_inet_addr(client)) == 0) 238 exit(1); 239 memset((char *) &client_sin, 0, sizeof(client_sin)); 240 client_sin.sin_family = AF_INET; 241 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); 242 243 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { 244 memcpy((char *) &client_sin.sin_addr, addr, 245 sizeof(client_sin.sin_addr)); 246 247 /* 248 * Force evaluation of client host name and address. Host name 249 * conflicts will be reported while eval_hostname() does its job. 250 */ 251 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); 252 if (STR_EQ(eval_hostname(request.client), unknown)) 253 tcpd_warn("host address %s->name lookup failed", 254 eval_hostaddr(request.client)); 255 tcpdmatch(&request); 256 if (hp->h_addr_list[count + 1]) 257 printf("\n"); 258 } 259 free((char *) hp); 260 exit(0); 261 } 262 263 /* Explain how to use this program */ 264 265 static void usage(myname) 266 char *myname; 267 { 268 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n", 269 myname); 270 fprintf(stderr, " -d: use allow/deny files in current directory\n"); 271 fprintf(stderr, " -i: location of inetd.conf file\n"); 272 exit(1); 273 } 274 275 /* Print interesting expansions */ 276 277 static void expand(text, pattern, request) 278 char *text; 279 char *pattern; 280 struct request_info *request; 281 { 282 char buf[BUFSIZ]; 283 284 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown)) 285 printf("%s %s\n", text, buf); 286 } 287 288 /* Try out a (server,client) pair */ 289 290 static void tcpdmatch(request) 291 struct request_info *request; 292 { 293 int verdict; 294 295 /* 296 * Show what we really know. Suppress uninteresting noise. 297 */ 298 expand("client: hostname", "%n", request); 299 expand("client: address ", "%a", request); 300 expand("client: username", "%u", request); 301 expand("server: hostname", "%N", request); 302 expand("server: address ", "%A", request); 303 expand("server: process ", "%d", request); 304 305 /* 306 * Reset stuff that might be changed by options handlers. In dry-run 307 * mode, extension language routines that would not return should inform 308 * us of their plan, by clearing the dry_run flag. This is a bit clumsy 309 * but we must be able to verify hosts with more than one network 310 * address. 311 */ 312 rfc931_timeout = RFC931_TIMEOUT; 313 allow_severity = SEVERITY; 314 deny_severity = LOG_WARNING; 315 dry_run = 1; 316 317 /* 318 * When paranoid mode is enabled, access is rejected no matter what the 319 * access control rules say. 320 */ 321 #ifdef PARANOID 322 if (STR_EQ(eval_hostname(request->client), paranoid)) { 323 printf("access: denied (PARANOID mode)\n\n"); 324 return; 325 } 326 #endif 327 328 /* 329 * Report the access control verdict. 330 */ 331 verdict = hosts_access(request); 332 printf("access: %s\n", 333 dry_run == 0 ? "delegated" : 334 verdict ? "granted" : "denied"); 335 } 336