2 * tcpdchk - examine all tcpd access control rules and inetd.conf entries
4 * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
6 * -a: complain about implicit "allow" at end of rule.
8 * -d: rules in current directory.
10 * -i: location of inetd.conf file.
14 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
20 static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
23 /* System libraries. */
25 #include <sys/types.h>
28 #include <sys/socket.h>
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
42 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
46 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
49 /* Application-specific. */
56 * Stolen from hosts_access.c...
58 static char sep[] = ", \t\n";
63 int hosts_access_verbose = 0;
64 char *hosts_allow_table = HOSTS_ALLOW;
65 char *hosts_deny_table = HOSTS_DENY;
66 extern jmp_buf tcpd_buf;
71 static void usage(void);
72 static void parse_table(char *table, struct request_info *request);
73 static void print_list(char *title, char *list);
74 static void check_daemon_list(char *list);
75 static void check_client_list(char *list);
76 static void check_daemon(char *pat);
77 static void check_user(char *pat);
78 static int check_host(char *pat);
79 static int reserved_name(char *pat);
87 static int defl_verdict;
89 static int allow_check;
92 int main(int argc, char **argv)
94 struct request_info request;
103 while ((c = getopt(argc, argv, "adi:v")) != EOF) {
109 hosts_allow_table = "hosts.allow";
110 hosts_deny_table = "hosts.deny";
116 hosts_access_verbose++;
127 * When confusion really strikes...
129 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
130 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
131 } else if (!S_ISDIR(st.st_mode)) {
132 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
136 * Process the inet configuration file (or its moral equivalent). This
137 * information is used later to find references in hosts.allow/deny to
138 * unwrapped services, and other possible problems.
140 inetcf = inet_cfg(inetcf);
141 if (hosts_access_verbose)
142 printf("Using network configuration file: %s\n", inetcf);
145 * These are not run from inetd but may have built-in access control.
147 inet_set("portmap", WR_NOT);
148 inet_set("rpcbind", WR_NOT);
151 * Check accessibility of access control files.
153 (void) check_path(hosts_allow_table, &st);
154 (void) check_path(hosts_deny_table, &st);
157 * Fake up an arbitrary service request.
159 request_init(&request,
160 RQ_DAEMON, "daemon_name",
161 RQ_SERVER_NAME, "server_hostname",
162 RQ_SERVER_ADDR, "server_addr",
163 RQ_USER, "user_name",
164 RQ_CLIENT_NAME, "client_hostname",
165 RQ_CLIENT_ADDR, "client_addr",
170 * Examine all access-control rules.
172 defl_verdict = PERMIT;
173 parse_table(hosts_allow_table, &request);
175 parse_table(hosts_deny_table, &request);
179 /* usage - explain */
181 static void usage(void)
183 fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
184 fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
185 fprintf(stderr, " -d: use allow/deny files in current directory\n");
186 fprintf(stderr, " -i: location of inetd.conf file\n");
187 fprintf(stderr, " -v: list all rules\n");
191 /* parse_table - like table_match(), but examines _all_ entries */
193 static void parse_table(char *table, struct request_info *request)
197 char sv_list[BUFLEN]; /* becomes list of daemons */
198 char *cl_list; /* becomes list of requests */
199 char *sh_cmd; /* becomes optional shell command */
202 struct tcpd_context saved_context;
204 saved_context = tcpd_context; /* stupid compilers */
206 if (fp = fopen(table, "r")) {
207 tcpd_context.file = table;
208 tcpd_context.line = 0;
209 while (xgets(sv_list, sizeof(sv_list), fp)) {
210 if (sv_list[strlen(sv_list) - 1] != '\n') {
211 tcpd_warn("missing newline or line too long");
214 if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
216 if ((cl_list = split_at(sv_list, ':')) == 0) {
217 tcpd_warn("missing \":\" separator");
220 sh_cmd = split_at(cl_list, ':');
222 if (hosts_access_verbose)
223 printf("\n>>> Rule %s line %d:\n",
224 tcpd_context.file, tcpd_context.line);
226 if (hosts_access_verbose)
227 print_list("daemons: ", sv_list);
228 check_daemon_list(sv_list);
230 if (hosts_access_verbose)
231 print_list("clients: ", cl_list);
232 check_client_list(cl_list);
234 #ifdef PROCESS_OPTIONS
235 real_verdict = defl_verdict;
237 verdict = setjmp(tcpd_buf);
239 real_verdict = (verdict == AC_PERMIT);
242 process_options(sh_cmd, request);
243 if (dry_run == 1 && real_verdict && allow_check)
244 tcpd_warn("implicit \"allow\" at end of rule");
246 } else if (defl_verdict && allow_check) {
247 tcpd_warn("implicit \"allow\" at end of rule");
249 if (hosts_access_verbose)
250 printf("access: %s\n", real_verdict ? "granted" : "denied");
253 shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
254 if (hosts_access_verbose)
255 printf("access: %s\n", defl_verdict ? "granted" : "denied");
259 } else if (errno != ENOENT) {
260 tcpd_warn("cannot open %s: %m", table);
262 tcpd_context = saved_context;
265 /* print_list - pretty-print a list */
267 static void print_list(char *title, char *list)
273 fputs(title, stdout);
276 for (cp = strtok(buf, sep); cp != 0; cp = next) {
278 next = strtok((char *) 0, sep);
285 /* check_daemon_list - criticize daemon list */
287 static void check_daemon_list(char *list)
296 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
297 if (STR_EQ(cp, "EXCEPT")) {
301 if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
302 tcpd_warn("host %s has more than one address", host);
303 tcpd_warn("(consider using an address instead)");
309 tcpd_warn("daemon list is empty or ends in EXCEPT");
312 /* check_client_list - criticize client list */
314 static void check_client_list(char *list)
323 for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
324 if (STR_EQ(cp, "EXCEPT")) {
328 if (host = split_at(cp + 1, '@')) { /* user@host */
337 tcpd_warn("client list is empty or ends in EXCEPT");
340 /* check_daemon - criticize daemon pattern */
342 static void check_daemon(char *pat)
345 tcpd_warn("%s: daemon name begins with \"@\"", pat);
346 } else if (pat[0] == '/') {
347 tcpd_warn("%s: daemon name begins with \"/\"", pat);
348 } else if (pat[0] == '.') {
349 tcpd_warn("%s: daemon name begins with dot", pat);
350 } else if (pat[strlen(pat) - 1] == '.') {
351 tcpd_warn("%s: daemon name ends in dot", pat);
352 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
354 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
355 tcpd_warn("FAIL is no longer recognized");
356 tcpd_warn("(use EXCEPT or DENY instead)");
357 } else if (reserved_name(pat)) {
358 tcpd_warn("%s: daemon name may be reserved word", pat);
360 switch (inet_get(pat)) {
362 tcpd_warn("%s: no such process name in %s", pat, inetcf);
363 inet_set(pat, WR_YES); /* shut up next time */
366 tcpd_warn("%s: service possibly not wrapped", pat);
367 inet_set(pat, WR_YES);
373 /* check_user - criticize user pattern */
375 static void check_user(char *pat)
377 if (pat[0] == '@') { /* @netgroup */
378 tcpd_warn("%s: user name begins with \"@\"", pat);
379 } else if (pat[0] == '/') {
380 tcpd_warn("%s: user name begins with \"/\"", pat);
381 } else if (pat[0] == '.') {
382 tcpd_warn("%s: user name begins with dot", pat);
383 } else if (pat[strlen(pat) - 1] == '.') {
384 tcpd_warn("%s: user name ends in dot", pat);
385 } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
386 || STR_EQ(pat, "KNOWN")) {
388 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
389 tcpd_warn("FAIL is no longer recognized");
390 tcpd_warn("(use EXCEPT or DENY instead)");
391 } else if (reserved_name(pat)) {
392 tcpd_warn("%s: user name may be reserved word", pat);
397 static int is_inet6_addr(char *pat)
399 struct addrinfo hints, *res;
406 if ((ch = pat[len - 1]) != ']')
409 memset(&hints, 0, sizeof(hints));
410 hints.ai_family = AF_INET6;
411 hints.ai_socktype = SOCK_STREAM;
412 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
413 if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
420 /* check_host - criticize host pattern */
422 static int check_host(char *pat)
428 struct tcpd_context saved_context;
430 char *wsp = " \t\r\n";
432 if (pat[0] == '@') { /* @netgroup */
434 /* SCO has no *netgrent() support */
441 setnetgrent(pat + 1);
442 if (getnetgrent(&machinep, &userp, &domainp) == 0)
443 tcpd_warn("%s: unknown or empty netgroup", pat + 1);
446 tcpd_warn("netgroup support disabled");
449 } else if (pat[0] == '/') { /* /path/name */
450 if ((fp = fopen(pat, "r")) != 0) {
451 saved_context = tcpd_context;
452 tcpd_context.file = pat;
453 tcpd_context.line = 0;
454 while (fgets(buf, sizeof(buf), fp)) {
456 for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
459 tcpd_context = saved_context;
461 } else if (errno != ENOENT) {
462 tcpd_warn("open %s: %m", pat);
464 } else if (mask = split_at(pat, '/')) { /* network/netmask */
468 if ((dot_quad_addr(pat) == INADDR_NONE
469 || dot_quad_addr(mask) == INADDR_NONE)
470 && (!is_inet6_addr(pat)
471 || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
473 if (dot_quad_addr(pat) == INADDR_NONE
474 || dot_quad_addr(mask) == INADDR_NONE)
476 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
477 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
478 tcpd_warn("FAIL is no longer recognized");
479 tcpd_warn("(use EXCEPT or DENY instead)");
480 } else if (reserved_name(pat)) { /* other reserved */
483 } else if (is_inet6_addr(pat)) { /* IPv6 address */
486 } else if (NOT_INADDR(pat)) { /* internet name */
487 if (pat[strlen(pat) - 1] == '.') {
488 tcpd_warn("%s: domain or host name ends in dot", pat);
489 } else if (pat[0] != '.') {
490 addr_count = check_dns(pat);
492 } else { /* numeric form */
493 if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
495 } else if (pat[0] == '.') {
496 tcpd_warn("%s: network number begins with dot", pat);
497 } else if (pat[strlen(pat) - 1] != '.') {
504 /* reserved_name - determine if name is reserved */
506 static int reserved_name(char *pat)
508 return (STR_EQ(pat, unknown)
509 || STR_EQ(pat, "KNOWN")
510 || STR_EQ(pat, paranoid)
511 || STR_EQ(pat, "ALL")
512 || STR_EQ(pat, "LOCAL"));