2 * tcpdmatch - explain what tcpd would do in a specific case
4 * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host
6 * -d: use the access control tables in the current directory.
8 * -i: location of inetd.conf file.
10 * All errors are reported to the standard error stream, including the errors
11 * that would normally be reported via the syslog daemon.
13 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
19 static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36";
22 /* System libraries. */
24 #include <sys/types.h>
26 #include <sys/socket.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
40 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
44 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
47 /* Application-specific. */
54 static void tcpdmatch();
56 /* The main program */
63 struct addrinfo hints, *hp, *res;
67 char *myname = argv[0];
73 struct request_info request;
78 struct sockaddr_storage server_sin;
79 struct sockaddr_storage client_sin;
81 struct sockaddr_in server_sin;
82 struct sockaddr_in client_sin;
87 * Show what rule actually matched.
89 hosts_access_verbose = 2;
94 while ((ch = getopt(argc, argv, "di:")) != EOF) {
97 hosts_allow_table = "hosts.allow";
98 hosts_deny_table = "hosts.deny";
108 if (argc != optind + 2)
112 * When confusion really strikes...
114 if (check_path(REAL_DAEMON_DIR, &st) < 0) {
115 tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
116 } else if (!S_ISDIR(st.st_mode)) {
117 tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
121 * Default is to specify a daemon process name. When daemon@host is
122 * specified, separate the two parts.
124 if ((server = split_at(argv[optind], '@')) == 0)
126 if (argv[optind][0] == '/') {
127 daemon = strrchr(argv[optind], '/') + 1;
128 tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon);
130 daemon = argv[optind];
134 * Default is to specify a client hostname or address. When user@host is
135 * specified, separate the two parts.
137 if ((client = split_at(argv[optind + 1], '@')) != 0) {
138 user = argv[optind + 1];
140 client = argv[optind + 1];
145 * Analyze the inetd (or tlid) configuration file, so that we can warn
146 * the user about services that may not be wrapped, services that are not
147 * configured, or services that are wrapped in an incorrect manner. Allow
148 * for services that are not run from inetd, or that have tcpd access
149 * control built into them.
151 inetcf = inet_cfg(inetcf);
152 inet_set("portmap", WR_NOT);
153 inet_set("rpcbind", WR_NOT);
154 switch (inet_get(daemon)) {
156 tcpd_warn("%s: no such process name in %s", daemon, inetcf);
159 tcpd_warn("%s: service possibly not wrapped", daemon);
164 * Check accessibility of access control files.
166 (void) check_path(hosts_allow_table, &st);
167 (void) check_path(hosts_deny_table, &st);
170 * Fill in what we have figured out sofar. Use socket and DNS routines
171 * for address and name conversions. We attach stdout to the request so
172 * that banner messages will become visible.
174 request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0);
175 sock_methods(&request);
178 * If a server hostname is specified, insist that the name maps to at
179 * most one address. eval_hostname() warns the user about name server
180 * problems, while using the request.server structure as a cache for host
181 * address and name conversion results.
183 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
184 if ((hp = find_inet_addr(server)) == 0)
187 memset((char *) &server_sin, 0, sizeof(server_sin));
188 server_sin.sin_family = AF_INET;
190 request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
193 for (res = hp, count = 0; res; res = res->ai_next, count++) {
194 memcpy(&server_sin, res->ai_addr, res->ai_addrlen);
196 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
197 memcpy((char *) &server_sin.sin_addr, addr,
198 sizeof(server_sin.sin_addr));
202 * Force evaluation of server host name and address. Host name
203 * conflicts will be reported while eval_hostname() does its job.
205 request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0);
206 if (STR_EQ(eval_hostname(request.server), unknown))
207 tcpd_warn("host address %s->name lookup failed",
208 eval_hostaddr(request.server));
211 fprintf(stderr, "Error: %s has more than one address\n", server);
212 fprintf(stderr, "Please specify an address instead\n");
221 request_set(&request, RQ_SERVER_NAME, server, 0);
225 * If a client address is specified, we simulate the effect of client
226 * hostname lookup failure.
228 if (dot_quad_addr(client) != INADDR_NONE) {
229 request_set(&request, RQ_CLIENT_ADDR, client, 0);
234 memset(&hints, 0, sizeof(hints));
235 hints.ai_family = AF_INET6;
236 hints.ai_socktype = SOCK_STREAM;
237 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
238 if (getaddrinfo(client, NULL, &hints, &res) == 0) {
240 request_set(&request, RQ_CLIENT_ADDR, client, 0);
247 * Perhaps they are testing special client hostname patterns that aren't
248 * really host names at all.
250 if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) {
251 request_set(&request, RQ_CLIENT_NAME, client, 0);
257 * Otherwise, assume that a client hostname is specified, and insist that
258 * the address can be looked up. The reason for this requirement is that
259 * in real life the client address is available (at least with IP). Let
260 * eval_hostname() figure out if this host is properly registered, while
261 * using the request.client structure as a cache for host name and
262 * address conversion results.
264 if ((hp = find_inet_addr(client)) == 0)
267 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
269 for (res = hp, count = 0; res; res = res->ai_next, count++) {
270 memcpy(&client_sin, res->ai_addr, res->ai_addrlen);
273 * getnameinfo() doesn't do reverse lookup against link-local
274 * address. So, we pass through host name evaluation against
277 if (res->ai_family != AF_INET6 ||
278 !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
280 * Force evaluation of client host name and address. Host name
281 * conflicts will be reported while eval_hostname() does its job.
283 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
284 if (STR_EQ(eval_hostname(request.client), unknown))
285 tcpd_warn("host address %s->name lookup failed",
286 eval_hostaddr(request.client));
294 memset((char *) &client_sin, 0, sizeof(client_sin));
295 client_sin.sin_family = AF_INET;
296 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
298 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
299 memcpy((char *) &client_sin.sin_addr, addr,
300 sizeof(client_sin.sin_addr));
303 * Force evaluation of client host name and address. Host name
304 * conflicts will be reported while eval_hostname() does its job.
306 request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
307 if (STR_EQ(eval_hostname(request.client), unknown))
308 tcpd_warn("host address %s->name lookup failed",
309 eval_hostaddr(request.client));
311 if (hp->h_addr_list[count + 1])
319 /* Explain how to use this program */
321 static void usage(myname)
324 fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n",
326 fprintf(stderr, " -d: use allow/deny files in current directory\n");
327 fprintf(stderr, " -i: location of inetd.conf file\n");
331 /* Print interesting expansions */
333 static void expand(text, pattern, request)
336 struct request_info *request;
340 if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown))
341 printf("%s %s\n", text, buf);
344 /* Try out a (server,client) pair */
346 static void tcpdmatch(request)
347 struct request_info *request;
352 * Show what we really know. Suppress uninteresting noise.
354 expand("client: hostname", "%n", request);
355 expand("client: address ", "%a", request);
356 expand("client: username", "%u", request);
357 expand("server: hostname", "%N", request);
358 expand("server: address ", "%A", request);
359 expand("server: process ", "%d", request);
362 * Reset stuff that might be changed by options handlers. In dry-run
363 * mode, extension language routines that would not return should inform
364 * us of their plan, by clearing the dry_run flag. This is a bit clumsy
365 * but we must be able to verify hosts with more than one network
368 rfc931_timeout = RFC931_TIMEOUT;
369 allow_severity = SEVERITY;
370 deny_severity = LOG_WARNING;
374 * When paranoid mode is enabled, access is rejected no matter what the
375 * access control rules say.
378 if (STR_EQ(eval_hostname(request->client), paranoid)) {
379 printf("access: denied (PARANOID mode)\n\n");
385 * Report the access control verdict.
387 verdict = hosts_access(request);
388 printf("access: %s\n",
389 dry_run == 0 ? "delegated" :
390 verdict ? "granted" : "denied");