99abb2876d
be used as a valid pattern in the access control language. Patch obtained from ftp://ftp.porcupine.org/pub/security/ . Requested by: markm
489 lines
12 KiB
C
489 lines
12 KiB
C
/*
|
|
* tcpdchk - examine all tcpd access control rules and inetd.conf entries
|
|
*
|
|
* Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
|
|
*
|
|
* -a: complain about implicit "allow" at end of rule.
|
|
*
|
|
* -d: rules in current directory.
|
|
*
|
|
* -i: location of inetd.conf file.
|
|
*
|
|
* -v: show all rules.
|
|
*
|
|
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef lint
|
|
static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
|
|
#endif
|
|
|
|
/* System libraries. */
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
#include <stdio.h>
|
|
#include <syslog.h>
|
|
#include <setjmp.h>
|
|
#include <errno.h>
|
|
#include <netdb.h>
|
|
#include <string.h>
|
|
|
|
extern int errno;
|
|
extern void exit();
|
|
extern int optind;
|
|
extern char *optarg;
|
|
|
|
#ifndef INADDR_NONE
|
|
#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
|
|
#endif
|
|
|
|
#ifndef S_ISDIR
|
|
#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR)
|
|
#endif
|
|
|
|
/* Application-specific. */
|
|
|
|
#include "tcpd.h"
|
|
#include "inetcf.h"
|
|
#include "scaffold.h"
|
|
|
|
/*
|
|
* Stolen from hosts_access.c...
|
|
*/
|
|
static char sep[] = ", \t\n";
|
|
|
|
#define BUFLEN 2048
|
|
|
|
int resident = 0;
|
|
int hosts_access_verbose = 0;
|
|
char *hosts_allow_table = HOSTS_ALLOW;
|
|
char *hosts_deny_table = HOSTS_DENY;
|
|
extern jmp_buf tcpd_buf;
|
|
|
|
/*
|
|
* Local stuff.
|
|
*/
|
|
static void usage();
|
|
static void parse_table();
|
|
static void print_list();
|
|
static void check_daemon_list();
|
|
static void check_client_list();
|
|
static void check_daemon();
|
|
static void check_user();
|
|
static int check_host();
|
|
static int reserved_name();
|
|
|
|
#define PERMIT 1
|
|
#define DENY 0
|
|
|
|
#define YES 1
|
|
#define NO 0
|
|
|
|
static int defl_verdict;
|
|
static char *myname;
|
|
static int allow_check;
|
|
static char *inetcf;
|
|
|
|
int main(argc, argv)
|
|
int argc;
|
|
char **argv;
|
|
{
|
|
struct request_info request;
|
|
struct stat st;
|
|
int c;
|
|
|
|
myname = argv[0];
|
|
|
|
/*
|
|
* Parse the JCL.
|
|
*/
|
|
while ((c = getopt(argc, argv, "adi:v")) != EOF) {
|
|
switch (c) {
|
|
case 'a':
|
|
allow_check = 1;
|
|
break;
|
|
case 'd':
|
|
hosts_allow_table = "hosts.allow";
|
|
hosts_deny_table = "hosts.deny";
|
|
break;
|
|
case 'i':
|
|
inetcf = optarg;
|
|
break;
|
|
case 'v':
|
|
hosts_access_verbose++;
|
|
break;
|
|
default:
|
|
usage();
|
|
/* NOTREACHED */
|
|
}
|
|
}
|
|
if (argc != optind)
|
|
usage();
|
|
|
|
/*
|
|
* When confusion really strikes...
|
|
*/
|
|
if (check_path(REAL_DAEMON_DIR, &st) < 0) {
|
|
tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
|
|
} else if (!S_ISDIR(st.st_mode)) {
|
|
tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
|
|
}
|
|
|
|
/*
|
|
* Process the inet configuration file (or its moral equivalent). This
|
|
* information is used later to find references in hosts.allow/deny to
|
|
* unwrapped services, and other possible problems.
|
|
*/
|
|
inetcf = inet_cfg(inetcf);
|
|
if (hosts_access_verbose)
|
|
printf("Using network configuration file: %s\n", inetcf);
|
|
|
|
/*
|
|
* These are not run from inetd but may have built-in access control.
|
|
*/
|
|
inet_set("portmap", WR_NOT);
|
|
inet_set("rpcbind", WR_NOT);
|
|
|
|
/*
|
|
* Check accessibility of access control files.
|
|
*/
|
|
(void) check_path(hosts_allow_table, &st);
|
|
(void) check_path(hosts_deny_table, &st);
|
|
|
|
/*
|
|
* Fake up an arbitrary service request.
|
|
*/
|
|
request_init(&request,
|
|
RQ_DAEMON, "daemon_name",
|
|
RQ_SERVER_NAME, "server_hostname",
|
|
RQ_SERVER_ADDR, "server_addr",
|
|
RQ_USER, "user_name",
|
|
RQ_CLIENT_NAME, "client_hostname",
|
|
RQ_CLIENT_ADDR, "client_addr",
|
|
RQ_FILE, 1,
|
|
0);
|
|
|
|
/*
|
|
* Examine all access-control rules.
|
|
*/
|
|
defl_verdict = PERMIT;
|
|
parse_table(hosts_allow_table, &request);
|
|
defl_verdict = DENY;
|
|
parse_table(hosts_deny_table, &request);
|
|
return (0);
|
|
}
|
|
|
|
/* usage - explain */
|
|
|
|
static void usage()
|
|
{
|
|
fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
|
|
fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n");
|
|
fprintf(stderr, " -d: use allow/deny files in current directory\n");
|
|
fprintf(stderr, " -i: location of inetd.conf file\n");
|
|
fprintf(stderr, " -v: list all rules\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* parse_table - like table_match(), but examines _all_ entries */
|
|
|
|
static void parse_table(table, request)
|
|
char *table;
|
|
struct request_info *request;
|
|
{
|
|
FILE *fp;
|
|
int real_verdict;
|
|
char sv_list[BUFLEN]; /* becomes list of daemons */
|
|
char *cl_list; /* becomes list of requests */
|
|
char *sh_cmd; /* becomes optional shell command */
|
|
char buf[BUFSIZ];
|
|
int verdict;
|
|
struct tcpd_context saved_context;
|
|
|
|
saved_context = tcpd_context; /* stupid compilers */
|
|
|
|
if (fp = fopen(table, "r")) {
|
|
tcpd_context.file = table;
|
|
tcpd_context.line = 0;
|
|
while (xgets(sv_list, sizeof(sv_list), fp)) {
|
|
if (sv_list[strlen(sv_list) - 1] != '\n') {
|
|
tcpd_warn("missing newline or line too long");
|
|
continue;
|
|
}
|
|
if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
|
|
continue;
|
|
if ((cl_list = split_at(sv_list, ':')) == 0) {
|
|
tcpd_warn("missing \":\" separator");
|
|
continue;
|
|
}
|
|
sh_cmd = split_at(cl_list, ':');
|
|
|
|
if (hosts_access_verbose)
|
|
printf("\n>>> Rule %s line %d:\n",
|
|
tcpd_context.file, tcpd_context.line);
|
|
|
|
if (hosts_access_verbose)
|
|
print_list("daemons: ", sv_list);
|
|
check_daemon_list(sv_list);
|
|
|
|
if (hosts_access_verbose)
|
|
print_list("clients: ", cl_list);
|
|
check_client_list(cl_list);
|
|
|
|
#ifdef PROCESS_OPTIONS
|
|
real_verdict = defl_verdict;
|
|
if (sh_cmd) {
|
|
verdict = setjmp(tcpd_buf);
|
|
if (verdict != 0) {
|
|
real_verdict = (verdict == AC_PERMIT);
|
|
} else {
|
|
dry_run = 1;
|
|
process_options(sh_cmd, request);
|
|
if (dry_run == 1 && real_verdict && allow_check)
|
|
tcpd_warn("implicit \"allow\" at end of rule");
|
|
}
|
|
} else if (defl_verdict && allow_check) {
|
|
tcpd_warn("implicit \"allow\" at end of rule");
|
|
}
|
|
if (hosts_access_verbose)
|
|
printf("access: %s\n", real_verdict ? "granted" : "denied");
|
|
#else
|
|
if (sh_cmd)
|
|
shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
|
|
if (hosts_access_verbose)
|
|
printf("access: %s\n", defl_verdict ? "granted" : "denied");
|
|
#endif
|
|
}
|
|
(void) fclose(fp);
|
|
} else if (errno != ENOENT) {
|
|
tcpd_warn("cannot open %s: %m", table);
|
|
}
|
|
tcpd_context = saved_context;
|
|
}
|
|
|
|
/* print_list - pretty-print a list */
|
|
|
|
static void print_list(title, list)
|
|
char *title;
|
|
char *list;
|
|
{
|
|
char buf[BUFLEN];
|
|
char *cp;
|
|
char *next;
|
|
|
|
fputs(title, stdout);
|
|
strcpy(buf, list);
|
|
|
|
for (cp = strtok(buf, sep); cp != 0; cp = next) {
|
|
fputs(cp, stdout);
|
|
next = strtok((char *) 0, sep);
|
|
if (next != 0)
|
|
fputs(" ", stdout);
|
|
}
|
|
fputs("\n", stdout);
|
|
}
|
|
|
|
/* check_daemon_list - criticize daemon list */
|
|
|
|
static void check_daemon_list(list)
|
|
char *list;
|
|
{
|
|
char buf[BUFLEN];
|
|
char *cp;
|
|
char *host;
|
|
int daemons = 0;
|
|
|
|
strcpy(buf, list);
|
|
|
|
for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
|
|
if (STR_EQ(cp, "EXCEPT")) {
|
|
daemons = 0;
|
|
} else {
|
|
daemons++;
|
|
if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
|
|
tcpd_warn("host %s has more than one address", host);
|
|
tcpd_warn("(consider using an address instead)");
|
|
}
|
|
check_daemon(cp);
|
|
}
|
|
}
|
|
if (daemons == 0)
|
|
tcpd_warn("daemon list is empty or ends in EXCEPT");
|
|
}
|
|
|
|
/* check_client_list - criticize client list */
|
|
|
|
static void check_client_list(list)
|
|
char *list;
|
|
{
|
|
char buf[BUFLEN];
|
|
char *cp;
|
|
char *host;
|
|
int clients = 0;
|
|
|
|
strcpy(buf, list);
|
|
|
|
for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
|
|
if (STR_EQ(cp, "EXCEPT")) {
|
|
clients = 0;
|
|
} else {
|
|
clients++;
|
|
if (host = split_at(cp + 1, '@')) { /* user@host */
|
|
check_user(cp);
|
|
check_host(host);
|
|
} else {
|
|
check_host(cp);
|
|
}
|
|
}
|
|
}
|
|
if (clients == 0)
|
|
tcpd_warn("client list is empty or ends in EXCEPT");
|
|
}
|
|
|
|
/* check_daemon - criticize daemon pattern */
|
|
|
|
static void check_daemon(pat)
|
|
char *pat;
|
|
{
|
|
if (pat[0] == '@') {
|
|
tcpd_warn("%s: daemon name begins with \"@\"", pat);
|
|
} else if (pat[0] == '/') {
|
|
tcpd_warn("%s: daemon name begins with \"/\"", pat);
|
|
} else if (pat[0] == '.') {
|
|
tcpd_warn("%s: daemon name begins with dot", pat);
|
|
} else if (pat[strlen(pat) - 1] == '.') {
|
|
tcpd_warn("%s: daemon name ends in dot", pat);
|
|
} else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
|
|
/* void */ ;
|
|
} else if (STR_EQ(pat, "FAIL")) { /* obsolete */
|
|
tcpd_warn("FAIL is no longer recognized");
|
|
tcpd_warn("(use EXCEPT or DENY instead)");
|
|
} else if (reserved_name(pat)) {
|
|
tcpd_warn("%s: daemon name may be reserved word", pat);
|
|
} else {
|
|
switch (inet_get(pat)) {
|
|
case WR_UNKNOWN:
|
|
tcpd_warn("%s: no such process name in %s", pat, inetcf);
|
|
inet_set(pat, WR_YES); /* shut up next time */
|
|
break;
|
|
case WR_NOT:
|
|
tcpd_warn("%s: service possibly not wrapped", pat);
|
|
inet_set(pat, WR_YES);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* check_user - criticize user pattern */
|
|
|
|
static void check_user(pat)
|
|
char *pat;
|
|
{
|
|
if (pat[0] == '@') { /* @netgroup */
|
|
tcpd_warn("%s: user name begins with \"@\"", pat);
|
|
} else if (pat[0] == '/') {
|
|
tcpd_warn("%s: user name begins with \"/\"", pat);
|
|
} else if (pat[0] == '.') {
|
|
tcpd_warn("%s: user name begins with dot", pat);
|
|
} else if (pat[strlen(pat) - 1] == '.') {
|
|
tcpd_warn("%s: user name ends in dot", pat);
|
|
} else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
|
|
|| STR_EQ(pat, "KNOWN")) {
|
|
/* void */ ;
|
|
} else if (STR_EQ(pat, "FAIL")) { /* obsolete */
|
|
tcpd_warn("FAIL is no longer recognized");
|
|
tcpd_warn("(use EXCEPT or DENY instead)");
|
|
} else if (reserved_name(pat)) {
|
|
tcpd_warn("%s: user name may be reserved word", pat);
|
|
}
|
|
}
|
|
|
|
/* check_host - criticize host pattern */
|
|
|
|
static int check_host(pat)
|
|
char *pat;
|
|
{
|
|
char buf[BUFSIZ];
|
|
char *mask;
|
|
int addr_count = 1;
|
|
FILE *fp;
|
|
struct tcpd_context saved_context;
|
|
char *cp;
|
|
char *wsp = " \t\r\n";
|
|
|
|
if (pat[0] == '@') { /* @netgroup */
|
|
#ifdef NO_NETGRENT
|
|
/* SCO has no *netgrent() support */
|
|
#else
|
|
#ifdef NETGROUP
|
|
char *machinep;
|
|
char *userp;
|
|
char *domainp;
|
|
|
|
setnetgrent(pat + 1);
|
|
if (getnetgrent(&machinep, &userp, &domainp) == 0)
|
|
tcpd_warn("%s: unknown or empty netgroup", pat + 1);
|
|
endnetgrent();
|
|
#else
|
|
tcpd_warn("netgroup support disabled");
|
|
#endif
|
|
#endif
|
|
} else if (pat[0] == '/') { /* /path/name */
|
|
if ((fp = fopen(pat, "r")) != 0) {
|
|
saved_context = tcpd_context;
|
|
tcpd_context.file = pat;
|
|
tcpd_context.line = 0;
|
|
while (fgets(buf, sizeof(buf), fp)) {
|
|
tcpd_context.line++;
|
|
for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
|
|
check_host(cp);
|
|
}
|
|
tcpd_context = saved_context;
|
|
fclose(fp);
|
|
} else if (errno != ENOENT) {
|
|
tcpd_warn("open %s: %m", pat);
|
|
}
|
|
} else if (mask = split_at(pat, '/')) { /* network/netmask */
|
|
if (dot_quad_addr(pat) == INADDR_NONE
|
|
|| dot_quad_addr(mask) == INADDR_NONE)
|
|
tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
|
|
} else if (STR_EQ(pat, "FAIL")) { /* obsolete */
|
|
tcpd_warn("FAIL is no longer recognized");
|
|
tcpd_warn("(use EXCEPT or DENY instead)");
|
|
} else if (reserved_name(pat)) { /* other reserved */
|
|
/* void */ ;
|
|
} else if (NOT_INADDR(pat)) { /* internet name */
|
|
if (pat[strlen(pat) - 1] == '.') {
|
|
tcpd_warn("%s: domain or host name ends in dot", pat);
|
|
} else if (pat[0] != '.') {
|
|
addr_count = check_dns(pat);
|
|
}
|
|
} else { /* numeric form */
|
|
if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
|
|
/* void */ ;
|
|
} else if (pat[0] == '.') {
|
|
tcpd_warn("%s: network number begins with dot", pat);
|
|
} else if (pat[strlen(pat) - 1] != '.') {
|
|
check_dns(pat);
|
|
}
|
|
}
|
|
return (addr_count);
|
|
}
|
|
|
|
/* reserved_name - determine if name is reserved */
|
|
|
|
static int reserved_name(pat)
|
|
char *pat;
|
|
{
|
|
return (STR_EQ(pat, unknown)
|
|
|| STR_EQ(pat, "KNOWN")
|
|
|| STR_EQ(pat, paranoid)
|
|
|| STR_EQ(pat, "ALL")
|
|
|| STR_EQ(pat, "LOCAL"));
|
|
}
|