Index: head/contrib/tcp_wrappers/inetcf.c =================================================================== --- head/contrib/tcp_wrappers/inetcf.c (revision 350099) +++ head/contrib/tcp_wrappers/inetcf.c (revision 350100) @@ -1,324 +1,321 @@ /* $FreeBSD$ */ /* * Routines to parse an inetd.conf or tlid.conf file. This would be a great * job for a PERL script. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ #ifndef lint static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23"; #endif #include #include #include #include -#include #include - -extern int errno; -extern void exit(); +#include #include "tcpd.h" #include "inetcf.h" #include "scaffold.h" /* * Network configuration files may live in unusual places. Here are some * guesses. Shorter names follow longer ones. */ char *inet_files[] = { "/private/etc/inetd.conf", /* NEXT */ "/etc/inet/inetd.conf", /* SYSV4 */ "/usr/etc/inetd.conf", /* IRIX?? */ "/etc/inetd.conf", /* BSD */ "/etc/net/tlid.conf", /* SYSV4?? */ "/etc/saf/tlid.conf", /* SYSV4?? */ "/etc/tlid.conf", /* SYSV4?? */ 0, }; static void inet_chk(char *protocol, char *path, char *arg0, char *arg1); static char *base_name(char *path); extern char *percent_m(char *obuf, char *ibuf); /* * Structure with everything we know about a service. */ struct inet_ent { struct inet_ent *next; int type; char name[1]; }; static struct inet_ent *inet_list = 0; static char whitespace[] = " \t\r\n"; /* inet_conf - read in and examine inetd.conf (or tlid.conf) entries */ char *inet_cfg(conf) char *conf; { char buf[BUFSIZ]; FILE *fp; char *service; char *protocol; char *user; char *path; char *arg0; char *arg1; struct tcpd_context saved_context; int i; struct stat st; saved_context = tcpd_context; /* * The inetd.conf (or tlid.conf) information is so useful that we insist * on its availability. When no file is given run a series of educated * guesses. */ if (conf != 0) { if ((fp = fopen(conf, "r")) == 0) { fprintf(stderr, percent_m(buf, "open %s: %m\n"), conf); exit(1); } } else { for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++) /* void */ ; if (fp == 0) { fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n"); fprintf(stderr, "Please specify its location.\n"); exit(1); } conf = inet_files[i]; check_path(conf, &st); } /* * Process the file. After the 7.0 wrapper release it became clear that * there are many more inetd.conf formats than the 8 systems that I had * studied. EP/IX uses a two-line specification for rpc services; HP-UX * permits long lines to be broken with backslash-newline. */ tcpd_context.file = conf; tcpd_context.line = 0; while (xgets(buf, sizeof(buf), fp)) { service = strtok(buf, whitespace); /* service */ if (service == 0 || *service == '#') continue; if (STR_NE(service, "stream") && STR_NE(service, "dgram")) strtok((char *) 0, whitespace); /* endpoint */ protocol = strtok((char *) 0, whitespace); (void) strtok((char *) 0, whitespace); /* wait */ if ((user = strtok((char *) 0, whitespace)) == 0) continue; if (user[0] == '/') { /* user */ path = user; } else { /* path */ if ((path = strtok((char *) 0, whitespace)) == 0) continue; } if (path[0] == '?') /* IRIX optional service */ path++; if (STR_EQ(path, "internal")) continue; if (path[strspn(path, "-0123456789")] == 0) { /* * ConvexOS puts RPC version numbers before path names. Jukka * Ukkonen . */ if ((path = strtok((char *) 0, whitespace)) == 0) continue; } if ((arg0 = strtok((char *) 0, whitespace)) == 0) { tcpd_warn("incomplete line"); continue; } if (arg0[strspn(arg0, "0123456789")] == 0) { /* * We're reading a tlid.conf file, the format is: * * ...stuff... path arg_count arguments mod_count modules */ if ((arg0 = strtok((char *) 0, whitespace)) == 0) { tcpd_warn("incomplete line"); continue; } } if ((arg1 = strtok((char *) 0, whitespace)) == 0) arg1 = ""; inet_chk(protocol, path, arg0, arg1); } fclose(fp); tcpd_context = saved_context; return (conf); } /* inet_chk - examine one inetd.conf (tlid.conf?) entry */ static void inet_chk(protocol, path, arg0, arg1) char *protocol; char *path; char *arg0; char *arg1; { char daemon[BUFSIZ]; struct stat st; int wrap_status = WR_MAYBE; char *base_name_path = base_name(path); char *tcpd_proc_name = (arg0[0] == '/' ? base_name(arg0) : arg0); /* * Always warn when the executable does not exist or when it is not * executable. */ if (check_path(path, &st) < 0) { tcpd_warn("%s: not found: %m", path); } else if ((st.st_mode & 0100) == 0) { tcpd_warn("%s: not executable", path); } /* * Cheat on the miscd tests, nobody uses it anymore. */ if (STR_EQ(base_name_path, "miscd")) { inet_set(arg0, WR_YES); return; } /* * While we are here... */ if (STR_EQ(tcpd_proc_name, "rexd") || STR_EQ(tcpd_proc_name, "rpc.rexd")) tcpd_warn("%s may be an insecure service", tcpd_proc_name); /* * The tcpd program gets most of the attention. */ if (STR_EQ(base_name_path, "tcpd")) { if (STR_EQ(tcpd_proc_name, "tcpd")) tcpd_warn("%s is recursively calling itself", tcpd_proc_name); wrap_status = WR_YES; /* * Check: some sites install the wrapper set-uid. */ if ((st.st_mode & 06000) != 0) tcpd_warn("%s: file is set-uid or set-gid", path); /* * Check: some sites insert tcpd in inetd.conf, instead of replacing * the daemon pathname. */ if (arg0[0] == '/' && STR_EQ(tcpd_proc_name, base_name(arg1))) tcpd_warn("%s inserted before %s", path, arg0); /* * Check: make sure files exist and are executable. On some systems * the network daemons are set-uid so we cannot complain. Note that * tcpd takes the basename only in case of absolute pathnames. */ if (arg0[0] == '/') { /* absolute path */ if (check_path(arg0, &st) < 0) { tcpd_warn("%s: not found: %m", arg0); } else if ((st.st_mode & 0100) == 0) { tcpd_warn("%s: not executable", arg0); } } else { /* look in REAL_DAEMON_DIR */ sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0); if (check_path(daemon, &st) < 0) { tcpd_warn("%s: not found in %s: %m", arg0, REAL_DAEMON_DIR); } else if ((st.st_mode & 0100) == 0) { tcpd_warn("%s: not executable", daemon); } } } else { /* * No tcpd program found. Perhaps they used the "simple installation" * recipe. Look for a file with the same basename in REAL_DAEMON_DIR. * Draw some conservative conclusions when a distinct file is found. */ sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0); if (STR_EQ(path, daemon)) { #ifdef __FreeBSD__ wrap_status = WR_MAYBE; #else wrap_status = WR_NOT; #endif } else if (check_path(daemon, &st) >= 0) { wrap_status = WR_MAYBE; } else if (errno == ENOENT) { wrap_status = WR_NOT; } else { tcpd_warn("%s: file lookup: %m", daemon); wrap_status = WR_MAYBE; } } /* * Alas, we cannot wrap rpc/tcp services. */ if (wrap_status == WR_YES && STR_EQ(protocol, "rpc/tcp")) tcpd_warn("%s: cannot wrap rpc/tcp services", tcpd_proc_name); inet_set(tcpd_proc_name, wrap_status); } /* inet_set - remember service status */ void inet_set(name, type) char *name; int type; { struct inet_ent *ip = (struct inet_ent *) malloc(sizeof(struct inet_ent) + strlen(name)); if (ip == 0) { fprintf(stderr, "out of memory\n"); exit(1); } ip->next = inet_list; strcpy(ip->name, name); ip->type = type; inet_list = ip; } /* inet_get - look up service status */ int inet_get(name) char *name; { struct inet_ent *ip; if (inet_list == 0) return (WR_MAYBE); for (ip = inet_list; ip; ip = ip->next) if (STR_EQ(ip->name, name)) return (ip->type); return (-1); } /* base_name - compute last pathname component */ static char *base_name(path) char *path; { char *cp; if ((cp = strrchr(path, '/')) != 0) path = cp + 1; return (path); } Index: head/contrib/tcp_wrappers/scaffold.c =================================================================== --- head/contrib/tcp_wrappers/scaffold.c (revision 350099) +++ head/contrib/tcp_wrappers/scaffold.c (revision 350100) @@ -1,259 +1,260 @@ /* * Routines for testing only. Not really industrial strength. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. * * $FreeBSD$ */ #ifndef lint static char sccs_id[] = "@(#) scaffold.c 1.6 97/03/21 19:27:24"; #endif /* System libraries. */ #include #include #include #include #include #include #include #include #include +#include #include #include #ifndef INADDR_NONE #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ #endif /* Application-specific. */ #include "tcpd.h" #include "scaffold.h" /* * These are referenced by the options module and by rfc931.c. */ int allow_severity = SEVERITY; int deny_severity = LOG_WARNING; int rfc931_timeout = RFC931_TIMEOUT; #ifndef INET6 /* dup_hostent - create hostent in one memory block */ static struct hostent *dup_hostent(hp) struct hostent *hp; { struct hostent_block { struct hostent host; char *addr_list[1]; }; struct hostent_block *hb; int count; char *data; char *addr; for (count = 0; hp->h_addr_list[count] != 0; count++) /* void */ ; if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block) + (hp->h_length + sizeof(char *)) * count)) == 0) { fprintf(stderr, "Sorry, out of memory\n"); exit(1); } memset((char *) &hb->host, 0, sizeof(hb->host)); hb->host.h_length = hp->h_length; hb->host.h_addr_list = hb->addr_list; hb->host.h_addr_list[count] = 0; data = (char *) (hb->host.h_addr_list + count + 1); for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { hb->host.h_addr_list[count] = data + hp->h_length * count; memcpy(hb->host.h_addr_list[count], addr, hp->h_length); } return (&hb->host); } #endif /* find_inet_addr - find all addresses for this host, result to free() */ #ifdef INET6 struct addrinfo *find_inet_addr(host) char *host; { struct addrinfo hints, *res; memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; if (getaddrinfo(host, NULL, &hints, &res) == 0) return (res); memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE | AI_CANONNAME; if (getaddrinfo(host, NULL, &hints, &res) != 0) { tcpd_warn("%s: host not found", host); return (0); } if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { tcpd_warn("%d: not an internet host", res->ai_family); freeaddrinfo(res); return (0); } if (!res->ai_canonname) { tcpd_warn("%s: hostname alias", host); tcpd_warn("(cannot obtain official name)", res->ai_canonname); } else if (STR_NE(host, res->ai_canonname)) { tcpd_warn("%s: hostname alias", host); tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); } return (res); } #else struct hostent *find_inet_addr(host) char *host; { struct in_addr addr; struct hostent *hp; static struct hostent h; static char *addr_list[2]; /* * Host address: translate it to internal form. */ if ((addr.s_addr = dot_quad_addr(host)) != INADDR_NONE) { h.h_addr_list = addr_list; h.h_addr_list[0] = (char *) &addr; h.h_length = sizeof(addr); return (dup_hostent(&h)); } /* * Map host name to a series of addresses. Watch out for non-internet * forms or aliases. The NOT_INADDR() is here in case gethostbyname() has * been "enhanced" to accept numeric addresses. Make a copy of the * address list so that later gethostbyXXX() calls will not clobber it. */ if (NOT_INADDR(host) == 0) { tcpd_warn("%s: not an internet address", host); return (0); } if ((hp = gethostbyname(host)) == 0) { tcpd_warn("%s: host not found", host); return (0); } if (hp->h_addrtype != AF_INET) { tcpd_warn("%d: not an internet host", hp->h_addrtype); return (0); } if (STR_NE(host, hp->h_name)) { tcpd_warn("%s: hostname alias", host); tcpd_warn("(official name: %.*s)", STRING_LENGTH, hp->h_name); } return (dup_hostent(hp)); } #endif /* check_dns - give each address thorough workout, return address count */ int check_dns(host) char *host; { struct request_info request; #ifdef INET6 struct sockaddr_storage sin; struct addrinfo *hp, *res; #else struct sockaddr_in sin; struct hostent *hp; #endif int count; char *addr; if ((hp = find_inet_addr(host)) == 0) return (0); request_init(&request, RQ_CLIENT_SIN, &sin, 0); sock_methods(&request); #ifndef INET6 memset((char *) &sin, 0, sizeof(sin)); sin.sin_family = AF_INET; #endif #ifdef INET6 for (res = hp, count = 0; res; res = res->ai_next, count++) { memcpy(&sin, res->ai_addr, res->ai_addrlen); #else for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); #endif /* * Force host name and address conversions. Use the request structure * as a cache. Detect hostname lookup problems. Any name/name or * name/address conflicts will be reported while eval_hostname() does * its job. */ request_set(&request, RQ_CLIENT_ADDR, "", RQ_CLIENT_NAME, "", 0); if (STR_EQ(eval_hostname(request.client), unknown)) tcpd_warn("host address %s->name lookup failed", eval_hostaddr(request.client)); } #ifdef INET6 freeaddrinfo(hp); #else free((char *) hp); #endif return (count); } /* dummy function to intercept the real shell_cmd() */ /* ARGSUSED */ void shell_cmd(command) char *command; { if (hosts_access_verbose) printf("command: %s", command); } /* dummy function to intercept the real clean_exit() */ /* ARGSUSED */ void clean_exit(request) struct request_info *request; { exit(0); } /* check_path - examine accessibility */ int check_path(path, st) char *path; struct stat *st; { struct stat stbuf; char buf[BUFSIZ]; if (stat(path, st) < 0) return (-1); #ifdef notdef if (st->st_uid != 0) tcpd_warn("%s: not owned by root", path); if (st->st_mode & 020) tcpd_warn("%s: group writable", path); #endif if (st->st_mode & 002) tcpd_warn("%s: world writable", path); if (path[0] == '/' && path[1] != 0) { strrchr(strcpy(buf, path), '/')[0] = 0; (void) check_path(buf[0] ? buf : "/", &stbuf); } return (0); } Index: head/contrib/tcp_wrappers/tcpd.c =================================================================== --- head/contrib/tcp_wrappers/tcpd.c (revision 350099) +++ head/contrib/tcp_wrappers/tcpd.c (revision 350100) @@ -1,136 +1,137 @@ /* * General front end for stream and datagram IP services. This program logs * the remote host name and then invokes the real daemon. For example, * install as /usr/etc/{tftpd,fingerd,telnetd,ftpd,rlogind,rshd,rexecd}, * after saving the real daemons in the directory specified with the * REAL_DAEMON_DIR macro. This arrangement requires that the network daemons * are started by inetd or something similar. Connections and diagnostics * are logged through syslog(3). * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. * * $FreeBSD$ */ #ifndef lint static char sccsid[] = "@(#) tcpd.c 1.10 96/02/11 17:01:32"; #endif /* System libraries. */ #include #include #include #include #include #include #include #include +#include #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ #endif #ifndef STDIN_FILENO #define STDIN_FILENO 0 #endif /* Local stuff. */ #include "patchlevel.h" #include "tcpd.h" int allow_severity = SEVERITY; /* run-time adjustable */ int deny_severity = LOG_WARNING; /* ditto */ main(argc, argv) int argc; char **argv; { struct request_info request; char path[MAXPATHNAMELEN]; /* Attempt to prevent the creation of world-writable files. */ #ifdef DAEMON_UMASK umask(DAEMON_UMASK); #endif /* * If argv[0] is an absolute path name, ignore REAL_DAEMON_DIR, and strip * argv[0] to its basename. */ if (argv[0][0] == '/') { strlcpy(path, argv[0], sizeof(path)); argv[0] = strrchr(argv[0], '/') + 1; } else { snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]); } /* * Open a channel to the syslog daemon. Older versions of openlog() * require only two arguments. */ #ifdef LOG_MAIL (void) openlog(argv[0], LOG_PID, FACILITY); #else (void) openlog(argv[0], LOG_PID); #endif /* * Find out the endpoint addresses of this conversation. Host name * lookups and double checks will be done on demand. */ request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0); fromhost(&request); /* * Optionally look up and double check the remote host name. Sites * concerned with security may choose to refuse connections from hosts * that pretend to have someone elses host name. */ #ifdef PARANOID if (STR_EQ(eval_hostname(request.client), paranoid)) refuse(&request); #endif /* * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow * socket options at the IP level. They do so for a good reason. * Unfortunately, we cannot use this with SunOS 4.1.x because the * getsockopt() system call can panic the system. */ #ifdef KILL_IP_OPTIONS fix_options(&request); #endif /* * Check whether this host can access the service in argv[0]. The * access-control code invokes optional shell commands as specified in * the access-control tables. */ #ifdef HOSTS_ACCESS if (!hosts_access(&request)) refuse(&request); #endif /* Report request and invoke the real daemon program. */ #ifdef INET6 syslog(allow_severity, "connect from %s (%s)", eval_client(&request), eval_hostaddr(request.client)); #else syslog(allow_severity, "connect from %s", eval_client(&request)); #endif closelog(); (void) execv(path, argv); syslog(LOG_ERR, "error: cannot execute %s: %m", path); clean_exit(&request); /* NOTREACHED */ } Index: head/contrib/tcp_wrappers/tcpdchk.c =================================================================== --- head/contrib/tcp_wrappers/tcpdchk.c (revision 350099) +++ head/contrib/tcp_wrappers/tcpdchk.c (revision 350100) @@ -1,531 +1,526 @@ /* * tcpdchk - examine all tcpd access control rules and inetd.conf entries * * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v] * * -a: complain about implicit "allow" at end of rule. * * -d: rules in current directory. * * -i: location of inetd.conf file. * * -v: show all rules. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. * * $FreeBSD$ */ #ifndef lint static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25"; #endif /* System libraries. */ #include #include #ifdef INET6 #include #endif #include #include #include #include #include #include #include +#include #include #include -#include - -extern int errno; -extern void exit(); -extern int optind; -extern char *optarg; #ifndef INADDR_NONE #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ #endif #ifndef S_ISDIR #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) #endif /* Application-specific. */ #include "tcpd.h" #include "inetcf.h" #include "scaffold.h" /* * Stolen from hosts_access.c... */ static char sep[] = ", \t\n"; #define BUFLEN 2048 int resident = 0; int hosts_access_verbose = 0; char *hosts_allow_table = HOSTS_ALLOW; char *hosts_deny_table = HOSTS_DENY; extern jmp_buf tcpd_buf; /* * Local stuff. */ static void usage(void); static void parse_table(char *table, struct request_info *request); static void print_list(char *title, char *list); static void check_daemon_list(char *list); static void check_client_list(char *list); static void check_daemon(char *pat); static void check_user(char *pat); static int check_host(char *pat); static int reserved_name(char *pat); #define PERMIT 1 #define DENY 0 #define YES 1 #define NO 0 static int defl_verdict; static char *myname; static int allow_check; static char *inetcf; int main(argc, argv) int argc; char **argv; { struct request_info request; struct stat st; int c; myname = argv[0]; /* * Parse the JCL. */ while ((c = getopt(argc, argv, "adi:v")) != EOF) { switch (c) { case 'a': allow_check = 1; break; case 'd': hosts_allow_table = "hosts.allow"; hosts_deny_table = "hosts.deny"; break; case 'i': inetcf = optarg; break; case 'v': hosts_access_verbose++; break; default: usage(); /* NOTREACHED */ } } if (argc != optind) usage(); /* * When confusion really strikes... */ if (check_path(REAL_DAEMON_DIR, &st) < 0) { tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); } else if (!S_ISDIR(st.st_mode)) { tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); } /* * Process the inet configuration file (or its moral equivalent). This * information is used later to find references in hosts.allow/deny to * unwrapped services, and other possible problems. */ inetcf = inet_cfg(inetcf); if (hosts_access_verbose) printf("Using network configuration file: %s\n", inetcf); /* * These are not run from inetd but may have built-in access control. */ inet_set("portmap", WR_NOT); inet_set("rpcbind", WR_NOT); /* * Check accessibility of access control files. */ (void) check_path(hosts_allow_table, &st); (void) check_path(hosts_deny_table, &st); /* * Fake up an arbitrary service request. */ request_init(&request, RQ_DAEMON, "daemon_name", RQ_SERVER_NAME, "server_hostname", RQ_SERVER_ADDR, "server_addr", RQ_USER, "user_name", RQ_CLIENT_NAME, "client_hostname", RQ_CLIENT_ADDR, "client_addr", RQ_FILE, 1, 0); /* * Examine all access-control rules. */ defl_verdict = PERMIT; parse_table(hosts_allow_table, &request); defl_verdict = DENY; parse_table(hosts_deny_table, &request); return (0); } /* usage - explain */ static void usage(void) { fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname); fprintf(stderr, " -a: report rules with implicit \"ALLOW\" at end\n"); fprintf(stderr, " -d: use allow/deny files in current directory\n"); fprintf(stderr, " -i: location of inetd.conf file\n"); fprintf(stderr, " -v: list all rules\n"); exit(1); } /* parse_table - like table_match(), but examines _all_ entries */ static void parse_table(table, request) char *table; struct request_info *request; { FILE *fp; int real_verdict; char sv_list[BUFLEN]; /* becomes list of daemons */ char *cl_list; /* becomes list of requests */ char *sh_cmd; /* becomes optional shell command */ char buf[BUFSIZ]; int verdict; struct tcpd_context saved_context; saved_context = tcpd_context; /* stupid compilers */ if (fp = fopen(table, "r")) { tcpd_context.file = table; tcpd_context.line = 0; while (xgets(sv_list, sizeof(sv_list), fp)) { if (sv_list[strlen(sv_list) - 1] != '\n') { tcpd_warn("missing newline or line too long"); continue; } if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) continue; if ((cl_list = split_at(sv_list, ':')) == 0) { tcpd_warn("missing \":\" separator"); continue; } sh_cmd = split_at(cl_list, ':'); if (hosts_access_verbose) printf("\n>>> Rule %s line %d:\n", tcpd_context.file, tcpd_context.line); if (hosts_access_verbose) print_list("daemons: ", sv_list); check_daemon_list(sv_list); if (hosts_access_verbose) print_list("clients: ", cl_list); check_client_list(cl_list); #ifdef PROCESS_OPTIONS real_verdict = defl_verdict; if (sh_cmd) { verdict = setjmp(tcpd_buf); if (verdict != 0) { real_verdict = (verdict == AC_PERMIT); } else { dry_run = 1; process_options(sh_cmd, request); if (dry_run == 1 && real_verdict && allow_check) tcpd_warn("implicit \"allow\" at end of rule"); } } else if (defl_verdict && allow_check) { tcpd_warn("implicit \"allow\" at end of rule"); } if (hosts_access_verbose) printf("access: %s\n", real_verdict ? "granted" : "denied"); #else if (sh_cmd) shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request)); if (hosts_access_verbose) printf("access: %s\n", defl_verdict ? "granted" : "denied"); #endif } (void) fclose(fp); } else if (errno != ENOENT) { tcpd_warn("cannot open %s: %m", table); } tcpd_context = saved_context; } /* print_list - pretty-print a list */ static void print_list(title, list) char *title; char *list; { char buf[BUFLEN]; char *cp; char *next; fputs(title, stdout); strcpy(buf, list); for (cp = strtok(buf, sep); cp != 0; cp = next) { fputs(cp, stdout); next = strtok((char *) 0, sep); if (next != 0) fputs(" ", stdout); } fputs("\n", stdout); } /* check_daemon_list - criticize daemon list */ static void check_daemon_list(list) char *list; { char buf[BUFLEN]; char *cp; char *host; int daemons = 0; strcpy(buf, list); for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { if (STR_EQ(cp, "EXCEPT")) { daemons = 0; } else { daemons++; if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) { tcpd_warn("host %s has more than one address", host); tcpd_warn("(consider using an address instead)"); } check_daemon(cp); } } if (daemons == 0) tcpd_warn("daemon list is empty or ends in EXCEPT"); } /* check_client_list - criticize client list */ static void check_client_list(list) char *list; { char buf[BUFLEN]; char *cp; char *host; int clients = 0; strcpy(buf, list); for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) { if (STR_EQ(cp, "EXCEPT")) { clients = 0; } else { clients++; if (host = split_at(cp + 1, '@')) { /* user@host */ check_user(cp); check_host(host); } else { check_host(cp); } } } if (clients == 0) tcpd_warn("client list is empty or ends in EXCEPT"); } /* check_daemon - criticize daemon pattern */ static void check_daemon(pat) char *pat; { if (pat[0] == '@') { tcpd_warn("%s: daemon name begins with \"@\"", pat); } else if (pat[0] == '/') { tcpd_warn("%s: daemon name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: daemon name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { tcpd_warn("%s: daemon name ends in dot", pat); } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) { /* void */ ; } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ tcpd_warn("FAIL is no longer recognized"); tcpd_warn("(use EXCEPT or DENY instead)"); } else if (reserved_name(pat)) { tcpd_warn("%s: daemon name may be reserved word", pat); } else { switch (inet_get(pat)) { case WR_UNKNOWN: tcpd_warn("%s: no such process name in %s", pat, inetcf); inet_set(pat, WR_YES); /* shut up next time */ break; case WR_NOT: tcpd_warn("%s: service possibly not wrapped", pat); inet_set(pat, WR_YES); break; } } } /* check_user - criticize user pattern */ static void check_user(pat) char *pat; { if (pat[0] == '@') { /* @netgroup */ tcpd_warn("%s: user name begins with \"@\"", pat); } else if (pat[0] == '/') { tcpd_warn("%s: user name begins with \"/\"", pat); } else if (pat[0] == '.') { tcpd_warn("%s: user name begins with dot", pat); } else if (pat[strlen(pat) - 1] == '.') { tcpd_warn("%s: user name ends in dot", pat); } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown) || STR_EQ(pat, "KNOWN")) { /* void */ ; } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ tcpd_warn("FAIL is no longer recognized"); tcpd_warn("(use EXCEPT or DENY instead)"); } else if (reserved_name(pat)) { tcpd_warn("%s: user name may be reserved word", pat); } } #ifdef INET6 static int is_inet6_addr(pat) char *pat; { struct addrinfo hints, *res; int len, ret; char ch; if (*pat != '[') return (0); len = strlen(pat); if ((ch = pat[len - 1]) != ']') return (0); pat[len - 1] = '\0'; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET6; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) freeaddrinfo(res); pat[len - 1] = ch; return (ret == 0); } #endif /* check_host - criticize host pattern */ static int check_host(pat) char *pat; { char buf[BUFSIZ]; char *mask; int addr_count = 1; FILE *fp; struct tcpd_context saved_context; char *cp; char *wsp = " \t\r\n"; if (pat[0] == '@') { /* @netgroup */ #ifdef NO_NETGRENT /* SCO has no *netgrent() support */ #else #ifdef NETGROUP char *machinep; char *userp; char *domainp; setnetgrent(pat + 1); if (getnetgrent(&machinep, &userp, &domainp) == 0) tcpd_warn("%s: unknown or empty netgroup", pat + 1); endnetgrent(); #else tcpd_warn("netgroup support disabled"); #endif #endif } else if (pat[0] == '/') { /* /path/name */ if ((fp = fopen(pat, "r")) != 0) { saved_context = tcpd_context; tcpd_context.file = pat; tcpd_context.line = 0; while (fgets(buf, sizeof(buf), fp)) { tcpd_context.line++; for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) check_host(cp); } tcpd_context = saved_context; fclose(fp); } else if (errno != ENOENT) { tcpd_warn("open %s: %m", pat); } } else if (mask = split_at(pat, '/')) { /* network/netmask */ #ifdef INET6 int mask_len; if ((dot_quad_addr(pat) == INADDR_NONE || dot_quad_addr(mask) == INADDR_NONE) && (!is_inet6_addr(pat) || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) #else if (dot_quad_addr(pat) == INADDR_NONE || dot_quad_addr(mask) == INADDR_NONE) #endif tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ tcpd_warn("FAIL is no longer recognized"); tcpd_warn("(use EXCEPT or DENY instead)"); } else if (reserved_name(pat)) { /* other reserved */ /* void */ ; #ifdef INET6 } else if (is_inet6_addr(pat)) { /* IPv6 address */ addr_count = 1; #endif } else if (NOT_INADDR(pat)) { /* internet name */ if (pat[strlen(pat) - 1] == '.') { tcpd_warn("%s: domain or host name ends in dot", pat); } else if (pat[0] != '.') { addr_count = check_dns(pat); } } else { /* numeric form */ if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) { /* void */ ; } else if (pat[0] == '.') { tcpd_warn("%s: network number begins with dot", pat); } else if (pat[strlen(pat) - 1] != '.') { check_dns(pat); } } return (addr_count); } /* reserved_name - determine if name is reserved */ static int reserved_name(pat) char *pat; { return (STR_EQ(pat, unknown) || STR_EQ(pat, "KNOWN") || STR_EQ(pat, paranoid) || STR_EQ(pat, "ALL") || STR_EQ(pat, "LOCAL")); } Index: head/contrib/tcp_wrappers/tcpdmatch.c =================================================================== --- head/contrib/tcp_wrappers/tcpdmatch.c (revision 350099) +++ head/contrib/tcp_wrappers/tcpdmatch.c (revision 350100) @@ -1,392 +1,389 @@ /* * tcpdmatch - explain what tcpd would do in a specific case * * usage: tcpdmatch [-d] [-i inet_conf] daemon[@host] [user@]host * * -d: use the access control tables in the current directory. * * -i: location of inetd.conf file. * * All errors are reported to the standard error stream, including the errors * that would normally be reported via the syslog daemon. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. * * $FreeBSD$ */ #ifndef lint static char sccsid[] = "@(#) tcpdmatch.c 1.5 96/02/11 17:01:36"; #endif /* System libraries. */ #include #include #include #include #include #include #include #include #include +#include #include #include - -extern void exit(); -extern int optind; -extern char *optarg; #ifndef INADDR_NONE #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ #endif #ifndef S_ISDIR #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) #endif /* Application-specific. */ #include "tcpd.h" #include "inetcf.h" #include "scaffold.h" static void usage(char *myname); static void tcpdmatch(struct request_info *request); /* The main program */ int main(argc, argv) int argc; char **argv; { #ifdef INET6 struct addrinfo hints, *hp, *res; #else struct hostent *hp; #endif char *myname = argv[0]; char *client; char *server; char *addr; char *user; char *daemon; struct request_info request; int ch; char *inetcf = 0; int count; #ifdef INET6 struct sockaddr_storage server_sin; struct sockaddr_storage client_sin; #else struct sockaddr_in server_sin; struct sockaddr_in client_sin; #endif struct stat st; /* * Show what rule actually matched. */ hosts_access_verbose = 2; /* * Parse the JCL. */ while ((ch = getopt(argc, argv, "di:")) != EOF) { switch (ch) { case 'd': hosts_allow_table = "hosts.allow"; hosts_deny_table = "hosts.deny"; break; case 'i': inetcf = optarg; break; default: usage(myname); /* NOTREACHED */ } } if (argc != optind + 2) usage(myname); /* * When confusion really strikes... */ if (check_path(REAL_DAEMON_DIR, &st) < 0) { tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR); } else if (!S_ISDIR(st.st_mode)) { tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR); } /* * Default is to specify a daemon process name. When daemon@host is * specified, separate the two parts. */ if ((server = split_at(argv[optind], '@')) == 0) server = unknown; if (argv[optind][0] == '/') { daemon = strrchr(argv[optind], '/') + 1; tcpd_warn("%s: daemon name normalized to: %s", argv[optind], daemon); } else { daemon = argv[optind]; } /* * Default is to specify a client hostname or address. When user@host is * specified, separate the two parts. */ if ((client = split_at(argv[optind + 1], '@')) != 0) { user = argv[optind + 1]; } else { client = argv[optind + 1]; user = unknown; } /* * Analyze the inetd (or tlid) configuration file, so that we can warn * the user about services that may not be wrapped, services that are not * configured, or services that are wrapped in an incorrect manner. Allow * for services that are not run from inetd, or that have tcpd access * control built into them. */ inetcf = inet_cfg(inetcf); inet_set("portmap", WR_NOT); inet_set("rpcbind", WR_NOT); switch (inet_get(daemon)) { case WR_UNKNOWN: tcpd_warn("%s: no such process name in %s", daemon, inetcf); break; case WR_NOT: tcpd_warn("%s: service possibly not wrapped", daemon); break; } /* * Check accessibility of access control files. */ (void) check_path(hosts_allow_table, &st); (void) check_path(hosts_deny_table, &st); /* * Fill in what we have figured out sofar. Use socket and DNS routines * for address and name conversions. We attach stdout to the request so * that banner messages will become visible. */ request_init(&request, RQ_DAEMON, daemon, RQ_USER, user, RQ_FILE, 1, 0); sock_methods(&request); /* * If a server hostname is specified, insist that the name maps to at * most one address. eval_hostname() warns the user about name server * problems, while using the request.server structure as a cache for host * address and name conversion results. */ if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { if ((hp = find_inet_addr(server)) == 0) exit(1); #ifndef INET6 memset((char *) &server_sin, 0, sizeof(server_sin)); server_sin.sin_family = AF_INET; #endif request_set(&request, RQ_SERVER_SIN, &server_sin, 0); #ifdef INET6 for (res = hp, count = 0; res; res = res->ai_next, count++) { memcpy(&server_sin, res->ai_addr, res->ai_addrlen); #else for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { memcpy((char *) &server_sin.sin_addr, addr, sizeof(server_sin.sin_addr)); #endif /* * Force evaluation of server host name and address. Host name * conflicts will be reported while eval_hostname() does its job. */ request_set(&request, RQ_SERVER_NAME, "", RQ_SERVER_ADDR, "", 0); if (STR_EQ(eval_hostname(request.server), unknown)) tcpd_warn("host address %s->name lookup failed", eval_hostaddr(request.server)); } if (count > 1) { fprintf(stderr, "Error: %s has more than one address\n", server); fprintf(stderr, "Please specify an address instead\n"); exit(1); } #ifdef INET6 freeaddrinfo(hp); #else free((char *) hp); #endif } else { request_set(&request, RQ_SERVER_NAME, server, 0); } /* * If a client address is specified, we simulate the effect of client * hostname lookup failure. */ if (dot_quad_addr(client) != INADDR_NONE) { request_set(&request, RQ_CLIENT_ADDR, client, 0); tcpdmatch(&request); exit(0); } #ifdef INET6 memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET6; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; if (getaddrinfo(client, NULL, &hints, &res) == 0) { freeaddrinfo(res); request_set(&request, RQ_CLIENT_ADDR, client, 0); tcpdmatch(&request); exit(0); } #endif /* * Perhaps they are testing special client hostname patterns that aren't * really host names at all. */ if (NOT_INADDR(client) && HOSTNAME_KNOWN(client) == 0) { request_set(&request, RQ_CLIENT_NAME, client, 0); tcpdmatch(&request); exit(0); } /* * Otherwise, assume that a client hostname is specified, and insist that * the address can be looked up. The reason for this requirement is that * in real life the client address is available (at least with IP). Let * eval_hostname() figure out if this host is properly registered, while * using the request.client structure as a cache for host name and * address conversion results. */ if ((hp = find_inet_addr(client)) == 0) exit(1); #ifdef INET6 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); for (res = hp, count = 0; res; res = res->ai_next, count++) { memcpy(&client_sin, res->ai_addr, res->ai_addrlen); /* * getnameinfo() doesn't do reverse lookup against link-local * address. So, we pass through host name evaluation against * such addresses. */ if (res->ai_family != AF_INET6 || !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { /* * Force evaluation of client host name and address. Host name * conflicts will be reported while eval_hostname() does its job. */ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); if (STR_EQ(eval_hostname(request.client), unknown)) tcpd_warn("host address %s->name lookup failed", eval_hostaddr(request.client)); } tcpdmatch(&request); if (res->ai_next) printf("\n"); } freeaddrinfo(hp); #else memset((char *) &client_sin, 0, sizeof(client_sin)); client_sin.sin_family = AF_INET; request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { memcpy((char *) &client_sin.sin_addr, addr, sizeof(client_sin.sin_addr)); /* * Force evaluation of client host name and address. Host name * conflicts will be reported while eval_hostname() does its job. */ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); if (STR_EQ(eval_hostname(request.client), unknown)) tcpd_warn("host address %s->name lookup failed", eval_hostaddr(request.client)); tcpdmatch(&request); if (hp->h_addr_list[count + 1]) printf("\n"); } free((char *) hp); #endif exit(0); } /* Explain how to use this program */ static void usage(myname) char *myname; { fprintf(stderr, "usage: %s [-d] [-i inet_conf] daemon[@host] [user@]host\n", myname); fprintf(stderr, " -d: use allow/deny files in current directory\n"); fprintf(stderr, " -i: location of inetd.conf file\n"); exit(1); } /* Print interesting expansions */ static void expand(text, pattern, request) char *text; char *pattern; struct request_info *request; { char buf[BUFSIZ]; if (STR_NE(percent_x(buf, sizeof(buf), pattern, request), unknown)) printf("%s %s\n", text, buf); } /* Try out a (server,client) pair */ static void tcpdmatch(request) struct request_info *request; { int verdict; /* * Show what we really know. Suppress uninteresting noise. */ expand("client: hostname", "%n", request); expand("client: address ", "%a", request); expand("client: username", "%u", request); expand("server: hostname", "%N", request); expand("server: address ", "%A", request); expand("server: process ", "%d", request); /* * Reset stuff that might be changed by options handlers. In dry-run * mode, extension language routines that would not return should inform * us of their plan, by clearing the dry_run flag. This is a bit clumsy * but we must be able to verify hosts with more than one network * address. */ rfc931_timeout = RFC931_TIMEOUT; allow_severity = SEVERITY; deny_severity = LOG_WARNING; dry_run = 1; /* * When paranoid mode is enabled, access is rejected no matter what the * access control rules say. */ #ifdef PARANOID if (STR_EQ(eval_hostname(request->client), paranoid)) { printf("access: denied (PARANOID mode)\n\n"); return; } #endif /* * Report the access control verdict. */ verdict = hosts_access(request); printf("access: %s\n", dry_run == 0 ? "delegated" : verdict ? "granted" : "denied"); }