1:  /*
   2:   * This module implements a simple access control language that is based on
   3:   * host (or domain) names, NIS (host) netgroup names, IP addresses (or
   4:   * network numbers) and daemon process names. When a match is found the
   5:   * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
   6:   * a list of options is executed or an optional shell command is executed.
   7:   *
   8:   * Host and user names are looked up on demand, provided that suitable endpoint
   9:   * information is available as sockaddr_in structures or TLI netbufs. As a
  10:   * side effect, the pattern matching process may change the contents of
  11:   * request structure fields.
  12:   *
  13:   * Diagnostics are reported through syslog(3).
  14:   *
  15:   * Compile with -DNETGROUP if your library provides support for netgroups.
  16:   *
  17:   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
  18:   */
  19: 
  20: #ifndef lint
  21: static char sccsid[] = "@(#) hosts_access.c 1.19 95/01/30 19:51:47";
  22: #endif
  23: 
  24: /* System libraries. */
  25: 
  26: #include <sys/types.h>
  27: #include <sys/param.h>
  28: #include <netinet/in.h>
  29: #include <arpa/inet.h>
  30: #include <stdio.h>
  31: #include <syslog.h>
  32: #include <ctype.h>
  33: #include <errno.h>
  34: #include <setjmp.h>
  35: #include <string.h>
  36: 
  37: extern char *fgets();
  38: extern int errno;
  39: 
  40: #ifndef INADDR_NONE
  41: #define INADDR_NONE (-1)        /* XXX should be 0xffffffff */
  42: #endif
  43: 
  44: /* Local stuff. */
  45: 
  46: #include "tcpd.h"
  47: 
  48: /* Error handling. */
  49: 
  50: extern jmp_buf tcpd_buf;
  51: 
  52: /* Delimiters for lists of daemons or clients. */
  53: 
  54: static char sep[] = ", \t\r\n";
  55: 
  56: /* Constants to be used in assignments only, not in comparisons... */
  57: 
  58: #define YES     1
  59: #define NO      0
  60: 
  61:  /*
  62:   * These variables are globally visible so that they can be redirected in
  63:   * verification mode.
  64:   */
  65: 
  66: char   *hosts_allow_table = HOSTS_ALLOW;
  67: char   *hosts_deny_table = HOSTS_DENY;
  68: int     hosts_access_verbose = 0;
  69: 
  70: /* Forward declarations. */
  71: 
  72: static int table_match();
  73: static int list_match();
  74: static int server_match();
  75: static int client_match();
  76: static int host_match();
  77: static int string_match();
  78: static int masked_match();
  79: 
  80: /* Size of logical line buffer. */
  81: 
  82: #define BUFLEN 2048
  83: 
  84: /* hosts_access - host access control facility */
  85: 
  86: int     hosts_access(request)
  87: struct request_info *request;
  88: {
  89:     int     verdict;
  90: 
  91:     /*
  92:      * If the (daemon, client) pair is matched by an entry in the file
  93:      * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
  94:      * client) pair is matched by an entry in the file /etc/hosts.deny,
  95:      * access is denied. Otherwise, access is granted. A non-existent
  96:      * access-control file is treated as an empty file.
  97:      *
  98:      * After a rule has been matched, the optional language extensions may
  99:      * decide to grant or refuse service anyway. Or, while a rule is being
 100:      * processed, a serious error is found, and it seems better to play safe
 101:      * and deny service. All this is done by jumping back into the
 102:      * hosts_access() routine, bypassing the regular return from the
 103:      * table_match() function calls below.
 104:      */
 105: 
 106:     if ((verdict = setjmp(tcpd_buf)) != 0)
 107:     return (verdict == AC_PERMIT);
 108:     if (table_match(hosts_allow_table, request))
 109:     return (YES);
 110:     if (table_match(hosts_deny_table, request))
 111:     return (NO);
 112:     return (YES);
 113: }
 114: 
 115: /* table_match - match table entries with (daemon, client) pair */
 116: 
 117: static int table_match(table, request)
 118: char   *table;
 119: struct request_info *request;
 120: {
 121:     FILE   *fp;
 122:     char    sv_list[BUFLEN];        /* becomes list of daemons */
 123:     char   *cl_list;            /* becomes list of clients */
 124:     char   *sh_cmd;         /* becomes optional shell command */
 125:     int     match = NO;
 126:     struct tcpd_context saved_context;
 127: 
 128:     saved_context = tcpd_context;       /* stupid compilers */
 129: 
 130:     /*
 131:      * Between the fopen() and fclose() calls, avoid jumps that may cause
 132:      * file descriptor leaks.
 133:      */
 134: 
 135:     if ((fp = fopen(table, "r")) != 0) {
 136:     tcpd_context.file = table;
 137:     tcpd_context.line = 0;
 138:     while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
 139:         if (sv_list[strlen(sv_list) - 1] != '\n') {
 140:         tcpd_warn("missing newline or line too long");
 141:         continue;
 142:         }
 143:         if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
 144:         continue;
 145:         if ((cl_list = split_at(sv_list, ':')) == 0) {
 146:         tcpd_warn("missing \":\" separator");
 147:         continue;
 148:         }
 149:         sh_cmd = split_at(cl_list, ':');
 150:         match = list_match(sv_list, request, server_match)
 151:         && list_match(cl_list, request, client_match);
 152:     }
 153:     (void) fclose(fp);
 154:     } else if (errno != ENOENT) {
 155:     tcpd_warn("cannot open %s: %m", table);
 156:     }
 157:     if (match) {
 158:     if (hosts_access_verbose > 1)
 159:         syslog(LOG_DEBUG, "matched:  %s line %d",
 160:            tcpd_context.file, tcpd_context.line);
 161:     if (sh_cmd) {
 162: #ifdef PROCESS_OPTIONS
 163:         process_options(sh_cmd, request);
 164: #else
 165:         char    cmd[BUFSIZ];
 166:         shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
 167: #endif
 168:     }
 169:     }
 170:     tcpd_context = saved_context;
 171:     return (match);
 172: }
 173: 
 174: /* list_match - match a request against a list of patterns with exceptions */
 175: 
 176: static int list_match(list, request, match_fn)
 177: char   *list;
 178: struct request_info *request;
 179: int   (*match_fn) ();
 180: {
 181:     char   *tok;
 182: 
 183:     /*
 184:      * Process tokens one at a time. We have exhausted all possible matches
 185:      * when we reach an "EXCEPT" token or the end of the list. If we do find
 186:      * a match, look for an "EXCEPT" list and recurse to determine whether
 187:      * the match is affected by any exceptions.
 188:      */
 189: 
 190:     for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
 191:     if (STR_EQ(tok, "EXCEPT"))      /* EXCEPT: give up */
 192:         return (NO);
 193:     if (match_fn(tok, request)) {       /* YES: look for exceptions */
 194:         while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))
 195:          /* VOID */ ;
 196:         return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);
 197:     }
 198:     }
 199:     return (NO);
 200: }
 201: 
 202: /* server_match - match server information */
 203: 
 204: static int server_match(tok, request)
 205: char   *tok;
 206: struct request_info *request;
 207: {
 208:     char   *host;
 209: 
 210:     if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */
 211:     return (string_match(tok, eval_daemon(request)));
 212:     } else {                    /* daemon@host */
 213:     return (string_match(tok, eval_daemon(request))
 214:         && host_match(host, request->server));
 215:     }
 216: }
 217: 
 218: /* client_match - match client information */
 219: 
 220: static int client_match(tok, request)
 221: char   *tok;
 222: struct request_info *request;
 223: {
 224:     char   *host;
 225: 
 226:     if ((host = split_at(tok + 1, '@')) == 0) { /* plain host */
 227:     return (host_match(tok, request->client));
 228:     } else {                    /* user@host */
 229:     return (host_match(host, request->client)
 230:         && string_match(tok, eval_user(request)));
 231:     }
 232: }
 233: 
 234: /* host_match - match host name and/or address against pattern */
 235: 
 236: static int host_match(tok, host)
 237: char   *tok;
 238: struct host_info *host;
 239: {
 240:     char   *mask;
 241: 
 242:     /*
 243:      * This code looks a little hairy because we want to avoid unnecessary
 244:      * hostname lookups.
 245:      *
 246:      * The KNOWN pattern requires that both address AND name be known; some
 247:      * patterns are specific to host names or to host addresses; all other
 248:      * patterns are satisfied when either the address OR the name match.
 249:      */
 250: 
 251:     if (tok[0] == '@') {            /* netgroup: look it up */
 252: #ifdef  NETGROUP
 253:     static char *mydomain = 0;
 254:     if (mydomain == 0)
 255:         yp_get_default_domain(&mydomain);
 256:     return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));
 257: #else
 258:     tcpd_warn("netgroup support is disabled");  /* not tcpd_jump() */
 259:     return (NO);
 260: #endif
 261:     } else if (STR_EQ(tok, "KNOWN")) {      /* check address and name */
 262:     char   *name = eval_hostname(host);
 263:     return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
 264:     } else if (STR_EQ(tok, "LOCAL")) {      /* local: no dots in name */
 265:     char   *name = eval_hostname(host);
 266:     return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
 267:     } else if ((mask = split_at(tok, '/')) != 0) {  /* net/mask */
 268:     return (masked_match(tok, mask, eval_hostaddr(host)));
 269:     } else {                    /* anything else */
 270:     return (string_match(tok, eval_hostaddr(host))
 271:         || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
 272:     }
 273: }
 274: 
 275: /* string_match - match string against pattern */
 276: 
 277: static int string_match(tok, string)
 278: char   *tok;
 279: char   *string;
 280: {
 281:     int     n;
 282: 
 283:     if (tok[0] == '.') {            /* suffix */
 284:     n = strlen(string) - strlen(tok);
 285:     return (n > 0 && STR_EQ(tok, string + n));
 286:     } else if (STR_EQ(tok, "ALL")) {        /* all: match any */
 287:     return (YES);
 288:     } else if (STR_EQ(tok, "KNOWN")) {      /* not unknown */
 289:     return (STR_NE(string, unknown));
 290:     } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */
 291:     return (STRN_EQ(tok, string, n));
 292:     } else {                    /* exact match */
 293:     return (STR_EQ(tok, string));
 294:     }
 295: }
 296: 
 297: /* masked_match - match address against netnumber/netmask */
 298: 
 299: static int masked_match(net_tok, mask_tok, string)
 300: char   *net_tok;
 301: char   *mask_tok;
 302: char   *string;
 303: {
 304:     unsigned long net;
 305:     unsigned long mask;
 306:     unsigned long addr;
 307: 
 308:     /*
 309:      * Disallow forms other than dotted quad: the treatment that inet_addr()
 310:      * gives to forms with less than four components is inconsistent with the
 311:      * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
 312:      */
 313: 
 314:     if ((addr = dot_quad_addr(string)) == INADDR_NONE)
 315:     return (NO);
 316:     if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
 317:     || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
 318:     tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
 319:     return (NO);                /* not tcpd_jump() */
 320:     }
 321:     return ((addr & mask) == net);
 322: }

Defined functions

client_match defined in line 220; used 2 times
host_match defined in line 236; used 4 times
list_match defined in line 176; used 4 times
masked_match defined in line 299; used 2 times
server_match defined in line 204; used 2 times
string_match defined in line 277; used 6 times
table_match defined in line 117; used 3 times

Defined variables

hosts_access_verbose defined in line 68; used 9 times
hosts_allow_table defined in line 66; used 6 times
hosts_deny_table defined in line 67; used 6 times
sccsid defined in line 21; never used
sep defined in line 54; used 3 times

Defined macros

BUFLEN defined in line 82; used 1 times
INADDR_NONE defined in line 41; used 4 times
NO defined in line 59; used 8 times
YES defined in line 58; used 3 times
Last modified: 1995-01-30
Generated: 2016-12-26
Generated by src2html V0.67
page hit count: 3642
Valid CSS Valid XHTML 1.0 Strict