1: /* 2: * This module implements a simple access control language that is based on 3: * host (or domain) names, NIS (host) netgroup names, IP addresses (or 4: * network numbers) and daemon process names. When a match is found the 5: * search is terminated, and depending on whether PROCESS_OPTIONS is defined, 6: * a list of options is executed or an optional shell command is executed. 7: * 8: * Host and user names are looked up on demand, provided that suitable endpoint 9: * information is available as sockaddr_in structures or TLI netbufs. As a 10: * side effect, the pattern matching process may change the contents of 11: * request structure fields. 12: * 13: * Diagnostics are reported through syslog(3). 14: * 15: * Compile with -DNETGROUP if your library provides support for netgroups. 16: * 17: * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 18: */ 19: 20: #ifndef lint 21: static char sccsid[] = "@(#) hosts_access.c 1.19 95/01/30 19:51:47"; 22: #endif 23: 24: /* System libraries. */ 25: 26: #include <sys/types.h> 27: #include <sys/param.h> 28: #include <netinet/in.h> 29: #include <arpa/inet.h> 30: #include <stdio.h> 31: #include <syslog.h> 32: #include <ctype.h> 33: #include <errno.h> 34: #include <setjmp.h> 35: #include <string.h> 36: 37: extern char *fgets(); 38: extern int errno; 39: 40: #ifndef INADDR_NONE 41: #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ 42: #endif 43: 44: /* Local stuff. */ 45: 46: #include "tcpd.h" 47: 48: /* Error handling. */ 49: 50: extern jmp_buf tcpd_buf; 51: 52: /* Delimiters for lists of daemons or clients. */ 53: 54: static char sep[] = ", \t\r\n"; 55: 56: /* Constants to be used in assignments only, not in comparisons... */ 57: 58: #define YES 1 59: #define NO 0 60: 61: /* 62: * These variables are globally visible so that they can be redirected in 63: * verification mode. 64: */ 65: 66: char *hosts_allow_table = HOSTS_ALLOW; 67: char *hosts_deny_table = HOSTS_DENY; 68: int hosts_access_verbose = 0; 69: 70: /* Forward declarations. */ 71: 72: static int table_match(); 73: static int list_match(); 74: static int server_match(); 75: static int client_match(); 76: static int host_match(); 77: static int string_match(); 78: static int masked_match(); 79: 80: /* Size of logical line buffer. */ 81: 82: #define BUFLEN 2048 83: 84: /* hosts_access - host access control facility */ 85: 86: int hosts_access(request) 87: struct request_info *request; 88: { 89: int verdict; 90: 91: /* 92: * If the (daemon, client) pair is matched by an entry in the file 93: * /etc/hosts.allow, access is granted. Otherwise, if the (daemon, 94: * client) pair is matched by an entry in the file /etc/hosts.deny, 95: * access is denied. Otherwise, access is granted. A non-existent 96: * access-control file is treated as an empty file. 97: * 98: * After a rule has been matched, the optional language extensions may 99: * decide to grant or refuse service anyway. Or, while a rule is being 100: * processed, a serious error is found, and it seems better to play safe 101: * and deny service. All this is done by jumping back into the 102: * hosts_access() routine, bypassing the regular return from the 103: * table_match() function calls below. 104: */ 105: 106: if ((verdict = setjmp(tcpd_buf)) != 0) 107: return (verdict == AC_PERMIT); 108: if (table_match(hosts_allow_table, request)) 109: return (YES); 110: if (table_match(hosts_deny_table, request)) 111: return (NO); 112: return (YES); 113: } 114: 115: /* table_match - match table entries with (daemon, client) pair */ 116: 117: static int table_match(table, request) 118: char *table; 119: struct request_info *request; 120: { 121: FILE *fp; 122: char sv_list[BUFLEN]; /* becomes list of daemons */ 123: char *cl_list; /* becomes list of clients */ 124: char *sh_cmd; /* becomes optional shell command */ 125: int match = NO; 126: struct tcpd_context saved_context; 127: 128: saved_context = tcpd_context; /* stupid compilers */ 129: 130: /* 131: * Between the fopen() and fclose() calls, avoid jumps that may cause 132: * file descriptor leaks. 133: */ 134: 135: if ((fp = fopen(table, "r")) != 0) { 136: tcpd_context.file = table; 137: tcpd_context.line = 0; 138: while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) { 139: if (sv_list[strlen(sv_list) - 1] != '\n') { 140: tcpd_warn("missing newline or line too long"); 141: continue; 142: } 143: if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) 144: continue; 145: if ((cl_list = split_at(sv_list, ':')) == 0) { 146: tcpd_warn("missing \":\" separator"); 147: continue; 148: } 149: sh_cmd = split_at(cl_list, ':'); 150: match = list_match(sv_list, request, server_match) 151: && list_match(cl_list, request, client_match); 152: } 153: (void) fclose(fp); 154: } else if (errno != ENOENT) { 155: tcpd_warn("cannot open %s: %m", table); 156: } 157: if (match) { 158: if (hosts_access_verbose > 1) 159: syslog(LOG_DEBUG, "matched: %s line %d", 160: tcpd_context.file, tcpd_context.line); 161: if (sh_cmd) { 162: #ifdef PROCESS_OPTIONS 163: process_options(sh_cmd, request); 164: #else 165: char cmd[BUFSIZ]; 166: shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request)); 167: #endif 168: } 169: } 170: tcpd_context = saved_context; 171: return (match); 172: } 173: 174: /* list_match - match a request against a list of patterns with exceptions */ 175: 176: static int list_match(list, request, match_fn) 177: char *list; 178: struct request_info *request; 179: int (*match_fn) (); 180: { 181: char *tok; 182: 183: /* 184: * Process tokens one at a time. We have exhausted all possible matches 185: * when we reach an "EXCEPT" token or the end of the list. If we do find 186: * a match, look for an "EXCEPT" list and recurse to determine whether 187: * the match is affected by any exceptions. 188: */ 189: 190: for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { 191: if (STR_EQ(tok, "EXCEPT")) /* EXCEPT: give up */ 192: return (NO); 193: if (match_fn(tok, request)) { /* YES: look for exceptions */ 194: while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT")) 195: /* VOID */ ; 196: return (tok == 0 || list_match((char *) 0, request, match_fn) == 0); 197: } 198: } 199: return (NO); 200: } 201: 202: /* server_match - match server information */ 203: 204: static int server_match(tok, request) 205: char *tok; 206: struct request_info *request; 207: { 208: char *host; 209: 210: if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */ 211: return (string_match(tok, eval_daemon(request))); 212: } else { /* daemon@host */ 213: return (string_match(tok, eval_daemon(request)) 214: && host_match(host, request->server)); 215: } 216: } 217: 218: /* client_match - match client information */ 219: 220: static int client_match(tok, request) 221: char *tok; 222: struct request_info *request; 223: { 224: char *host; 225: 226: if ((host = split_at(tok + 1, '@')) == 0) { /* plain host */ 227: return (host_match(tok, request->client)); 228: } else { /* user@host */ 229: return (host_match(host, request->client) 230: && string_match(tok, eval_user(request))); 231: } 232: } 233: 234: /* host_match - match host name and/or address against pattern */ 235: 236: static int host_match(tok, host) 237: char *tok; 238: struct host_info *host; 239: { 240: char *mask; 241: 242: /* 243: * This code looks a little hairy because we want to avoid unnecessary 244: * hostname lookups. 245: * 246: * The KNOWN pattern requires that both address AND name be known; some 247: * patterns are specific to host names or to host addresses; all other 248: * patterns are satisfied when either the address OR the name match. 249: */ 250: 251: if (tok[0] == '@') { /* netgroup: look it up */ 252: #ifdef NETGROUP 253: static char *mydomain = 0; 254: if (mydomain == 0) 255: yp_get_default_domain(&mydomain); 256: return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain)); 257: #else 258: tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ 259: return (NO); 260: #endif 261: } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ 262: char *name = eval_hostname(host); 263: return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); 264: } else if (STR_EQ(tok, "LOCAL")) { /* local: no dots in name */ 265: char *name = eval_hostname(host); 266: return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name)); 267: } else if ((mask = split_at(tok, '/')) != 0) { /* net/mask */ 268: return (masked_match(tok, mask, eval_hostaddr(host))); 269: } else { /* anything else */ 270: return (string_match(tok, eval_hostaddr(host)) 271: || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host)))); 272: } 273: } 274: 275: /* string_match - match string against pattern */ 276: 277: static int string_match(tok, string) 278: char *tok; 279: char *string; 280: { 281: int n; 282: 283: if (tok[0] == '.') { /* suffix */ 284: n = strlen(string) - strlen(tok); 285: return (n > 0 && STR_EQ(tok, string + n)); 286: } else if (STR_EQ(tok, "ALL")) { /* all: match any */ 287: return (YES); 288: } else if (STR_EQ(tok, "KNOWN")) { /* not unknown */ 289: return (STR_NE(string, unknown)); 290: } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ 291: return (STRN_EQ(tok, string, n)); 292: } else { /* exact match */ 293: return (STR_EQ(tok, string)); 294: } 295: } 296: 297: /* masked_match - match address against netnumber/netmask */ 298: 299: static int masked_match(net_tok, mask_tok, string) 300: char *net_tok; 301: char *mask_tok; 302: char *string; 303: { 304: unsigned long net; 305: unsigned long mask; 306: unsigned long addr; 307: 308: /* 309: * Disallow forms other than dotted quad: the treatment that inet_addr() 310: * gives to forms with less than four components is inconsistent with the 311: * access control language. John P. Rouillard <rouilj@cs.umb.edu>. 312: */ 313: 314: if ((addr = dot_quad_addr(string)) == INADDR_NONE) 315: return (NO); 316: if ((net = dot_quad_addr(net_tok)) == INADDR_NONE 317: || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { 318: tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); 319: return (NO); /* not tcpd_jump() */ 320: } 321: return ((addr & mask) == net); 322: }
Defined functions
hosts_access
defined in line 86; used 5 times
- in /usr/src/libexec/tcpd/hosts_ctl.c line 32
- in /usr/src/libexec/tcpd/miscd.c line 107
- in /usr/src/libexec/tcpd/tcpd.c line 117
- in /usr/src/libexec/tcpd/tcpd.h line 69
- in /usr/src/libexec/tcpd/tcpdmatch.c line 311
Defined variables
hosts_access_verbose
defined in line 68; used 9 times
- in line 158
- in /usr/src/libexec/tcpd/tcpdchk.c line 111, 127, 210-218(3), 236-241(2)
- in /usr/src/libexec/tcpd/tcpdmatch.c line 74
hosts_allow_table
defined in line 66; used 6 times
- in line 108
- in /usr/src/libexec/tcpd/tcpdchk.c line 104, 139, 159
- in /usr/src/libexec/tcpd/tcpdmatch.c line 82, 142
hosts_deny_table
defined in line 67; used 6 times
- in line 110
- in /usr/src/libexec/tcpd/tcpdchk.c line 105, 140, 161
- in /usr/src/libexec/tcpd/tcpdmatch.c line 83, 143
Defined macros
|
Last modified: 1995-01-30
Generated: 2016-12-26 |
Generated by src2html V0.67
page hit count: 3694 |
|