From f1fab66e7dda396e0a899dafaddb9c3ac4edfcfe Mon Sep 17 00:00:00 2001 From: David van Moolenbroek Date: Fri, 17 Feb 2017 11:40:49 +0000 Subject: [PATCH] Import NetBSD libwrap Change-Id: Ib8b979fb9a96c2048b8ea93038944c743048bff4 --- distrib/sets/lists/minix-base/mi | 3 + distrib/sets/lists/minix-comp/mi | 4 + distrib/sets/lists/minix-debug/mi | 2 + distrib/sets/lists/minix-man/mi | 8 + lib/Makefile | 2 +- lib/libwrap/DISCLAIMER | 17 + lib/libwrap/Makefile | 22 ++ lib/libwrap/Makefile.cflags | 23 ++ lib/libwrap/clean_exit.c | 49 +++ lib/libwrap/diag.c | 93 +++++ lib/libwrap/eval.c | 143 +++++++ lib/libwrap/fix_options.c | 146 +++++++ lib/libwrap/hosts_access.3 | 96 +++++ lib/libwrap/hosts_access.5 | 424 ++++++++++++++++++++ lib/libwrap/hosts_access.c | 569 +++++++++++++++++++++++++++ lib/libwrap/hosts_ctl.c | 42 ++ lib/libwrap/hosts_options.5 | 189 +++++++++ lib/libwrap/libwrap2netbsd | 56 +++ lib/libwrap/misc.c | 92 +++++ lib/libwrap/mystdarg.h | 18 + lib/libwrap/options.c | 634 ++++++++++++++++++++++++++++++ lib/libwrap/percent_x.c | 92 +++++ lib/libwrap/refuse.c | 39 ++ lib/libwrap/rfc931.c | 237 +++++++++++ lib/libwrap/shell_cmd.c | 98 +++++ lib/libwrap/shlib_version | 5 + lib/libwrap/socket.c | 291 ++++++++++++++ lib/libwrap/tcpd.h | 209 ++++++++++ lib/libwrap/update.c | 128 ++++++ 29 files changed, 3730 insertions(+), 1 deletion(-) create mode 100644 lib/libwrap/DISCLAIMER create mode 100644 lib/libwrap/Makefile create mode 100644 lib/libwrap/Makefile.cflags create mode 100644 lib/libwrap/clean_exit.c create mode 100644 lib/libwrap/diag.c create mode 100644 lib/libwrap/eval.c create mode 100644 lib/libwrap/fix_options.c create mode 100644 lib/libwrap/hosts_access.3 create mode 100644 lib/libwrap/hosts_access.5 create mode 100644 lib/libwrap/hosts_access.c create mode 100644 lib/libwrap/hosts_ctl.c create mode 100644 lib/libwrap/hosts_options.5 create mode 100755 lib/libwrap/libwrap2netbsd create mode 100644 lib/libwrap/misc.c create mode 100644 lib/libwrap/mystdarg.h create mode 100644 lib/libwrap/options.c create mode 100644 lib/libwrap/percent_x.c create mode 100644 lib/libwrap/refuse.c create mode 100644 lib/libwrap/rfc931.c create mode 100644 lib/libwrap/shell_cmd.c create mode 100644 lib/libwrap/shlib_version create mode 100644 lib/libwrap/socket.c create mode 100644 lib/libwrap/tcpd.h create mode 100644 lib/libwrap/update.c diff --git a/distrib/sets/lists/minix-base/mi b/distrib/sets/lists/minix-base/mi index 691020628..d08cca0e7 100644 --- a/distrib/sets/lists/minix-base/mi +++ b/distrib/sets/lists/minix-base/mi @@ -936,6 +936,9 @@ ./usr/lib/libutil.so.7 minix-base ./usr/lib/libutil.so.7.21 minix-base obsolete ./usr/lib/libutil.so.7.23 minix-base +./usr/lib/libwrap.so minix-base +./usr/lib/libwrap.so.1 minix-base +./usr/lib/libwrap.so.1.0 minix-base ./usr/lib/libz.so minix-base ./usr/lib/libz.so.1 minix-base ./usr/lib/libz.so.1.0 minix-base diff --git a/distrib/sets/lists/minix-comp/mi b/distrib/sets/lists/minix-comp/mi index cb3a3be9e..0fa3ef24a 100644 --- a/distrib/sets/lists/minix-comp/mi +++ b/distrib/sets/lists/minix-comp/mi @@ -1789,6 +1789,7 @@ ./usr/include/sysexits.h minix-comp ./usr/include/syslog.h minix-comp ./usr/include/tar.h minix-comp +./usr/include/tcpd.h minix-comp ./usr/include/term.h minix-comp ./usr/include/termcap.h minix-comp ./usr/include/termios.h minix-comp @@ -1944,6 +1945,7 @@ ./usr/lib/bc/libvboxfs.a minix-comp bitcode ./usr/lib/bc/libvirtio.a minix-comp bitcode ./usr/lib/bc/libvtreefs.a minix-comp bitcode +./usr/lib/bc/libwrap.a minix-comp bitcode ./usr/lib/bc/libz.a minix-comp bitcode ./usr/lib/i18n/bc minix-comp bitcode ./usr/lib/i18n/bc/libBIG5.a minix-comp bitcode @@ -2117,6 +2119,8 @@ ./usr/lib/libutil_pic.a minix-comp ./usr/lib/libvtreefs.a minix-comp ./usr/lib/libvtreefs_pic.a minix-comp +./usr/lib/libwrap.a minix-comp +./usr/lib/libwrap_pic.a minix-comp ./usr/lib/libz.a minix-comp ./usr/lib/libz_pic.a minix-comp ./usr/libexec/cc1 minix-comp gcccmds diff --git a/distrib/sets/lists/minix-debug/mi b/distrib/sets/lists/minix-debug/mi index f49295b07..dfa0f6a1b 100644 --- a/distrib/sets/lists/minix-debug/mi +++ b/distrib/sets/lists/minix-debug/mi @@ -110,6 +110,7 @@ ./usr/lib/libusb_g.a minix-debug debuglib ./usr/lib/libutil_g.a minix-debug debuglib ./usr/lib/libvtreefs_g.a minix-debug debuglib +./usr/lib/libwrap_g.a minix-debug debuglib ./usr/lib/libz_g.a minix-debug debuglib ./usr/libdata minix-debug ./usr/libdata/debug minix-debug @@ -567,6 +568,7 @@ ./usr/libdata/debug/usr/lib/libsys.so.0.0.debug minix-debug debug ./usr/libdata/debug/usr/lib/libterminfo.so.1.0.debug minix-debug debug ./usr/libdata/debug/usr/lib/libutil.so.7.23.debug minix-debug debug +./usr/libdata/debug/usr/lib/libwrap.so.1.0.debug minix-debug debug ./usr/libdata/debug/usr/lib/libz.so.1.0.debug minix-debug debug ./usr/libdata/debug/usr/libexec minix-debug ./usr/libdata/debug/usr/libexec/atf-check.debug minix-debug debug diff --git a/distrib/sets/lists/minix-man/mi b/distrib/sets/lists/minix-man/mi index 84642640f..a957cab59 100644 --- a/distrib/sets/lists/minix-man/mi +++ b/distrib/sets/lists/minix-man/mi @@ -1920,6 +1920,8 @@ ./usr/man/man3/history_init.3 minix-man ./usr/man/man3/hline.3 minix-man ./usr/man/man3/hostalias.3 minix-man +./usr/man/man3/hosts_access.3 minix-man +./usr/man/man3/hosts_ctl.3 minix-man ./usr/man/man3/hsearch.3 minix-man ./usr/man/man3/hsearch_r.3 minix-man ./usr/man/man3/hstrerror.3 minix-man @@ -2671,6 +2673,8 @@ ./usr/man/man3/remque.3 minix-man ./usr/man/man3/remquo.3 minix-man ./usr/man/man3/remquof.3 minix-man +./usr/man/man3/request_init.3 minix-man +./usr/man/man3/request_set.3 minix-man ./usr/man/man3/res_close.3 minix-man ./usr/man/man3/res_findzonecut.3 minix-man ./usr/man/man3/res_getservers.3 minix-man @@ -3285,6 +3289,10 @@ ./usr/man/man5/gettytab.5 minix-man ./usr/man/man5/group.5 minix-man ./usr/man/man5/hosts.5 minix-man +./usr/man/man5/hosts.allow.5 minix-man +./usr/man/man5/hosts.deny.5 minix-man +./usr/man/man5/hosts_access.5 minix-man +./usr/man/man5/hosts_options.5 minix-man ./usr/man/man5/http_status.5 minix-man obsolete ./usr/man/man5/httpd.conf.5 minix-man obsolete ./usr/man/man5/info.5 minix-man diff --git a/lib/Makefile b/lib/Makefile index 3d30851d5..d46144741 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -81,7 +81,7 @@ SUBDIR+= \ libpci libprop \ libpuffs librmt \ libterminfo \ - libutil libz + libutil libwrap libz .if !defined(BSD_MK_COMPAT_FILE) #SUBDIR+= libkern diff --git a/lib/libwrap/DISCLAIMER b/lib/libwrap/DISCLAIMER new file mode 100644 index 000000000..17780ab79 --- /dev/null +++ b/lib/libwrap/DISCLAIMER @@ -0,0 +1,17 @@ +/* $NetBSD: DISCLAIMER,v 1.3 2001/06/02 05:20:56 itojun Exp $ */ +/************************************************************************ +* Copyright 1995 by Wietse Venema. All rights reserved. Some individual +* files may be covered by other copyrights. +* +* This material was originally written and compiled by Wietse Venema at +* Eindhoven University of Technology, The Netherlands, in 1990, 1991, +* 1992, 1993, 1994 and 1995. +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that this entire copyright notice +* is duplicated in all such copies. +* +* This software is provided "as is" and without any expressed or implied +* warranties, including, without limitation, the implied warranties of +* merchantibility and fitness for any particular purpose. +************************************************************************/ diff --git a/lib/libwrap/Makefile b/lib/libwrap/Makefile new file mode 100644 index 000000000..f1387e1c8 --- /dev/null +++ b/lib/libwrap/Makefile @@ -0,0 +1,22 @@ +# $NetBSD: Makefile,v 1.10 2007/05/28 12:06:22 tls Exp $ + +USE_FORT?= yes # network server + +LIB= wrap + +SRCS= hosts_access.c options.c shell_cmd.c rfc931.c eval.c hosts_ctl.c \ + refuse.c percent_x.c clean_exit.c fix_options.c socket.c \ + update.c misc.c diag.c +MAN= hosts_access.3 hosts_access.5 hosts_options.5 +MLINKS+=hosts_access.5 hosts.allow.5 +MLINKS+=hosts_access.5 hosts.deny.5 +MLINKS+=hosts_access.3 hosts_ctl.3 +MLINKS+=hosts_access.3 request_init.3 +MLINKS+=hosts_access.3 request_set.3 + +INCS= tcpd.h +INCSDIR=/usr/include + +.include "Makefile.cflags" + +.include diff --git a/lib/libwrap/Makefile.cflags b/lib/libwrap/Makefile.cflags new file mode 100644 index 000000000..fc3c6a0ea --- /dev/null +++ b/lib/libwrap/Makefile.cflags @@ -0,0 +1,23 @@ +# $NetBSD: Makefile.cflags,v 1.8 2005/01/10 02:58:58 lukem Exp $ + +.include + +CPPFLAGS+=-DFACILITY=LOG_AUTHPRIV -DSEVERITY=LOG_INFO +CPPFLAGS+=-DREAL_DAEMON_DIR=\"/usr/libexec\" -DHOSTS_ACCESS -DDAEMON_UMASK=022 +CPPFLAGS+=-DRFC931_TIMEOUT=10 -DALWAYS_HOSTNAME +CPPFLAGS+=-DHOSTS_ALLOW=\"/etc/hosts.allow\" -DHOSTS_DENY=\"/etc/hosts.deny\" +CPPFLAGS+=-DPROCESS_OPTIONS + +.if (${USE_YP} != "no") +CPPFLAGS+=-DNETGROUP +.endif + +# -DPARANOID is not used by libwrap, only by programs that use it. +# in this case inetd does not use it (probably rightly so) and so +# we don't want to use it in wrapper-related utilities (such as +# tcpdmatch) that include this file. +#CPPFLAGS+=-DPARANOID + +.if (${USE_INET6} != "no") +CPPFLAGS+=-DINET6 +.endif diff --git a/lib/libwrap/clean_exit.c b/lib/libwrap/clean_exit.c new file mode 100644 index 000000000..467ba9333 --- /dev/null +++ b/lib/libwrap/clean_exit.c @@ -0,0 +1,49 @@ +/* $NetBSD: clean_exit.c,v 1.5 2012/03/21 10:10:37 matt Exp $ */ + + /* + * clean_exit() cleans up and terminates the program. It should be called + * instead of exit() when for some reason the real network daemon will not or + * cannot be run. Reason: in the case of a datagram-oriented service we must + * discard the not-yet received data from the client. Otherwise, inetd will + * see the same datagram again and again, and go into a loop. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) clean_exit.c 1.4 94/12/28 17:42:19"; +#else +__RCSID("$NetBSD: clean_exit.c,v 1.5 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +#include +#include +#include + +#include "tcpd.h" + +/* clean_exit - clean up and exit */ + +void +clean_exit(struct request_info *request) +{ + + /* + * In case of unconnected protocols we must eat up the not-yet received + * data or inetd will loop. + */ + + if (request->sink) + request->sink(request->fd); + + /* + * Be kind to the inetd. We already reported the problem via the syslogd, + * and there is no need for additional garbage in the logfile. + */ + + sleep(5); + exit(0); +} diff --git a/lib/libwrap/diag.c b/lib/libwrap/diag.c new file mode 100644 index 000000000..caacb72cc --- /dev/null +++ b/lib/libwrap/diag.c @@ -0,0 +1,93 @@ +/* $NetBSD: diag.c,v 1.10 2012/03/22 22:58:15 joerg Exp $ */ + + /* + * Routines to report various classes of problems. Each report is decorated + * with the current context (file name and line number), if available. + * + * tcpd_warn() reports a problem and proceeds. + * + * tcpd_jump() reports a problem and jumps. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) diag.c 1.1 94/12/28 17:42:20"; +#else +__RCSID("$NetBSD: diag.c,v 1.10 2012/03/22 22:58:15 joerg Exp $"); +#endif +#endif + +/* System libraries */ + +#include +#include +#include +#include +#include +#include +#include + +/* Local stuff */ + +#include "tcpd.h" + +struct tcpd_context tcpd_context; +jmp_buf tcpd_buf; + +static void tcpd_diag(int, const char *, const char *, va_list) + __printflike(3,0); + +/* tcpd_diag - centralize error reporter */ + +static void +tcpd_diag(int severity, const char *tag, const char *fmt, va_list ap) +{ + char *buf; + int oerrno; + + /* save errno in case we need it */ + oerrno = errno; + + if (vasprintf(&buf, fmt, ap) == -1) + buf = __UNCONST(fmt); + + errno = oerrno; + + /* contruct the tag for the log entry */ + if (tcpd_context.file) + syslog(severity, "%s: %s, line %d: %s", + tag, tcpd_context.file, tcpd_context.line, buf); + else + syslog(severity, "%s: %s", tag, buf); + + if (buf != fmt) + free(buf); +} + +/* tcpd_warn - report problem of some sort and proceed */ + +void +tcpd_warn(const char *format, ...) +{ + va_list ap; + + va_start(ap, format); + tcpd_diag(LOG_ERR, "warning", format, ap); + va_end(ap); +} + +/* tcpd_jump - report serious problem and jump */ + +void +tcpd_jump(const char *format, ...) +{ + va_list ap; + + va_start(ap, format); + tcpd_diag(LOG_ERR, "error", format, ap); + va_end(ap); + longjmp(tcpd_buf, AC_ERROR); +} diff --git a/lib/libwrap/eval.c b/lib/libwrap/eval.c new file mode 100644 index 000000000..db10d588a --- /dev/null +++ b/lib/libwrap/eval.c @@ -0,0 +1,143 @@ +/* $NetBSD: eval.c,v 1.7 2012/03/21 10:10:37 matt Exp $ */ + + /* + * Routines for controlled evaluation of host names, user names, and so on. + * They are, in fact, wrappers around the functions that are specific for + * the sockets or TLI programming interfaces. The request_info and host_info + * structures are used for result cacheing. + * + * These routines allows us to postpone expensive operations until their + * results are really needed. Examples are hostname lookups and double + * checks, or username lookups. Information that cannot be retrieved is + * given the value "unknown" ("paranoid" in case of hostname problems). + * + * When ALWAYS_HOSTNAME is off, hostname lookup is done only when required by + * tcpd paranoid mode, by access control patterns, or by %letter expansions. + * + * When ALWAYS_RFC931 mode is off, user lookup is done only when required by + * access control patterns or %letter expansions. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) eval.c 1.3 95/01/30 19:51:45"; +#else +__RCSID("$NetBSD: eval.c,v 1.7 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + + /* + * When a string has the value STRING_UNKNOWN, it means: don't bother, I + * tried to look up the data but it was unavailable for some reason. When a + * host name has the value STRING_PARANOID it means there was a name/address + * conflict. + */ +char unknown[] = STRING_UNKNOWN; +char paranoid[] = STRING_PARANOID; + +/* eval_user - look up user name */ + +char * +eval_user(struct request_info *request) +{ + if (request->user[0] == 0) { + (void)strlcpy(request->user, unknown, sizeof(request->user)); + if (request->sink == 0 && request->client->sin && request->server->sin) + rfc931(request->client->sin, request->server->sin, request->user); + } + return (request->user); +} + +/* eval_hostaddr - look up printable address */ + +char * +eval_hostaddr(struct host_info *host) +{ + if (host->addr[0] == 0) { + (void)strlcpy(host->addr, unknown, sizeof(host->addr)); + if (host->request->hostaddr != 0) + host->request->hostaddr(host); + } + return (host->addr); +} + +/* eval_hostname - look up host name */ + +char * +eval_hostname(struct host_info *host) +{ + if (host->name[0] == 0) { + (void)strlcpy(host->name, unknown, sizeof(host->name)); + if (host->request->hostname != 0) + host->request->hostname(host); + } + return (host->name); +} + +/* eval_hostinfo - return string with host name (preferred) or address */ + +char * +eval_hostinfo(struct host_info *host) +{ + char *hostname; + +#ifndef ALWAYS_HOSTNAME /* no implicit host lookups */ + if (host->name[0] == 0) + return (eval_hostaddr(host)); +#endif + hostname = eval_hostname(host); + if (HOSTNAME_KNOWN(hostname)) { + return (host->name); + } else { + return (eval_hostaddr(host)); + } +} + +/* eval_client - return string with as much about the client as we know */ + +char * +eval_client(struct request_info *request) +{ + static char both[2 * STRING_LENGTH]; + char *hostinfo = eval_hostinfo(request->client); + +#ifndef ALWAYS_RFC931 /* no implicit user lookups */ + if (request->user[0] == 0) + return (hostinfo); +#endif + if (STR_NE(eval_user(request), unknown)) { + (void)snprintf(both, sizeof both, "%s@%s", request->user, hostinfo); + return (both); + } else { + return (hostinfo); + } +} + +/* eval_server - return string with as much about the server as we know */ + +char * +eval_server(struct request_info *request) +{ + static char both[2 * STRING_LENGTH]; + char *host = eval_hostinfo(request->server); + char *daemon = eval_daemon(request); + + if (STR_NE(host, unknown)) { + (void)snprintf(both, sizeof both, "%s@%s", daemon, host); + return (both); + } else { + return (daemon); + } +} diff --git a/lib/libwrap/fix_options.c b/lib/libwrap/fix_options.c new file mode 100644 index 000000000..51f24d0be --- /dev/null +++ b/lib/libwrap/fix_options.c @@ -0,0 +1,146 @@ +/* $NetBSD: fix_options.c,v 1.11 2012/03/21 10:10:37 matt Exp $ */ + + /* + * Routine to disable IP-level socket options. This code was taken from 4.4BSD + * rlogind and kernel source, but all mistakes in it are my fault. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19"; +#else +__RCSID("$NetBSD: fix_options.c,v 1.11 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef IPOPT_OPTVAL +#define IPOPT_OPTVAL 0 +#define IPOPT_OLEN 1 +#endif + +#include "tcpd.h" + +#define BUFFER_SIZE 512 /* Was: BUFSIZ */ + +/* fix_options - get rid of IP-level socket options */ + +void +fix_options(struct request_info *request) +{ +#ifdef IP_OPTIONS + unsigned char optbuf[BUFFER_SIZE / 3], *cp; + char lbuf[BUFFER_SIZE], *lp; + int ipproto; + socklen_t optsize = sizeof(optbuf); + struct protoent *ip; + int fd = request->fd; + int len = sizeof lbuf; + unsigned int opt; + int optlen; + struct in_addr dummy; + struct sockaddr_storage ss; + socklen_t sslen; + + /* + * check if this is AF_INET socket + * XXX IPv6 support? + */ + sslen = sizeof(ss); + if (getsockname(fd, (struct sockaddr *)(void *)&ss, &sslen) < 0) { + syslog(LOG_ERR, "getsockname: %m"); + clean_exit(request); + } + if (ss.ss_family != AF_INET) + return; + + if ((ip = getprotobyname("ip")) != 0) + ipproto = ip->p_proto; + else + ipproto = IPPROTO_IP; + + if (getsockopt(fd, ipproto, IP_OPTIONS, optbuf, &optsize) == 0 + && optsize != 0) { + + /* + * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination + * address to the result IP options list when source routing options + * are present (see ), but produces no output for + * other IP options. Solaris 2.x getsockopt() does produce output for + * non-routing IP options, and uses the same format as BSD even when + * the space for the destination address is unused. The code below + * does the right thing with 4.[34]BSD derivatives and Solaris 2, but + * may occasionally miss source routing options on incompatible + * systems such as Linux. Their choice. + * + * Look for source routing options. Drop the connection when one is + * found. Just wiping the IP options is insufficient: we would still + * help the attacker by providing a real TCP sequence number, and the + * attacker would still be able to send packets (blind spoofing). I + * discussed this attack with Niels Provos, half a year before the + * attack was described in open mailing lists. + * + * It would be cleaner to just return a yes/no reply and let the caller + * decide how to deal with it. Resident servers should not terminate. + * However I am not prepared to make changes to internal interfaces + * on short notice. + */ +#define ADDR_LEN sizeof(dummy.s_addr) + + for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { + opt = cp[IPOPT_OPTVAL]; + if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { + syslog(LOG_WARNING, + "refused connect from %s with IP source routing options", + eval_client(request)); + shutdown(fd, 2); + return; + } + if (opt == IPOPT_EOL) + break; + if (opt == IPOPT_NOP) { + optlen = 1; + } else if (&cp[IPOPT_OLEN] < optbuf + optsize) { + optlen = cp[IPOPT_OLEN]; + if (optlen < 2 || cp + optlen >= optbuf + optsize) { + syslog(LOG_WARNING, + "refused connect from %s with malformed IP options", + eval_client(request)); + shutdown(fd, 2); + return; + } + } else { + syslog(LOG_WARNING, + "refused connect from %s with malformed IP options", + eval_client(request)); + shutdown(fd, 2); + return; + } + } + lp = lbuf; + for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) + len -= snprintf(lp, len, " %2.2x", *cp); + syslog(LOG_NOTICE, + "connect from %s with IP options (ignored):%s", + eval_client(request), lbuf); + if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { + syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); + shutdown(fd, 2); + } + } +#endif +} diff --git a/lib/libwrap/hosts_access.3 b/lib/libwrap/hosts_access.3 new file mode 100644 index 000000000..684a73776 --- /dev/null +++ b/lib/libwrap/hosts_access.3 @@ -0,0 +1,96 @@ +.\" $NetBSD: hosts_access.3,v 1.7 2002/10/01 19:38:46 wiz Exp $ +.\" +.TH HOSTS_ACCESS 3 +.SH NAME +hosts_access, hosts_ctl, request_init, request_set \- access control library +.SH SYNOPSIS +.nf +#include "tcpd.h" + +extern int allow_severity; +extern int deny_severity; + +struct request_info *request_init(request, key, value, ..., 0) +struct request_info *request; + +struct request_info *request_set(request, key, value, ..., 0) +struct request_info *request; + +int hosts_access(request) +struct request_info *request; + +int hosts_ctl(daemon, client_name, client_addr, client_user) +char *daemon; +char *client_name; +char *client_addr; +char *client_user; +.fi +.SH DESCRIPTION +The routines described in this document are part +of the \fIlibwrap.a\fR library. +They implement a rule-based access control language with +optional shell commands that are executed when a rule fires. +.PP +request_init() initializes a structure with +information about a client request. +request_set() updates an already initialized request structure. +Both functions take a variable-length list of key-value +pairs and return their first argument. +The argument lists are terminated with a zero key value. +All string-valued arguments are copied. +The expected keys (and corresponding value types) are: +.IP "RQ_FILE (int)" +The file descriptor associated with the request. +.IP "RQ_CLIENT_NAME (char *)" +The client host name. +.IP "RQ_CLIENT_ADDR (char *)" +A printable representation of the client network address. +.IP "RQ_CLIENT_SIN (struct sockaddr_in *)" +An internal representation of the client network address and port. +The contents of the structure are not copied. +.IP "RQ_SERVER_NAME (char *)" +The hostname associated with the server endpoint address. +.IP "RQ_SERVER_ADDR (char *)" +A printable representation of the server endpoint address. +.IP "RQ_SERVER_SIN (struct sockaddr_in *)" +An internal representation of the server endpoint address and port. +The contents of the structure are not copied. +.IP "RQ_DAEMON (char *)" +The name of the daemon process running on the server host. +.IP "RQ_USER (char *)" +The name of the user on whose behalf the client host makes the request. +.PP +hosts_access() consults the access control tables described in the +\fIhosts_access(5)\fR manual page. +When internal endpoint information is available, host names +and client user names are looked up on demand, +using the request structure as a cache. +hosts_access() returns zero if access should be denied. +.PP +hosts_ctl() is a wrapper around the request_init() and hosts_access() +routines with a perhaps more convenient interface (though it does not +pass on enough information to support automated client username lookups). +The client host address, client host name and username +arguments should contain valid data or STRING_UNKNOWN. +hosts_ctl() returns zero if access should be denied. +.PP +The \fIallow_severity\fR and \fIdeny_severity\fR variables determine +how accepted and rejected requests may be logged. +They must be provided by the caller and may be modified +by rules in the access control tables. +.SH DIAGNOSTICS +Problems are reported via the syslog daemon. +.SH SEE ALSO +hosts_access(5), format of the access control tables. +hosts_options(5), optional extensions to the base language. +.SH FILES +/etc/hosts.allow, /etc/hosts.deny, access control tables. +.SH AUTHOR +.na +.nf +Wietse Venema (wietse@wzv.win.tue.nl) +Department of Mathematics and Computing Science +Eindhoven University of Technology +Den Dolech 2, P.O. Box 513, +5600 MB Eindhoven, The Netherlands +\" @(#) hosts_access.3 1.8 96/02/11 17:01:26 diff --git a/lib/libwrap/hosts_access.5 b/lib/libwrap/hosts_access.5 new file mode 100644 index 000000000..97ce5f2b9 --- /dev/null +++ b/lib/libwrap/hosts_access.5 @@ -0,0 +1,424 @@ +.TH HOSTS_ACCESS 5 +.SH NAME +hosts_access, +hosts.allow, +hosts.deny \- format of host access control files +.SH DESCRIPTION +This manual page describes a simple access control language that is +based on client (host name/address, user name), and server (process +name, host name/address) patterns. +Examples are given at the end. +The impatient reader is encouraged to skip to the EXAMPLES section for a +quick introduction. +.PP +Note that in a `stock' installation of the tcp_wrappers package, a +program called \fItcpd\fR is called from \fI/etc/inetd.conf\fR, and +this program performs the wrapper checks and then executes the daemon. +In NetBSD \fIinetd\fR(8) has been modified to perform this check +internally, and so tcpd is neither used nor supplied. +.PP +Also note that libwrap under NetBSD uses the extensions to the access +control language as described in the \fIhosts_options\fR(5). +.PP +In the following text, \fIdaemon\fR is the process name of a +network daemon process, and \fIclient\fR is the name and/or address of +a host requesting service. +Network daemon process names are specified in the inetd configuration file. +.SH "ACCESS CONTROL FILES" +The access control software consults two files. +The search stops at the first match: +.IP \(bu +Access will be granted when a (daemon,client) pair matches an entry in +the \fI/etc/hosts.allow\fR file. +.IP \(bu +Otherwise, access will be denied when a (daemon,client) pair matches an +entry in the \fI/etc/hosts.deny\fR file. +.IP \(bu +Otherwise, access will be granted. +.PP +A non-existing access control file is treated as if it were an empty +file. +Thus, access control can be turned off by providing no access +control files. +.SH "ACCESS CONTROL RULES" +Each access control file consists of zero or more lines of text. +These lines are processed in order of appearance. +The search terminates when a match is found. +.IP \(bu +A newline character is ignored when it is preceded by a backslash character. +This permits you to break up long lines so that they are easier to edit. +\fBWARNING:\fP The total length of an entry can be no +more than 2047 characters long including the final newline. +.IP \(bu +Blank lines or lines that begin with a `#\' character are ignored. +This permits you to insert comments and whitespace so that the tables +are easier to read. +.IP \(bu +All other lines should satisfy the following format, things between [] +being optional: +.sp +.ti +3 +daemon_list : client_list : option : option ... +.PP +\fIdaemon_list\fR is a list of one or more daemon process names +(argv[0] values) or wildcards (see below). +.PP +\fIclient_list\fR is a list +of one or more host names, host addresses, patterns or wildcards (see +below) that will be matched against the client host name or address. +When a client_list item needs to include colon character (for IPv6 addresses), +the item needs to be wrapped with square bracket. +.PP +The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are +explained in the sections on server endpoint patterns and on client +username lookups, respectively. +.PP +List elements should be separated by blanks and/or commas. +.PP +With the exception of NIS (YP) netgroup lookups, all access control +checks are case insensitive. +.ne 4 +.SH PATTERNS +The access control language implements the following patterns: +.IP \(bu +A string that begins with a `.\' character. +A host name is matched if +the last components of its name match the specified pattern. +For example, the pattern `.tue.nl\' matches the host name +`wzv.win.tue.nl\'. +.IP \(bu +A string that ends with a `.\' character. +A host address is matched if +its first numeric fields match the given string. +For example, the +pattern `131.155.\' matches the address of (almost) every host on the +Eind\%hoven University network (131.155.x.x). +.IP \(bu +A string that begins with an `@\' character is treated as an NIS +(formerly YP) netgroup name. +A host name is matched if it is a host member of the specified netgroup. +Netgroup matches are not supported +for daemon process names or for client user names. +.IP \(bu +An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a +`net/mask\' pair. +A host address is matched if `net\' is equal to the +bitwise AND of the address and the `mask\'. +For example, the net/mask +pattern `131.155.72.0/255.255.254.0\' matches every address in the +range `131.155.72.0\' through `131.155.73.255\'. +Note that `m.m.m.m\' portion must always be specified. +.IP \(bu +An expression of the form `ipv6-addr/ipv6-mask\' is interpreted as +masked IPv6 address match, just like masked IPv4 address match (see above). +Note that `ipv6-mask\' portion must always be specified. +.IP \(bu +An expression of the form `ipv6-addr/prefixlen\' is interpreted as +masked IPv6 address match (with mask specified by numeric prefixlen), +just like masked IPv4 address match (see above). +Note that `prefixlen\' portion must always be specified. +.IP \(bu +A string that begins with a `/\' character is treated as a file +name. A host name or address is matched if it matches any host name +or address pattern listed in the named file. The file format is +zero or more lines with zero or more host name or address patterns +separated by whitespace. A file name pattern can be used anywhere +a host name or address pattern can be used. +.SH WILDCARDS +The access control language supports explicit wildcards: +.IP ALL +The universal wildcard, always matches. +.IP LOCAL +Matches any host whose name does not contain a dot character. +.IP UNKNOWN +Matches any user whose name is unknown, and matches any host whose name +\fIor\fR address are unknown. +This pattern should be used with care: +host names may be unavailable due to temporary name server problems. +A network address will be unavailable when the software cannot figure out +what type of network it is talking to. +.IP KNOWN +Matches any user whose name is known, and matches any host whose name +\fIand\fR address are known. +This pattern should be used with care: +host names may be unavailable due to temporary name server problems. +A network address will be unavailable when the software cannot figure out +what type of network it is talking to. +.IP PARANOID +Matches any host whose name does not match its address. +Note that unlike the default mode of \fItcpd\fR, NetBSD \fIinetd\fR +does not automatically drop these requests; you must explicitly +drop them in your \fI/etc/hosts.allow\fR or \fI/etc/hosts.deny\fR file. +.IP "{RBL}.\fIdomain\fR" +Matches any host whose reversed address appears in the DNS under +\fIdomain\fR. +The primary such domain used for blocking unsolicited +commercial e-mail (spam) is `.rbl.maps.vix.com\'. +.ne 6 +.SH OPERATORS +.IP EXCEPT +Intended use is of the form: `list_1 EXCEPT list_2\'; this construct +matches anything that matches \fIlist_1\fR unless it matches +\fIlist_2\fR. +The EXCEPT operator can be used in daemon_lists and in client_lists. +The EXCEPT operator can be nested: if the control +language would permit the use of parentheses, `a EXCEPT b EXCEPT c\' +would parse as `(a EXCEPT (b EXCEPT c))\'. +.br +.ne 6 +.SH % EXPANSIONS +The following expansions are available within some options: +.IP "%a (%A)" +The client (server) host address. +.IP %c +Client information: user@host, user@address, a host name, or just an +address, depending on how much information is available. +.IP %d +The daemon process name (argv[0] value). +.IP "%h (%H)" +The client (server) host name or address, if the host name is +unavailable. +.IP "%n (%N)" +The client (server) host name (or "unknown" or "paranoid"). +.IP %p +The daemon process id. +.IP %s +Server information: daemon@host, daemon@address, or just a daemon name, +depending on how much information is available. +.IP %u +The client user name (or "unknown"). +.IP %% +Expands to a single `%\' character. +.PP +Characters in % expansions that may confuse the shell are replaced by +underscores. +.SH "SERVER ENDPOINT PATTERNS" +In order to distinguish clients by the network address that they +connect to, use patterns of the form: +.sp +.ti +3 +process_name@host_pattern : client_list ... +.sp +Patterns like these can be used when the machine has different internet +addresses with different internet hostnames. +Service providers can use +this facility to offer FTP, GOPHER or WWW archives with internet names +that may even belong to different organizations. +See also the `twist' option in the hosts_options(5) document. +Some systems (Solaris, FreeBSD, NetBSD) can have more than one +internet address on one physical interface; with other systems +you may have to resort to SLIP or PPP pseudo interfaces that +live in a dedicated network address space. +.sp +The host_pattern obeys the same syntax rules as host names and +addresses in client_list context. +Usually, server endpoint information +is available only with connection-oriented services. +.SH "CLIENT USERNAME LOOKUP" +When the client host supports the RFC 931 protocol or one of its +descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve +additional information about the owner of a connection. +Client username information, when available, +is logged together with the client host +name, and can be used to match patterns like: +.PP +.ti +3 +daemon_list : ... user_pattern@host_pattern ... +.PP +The daemon wrappers can be configured at compile time to perform +rule-driven username lookups (default) or to always interrogate the +client host. +In the case of rule-driven username lookups, the above +rule would cause username lookup only when both the \fIdaemon_list\fR +and the \fIhost_pattern\fR match. +.PP +A user pattern has the same syntax as a daemon process pattern, so the +same wildcards apply (netgroup membership is not supported). +One should not get carried away with username lookups, though. +.IP \(bu +The client username information cannot be trusted when it is needed +most, i.e. when the client system has been compromised. +In general, +ALL and (UN)KNOWN are the only user name patterns that make sense. +.IP \(bu +Username lookups are possible only with TCP-based services, and only +when the client host runs a suitable daemon; in all other cases the +result is "unknown". +.IP \(bu +A well-known UNIX kernel bug may cause loss of service when username +lookups are blocked by a firewall. +The wrapper README document +describes a procedure to find out if your kernel has this bug. +.IP \(bu +Username lookups may cause noticeable delays for non-UNIX users. +The default timeout for username lookups is 10 seconds: too short to cope +with slow networks, but long enough to irritate PC users. +.PP +Selective username lookups can alleviate the last problem. +For example, a rule like: +.PP +.ti +3 +daemon_list : @pcnetgroup ALL@ALL +.PP +would match members of the pc netgroup without doing username lookups, +but would perform username lookups with all other systems. +.SH "DETECTING ADDRESS SPOOFING ATTACKS" +A flaw in the sequence number generator of many TCP/IP implementations +allows intruders to easily impersonate trusted hosts and to break in +via, for example, the remote shell service. +The IDENT (RFC 931 etc.) service can be used to detect such and +other host address spoofing attacks. +.PP +Before accepting a client request, the wrappers can use the IDENT +service to find out that the client did not send the request at all. +When the client host provides IDENT service, a negative IDENT lookup +result (the client matches `UNKNOWN@host') is strong evidence of a host +spoofing attack. +.PP +A positive IDENT lookup result (the client matches `KNOWN@host') is +less trustworthy. +It is possible for an intruder to spoof both the +client connection and the IDENT lookup, although doing so is much +harder than spoofing just a client connection. +It may also be that the client\'s IDENT server is lying. +.PP +Note: IDENT lookups don\'t work with UDP services. +.SH EXAMPLES +The language is flexible enough that different types of access control +policy can be expressed with a minimum of fuss. +Although the language +uses two access control tables, the most common policies can be +implemented with one of the tables being trivial or even empty. +.PP +When reading the examples below it is important to realize that the +allow table is scanned before the deny table, that the search +terminates when a match is found, and that access is granted when no +match is found at all. +.PP +The examples use host and domain names. +They can be improved by +including address and/or network/netmask information, to reduce the +impact of temporary name server lookup failures. +.SH "MOSTLY CLOSED" +In this case, access is denied by default. +Only explicitly authorized hosts are permitted access. +.PP +The default policy (no access) is implemented with a trivial deny file: +.PP +.ne 2 +/etc/hosts.deny: +.in +3 +ALL: ALL +.PP +This denies all service to all hosts, unless they are permitted access +by entries in the allow file. +.PP +The explicitly authorized hosts are listed in the allow file. +For example: +.PP +.ne 2 +/etc/hosts.allow: +.in +3 +ALL: LOCAL @some_netgroup +.br +ALL: .foobar.edu EXCEPT terminalserver.foobar.edu +.PP +The first rule permits access from hosts in the local domain (no `.\' +in the host name) and from members of the \fIsome_netgroup\fP netgroup. +The second rule permits access from all hosts in the +\fIfoobar.edu\fP domain (notice the leading dot), with the exception of +\fIterminalserver.foobar.edu\fP. +.SH "MOSTLY OPEN" +Here, access is granted by default; only explicitly specified hosts are +refused service. +.PP +The default policy (access granted) makes the allow file redundant so +that it can be omitted. +The explicitly non-authorized hosts are listed in the deny file. +For example: +.PP +/etc/hosts.deny: +.in +3 +ALL: some.host.name, .some.domain +.br +ALL EXCEPT in.fingerd: other.host.name, .other.domain +.PP +The first rule denies some hosts and domains all services; the second +rule still permits finger requests from other hosts and domains. +.SH "BOOBY TRAPS" +The next example permits tftp requests from hosts in the local domain +(notice the leading dot). +Requests from any other hosts are denied. +Instead of the requested file, a finger probe is sent to the offending host. +The result is mailed to the superuser. +.PP +.ne 2 +/etc/hosts.allow: +.in +3 +.nf +in.tftpd: LOCAL, .my.domain +.PP +.ne 2 +/etc/hosts.deny: +.in +3 +.nf +in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \\ + /usr/ucb/mail -s %d-%h root) \*[Am] +.fi +.PP +(The safe_finger command can be gotten from the tcp_wrappers package and +installed in a suitable place. +It limits possible damage from data sent by the remote finger server. +It gives better protection than the standard finger command.) +.PP +The expansion of the %h (client host) and %d (service name) sequences +is described in the section on shell commands. +.PP +Warning: do not booby-trap your finger daemon, unless you are prepared +for infinite finger loops. +.PP +On network firewall systems this trick can be carried even further. +The typical network firewall only provides a limited set of services to +the outer world. +All other services can be "bugged" just like the above tftp example. +The result is an excellent early-warning system. +.br +.ne 4 +.SH DIAGNOSTICS +An error is reported when a syntax error is found in a host access +control rule; when the length of an access control rule exceeds the +capacity of an internal buffer; when an access control rule is not +terminated by a newline character; when the result of %\*[Lt]letter\*[Gt] +expansion would overflow an internal buffer; when a system call fails +that shouldn\'t. +All problems are reported via the syslog daemon. +.SH FILES +.na +.nf +/etc/hosts.allow, (daemon,client) pairs that are granted access. +/etc/hosts.deny, (daemon,client) pairs that are denied access. +.ad +.fi +.SH "SEE ALSO" +.nf +hosts_options(5), hosts_access(3) +tcpdchk(8), tcpdmatch(8), test programs. +.SH BUGS +If a name server lookup times out, the host name will not be available +to the access control software, even though the host is registered. +.PP +Domain name server lookups are case insensitive; NIS (formerly YP) +netgroup lookups are case sensitive. +.PP +The total length of an entry can be no more than 2047 characters long, +including the final newline. +.SH AUTHOR +.na +.nf +Wietse Venema (wietse@wzv.win.tue.nl) +Department of Mathematics and Computing Science +Eindhoven University of Technology +Den Dolech 2, P.O. Box 513, +5600 MB Eindhoven, The Netherlands +.\" @(#) hosts_access.5 1.20 95/01/30 19:51:46 +.\" $NetBSD: hosts_access.5,v 1.16 2008/12/18 20:16:52 christos Exp $ diff --git a/lib/libwrap/hosts_access.c b/lib/libwrap/hosts_access.c new file mode 100644 index 000000000..441b7f16c --- /dev/null +++ b/lib/libwrap/hosts_access.c @@ -0,0 +1,569 @@ +/* $NetBSD: hosts_access.c,v 1.20 2012/03/21 10:10:37 matt Exp $ */ + + /* + * This module implements a simple access control language that is based on + * host (or domain) names, NIS (host) netgroup names, IP addresses (or + * network numbers) and daemon process names. When a match is found the + * search is terminated, and depending on whether PROCESS_OPTIONS is defined, + * a list of options is executed or an optional shell command is executed. + * + * Host and user names are looked up on demand, provided that suitable endpoint + * information is available as sockaddr_in structures or TLI netbufs. As a + * side effect, the pattern matching process may change the contents of + * request structure fields. + * + * Diagnostics are reported through syslog(3). + * + * Compile with -DNETGROUP if your library provides support for netgroups. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22"; +#else +__RCSID("$NetBSD: hosts_access.c,v 1.20 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#ifdef INET6 +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef NETGROUP +#include +#include +#endif + +/* Local stuff. */ + +#include "tcpd.h" + +/* Error handling. */ + +extern jmp_buf tcpd_buf; + +/* Delimiters for lists of daemons or clients. */ + +static char sep[] = ", \t\r\n"; + +/* Constants to be used in assignments only, not in comparisons... */ + +#define YES 1 +#define NO 0 + + /* + * These variables are globally visible so that they can be redirected in + * verification mode. + */ + +const char *hosts_allow_table = HOSTS_ALLOW; +const char *hosts_deny_table = HOSTS_DENY; +int hosts_access_verbose = 0; + + /* + * In a long-running process, we are not at liberty to just go away. + */ + +int resident = (-1); /* -1, 0: unknown; +1: yes */ + +/* Forward declarations. */ + +static int table_match(const char *, struct request_info *); +static int list_match(char *, struct request_info *, + int (*)(char *, struct request_info *)); +static int server_match(char *, struct request_info *); +static int client_match(char *, struct request_info *); +static int host_match(char *, struct host_info *); +static int hostfile_match(char *, struct host_info *); +static int rbl_match(char *, char *); +static int string_match(char *, char *); +static int masked_match(char *, char *, char *); +static int masked_match4(char *, char *, char *); +#ifdef INET6 +static int masked_match6(char *, char *, char *); +#endif + +/* Size of logical line buffer. */ + +#define BUFLEN 2048 + +/* hosts_access - host access control facility */ + +int +hosts_access(struct request_info *request) +{ + int verdict; + + /* + * If the (daemon, client) pair is matched by an entry in the file + * /etc/hosts.allow, access is granted. Otherwise, if the (daemon, + * client) pair is matched by an entry in the file /etc/hosts.deny, + * access is denied. Otherwise, access is granted. A non-existent + * access-control file is treated as an empty file. + * + * After a rule has been matched, the optional language extensions may + * decide to grant or refuse service anyway. Or, while a rule is being + * processed, a serious error is found, and it seems better to play safe + * and deny service. All this is done by jumping back into the + * hosts_access() routine, bypassing the regular return from the + * table_match() function calls below. + */ + + if (resident <= 0) + resident++; + verdict = setjmp(tcpd_buf); + if (verdict != 0) + return (verdict == AC_PERMIT); + if (table_match(hosts_allow_table, request)) + return (YES); + if (table_match(hosts_deny_table, request)) + return (NO); + return (YES); +} + +/* table_match - match table entries with (daemon, client) pair */ + +static int +table_match(const char *table, struct request_info *request) +{ + FILE *fp; + char sv_list[BUFLEN]; /* becomes list of daemons */ + char *cl_list; /* becomes list of clients */ + char *sh_cmd = NULL; /* becomes optional shell command */ + int match = NO; + struct tcpd_context saved_context; + + saved_context = tcpd_context; /* stupid compilers */ + + /* + * Between the fopen() and fclose() calls, avoid jumps that may cause + * file descriptor leaks. + */ + + if ((fp = fopen(table, "r")) != 0) { + tcpd_context.file = table; + tcpd_context.line = 0; + while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) { + if (sv_list[strlen(sv_list) - 1] != '\n') { + tcpd_warn("missing newline or line too long"); + continue; + } + if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0) + continue; + if ((cl_list = split_at(sv_list, ':')) == 0) { + tcpd_warn("missing \":\" separator"); + continue; + } + sh_cmd = split_at(cl_list, ':'); + match = list_match(sv_list, request, server_match) + && list_match(cl_list, request, client_match); + } + (void) fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("cannot open %s: %m", table); + } + if (match) { + if (hosts_access_verbose > 1) + syslog(LOG_DEBUG, "matched: %s line %d", + tcpd_context.file, tcpd_context.line); + if (sh_cmd) { +#ifdef PROCESS_OPTIONS + process_options(sh_cmd, request); +#else + char cmd[BUFSIZ]; + shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request)); +#endif + } + } + tcpd_context = saved_context; + return (match); +} + +/* list_match - match a request against a list of patterns with exceptions */ + +static int +list_match(char *list, struct request_info *request, + int (*match_fn)(char *, struct request_info *)) +{ + char *tok; + static char *last; + int l; + + /* + * Process tokens one at a time. We have exhausted all possible matches + * when we reach an "EXCEPT" token or the end of the list. If we do find + * a match, look for an "EXCEPT" list and recurse to determine whether + * the match is affected by any exceptions. + */ + + for (tok = strtok_r(list, sep, &last); tok != 0; + tok = strtok_r(NULL, sep, &last)) { + if (STR_EQ(tok, "EXCEPT")) /* EXCEPT: give up */ + return (NO); + l = strlen(tok); + if (*tok == '[' && tok[l - 1] == ']') { + tok[l - 1] = '\0'; + tok++; + } + if (match_fn(tok, request)) { /* YES: look for exceptions */ + while ((tok = strtok_r(NULL, sep, &last)) && STR_NE(tok, "EXCEPT")) + /* VOID */ ; + return (tok == 0 || list_match(NULL, request, match_fn) == 0); + } + } + return (NO); +} + +/* server_match - match server information */ + +static int +server_match(char *tok, struct request_info *request) +{ + char *host; + + if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */ + return (string_match(tok, eval_daemon(request))); + } else { /* daemon@host */ + return (string_match(tok, eval_daemon(request)) + && host_match(host, request->server)); + } +} + +/* client_match - match client information */ + +static int +client_match(char *tok, struct request_info *request) +{ + char *host; + + if ((host = split_at(tok + 1, '@')) == 0) { /* plain host */ + return (host_match(tok, request->client)); + } else { /* user@host */ + return (host_match(host, request->client) + && string_match(tok, eval_user(request))); + } +} + +/* host_match - match host name and/or address against pattern */ + +static int +host_match(char *tok, struct host_info *host) +{ + char *mask; + + /* + * This code looks a little hairy because we want to avoid unnecessary + * hostname lookups. + * + * The KNOWN pattern requires that both address AND name be known; some + * patterns are specific to host names or to host addresses; all other + * patterns are satisfied when either the address OR the name match. + */ + + if (tok[0] == '@') { /* netgroup: look it up */ +#ifdef NETGROUP + static char *mydomain = 0; + if (mydomain == 0) + yp_get_default_domain(&mydomain); + return (innetgr(tok + 1, eval_hostname(host), NULL, mydomain)); +#else + tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ + return (NO); +#endif + } else if (tok[0] == '/') { /* /file hack */ + return (hostfile_match(tok, host)); + } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ + char *name = eval_hostname(host); + return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); + } else if (STR_EQ(tok, "LOCAL")) { /* local: no dots in name */ + char *name = eval_hostname(host); + return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name)); + } else if (strncmp(tok, "{RBL}.", 6) == 0) { /* RBL lookup in domain */ + return rbl_match(tok+6, eval_hostaddr(host)); + } else if ((mask = split_at(tok, '/')) != 0) { /* net/mask */ + return (masked_match(tok, mask, eval_hostaddr(host))); + } else { /* anything else */ + return (string_match(tok, eval_hostaddr(host)) + || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host)))); + } +} + +/* hostfile_match - look up host patterns from file */ + +static int +hostfile_match(char *path, struct host_info *host) +{ + char tok[BUFSIZ]; + int match = NO; + FILE *fp; + + if ((fp = fopen(path, "r")) != 0) { + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) + /* void */ ; + fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("open %s: %m", path); + } + return (match); +} + +/* rbl_match() - match host by looking up in RBL domain */ + +static int +rbl_match( + char *rbl_domain, /* RBL domain */ + char *rbl_hostaddr) /* hostaddr */ +{ + char *rbl_name; + unsigned long host_address; + int ret = NO; + size_t len = strlen(rbl_domain) + (4 * 4) + 2; + + if (dot_quad_addr(rbl_hostaddr, &host_address) != 0) { + tcpd_warn("unable to convert %s to address", rbl_hostaddr); + return (NO); + } + host_address = ntohl(host_address); + /* construct the rbl name to look up */ + if ((rbl_name = malloc(len)) == NULL) { + tcpd_jump("not enough memory to build RBL name for %s in %s", rbl_hostaddr, rbl_domain); + /* NOTREACHED */ + } + snprintf(rbl_name, len, "%u.%u.%u.%u.%s", + (unsigned int) ((host_address) & 0xff), + (unsigned int) ((host_address >> 8) & 0xff), + (unsigned int) ((host_address >> 16) & 0xff), + (unsigned int) ((host_address >> 24) & 0xff), + rbl_domain); + /* look it up */ + if (gethostbyname(rbl_name) != NULL) { + /* successful lookup - they're on the RBL list */ + ret = YES; + } + free(rbl_name); + + return ret; +} + +/* string_match - match string against pattern */ + +static int +string_match(char *tok, char *string) +{ + int n; + + if (tok[0] == '.') { /* suffix */ + n = strlen(string) - strlen(tok); + return (n > 0 && STR_EQ(tok, string + n)); + } else if (STR_EQ(tok, "ALL")) { /* all: match any */ + return (YES); + } else if (STR_EQ(tok, "KNOWN")) { /* not unknown */ + return (STR_NE(string, unknown)); + } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ + return (STRN_EQ(tok, string, n)); + } else { /* exact match */ + return (STR_EQ(tok, string)); + } +} + +/* masked_match - match address against netnumber/netmask */ + +static int +masked_match(char *net_tok, char *mask_tok, char *string) +{ +#ifndef INET6 + return masked_match4(net_tok, mask_tok, string); +#else + /* + * masked_match4() is kept just for supporting shortened IPv4 address form. + * If we could get rid of shortened IPv4 form, we could just always use + * masked_match6(). + */ + if (dot_quad_addr(net_tok, NULL) != -1 && + dot_quad_addr(mask_tok, NULL) != -1 && + dot_quad_addr(string, NULL) != -1) { + return masked_match4(net_tok, mask_tok, string); + } else + return masked_match6(net_tok, mask_tok, string); +#endif +} + +static int +masked_match4(char *net_tok, char *mask_tok, char *string) +{ + unsigned long net; + unsigned long mask; + unsigned long addr; + + /* + * Disallow forms other than dotted quad: the treatment that inet_addr() + * gives to forms with less than four components is inconsistent with the + * access control language. John P. Rouillard . + */ + + if (dot_quad_addr(string, &addr) != 0) + return (NO); + if (dot_quad_addr(net_tok, &net) != 0 || + dot_quad_addr(mask_tok, &mask) != 0) { + tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); + return (NO); /* not tcpd_jump() */ + } + + if ((net & ~mask) != 0) + tcpd_warn("host bits not all zero in %s/%s", net_tok, mask_tok); + + return ((addr & mask) == net); +} + +#ifdef INET6 +static int +masked_match6(char *net_tok, char *mask_tok, char *string) +{ + union { + struct sockaddr sa; + struct sockaddr_in sin; + struct sockaddr_in6 sin6; + } net, mask, addr; + struct addrinfo hints, *res; + unsigned long masklen; + char *ep; + size_t i; + char *np, *mp, *ap; + size_t alen; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo(net_tok, "0", &hints, &res) == 0) { + if (res->ai_addrlen > sizeof(net) || res->ai_next) { + freeaddrinfo(res); + return NO; + } + memcpy(&net, res->ai_addr, res->ai_addrlen); + freeaddrinfo(res); + } else + return NO; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = net.sa.sa_family; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + ep = NULL; + if (getaddrinfo(mask_tok, "0", &hints, &res) == 0) { + if (res->ai_family == AF_INET6 && + ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { + freeaddrinfo(res); + return NO; + } + if (res->ai_addrlen > sizeof(mask) || res->ai_next) { + freeaddrinfo(res); + return NO; + } + memcpy(&mask, res->ai_addr, res->ai_addrlen); + freeaddrinfo(res); + } else { + ep = NULL; + masklen = strtoul(mask_tok, &ep, 10); + if (ep && !*ep) { + memset(&mask, 0, sizeof(mask)); + mask.sa.sa_family = net.sa.sa_family; + mask.sa.sa_len = net.sa.sa_len; + switch (mask.sa.sa_family) { + case AF_INET: + mp = (char *)&mask.sin.sin_addr; + alen = sizeof(mask.sin.sin_addr); + break; + case AF_INET6: + mp = (char *)&mask.sin6.sin6_addr; + alen = sizeof(mask.sin6.sin6_addr); + break; + default: + return NO; + } + if (masklen / 8 > alen) + return NO; + memset(mp, 0xff, masklen / 8); + if (masklen % 8) + mp[masklen / 8] = 0xff00 >> (masklen % 8); + } else + return NO; + } + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo(string, "0", &hints, &res) == 0) { + if (res->ai_addrlen > sizeof(addr) || res->ai_next) { + freeaddrinfo(res); + return NO; + } + /* special case - IPv4 mapped address */ + if (net.sa.sa_family == AF_INET && res->ai_family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { + memset(&addr, 0, sizeof(addr)); + addr.sa.sa_family = net.sa.sa_family; + addr.sa.sa_len = net.sa.sa_len; + memcpy(&addr.sin.sin_addr, + &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr[12], + sizeof(addr.sin.sin_addr)); + } else + memcpy(&addr, res->ai_addr, res->ai_addrlen); + freeaddrinfo(res); + } else + return NO; + + if (net.sa.sa_family != mask.sa.sa_family || + net.sa.sa_family != addr.sa.sa_family) { + return NO; + } + + switch (net.sa.sa_family) { + case AF_INET: + np = (char *)&net.sin.sin_addr; + mp = (char *)&mask.sin.sin_addr; + ap = (char *)&addr.sin.sin_addr; + alen = sizeof(net.sin.sin_addr); + break; + case AF_INET6: + np = (char *)&net.sin6.sin6_addr; + mp = (char *)&mask.sin6.sin6_addr; + ap = (char *)&addr.sin6.sin6_addr; + alen = sizeof(net.sin6.sin6_addr); + break; + default: + return NO; + } + + for (i = 0; i < alen; i++) + if (np[i] & ~mp[i]) { + tcpd_warn("host bits not all zero in %s/%s", net_tok, mask_tok); + break; + } + + for (i = 0; i < alen; i++) + ap[i] &= mp[i]; + + if (addr.sa.sa_family == AF_INET6 && addr.sin6.sin6_scope_id && + addr.sin6.sin6_scope_id != net.sin6.sin6_scope_id) + return NO; + return (memcmp(ap, np, alen) == 0); +} +#endif diff --git a/lib/libwrap/hosts_ctl.c b/lib/libwrap/hosts_ctl.c new file mode 100644 index 000000000..0bc10208d --- /dev/null +++ b/lib/libwrap/hosts_ctl.c @@ -0,0 +1,42 @@ +/* $NetBSD: hosts_ctl.c,v 1.5 2012/03/21 10:10:37 matt Exp $ */ + + /* + * hosts_ctl() combines common applications of the host access control + * library routines. It bundles its arguments then calls the hosts_access() + * access control checker. The host name and user name arguments should be + * empty strings, STRING_UNKNOWN or real data. If a match is found, the + * optional shell command is executed. + * + * Restriction: this interface does not pass enough information to support + * selective remote username lookups or selective hostname double checks. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) hosts_ctl.c 1.4 94/12/28 17:42:27"; +#else +__RCSID("$NetBSD: hosts_ctl.c,v 1.5 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +#include + +#include "tcpd.h" + +/* hosts_ctl - limited interface to the hosts_access() routine */ + +int +hosts_ctl(char *daemon, char *name, char *addr, char *user) +{ + struct request_info request; + + return (hosts_access(request_init(&request, + RQ_DAEMON, daemon, + RQ_CLIENT_NAME, name, + RQ_CLIENT_ADDR, addr, + RQ_USER, user, + 0))); +} diff --git a/lib/libwrap/hosts_options.5 b/lib/libwrap/hosts_options.5 new file mode 100644 index 000000000..f8fb3bd6c --- /dev/null +++ b/lib/libwrap/hosts_options.5 @@ -0,0 +1,189 @@ +.\" $NetBSD: hosts_options.5,v 1.8 2002/10/01 19:38:46 wiz Exp $ +.\" +.TH HOSTS_OPTIONS 5 +.SH NAME +hosts_options \- host access control language extensions +.SH DESCRIPTION +This document describes optional extensions to the language described +in the hosts_access(5) document. +The extensions are enabled at program build time. +For example, by editing the Makefile and turning on the +PROCESS_OPTIONS compile-time option. +.PP +The extensible language uses the following format: +.sp +.ti +3 +daemon_list : client_list : option : option ... +.PP +The first two fields are described in the hosts_access(5) manual page. +The remainder of the rules is a list of zero or more options. +Any ":" characters within options should be protected with a backslash. +.PP +An option is of the form "keyword" or "keyword value". +Options are processed in the specified order. +Some options are subjected to +%\*[Lt]letter\*[Gt] substitutions. +For the sake of backwards compatibility with +earlier versions, an "=" is permitted between keyword and value. +.SH LOGGING +.IP "severity mail.info" +.IP "severity notice" +Change the severity level at which the event will be logged. +Facility names (such as mail) are optional, and are not supported on systems +with older syslog implementations. +The severity option can be used to emphasize or to ignore specific events. +.SH ACCESS CONTROL +.IP "allow" +.IP "deny" +Grant (deny) service. +These options must appear at the end of a rule. +.PP +The \fIallow\fR and \fIdeny\fR keywords make it possible to keep all +access control rules within a single file, for example in the +\fIhosts.allow\fR file. +.sp +To permit access from specific hosts only: +.sp +.ne 2 +.ti +3 +ALL: .friendly.domain: ALLOW +.ti +3 +ALL: ALL: DENY +.sp +To permit access from all hosts except a few trouble makers: +.sp +.ne 2 +.ti +3 +ALL: .bad.domain: DENY +.ti +3 +ALL: ALL: ALLOW +.sp +Notice the leading dot on the domain name patterns. +.SH RUNNING OTHER COMMANDS +.IP "spawn shell_command" +Execute, in a child process, the specified shell command, after +performing the %\*[Lt]letter\*[Gt] expansions described in the hosts_access(5) +manual page. +The command is executed with stdin, stdout and stderr +connected to the null device, so that it won\'t mess up the +conversation with the client host. +Example: +.sp +.nf +.ti +3 +spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) \*[Am] +.fi +.sp +executes, in a background child process, the shell command "safe_finger +-l @%h | mail root" after replacing %h by the name or address of the +remote host. +.sp +The example uses the "safe_finger" command instead of the regular +"finger" command, to limit possible damage from data sent by the finger server. +The "safe_finger" command is part of the daemon wrapper +package; it is a wrapper around the regular finger command that filters +the data sent by the remote host. +.IP "twist shell_command" +Replace the current process by an instance of the specified shell +command, after performing the %\*[Lt]letter\*[Gt] expansions described in the +hosts_access(5) manual page. +Stdin, stdout and stderr are connected to the client process. +This option must appear at the end of a rule. +.sp +To send a customized bounce message to the client instead of +running the real ftp daemon: +.sp +.nf +.ti +3 +in.ftpd : ... : twist /bin/echo 421 Some bounce message +.fi +.sp +For an alternative way to talk to client processes, see the +\fIbanners\fR option below. +.sp +To run /some/other/in.telnetd without polluting its command-line +array or its process environment: +.sp +.nf +.ti +3 +in.telnetd : ... : twist PATH=/some/other; exec in.telnetd +.fi +.sp +Warning: in case of UDP services, do not twist to commands that use +the standard I/O or the read(2)/write(2) routines to communicate with +the client process; UDP requires other I/O primitives. +.SH NETWORK OPTIONS +.IP "keepalive" +Causes the server to periodically send a message to the client. +The connection is considered broken when the client does not respond. +The keepalive option can be useful when users turn off their +machine while it is still connected to a server. +The keepalive option is not useful for datagram (UDP) services. +.IP "linger number_of_seconds" +Specifies how long the kernel will try to deliver not-yet delivered +data after the server process closes a connection. +.SH USERNAME LOOKUP +.IP "rfc931 [ timeout_in_seconds ]" +Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413) +protocol. +This option is silently ignored in case of services based on +transports other than TCP. +It requires that the client system runs an RFC 931 (IDENT, etc.) +-compliant daemon, and may cause noticeable +delays with connections from non-UNIX clients. +The timeout period is optional. +If no timeout is specified a compile-time defined default +value is taken. +.SH MISCELLANEOUS +.IP "banners /some/directory" +Look for a file in `/some/directory' with the same name as the daemon +process (for example in.telnetd for the telnet service), and copy its +contents to the client. +Newline characters are replaced by carriage-return newline, +and %\*[Lt]letter\*[Gt] sequences are expanded (see +the hosts_access(5) manual page). +.sp +The tcp wrappers source code distribution provides a sample makefile +(Banners.Makefile) for convenient banner maintenance. +.sp +Warning: banners are supported for connection-oriented (TCP) network +services only. +.IP "nice [ number ]" +Change the nice value of the process (default 10). +Specify a positive value to spend more CPU resources on other processes. +.IP "setenv name value" +Place a (name, value) pair into the process environment. +The value is subjected to %\*[Lt]letter\*[Gt] expansions and +may contain whitespace (but leading and trailing blanks are stripped off). +.sp +Warning: many network daemons reset their environment before spawning a +login or shell process. +.IP "umask 022" +Like the umask command that is built into the shell. +An umask of 022 prevents the creation of files with group +and world write permission. +The umask argument should be an octal number. +.IP "user nobody" +.IP "user nobody.kmem" +Assume the privileges of the "nobody" userid (or user "nobody", group +"kmem"). +The first form is useful with inetd implementations that run +all services with root privilege. +The second form is useful for services that need +special group privileges only. +.SH DIAGNOSTICS +When a syntax error is found in an access control rule, the error +is reported to the syslog daemon; further options will be ignored, +and service is denied. +.SH SEE ALSO +hosts_access(3) +hosts_access(5), the default access control language +.SH AUTHOR +.na +.nf +Wietse Venema (wietse@wzv.win.tue.nl) +Department of Mathematics and Computing Science +Eindhoven University of Technology +Den Dolech 2, P.O. Box 513, +5600 MB Eindhoven, The Netherlands +\" @(#) hosts_options.5 1.10 94/12/28 17:42:28 diff --git a/lib/libwrap/libwrap2netbsd b/lib/libwrap/libwrap2netbsd new file mode 100755 index 000000000..1364cbca8 --- /dev/null +++ b/lib/libwrap/libwrap2netbsd @@ -0,0 +1,56 @@ +#! /bin/sh +# +# $NetBSD: libwrap2netbsd,v 1.6 2008/05/29 14:51:25 mrg Exp $ +# +# Copyright (c) 1996 Matthew R. Green +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED +# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +# libwrap2netbsd: convert a libwrap tcp_wrappers source tree into a +# netbsd libwrap source tree, ready for importing. + +if [ $# -ne 2 ]; then echo "libwrap2netbsd src dest"; exit 1; fi + +r=$1 +d=$2/libwrap + + +echo preparing directory $d +rm -rf $d +mkdir -p $d + +# lame to have these files duplicated. but, what the hell. +echo copying tree from $r into $d +cd $r +src='hosts_access.c options.c shell_cmd.c rfc931.c eval.c hosts_ctl.c +refuse.c percent_x.c clean_exit.c fix_options.c socket.c workarounds.c +update.c misc.c diag.c' +man='hosts_access.3 hosts_access.5 hosts_options.5' +inc='tcpd.h mystdarg.h' +misc='DISCLAIMER' +pax -rvw $src $man $inc $misc $d + +cd $d + +echo done +exit 0 diff --git a/lib/libwrap/misc.c b/lib/libwrap/misc.c new file mode 100644 index 000000000..c3d901620 --- /dev/null +++ b/lib/libwrap/misc.c @@ -0,0 +1,92 @@ +/* $NetBSD: misc.c,v 1.10 2012/03/21 10:10:37 matt Exp $ */ + + /* + * Misc routines that are used by tcpd and by tcpdchk. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsic[] = "@(#) misc.c 1.2 96/02/11 17:01:29"; +#else +__RCSID("$NetBSD: misc.c,v 1.10 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +#include +#include +#include +#include +#include +#include + +#include "tcpd.h" + +/* xgets - fgets() with backslash-newline stripping */ + +char * +xgets(char *ptr, int len, FILE *fp) +{ + int got; + char *start = ptr; + + while (len > 1 && fgets(ptr, len, fp)) { + got = strlen(ptr); + if (got >= 1 && ptr[got - 1] == '\n') { + tcpd_context.line++; + if (got >= 2 && ptr[got - 2] == '\\') { + got -= 2; + } else { + return (start); + } + } + ptr += got; + len -= got; + ptr[0] = 0; + } + return (ptr > start ? start : 0); +} + +/* split_at - break string at delimiter or return NULL */ + +char * +split_at(char *string, int delimiter) +{ + char *cp; + int bracket; + + bracket = 0; + for (cp = string; cp && *cp; cp++) { + switch (*cp) { + case '[': + bracket++; + break; + case ']': + bracket--; + break; + default: + if (bracket == 0 && *cp == delimiter) { + *cp++ = 0; + return cp; + } + break; + } + } + return NULL; +} + +/* dot_quad_addr - convert dotted quad to internal form */ + +int +dot_quad_addr(char *str, unsigned long *addr) +{ + struct in_addr a; + + if (!inet_aton(str, &a)) + return -1; + if (addr) + *addr = a.s_addr; + return 0; +} diff --git a/lib/libwrap/mystdarg.h b/lib/libwrap/mystdarg.h new file mode 100644 index 000000000..f22969dea --- /dev/null +++ b/lib/libwrap/mystdarg.h @@ -0,0 +1,18 @@ +/* $NetBSD: mystdarg.h,v 1.2 1997/10/09 21:20:37 christos Exp $ */ + + /* + * What follows is an attempt to unify varargs.h and stdarg.h. I'd rather + * have this than #ifdefs all over the code. + */ + +#ifdef __STDC__ +#include +#define VARARGS(func,type,arg) func(type arg, ...) +#define VASTART(ap,type,name) va_start(ap,name) +#define VAEND(ap) va_end(ap) +#else +#include +#define VARARGS(func,type,arg) func(va_alist) va_dcl +#define VASTART(ap,type,name) {type name; va_start(ap); name = va_arg(ap, type) +#define VAEND(ap) va_end(ap);} +#endif diff --git a/lib/libwrap/options.c b/lib/libwrap/options.c new file mode 100644 index 000000000..1350dc4c9 --- /dev/null +++ b/lib/libwrap/options.c @@ -0,0 +1,634 @@ +/* $NetBSD: options.c,v 1.16 2012/03/22 22:59:43 joerg Exp $ */ + + /* + * General skeleton for adding options to the access control language. The + * features offered by this module are documented in the hosts_options(5) + * manual page (source file: hosts_options.5, "nroff -man" format). + * + * Notes and warnings for those who want to add features: + * + * In case of errors, abort options processing and deny access. There are too + * many irreversible side effects to make error recovery feasible. For + * example, it makes no sense to continue after we have already changed the + * userid. + * + * In case of errors, do not terminate the process: the routines might be + * called from a long-running daemon that should run forever. Instead, call + * tcpd_jump() which does a non-local goto back into the hosts_access() + * routine. + * + * In case of severe errors, use clean_exit() instead of directly calling + * exit(), or the inetd may loop on an UDP request. + * + * In verification mode (for example, with the "tcpdmatch" command) the + * "dry_run" flag is set. In this mode, an option function should just "say" + * what it is going to do instead of really doing it. + * + * Some option functions do not return (for example, the twist option passes + * control to another program). In verification mode (dry_run flag is set) + * such options should clear the "dry_run" flag to inform the caller of this + * course of action. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31"; +#else +__RCSID("$NetBSD: options.c,v 1.16 2012/03/22 22:59:43 joerg Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +/* Options runtime support. */ + +int dry_run = 0; /* flag set in verification mode */ +extern jmp_buf tcpd_buf; /* tcpd_jump() support */ + +/* Options parser support. */ + +static char whitespace_eq[] = "= \t\r\n"; +#define whitespace (whitespace_eq + 1) + +static char *get_field /* chew :-delimited field off string */ + (char *); +static char *chop_string /* strip leading and trailing blanks */ + (char *); +struct syslog_names; +static int severity_map + (const struct syslog_names *, char *); + +/* List of functions that implement the options. Add yours here. */ + +static void user_option /* execute "user name.group" option */ + (char *, struct request_info *); +static void group_option /* execute "group name" option */ + (char *, struct request_info *); +static void umask_option /* execute "umask mask" option */ + (char *, struct request_info *); +static void linger_option /* execute "linger time" option */ + (char *, struct request_info *); +static void keepalive_option /* execute "keepalive" option */ + (char *, struct request_info *); +static void spawn_option /* execute "spawn command" option */ + (char *, struct request_info *); +static void twist_option /* execute "twist command" option */ + (char *, struct request_info *); +static void rfc931_option /* execute "rfc931" option */ + (char *, struct request_info *); +static void setenv_option /* execute "setenv name value" */ + (char *, struct request_info *); +static void nice_option /* execute "nice" option */ + (char *, struct request_info *); +static void severity_option /* execute "severity value" */ + (char *, struct request_info *); +__dead static void allow_option /* execute "allow" option */ + (char *, struct request_info *); +__dead static void deny_option /* execute "deny" option */ + (char *, struct request_info *); +static void banners_option /* execute "banners path" option */ + (char *, struct request_info *); + +/* Structure of the options table. */ + +struct option { + const char *name; /* keyword name, case is ignored */ + void (*func) /* function that does the real work */ + (char *, struct request_info *); + int flags; /* see below... */ +}; + +#define NEED_ARG (1<<1) /* option requires argument */ +#define USE_LAST (1<<2) /* option must be last */ +#define OPT_ARG (1<<3) /* option has optional argument */ +#define EXPAND_ARG (1<<4) /* do %x expansion on argument */ + +#define need_arg(o) ((o)->flags & NEED_ARG) +#define opt_arg(o) ((o)->flags & OPT_ARG) +#define permit_arg(o) ((o)->flags & (NEED_ARG | OPT_ARG)) +#define use_last(o) ((o)->flags & USE_LAST) +#define expand_arg(o) ((o)->flags & EXPAND_ARG) + +/* List of known keywords. Add yours here. */ + +static struct option option_table[] = { + { "user", user_option, NEED_ARG }, + { "group", group_option, NEED_ARG }, + { "umask", umask_option, NEED_ARG }, + { "linger", linger_option, NEED_ARG }, + { "keepalive", keepalive_option, 0 }, + { "spawn", spawn_option, NEED_ARG | EXPAND_ARG }, + { "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST }, + { "rfc931", rfc931_option, OPT_ARG }, + { "setenv", setenv_option, NEED_ARG | EXPAND_ARG }, + { "nice", nice_option, OPT_ARG }, + { "severity", severity_option, NEED_ARG }, + { "allow", allow_option, USE_LAST }, + { "deny", deny_option, USE_LAST }, + { "banners", banners_option, NEED_ARG }, + { NULL, NULL, 0 } +}; + +/* process_options - process access control options */ + +void +process_options(char *options, struct request_info *request) +{ + char *key; + char *value; + char *curr_opt; + char *next_opt; + struct option *op; + char bf[BUFSIZ]; + + for (curr_opt = get_field(options); curr_opt; curr_opt = next_opt) { + next_opt = get_field((char *) 0); + + /* + * Separate the option into name and value parts. For backwards + * compatibility we ignore exactly one '=' between name and value. + */ + curr_opt = chop_string(curr_opt); + if (*(value = curr_opt + strcspn(curr_opt, whitespace_eq))) { + if (*value != '=') { + *value++ = 0; + value += strspn(value, whitespace); + } + if (*value == '=') { + *value++ = 0; + value += strspn(value, whitespace); + } + } + if (*value == 0) + value = 0; + key = curr_opt; + + /* + * Disallow missing option names (and empty option fields). + */ + if (*key == 0) + tcpd_jump("missing option name"); + + /* + * Lookup the option-specific info and do some common error checks. + * Delegate option-specific processing to the specific functions. + */ + + for (op = option_table; op->name && STR_NE(op->name, key); op++) + /* VOID */ ; + if (op->name == 0) + tcpd_jump("bad option name: \"%s\"", key); + if (!value && need_arg(op)) + tcpd_jump("option \"%s\" requires value", key); + if (value && !permit_arg(op)) + tcpd_jump("option \"%s\" requires no value", key); + if (next_opt && use_last(op)) + tcpd_jump("option \"%s\" must be at end", key); + if (value && expand_arg(op)) + value = chop_string(percent_x(bf, sizeof(bf), value, request)); + if (hosts_access_verbose) + syslog(LOG_DEBUG, "option: %s %s", key, value ? value : ""); + (*(op->func)) (value, request); + } +} + +/* allow_option - grant access */ + +/* ARGSUSED */ + +static void +allow_option(char *value, struct request_info *request) +{ + longjmp(tcpd_buf, AC_PERMIT); +} + +/* deny_option - deny access */ + +/* ARGSUSED */ + +static void +deny_option(char *value, struct request_info *request) +{ + longjmp(tcpd_buf, AC_DENY); +} + +/* banners_option - expand %, terminate each line with CRLF */ + +static void +banners_option(char *value, struct request_info *request) +{ + char path[MAXPATHLEN]; + char ibuf[BUFSIZ]; + char obuf[2 * BUFSIZ]; + struct stat st; + int ch; + FILE *fp; + + (void)snprintf(path, sizeof path, "%s/%s", value, eval_daemon(request)); + if ((fp = fopen(path, "r")) != 0) { + while ((ch = fgetc(fp)) == 0) + write(request->fd, "", 1); + ungetc(ch, fp); + while (fgets(ibuf, sizeof(ibuf) - 2, fp)) { + if (split_at(ibuf, '\n')) + strcat(ibuf, "\r\n"); /* XXX strcat is safe */ + percent_x(obuf, sizeof(obuf), ibuf, request); + write(request->fd, obuf, strlen(obuf)); + } + fclose(fp); + } else if (stat(value, &st) < 0) { + tcpd_warn("%s: %m", value); + } +} + +/* group_option - switch group id */ + +/* ARGSUSED */ + +static void +group_option(char *value, struct request_info *request) +{ + struct group grs, *grp; + char grbuf[1024]; + + (void)getgrnam_r(value, &grs, grbuf, sizeof(grbuf), &grp); + if (grp == NULL) + tcpd_jump("unknown group: \"%s\"", value); + + if (dry_run == 0 && setgid(grp->gr_gid)) + tcpd_jump("setgid(%s): %m", value); +} + +/* user_option - switch user id */ + +/* ARGSUSED */ + +static void +user_option(char *value, struct request_info *request) +{ + struct passwd *pwd, pws; + char *group; + char pwbuf[1024]; + + if ((group = split_at(value, '.')) != 0) + group_option(group, request); + (void)getpwnam_r(value, &pws, pwbuf, sizeof(pwbuf), &pwd); + if (pwd == NULL) + tcpd_jump("unknown user: \"%s\"", value); + + if (dry_run == 0 && setuid(pwd->pw_uid)) + tcpd_jump("setuid(%s): %m", value); +} + +/* umask_option - set file creation mask */ + +/* ARGSUSED */ + +static void +umask_option(char *value, struct request_info *request) +{ + unsigned mask; + char junk; + + if (sscanf(value, "%o%c", &mask, &junk) != 1 || (mask & 0777) != mask) + tcpd_jump("bad umask value: \"%s\"", value); + (void) umask(mask); +} + +/* spawn_option - spawn a shell command and wait */ + +/* ARGSUSED */ + +static void +spawn_option(char *value, struct request_info *request) +{ + if (dry_run == 0) + shell_cmd(value); +} + +/* linger_option - set the socket linger time (Marc Boucher ) */ + +/* ARGSUSED */ + +static void +linger_option(char *value, struct request_info *request) +{ + struct linger linger; + char junk; + + if (sscanf(value, "%d%c", &linger.l_linger, &junk) != 1 + || linger.l_linger < 0) + tcpd_jump("bad linger value: \"%s\"", value); + if (dry_run == 0) { + linger.l_onoff = (linger.l_linger != 0); + if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger, + sizeof(linger)) < 0) + tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger); + } +} + +/* keepalive_option - set the socket keepalive option */ + +/* ARGSUSED */ + +static void +keepalive_option(char *value, struct request_info *request) +{ + static int on = 1; + + if (dry_run == 0 && setsockopt(request->fd, SOL_SOCKET, SO_KEEPALIVE, + (char *) &on, sizeof(on)) < 0) + tcpd_warn("setsockopt SO_KEEPALIVE: %m"); +} + +/* nice_option - set nice value */ + +/* ARGSUSED */ + +static void +nice_option(char *value, struct request_info *request) +{ + int niceval = 10; + char junk; + + if (value != 0 && sscanf(value, "%d%c", &niceval, &junk) != 1) + tcpd_jump("bad nice value: \"%s\"", value); + if (dry_run == 0 && nice(niceval) < 0) + tcpd_warn("nice(%d): %m", niceval); +} + +/* twist_option - replace process by shell command */ + +static void +twist_option(char *value, struct request_info *request) +{ + if (dry_run != 0) { + dry_run = 0; + } else { + if (resident > 0) + tcpd_jump("twist option in resident process"); + + syslog(deny_severity, "twist %s to %s", eval_client(request), value); + + /* Before switching to the shell, set up stdin, stdout and stderr. */ + +#define maybe_dup2(from, to) ((from == to) ? to : (close(to), dup(from))) + + if (maybe_dup2(request->fd, 0) != 0 || + maybe_dup2(request->fd, 1) != 1 || + maybe_dup2(request->fd, 2) != 2) { + tcpd_warn("twist_option: dup: %m"); + } else { + if (request->fd > 2) + close(request->fd); + (void) execl("/bin/sh", "sh", "-c", value, (char *) 0); + tcpd_warn("twist_option: /bin/sh: %m"); + } + + /* Something went wrong: we MUST terminate the process. */ + clean_exit(request); + } +} + +/* rfc931_option - look up remote user name */ + +static void +rfc931_option(char *value, struct request_info *request) +{ + int timeout; + char junk; + + if (value != 0) { + if (sscanf(value, "%d%c", &timeout, &junk) != 1 || timeout <= 0) + tcpd_jump("bad rfc931 timeout: \"%s\"", value); + rfc931_timeout = timeout; + } + (void) eval_user(request); +} + +/* setenv_option - set environment variable */ + +/* ARGSUSED */ + +static void +setenv_option(char *value, struct request_info *request) +{ + char *var_value; + + if (*(var_value = value + strcspn(value, whitespace))) + *var_value++ = 0; + if (setenv(chop_string(value), chop_string(var_value), 1)) + tcpd_jump("memory allocation failure"); +} + + /* + * The severity option goes last because it comes with a huge amount of ugly + * #ifdefs and tables. + */ + +struct syslog_names { + const char *name; + int value; +}; + +static const struct syslog_names log_fac[] = { +#ifdef LOG_KERN + { "kern", LOG_KERN }, +#endif +#ifdef LOG_USER + { "user", LOG_USER }, +#endif +#ifdef LOG_MAIL + { "mail", LOG_MAIL }, +#endif +#ifdef LOG_DAEMON + { "daemon", LOG_DAEMON }, +#endif +#ifdef LOG_AUTH + { "auth", LOG_AUTH }, +#endif +#ifdef LOG_LPR + { "lpr", LOG_LPR }, +#endif +#ifdef LOG_NEWS + { "news", LOG_NEWS }, +#endif +#ifdef LOG_UUCP + { "uucp", LOG_UUCP }, +#endif +#ifdef LOG_CRON + { "cron", LOG_CRON }, +#endif +#ifdef LOG_AUTHPRIV + { "authpriv", LOG_AUTHPRIV }, +#endif +#ifdef LOG_FTP + { "ftp", LOG_FTP }, +#endif +#ifdef LOG_LOCAL0 + { "local0", LOG_LOCAL0 }, +#endif +#ifdef LOG_LOCAL1 + { "local1", LOG_LOCAL1 }, +#endif +#ifdef LOG_LOCAL2 + { "local2", LOG_LOCAL2 }, +#endif +#ifdef LOG_LOCAL3 + { "local3", LOG_LOCAL3 }, +#endif +#ifdef LOG_LOCAL4 + { "local4", LOG_LOCAL4 }, +#endif +#ifdef LOG_LOCAL5 + { "local5", LOG_LOCAL5 }, +#endif +#ifdef LOG_LOCAL6 + { "local6", LOG_LOCAL6 }, +#endif +#ifdef LOG_LOCAL7 + { "local7", LOG_LOCAL7 }, +#endif + { NULL, 0 } +}; + +static const struct syslog_names log_sev[] = { +#ifdef LOG_EMERG + { "emerg", LOG_EMERG }, +#endif +#ifdef LOG_ALERT + { "alert", LOG_ALERT }, +#endif +#ifdef LOG_CRIT + { "crit", LOG_CRIT }, +#endif +#ifdef LOG_ERR + { "err", LOG_ERR }, +#endif +#ifdef LOG_WARNING + { "warning", LOG_WARNING }, +#endif +#ifdef LOG_NOTICE + { "notice", LOG_NOTICE }, +#endif +#ifdef LOG_INFO + { "info", LOG_INFO }, +#endif +#ifdef LOG_DEBUG + { "debug", LOG_DEBUG }, +#endif + { NULL, 0 } +}; + +/* severity_map - lookup facility or severity value */ + +static int +severity_map(const struct syslog_names *table, char *name) +{ + const struct syslog_names *t; + + for (t = table; t->name; t++) + if (STR_EQ(t->name, name)) + return (t->value); + tcpd_jump("bad syslog facility or severity: \"%s\"", name); + /* NOTREACHED */ + return -1; +} + +/* severity_option - change logging severity for this event (Dave Mitchell) */ + +/* ARGSUSED */ + +static void +severity_option(char *value, struct request_info *request) +{ + char *level = split_at(value, '.'); + + allow_severity = deny_severity = level ? + severity_map(log_fac, value) | severity_map(log_sev, level) : + severity_map(log_sev, value); +} + +/* get_field - return pointer to next field in string */ + +static char * +get_field(char *string) +{ + static char nul = '\0'; + static char *last = &nul; + char *src; + char *dst; + char *ret; + int ch; + + /* + * This function returns pointers to successive fields within a given + * string. ":" is the field separator; warn if the rule ends in one. It + * replaces a "\:" sequence by ":", without treating the result of + * substitution as field terminator. A null argument means resume search + * where the previous call terminated. This function destroys its + * argument. + * + * Work from explicit source or from memory. While processing \: we + * overwrite the input. This way we do not have to maintain buffers for + * copies of input fields. + */ + + src = dst = ret = (string ? string : last); + if (src[0] == 0) + return (0); + + while ((ch = *src) != '\0') { + if (ch == ':') { + if (*++src == 0) + tcpd_warn("rule ends in \":\""); + break; + } + if (ch == '\\' && src[1] == ':') + src++; + *dst++ = *src++; + } + last = src; + *dst = 0; + return (ret); +} + +/* chop_string - strip leading and trailing blanks from string */ + +static char * +chop_string(register char *string) +{ + char *start = NULL; + char *end = NULL; + char *cp; + + for (cp = string; *cp; cp++) { + if (!isspace((unsigned char) *cp)) { + if (start == 0) + start = cp; + end = cp; + } + } + return (start ? (end[1] = 0, start) : cp); +} diff --git a/lib/libwrap/percent_x.c b/lib/libwrap/percent_x.c new file mode 100644 index 000000000..e9915c256 --- /dev/null +++ b/lib/libwrap/percent_x.c @@ -0,0 +1,92 @@ +/* $NetBSD: percent_x.c,v 1.5 2012/03/21 10:10:37 matt Exp $ */ + + /* + * percent_x() takes a string and performs % expansions. It aborts the + * program when the expansion would overflow the output buffer. The result + * of % expansion may be passed on to a shell process. For this + * reason, characters with a special meaning to shells are replaced by + * underscores. + * + * Diagnostics are reported through syslog(3). + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) percent_x.c 1.4 94/12/28 17:42:37"; +#else +__RCSID("$NetBSD: percent_x.c,v 1.5 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#include +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +/* percent_x - do % expansion, abort if result buffer is too small */ + +char * +percent_x(char *result, int result_len, char *string, + struct request_info *request) +{ + char *bp = result; + char *end = result + result_len - 1; /* end of result buffer */ + char *expansion; + size_t expansion_len; + static const char ok_chars[] = "1234567890!@%-_=+:,./" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + char *str = string; + char *cp; + int ch; + + /* + * Warning: we may be called from a child process or after pattern + * matching, so we cannot use clean_exit() or tcpd_jump(). + */ + + while (*str) { + if (*str == '%' && (ch = str[1]) != 0) { + str += 2; + expansion = + ch == 'a' ? eval_hostaddr(request->client) : + ch == 'A' ? eval_hostaddr(request->server) : + ch == 'c' ? eval_client(request) : + ch == 'd' ? eval_daemon(request) : + ch == 'h' ? eval_hostinfo(request->client) : + ch == 'H' ? eval_hostinfo(request->server) : + ch == 'n' ? eval_hostname(request->client) : + ch == 'N' ? eval_hostname(request->server) : + ch == 'p' ? eval_pid(request) : + ch == 's' ? eval_server(request) : + ch == 'u' ? eval_user(request) : + ch == '%' ? __UNCONST("%") + : (tcpd_warn("unrecognized %%%c", ch), __UNCONST("")); + for (cp = expansion; *(cp += strspn(cp, ok_chars)); /* */ ) + *cp = '_'; + expansion_len = cp - expansion; + } else { + expansion = str++; + expansion_len = 1; + } + if (bp + expansion_len >= end) { + tcpd_warn("percent_x: expansion too long: %.30s...", result); + sleep(5); + exit(0); + } + memcpy(bp, expansion, expansion_len); + bp += expansion_len; + } + *bp = 0; + return (result); +} diff --git a/lib/libwrap/refuse.c b/lib/libwrap/refuse.c new file mode 100644 index 000000000..1b5408bcf --- /dev/null +++ b/lib/libwrap/refuse.c @@ -0,0 +1,39 @@ +/* $NetBSD: refuse.c,v 1.5 2012/03/21 10:10:37 matt Exp $ */ + + /* + * refuse() reports a refused connection, and takes the consequences: in + * case of a datagram-oriented service, the unread datagram is taken from + * the input queue (or inetd would see the same datagram again and again); + * the program is terminated. + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) refuse.c 1.5 94/12/28 17:42:39"; +#else +__RCSID("$NetBSD: refuse.c,v 1.5 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +/* refuse - refuse request */ + +void +refuse(struct request_info *request) +{ + syslog(deny_severity, "refused connect from %s", eval_client(request)); + clean_exit(request); + /* NOTREACHED */ +} + diff --git a/lib/libwrap/rfc931.c b/lib/libwrap/rfc931.c new file mode 100644 index 000000000..800df7217 --- /dev/null +++ b/lib/libwrap/rfc931.c @@ -0,0 +1,237 @@ +/* $NetBSD: rfc931.c,v 1.10 2012/03/22 22:59:43 joerg Exp $ */ + + /* + * rfc931() speaks a common subset of the RFC 931, AUTH, TAP, IDENT and RFC + * 1413 protocols. It queries an RFC 931 etc. compatible daemon on a remote + * host to look up the owner of a connection. The information should not be + * used for authentication purposes. This routine intercepts alarm signals. + * + * Diagnostics are reported through syslog(3). + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) rfc931.c 1.10 95/01/02 16:11:34"; +#else +__RCSID("$NetBSD: rfc931.c,v 1.10 2012/03/22 22:59:43 joerg Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +#define RFC931_PORT 113 /* Semi-well-known port */ +#define ANY_PORT 0 /* Any old port will do */ + +int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ + +static jmp_buf timebuf; + +static FILE *fsocket(int, int, int); +static void timeout(int) __dead; + +/* fsocket - open stdio stream on top of socket */ + +static FILE * +fsocket(int domain, int type, int protocol) +{ + int s; + FILE *fp; + + if ((s = socket(domain, type, protocol)) < 0) { + tcpd_warn("socket: %m"); + return (0); + } else { + if ((fp = fdopen(s, "r+")) == 0) { + tcpd_warn("fdopen: %m"); + close(s); + } + return (fp); + } +} + +/* timeout - handle timeouts */ + +static void +timeout(int sig) +{ + longjmp(timebuf, sig); +} + +/* rfc931 - return remote user name, given socket structures */ + +void +rfc931(struct sockaddr *rmt_sin, struct sockaddr *our_sin, char *dest) +{ + unsigned rmt_port; + unsigned our_port; + struct sockaddr_storage rmt_query_sin; + struct sockaddr_storage our_query_sin; + char user[256]; /* XXX */ + char buffer[512]; /* XXX */ + char *cp; + char *result = unknown; + FILE *fp; + volatile int salen; + u_short * volatile rmt_portp; + u_short * volatile our_portp; + + /* address family must be the same */ + if (rmt_sin->sa_family != our_sin->sa_family) { + strlcpy(dest, result, STRING_LENGTH); + return; + } + switch (rmt_sin->sa_family) { + case AF_INET: + salen = sizeof(struct sockaddr_in); + rmt_portp = &(((struct sockaddr_in *)rmt_sin)->sin_port); + break; +#ifdef INET6 + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + rmt_portp = &(((struct sockaddr_in6 *)rmt_sin)->sin6_port); + break; +#endif + default: + strlcpy(dest, result, STRING_LENGTH); + return; + } + switch (our_sin->sa_family) { + case AF_INET: + our_portp = &(((struct sockaddr_in *)our_sin)->sin_port); + break; +#ifdef INET6 + case AF_INET6: + our_portp = &(((struct sockaddr_in6 *)our_sin)->sin6_port); + break; +#endif + default: + strlcpy(dest, result, STRING_LENGTH); + return; + } + +#ifdef __GNUC__ + (void)&result; /* Avoid longjmp clobbering */ + (void)&fp; /* XXX gcc */ +#endif + + /* + * Use one unbuffered stdio stream for writing to and for reading from + * the RFC931 etc. server. This is done because of a bug in the SunOS + * 4.1.x stdio library. The bug may live in other stdio implementations, + * too. When we use a single, buffered, bidirectional stdio stream ("r+" + * or "w+" mode) we read our own output. Such behaviour would make sense + * with resources that support random-access operations, but not with + * sockets. + */ + + if ((fp = fsocket(rmt_sin->sa_family, SOCK_STREAM, 0)) != 0) { + setbuf(fp, (char *) 0); + + /* + * Set up a timer so we won't get stuck while waiting for the server. + */ + + if (setjmp(timebuf) == 0) { + signal(SIGALRM, timeout); + alarm(rfc931_timeout); + + /* + * Bind the local and remote ends of the query socket to the same + * IP addresses as the connection under investigation. We go + * through all this trouble because the local or remote system + * might have more than one network address. The RFC931 etc. + * client sends only port numbers; the server takes the IP + * addresses from the query socket. + */ + + memcpy(&our_query_sin, our_sin, salen); + switch (our_query_sin.ss_family) { + case AF_INET: + ((struct sockaddr_in *)&our_query_sin)->sin_port = + htons(ANY_PORT); + break; +#ifdef INET6 + case AF_INET6: + ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = + htons(ANY_PORT); + break; +#endif + } + memcpy(&rmt_query_sin, rmt_sin, salen); + switch (rmt_query_sin.ss_family) { + case AF_INET: + ((struct sockaddr_in *)&rmt_query_sin)->sin_port = + htons(RFC931_PORT); + break; +#ifdef INET6 + case AF_INET6: + ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = + htons(RFC931_PORT); + break; +#endif + } + + if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, + salen) >= 0 && + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, + salen) >= 0) { + + /* + * Send query to server. Neglect the risk that a 13-byte + * write would have to be fragmented by the local system and + * cause trouble with buggy System V stdio libraries. + */ + + fprintf(fp, "%u,%u\r\n", + ntohs(*rmt_portp), + ntohs(*our_portp)); + fflush(fp); + + /* + * Read response from server. Use fgets()/sscanf() so we can + * work around System V stdio libraries that incorrectly + * assume EOF when a read from a socket returns less than + * requested. + */ + + if (fgets(buffer, sizeof(buffer), fp) != 0 + && ferror(fp) == 0 && feof(fp) == 0 + && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", + &rmt_port, &our_port, user) == 3 + && ntohs(*rmt_portp) == rmt_port + && ntohs(*our_portp) == our_port) { + + /* + * Strip trailing carriage return. It is part of the + * protocol, not part of the data. + */ + + if ((cp = strchr(user, '\r')) != NULL) + *cp = '\0'; + result = user; + } + } + alarm(0); + } + fclose(fp); + } + strlcpy(dest, result, STRING_LENGTH); +} diff --git a/lib/libwrap/shell_cmd.c b/lib/libwrap/shell_cmd.c new file mode 100644 index 000000000..8396e22af --- /dev/null +++ b/lib/libwrap/shell_cmd.c @@ -0,0 +1,98 @@ +/* $NetBSD: shell_cmd.c,v 1.7 2012/03/22 22:59:43 joerg Exp $ */ + + /* + * shell_cmd() takes a shell command after % substitutions. The + * command is executed by a /bin/sh child process, with standard input, + * standard output and standard error connected to /dev/null. + * + * Diagnostics are reported through syslog(3). + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) shell_cmd.c 1.5 94/12/28 17:42:44"; +#else +__RCSID("$NetBSD: shell_cmd.c,v 1.7 2012/03/22 22:59:43 joerg Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +/* Forward declarations. */ + +static void do_child(char *) __dead; + +/* shell_cmd - execute shell command */ + +void +shell_cmd(char *command) +{ + int child_pid; + int wait_pid; + + /* + * Most of the work is done within the child process, to minimize the + * risk of damage to the parent. + */ + + switch (child_pid = fork()) { + case -1: /* error */ + tcpd_warn("cannot fork: %m"); + break; + case 00: /* child */ + do_child(command); + /* NOTREACHED */ + default: /* parent */ + while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid) + /* void */ ; + } +} + +/* do_child - exec command with { stdin, stdout, stderr } to /dev/null */ + +static void +do_child(char *command) +{ + int tmp_fd; + + /* + * Systems with POSIX sessions may send a SIGHUP to grandchildren if the + * child exits first. This is sick, sessions were invented for terminals. + */ + + signal(SIGHUP, SIG_IGN); + + /* Set up new stdin, stdout, stderr, and exec the shell command. */ + + for (tmp_fd = 0; tmp_fd < 3; tmp_fd++) + (void) close(tmp_fd); + if (open("/dev/null", 2) != 0) { + tcpd_warn("open /dev/null: %m"); + } else if (dup(0) != 1 || dup(0) != 2) { + tcpd_warn("dup: %m"); + } else { + (void) execl("/bin/sh", "sh", "-c", command, (char *) 0); + tcpd_warn("execl /bin/sh: %m"); + } + + /* Something went wrong. We MUST terminate the child process. */ + _exit(0); +} diff --git a/lib/libwrap/shlib_version b/lib/libwrap/shlib_version new file mode 100644 index 000000000..6c1ff4bec --- /dev/null +++ b/lib/libwrap/shlib_version @@ -0,0 +1,5 @@ +# $NetBSD: shlib_version,v 1.6 2009/01/11 03:07:50 christos Exp $ +# Remember to update distrib/sets/lists/base/shl.* when changing +# +major=1 +minor=0 diff --git a/lib/libwrap/socket.c b/lib/libwrap/socket.c new file mode 100644 index 000000000..3b5129a3e --- /dev/null +++ b/lib/libwrap/socket.c @@ -0,0 +1,291 @@ +/* $NetBSD: socket.c,v 1.19 2012/03/21 10:10:37 matt Exp $ */ + + /* + * This module determines the type of socket (datagram, stream), the client + * socket address and port, the server socket address and port. In addition, + * it provides methods to map a transport address to a printable host name + * or address. Socket address information results are in static memory. + * + * The result from the hostname lookup method is STRING_PARANOID when a host + * pretends to have someone elses name, or when a host name is available but + * could not be verified. + * + * When lookup or conversion fails the result is set to STRING_UNKNOWN. + * + * Diagnostics are reported through syslog(3). + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24"; +#else +__RCSID("$NetBSD: socket.c,v 1.19 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Local stuff. */ + +#include "tcpd.h" + +/* Forward declarations. */ + +#ifdef APPEND_DOT +static const char *append_dot __P((const char *)); +#endif +static void sock_sink __P((int)); + +#ifdef APPEND_DOT + /* + * Speed up DNS lookups by terminating the host name with a dot. Should be + * done with care. The speedup can give problems with lookups from sources + * that lack DNS-style trailing dot magic, such as local files or NIS maps. + */ + +static const char * +append_dot(name) +const char *name; +{ + static char hbuf[MAXHOSTNAMELEN + 1]; + + /* + * Don't append dots to unqualified names. Such names are likely to come + * from local hosts files or from NIS. + */ + + if (strchr(name, '.') == 0 || strlen(name) + 2 > sizeof(hbuf)) + strlcpy(hbuf, name, sizeof(hbuf)); + else + (void)snprintf(hbuf, sizeof(hbuf), "%s.", name); + return hbuf; +} +#endif + +/* sock_host - look up endpoint addresses and install conversion methods */ + +void +sock_host(struct request_info *request) +{ + static struct sockaddr_storage client; + static struct sockaddr_storage server; + socklen_t len; + char buf[BUFSIZ]; + int fd = request->fd; + + sock_methods(request); + + /* + * Look up the client host address. Hal R. Brand + * suggested how to get the client host info in case of UDP connections: + * peek at the first message without actually looking at its contents. We + * really should verify that client.sin_family gets the value AF_INET, + * but this program has already caused too much grief on systems with + * broken library code. + * + * XXX the last sentence is untrue as we support AF_INET6 as well :-) + */ + + if (request->client->sin == NULL) { + len = sizeof(client); + if (getpeername(fd, (struct sockaddr *)(void *)& client, &len) < 0) { + request->sink = sock_sink; + len = sizeof(client); + if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK, + (struct sockaddr *) & client, &len) < 0) { + tcpd_warn("can't get client address: %m"); + return; /* give up */ + } +#ifdef really_paranoid + memset(buf, 0, sizeof(buf)); +#endif + } + request->client->sin = (struct sockaddr *)&client; + } + + /* + * Determine the server binding. This is used for client username + * lookups, and for access control rules that trigger on the server + * address or name. + */ + + if (request->server->sin == NULL) { + len = sizeof(server); + if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) { + tcpd_warn("getsockname: %m"); + return; + } + request->server->sin = (struct sockaddr *)&server; + } +} + +/* sock_hostaddr - map endpoint address to printable form */ + +void +sock_hostaddr(struct host_info *host) +{ + struct sockaddr *sa = host->sin; + + if (!sa) + return; + host->addr[0] = '\0'; + getnameinfo(sa, sa->sa_len, host->addr, sizeof(host->addr), + NULL, 0, NI_NUMERICHOST); +} + +/* sock_hostname - map endpoint address to host name */ + +void +sock_hostname(struct host_info *host) +{ + struct sockaddr *sa = host->sin; + char h1[NI_MAXHOST], h2[NI_MAXHOST]; + struct addrinfo hints, *res, *res0; +#ifdef INET6 + struct sockaddr_in tmp; +#endif + + if (!sa) + return; +#ifdef INET6 + /* special case on reverse lookup: mapped addr. I hate it */ + if (sa->sa_family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)) { + memset(&tmp, 0, sizeof(tmp)); + tmp.sin_family = AF_INET; + tmp.sin_len = sizeof(struct sockaddr_in); + memcpy(&tmp.sin_addr, + &((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[12], 4); + sa = (struct sockaddr *)&tmp; + } +#endif + if (getnameinfo(sa, sa->sa_len, h1, sizeof(h1), NULL, 0, + NI_NUMERICHOST) != 0) { + return; + } + if (getnameinfo(sa, sa->sa_len, host->name, sizeof(host->name), NULL, 0, + NI_NAMEREQD) == 0) { + /* + * if reverse lookup result looks like a numeric hostname, + * someone is trying to trick us by PTR record like following: + * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; +#ifdef APPEND_DOT + if (getaddrinfo(append_dot(host->name), "0", &hints, &res0) == 0) +#else + if (getaddrinfo(host->name, "0", &hints, &res0) == 0) +#endif + { + tcpd_warn("Nasty PTR record is configured"); + freeaddrinfo(res0); + /* name is bad, clobber it */ + (void)strlcpy(host->name, paranoid, sizeof(host->name)); + return; + } + + /* + * Verify that the address is a member of the address list returned + * by getaddrinfo(hostname). + * + * Verify also that getnameinfo() and getaddrinfo() return the same + * hostname, or rshd and rlogind may still end up being spoofed. + * + * On some sites, getaddrinfo("localhost") returns "localhost.domain". + * This is a DNS artefact. We treat it as a special case. When we + * can't believe the address list from getaddrinfo("localhost") + * we're in big trouble anyway. + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = sa->sa_family; + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_CANONNAME; +#ifdef APPEND_DOT + if (getaddrinfo(append_dot(host->name), "0", &hints, &res0) != 0) +#else + if (getaddrinfo(host->name, "0", &hints, &res0) != 0) +#endif + { + /* + * Unable to verify that the host name matches the address. This + * may be a transient problem or a botched name server setup. + */ + + tcpd_warn("can't verify hostname: getaddrinfo(%s, %d) failed", + host->name, hints.ai_family); + } else if (res0->ai_canonname && + STR_NE(host->name, res0->ai_canonname) && + STR_NE(host->name, "localhost")) { + /* + * The getnameinfo() and getaddrinfo() calls did not return + * the same hostname. This could be a nameserver configuration + * problem. It could also be that someone is trying to spoof us. + */ + + tcpd_warn("host name/name mismatch: %s != %s", + host->name, res0->ai_canonname); + freeaddrinfo(res0); + } else { + /* + * The address should be a member of the address list returned by + * getaddrinfo(). + */ + + for (res = res0; res; res = res->ai_next) { + if (getnameinfo(res->ai_addr, res->ai_addrlen, h2, sizeof(h2), + NULL, 0, NI_NUMERICHOST) != 0) { + continue; + } + if (STR_EQ(h1, h2)) { + freeaddrinfo(res0); + return; + } + } + + /* + * The host name does not map to the initial address. Perhaps + * someone has messed up. Perhaps someone compromised a name + * server. + */ + + tcpd_warn("host name/address mismatch: %s != %s", h1, + res0->ai_canonname ? res0->ai_canonname : "?"); + + freeaddrinfo(res0); + } + /* name is bad, clobber it */ + (void)strlcpy(host->name, paranoid, sizeof(host->name)); + } +} + +/* sock_sink - absorb unreceived IP datagram */ + +static void +sock_sink(int fd) +{ + char buf[BUFSIZ]; + struct sockaddr_storage ss; + socklen_t size = sizeof(ss); + + /* + * Eat up the not-yet received datagram. Some systems insist on a + * non-zero source address argument in the recvfrom() call below. + */ + + (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & ss, &size); +} diff --git a/lib/libwrap/tcpd.h b/lib/libwrap/tcpd.h new file mode 100644 index 000000000..58a44a0d2 --- /dev/null +++ b/lib/libwrap/tcpd.h @@ -0,0 +1,209 @@ +/* $NetBSD: tcpd.h,v 1.14 2012/03/22 22:59:43 joerg Exp $ */ + /* + * @(#) tcpd.h 1.5 96/03/19 16:22:24 + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#include + +/* Structure to describe one communications endpoint. */ + +#define STRING_LENGTH 128 /* hosts, users, processes */ + +struct host_info { + char name[STRING_LENGTH]; /* access via eval_hostname(host) */ + char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ + struct sockaddr *sin; /* socket address or 0 */ + struct t_unitdata *unit; /* TLI transport address or 0 */ + struct request_info *request; /* for shared information */ +}; + +/* Structure to describe what we know about a service request. */ + +struct request_info { + int fd; /* socket handle */ + char user[STRING_LENGTH]; /* access via eval_user(request) */ + char daemon[STRING_LENGTH]; /* access via eval_daemon(request) */ + char pid[10]; /* access via eval_pid(request) */ + struct host_info client[1]; /* client endpoint info */ + struct host_info server[1]; /* server endpoint info */ + void (*sink)(int); /* datagram sink function or 0 */ + void (*hostname)(struct host_info *); /* address to printable hostname */ + void (*hostaddr)(struct host_info *); /* address to printable address */ + void (*cleanup)(void); /* cleanup function or 0 */ + struct netconfig *config; /* netdir handle */ +}; + +/* Common string operations. Less clutter should be more readable. */ + +#define STRN_CPY(d,s,l) { strncpy((d),(s),(l)); (d)[(l)-1] = 0; } + +#define STRN_EQ(x,y,l) (strncasecmp((x),(y),(l)) == 0) +#define STRN_NE(x,y,l) (strncasecmp((x),(y),(l)) != 0) +#define STR_EQ(x,y) (strcasecmp((x),(y)) == 0) +#define STR_NE(x,y) (strcasecmp((x),(y)) != 0) + + /* + * Initially, all above strings have the empty value. Information that + * cannot be determined at runtime is set to "unknown", so that we can + * distinguish between `unavailable' and `not yet looked up'. A hostname + * that we do not believe in is set to "paranoid". + */ + +#define STRING_UNKNOWN "unknown" /* lookup failed */ +#define STRING_PARANOID "paranoid" /* hostname conflict */ + +__BEGIN_DECLS +extern char unknown[]; +extern char paranoid[]; +__END_DECLS + +#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid)) + +#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0) + +/* Global functions. */ + +__BEGIN_DECLS +#define fromhost sock_host /* no TLI support needed */ + +extern int hosts_access /* access control */ + (struct request_info *); +extern int hosts_ctl /* limited interface to hosts_access */ + (char *, char *, char *, char *); +extern void shell_cmd /* execute shell command */ + (char *); +extern char *percent_x /* do % expansion */ + (char *, int, char *, struct request_info *); +extern void rfc931 /* client name from RFC 931 daemon */ + (struct sockaddr *, struct sockaddr *, char *); +__dead extern void clean_exit /* clean up and exit */ + (struct request_info *); +__dead extern void refuse /* clean up and exit */ + (struct request_info *); +extern char *xgets /* fgets() on steroids */ + (char *, int, FILE *); +extern char *split_at /* strchr() and split */ + (char *, int); +extern int dot_quad_addr /* restricted inet_aton() */ + (char *, unsigned long *); + +/* Global variables. */ + +extern int allow_severity; /* for connection logging */ +extern int deny_severity; /* for connection logging */ +extern const char *hosts_allow_table; /* for verification mode redirection */ +extern const char *hosts_deny_table; /* for verification mode redirection */ +extern int hosts_access_verbose; /* for verbose matching mode */ +extern int rfc931_timeout; /* user lookup timeout */ +extern int resident; /* > 0 if resident process */ + + /* + * Routines for controlled initialization and update of request structure + * attributes. Each attribute has its own key. + */ + +extern struct request_info *request_init /* initialize request */ + (struct request_info *,...); +extern struct request_info *request_set /* update request structure */ + (struct request_info *,...); + +#define RQ_FILE 1 /* file descriptor */ +#define RQ_DAEMON 2 /* server process (argv[0]) */ +#define RQ_USER 3 /* client user name */ +#define RQ_CLIENT_NAME 4 /* client host name */ +#define RQ_CLIENT_ADDR 5 /* client host address */ +#define RQ_CLIENT_SIN 6 /* client endpoint (internal) */ +#define RQ_SERVER_NAME 7 /* server host name */ +#define RQ_SERVER_ADDR 8 /* server host address */ +#define RQ_SERVER_SIN 9 /* server endpoint (internal) */ + + /* + * Routines for delayed evaluation of request attributes. Each attribute + * type has its own access method. The trivial ones are implemented by + * macros. The other ones are wrappers around the transport-specific host + * name, address, and client user lookup methods. The request_info and + * host_info structures serve as caches for the lookup results. + */ + +extern char *eval_user /* client user */ + (struct request_info *); +extern char *eval_hostname /* printable hostname */ + (struct host_info *); +extern char *eval_hostaddr /* printable host address */ + (struct host_info *); +extern char *eval_hostinfo /* host name or address */ + (struct host_info *); +extern char *eval_client /* whatever is available */ + (struct request_info *); +extern char *eval_server /* whatever is available */ + (struct request_info *); +#define eval_daemon(r) ((r)->daemon) /* daemon process name */ +#define eval_pid(r) ((r)->pid) /* process id */ + +/* Socket-specific methods, including DNS hostname lookups. */ + +extern void sock_host /* look up endpoint addresses */ + (struct request_info *); +extern void sock_hostname /* translate address to hostname */ + (struct host_info *); +extern void sock_hostaddr /* address to printable address */ + (struct host_info *); +#define sock_methods(r) \ + { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } + +/* The System V Transport-Level Interface (TLI) interface. */ + +#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) +extern void tli_host /* look up endpoint addresses etc. */ + (struct request_info *); +#endif + + /* + * Problem reporting interface. Additional file/line context is reported + * when available. The jump buffer (tcpd_buf) is not declared here, or + * everyone would have to include . + */ + +/* Report problem and proceed */ +void tcpd_warn(const char *, ...) __printflike(1, 2); + +/* Report problem and jump */ +void tcpd_jump(const char *, ...) __dead __printflike(1, 2); +__END_DECLS + +struct tcpd_context { + const char *file; /* current file */ + int line; /* current line */ +}; +__BEGIN_DECLS +extern struct tcpd_context tcpd_context; +__END_DECLS + + /* + * While processing access control rules, error conditions are handled by + * jumping back into the hosts_access() routine. This is cleaner than + * checking the return value of each and every silly little function. The + * (-1) returns are here because zero is already taken by longjmp(). + */ + +#define AC_PERMIT 1 /* permit access */ +#define AC_DENY (-1) /* deny_access */ +#define AC_ERROR AC_DENY /* XXX */ + + /* + * In verification mode an option function should just say what it would do, + * instead of really doing it. An option function that would not return + * should clear the dry_run flag to inform the caller of this unusual + * behavior. + */ + +__BEGIN_DECLS +extern void process_options /* execute options */ + (char *, struct request_info *); +extern int dry_run; /* verification flag */ +extern void fix_options /* get rid of IP-level socket options */ + (struct request_info *); +__END_DECLS diff --git a/lib/libwrap/update.c b/lib/libwrap/update.c new file mode 100644 index 000000000..42d59fe42 --- /dev/null +++ b/lib/libwrap/update.c @@ -0,0 +1,128 @@ +/* $NetBSD: update.c,v 1.9 2012/03/21 10:10:37 matt Exp $ */ + + /* + * Routines for controlled update/initialization of request structures. + * + * request_init() initializes its argument. Pointers and string-valued members + * are initialized to zero, to indicate that no lookup has been attempted. + * + * request_set() adds information to an already initialized request structure. + * + * Both functions take a variable-length name-value list. + * + * Diagnostics are reported through syslog(3). + * + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + +#include +#ifndef lint +#if 0 +static char sccsid[] = "@(#) update.c 1.1 94/12/28 17:42:56"; +#else +__RCSID("$NetBSD: update.c,v 1.9 2012/03/21 10:10:37 matt Exp $"); +#endif +#endif + +/* System libraries */ + +#include +#include +#include +#include + +/* Local stuff. */ + +#include "mystdarg.h" +#include "tcpd.h" + +static struct request_info *request_fill(struct request_info *, va_list); + +/* request_fill - request update engine */ + +static struct request_info * +request_fill(struct request_info *request, va_list ap) +{ + int key; + char *ptr; + + while ((key = va_arg(ap, int)) > 0) { + switch (key) { + default: + tcpd_warn("request_fill: invalid key: %d", key); + return (request); + case RQ_FILE: + request->fd = va_arg(ap, int); + continue; + case RQ_CLIENT_SIN: + request->client->sin = va_arg(ap, struct sockaddr *); + continue; + case RQ_SERVER_SIN: + request->server->sin = va_arg(ap, struct sockaddr *); + continue; + + /* + * All other fields are strings with the same maximal length. + */ + + case RQ_DAEMON: + ptr = request->daemon; + break; + case RQ_USER: + ptr = request->user; + break; + case RQ_CLIENT_NAME: + ptr = request->client->name; + break; + case RQ_CLIENT_ADDR: + ptr = request->client->addr; + break; + case RQ_SERVER_NAME: + ptr = request->server->name; + break; + case RQ_SERVER_ADDR: + ptr = request->server->addr; + break; + } + strlcpy(ptr, va_arg(ap, char *), STRING_LENGTH); + } + return (request); +} + +/* request_init - initialize request structure */ + +struct request_info *VARARGS(request_init, struct request_info *, request) +{ + static struct request_info default_info; + struct request_info *r; + va_list ap; + + /* + * Initialize data members. We do not assign default function pointer + * members, to avoid pulling in the whole socket module when it is not + * really needed. + */ + VASTART(ap, struct request_info *, request); + *request = default_info; + request->fd = -1; + (void)strlcpy(request->daemon, unknown, sizeof(request->daemon)); + (void)snprintf(request->pid, sizeof(request->pid), "%d", getpid()); + request->client->request = request; + request->server->request = request; + r = request_fill(request, ap); + VAEND(ap); + return (r); +} + +/* request_set - update request structure */ + +struct request_info *VARARGS(request_set, struct request_info *, request) +{ + struct request_info *r; + va_list ap; + + VASTART(ap, struct request_info *, request); + r = request_fill(request, ap); + VAEND(ap); + return (r); +} -- 2.44.0