Context Navigation

source: branches/samba-3.5.x/source3/lib/access.c@ 832

Visit:

Last change on this file since 832 was 599, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.9
File size: 10.9 KB

Line
1	/*
2	This module is an adaption of code from the tcpd-1.4 package written
3	by Wietse Venema, Eindhoven University of Technology, The Netherlands.
4
5	The code is used here with permission.
6
7	The code has been considerably changed from the original. Bug reports
8	should be sent to samba@samba.org
9
10	Updated for IPv6 by Jeremy Allison (C) 2007.
11	*/
12
13	#include "includes.h"
14
15	#define NAME_INDEX 0
16	#define ADDR_INDEX 1
17
18	/* masked_match - match address against netnumber/netmask */
19	static bool masked_match(const char tok, const char slash, const char *s)
20	{
21	struct sockaddr_storage ss_mask;
22	struct sockaddr_storage ss_tok;
23	struct sockaddr_storage ss_host;
24	char *tok_copy = NULL;
25
26	if (!interpret_string_addr(&ss_host, s, 0)) {
27	return false;
28	}
29
30	if (*tok == '[') {
31	/* IPv6 address - remove braces. */
32	tok_copy = SMB_STRDUP(tok+1);
33	if (!tok_copy) {
34	return false;
35	}
36	/* Remove the terminating ']' */
37	tok_copy[PTR_DIFF(slash,tok)-1] = '\0';
38	} else {
39	tok_copy = SMB_STRDUP(tok);
40	if (!tok_copy) {
41	return false;
42	}
43	/* Remove the terminating '/' */
44	tok_copy[PTR_DIFF(slash,tok)] = '\0';
45	}
46
47	if (!interpret_string_addr(&ss_tok, tok_copy, 0)) {
48	SAFE_FREE(tok_copy);
49	return false;
50	}
51
52	SAFE_FREE(tok_copy);
53
54	if (strlen(slash + 1) > 2) {
55	if (!interpret_string_addr(&ss_mask, slash+1, 0)) {
56	return false;
57	}
58	} else {
59	char *endp = NULL;
60	unsigned long val = strtoul(slash+1, &endp, 0);
61	if (slash+1 == endp \|\| (endp && *endp != '\0')) {
62	return false;
63	}
64	if (!make_netmask(&ss_mask, &ss_tok, val)) {
65	return false;
66	}
67	}
68
69	return same_net((struct sockaddr )&ss_host, (struct sockaddr )&ss_tok, (struct sockaddr *)&ss_mask);
70	}
71
72	/* string_match - match string s against token tok */
73	static bool string_match(const char tok,const char s)
74	{
75	size_t tok_len;
76	size_t str_len;
77	const char *cut;
78
79	/* Return true if a token has the magic value "ALL". Return
80	* true if the token is "FAIL". If the token starts with a "."
81	* (domain name), return true if it matches the last fields of
82	* the string. If the token has the magic value "LOCAL",
83	* return true if the string does not contain a "."
84	* character. If the token ends on a "." (network number),
85	* return true if it matches the first fields of the
86	* string. If the token begins with a "@" (netgroup name),
87	* return true if the string is a (host) member of the
88	* netgroup. Return true if the token fully matches the
89	* string. If the token is a netnumber/netmask pair, return
90	* true if the address is a member of the specified subnet.
91	*/
92
93	if (tok[0] == '.') { /* domain: match last fields */
94	if ((str_len = strlen(s)) > (tok_len = strlen(tok))
95	&& strequal(tok, s + str_len - tok_len)) {
96	return true;
97	}
98	} else if (tok[0] == '@') { /* netgroup: look it up */
99	#ifdef HAVE_NETGROUP
100	DATA_BLOB tmp;
101	char *mydomain = NULL;
102	char *hostname = NULL;
103	bool netgroup_ok = false;
104
105	if (memcache_lookup(
106	NULL, SINGLETON_CACHE,
107	data_blob_string_const_null("yp_default_domain"),
108	&tmp)) {
109
110	SMB_ASSERT(tmp.length > 0);
111	mydomain = (tmp.data[0] == '\0')
112	? NULL : (char *)tmp.data;
113	}
114	else {
115	yp_get_default_domain(&mydomain);
116
117	memcache_add(
118	NULL, SINGLETON_CACHE,
119	data_blob_string_const_null("yp_default_domain"),
120	data_blob_string_const_null(mydomain?mydomain:""));
121	}
122
123	if (!mydomain) {
124	DEBUG(0,("Unable to get default yp domain. "
125	"Try without it.\n"));
126	}
127	if (!(hostname = SMB_STRDUP(s))) {
128	DEBUG(1,("out of memory for strdup!\n"));
129	return false;
130	}
131
132	netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
133
134	DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
135	hostname,
136	mydomain?mydomain:"(ANY)",
137	tok+1,
138	BOOLSTR(netgroup_ok)));
139
140	SAFE_FREE(hostname);
141
142	if (netgroup_ok)
143	return true;
144	#else
145	DEBUG(0,("access: netgroup support is not configured\n"));
146	return false;
147	#endif
148	} else if (strequal(tok, "ALL")) { /* all: match any */
149	return true;
150	} else if (strequal(tok, "FAIL")) { /* fail: match any */
151	return true;
152	} else if (strequal(tok, "LOCAL")) { /* local: no dots */
153	if (strchr_m(s, '.') == 0 && !strequal(s, "unknown")) {
154	return true;
155	}
156	} else if (strequal(tok, s)) { /* match host name or address */
157	return true;
158	} else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */
159	if (strncmp(tok, s, tok_len) == 0) {
160	return true;
161	}
162	} else if ((cut = strchr_m(tok, '/')) != 0) { /* netnumber/netmask */
163	if ((isdigit(s[0]) && strchr_m(tok, '.') != NULL) \|\|
164	(tok[0] == '[' && cut > tok && cut[-1] == ']') \|\|
165	((isxdigit(s[0]) \|\| s[0] == ':') &&
166	strchr_m(tok, ':') != NULL)) {
167	/* IPv4/netmask or
168	* [IPv6:addr]/netmask or IPv6:addr/netmask */
169	return masked_match(tok, cut, s);
170	}
171	} else if (strchr_m(tok, '*') != 0 \|\| strchr_m(tok, '?')) {
172	return unix_wild_match(tok, s);
173	}
174	return false;
175	}
176
177	/* client_match - match host name and address against token */
178	bool client_match(const char tok, const void item)
179	{
180	const char client = (const char )item;
181	const char *tok_addr = tok;
182	const char *cli_addr = client[ADDR_INDEX];
183
184	/*
185	* tok and client[ADDR_INDEX] can be an IPv4 mapped to IPv6,
186	* we try and match the IPv4 part of address only.
187	* Bug #5311 and #7383.
188	*/
189
190	if (strnequal(tok_addr, "::ffff:",7)) {
191	tok_addr += 7;
192	}
193
194	if (strnequal(cli_addr,"::ffff:",7)) {
195	cli_addr += 7;
196	}
197
198	/*
199	* Try to match the address first. If that fails, try to match the host
200	* name if available.
201	*/
202
203	if (string_match(tok_addr, cli_addr)) {
204	return true;
205	}
206
207	if (client[NAME_INDEX][0] != 0) {
208	if (string_match(tok, client[NAME_INDEX])) {
209	return true;
210	}
211	}
212
213	return false;
214	}
215
216	/* list_match - match an item against a list of tokens with exceptions */
217	bool list_match(const char *list,const void item,
218	bool (match_fn)(const char , const void *))
219	{
220	bool match = false;
221
222	if (!list) {
223	return false;
224	}
225
226	/*
227	* Process tokens one at a time. We have exhausted all possible matches
228	* when we reach an "EXCEPT" token or the end of the list. If we do find
229	* a match, look for an "EXCEPT" list and recurse to determine whether
230	* the match is affected by any exceptions.
231	*/
232
233	for (; *list ; list++) {
234	if (strequal(*list, "EXCEPT")) {
235	/* EXCEPT: give up */
236	break;
237	}
238	if ((match = (match_fn) (list, item))) {
239	/* true or FAIL */
240	break;
241	}
242	}
243	/* Process exceptions to true or FAIL matches. */
244
245	if (match != false) {
246	while (list && !strequal(list, "EXCEPT")) {
247	list++;
248	}
249
250	for (; *list; list++) {
251	if ((match_fn) (list, item)) {
252	/* Exception Found */
253	return false;
254	}
255	}
256	}
257
258	return match;
259	}
260
261	/* return true if access should be allowed */
262	static bool allow_access_internal(const char **deny_list,
263	const char **allow_list,
264	const char *cname,
265	const char *caddr)
266	{
267	const char *client[2];
268
269	client[NAME_INDEX] = cname;
270	client[ADDR_INDEX] = caddr;
271
272	/* if it is loopback then always allow unless specifically denied */
273	if (strcmp(caddr, "127.0.0.1") == 0 \|\| strcmp(caddr, "::1") == 0) {
274	/*
275	* If 127.0.0.1 matches both allow and deny then allow.
276	* Patch from Steve Langasek vorlon@netexpress.net.
277	*/
278	if (deny_list &&
279	list_match(deny_list,client,client_match) &&
280	(!allow_list \|\|
281	!list_match(allow_list,client, client_match))) {
282	return false;
283	}
284	return true;
285	}
286
287	/* if theres no deny list and no allow list then allow access */
288	if ((!deny_list \|\| *deny_list == 0) &&
289	(!allow_list \|\| *allow_list == 0)) {
290	return true;
291	}
292
293	/* if there is an allow list but no deny list then allow only hosts
294	on the allow list */
295	if (!deny_list \|\| *deny_list == 0) {
296	return(list_match(allow_list,client,client_match));
297	}
298
299	/* if theres a deny list but no allow list then allow
300	all hosts not on the deny list */
301	if (!allow_list \|\| *allow_list == 0) {
302	return(!list_match(deny_list,client,client_match));
303	}
304
305	/* if there are both types of list then allow all hosts on the
306	allow list */
307	if (list_match(allow_list,(const char *)client,client_match)) {
308	return true;
309	}
310
311	/* if there are both types of list and it's not on the allow then
312	allow it if its not on the deny */
313	if (list_match(deny_list,(const char *)client,client_match)) {
314	return false;
315	}
316
317	return true;
318	}
319
320	/* return true if access should be allowed */
321	bool allow_access(const char **deny_list,
322	const char **allow_list,
323	const char *cname,
324	const char *caddr)
325	{
326	bool ret;
327	char *nc_cname = smb_xstrdup(cname);
328	char *nc_caddr = smb_xstrdup(caddr);
329
330	ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
331
332	SAFE_FREE(nc_cname);
333	SAFE_FREE(nc_caddr);
334	return ret;
335	}
336
337	/* return true if the char* contains ip addrs only. Used to avoid
338	name lookup calls */
339
340	static bool only_ipaddrs_in_list(const char **list)
341	{
342	bool only_ip = true;
343
344	if (!list) {
345	return true;
346	}
347
348	for (; *list ; list++) {
349	/* factor out the special strings */
350	if (strequal(list, "ALL") \|\| strequal(list, "FAIL") \|\|
351	strequal(*list, "EXCEPT")) {
352	continue;
353	}
354
355	if (!is_ipaddress(*list)) {
356	/*
357	* If we failed, make sure that it was not because
358	* the token was a network/netmask pair. Only
359	* network/netmask pairs have a '/' in them.
360	*/
361	if ((strchr_m(*list, '/')) == NULL) {
362	only_ip = false;
363	DEBUG(3,("only_ipaddrs_in_list: list has "
364	"non-ip address (%s)\n",
365	*list));
366	break;
367	}
368	}
369	}
370
371	return only_ip;
372	}
373
374	/* return true if access should be allowed to a service for a socket */
375	bool check_access(int sock, const char allow_list, const char deny_list)
376	{
377	bool ret = false;
378	bool only_ip = false;
379
380	if ((!deny_list \|\| deny_list==0) && (!allow_list \|\| allow_list==0))
381	ret = true;
382
383	if (!ret) {
384	char addr[INET6_ADDRSTRLEN];
385
386	/* Bypass name resolution calls if the lists
387	* only contain IP addrs */
388	if (only_ipaddrs_in_list(allow_list) &&
389	only_ipaddrs_in_list(deny_list)) {
390	only_ip = true;
391	DEBUG (3, ("check_access: no hostnames "
392	"in host allow/deny list.\n"));
393	ret = allow_access(deny_list,
394	allow_list,
395	"",
396	get_peer_addr(sock,addr,sizeof(addr)));
397	} else {
398	DEBUG (3, ("check_access: hostnames in "
399	"host allow/deny list.\n"));
400	ret = allow_access(deny_list,
401	allow_list,
402	get_peer_name(sock,true),
403	get_peer_addr(sock,addr,sizeof(addr)));
404	}
405
406	if (ret) {
407	DEBUG(2,("Allowed connection from %s (%s)\n",
408	only_ip ? "" : get_peer_name(sock,true),
409	get_peer_addr(sock,addr,sizeof(addr))));
410	} else {
411	DEBUG(0,("Denied connection from %s (%s)\n",
412	only_ip ? "" : get_peer_name(sock,true),
413	get_peer_addr(sock,addr,sizeof(addr))));
414	}
415	}
416
417	return(ret);
418	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: