src/misc-progs/setxtaccess.c

   1 /* SmoothWall helper program - setxtaccess
   2  *
   3  * This program is distributed under the terms of the GNU General Public
   4  * Licence.  See the file COPYING for details.
   5  *
   6  * (c) Daniel Goscomb, 2001
   7  *
   8  * Modifications and improvements by Lawrence Manning.
   9  *
  10  * 10/04/01 Aslak added protocol support
  11  *
  12  * (c) Steve Bootes 2002/04/14 - Added source IP support for aliases
  13  *
  14  * 19/04/03 Robert Kerr Fixed root exploit
  15  *
  16  * $Id: setxtaccess.c,v 1.3.2.1 2005/01/04 17:21:40 eoberlander Exp $
  17  *
  18  */
  19
  20 #include <stdio.h>
  21 #include <stdlib.h>
  22 #include <string.h>
  23 #include "setuid.h"
  24
  25 FILE *ifacefile = NULL;
  26 FILE *fwdfile = NULL;
  27 FILE *ipfile = NULL;
  28
  29 void exithandler(void)
  30 {
  31         if (fwdfile)
  32                 fclose(fwdfile);
  33 }
  34
  35 int main(void)
  36 {
  37         char iface[STRING_SIZE] = "";
  38         char locip[STRING_SIZE] = "";
  39         char s[STRING_SIZE] = "";
  40         int count;
  41         char *protocol;
  42         char *destip;
  43         char *remip;
  44         char *locport;
  45         char *enabled;
  46         char *information;
  47         char *result;
  48         char command[STRING_SIZE];
  49
  50         if (!(initsetuid()))
  51                 exit(1);
  52
  53         atexit(exithandler);
  54
  55         if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
  56         {
  57                 fprintf(stderr, "Couldn't open local ip file\n");
  58                 exit(1);
  59         }
  60         if (fgets(locip, STRING_SIZE, ipfile))
  61         {
  62                 if (locip[strlen(locip) - 1] == '\n')
  63                         locip[strlen(locip) - 1] = '\0';
  64         }
  65         fclose (ipfile);
  66         if (!VALID_IP(locip))
  67         {
  68                 fprintf(stderr, "Bad local IP: %s\n", locip);
  69                 exit(1);
  70         }
  71
  72         if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
  73         {
  74                 fprintf(stderr, "Couldn't open iface file\n");
  75                 exit(1);
  76         }
  77         if (fgets(iface, STRING_SIZE, ifacefile))
  78         {
  79                 if (iface[strlen(iface) - 1] == '\n')
  80                         iface[strlen(iface) - 1] = '\0';
  81         }
  82                 fclose (ifacefile);
  83         if (!VALID_DEVICE(iface))
  84         {
  85                 fprintf(stderr, "Bad iface: %s\n", iface);
  86                 exit(1);
  87         }
  88
  89         if (!(fwdfile = fopen(CONFIG_ROOT "/xtaccess/config", "r")))
  90         {
  91                 fprintf(stderr, "Couldn't open xtaccess settings file\n");
  92                 exit(1);
  93         }
  94
  95         safe_system("/sbin/iptables -F XTACCESS");
  96
  97         while (fgets(s, STRING_SIZE, fwdfile) != NULL)
  98         {
  99                 if (s[strlen(s) - 1] == '\n')
 100                         s[strlen(s) - 1] = '\0';
 101                 count = 0;
 102                 protocol = NULL;
 103                 remip = NULL;
 104                 destip = NULL;
 105                 locport = NULL;
 106                 enabled = NULL;
 107                 information = NULL;
 108                 result = strtok(s, ",");
 109                 while (result)
 110                 {
 111                         if (count == 0)
 112                                 protocol = result;
 113                         else if (count == 1)
 114                                 remip = result;
 115                         else if (count == 2)
 116                                 locport = result;
 117                         else if (count == 3)
 118                                 enabled = result;
 119                         else if (count == 4)
 120                                 destip = result;
 121                         else
 122                                 information = result;
 123                         count++;
 124                         result = strtok(NULL, ",");
 125                 }
 126
 127                 if (!(protocol && remip && locport && enabled))
 128                         break;
 129
 130                 if (!VALID_PROTOCOL(protocol))
 131                 {
 132                         fprintf(stderr, "Bad protocol: %s\n", protocol);
 133                         exit(1);
 134                 }
 135                 if (!VALID_IP_AND_MASK(remip))
 136                 {
 137                         fprintf(stderr, "Bad remote IP: %s\n", remip);
 138                         exit(1);
 139                 }
 140                 if (!VALID_PORT_RANGE(locport))
 141                 {
 142                         fprintf(stderr, "Bad local port: %s\n", locport);
 143                         exit(1);
 144                 }
 145
 146                 /* check for destination ip in config file. If it's there
 147                  * and it's not 0.0.0.0, use it; else use the current
 148                  * local ip address. (This makes sure we can use old-style
 149                  * config files without the destination ip) */
 150                 if (!destip || !strcmp(destip, "0.0.0.0"))
 151                         destip = locip;
 152                 if (!VALID_IP(destip))
 153                 {
 154                         fprintf(stderr, "Bad destination IP: %s\n", remip);
 155                         exit(1);
 156                 }
 157
 158                 if (strcmp(enabled, "on") == 0)
 159                 {
 160                         memset(command, 0, STRING_SIZE);
 161                         snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A XTACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT",
 162         iface, protocol, remip, destip, locport);
 163                         safe_system(command);
 164                 }
 165         }
 166
 167         return 0;
 168 }