97 lines
3.5 KiB
Groff
97 lines
3.5 KiB
Groff
.\" $NetBSD: hosts_access.3,v 1.7 2002/10/01 19:38:46 wiz Exp $
|
|
.\"
|
|
.TH HOSTS_ACCESS 3
|
|
.SH NAME
|
|
hosts_access, hosts_ctl, request_init, request_set \- access control library
|
|
.SH SYNOPSIS
|
|
.nf
|
|
#include "tcpd.h"
|
|
|
|
extern int allow_severity;
|
|
extern int deny_severity;
|
|
|
|
struct request_info *request_init(request, key, value, ..., 0)
|
|
struct request_info *request;
|
|
|
|
struct request_info *request_set(request, key, value, ..., 0)
|
|
struct request_info *request;
|
|
|
|
int hosts_access(request)
|
|
struct request_info *request;
|
|
|
|
int hosts_ctl(daemon, client_name, client_addr, client_user)
|
|
char *daemon;
|
|
char *client_name;
|
|
char *client_addr;
|
|
char *client_user;
|
|
.fi
|
|
.SH DESCRIPTION
|
|
The routines described in this document are part
|
|
of the \fIlibwrap.a\fR library.
|
|
They implement a rule-based access control language with
|
|
optional shell commands that are executed when a rule fires.
|
|
.PP
|
|
request_init() initializes a structure with
|
|
information about a client request.
|
|
request_set() updates an already initialized request structure.
|
|
Both functions take a variable-length list of key-value
|
|
pairs and return their first argument.
|
|
The argument lists are terminated with a zero key value.
|
|
All string-valued arguments are copied.
|
|
The expected keys (and corresponding value types) are:
|
|
.IP "RQ_FILE (int)"
|
|
The file descriptor associated with the request.
|
|
.IP "RQ_CLIENT_NAME (char *)"
|
|
The client host name.
|
|
.IP "RQ_CLIENT_ADDR (char *)"
|
|
A printable representation of the client network address.
|
|
.IP "RQ_CLIENT_SIN (struct sockaddr_in *)"
|
|
An internal representation of the client network address and port.
|
|
The contents of the structure are not copied.
|
|
.IP "RQ_SERVER_NAME (char *)"
|
|
The hostname associated with the server endpoint address.
|
|
.IP "RQ_SERVER_ADDR (char *)"
|
|
A printable representation of the server endpoint address.
|
|
.IP "RQ_SERVER_SIN (struct sockaddr_in *)"
|
|
An internal representation of the server endpoint address and port.
|
|
The contents of the structure are not copied.
|
|
.IP "RQ_DAEMON (char *)"
|
|
The name of the daemon process running on the server host.
|
|
.IP "RQ_USER (char *)"
|
|
The name of the user on whose behalf the client host makes the request.
|
|
.PP
|
|
hosts_access() consults the access control tables described in the
|
|
\fIhosts_access(5)\fR manual page.
|
|
When internal endpoint information is available, host names
|
|
and client user names are looked up on demand,
|
|
using the request structure as a cache.
|
|
hosts_access() returns zero if access should be denied.
|
|
.PP
|
|
hosts_ctl() is a wrapper around the request_init() and hosts_access()
|
|
routines with a perhaps more convenient interface (though it does not
|
|
pass on enough information to support automated client username lookups).
|
|
The client host address, client host name and username
|
|
arguments should contain valid data or STRING_UNKNOWN.
|
|
hosts_ctl() returns zero if access should be denied.
|
|
.PP
|
|
The \fIallow_severity\fR and \fIdeny_severity\fR variables determine
|
|
how accepted and rejected requests may be logged.
|
|
They must be provided by the caller and may be modified
|
|
by rules in the access control tables.
|
|
.SH DIAGNOSTICS
|
|
Problems are reported via the syslog daemon.
|
|
.SH SEE ALSO
|
|
hosts_access(5), format of the access control tables.
|
|
hosts_options(5), optional extensions to the base language.
|
|
.SH FILES
|
|
/etc/hosts.allow, /etc/hosts.deny, access control tables.
|
|
.SH AUTHOR
|
|
.na
|
|
.nf
|
|
Wietse Venema (wietse@wzv.win.tue.nl)
|
|
Department of Mathematics and Computing Science
|
|
Eindhoven University of Technology
|
|
Den Dolech 2, P.O. Box 513,
|
|
5600 MB Eindhoven, The Netherlands
|
|
\" @(#) hosts_access.3 1.8 96/02/11 17:01:26
|