| author | Jeffrey Hutzelman <jhutz@cmu.edu> | 2000-06-13 17:44:19 -0400 |
|---|---|---|
| committer | Karl Ramm <kcr@1ts.org> | 2013-01-19 15:38:24 -0500 |
| commit | 625c4d3660c09808a926e44bfe859f049449be7c (patch) | |
| tree | 5c3e37dd2c440adb949c184bdcb5fe5b1b883eef /server/access.c | |
| parent | 5465266334ece0ed4137053eef3a7c06453df71e (diff) | |
Add IP-address and negative ACL entries
This allows ACLs to grant access based on the IP address of a client
instead of its principal name. This is done using ACL entries with the
syntax "@a.b.c.d". Currently, only IPv4 addresses are supported. A single
entry may match all hosts on a particular subnet by using CIDR notation,
written as @a.b.c.d/nn. If no length is given, 32 is assumed.
Host and principal entries can be freely mixed within the same ACL; the ACL
matches if any entry matches the client. Note that this means that ACLs can
now match unauthenticated clients (however, this does not lift the general
constraint that only authenticated clients can subscribe at all).
Additionally, support for negative ACL entries is added. These entries are
indicated by a leading '!', which may be applied to both principal and host
entries. Negative entries are applied in the style of AFS ACLs; that is,
a matching negative entry overrides any positive entry and thus guarantees
that matching clients will be denied access.
(edited slightly for style by kcr@1TS.ORG)
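The matching rules the commit message describes (host entries `@a.b.c.d[/nn]` with a default length of 32, principal entries, a leading `!` for negative entries that override any positive match) as an added C illustration; this is not code from the commit or the project, and the function names `acl_allows` and `entry_matches` are assumptions:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Match one entry (leading '!' already stripped). Host entries look like
 * "@a.b.c.d" or "@a.b.c.d/nn" (nn defaults to 32); anything else is a
 * principal name, which never matches an unauthenticated (NULL) client. */
static int entry_matches(const char *entry, const char *principal, uint32_t ip)
{
    if (*entry == '@') {
        const char *slash = strchr(entry + 1, '/');
        int len = slash ? atoi(slash + 1) : 32;
        size_t n = slash ? (size_t)(slash - (entry + 1)) : strlen(entry + 1);
        char addr[INET_ADDRSTRLEN];
        struct in_addr a;
        uint32_t mask;
        if (n >= sizeof addr || len < 0 || len > 32) return 0;  /* malformed */
        memcpy(addr, entry + 1, n);
        addr[n] = '\0';
        if (inet_pton(AF_INET, addr, &a) != 1) return 0;
        mask = len ? 0xffffffffu << (32 - len) : 0;
        return (ntohl(a.s_addr) & mask) == (ip & mask);
    }
    return principal != NULL && strcmp(entry, principal) == 0;
}

/* Hypothetical checker: 1 = allowed, 0 = denied. principal may be NULL for an
 * unauthenticated client. Any matching negative entry denies, regardless of
 * positive matches (AFS-style); otherwise any positive match allows. */
int acl_allows(const char *const *acl, size_t count,
               const char *principal, const char *client_ip)
{
    struct in_addr a;
    uint32_t ip;
    size_t i;
    int allowed = 0;
    if (inet_pton(AF_INET, client_ip, &a) != 1) return 0;  /* IPv4 only */
    ip = ntohl(a.s_addr);
    for (i = 0; i < count; i++) {
        const char *e = acl[i];
        int negative = (*e == '!');
        if (negative) e++;
        if (!entry_matches(e, principal, ip)) continue;
        if (negative) return 0;   /* negative entry overrides everything */
        allowed = 1;
    }
    return allowed;
}
```

A malformed entry or an unparseable client address never matches, so the checker fails closed.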
Diffstat (limited to 'server/access.c')
-rw-r--r-- | server/access.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/server/access.c b/server/access.c index 8aa2060..918d6e2 100644 --- a/server/access.c +++ b/server/access.c @@ -22,8 +22,9 @@ static const char rcsid_access_c[] = * * External routines: * - * int access_check(notice, acl, accesstype) + * int access_check(notice, who, acl, accesstype) * ZNotice_t *notice; + * struct sockaddr_in *who; * Acl *acl; * Access accesstype; * @@ -58,6 +59,7 @@ static void access_setup(int first); int access_check(char *sender, + struct sockaddr_in *who, Acl *acl, Access accesstype) { @@ -96,10 +98,11 @@ access_check(char *sender, */ retval = acl_load(buf); if (retval < 0) { - syslog(LOG_DEBUG, "Error in acl_load of %s for %s", buf, sender); + syslog(LOG_DEBUG, "Error in acl_load of %s for %s", + buf, sender ? sender : "unauth client"); return 0; } - return acl_check(buf, sender); + return acl_check(buf, sender, who); } static void |
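Review bot: in the first hunk, the header comment still documents the first argument as `ZNotice_t *notice` while the definition in this same file takes `char *sender` (see the second hunk); since the comment block is being edited anyway to add `struct sockaddr_in *who;`, change the first line to `int access_check(sender, who, acl, accesstype)` with `char *sender;` so the documentation matches the code, and state there that `sender` may be NULL for an unauthenticated client, which the third hunk relies on.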
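Review bot: in the second hunk, `access_check()` gains a `struct sockaddr_in *who` parameter, but this diff is limited to server/access.c, so the prototype in the corresponding header and every caller must be updated in the same change or the tree will not build; also confirm that `<netinet/in.h>` is already included in this file, since `struct sockaddr_in` now appears in the definition itself rather than only in a comment.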
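Review bot: in the third hunk, `sender ? sender : "unauth client"` guards only the syslog call; the very next statement passes the possibly NULL `sender` straight into `acl_check(buf, sender, who)`, so `acl_check()` (not in this diff) must treat NULL as "no principal" and never hand it to strcmp() or similar. Separately, a failed `acl_load()` keeps returning 0, which is the right fail-closed default for an access check, but logging that failure at LOG_DEBUG makes a missing or unreadable ACL file easy to miss in production; consider LOG_WARNING or LOG_ERR for that message.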