diff options
| author |  Jeffrey Hutzelman <jhutz@cmu.edu> | 2000-06-13 17:44:19 -0400 |
|---|---|---|
| committer |  Karl Ramm <kcr@1ts.org> | 2013-01-19 15:38:24 -0500 |
| commit | 625c4d3660c09808a926e44bfe859f049449be7c (patch) | |
| tree | 5c3e37dd2c440adb949c184bdcb5fe5b1b883eef /server/subscr.c | |
| parent | 5465266334ece0ed4137053eef3a7c06453df71e (diff) | |
Add IP-address and negative ACL entries
This allows ACLs to grant access based on the IP address of a client
instead of its principal name. This is done using ACL entries with the
syntax "@a.b.c.d". Currently, only IPv4 addresses are supported. A single
entry may match all hosts on a particular subnet by using CIDR notation,
written as @a.b.c.d/nn. If no length is given, 32 is assumed.
Host and principal entries can be freely mixed within the same ACL; the ACL
matches if any entry matches the client. Note that this means that ACLs can
now match unauthenticated clients (however, this does not lift the general
constraint that only authenticated clients can subscribe at all).
Additionally, support for negative ACL entries is added. These entries are
indicated by a leading '!', which may be applied to both principal and host
entries. Negative entries are applied in the style of AFS ACLs; that is,
a matching negative entry overrides any positive entry and thus guarantees
that matching clients will be denied access.
(edited slightly for style by kcr@1TS.ORG)
Diffstat (limited to 'server/subscr.c')
| -rw-r--r-- | server/subscr.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/server/subscr.c b/server/subscr.c index 8a06813..d276958 100644 --- a/server/subscr.c +++ b/server/subscr.c @@ -142,14 +142,14 @@ add_subscriptions(Client *who, } acl = class_get_acl(subs->dest.classname); if (acl && !realm) { - if (!access_check(sender->string, acl, SUBSCRIBE)) { + if (!access_check(sender->string, &who->addr, acl, SUBSCRIBE)) { syslog(LOG_WARNING, "subscr unauth %s class %s", sender->string, subs->dest.classname->string); free_subscription(subs); /* free this one - denied */ continue; /* the for loop */ } if (wildcard_instance == subs->dest.inst) { - if (!access_check(sender->string, acl, INSTWILD)) { + if (!access_check(sender->string, &who->addr, acl, INSTWILD)) { syslog(LOG_WARNING, "subscr unauth %s class %s wild inst", sender->string, subs->dest.classname->string); @@ -1156,13 +1156,13 @@ subscr_check_foreign_subs(ZNotice_t *notice, return ZSRV_CLASSRESTRICTED; } } - if (!access_check(sender->string, acl, SUBSCRIBE)) { + if (!access_check(sender->string, who, acl, SUBSCRIBE)) { syslog(LOG_WARNING, "subscr unauth %s class %s", sender->string, subs->dest.classname->string); continue; /* the for loop */ } if (wildcard_instance == subs->dest.inst) { - if (!access_check(sender->string, acl, INSTWILD)) { + if (!access_check(sender->string, who, acl, INSTWILD)) { syslog(LOG_WARNING, "subscr unauth %s class %s wild inst", sender->string, subs->dest.classname->string); |