From 625c4d3660c09808a926e44bfe859f049449be7c Mon Sep 17 00:00:00 2001 From: Jeffrey Hutzelman Date: Tue, 13 Jun 2000 17:44:19 -0400 Subject: Add IP-address and negative ACL entries This allows ACLs to grant access based on the IP address of a client instead of its principal name. This is done using ACL entries with the syntax "@a.b.c.d". Currently, only IPv4 addresses are supported. A single entry may match all hosts on a particular subnet by using CIDR notation, written as @a.b.c.d/nn. If no length is given, 32 is assumed. Host and principal entries can be freely mixed within the same ACL; the ACL matches if any entry matches the client. Note that this means that ACLs can now match unauthenticated clients (however, this does not lift the general constraint that only authenticated clients can subscribe at all). Additionally, support for negative ACL entries is added. These entries are indicated by a leading '!', which may be applied to both principal and host entries. Negative entries are applied in the style of AFS ACLs; that is, a matching negative entry overrides any positive entry and thus guarantees that matching clients will be denied access. (edited slightly for style by kcr@1TS.ORG) --- server/access.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'server/access.c') diff --git a/server/access.c b/server/access.c index 8aa2060..918d6e2 100644 --- a/server/access.c +++ b/server/access.c @@ -22,8 +22,9 @@ static const char rcsid_access_c[] = * * External routines: * - * int access_check(notice, acl, accesstype) + * int access_check(notice, who, acl, accesstype) * ZNotice_t *notice; + * struct sockaddr_in *who; * Acl *acl; * Access accesstype; * @@ -58,6 +59,7 @@ static void access_setup(int first); int access_check(char *sender, + struct sockaddr_in *who, Acl *acl, Access accesstype) { @@ -96,10 +98,11 @@ access_check(char *sender, */ retval = acl_load(buf); if (retval < 0) { - syslog(LOG_DEBUG, "Error in acl_load of %s for %s", buf, sender); + syslog(LOG_DEBUG, "Error in acl_load of %s for %s", + buf, sender ? sender : "unauth client"); return 0; } - return acl_check(buf, sender); + return acl_check(buf, sender, who); } static void -- cgit v1.2.3