From 625c4d3660c09808a926e44bfe859f049449be7c Mon Sep 17 00:00:00 2001
From: Jeffrey Hutzelman
Date: Tue, 13 Jun 2000 17:44:19 -0400
Subject: Add IP-address and negative ACL entries

This allows ACLs to grant access based on the IP address of a client instead of its principal name. This is done using ACL entries with the syntax "@a.b.c.d". Currently, only IPv4 addresses are supported. A single entry may match all hosts on a particular subnet by using CIDR notation, written as @a.b.c.d/nn. If no length is given, 32 is assumed.

Host and principal entries can be freely mixed within the same ACL; the ACL matches if any entry matches the client. Note that this means that ACLs can now match unauthenticated clients (however, this does not lift the general constraint that only authenticated clients can subscribe at all).

Additionally, support for negative ACL entries is added. These entries are indicated by a leading '!', which may be applied to both principal and host entries. Negative entries are applied in the style of AFS ACLs; that is, a matching negative entry overrides any positive entry and thus guarantees that matching clients will be denied access.

(edited slightly for style by kcr@1TS.ORG)
---
 server/subscr.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'server/subscr.c')

diff --git a/server/subscr.c b/server/subscr.c
index 8a06813..d276958 100644
--- a/server/subscr.c
+++ b/server/subscr.c
@@ -142,14 +142,14 @@ add_subscriptions(Client *who,
 }
 acl = class_get_acl(subs->dest.classname);
 if (acl && !realm) {
-if (!access_check(sender->string, acl, SUBSCRIBE)) {
+if (!access_check(sender->string, &who->addr, acl, SUBSCRIBE)) {
 syslog(LOG_WARNING, "subscr unauth %s class %s",
 sender->string, subs->dest.classname->string);
 free_subscription(subs); /* free this one - denied */
 continue; /* the for loop */
 }
 if (wildcard_instance == subs->dest.inst) {
-if (!access_check(sender->string, acl, INSTWILD)) {
+if (!access_check(sender->string, &who->addr, acl, INSTWILD)) {
 syslog(LOG_WARNING,
 "subscr unauth %s class %s wild inst",
 sender->string, subs->dest.classname->string);
@@ -1156,13 +1156,13 @@ subscr_check_foreign_subs(ZNotice_t *notice,
 return ZSRV_CLASSRESTRICTED;
 }
 }
-if (!access_check(sender->string, acl, SUBSCRIBE)) {
+if (!access_check(sender->string, who, acl, SUBSCRIBE)) {
 syslog(LOG_WARNING, "subscr unauth %s class %s",
 sender->string, subs->dest.classname->string);
 continue; /* the for loop */
 }
 if (wildcard_instance == subs->dest.inst) {
-if (!access_check(sender->string, who, acl, INSTWILD)) {
+if (!access_check(sender->string, who, acl, INSTWILD)) {
 syslog(LOG_WARNING,
 "subscr unauth %s class %s wild inst",
 sender->string, subs->dest.classname->string);
-- 
cgit v1.2.3
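Review bot: The two new access_check calls in add_subscriptions now mix an authenticated identity (sender->string) with a network address (&who->addr) whose trustworthiness is very different, and nothing at the call site records that. The commit message says ACLs can now match unauthenticated clients, but a reader of this code sees only the extra argument. I would add a comment above the first call, such as `/* who->addr is the packet source address, not an authenticated identity; host ("@a.b.c.d") ACL entries therefore grant or deny on network origin only */`, and the same applies to the INSTWILD call later in the hunk. The denial syslog still logs only sender->string; logging the address too would make host-entry denials traceable when the principal is absent or shared. add_subscriptions begins and ends outside this hunk.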
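Review bot: In subscr_check_foreign_subs the address handed to access_check is the function's own `who` parameter rather than the subscribing client's address, and from this hunk it is not clear which host `who` identifies. If, for a foreign-realm subscription, `who` is the address of the peer server that relayed the request (the function name and the ZNotice_t parameter suggest this, but the caller is not visible), then a host ACL entry would be evaluated against the relaying server rather than the end client, and a "@a.b.c.d" entry covering that server would admit every subscriber it forwards. Either pass the original client's address if it is available to this function, or document the choice in a comment at the first call, e.g. `/* NOTE: host ACL entries are matched against the relaying server's address here, not the original subscriber's */`. The same question applies to the INSTWILD call in this hunk; the function starts and ends outside it.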