.\" $OpenBSD: hosts_access.3,v 1.7 2001/09/06 15:04:34 mpech Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by Jason Downs for the .\" OpenBSD system. .\" 4. Neither the name(s) of the author(s) nor the name OpenBSD .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS .\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE .\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, .\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR .\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .Dd June 23, 1997 .Dt HOSTS_ACCESS 3 .Os .Sh NAME .Nm hosts_access , .Nm hosts_ctl , .Nm request_init , .Nm request_set .Nd tcp wrapper access control library .Sh SYNOPSIS .Fd #include .Vt extern int allow_severity; .Vt extern int deny_severity; .Ft struct request_info * .Fn request_init "struct request_info *request" "int key" value ... 0 .Ft struct request_info * .Fn request_set "struct request_info *request" "int key" value ... 0 .Ft int .Fn hosts_access "struct request_info *request" .Ft int .Fn hosts_ctl "char *daemon" "char *client_name" "char *client_addr" "char *client_user" .Sh DESCRIPTION The routines described in this document are part of the .Nm libwrap.a library. They implement a rule-based access control language with optional shell commands that are executed when a rule fires. .Pp .Fn request_init initializes a structure with information about a client request. .Fn request_set updates an already initialized request structure. Both functions take a variable-length list of key-value pairs and return their first argument. The argument lists are terminated with a zero key value. All string-valued arguments are copied. The expected keys (and corresponding value types) are: .Bl -tag -width XXXXXXXXXXXXXXXXXXXXXXXX .It "RQ_FILE (int)" The file descriptor associated with the request. .It "RQ_CLIENT_NAME (char *)" The client host name. .It "RQ_CLIENT_ADDR (char *)" A printable representation of the client network address. .It "RQ_CLIENT_SIN (struct sockaddr_in *)" An internal representation of the client network address and port. The contents of the structure are not copied. .It "RQ_SERVER_NAME (char *)" The hostname associated with the server endpoint address. .It "RQ_SERVER_ADDR (char *)" A printable representation of the server endpoint address. .It "RQ_SERVER_SIN (struct sockaddr_in *)" An internal representation of the server endpoint address and port. The contents of the structure are not copied. .It "RQ_DAEMON (char *)" The name of the daemon process running on the server host. .It "RQ_USER (char *)" The name of the user on whose behalf the client host makes the request. .El .Pp .Fn hosts_access consults the access control tables described in the .Xr hosts_access 5 manual page. When internal endpoint information is available, host names and client user names are looked up on demand, using the request structure as a cache. .Fn hosts_access returns zero if access should be denied. .Pp .Fn hosts_ctl is a wrapper around the .Fn request_init and .Fn hosts_access routines with a perhaps more convenient interface (though it does not pass on enough information to support automated client username lookups). The client host address, client host name and username arguments should contain valid data or STRING_UNKNOWN. .Fn hosts_ctl returns zero if access should be denied. .Pp The .Fa allow_severity and .Fa deny_severity variables determine how accepted and rejected requests may be logged. They must be provided by the caller and may be modified by rules in the access control tables. .Sh DIAGNOSTICS Problems are reported via the syslog daemon. .Sh SEE ALSO .Xr hosts_access 5 , .Xr hosts_options 5 .Sh FILES .Bl -tag -width /etc/hosts.allow -compact .It Pa /etc/hosts.allow Access control table (allow list) .It Pa /etc/hosts.deny Access control table (deny list) .El .Sh BUGS .Fn hosts_access uses the .Fn strtok library function. This may interfere with other code that relies on .Fn strtok . .Sh AUTHORS .Bd -unfilled -offset indent Wietse Venema (wietse@wzv.win.tue.nl) Department of Mathematics and Computing Science Eindhoven University of Technology Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands .Ed \" @(#) hosts_access.3 1.8 96/02/11 17:01:26