HOSTS_ACCESS(3)
NAME
hosts_access, hosts_ctl, request_init, request_set -
access control library
SYNOPSIS
#include "tcpd.h"
extern int allow_severity;
extern int deny_severity;
struct request_info *request_init(request, key, value, ..., 0)
struct request_info *request;
struct request_info *request_set(request, key, value, ..., 0)
struct request_info *request;
int hosts_access(request)
struct request_info *request;
int hosts_ctl(daemon, client_name, client_addr, client_user)
char *daemon;
char *client_name;
char *client_addr;
char *client_user;
DESCRIPTION
The routines described in this document are part of the
libwrap.a library. They implement a rule-based access con-
trol language with optional shell commands that are exe-
cuted when a rule fires.
request_init() initializes a structure with information
about a client request. request_set() updates an already
initialized request structure. Both functions take a vari-
able-length list of key-value pairs and return their first
argument. The argument lists are terminated with a zero
key value. All string-valued arguments are copied. The
expected keys (and corresponding value types) are:
RQ_FILE (int)
The file descriptor associated with the request.
RQ_CLIENT_NAME (char *)
The client host name.
RQ_CLIENT_ADDR (char *)
A printable representation of the client network
address.
RQ_CLIENT_SIN (struct sockaddr_in *)
An internal representation of the client network
address and port. The contents of the structure
are not copied.
RQ_SERVER_NAME (char *)
The hostname associated with the server endpoint
address.
RQ_SERVER_ADDR (char *)
A printable representation of the server endpoint
address.
RQ_SERVER_SIN (struct sockaddr_in *)
An internal representation of the server endpoint
address and port. The contents of the structure
are not copied.
RQ_DAEMON (char *)
The name of the daemon process running on the
server host.
RQ_USER (char *)
The name of the user on whose behalf the client
host makes the request.
hosts_access() consults the access control tables
described in the hosts_access(5) manual page. When inter-
nal endpoint information is available, host names and
client user names are looked up on demand, using the
request structure as a cache. hosts_access() returns zero
if access should be denied.
hosts_ctl() is a wrapper around the request_init() and
hosts_access() routines with a perhaps more convenient
interface (though it does not pass on enough information
to support automated client username lookups). The client
host address, client host name and username arguments
should contain valid data or STRING_UNKNOWN. hosts_ctl()
returns zero if access should be denied.
The allow_severity and deny_severity variables determine
how accepted and rejected requests may be logged. They
must be provided by the caller and may be modified by
rules in the access control tables.
DIAGNOSTICS
Problems are reported via the syslog daemon.
SEE ALSO
hosts_access(5) format of the access control tables.
hosts_options(5) optional extensions to the base lan-
guage.
FILES
/etc/hosts.allow, /etc/hosts.deny, access control tables.
BUGS
hosts_access() uses the strtok() library function. This
may interfere with other code that relies on strtok().
AUTHOR
Wietse Venema wietse@wzv.win.tue.nl
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands