From 2f130496008394de7436fc3bb17bf37e0d72c4ba Mon Sep 17 00:00:00 2001
From: Wayne Davison
Date: Sun, 12 Jul 2020 19:15:50 -0700
Subject: [PATCH] Add "@netgroup" names to host matching.
---
 NEWS.md | 3 +++
 access.c | 5 +++++
 configure.ac | 2 +-
 rsyncd.conf.5.md | 16 +++++++++-------
 4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/NEWS.md b/NEWS.md
index 30a74128..a545af1f 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -25,6 +25,9 @@
 `--time-limit=MINS` option accepted as an alias for `--stop-after`). This is
 an enhanced version of the time-limit patch from the patches repo.
 
+ - Added the ability to specify "@netgroup" names to the `hosts allow` and
+ `hosts deny` daemon parameters.
+
 - Added some compatibility code for HPE NonStop platforms.
 
 ### INTERNAL:
diff --git a/access.c b/access.c
index d7bf01cc..39a7752a 100644
--- a/access.c
+++ b/access.c
@@ -34,6 +34,11 @@ static int match_hostname(const char **host_ptr, const char *addr, const char *t
 if (!host || !*host)
 return 0;
 
+#ifdef HAVE_INNETGR
+ if (*tok == '@' && tok[1])
+ return innetgr(tok + 1, host, NULL, NULL);
+#endif
+
 /* First check if the reverse-DNS-determined hostname matches. */
 if (iwildmatch(tok, host))
 return 1;
diff --git a/configure.ac b/configure.ac
index fac166c8..d9636962 100644
--- a/configure.ac
+++ b/configure.ac
@@ -822,7 +822,7 @@ AC_FUNC_UTIME_NULL
 AC_FUNC_ALLOCA
 AC_CHECK_FUNCS(waitpid wait4 getcwd chown chmod lchmod mknod mkfifo \
 fchmod fstat ftruncate strchr readlink link utime utimes lutimes strftime \
- chflags getattrlist mktime \
+ chflags getattrlist mktime innetgr \
 memmove lchown vsnprintf snprintf vasprintf asprintf setsid strpbrk \
 strlcat strlcpy strtol mallinfo getgroups setgroups geteuid getegid \
 setlocale setmode open64 lseek64 mkstemp64 mtrace va_copy __va_copy \
diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md
index 11f77cb0..8b696b40 100644
--- a/rsyncd.conf.5.md
+++ b/rsyncd.conf.5.md
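Review bot: The new netgroup branch in the access.c hunk decides admission from `host` alone — the comment directly below it identifies that as the reverse-DNS-determined name — and `return`s before the forward-lookup confirmation that the rsyncd.conf.5.md hunk at line 705 says plain hostname patterns receive by default, so a client that controls the PTR record for its own address can claim a netgroup member's name and be admitted; the forward-lookup code appears to live later in match_hostname, outside this hunk, so this is inferred from the documentation rather than seen. Rather than `return innetgr(tok + 1, host, NULL, NULL);`, a netgroup hit should be treated like `iwildmatch(tok, host)` succeeding and go through the same forward-lookup verification, or failing that the rsyncd.conf text should say explicitly that `@netgroup` trusts unverified reverse DNS. Separately, when HAVE_INNETGR is not defined an `@name` token silently falls through to `iwildmatch()`, which is very unlikely to match any real hostname, so `hosts deny = @group` becomes a no-op and the deny list fails open on such builds; the pattern should be rejected or logged when the config is loaded rather than ignored, or at minimum an `#else` branch should warn, e.g. `#else` / `if (*tok == '@' && tok[1]) { /* TODO: log that netgroup patterns are unsupported in this build */ return 0; }`. match_hostname begins before this hunk and continues after it.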
@@ -685,7 +685,7 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details.
 client's hostname and IP address. If none of the patterns match, then the
 connection is rejected.
 
- Each pattern can be in one of five forms:
+ Each pattern can be in one of six forms:
 
 - a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address of
 the form a:b:c::d:e:f. In this case the incoming machine's IP address
@@ -705,6 +705,8 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details.
 connecting IP (if "reverse lookup" is enabled), and/or the IP of the given
 hostname is matched against the connecting IP (if "forward lookup" is
 enabled, as it is by default). Any match will be allowed in.
+ - an '@' followed by a netgroup name, which will match if the reverse DNS
+ of the connecting IP is in the specified netgroup.
 
 Note IPv6 link-local addresses can have a scope in the address specification:
@@ -713,12 +715,12 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details. > fe80::%link1/64 > fe80::%link1/ffff:ffff:ffff:ffff:: - You can also combine "hosts allow" with a separate "hosts deny" parameter. - If both parameters are specified then the "hosts allow" parameter is - checked first and a match results in the client being able to connect. The - "hosts deny" parameter is then checked and a match means that the host is - rejected. If the host does not match either the "hosts allow" or the - "hosts deny" patterns then it is allowed to connect. + You can also combine "hosts allow" with "hosts deny" as a way to add + exceptions to your deny list. When both parameters are specified, the + "hosts allow" parameter is checked first and a match results in the client + being able to connect. A non-allowed host is then matched against the + "hosts deny" list to see if it should be rejected. A host that does not + match either list is allowed to connect. The default is no "hosts allow" parameter, which means all hosts can connect. -- 2.47.2