ProFTPD module mod_wrap2_file
This submodule provides the file-specific "driver" for storing
IP/DNS-based access control information in files.
Many programs will automatically add entries in the common
hosts.allow/hosts.deny files, and use of this module
will allow a proftpd daemon running in standalone
mode to adapt as these entries are added. The portsentry program
does this, for example: when illegal access is attempted, it will add hosts to
the /etc/hosts.deny file.
This mod_wrap2 submodule is contained in the
mod_wrap2_file.c file, and is not compiled by default. See the
mod_wrap2 installation
instructions.
Author
Please contact TJ Saunders <tj at castaglia.org> with any
questions, concerns, or suggestions regarding this module.
With file-based access tables (source-type "file"), the
data is stored in the familiar hosts.allow/hosts.deny
file format.
The mod_wrap2_file module supports the "file" string
for the source-type parameter of the
WrapUserTables,
WrapGroupTables,
and
WrapTables
configuration directives. If the "file" source-type
is used, then the source-info parameter must be the full path to
the file table.
Both file names are required. Also, the paths to both files must be the full
path, with two exceptions: if the path starts with ~/, the check
of that path will be delayed until a user requests a connection, at which time
the path will be resolved to that user's home directory; or if the path starts
with ~user/, where user is some system user. In this latter case,
mod_wrap2 will attempt to resolve and verify the given user's home
directory on start-up. The %U variable can also be used in the
paths; it will be resolved to the USER name sent by the client.
The format for the files used by mod_wrap2_file is described
in the hosts_access(5) man page.
Examples:
# Server-wide access files
WrapTables file:/etc/hosts.allow file:/etc/hosts.deny
# FTP server-specific access files
WrapTables file:/etc/ftpd.allow file:/etc/ftpd.deny
# Per-user access files, which are to be found in the user's home directory
WrapUserTables file:~/my.allow file:~/my.deny
# Per-user access files, which are not found in the user's home.
WrapUserTables file:/etc/ftpd/acls/%U.allow file:/etc/ftpd/acls/%U.deny
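The following Python snippet is an added example, not code from ProFTPD or mod_wrap2, showing how the "file:" source-type is split from the source-info path and how the three path forms described above (~/, ~user/ and %U) are resolved. The passwd-style HOME_DIRS table stands in for getpwnam(3) and is a constructed assumption; the rejection of a login name containing a path separator is this example's own input validation and is not a statement about what mod_wrap2 does.

```python
import os.path

# Constructed passwd-style table standing in for getpwnam(3) (assumption).
HOME_DIRS = {"alice": "/home/alice", "ftp": "/srv/ftp"}


def resolve_table_path(path, login_user=None):
    """Resolve a mod_wrap2 file-table path following the rules on this page.

    Returns the resolved absolute path, or None when the path uses "~/" or
    "%U" and no client login is known yet (that check is deferred until a
    user logs in). Raises ValueError for a relative path or an unknown
    "~user/" account, which mod_wrap2 verifies at start-up.
    Added illustration, not mod_wrap2's own code.
    """
    if path.startswith("~/"):
        if login_user is None:
            return None                       # resolved once the user logs in
        home = HOME_DIRS.get(login_user)
        if home is None:
            raise ValueError(f"no home directory for user {login_user!r}")
        return os.path.join(home, path[2:])
    if path.startswith("~"):
        # "~user/..." is resolved and verified when the server starts
        user, _, rest = path[1:].partition("/")
        if user not in HOME_DIRS:
            raise ValueError(f"unknown user in table path: {user!r}")
        return os.path.join(HOME_DIRS[user], rest)
    if "%U" in path:
        if login_user is None:
            return None                       # %U is the USER name sent by the client
        if "/" in login_user:
            # Example's own precaution: keep the substituted name a single path component.
            raise ValueError("login name must not contain a path separator")
        path = path.replace("%U", login_user)
    if not path.startswith("/"):
        raise ValueError(f"table path must be absolute: {path!r}")
    return path


def parse_wrap_tables(directive, login_user=None):
    """Parse a 'Wrap*Tables file:<allow> file:<deny>' line and resolve both tables.

    Returns (directive_name, allow_path, deny_path). Only the "file"
    source-type handled by mod_wrap2_file is accepted.
    """
    name, *sources = directive.split()
    if len(sources) != 2:
        raise ValueError("both file names (allow and deny) are required")
    resolved = []
    for source in sources:
        source_type, _, source_info = source.partition(":")
        if source_type != "file":
            raise ValueError(f"mod_wrap2_file only handles source-type 'file', got {source_type!r}")
        resolved.append(resolve_table_path(source_info, login_user))
    return name, resolved[0], resolved[1]


if __name__ == "__main__":
    # The four example directives from this page, before and after a login by "alice".
    for line in (
        "WrapTables file:/etc/hosts.allow file:/etc/hosts.deny",
        "WrapUserTables file:~/my.allow file:~/my.deny",
        "WrapUserTables file:/etc/ftpd/acls/%U.allow file:/etc/ftpd/acls/%U.deny",
    ):
        print(parse_wrap_tables(line), "->", parse_wrap_tables(line, "alice"))
```

Paths under ~/ and %U come back as None until a login name is supplied, which mirrors the deferred check the text describes; a ~user/ path for an account that does not exist fails immediately, as it would at server start-up.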
The following examples are taken from the hosts_access(5) man page:
Mostly Closed
In this case, access is denied by default. Only explicitly authorized hosts
are permitted access.
The default policy (no access) is implemented with a trivial deny file:
/etc/hosts.deny:
ALL: ALL
This denies all service to all hosts, unless they are permitted access by
entries in the allow file.
The explicitly authorized hosts are listed in the allow file. For example:
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
The first rule permits access from hosts in the local domain (no `.' in the
host name) and from members of the some_netgroup netgroup. The
second rule permits access from all hosts in the .foobar.edu domain
(notice the leading dot), with the exception of
terminalserver.foobar.edu.
Mostly Open
Here, access is granted by default; only explicitly specified hosts are
refused service.
The default policy (access granted) makes the allow file redundant so that it
can be omitted. The explicitly non-authorized hosts are listed in the deny
file. For example:
/etc/hosts.deny:
ALL: some.host.name, .some.domain
ALL EXCEPT in.fingerd: other.host.name, .other.domain
The first rule denies some hosts and domains all services; the second rule
still permits finger requests from other hosts and domains.
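To make the "Mostly Closed" and "Mostly Open" policies above concrete, here is an added Python evaluator for the hosts_access(5) rule forms used in those examples (ALL, LOCAL, @netgroup, leading-dot domain suffixes, exact host names and EXCEPT), applying the standard order: a match in the allow file grants access, otherwise a match in the deny file refuses it, otherwise access is granted. This is an illustration written for this page, not the tcp_wrappers or mod_wrap2 matcher, and it omits address, netmask and wildcard patterns. The netgroup membership table is constructed (real netgroups come from NIS), and the daemon name "proftpd" is an assumption.

```python
# Constructed netgroup table (assumption: stands in for NIS netgroup lookup).
NETGROUPS = {"some_netgroup": {"ng-host.example.org"}}

# The example tables quoted on this page, verbatim.
MOSTLY_CLOSED_DENY = "ALL: ALL\n"
MOSTLY_CLOSED_ALLOW = (
    "ALL: LOCAL @some_netgroup\n"
    "ALL: .foobar.edu EXCEPT terminalserver.foobar.edu\n"
)
MOSTLY_OPEN_ALLOW = ""          # allow file omitted
MOSTLY_OPEN_DENY = (
    "ALL: some.host.name, .some.domain\n"
    "ALL EXCEPT in.fingerd: other.host.name, .other.domain\n"
)


def split_tokens(text):
    """Pattern lists are separated by commas and/or whitespace."""
    return text.replace(",", " ").split()


def match_token(token, name):
    """True if one pattern token matches a daemon or client host name."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in name              # host name without a dot
    if token.startswith("@"):
        return name in NETGROUPS.get(token[1:], set())
    if token.startswith("."):
        return name.endswith(token)         # any host in that domain
    return token == name


def match_list(pattern, name):
    """Match a pattern list; 'a EXCEPT b' means matches a but not b (right-nested)."""
    included, sep, excluded = pattern.partition("EXCEPT")
    if not sep:
        return any(match_token(t, name) for t in split_tokens(included))
    return match_list(included, name) and not match_list(excluded, name)


def parse_rules(text):
    """Parse 'daemon_list : client_list [: ...]' lines into (daemon, client) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1]))   # optional shell-command field ignored
    return rules


def rules_match(rules, daemon, client):
    return any(match_list(d, daemon) and match_list(c, client) for d, c in rules)


def access_allowed(allow_text, deny_text, daemon, client):
    """hosts_access(5) decision order: allow file, then deny file, else permit."""
    if rules_match(parse_rules(allow_text), daemon, client):
        return True
    if rules_match(parse_rules(deny_text), daemon, client):
        return False
    return True


def evaluate_examples():
    """Run the page's two policies against constructed client names (daemon 'proftpd' assumed)."""
    closed = lambda daemon, host: access_allowed(MOSTLY_CLOSED_ALLOW, MOSTLY_CLOSED_DENY, daemon, host)
    opened = lambda daemon, host: access_allowed(MOSTLY_OPEN_ALLOW, MOSTLY_OPEN_DENY, daemon, host)
    return {
        "closed-local": closed("proftpd", "desk17"),
        "closed-netgroup": closed("proftpd", "ng-host.example.org"),
        "closed-domain": closed("proftpd", "lab.foobar.edu"),
        "closed-termserver": closed("proftpd", "terminalserver.foobar.edu"),
        "closed-outsider": closed("proftpd", "box.example.net"),
        "open-denied": opened("proftpd", "box.some.domain"),
        "open-finger-other": opened("in.fingerd", "host.other.domain"),
        "open-ftp-other": opened("proftpd", "host.other.domain"),
        "open-default": opened("proftpd", "box.example.net"),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_examples().items():
        print(f"{case:20s} {'allowed' if allowed else 'denied'}")
```

Running the evaluator shows why the order of the two files matters: in the "Mostly Closed" policy the terminal server is refused only because the EXCEPT clause keeps it out of the allow file, leaving "ALL: ALL" in the deny file to catch it, while in the "Mostly Open" policy a finger request from other.domain still gets through because the deny rule's daemon list excludes in.fingerd.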
© Copyright 2000-2017 TJ Saunders
All Rights Reserved