.\"	$OpenBSD: hosts_access.3,v 1.15 2007/05/31 19:19:39 jmc Exp $
.\"
.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd $Mdocdate: May 31 2007 $
.Dt HOSTS_ACCESS 3
.Os
.Sh NAME
.Nm hosts_access ,
.Nm hosts_ctl ,
.Nm request_init ,
.Nm request_set
.Nd tcp wrapper access control library
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <tcpd.h>
.Vt extern int allow_severity;
.Vt extern int deny_severity;
.Ft struct request_info *
.Fn request_init "struct request_info *request" "int key" value ... 0
.Ft struct request_info *
.Fn request_set "struct request_info *request" "int key" value ... 0
.Ft int
.Fn hosts_access "struct request_info *request"
.Ft int
.Fn hosts_ctl "char *daemon" "char *client_name" "char *client_addr" "char *client_user"
.Sh DESCRIPTION
The routines described in this document are part of the
.Nm libwrap.a
library.
They implement a rule-based access control language with
optional shell commands that are executed when a rule fires.
.Pp
.Fn request_init
initializes a structure with information about a client
request.
.Fn request_set
updates an already initialized request structure.
Both functions take a
variable-length list of key-value pairs and return their first argument.
The argument lists are terminated with a zero key value.
All string-valued arguments are copied.
The expected keys (and corresponding value types) are:
.Bl -tag -width XXXXXXXXXXXXXXXXXXXXXXXX
.It "RQ_FILE (int)"
The file descriptor associated with the request.
.It "RQ_CLIENT_NAME (char *)"
The client host name.
.It "RQ_CLIENT_ADDR (char *)"
A printable representation of the client network address.
.It "RQ_CLIENT_SIN (struct sockaddr_in *)"
An internal representation of the client network address and port.
The contents of the structure are not copied.
.It "RQ_SERVER_NAME (char *)"
The hostname associated with the server endpoint address.
.It "RQ_SERVER_ADDR (char *)"
A printable representation of the server endpoint address.
.It "RQ_SERVER_SIN (struct sockaddr_in *)"
An internal representation of the server endpoint address and port.
The contents of the structure are not copied.
.It "RQ_DAEMON (char *)"
The name of the daemon process running on the server host.
.It "RQ_USER (char *)"
The name of the user on whose behalf the client host makes the request.
.El
.Pp
.Fn hosts_access
consults the access control tables described in the
.Xr hosts_access 5
manual page.
When internal endpoint information is available, host names
and client user names are looked up on demand, using the request structure
as a cache.
.Fn hosts_access
returns zero if access should be denied.
.Pp
.Fn hosts_ctl
is a wrapper around the
.Fn request_init
and
.Fn hosts_access
routines with a perhaps more convenient interface (though it does not
pass on enough information to support automated client username
lookups).
The client host address, client host name and username
arguments should contain valid data or STRING_UNKNOWN.
.Fn hosts_ctl
returns zero if access should be denied.
.Pp
The
.Fa allow_severity
and
.Fa deny_severity
variables determine
how accepted and rejected requests may be logged.
They must be provided
by the caller and may be modified by rules in the access control tables.
.Sh FILES
.Bl -tag -width /etc/hosts.allow -compact
.It Pa /etc/hosts.allow
Access control table (allow list)
.It Pa /etc/hosts.deny
Access control table (deny list)
.El
.Sh DIAGNOSTICS
Problems are reported via the syslog daemon.
.Sh SEE ALSO
.Xr hosts_access 5 ,
.Xr hosts_options 5
.Sh AUTHORS
.Bd -unfilled -offset indent
Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
.Ed
.\" @(#) hosts_access.3 1.8 96/02/11 17:01:26