ProFTPD module mod_wrap_file



This mod_wrap submodule is contained in the mod_wrap_file.c, and is found as part of the mod_wrap-2.0 package available here, and is not compiled by default. See the mod_wrap installation instructions.

This submodule provides the file-specific "driver" for storing IP/DNS-based access control information in files.

Many programs will automatically add entries in the common hosts.allow/hosts.deny files, and use of this module will allow a proftpd daemon running in standalone mode to adapt as these entries are added. The portsentry program does this, for example: when illegal access is attempted, it will add hosts to the /etc/hosts.deny file.

Author

Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.


File Access Tables

With file-based access tables (a source-type of "file"), the data is stored in the familiar hosts.allow/hosts.deny file format.

The mod_wrap_file module supports the "file" string for the source-type parameter of the WrapUserTables, WrapGroupTables, and WrapTables configuration directives. If the "file" source-type is used, then the source-info parameter must be the full path to the file table. Both file names (allow and deny) are required. The paths to both files must be full paths, with two exceptions: if a path starts with ~/, the check of that path is delayed until a user requests a connection, at which time the path is resolved to that user's home directory; and if a path starts with ~user/, where user is some system user, mod_wrap attempts to resolve and verify the given user's home directory on start-up.

Examples:

  # Using file-based access tables
  WrapTables file:/etc/hosts.allow file:/etc/hosts.deny

  # server-wide access files
  TCPAccessFiles /etc/ftpd.allow /etc/ftpd.deny

  # per-user access files, which are to be found in the user's home directory
  TCPAccessFiles ~/my.allow ~/my.deny


Example File Tables

The tables use the format described in the hosts_access(5) manual page, under "ACCESS CONTROL RULES". The two policies below are taken from that page.

MOSTLY CLOSED
       In this case, access is denied by default. Only explicitly
       authorized hosts are permitted access.

       The default policy (no access) is implemented with a trivial
       deny file:

       /etc/hosts.deny:
          ALL: ALL

       This denies all service to all hosts, unless they are permitted
       access by entries in the allow file.

       The explicitly authorized hosts are listed in the allow file.
       For example:

       /etc/hosts.allow:
          ALL: LOCAL @some_netgroup
          ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

       The first rule permits access from hosts in the local domain
       (no `.' in the host name) and from members of the some_netgroup
       netgroup. The second rule permits access from all hosts in the
       foobar.edu domain (notice the leading dot), with the exception
       of terminalserver.foobar.edu.

MOSTLY OPEN
       Here, access is granted by default; only explicitly specified
       hosts are refused service.

       The default policy (access granted) makes the allow file
       redundant so that it can be omitted. The explicitly
       non-authorized hosts are listed in the deny file. For example:

       /etc/hosts.deny:
          ALL: some.host.name, .some.domain
          ALL EXCEPT in.fingerd: other.host.name, .other.domain

       The first rule denies some hosts and domains all services; the
       second rule still permits finger requests from other hosts and
       domains.
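To make the search order and the EXCEPT semantics of these tables concrete, here is an added Python evaluator for the hosts.allow/hosts.deny rule format. It is example code written for this page, not part of mod_wrap or of libwrap, and it is deliberately incomplete: it assumes the client is identified by a host name or dotted address string, matches daemon names literally, treats @netgroup patterns as never matching (resolving them needs NIS), and ignores the KNOWN/UNKNOWN/PARANOID wildcards, address/mask forms and the optional shell-command field. The sample tables are the MOSTLY CLOSED policy above, minus the netgroup entry.

```python
"""Added example: a small evaluator for the hosts.allow / hosts.deny rule
format used by mod_wrap_file's file tables (hosts_access(5), "ACCESS CONTROL
RULES"). Not mod_wrap's own code; see the lead-in for what it leaves out."""
from typing import Callable, List, Tuple

# Constructed sample tables, copied from the MOSTLY CLOSED policy above,
# minus the @some_netgroup entry, which needs NIS to resolve.
SAMPLE_ALLOW = """\
# hosts.allow: only explicitly listed hosts get in
ALL: LOCAL
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
"""
SAMPLE_DENY = "ALL: ALL\n"

Rule = Tuple[str, str]  # (daemon_list, client_list)


def parse_table(text: str) -> List[Rule]:
    """Split a table into (daemon_list, client_list) pairs.

    Blank lines and '#' comments are skipped and a trailing backslash joins
    the next line; an optional third ':'-field (shell command) is ignored."""
    rules: List[Rule] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def host_matches(pattern: str, client: str) -> bool:
    """Match one client pattern against a host name (or dotted address)."""
    pattern, client = pattern.lower(), client.lower()
    if pattern == "all":
        return True
    if pattern == "local":            # any name without a dot
        return "." not in client
    if pattern.startswith("@"):       # netgroup: unsupported here (assumption)
        return False
    if pattern.startswith("."):       # domain suffix, e.g. ".foobar.edu"
        return client.endswith(pattern)
    if pattern.endswith("."):         # address prefix, e.g. "131.155."
        return client.startswith(pattern)
    return client == pattern


def daemon_matches(pattern: str, daemon: str) -> bool:
    """ALL, or the literal daemon (process) name, e.g. "proftpd"."""
    return pattern.upper() == "ALL" or pattern == daemon


def list_matches(lst: str, value: str, match: Callable[[str, str], bool]) -> bool:
    """'a b EXCEPT c d' matches when value is in (a b) and not in (c d).

    EXCEPT binds to the right: 'x EXCEPT y EXCEPT z' == x EXCEPT (y EXCEPT z),
    which is what splitting on the first EXCEPT and recursing gives us."""
    toks = lst.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        return (list_matches(" ".join(toks[:i]), value, match)
                and not list_matches(" ".join(toks[i + 1:]), value, match))
    return any(match(tok, value) for tok in toks)


def access_check(allow_text: str, deny_text: str, daemon: str, client: str) -> bool:
    """hosts_access(5) search order: the first matching allow entry grants,
    otherwise the first matching deny entry refuses, otherwise access is
    granted. Tables are re-parsed on every call, so entries appended by another
    program (the portsentry case above) take effect on the next connection."""
    for daemons, clients in parse_table(allow_text):
        if (list_matches(daemons, daemon, daemon_matches)
                and list_matches(clients, client, host_matches)):
            return True
    for daemons, clients in parse_table(deny_text):
        if (list_matches(daemons, daemon, daemon_matches)
                and list_matches(clients, client, host_matches)):
            return False
    return True


if __name__ == "__main__":
    for host in ("workstation", "lab.foobar.edu",
                 "terminalserver.foobar.edu", "x.example.org"):
        verdict = access_check(SAMPLE_ALLOW, SAMPLE_DENY, "proftpd", host)
        print(f"proftpd from {host:28s}: {'allow' if verdict else 'deny'}")
```

Running it shows the policy described above: the dotless local name and lab.foobar.edu are granted, terminalserver.foobar.edu is carved out by EXCEPT, and any other host falls through to the ALL: ALL deny entry. Passing an empty allow table with the MOSTLY OPEN deny table exercises the other policy, including the daemon-side EXCEPT that keeps in.fingerd reachable from other.host.name.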



Author: $Author: tj $
Last Updated: $Date: 2002/12/02 23:44:05 $


© Copyright 2000-2002 TJ Saunders
All Rights Reserved