2005-05-02 15:01:42 +02:00
|
|
|
.TH SERVXCHECK 3
|
|
|
|
.SH NAME
|
|
|
|
servxcheck \- Internet service access check
|
|
|
|
.SH SYNOPSIS
|
|
|
|
.ft B
|
|
|
|
.nf
|
|
|
|
#define _MINIX_SOURCE 1
|
|
|
|
#include </net/gen/netdb.h>
|
|
|
|
|
|
|
|
int servxcheck(ipaddr_t \fIpeer\fP, const char *\fIservice\fP,
|
|
|
|
void (*\fIlogf\fP)(int \fIpass\fP, const char *\fIname\fP));
|
|
|
|
char *servxfile(const char *\fIfile\fP);
|
|
|
|
.fi
|
|
|
|
.ft R
|
|
|
|
.SH DESCRIPTION
|
|
|
|
.B Servxcheck()
|
|
|
|
is used by programs like
|
|
|
|
.B inetd
|
|
|
|
to perform an access check on the host connected to the other end of the TCP
|
|
|
|
channel that has IP address
|
|
|
|
.IR peer .
|
|
|
|
.PP
|
|
|
|
.B Servxcheck()
|
|
|
|
translates the IP address to the
|
|
|
|
associated host name if necessary, and checks if the host is granted access
|
|
|
|
as guided by the file
|
|
|
|
.BR /etc/serv.access .
|
|
|
|
(See
|
|
|
|
.BR serv.access (5).)
|
|
|
|
The service name used to search the access file is passed by the caller as
|
|
|
|
.IR service .
|
|
|
|
These names should be the same as the service names in
|
|
|
|
.BR /etc/services .
|
|
|
|
.PP
|
|
|
|
The caller should use the NWIOGTCPCONF ioctl() call to find out what the
|
|
|
|
IP address of the remote end is. It is wise to bypass the
|
|
|
|
.B servxcheck()
|
|
|
|
call if the remote end happens to be the local machine (remaddr == locaddr),
|
|
|
|
so that local connections aren't impeded by slow checks.
|
|
|
|
.B Servxcheck()
|
|
|
|
will itself allow connections from 127.0.0.1/8 immediately, so you
|
|
|
|
don't have to check for that. Example of use:
|
|
|
|
.PP
|
|
|
|
.RS
|
|
|
|
.nf
|
|
|
|
.ta +4n +4n +4n
|
|
|
|
if (ioctl(fd, NWIOGTCPCONF, &tcpconf) < 0
|
|
|
|
|| tcpconf.nwtc_remaddr == tcpconf.nwtc_locaddr
|
|
|
|
|| servxcheck(tcpconf.nwtc_remaddr, service_name, NULL)
|
|
|
|
) {
|
|
|
|
serve();
|
|
|
|
}
|
|
|
|
.fi
|
|
|
|
.RE
|
|
|
|
.PP
|
|
|
|
An attempt to connect to a service is logged if the access is denied. You
|
|
|
|
can use the special checkword "\fBlog\fP" to also log if access is granted.
|
|
|
|
Logging will be done with
|
|
|
|
.B syslog()
|
|
|
|
at the
|
|
|
|
.B warning
|
|
|
|
level.
|
|
|
|
A syntax error in the access file may be logged under the
|
|
|
|
.B err
|
|
|
|
level.
|
|
|
|
The caller must use
|
|
|
|
.B openlog()
|
|
|
|
to set the appropriate logging facility. One may do one's own logging by
|
|
|
|
supplying a
|
|
|
|
.I logf
|
|
|
|
function that will be called by
|
|
|
|
.B servxcheck
|
|
|
|
with a first argument that is true if access is granted, false if
|
|
|
|
denied, and a second argument that is the name of the remote host whose
|
|
|
|
access has been checked.
|
|
|
|
.PP
|
|
|
|
The default is to fail the check unless the access file says otherwise.
|
|
|
|
Strange errors make the check succeed. (We do not want
|
|
|
|
remote access to fail because of some system error.) Note that this
|
|
|
|
function is not meant to check access to the system, that's what
|
|
|
|
passwords and such are for, but only to limit access to those who are
|
|
|
|
allowed to use the services the system offers.
|
|
|
|
.PP
|
|
|
|
Connections from a machine to itself are accepted immediately. No further
|
|
|
|
checks, no logging.
|
|
|
|
.PP
|
|
|
|
.B Servxfile()
|
|
|
|
may be used to specify a file other than the default
|
|
|
|
.BR /etc/serv.access .
|
|
|
|
This is useful for programs started from
|
|
|
|
.B inetd
|
|
|
|
that want to handle the access check themselves, using a private access file.
|
|
|
|
The return value of
|
|
|
|
.B servxfile()
|
|
|
|
is the pathname of the old access file. Only a pointer to the new path is
|
|
|
|
saved, the caller must keep the string it points to intact.
|
|
|
|
.SH FILES
|
|
|
|
.TP 25n
|
|
|
|
.B /etc/serv.access
|
|
|
|
Default access check file.
|
|
|
|
.SH "SEE ALSO"
|
|
|
|
.BR syslog (3),
|
|
|
|
.BR serv.access (5),
|
|
|
|
.BR services (5),
|
|
|
|
.BR inetd (8).
|
|
|
|
.SH DIAGNOSTICS
|
|
|
|
.B Servxcheck()
|
|
|
|
returns 0 if the access is denied, 1 if granted.
|
|
|
|
.PP
|
|
|
|
Typical syslog message:
|
|
|
|
.PP
|
|
|
|
.RS
|
|
|
|
Jan 10 20:27:20 flotsam inetd[174]: service 'shell' granted to jetsam.cs.vu.nl
|
|
|
|
.RE
|
|
|
|
.SH BUGS
|
|
|
|
IP and DNS based access checks will stop most crackers, but not the really
|
2005-08-22 14:56:02 +02:00
|
|
|
determined ones. Luckily MINIX 3 is sufficiently strange to thwart the well
|
2005-05-02 15:01:42 +02:00
|
|
|
known cracking schemes. But don't ever allow yourself to feel secure.
|
|
|
|
.SH AUTHOR
|
|
|
|
Kees J. Bot <kjb@cs.vu.nl>
|