Add "@netgroup" names to host matching.

RsyncProject · Jul 13, 2020 · 2f13049 · 2f13049
1 parent af531cf
commit 2f13049
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 8 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -25,6 +25,9 @@
    `--time-limit=MINS` option accepted as an alias for `--stop-after`).  This
    is an enhanced version of the time-limit patch from the patches repo.
 
+ - Added the ability to specify "@netgroup" names to the `hosts allow` and
+   `hosts deny` daemon parameters.
+
  - Added some compatibility code for HPE NonStop platforms.
 
 ### INTERNAL:

diff --git a/access.c b/access.c
@@ -34,6 +34,11 @@ static int match_hostname(const char **host_ptr, const char *addr, const char *t
 	if (!host || !*host)
 		return 0;
 
+#ifdef HAVE_INNETGR
+	if (*tok == '@' && tok[1])
+		return innetgr(tok + 1, host, NULL, NULL);
+#endif
+
 	/* First check if the reverse-DNS-determined hostname matches. */
 	if (iwildmatch(tok, host))
 		return 1;

diff --git a/configure.ac b/configure.ac
@@ -822,7 +822,7 @@ AC_FUNC_UTIME_NULL
 AC_FUNC_ALLOCA
 AC_CHECK_FUNCS(waitpid wait4 getcwd chown chmod lchmod mknod mkfifo \
     fchmod fstat ftruncate strchr readlink link utime utimes lutimes strftime \
-    chflags getattrlist mktime \
+    chflags getattrlist mktime innetgr \
     memmove lchown vsnprintf snprintf vasprintf asprintf setsid strpbrk \
     strlcat strlcpy strtol mallinfo getgroups setgroups geteuid getegid \
     setlocale setmode open64 lseek64 mkstemp64 mtrace va_copy __va_copy \

diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md
@@ -685,7 +685,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     client's hostname and IP address.  If none of the patterns match, then the
     connection is rejected.
 
-    Each pattern can be in one of five forms:
+    Each pattern can be in one of six forms:
 
     - a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address of
       the form a:b:c::d:e:f. In this case the incoming machine's IP address
@@ -705,6 +705,8 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
       connecting IP (if "reverse lookup" is enabled), and/or the IP of the
       given hostname is matched against the connecting IP (if "forward lookup"
       is enabled, as it is by default).  Any match will be allowed in.
+    - an '@' followed by a netgroup name, which will match if the reverse DNS
+      of the connecting IP is in the specified netgroup.
 
     Note IPv6 link-local addresses can have a scope in the address
     specification:
@@ -713,12 +715,12 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     >     fe80::%link1/64
     >     fe80::%link1/ffff:ffff:ffff:ffff::
 
-    You can also combine "hosts allow" with a separate "hosts deny" parameter.
-    If both parameters are specified then the "hosts allow" parameter is
-    checked first and a match results in the client being able to connect. The
-    "hosts deny" parameter is then checked and a match means that the host is
-    rejected. If the host does not match either the "hosts allow" or the
-    "hosts deny" patterns then it is allowed to connect.
+    You can also combine "hosts allow" with "hosts deny" as a way to add
+    exceptions to your deny list.  When both parameters are specified, the
+    "hosts allow" parameter is checked first and a match results in the client
+    being able to connect.  A non-allowed host is then matched against the
+    "hosts deny" list to see if it should be rejected.  A host that does not
+    match either list is allowed to connect.
 
     The default is no "hosts allow" parameter, which means all hosts can
     connect.