1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121
|
#! /usr/bin/perl -w
# fixscript will replace this line with code to load INN::Config
##
## Sample code for the nnrpd Perl access hooks.
## This file is loaded when a perl_access: parameter is reached in
## readers.conf. If it defines a sub named access, which will be
## called during processing of a perl_access: parameter. Attributes
## about the connection are passed to the program in the %attributes
## global variable. It should return a hash containing
## parameter-value pairs for the access group. If there is a problem,
## nnrpd will die and syslog the exact error.
## The default behavior of the following code is to look for nnrp.access
## in INN's configuration file directory and to attempt to implement about
## the same host-based access control as the previous nnrp.access code in
## earlier versions of INN. This may be useful for backward compatibility.
## This file cannot be run as a standalone script, although it would be
## worthwhile to add some code so that it could so that one could test the
## results of various authentication and connection queries from the
## command line. The #! line at the top is just so that fixscript will
## work.
# This function is called when perl_access: is reached in readers.conf.
# For details on all the information passed to it, see
# ~news/doc/hook-perl.
sub access {
&loadnnrp($INN::Config::newsetc . '/nnrp.access');
return &checkhost($attributes{hostname}, $attributes{ipaddress});
}
# Called at startup, this loads the nnrp.access file and converts it into a
# convenient internal format for later queries.
sub loadnnrp {
my $file = shift;
my ($block, $perm, $user, $pass);
open (ACCESS, $file) or die "Could not open $file: $!\n";
local $_;
while (<ACCESS>) {
my %tmp;
chomp;
s/\#.*//;
($block, $perm, $user, $pass, $tmp{groups}) = split /:/;
next unless (defined $tmp{groups});
# We don't support username/password entries, so be safe.
next if ($user || $pass);
# Change the wildmat pattern to a regex (this isn't thorough, as
# some ranges won't be converted properly, but it should be good
# enough for this purpose).
if ($block !~ m%^(?:\d+\.){3}\d+/\d+$%) {
$block =~ s/\./\\./g;
$block =~ s/\?/./g;
$block =~ s/\*/.*/g;
}
$tmp{block} = $block;
$tmp{canread} = ($perm =~ /r/i);
$tmp{canpost} = ($perm =~ /p/i);
unshift(@hosts, { %tmp });
}
close ACCESS;
}
# Given the hostname and IP address of a connecting host, use our @hosts
# array constructed from nnrp.access and see what permissions that host has.
sub checkhost {
my ($host, $ip) = @_;
my %return_hash;
my $key;
for $key (@hosts) {
my ($read, $post) = ($key->{canread}, $key->{canpost});
# First check for CIDR-style blocks.
if ($key->{block} =~ m%^(\d+\.\d+\.\d+\.\d+)/(\d+)$%) {
my $block = unpack('N', pack('C4', split(/\./, $1)));
my $mask = (0xffffffff << (32 - $2)) & 0xffffffff;
$block = $block & $mask;
my $packedip = unpack('N', pack('C4', split(/\./, $ip)));
if (($packedip & $mask) == $block) {
if ($read) {
$return_hash{"read"} = $key->{groups};
}
if ($post) {
$return_hash{"post"} = $key->{groups};
}
return %return_hash;
}
}
if ($ip =~ /^$key->{block}$/) {
if ($read) {
$return_hash{"read"} = $key->{groups};
}
if ($post) {
$return_hash{"post"} = $key->{groups};
}
return %return_hash;
}
if ($host =~ /^$key->{block}$/) {
if ($read) {
$return_hash{"read"} = $key->{groups};
}
if ($post) {
$return_hash{"post"} = $key->{groups};
}
return %return_hash;
}
}
# If we fell through to here, nothing matched, so we should deny
# permissions.
return %return_hash;
}
|