HP-UX Internet Services Administrator's Guide (May 2010)

When an ftp service is requested, inetd spawns the /usr/lbin/ftpd daemon,
which is actually the tcpd daemon. tcpd then performs access control checks
before invoking the ftpd daemon in the /usr/lbin/wrapper directory.
For more information on tcpd configuration, type man 1M tcpd or man 4
tcpd.conf at the HP-UX prompt.
The libwrap.a Library
The libwrap.a library provides a set of APIs for independent applications to enforce
host access control based on the /etc/hosts.allow and /etc/hosts.deny
files. The APIs implement a rule-based access control language with optional shell
commands that are executed when a rule is invoked.
To enforce host access control in an independent daemon, a service must include
the tcpd.h header file and link with the libwrap.a library. The libwrap.a
library contains the following APIs:
request_init()
Initializes the request_info structure with the client request information.
request_set()
Updates an initialized request_info structure.
Both request_init() and request_set() accept the request_info
structure and a variable-length list of key-value pairs as input parameters, and they
return the request_info structure defined in the tcpd.h header file. The argument
lists are terminated with a zero key value.
hosts_access()
Reads the ACLs and returns either 1 or 0, indicating that access is granted or denied,
respectively.
hosts_ctl()
This API is a wrapper around the functions request_init() and hosts_access().
It accepts the daemon name, client host name, client address, and user name as
input parameters. The client host name, address, and user name arguments must
contain valid data or STRING_UNKNOWN, which is defined in the tcpd.h file. If
access is denied, the hosts_ctl() API returns 0.
A daemon program can implement access control checks using either of the following methods:
1. Fill the variable elements in the request_info structure using the routines
request_init() and request_set(), and call the hosts_access() routine
to check these elements against the ACLs.
2. Call the function hosts_ctl() with appropriate input parameters to check them
against the ACLs.
For more information on these APIs, type man 3 hosts_access at the HP-UX prompt.
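Method 2 above, as an added example that is not from the HP guide: a daemon-side helper that formats the peer's IPv4 address, asks hosts_ctl() for the decision, and denies the connection if the address cannot be formatted. The names client_allowed() and make_peer(), the USE_LIBWRAP build macro, the stand-in hosts_ctl() used when the library is absent, and the sample addresses are assumptions made for the example.

```c
/* Added example. Real library build: cc -DUSE_LIBWRAP example.c -lwrap */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef USE_LIBWRAP
#include <tcpd.h>
/* Venema's libwrap has the caller define these; assumed same on HP-UX. */
int allow_severity = LOG_INFO, deny_severity = LOG_WARNING;
#else
/* Constructed stand-in so the example runs without libwrap: same arguments,
 * but a fixed policy (allow 192.0.2.*) instead of hosts.allow/hosts.deny. */
#define STRING_UNKNOWN "unknown"
static int hosts_ctl(char *daemon, char *name, char *addr, char *user)
{
    (void)daemon; (void)name; (void)user;
    return strncmp(addr, "192.0.2.", 8) == 0;
}
#endif

/* Returns 1 if the IPv4 peer may use `daemon`, 0 if access is denied. */
int client_allowed(char *daemon, const struct sockaddr_in *peer)
{
    char addr[INET_ADDRSTRLEN];
    /* Fail closed: never run the check on an address we could not format. */
    if (peer == NULL || peer->sin_family != AF_INET ||
        inet_ntop(AF_INET, &peer->sin_addr, addr, sizeof addr) == NULL)
        return 0;
    /* No host name or user lookup is done here, so both are passed as
     * STRING_UNKNOWN, which the guide requires when valid data is absent. */
    return hosts_ctl(daemon, STRING_UNKNOWN, addr, STRING_UNKNOWN) != 0;
}
/* Builds a peer address from dotted text (constructed sample input). */
struct sockaddr_in make_peer(const char *dotted)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, dotted, &sa.sin_addr);
    return sa;
}

int main(void)
{
    struct sockaddr_in a = make_peer("192.0.2.10"), b = make_peer("198.51.100.7");
    printf("%d %d\n", client_allowed("ftpd", &a), client_allowed("ftpd", &b));
    return 0;
}
```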