[syslinux] tftp-hpa features?

H. Peter Anvin hpa at zytor.com
Mon Jan 11 08:28:32 PST 2016


On 01/11/16 08:09, Matt Zagrabelny via Syslinux wrote:
> 
> I would like to propose a feature request of adding filespace ACLs to tftpd-hpa.
> 
> Example:
> 
> I serve data out of /srv/tftp. I only want clients 192.168.1.0/24 to
> have read access to /srv/tftp/data_1 and only want clients
> 192.168.2.0/24 to have read access to /srv/tftp/data_2.
> 
> Configuration:
> 
> One could create a new config file and command-line option, but I
> believe it could also be done as an extension to the map-file.
> 
> Add a new operation letter:
> 
> c - indicate an extra client field in this rule
> 
> map-file contents:
> 
> ec 192.168.1.0/24 ^data_1/
> a ^data_1/
> ec 192.168.2.0/24 ^data_2/
> a ^data_2/
> 
> What do you think?
> 
> Thanks for your consideration.
> 

This is actually already possible, but it is definitely awkward:

r ^ \i/
r ^192\.168\.1\.[0-9]+/(/data_1/) \1
r ^192\.168\.2\.[0-9]+/(/data_2/) \1
a~ ^/ Permission denied

The first rule puts the IP address of the client at the beginning of the
file name, and then the ACL rules strip it off if and only if the
filename matches.

If the IP address is still there when we get to the "a" rule, the
filename doesn't start with a / and we reject the request.

	-hpa
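
An added example, not part of the original message and not tftpd-hpa's own code: a small Python model of the prefix-then-strip technique described above, run against constructed client addresses and file names. It assumes the rules are extended regular expressions with the last rule written as an inverted abort (`a~`); it models only the `r`, `a` and `~` operations and the `\i` and `\0`-`\9` escapes, and `parse`, `expand` and `remap` are hypothetical names.

```python
import re

# Constructed rule set modelled on the reply above (ERE syntax, "a~" = abort on no match).
MAP_FILE = r"""
r  ^ \i/
r  ^192\.168\.1\.[0-9]+/(/data_1/) \1
r  ^192\.168\.2\.[0-9]+/(/data_2/) \1
a~ ^/ Permission denied
"""

def parse(text):
    """Split each line into (operation letters, compiled regex, pattern/message)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        arg = parts[2] if len(parts) > 2 else ""
        rules.append((parts[0], re.compile(parts[1]), arg))
    return rules

def expand(template, match, client_ip):
    """Expand \\i (client IP, dotted quad) and \\0..\\9 (capture groups)."""
    def sub(m):
        c = m.group(1)
        if c == "i":
            return client_ip
        if c.isdigit():
            return match.group(int(c)) or ""
        return c  # any other escaped character stands for itself
    return re.sub(r"\\(.)", sub, template)

def remap(rules, client_ip, filename):
    """Return (rewritten_name, None) if allowed, or (None, error_message)."""
    for ops, rx, arg in rules:
        m = rx.search(filename)
        hit = (m is None) if "~" in ops else (m is not None)
        if not hit:
            continue
        if "a" in ops:  # abort: refuse the request with the rule's message
            return None, arg or "Access denied"
        if "r" in ops:  # replace the matched substring
            filename = filename[:m.start()] + expand(arg, m, client_ip) + filename[m.end():]
    return filename, None

RULES = parse(MAP_FILE)

if __name__ == "__main__":
    # Constructed requests: allowed subnet, wrong subnet, relative name, other path.
    for ip, name in [("192.168.1.7", "/data_1/pxelinux.0"), ("192.168.2.7", "/data_1/pxelinux.0"),
                     ("192.168.1.7", "data_1/pxelinux.0"), ("192.168.1.7", "/other/file")]:
        print(ip, name, "->", remap(RULES, ip, name))
```

In this model the rule set is default-deny: a request passes only if its client prefix and directory match the same rule, so names without a leading slash and paths outside `data_1` and `data_2` are refused as well.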


