gid = atoi(p);
}
+ p = lp_exclude_from(i);
+ add_exclude_file(p, 1);
+
+ p = lp_exclude_from(i);
+ add_exclude_line(p);
+
if (chroot(lp_path(i))) {
io_printf(fd,"@ERROR: chroot failed\n");
return -1;
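Review bot: The fourth added line repeats `p = lp_exclude_from(i);` where it should read `p = lp_exclude(i);`, so the new `exclude` option (whose `lp_exclude` accessor is added in the loadparm hunk below) is never consulted, and instead the exclude-from *filename* is split on spaces by `add_exclude_line` and installed as exclude patterns. The effect is fail-open: an administrator who writes `exclude = secret*` gets no exclusion at all and no diagnostic. The first added line also deserves a comment, since the file is opened before `chroot(lp_path(i))` and, as far as this hunk shows, before any uid/gid switch, e.g. `/* opened before chroot(): a host path, not a module-relative one */`; the rsyncd.conf text in this commit says only "a filename on the server". The enclosing function begins before this hunk.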
void add_exclude_file(char *fname,int fatal)
{
- exclude_list = make_exclude_list(fname,exclude_list,fatal);
+ if (!fname || !*fname) return;
+
+ exclude_list = make_exclude_list(fname,exclude_list,fatal);
}
}
+void add_exclude_line(char *p)
+{
+ char *tok;
+ if (!p || !*p) return;
+ p = strdup(p);
+ if (!p) out_of_memory("add_exclude_line");
+ for (tok=strtok(p," "); tok; tok=strtok(NULL," "))
+ add_exclude(tok);
+ free(p);
+}
+
+
static char *cvs_ignore_list[] = {
"RCS","SCCS","CVS","CVS.adm","RCSLOG","cvslog.*",
"tags","TAGS",".make.state",".nse_depinfo",
add_exclude_file(fname,0);
}
- if ((p=getenv("CVSIGNORE"))) {
- char *tok;
- for (tok=strtok(p," "); tok; tok=strtok(NULL," "))
- add_exclude(tok);
- }
+ add_exclude_line(getenv("CVSIGNORE"));
}
char *hosts_deny;
char *auth_users;
char *secrets_file;
+ char *exclude;
+ char *exclude_from;
} service;
NULL, /* hosts deny */
NULL, /* auth users */
NULL, /* secrets file */
+ NULL, /* exclude */
+ NULL, /* exclude from */
};
{"hosts deny", P_STRING, P_LOCAL, &sDefault.hosts_deny, NULL, 0},
{"auth users", P_STRING, P_LOCAL, &sDefault.auth_users, NULL, 0},
{"secrets file", P_STRING, P_LOCAL, &sDefault.secrets_file,NULL, 0},
+ {"exclude", P_STRING, P_LOCAL, &sDefault.exclude, NULL, 0},
+ {"exclude from", P_STRING, P_LOCAL, &sDefault.exclude_from,NULL, 0},
{NULL, P_BOOL, P_NONE, NULL, NULL, 0}
};
FN_LOCAL_STRING(lp_hosts_deny, hosts_deny)
FN_LOCAL_STRING(lp_auth_users, auth_users)
FN_LOCAL_STRING(lp_secrets_file, secrets_file)
+FN_LOCAL_STRING(lp_exclude, exclude)
+FN_LOCAL_STRING(lp_exclude_from, exclude_from)
/* local prototypes */
static int strwicmp( char *psz1, char *psz2 );
file transfers to and from that module should take place as. This
complements the "uid" option. The default is the group "nobody".
+dit(bf(exclude)) The "exclude" option allows you to specify a space
+separated list of patterns to add to the exclude list. This is
+equivalent to the client specifying these patterns with the --exclude
+option. Note that this option is not designed with strong security in
+mind, it is quite possible that a client may find a way to bypass this
+exclude list. If you want to absolutely ensure that certain files
+cannot be accessed then use the uid/gid options in combination with
+file permissions.
+
+dit(bf(exclude from)) The "exclude from" option specifies a filename
+on the server that contains exclude patterns, one per line. This is
+equivalent to the client specifying the --exclude-from option with a
+equivalent file. See also the note about security for the exclude
+option above.
+
dit(bf(auth users)) The "auth users" option specifies a comma
and space separated list of usernames that will be allowed to connect
to this module. The usernames do not need to exist on the local