Everything you ever wanted to know about access.cnf and more


The file "access.cnf" in the game/ subdirectory controls access to the
MUSH. It's used to restrict which sites can connect to players or guests,
create players, or register players by email. It can also flag a site
as suspect; all players who connect from suspect sites have their
SUSPECT flag set.

This file replaces the older lockout.cnf and sites.cnf files;
typing 'make access' will create a new access.cnf file from your
lockout.cnf and sites.cnf files.

FILE SYNTAX

The syntax of the file is simple. Each line gives information about
a host or host-pattern:

  [user@]host [dbref] [options] [# comment]

  host    - the only required field, this is a hostname or a wildcard pattern
            to match. Examples:
              berkeley.edu   - matches hostname berkeley.edu
              *.berkeley.edu - matches hostname <anystring>.berkeley.edu
              *berkeley.edu  - matches either of the above
              *              - matches all hosts
  user@   - if the host supports ident, and you trust the ident response,
            and you're sure that the link is fast enough that you'll always
            get an ident response in time, you can match for specific
            users. Example: johnq@netcom.com
  dbref   - The dbref of a character to restrict the rule to.
            (Only makes sense for connect rules). Leave it out
            or use '-2' to match all characters. Leave out the '#'
            in the dbref.
  options - A space-separated list of options which apply to connections
            from the host. Described in detail below.
  comment - an optional comment

Everything in the file is separated by a single space - don't use tabs.

The file is read line-by-line, and the first match is used. This
means that the order in which hosts are listed is very important.

Also, since both hostnames and IPs are checked, some rules must take
both into account.

There is one special line in the file, which looks like this:

  @sitelock

This line indicates where @sitelock'd sites will be inserted in
the file. Hosts listed after this line can have their access
options superseded by using @sitelock on-line. Hosts listed before
this line cannot have their access options overridden by @sitelock.
If the line doesn't appear in the file, it will be added to the end
of the file at startup.


READING AND WRITING THE FILE

The access.cnf file is read and cached at startup, and whenever the MUSH
receives a HUP signal.

The access.cnf file is written back to disk whenever @sitelock is used.


OPTIONS

The following options are available for each host in the file:

  create      - People connecting from this host may 'create' players.
  !create     - People connecting from this host may NOT 'create' players.
  connect     - People may connect to their existing non-guest players.
  !connect    - People may NOT connect to their existing non-guest players.
  guest       - People may connect to guest players from this host.
  !guest      - People may NOT connect to guest players from this host.
  none        - shorthand for: !create !connect !guest
  default     - shorthand for: create connect guest
  !god        - God cannot connect from this host.
  !wizard     - Wizards cannot connect from this host.
  !admin      - Wizards and Royalty cannot connect from this host.
  register    - People may use the 'register' command from this host.
  suspect     - All players connected to from this host will be set SUSPECT
  deny_silent - Don't log failed create/connect/guest/register attempts
  regexp      - Use regexp match rather than glob matching for the pattern

If no options are given, the host is treated as if option "none"
were used. If at least one option is listed, it's assumed that
hosts can do anything (create, connect, guest) that they are
not prohibited from.


EXAMPLE SCENARIOS

Here are some typical ways you might want to set up your file:

1. Totally ban specific sites, allow all others

     *badsite.com -2 none
     *.twink.edu -2 none

   This will totally lock out those sites (like lockout.cnf)


2. Allow specific sites and no others. Note that you must list both
   hostname-matching patterns and ip address-matching patterns, because
   if either fails to match a rule that allows connection, the connection
   will be refused. This is true in general when writing positive rules.

     *.berkeley.edu -2 default
     128.32.* -2 default
     * -2 none

   People may connect from .berkeley.edu (128.32.) sites only.


3. Allow connection but not creation from some sites

     *.twink.edu -2 !create

   This is equivalent to the former function of sites.cnf


4. Allow connection but not creation or guest-connection from some sites

     *.twink.edu -2 !guest !create


5. Require that a given site use the 'register' command to register
   players by email.

     *.twink.edu -2 !create register

   Using !create prevents people from using the usual create command.
   Adding register allows them to use the register command.


6. Disable creation from twink.edu sites, and don't let Wizards
   override this rule with @sitelock

     *.twink.edu -2 !create
     @sitelock

   Because the rule appears above "@sitelock", and @sitelock rules appear
   below "@sitelock", the rule will always be checked before any
   @sitelock rules.


7. Disable creation from twink.edu sites, but allow Wizards to
   later override this rule with @sitelock

     @sitelock
     *.twink.edu -2 !create

   Because the rule appears below "@sitelock", new @sitelock rules
   (which will be added immediately following "@sitelock") will precede
   it, and will be checked first.


8. God can only be connected to from one specific account on the
   server, and nowhere else. Wizards cannot override it. This requires
   you to connect to 'localhost <port>' from a given account on the
   same server the mush runs on. If the server doesn't support ident,
   remove 'username@' so that anyone on the server can connect.

     username@localhost 1 connect
     username@127.0.0.1 1 connect
     * -2 !god
     @sitelock


9. A complex example:

   a) Allow anybody from localhost.berkeley.edu complete access
   b) Force people from *.twink.edu to use registration, and set their
      players SUSPECT
   c) Completely ban *badsite.com, and don't log attempts to connect
   d) Don't allow jerk@netcom.com to connect to Guests
   e) Allow people from somesite.org to connect to Guests only.
   f) Allow @sitelock to override c-e above

     localhost.berkeley.edu -2 default
     127.0.0.1 -2 default
     *.twink.edu -2 !create register suspect
     @sitelock
     *badsite.com -2 none deny_silent
     jerk@netcom.com -2 !guest
     somesite.org -2 !connect !create guest
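
The following is an added example, not PennMUSH code: a simplified Python model of the rules described above (first match wins, the option defaults, hostname and IP both checked), run against scenario 2 with and without its IP rule. The function names and the sample host cory.berkeley.edu / 128.32.0.10 are constructed; glob matching is approximated with fnmatch, and user@ patterns, regexp and the !god/!wizard/!admin options are not modelled.

```python
from fnmatch import fnmatchcase

ACTIONS = {"create", "connect", "guest"}

# Constructed rule sets modelled on scenario 2 of this page.
HOST_ONLY = "*.berkeley.edu -2 default\n* -2 none\n"
HOST_AND_IP = "*.berkeley.edu -2 default\n128.32.* -2 default\n* -2 none\n"

def parse(text):
    """Return the rules in file order as (pattern, dbref, options) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] == "@sitelock":
            continue  # blank line, comment, or the @sitelock marker
        pattern, rest = fields[0].lower(), fields[1:]
        dbref = -2  # a missing dbref means "all characters"
        if rest and rest[0].lstrip("-").isdigit():
            dbref, rest = int(rest[0]), rest[1:]
        rules.append((pattern, dbref, rest))
    return rules

def allowed_actions(options):
    """No options behaves like 'none'; otherwise anything not negated is allowed."""
    if not options or "none" in options:
        return set()
    return {a for a in ACTIONS if "!" + a not in options}

def first_match(rules, address, who=-2):
    """Allowed actions under the first rule that matches this address."""
    for pattern, dbref, options in rules:
        if dbref in (-2, who) and fnmatchcase(address.lower(), pattern):
            return allowed_actions(options)
    return set(ACTIONS)  # no rule matched: unrestricted, as in scenario 1

def can(rules, action, hostname, ip, who=-2):
    """Hostname and IP are both checked; either one may refuse the action."""
    return all(action in first_match(rules, a, who) for a in (hostname, ip))

if __name__ == "__main__":
    for name, text in (("host only", HOST_ONLY), ("host + ip", HOST_AND_IP)):
        ok = can(parse(text), "connect", "cory.berkeley.edu", "128.32.0.10")
        print(f"{name}: connect {'allowed' if ok else 'refused'}")
```

With only the hostname rule, the IP falls through to "* -2 none" and the connection is refused, which is the mistake scenario 2 warns about.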