version 1.7, 2002/02/08 01:28:25 |
version 1.8, 2002/10/01 19:38:46 |
|
|
hosts_options \- host access control language extensions
.SH DESCRIPTION
This document describes optional extensions to the language described
in the hosts_access(5) document.
The extensions are enabled at program build time,
for example by editing the Makefile and turning on the
PROCESS_OPTIONS compile-time option.
.PP
The extensible language uses the following format:
.sp
.ti +3
daemon_list : client_list : option : option ...
.PP
The first two fields are described in the hosts_access(5) manual page.
The remainder of the rule is a list of zero or more options.
Any ":" characters within options should be protected with a backslash.
.PP
An option is of the form "keyword" or "keyword value".
Options are processed in the specified order.
Some options are subjected to %\*[Lt]letter\*[Gt] substitutions.
For the sake of backwards compatibility with
earlier versions, an "=" is permitted between keyword and value.
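.PP
The rule format above, as a small parser written for this page (added illustration in Python, not code from the tcp_wrappers package). It models what the manual states: fields are separated by ":" unless the colon is protected by a backslash, an option is "keyword" or "keyword value" with an optional "=" between them, options are kept in the order written, and allow, deny and twist must be the last option. Comment and continuation handling (blank lines and lines starting with "#" ignored, backslash-newline joins lines) follows hosts_access(5). The sample table, the option list used to flag typos, and the socket probe for the keepalive and linger options are the example's own assumptions; the two network options correspond to SO_KEEPALIVE and SO_LINGER at the socket level.

```python
"""Parser for 'daemon_list : client_list : option : option ...' rules.

Added example, not tcp_wrappers code.  See the lead-in for assumptions.
"""
import re
import socket
import struct
from dataclasses import dataclass, field

TERMINAL_OPTIONS = {"allow", "deny", "twist"}          # must end the rule
# Keywords documented in hosts_options(5); anything else is treated as a typo.
KNOWN_OPTIONS = TERMINAL_OPTIONS | {"severity", "spawn", "keepalive", "linger",
                                    "rfc931", "banners", "nice", "setenv",
                                    "umask", "user"}


@dataclass
class Rule:
    daemons: list
    clients: list
    options: list = field(default_factory=list)       # [(keyword, value), ...] in order


def logical_lines(text):
    """Yield rule lines with comments dropped and backslash-newline joined."""
    joined = re.sub(r"\\\n", "", text)
    for line in joined.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line


def split_fields(line):
    """Split on ':' unless written as '\\:'; the backslash escape is removed."""
    fields, buf, i = [], [], 0
    while i < len(line):
        if line.startswith("\\:", i):
            buf.append(":"); i += 2
        elif line[i] == ":":
            fields.append("".join(buf).strip()); buf = []; i += 1
        else:
            buf.append(line[i]); i += 1
    fields.append("".join(buf).strip())
    return fields


# "keyword", "keyword value" or "keyword=value"; leading/trailing blanks stripped.
OPTION_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=?\s*(.*?)\s*$", re.S)


def parse_option(text):
    m = OPTION_RE.match(text)
    if not m:
        raise ValueError(f"bad option syntax: {text!r}")
    return m.group(1), m.group(2)


def parse_rule(line):
    fields = split_fields(line)
    if len(fields) < 2:
        raise ValueError(f"rule needs daemon_list and client_list: {line!r}")
    rule = Rule(fields[0].split(), fields[1].split())
    options = fields[2:]
    for idx, text in enumerate(options):
        keyword, value = parse_option(text)
        if keyword not in KNOWN_OPTIONS:
            raise ValueError(f"unknown option {keyword!r}")
        if keyword in TERMINAL_OPTIONS and idx != len(options) - 1:
            raise ValueError(f"{keyword} must be the last option in the rule")
        rule.options.append((keyword, value))
    return rule


def parse_table(text):
    return [parse_rule(line) for line in logical_lines(text)]


def apply_network_options(rule, sock):
    """Apply keepalive/linger to sock; return (keepalive on?, linger secs or None)."""
    for keyword, value in rule.options:
        if keyword == "keepalive":
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        elif keyword == "linger":
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, int(value)))
    keep = bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))
    onoff, secs = struct.unpack("ii", sock.getsockopt(socket.SOL_SOCKET, socket.SO_LINGER, 8))
    return keep, (secs if onoff else None)


def probe_network_options(rule):
    """Apply the rule's network options to a fresh TCP socket and read them back."""
    with socket.socket() as sock:
        return apply_network_options(rule, sock)


# Constructed sample in the style of a hosts.allow table (not a real deployment).
SAMPLE_HOSTS_ALLOW = """\
# constructed sample
in.ftpd : ALL : severity mail.info : twist /bin/echo 421 Down\\: try later
in.telnetd : .friendly.domain : banners=/etc/banners : keepalive \\
    : linger 10 : allow
ALL : ALL : spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & : deny
"""
```

parse_table(SAMPLE_HOSTS_ALLOW) yields three rules; the escaped colon survives inside the twist command, the continued line is joined before splitting, and a rule such as "ALL : ALL : deny : severity notice" is rejected because deny is not last.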
.SH LOGGING
.IP "severity mail.info"
.IP "severity notice"
Change the severity level at which the event will be logged.
Facility names (such as mail) are optional, and are not supported on systems
with older syslog implementations.
The severity option can be used to emphasize or to ignore specific events.
.SH ACCESS CONTROL
.IP "allow"
.IP "deny"
Grant (deny) service.
These options must appear at the end of a rule.
.PP
The \fIallow\fR and \fIdeny\fR keywords make it possible to keep all
access control rules within a single file, for example in the
.IP "spawn shell_command"
Execute, in a child process, the specified shell command, after
performing the %\*[Lt]letter\*[Gt] expansions described in the hosts_access(5)
manual page.
The command is executed with stdin, stdout and stderr
connected to the null device, so that it won\'t mess up the
conversation with the client host.
Example:
.sp
.nf
.ti +3
remote host.
.sp
The example uses the "safe_finger" command instead of the regular
"finger" command, to limit possible damage from data sent by the finger server.
The "safe_finger" command is part of the daemon wrapper
package; it is a wrapper around the regular finger command that filters
the data sent by the remote host.
.IP "twist shell_command"
Replace the current process by an instance of the specified shell
command, after performing the %\*[Lt]letter\*[Gt] expansions described in the
hosts_access(5) manual page.
Stdin, stdout and stderr are connected to the client process.
This option must appear at the end of a rule.
.sp
To send a customized bounce message to the client instead of
running the real ftp daemon:
the client process; UDP requires other I/O primitives.
.SH NETWORK OPTIONS
.IP "keepalive"
Causes the server to periodically send a message to the client.
The connection is considered broken when the client does not respond.
The keepalive option can be useful when users turn off their
machine while it is still connected to a server.
The keepalive option is not useful for datagram (UDP) services.
.IP "linger number_of_seconds"
Specifies how long the kernel will try to deliver not-yet delivered
data after the server process closes a connection.
.SH USERNAME LOOKUP
.IP "rfc931 [ timeout_in_seconds ]"
Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413)
protocol.
This option is silently ignored in case of services based on
transports other than TCP.
It requires that the client system runs an RFC 931 (IDENT, etc.)
-compliant daemon, and may cause noticeable
delays with connections from non-UNIX clients.
The timeout period is optional.
If no timeout is specified a compile-time defined default
value is taken.
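.PP
The lookup the rfc931 option performs, written out for this page as an added illustration in Python (not the tcp_wrappers rfc931.c code). The wrapper, on the server side of a TCP connection, connects to port 113 on the client host and sends "<port on client host> , <port on our host>"; the client's identd replies "<ports> : USERID : <opsys> : <user>" or "<ports> : ERROR : <reason>". Every field of that reply is chosen by the client host, which is why the result is only as trustworthy as that host. The fake identd on 127.0.0.1 is constructed so the exchange runs offline; its hold mode accepts the connection and never answers, which is the delay the manual warns about and the reason the timeout exists. Port numbers and user names in the demo are made up.

```python
"""IDENT (RFC 931 / RFC 1413) lookup as done for the rfc931 option.

Added example, not tcp_wrappers code.  See the lead-in for assumptions.
"""
import socket
import threading
import time

IDENT_PORT = 113          # port a real lookup targets; the demo uses an ephemeral port


def parse_ident_reply(line, their_port, our_port):
    """Return the user name from a reply about exactly this port pair, else 'unknown'."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 4 or parts[1].upper() != "USERID":
        return "unknown"                          # ERROR reply or malformed line
    ports = [p.strip() for p in parts[0].split(",")]
    if ports != [str(their_port), str(our_port)]:
        return "unknown"                          # reply is about some other connection
    user = parts[3].split()
    return user[0] if user else "unknown"


def ident_query(client_host, ident_port, their_port, our_port, timeout):
    """Ask client_host which user owns its end (their_port) of our connection (our_port)."""
    query = f"{their_port} , {our_port}\r\n"
    try:
        with socket.create_connection((client_host, ident_port), timeout=timeout) as s:
            s.sendall(query.encode("ascii"))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:                               # refused, unreachable, or timed out
        return "unknown"
    return parse_ident_reply(data.decode("ascii", "replace"), their_port, our_port)


def fake_identd(user, hold_seconds=0.0):
    """One-shot constructed identd on 127.0.0.1; returns its port.
    With hold_seconds > 0 it keeps the connection open that long and never answers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            req = conn.recv(64).decode("ascii", "replace").strip()
            if hold_seconds:
                time.sleep(hold_seconds)
            else:
                conn.sendall(f"{req} : USERID : UNIX : {user}\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Constructed demo: a cooperative identd, then one that never answers.
    The second lookup returns 'unknown' only because the timeout fires."""
    good = ident_query("127.0.0.1", fake_identd("alice"), 6191, 23, timeout=2.0)
    slow = ident_query("127.0.0.1", fake_identd("bob", hold_seconds=3), 6191, 23, timeout=0.5)
    return good, slow
```

demo() returns ("alice", "unknown"): the first server answers for the right port pair, the second holds the connection until the client gives up after the configured timeout. A reply for a different port pair or an ERROR reply also yields "unknown".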
.SH MISCELLANEOUS
.IP "banners /some/directory"
Look for a file in `/some/directory' with the same name as the daemon
process (for example in.telnetd for the telnet service), and copy its
contents to the client.
Newline characters are replaced by carriage-return newline,
and %\*[Lt]letter\*[Gt] sequences are expanded (see
the hosts_access(5) manual page).
.sp
The tcp wrappers source code distribution provides a sample makefile
.sp
Warning: banners are supported for connection-oriented (TCP) network
services only.
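.PP
The %\*[Lt]letter\*[Gt] expansion shared by the spawn, twist, setenv and banners options, together with the spawn child-process discipline and banner rendering described above, as an added illustration in Python (not tcp_wrappers code). The letters follow hosts_access(5): %a client address, %c client information, %d daemon name, %h client host name or address, %n client host name, %p daemon PID, %u client user name, %% a literal percent. hosts_access(5) also states that characters in % expansions that may confuse the shell are replaced by underscores; the exact character set used here, the treatment of a missing banner file, and the hostile reverse-DNS name in the demo are the example's own assumptions.

```python
"""%<letter> expansion, the spawn option and the banners option.

Added example, not tcp_wrappers code.  See the lead-in for assumptions.
"""
import os
import subprocess
import tempfile

# Characters replaced by '_' before an expansion reaches the shell (assumed set).
SHELL_META = set("`'\"$\\;&|<>()\n\t ")


def sanitize(value):
    return "".join("_" if c in SHELL_META else c for c in value)


def request_info(daemon, client_addr, client_name=None, user="unknown", pid=None):
    """Build the %<letter> table for one connection."""
    host = client_name or client_addr
    return {
        "a": client_addr,                               # client address
        "d": daemon,                                    # daemon process name
        "h": host,                                      # client host name or address
        "n": client_name or "unknown",                  # client host name
        "p": str(os.getpid() if pid is None else pid),  # daemon PID
        "u": user,                                      # client user (rfc931) or "unknown"
        "c": host if user == "unknown" else f"{user}@{host}",   # client information
    }


def expand(template, info, safe=True):
    """Replace %<letter> sequences; safe=False shows the raw, dangerous expansion."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            letter = template[i + 1]
            if letter == "%":
                out.append("%")
            elif letter in info:
                out.append(sanitize(info[letter]) if safe else info[letter])
            else:
                raise ValueError(f"unrecognized %{letter}")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def spawn(shell_command, info):
    """Run the expanded command through the shell in a child process with
    stdin/stdout/stderr on the null device, as the spawn option does; the
    parent waits for the shell (a trailing '&' inside the command is what
    makes the real work asynchronous).  Returns the shell's exit status."""
    return subprocess.run(expand(shell_command, info), shell=True,
                          stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def banner(directory, info):
    """Return the banner for daemon info['d'] as the client receives it:
    % sequences expanded, LF turned into CR LF.  No file: no banner (assumption)."""
    path = os.path.join(directory, info["d"])
    if not os.path.isfile(path):
        return b""
    with open(path, encoding="utf-8") as f:
        text = expand(f.read(), info)
    return text.replace("\n", "\r\n").encode()


def demo(client_name="evil.example;id"):
    """Constructed demo: a hostile reverse-DNS name reaches a spawn command and
    a banner.  Returns (raw unsafe expansion, what the shell actually saw, banner)."""
    info = request_info("in.telnetd", "192.0.2.7", client_name, user="alice")
    unsafe = expand("finger -l @%h", info, safe=False)   # shown only, never executed
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "spawn.log")
        spawn(f"echo %c > {out}", info)                  # sanitized %c goes to the shell
        with open(out) as f:
            ran = f.read().strip()
        with open(os.path.join(d, "in.telnetd"), "w") as f:
            f.write("Hello %h, this is %d\nGo away\n")
        ban = banner(d, info)
    return unsafe, ran, ban
```

demo() shows the point of the underscore rule: the raw expansion "finger -l @evil.example;id" would run a second command, while the shell actually receives "alice@evil.example_id". The banner comes back with CR LF line ends and the same sanitized host name.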
.IP "nice [ number ]"
Change the nice value of the process (default 10).
Specify a positive value to spend more CPU resources on other processes.
.IP "setenv name value"
Place a (name, value) pair into the process environment.
The value is subjected to %\*[Lt]letter\*[Gt] expansions and
may contain whitespace (but leading and trailing blanks are stripped off).
.sp
Warning: many network daemons reset their environment before spawning a
login or shell process.
.IP "umask 022"
Like the umask command that is built into the shell.
A umask of 022 prevents the creation of files with group
and world write permission.
The umask argument should be an octal number.
.IP "user nobody"
.IP "user nobody.kmem"
Assume the privileges of the "nobody" userid (or user "nobody", group
"kmem").
The first form is useful with inetd implementations that run
all services with root privilege.
The second form is useful for services that need
special group privileges only.
.SH DIAGNOSTICS
When a syntax error is found in an access control rule, the error
is reported to the syslog daemon; further options will be ignored,