1133-1134.html

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

<HTML>
<HEAD>
<TITLE>Linux Complete Command Reference:File Formats:EarthWeb Inc.-</TITLE>
</HEAD>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>

 -->


<!-- ISBN=0672311046 //-->
<!-- TITLE=Linux Complete Command Reference//-->
<!-- AUTHOR=Red Hat//-->
<!-- PUBLISHER=Macmillan Computer Publishing//-->
<!-- IMPRINT=Sams//-->
<!-- CHAPTER=05 //-->
<!-- PAGES=1103-1208 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->

<P><CENTER>
<a href="1131-1132.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="1135-1135.html">Next</A></CENTER></P>



<A NAME="PAGENUM-1133"><P>Page 1133</P></A>



<P><B>
HISTORY
</B></P>

<P>Written by Rich $alz (rsalz@uunet.uu.net) for InterNetNews.
</P>

<P><B>
SEE ALSO
</B></P>

<P>ctlinnd(8), innd(8), nnrpd(8)
</P>

<H3><A NAME="ch05_ 22">
hosts_access
</A></H3>

<P>hosts_access&#151;Format of host access control files.
</P>

<P><B>
DESCRIPTION
</B></P>

<P>This manual page describes a simple access control language that is based on client (hostname/address, username) and
server (process name) patterns. Examples are given at the end. The impatient reader can skip to the &quot;Examples&quot; section for a
quick introduction.
</P>

<P>In the following text, daemon is the process name of a network daemon process, and client is the name or address of a
host requesting service. Network daemon process names are specified in the
inetd configuration file.
</P>

<P><B>
ACCESS CONTROL FILES
</B></P>

<P>The access control software consults two files. The search stops at the first match:
</P>

<P>Access will be granted when a (daemon,client) pair matches an entry in the
/etc/hosts.allow file.
</P>

<P>Otherwise, access will be denied when a
(daemon,client) pair matches an entry in the
/etc/hosts.deny file.
</P>

<P>
Otherwise, access will be granted.
</P>

<P>A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by providing
no access control files.
</P>

<P><B>
ACCESS CONTROL RULES
</B></P>

<P>Each access control file consists of zero or more lines of text. These lines are processed in order of appearance. The
search terminates when a match is found.
</P>

<P>A newline character is ignored when it is preceded by a backslash character.
</P>

<P>Blank lines or lines that begin with a # character are ignored.
</P>

<P>All other lines should satisfy the following format, things between
[] being optional:
</P>

<!-- CODE SNIP //-->
<PRE>
daemon_list : client_list [ : shell_command ]
</PRE>
<!-- END CODE SNIP //-->

<P>daemon_list is a list of one or more daemon process names
(argv[0] values) or wildcards.
</P>

<P>client_list is a list of one or more hostnames, host addresses, patterns, or wildcards that will be matched against the
remote hostname or address.
</P>

<P>List elements should be separated by blanks or commas.
</P>

<P>With the exception of NIS (YP) netgroup lookups, all access control checks are case insensitive.
</P>

<P><B>
PATTERNS
</B></P>

<P>The access control language implements the following patterns:
</P>

<P>A string that begins with a . character: A client name or address is matched if its last components match the
specified pattern. For example, the pattern
.tue.nl matches the hostname wzv.win.tue.nl.
</P>

<P>A string that ends with a . character: A client name or address is matched if its first fields match the given string.
For example, the pattern 131.155. matches the address of (almost) every host on the Eindhoven University
network (131.155.x.x).
</P>

<A NAME="PAGENUM-1134"><P>Page 1134</P></A>


<P>A string that begins with a @ character is treated as a netgroup name: Netgroups are usually supported on systems with
NIS (formerly YP) databases. A client hostname is matched if it is a (host) member of the specified netgroup.
</P>

<P>
An expression of the form n.n.n.n/m.m.m.m is interpreted as a
net/mask pair. A client address is matched if net is equal to
the bitwise AND of the address and the mask. For example, the
net/mask pattern 131.155.72.0/255.255.254.0 matches every
address in the range 131.155.72.0 through
131.155.73.255.
</P>

<P><B>
WILDCARDS
</B></P>

<P>The access control language supports explicit wildcards:
</P>

<TABLE>

<TR><TD>
ALL
</TD><TD>
If this token appears in a daemon list, it matches all network daemon process names. If the
ALL token appears in a client list, it matches all client names and addresses.
</TD></TR><TR><TD>
LOCAL
</TD><TD>
Matches any string that does not contain a dot character. Typical use is in client lists.
</TD></TR><TR><TD>
UNKNOWN
</TD><TD>
Matches any host whose name or address are unknown. Should be used with care:
Hostnames may be unavailable due to temporary nameserver problems. A network address will
be unavailable when the software cannot figure out what type of network it is talking to.
</TD></TR><TR><TD>
KNOWN
</TD><TD>
Matches any host whose name and address are known. Should be used with care:
Hostnames may be unavailable due to temporary nameserver problems. A network address will
be unavailable when the software cannot figure out what type of network it is talking to.
</TD></TR><TR><TD>
FAIL
</TD><TD>
Like the ALL wildcard but causes the software to pretend that the scan of the current
access control table fails. FAIL is being phased out; it will become an undocumented feature.
The EXCEPT operator is a much cleaner alternative.
</TD></TR></TABLE>

<P><B>
OPERATORS
</B></P>

<TABLE>

<TR><TD>
EXCEPT
</TD><TD>
Intended use is of the form: list_1 EXCEPT list_2; this construct matches anything that matches
list_1 unless it matches list_2. This construct can be used in daemon lists and in client lists. The EXCEPT operator can be nested: If the control language would permit the use <BR>
of parentheses, a EXCEPT b EXCEPT c would parse as (a EXCEPT (b EXCEPT c)).
</TD></TR></TABLE>

<P><B>
SHELL COMMANDS
</B></P>

<P>If the first-matched access control rule contains a shell command, that command is subjected to the following substitutions:
</P>

<TABLE>

<TR><TD>
%a
</TD><TD>
Expands to the remote host address.
</TD></TR><TR><TD>
%c
</TD><TD>
Expands to client information: user@host,
user@address, a hostname, or just an address, depending on how much information is available.
</TD></TR><TR><TD>
%h
</TD><TD>
Expands to the remote hostname (or address, if the hostname is unavailable).
</TD></TR><TR><TD>
%d
</TD><TD>
Expands to the daemon process name
(argv[0] value).
</TD></TR><TR><TD>
%p
</TD><TD>
Expands to the daemon process ID.
</TD></TR><TR><TD>
%u
</TD><TD>
Expands to the remote username (or
unknown).
</TD></TR><TR><TD>
%%
</TD><TD>
Expands to a single % character.
</TD></TR></TABLE>

<P>Characters in % expansions that may confuse the shell are replaced by underscores. The result is executed by a
/bin/sh child process with standard input, output, and error connected to
/dev/null. Specify an &amp; at the end of the command if you do
not want to wait until it has completed.
</P>

<P>Shell commands should not rely on the PATH setting of the
inetd. Instead, they should use absolute pathnames, or
they should begin with an explicit PATH=whatever statement.
</P>

<P><B>
REMOTE USERNAME LOOKUP
</B></P>

<P>When the client host supports the RFC 931 protocol or one of its descendants
(TAP, IDENT) the wrapper programs can retrieve additional information about the owner of a connection. When available, remote username information is
logged together with the client hostname and can be used to match patterns like
</P>

<!-- CODE SNIP //-->
<PRE>
daemon_list : ... user_pattern@host_pattern ...
</PRE>
<!-- END CODE SNIP //-->



<P><CENTER>
<a href="1131-1132.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="1135-1135.html">Next</A></CENTER></P>



</td>
</tr>
</table>
<!-- begin footer information -->




</body></html>