<HTML>

<HEAD>

<TITLE>Linux Complete Command Reference:File Formats:EarthWeb Inc.-</TITLE>

</HEAD>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>




<!-- ISBN=0672311046 //-->

<!-- TITLE=Linux Complete Command Reference//-->

<!-- AUTHOR=Red Hat//-->

<!-- PUBLISHER=Macmillan Computer Publishing//-->

<!-- IMPRINT=Sams//-->

<!-- CHAPTER=05 //-->

<!-- PAGES=1103-1208 //-->

<!-- UNASSIGNED1 //-->

<!-- UNASSIGNED2 //-->



<P><CENTER>

<a href="1133-1134.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="1136-1138.html">Next</A></CENTER></P>







<A NAME="PAGENUM-1135"><P>Page 1135</P></A>





<P>
The daemon wrappers can be configured at compile time to perform rule-driven username lookups (default) or to always interrogate the client host. In the case of rule-driven username lookups, the preceding rule would cause a username lookup only when both the daemon_list and the host_pattern match.
</P>



<P>A user pattern has the same syntax as a daemon process name, hostname, or host address pattern, so the same wildcards

and so on apply (but netgroup membership of users is not supported). One should not get carried away with username

lookups, however.

</P>



<P>The remote username information cannot be trusted when it is needed most&#151;that is, when the remote system has

been compromised. In general, ALL and (UN)KNOWN are the only username patterns that make sense.

</P>



<P>Username lookups are possible only with TCP-based services and only when the client host runs a suitable daemon; in

all other cases the result is unknown.

</P>



<P>A well-known UNIX kernel bug may cause loss of service when username lookups are blocked by a firewall. The

wrapper README document describes a procedure to find out if your kernel has this bug.

</P>



<P>Username lookups cause noticeable delays for PC users. The default time-out for username lookups is ten seconds: too

short to cope with slow networks but long enough to irritate PC users.

</P>



<P>Selective username lookups can alleviate the last problem. For example, a rule like

</P>



<!-- CODE SNIP //-->

<PRE>

daemon_list : @pcnetgroup ALL@ALL

</PRE>

<!-- END CODE SNIP //-->



<P>would match members of the pcnetgroup without doing username lookups but would perform username lookups with

all other systems.

</P>



<P><B>

EXAMPLES

</B></P>



<P>The language is flexible enough that different types of access control policy can be expressed with a minimum of

fuss. Although the language uses two access control tables, the most common policies can be implemented with one of the

tables being trivial or even empty.

</P>



<P>When reading the following examples, it is important to realize that the allow table is scanned before the deny table, that

the search terminates when a match is found, and that access is granted when no match is found at all.

</P>



<P>The examples use host and domain names. They can be improved by including address or network/netmask information

to reduce the impact of temporary nameserver lookup failures.

</P>



<P><B>

MOSTLY CLOSED

</B></P>



<P>In this case, access is denied by default. Only explicitly authorized hosts are permitted access.

</P>



<P>The default policy (no access) is implemented with a trivial deny file:

</P>



<!-- CODE SNIP //-->

<PRE>

/etc/hosts.deny:



ALL: ALL

</PRE>

<!-- END CODE SNIP //-->



<P>

This denies all service to all hosts, unless they are permitted access by entries in the allow file.

</P>



<P>The explicitly authorized hosts are listed in the allow file:
</P>



<!-- CODE SNIP //-->

<PRE>

/etc/hosts.allow:



ALL: LOCAL @some_netgroup

ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

</PRE>

<!-- END CODE SNIP //-->



<P>The first rule permits access to all services from hosts in the local domain (no . in the hostname) and from members of the some_netgroup netgroup. The second rule permits access to all services from all hosts in the .foobar.edu domain, with the exception of terminalserver.foobar.edu.
</P>



<P><B>

MOSTLY OPEN

</B></P>



<P>Here, access is granted by default; only explicitly specified hosts are refused service.

</P>












</td>
</tr>
</table>








</body></html>
