Diffstat (limited to 'usr/src/man/man4/hosts_access.4')
-rw-r--r-- | usr/src/man/man4/hosts_access.4 | 34 |
1 files changed, 14 insertions, 20 deletions
diff --git a/usr/src/man/man4/hosts_access.4 b/usr/src/man/man4/hosts_access.4 index 20f0a6ef40..9df0d16182 100644 --- a/usr/src/man/man4/hosts_access.4 +++ b/usr/src/man/man4/hosts_access.4 @@ -2,8 +2,8 @@ .\" .\" Modified for Solaris to to add the Solaris stability classification, .\" and to add a note about source availability. -.\" -.TH HOSTS_ACCESS 4 +.\" +.TH HOSTS_ACCESS 4 "Sep 15, 2011" .SH NAME hosts_access \- format of host access control files .SH DESCRIPTION @@ -52,11 +52,10 @@ are easier to read. All other lines should satisfy the following format, things between [] being optional: .sp -.ti +3 daemon_list : client_list [ : shell_command ] .PP \fIdaemon_list\fR is a list of one or more daemon process names -(argv[0] values) or wildcards (see below). +(argv[0] values) or wildcards (see below). .PP \fIclient_list\fR is a list of one or more host names, host addresses, patterns or wildcards (see @@ -66,7 +65,7 @@ The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are explained in the sections on server endpoint patterns and on client username lookups, respectively. .PP -List elements should be separated by blanks and/or commas. +List elements should be separated by blanks and/or commas. .PP With the exception of NIS (YP) netgroup lookups, all access control checks are case insensitive. @@ -74,7 +73,7 @@ checks are case insensitive. .SH HOST ADDRESSES IPv4 client addresses can be denoted in their usual dotted notation, i.e. x.x.x.x, but IPv6 addresses require a square brace around them - e.g. -[::1]. +[::1]. .SH PATTERNS The access control language implements the following patterns: .IP \(bu @@ -178,7 +177,6 @@ underscores. In order to distinguish clients by the network address that they connect to, use patterns of the form: .sp -.ti +3 process_name@host_pattern : client_list ... .sp Patterns like these can be used when the machine has different internet 
@@ -200,14 +198,13 @@ additional information about the owner of a connection. Client username information, when available, is logged together with the client host name, and can be used to match patterns like: .PP -.ti +3 daemon_list : ... user_pattern@host_pattern ... .PP The daemon wrappers can be configured at compile time to perform rule-driven username lookups (default) or to always interrogate the client host. In the case of rule-driven username lookups, the above rule would cause username lookup only when both the \fIdaemon_list\fR -and the \fIhost_pattern\fR match. +and the \fIhost_pattern\fR match. .PP A user pattern has the same syntax as a daemon process pattern, so the same wildcards apply (netgroup membership is not supported). One @@ -232,7 +229,6 @@ with slow networks, but long enough to irritate PC users. Selective username lookups can alleviate the last problem. For example, a rule like: .PP -.ti +3 daemon_list : @pcnetgroup ALL@ALL .PP would match members of the pc netgroup without doing username lookups, @@ -256,7 +252,7 @@ client connection and the IDENT lookup, although doing so is much harder than spoofing just a client connection. It may also be that the client\'s IDENT server is lying. .PP -Note: IDENT lookups don\'t work with UDP services. +Note: IDENT lookups don\'t work with UDP services. .SH EXAMPLES The language is flexible enough that different types of access control policy can be expressed with a minimum of fuss. Although the language @@ -273,13 +269,13 @@ including address and/or network/netmask information, to reduce the impact of temporary name server lookup failures. .SH MOSTLY CLOSED In this case, access is denied by default. Only explicitly authorized -hosts are permitted access. +hosts are permitted access. .PP The default policy (no access) is implemented with a trivial deny file: .PP .ne 2 -/etc/hosts.deny: +/etc/hosts.deny: .in +3 ALL: ALL .PP 
@@ -290,7 +286,7 @@ The explicitly authorized hosts are listed in the allow file. For example: .PP .ne 2 -/etc/hosts.allow: +/etc/hosts.allow: .in +3 ALL: LOCAL @some_netgroup .br @@ -303,7 +299,7 @@ netgroup. The second rule permits access from all hosts in the \fIterminalserver.foobar.edu\fP. .SH MOSTLY OPEN Here, access is granted by default; only explicitly specified hosts are -refused service. +refused service. .PP The default policy (access granted) makes the allow file redundant so that it can be omitted. The explicitly non-authorized hosts are listed @@ -332,7 +328,6 @@ in.tftpd: LOCAL, .my.domain .ne 2 /etc/hosts.deny: .in +3 -.nf in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ /usr/ucb/mail -s %d-%h root) & .fi @@ -380,11 +375,10 @@ Domain name server lookups are case insensitive; NIS (formerly YP) netgroup lookups are case sensitive. .SH AUTHOR .na -.nf Wietse Venema (wietse@wzv.win.tue.nl) Department of Mathematics and Computing Science Eindhoven University of Technology -Den Dolech 2, P.O. Box 513, +Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands \" @(#) hosts_access.5 1.20 95/01/30 19:51:46 .\" Begin Sun update @@ -395,11 +389,11 @@ for descriptions of the following attributes: .sp .TS box; -cbp-1 | cbp-1 +c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE = Interface Stability Committed -.TE Source for tcp_wrappers is available in the SUNWtcpdS package. +.TE .\" End Sun update |
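Review bot: the date added in `.TH HOSTS_ACCESS 4 "Sep 15, 2011"` should follow the same month/day/year convention as the other section 4 pages under usr/src/man and be bumped whenever the page is edited again; since the header comment is touched in the same hunk, the doubled word in the context line `.\" Modified for Solaris to to add the Solaris stability classification,` could be fixed at the same time.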
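Review bot: deleting `.ti +3` before the grammar lines `daemon_list : client_list [ : shell_command ]`, `process_name@host_pattern : client_list ...`, `daemon_list : ... user_pattern@host_pattern ...` and `daemon_list : @pcnetgroup ALL@ALL` leaves those syntax examples flush with the body text, so they no longer stand out from the prose that explains them. If `.ti` is being dropped for formatter portability, the `.in +3` indent already used for the /etc/hosts.deny and /etc/hosts.allow examples in this page (followed by a matching `.in -3` to restore the margin) preserves the visual distinction.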
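Review bot: removing `.nf` ahead of the in.tftpd example while keeping its closing `.fi` leaves an unbalanced `.fi` and, more importantly, returns the example to fill mode, so `in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\` and `/usr/ucb/mail -s %d-%h root) &` will be joined and reflowed into one line, misrepresenting how a backslash-continued shell_command is written in hosts.deny. Either keep the `.nf`/`.fi` pair or remove both and separate the two lines with `.br`.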
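Review bot: in the AUTHOR section the `.nf` removal puts the address block back into fill mode, so `Wietse Venema (wietse@wzv.win.tue.nl)`, `Department of Mathematics and Computing Science`, `Eindhoven University of Technology` and the two address lines will run together into a single paragraph under `.na`. If `.nf` must go, add `.br` after each line so the address keeps its line structure; the `-`/`+` pair on `Den Dolech 2, P.O. Box 513,` shows no visible text difference and is presumably trailing whitespace only.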
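Review bot: moving `.TE` from before to after `Source for tcp_wrappers is available in the SUNWtcpdS package.` places that sentence inside the tbl block, where the `l | l .` format treats it as one more boxed table row rather than as a paragraph following the attributes table. Keep `.TE` immediately after the `Interface Stability Committed` row and leave the sentence as ordinary text after it (for example preceded by `.sp`). The `cbp-1 | cbp-1` to `c | c` change itself is fine; it only drops the bold, reduced-size header styling.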
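Review bot: the hunks around `(argv[0] values) or wildcards (see below).`, `List elements should be separated by blanks and/or commas.`, `[::1].`, `and the \fIhost_pattern\fR match.`, `Note: IDENT lookups don\'t work with UDP services.`, `hosts are permitted access.`, `/etc/hosts.deny:`, `/etc/hosts.allow:` and `refused service.` show no visible text change and appear to be trailing-whitespace removal only; saying so in the commit message would stop the 14 insertions / 20 deletions in the diffstat from being read as content changes.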