Blame: hosts_options(5)

Annotated edit history of hosts_options(5) version 1, including all changes. Revision 1, author: perry.
!!!HOSTS_OPTIONS

NAME
DESCRIPTION
LOGGING
ACCESS CONTROL
RUNNING OTHER COMMANDS
NETWORK OPTIONS
USERNAME LOOKUP
MISCELLANEOUS
DIAGNOSTICS
SEE ALSO
AUTHOR
----
!!NAME

hosts_options - host access control language extensions

!!DESCRIPTION

This document describes optional extensions to the language described in the hosts_access(5) document. The extensions are enabled at program build time, for example by editing the Makefile and turning on the PROCESS_OPTIONS compile-time option.

The extensible language uses the following format:

daemon_list : client_list : option : option ...

The first two fields are described in the hosts_access(5) manual page. The remainder of the rule is a list of zero or more options. Any

An option is of the form
!!LOGGING

severity mail.info

severity notice

Change the severity level at which the event will be logged. Facility names (such as mail) are optional, and are not supported on systems with older syslog implementations. The severity option can be used to emphasize or to ignore specific events.
!!ACCESS CONTROL

allow

deny

Grant (deny) service. These options must appear at the end of a rule.

The ''allow'' and ''deny'' keywords make it possible to keep all access control rules within a single file, for example in the ''hosts.allow'' file.

To permit access from specific hosts only:

ALL: .friendly.domain: ALLOW
ALL: ALL: DENY

To permit access from all hosts except a few trouble makers:

ALL: .bad.domain: DENY
ALL: ALL: ALLOW

Notice the leading dot on the domain name patterns.
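The two rule sets above depend on first-match order and on ALLOW/DENY being the last option of a rule. The following Python evaluator is added here as an example; it is not tcp_wrappers code and not part of this manual page. It replays that logic over a constructed single-file rule set: leading-dot host name patterns and trailing-dot address patterns follow hosts_access(5), and a syntax error in the rule that matches is logged and turns into a deny, as the DIAGNOSTICS section states. The option keyword set, the skipping of a rule with too few fields, and the outcome for a client that matches no rule (granted, as hosts_access(5) describes when neither file matches) are assumptions of the example.

```python
# Example evaluator for the extended hosts.allow language (not tcp_wrappers code).

# Option keywords taken from this manual page; anything else is a syntax error.
KNOWN_OPTIONS = {"severity", "allow", "deny", "spawn", "twist", "keepalive",
                 "linger", "rfc931", "banners", "nice", "setenv", "umask", "user"}

# Constructed rule set in the single-file style shown above (first match wins).
SAMPLE_RULES = """\
in.telnetd : .friendly.domain : severity notice : ALLOW
ALL : .bad.domain : DENY
ALL : 192.0.2. : ALLOW
ALL : ALL : DENY
"""


class RuleSyntaxError(ValueError):
    """A rule problem that DIAGNOSTICS says is logged and turned into a deny."""


def match_token(pattern, value):
    """One hosts_access(5) pattern against a daemon name, host name or address."""
    pattern, value = pattern.lower(), value.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):      # leading dot: matches a host name suffix
        return value.endswith(pattern)
    if pattern.endswith("."):        # trailing dot: matches an address prefix
        return value.startswith(pattern)
    return pattern == value


def matches(pattern_list, values):
    return any(match_token(p, v) for p in pattern_list for v in values)


def parse_options(fields, line):
    """Split option fields; reject unknown keywords and a misplaced allow/deny."""
    options = [f.split(None, 1) for f in fields if f]
    for index, option in enumerate(options):
        keyword = option[0].lower()
        if keyword not in KNOWN_OPTIONS:
            raise RuleSyntaxError(f"unknown option {option[0]!r} in {line!r}")
        if keyword in ("allow", "deny") and index != len(options) - 1:
            raise RuleSyntaxError(f"{option[0]} must be the last option in {line!r}")
    return options


def decide(rules_text, daemon, client_name, client_addr, log=None):
    """Return 'allow' or 'deny' for one connection; `log` is a list standing in
    for the syslog messages tcpd would emit."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            if log is not None:
                log.append(f"warning: missing ':' separator in {line!r}")
            continue  # assumption: a rule without a client list is skipped
        if not (matches(fields[0].split(), [daemon])
                and matches(fields[1].split(), [client_name, client_addr])):
            continue
        # Only the matching rule has its options processed, so a syntax error
        # in some other rule does not change the outcome for this client.
        try:
            options = parse_options(fields[2:], line)
        except RuleSyntaxError as exc:
            if log is not None:
                log.append(f"error: {exc}")
            return "deny"
        if options and options[-1][0].lower() == "deny":
            return "deny"
        return "allow"  # a matching hosts.allow rule without deny grants service
    return "allow"      # no rule matched: granted, as hosts_access(5) describes (assumed setup)


if __name__ == "__main__":
    for conn in (("in.telnetd", "pc.friendly.domain", "198.51.100.7"),
                 ("in.ftpd", "pc.bad.domain", "192.0.2.5"),
                 ("in.ftpd", "pc.example.net", "192.0.2.5"),
                 ("in.ftpd", "pc.example.net", "198.51.100.7")):
        print(conn, decide(SAMPLE_RULES, *conn))
```

The second constructed connection shows why order matters: the client's address would be allowed by the third rule, but the `.bad.domain` deny comes first and wins.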
!!RUNNING OTHER COMMANDS

spawn shell_command

Execute, in a child process, the specified shell command, after performing the %

spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root)

executes, in a background child process, the shell command

The example uses the

twist shell_command

Replace the current process by an instance of the specified shell command, after performing the %

To send a customized bounce message to the client instead of running the real ftp daemon:

in.ftpd : ... : twist /bin/echo 421 Some bounce message

For an alternative way to talk to client processes, see the ''banners'' option below.

To run /some/other/in.telnetd without polluting its command-line array or its process environment:

in.telnetd : ... : twist PATH=/some/other; exec in.telnetd

Warning: in case of UDP services, do not twist to commands that use the standard I/O or the read(2)/write(2) routines to communicate with the client process; UDP requires other I/O primitives.
!!NETWORK OPTIONS

keepalive

Causes the server to periodically send a message to the client. The connection is considered broken when the client does not respond. The keepalive option can be useful when users turn off their machine while it is still connected to a server. The keepalive option is not useful for datagram (UDP) services.

linger number_of_seconds

Specifies how long the kernel will try to deliver not-yet delivered data after the server process closes a connection.
!!USERNAME LOOKUP

rfc931 [ timeout_in_seconds ]

Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413) protocol. This option is silently ignored in case of services based on transports other than TCP. It requires that the client system runs an RFC 931 (IDENT, etc.) -compliant daemon, and may cause noticeable delays with connections from non-UNIX clients. The timeout period is optional. If no timeout is specified a compile-time defined default value is taken.
!!MISCELLANEOUS

banners /some/directory

Look for a file in `/some/directory' with the same name as the daemon process (for example in.telnetd for the telnet service), and copy its contents to the client. Newline characters are replaced by carriage-return newline, and %

The tcp wrappers source code distribution provides a sample makefile (Banners.Makefile) for convenient banner maintenance.

Warning: banners are supported for connection-oriented (TCP) network services only.

nice [ number ]

Change the nice value of the process (default 10). Specify a positive value to spend more CPU resources on other processes.

setenv name value

Place a (name, value) pair into the process environment. The value is subjected to %

Warning: many network daemons reset their environment before spawning a login or shell process.

umask 022

Like the umask command that is built into the shell. A umask of 022 prevents the creation of files with group and world write permission. The umask argument should be an octal number.

user nobody

user nobody.kmem

Assume the privileges of the
!!DIAGNOSTICS

When a syntax error is found in an access control rule, the error is reported to the syslog daemon; further options will be ignored, and service is denied.

!!SEE ALSO

hosts_access(5), the default access control language

!!AUTHOR

Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.