HOSTS_ACCESS
Section: File Formats (5)
Index
Return to Main Contents
NAME
hosts_access - format of host access control files
DESCRIPTION
This manual page describes a simple access control language that is
based on client (host name or address) and server (process name)
patterns. Examples are given at the end. The impatient reader can skip
to the EXAMPLES section for a quick introduction.
In the following text, daemon is the the process name of a
network daemon process, and client is the name and/or address of
a host requesting service. Network daemon process names are specified
in the inetd configuration file.
ACCESS CONTROL FILES
The access control software consults two files:
- o
-
Access will be granted when a (daemon,client) pair matches an entry in
the /etc/hosts.allow file.
- o
-
Otherwise, access will be denied when a (daemon,client) pair matches an
entry in the /etc/hosts.deny file.
- o
-
Otherwise, access will be granted.
A non-existing access control file is treated as if it were an empty
file. Thus, access control can be turned off by providing no access
control files.
ACCESS CONTROL RULES
Each access control file consists of zero or more lines of text. These
lines are processed in order of appearance. The search terminates when a
match is found.
- o
-
A newline character is ignored when it is preceded by a backslash
character.
- o
-
Blank lines or lines that begin with a `#' character are ignored.
- o
-
All other lines should satisfy the following format, things between []
being optional:
daemon_list : client_list [ : shell_command ]
daemon_list is a list of one or more daemon process names
(argv[0] values) or wildcards (see below).
client_list is a list
of one or more host names, host addresses, patterns or wildcards (see
below) that will be matched against the remote host name or address.
List elements should be separated by blanks and/or commas.
With the exception of NIS (YP) netgroup lookups, all access control
checks are case insensitive.
PATTERNS
The access control language implements the following patterns:
- o
-
A string that begins with a `.' character. A client name or address
is matched if its last components match the specified pattern. For
example, the pattern `.tue.nl' matches the host name
`wzv.win.tue.nl'.
- o
-
A string that ends with a `.' character. A client name or address is
matched if its first fields match the given string. For example, the
pattern `131.155.' matches the address of (almost) every host on the
Eindhoven University network (131.155.x.x).
- o
-
A string that begins with a `@' character is treated as a netgroup
name. Netgroups are usually supported on systems with NIS (formerly
YP) data bases. A client host name is matched if it is a (host) member
of the specified netgroup.
- o
-
An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
`net/mask' pair. A client address is matched if `net' is equal to the
bitwise AND of the address and the `mask'. For example, the net/mask
pattern `131.155.72.0/255.255.254.0' matches every address in the
range `131.155.72.0' through `131.155.73.255'.
WILDCARDS
The access control language supports explicit wildcards:
- ALL
-
If this token appears in a daemon_list, it matches all network daemon
process names. If the ALL token appears in a client_list, it matches
all client names and addresses.
- LOCAL
-
Matches any string that does not contain a dot character.
Typical use is in client_lists.
- UNKNOWN
-
Matches any host whose name and/or address lookup failed. Should be
used with care, because host names may also be unavailable due to
temporary name server problems.
- FAIL
-
Like the ALL wildcard, but causes the software to pretend that the scan
of the current access control table fails. FAIL is being phased out; it
will become an undocumented feature. The EXCEPT operator (see below) is
a much cleaner alternative.
OPERATORS
- EXCEPT
-
Intended use is of the form: `list_1 EXCEPT list_2'; this construct
matches anything that matches list_1 unless it matches
list_2. This construct can be used in daemon_lists and in
client_lists. The EXCEPT operator can be nested and is
right-associative (just like C's assignment operator).
SHELL COMMANDS
If the first-matched access control rule contains a shell command, that
command is subjected to the following substitutions:
- %a
-
expands to the remote host address.
- %c
-
expands to client information: user@host, user@address, a host name, or
just an address, depending on how much information is available.
- %h
-
expands to the remote host name (or address, if the host name is
unavailable).
- %d
-
expands to the daemon process name (argv[0] value).
- %p
-
expands to the daemon process id.
- %u
-
expands to the remote user name (or "unknown").
- %%
-
expands to a single `%' character.
Characters in % expansions that may confuse the shell are replaced by
underscores.
The result is executed by a /bin/sh child process with standard
input, output and error connected to /dev/null. Specify an `&'
at the end of the command if you do not want to wait until it has
completed.
Shell commands should not rely on the PATH setting of the inetd.
Instead, they should use absolute path names, or they should begin with
an explicit PATH=whatever statement.
EXAMPLES
The language is flexible enough that different types of access control
policy can be expressed with a minimum of fuss. Although the language
uses two access control tables, the most common policies can be
implemented with one of the tables being trivial or even empty.
When reading the examples below it is important to realize that the
allow table is scanned before the deny table, that the search
terminates when a match is found, and that access is granted when no
match is found at all.
The examples use host and domain names. They can be improved by
including address and/or network/netmask information, to reduce the
impact of temporary name server lookup failures.
MOSTLY CLOSED
In this case, access is denied by default. Only explicitly authorized
hosts are permitted access.
The default policy (no access) is implemented with a trivial deny
file:
/etc/hosts.deny:
ALL: ALL
This denies all service to all hosts, unless they are permitted access
by entries in the allow file.
The explicitly authorized hosts are listed in the allow file.
For example:
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
The first rule permits access to all services from hosts in the local
domain (no `.' in the host name) and from members of the
some_netgroup netgroup. The second rule permits access to all
services from all hosts in the .foobar.edu domain, with the
exception of terminalserver.foobar.edu.
MOSTLY OPEN
Here, access is granted by default; only explicitly specified hosts are
refused service.
The default policy (access granted) makes the allow file redundant so
that it can be omitted. The explicitly non-authorized hosts are listed
in the deny file. For example:
/etc/hosts.deny:
ALL: some.host.name, .some.domain
ALL EXCEPT in.fingerd: other.host.name, .other.domain
The first rule denies some hosts all services; the second rule still
permits finger requests from other hosts.
BOOBY TRAPS
The next example permits tftp requests from hosts in the local domain.
Requests from any other hosts are denied. Instead of the requested
file, a finger probe is sent to the offending host. The result is
mailed to the superuser.
/etc/hosts.allow:
in.tftpd: LOCAL, .my.domain
/etc/hosts.deny:
in.tftpd: ALL: (/usr/ucb/finger -l @%h | /usr/ucb/mail -s %d-%h root) &
The expansion of the %h (remote host) and %d (service name) sequences
is described in the section on shell commands.
Warning: do not booby-trap your finger daemon, unless you are prepared
for infinite finger loops.
On network firewall systems this trick can be carried even further.
The typical network firewall only provides a limited set of services to
the outer world. All other services can be "bugged" just like the above
tftp example. The result is an excellent early-warning system.
DIAGNOSTICS
An error is reported when a syntax error is found in a host access
control rule; when the length of an access control rule exceeds the
capacity of an internal buffer; when an access control rule is not
terminated by a newline character; when the result of %<character>
expansion would overflow an internal buffer; when a system call fails
that shouldn't. All problems are reported via the syslog daemon.
FILES
/etc/hosts.allow, (daemon,client) pairs that are granted access.
/etc/hosts.deny, (daemon,client) pairs that are denied access.
SEE ALSO
tcpd(8) tcp/ip daemon wrapper program.
BUGS
If a name server lookup times out, the host name will not be available
to the access control software, even though the host is registered.
Domain name server lookups are case insensitive; NIS (formerly YP)
netgroup lookups are case sensitive.
AUTHOR
Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
Index
- NAME
-
- DESCRIPTION
-
- ACCESS CONTROL FILES
-
- ACCESS CONTROL RULES
-
- PATTERNS
-
- WILDCARDS
-
- OPERATORS
-
- SHELL COMMANDS
-
- EXAMPLES
-
- MOSTLY CLOSED
-
- MOSTLY OPEN
-
- BOOBY TRAPS
-
- DIAGNOSTICS
-
- FILES
-
- SEE ALSO
-
- BUGS
-
- AUTHOR
-
This document was created by
man2html,
using the manual pages.
Time: 12:50:41 GMT, November 04, 2024