*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> hosts_options (5)              



NAME    [Toc]    [Back]

     hosts_options - tcp wrapper host access control language extensions

DESCRIPTION    [Toc]    [Back]

     This  document describes optional extensions to the language
described in
     the hosts_access(5) document.

     The extensible language uses the following format:

           daemon_list : client_list : option : option ...

     The first two fields are described  in  the  hosts_access(5)
manual page.
     The  remainder  of  the  rules is a list of zero or more options.  Any ":"
     characters within options should be protected with  a  backslash.

     An  option is of the form "keyword" or "keyword value".  Options are processed
 in the specified order.  Some options  are  subjected
to %<letter>
     substitutions.  For the sake of backwards compatibility with
earlier versions,
 an "=" is permitted between keyword and value.

LOGGING    [Toc]    [Back]

     severity mail.info

     severity notice     Change the severity level at  which  the
event will be
                         logged.   Facility  names (such as mail)
are optional,
                         and are not supported  on  systems  with
older syslog
                         implementations.   The  severity  option
can be used to
                         emphasize or to ignore specific  events.

ACCESS CONTROL    [Toc]    [Back]


     deny    Grant  (deny) service.  These options must appear at
the end of a

     The allow and deny keywords make it possible to keep all access control
     rules   within   a   single   file,   for   example  in  the
/etc/hosts.allow file.

     To permit access from specific hosts only:

           ALL: .friendly.domain: ALLOW
           ALL: ALL: DENY

     To permit access from all hosts except a few trouble makers:

           ALL: .bad.domain: DENY
           ALL: ALL: ALLOW

     Notice the leading dot on the domain name patterns.


     spawn shell_command  Execute, in a child process, the specified shell
                          command, after performing the %<letter>
                          described in the hosts_access(5) manual
page.  The
                          command is executed with stdin,  stdout
and stderr
                          connected  to  the null device, so that
it won't mess
                          up the  conversation  with  the  client
host.  Example:

                                spawn (/some/where/safe_finger -l
@%h |                                         /usr/ucb/mail root)

                          executes,  in  a  background child process, the shell
                          command  "safe_finger  -l  @%h  |  mail
root" after replacing
  %h  by  the name or address of
the remote

                          The example uses the "safe_finger" command instead
                          of  the  regular  "finger"  command, to
limit possible
                          damage from data  sent  by  the  finger
server.  The
                          "safe_finger"  command  is  part of the
daemon wrapper
                          package; it is  a  wrapper  around  the
regular finger
                          command  that  filters the data sent by
the remote

     twist shell_command  Replace the current process by  an  instance of the
                          specified shell command, after performing the %<letter>
  expansions   described   in   the
                          manual  page.  Stdin, stdout and stderr
are connected
                          to the  client  process.   This  option
must appear at
                          the end of a rule.

                          To  send a customized bounce message to
the client
                          instead of running the real ftp daemon:

                                ftpd  : ... : twist /bin/echo 421
Some bounce message

                          For  an  alternative  way  to  talk  to
client processes,
                          see the banners option below.

                          To run /some/other/telnetd without polluting its
                          command-line array or its process environment:

                                telnetd    :    ...    :    twist
PATH=/some/other;                                            exec

                          Warning:   in  case of UDP services, do
not twist to
                          commands that use the standard  I/O  or
the read(2) or
                          write(2)  routines  to communicate with
the client
                          process; UDP requires other I/O  primitives.

NETWORK OPTIONS    [Toc]    [Back]

     keepalive                  Causes the server to periodically
send a message
 to the client.   The  connection is considered
  broken  when the client does
not respond.
                               The keepalive option can be useful
when users
                               turn off their machine while it is
still connected
 to a server.  The keepalive
option is
                               not useful for datagram (UDP) services.

     linger number_of_seconds  Specifies how long the kernel will
try to deliver
 not-yet delivered data after
the server
                               process closes a connection.

USERNAME LOOKUP    [Toc]    [Back]

     rfc931 [ timeout_in_seconds ]  Look up the client user  name
with the RFC
                                    931  (TAP,  IDENT,  RFC 1413)
protocol.  This
                                    option is silently ignored in
case of services
   based  on  transports
other than TCP.
                                    It requires that  the  client
system runs an
                                    RFC  931  (IDENT, etc.) -compliant daemon,
                                    and may cause noticeable  delays with connections
     from    non-UNIX
clients.  The timeout
 period is  optional.   If
no timeout is
                                    specified  a compile-time defined default
                                    value is taken.

MISCELLANEOUS    [Toc]    [Back]

     banners /some/directory  Look for a file in  /some/directory
with the same
                              name as the daemon process (for example telnetd
                              for the telnet service),  and  copy
its contents
                              to  the client.  Newline characters
are replaced
                              by  carriage-return  newline,   and
%<letter> sequences
   are   expanded  (see  the
                              manual page).

                              Warning: banners are supported  for
 (TCP) network services only.

     nice [ number ]          Change the nice value of  the  process (default
                              10).   Specify  a positive value to
spend more CPU
                              resources on other processes.

     setenv name value        Place a (name, value) pair into the
process environment.
   The value is subjected
to %<letter>
                              expansions and may contain  whitespace (but leading
   and   trailing   blanks   are
stripped off).

                              Warning: many network daemons reset
their environment
  before spawning a login or
shell process.

     umask 022                Like  the  umask  command  that  is
built into the
                              shell.   An  umask  of 022 prevents
the creation of
                              files with group  and  world  write
                              The umask argument should be an octal number.

     user nobody

     user nobody.kmem         Assume the privileges of  the  "nobody" userid (or
                              user  "nobody", group "kmem").  The
first form is
                              useful with  inetd  implementations
that run all
                              services  with root privilege.  The
second form
                              is useful for  services  that  need
special group
                              privileges only.

DIAGNOSTICS    [Toc]    [Back]

     When  a syntax error is found in an access control rule, the
error is reported
 to the syslog daemon; further  options  will  be  ignored, and service
     is denied.

SEE ALSO    [Toc]    [Back]


AUTHORS    [Toc]    [Back]

           Wietse Venema (wietse@wzv.win.tue.nl)
           Department of Mathematics and Computing Science
           Eindhoven University of Technology
           Den Dolech 2, P.O. Box 513,
           5600 MB Eindhoven, The Netherlands

OpenBSD      3.6                           June      23,     1997
[ Back ]
 Similar pages
Name OS Title
hosts_options HP-UX host access control language extensions
hosts_options Linux host access control language extensions
hosts_options FreeBSD host access control language extensions
hosts.allow OpenBSD tcp wrapper format of host access control files
hosts.deny OpenBSD tcp wrapper format of host access control files
hosts_access OpenBSD tcp wrapper format of host access control files
request_init OpenBSD tcp wrapper access control library
request_set OpenBSD tcp wrapper access control library
hosts_access OpenBSD tcp wrapper access control library
hosts_ctl OpenBSD tcp wrapper access control library
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service