hosts_access.5 (2010 09)

hosts_access(5) hosts_access(5)
A string that begins with an at (@) character is treated as an NIS (formerly YP) netgroup name. A host
name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported
for daemon process names or for client user names.
An expression of the form n.n.n.n/m.m.m.m is interpreted as a "net/mask" pair. A host address is
matched if "net" is equal to the bit-wise AND of the address and the "mask". For example, the net/mask
pattern 131.155.72.0/255.255.254.0 matches every address in the range 131.155.72.0 through
131.155.73.255.
An expression of the form [IPv6_address/prefix_length] is interpreted as an IPv6 network prefix. A host
address is matched if the first prefix_length bits of IPv6_address and of the host address are equal.
For example, the pattern [3ffe::1111:1234/120] leaves the low 8 bits free and so matches every address
in the range 3ffe::1111:1200 through 3ffe::1111:12ff; to match 3ffe::1111:0 through 3ffe::1111:ffff,
use a prefix length of 112 instead.
Wildcards
The access control language supports explicit wildcards. They are:

ALL       The universal wildcard, always matches.

LOCAL     Matches any host whose name does not contain a dot character.

UNKNOWN   Matches any user whose name is unknown, and matches any host whose name or address is
          unknown. This pattern should be used with care: host names may be unavailable due to
          temporary name server problems, and a network address will be unavailable when the
          software cannot figure out what type of network it is talking to.

KNOWN     Matches any user whose name is known, and matches any host whose name and address are
          known. The same caution as for UNKNOWN applies: a temporary name server problem makes a
          legitimate host fail to match KNOWN.

PARANOID  Matches any host whose name does not match its address. If the configuration parameter
          on_reverselookup_fail in /etc/tcpd.conf is set to deny, tcpd drops requests from such
          clients even before looking at the access control tables.
Operators
The access control language supports the following operator:

EXCEPT    The format of using this operator is:

              list_1 EXCEPT list_2

          This construct matches anything that matches list_1, provided it does not match list_2.
          The EXCEPT operator can be used in daemon_lists and client_lists. The EXCEPT operator can
          be nested: if the control language permitted the use of parentheses, "a EXCEPT b EXCEPT c"
          would parse as "(a EXCEPT (b EXCEPT c))".
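The address patterns, wildcards and EXCEPT operator described above, as an added example (this is not code from tcp_wrappers or HP-UX): a Python matcher that evaluates a client_list against a client record. The Client record, the way KNOWN/UNKNOWN/PARANOID are represented on it, and the fallback exact match on a bare host name or address are assumptions of this example. It goes slightly beyond the page's own examples: it computes the address range an IPv6 prefix covers, and it accepts non-contiguous IPv4 masks, which the bit-wise AND definition admits.

```python
"""Matcher for the hosts_access(5) client patterns and EXCEPT operator.

Added example, not tcp_wrappers or HP-UX code.  Assumptions: the Client record
below stands in for what tcpd learns about a connection, and a bare pattern
that is none of the forms on this page matches a host name or address exactly.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

_ALL_ONES_128 = (1 << 128) - 1


@dataclass
class Client:
    address: Optional[str]                   # None: network type could not be determined
    name: Optional[str] = None               # None: reverse lookup failed (UNKNOWN host name)
    forward_addresses: Tuple[str, ...] = ()  # what a forward lookup of `name` returned


def _parse_ipv6_prefix(pattern: str) -> Tuple[int, int]:
    """'[addr/len]' -> (network as int, 128-bit mask with the first `len` bits set)."""
    addr_s, plen_s = pattern[1:-1].split("/", 1)
    plen = int(plen_s)
    if not 0 <= plen <= 128:
        raise ValueError(f"bad prefix length in {pattern}")
    mask = _ALL_ONES_128 ^ ((1 << (128 - plen)) - 1)
    return int(ipaddress.IPv6Address(addr_s)) & mask, mask


def ipv6_prefix_range(pattern: str) -> Tuple[str, str]:
    """First and last address covered by an '[IPv6_address/prefix_length]' pattern."""
    net, mask = _parse_ipv6_prefix(pattern)
    return (str(ipaddress.IPv6Address(net)),
            str(ipaddress.IPv6Address(net | (~mask & _ALL_ONES_128))))


def match_pattern(pattern: str, client: Client) -> bool:
    """Match one client_list token against a client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # no dot in the name; an unknown name never qualifies
        return client.name is not None and "." not in client.name
    if pattern == "UNKNOWN":
        return client.name is None or client.address is None
    if pattern == "KNOWN":
        return client.name is not None and client.address is not None
    if pattern == "PARANOID":                  # name known, but it does not map back to the address
        return client.name is not None and client.address not in client.forward_addresses
    if client.address is None:
        return False
    addr = ipaddress.ip_address(client.address)
    if pattern.startswith("[") and pattern.endswith("]"):
        net, mask = _parse_ipv6_prefix(pattern)
        return addr.version == 6 and (int(addr) & mask) == net
    if "/" in pattern:                         # n.n.n.n/m.m.m.m: net == addr & mask, bit-wise
        net_s, mask_s = pattern.split("/", 1)
        net = int(ipaddress.IPv4Address(net_s))
        mask = int(ipaddress.IPv4Address(mask_s))
        # A "net" with bits set outside the mask can never equal addr & mask: such a rule is dead.
        return addr.version == 4 and (int(addr) & mask) == net
    # Assumed fallback: exact (case-insensitive) host name or address.
    return pattern.lower() in {s.lower() for s in (client.name, client.address) if s}


def match_list(spec: str, client: Client) -> bool:
    """Evaluate a client_list such as 'ALL EXCEPT LOCAL EXCEPT fileserver'.

    Splitting at the *first* EXCEPT and recursing on the remainder makes the
    operator right-associative: a EXCEPT b EXCEPT c == a EXCEPT (b EXCEPT c).
    """
    tokens = spec.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        left, right = tokens[:i], tokens[i + 1:]
        if not left or not right:
            raise ValueError(f"EXCEPT needs a list on both sides: {spec!r}")
        return match_list(" ".join(left), client) and not match_list(" ".join(right), client)
    return any(match_pattern(t, client) for t in tokens)
```

The nested case is the one worth checking by hand: with "ALL EXCEPT LOCAL EXCEPT fileserver", a dotless host named printer is refused, while the dotless host fileserver is let back in by the inner EXCEPT, because the expression means ALL EXCEPT (LOCAL EXCEPT fileserver).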
Shell Commands
If the first-matched access control rule contains a shell command, the command is subjected to %letter
expansions (see next section). The result is executed by a /bin/sh child process with standard input,
output, and error connected to /dev/null. Specify an ampersand (&) at the end of the command if you do
not want to wait until the command has completed.

Shell commands should not rely on the PATH setting of inetd. Instead, they should use absolute path
names or begin with an explicit PATH=whatever statement.

The hosts_options(5) manual page describes the access control language that uses the shell command
field.
% Expansions
The following expansions are available within shell commands:

%a (%A)   The client (server) host address.

%c        Client information: user@host, user@address, a host name, or just an address, depending on
          how much information is available.

%d        The daemon process name (argv[0] value).

%h (%H)   The client (server) host name, or the address if the host name is not available.
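The shell-command field and the %letter expansions above, as an added example (this is not the tcpd source): a Python implementation of the expansions listed on this page, the %c fallback order, and execution through a /bin/sh child with standard input, output and error on /dev/null. Two details are this example's own: expanded values have shell metacharacters replaced with underscores so that a hostile reverse-DNS name or user name cannot inject commands into the shell line (the character set is an assumption), and the child is given a fixed PATH rather than inetd's. %% yielding a literal % is also an assumption, since the page does not list it.

```python
"""%letter expansion for the shell-command field, then execution via /bin/sh.

Added example, not the tcpd source.  Only the letters listed on this page are
handled.  Replacing shell metacharacters in expanded values with '_' is this
example's own hardening step (the character set is an assumption); so is the
fixed PATH handed to the shell, and so is %% expanding to a literal %.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Anything /bin/sh could interpret; legitimate host names and user names never need them.
_SHELL_META = set("`'\"\\;&|<>$(){}[]*?!~#^ \t\n\r")


@dataclass
class Conn:
    daemon: str                          # argv[0] of the daemon, e.g. "telnetd"
    client_addr: str
    server_addr: str
    client_name: Optional[str] = None    # None when the reverse lookup failed
    server_name: Optional[str] = None
    client_user: Optional[str] = None    # None when no user name is available


def _neutralise(value: str) -> str:
    """Make an expanded value inert for /bin/sh by replacing metacharacters."""
    return "".join("_" if ch in _SHELL_META else ch for ch in value)


def client_info(c: Conn) -> str:
    """%c: user@host, user@address, host name, or address, whichever is available."""
    host = c.client_name or c.client_addr
    return f"{c.client_user}@{host}" if c.client_user else host


def expand_percent(template: str, c: Conn) -> str:
    """Apply the %letter expansions of this page to a shell-command template.

    Only the values substituted in are neutralised; quoting written by the
    administrator in the template is left alone.
    """
    table = {
        "a": c.client_addr,
        "A": c.server_addr,
        "c": client_info(c),
        "d": c.daemon,
        "h": c.client_name or c.client_addr,
        "H": c.server_name or c.server_addr,
    }

    def sub(m: re.Match) -> str:
        letter = m.group(1)
        if letter == "%":
            return "%"
        if letter not in table:
            raise ValueError(f"unknown expansion %{letter}")
        return _neutralise(table[letter])

    return re.sub(r"%(.)", sub, template)


def run_shell_command(command: str) -> int:
    """Run an expanded command as the page describes: a /bin/sh child with
    stdin, stdout and stderr on /dev/null.  A trailing '&' is handled by the
    shell itself, which then exits at once, so waiting on the shell does not
    block on the backgrounded command."""
    proc = subprocess.Popen(
        ["/bin/sh", "-c", command],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        env={"PATH": "/usr/bin:/bin"},       # do not inherit inetd's PATH (assumption)
    )
    return proc.wait()
```

With a constructed client name of "evil;rm -rf /.example", the template "/usr/bin/logger -p auth.info 'refused %d from %c'" expands to a line in which the semicolon and spaces inside the name have become underscores, so the shell sees one harmless word instead of a second command.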
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010