HP-UX Reference (11i v2 04/09) - 5 Miscellaneous Topics (vol 9)

hosts_options(5) hosts_options(5)
NAME
hosts_options - host access control language extensions
DESCRIPTION
This manual page describes the optional extensions to the language described in the hosts_access (5)
manual page.
The extensible language uses the following format:
daemon_list : client_list : option : option ...
The first two fields are described in the hosts_access (5) manual page. Briefly, daemon_list is a list of one
or more daemon process names or wildcards. client_list is a list of one or more host names, host
addresses, patterns or wildcards that will be matched against the client host name or address.
The remainder of the rules is a list of zero or more options. Any ":" characters within options must be
protected with a backslash "\".
An option is of the form "keyword" or "keyword value". Options are processed in the specified order.
Some options are subjected to %letter substitutions. For the sake of backwards compatibility with earlier
versions, an equals sign "=" is permitted between keyword and value.
Logging Options
severity mail.info
severity notice
Change the severity level at which the event will be logged. Facility names (such as mail) are optional
and are not supported on systems with older syslog implementations. See syslog (3C) for information on
facilities. The severity option can be used to emphasize or to ignore specific events.
Access Control Options
allow
deny
Grant or deny the service for allow and deny options respectively. These options must appear at the
end of a rule.
The allow and deny keywords make it possible to keep all access control rules within a single file, for
example in the hosts.allow file. Examples are as follows:
To permit access from specific hosts only:
ALL: .friendly.domain: ALLOW
ALL: ALL: DENY
To permit access from all hosts except a few trouble-makers:
ALL: .bad.domain: DENY
ALL: ALL: ALLOW
Notice the leading dot (.) on the domain name patterns.
Running Other Commands
spawn shell_command
Execute, in a child process, the specified shell command, after performing the %letter expansions
described in the hosts_access (5) manual page. The command is executed with stdin, stdout and
stderr connected to the null device, so that it will not mess up the conversation with the client
host. For example:
spawn (/usr/bin/sffinger -l @%h | \
/usr/bin/mailx -s "alert" root) &
executes, in a background child process, the shell command
sffinger -l @%h | mail root
after replacing %h by the name or address of the remote host.
The example uses the sffinger command instead of the regular finger command to limit possible
damage from data sent by the finger server. The sffinger command is part of the daemon
wrapper package. It is a wrapper around the regular finger command that filters the data sent
by the remote host.
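The rule format and the "allow/deny must appear at the end of a rule" requirement described above can be checked mechanically before a rules file is deployed. The following is an added example, not part of the original manual page or of the daemon wrapper package: a small Python checker that splits a rule on unprotected ":" characters, accepts both "keyword value" and "keyword=value", and flags a misplaced allow or deny. The function names and the sample rules are constructed for illustration; joining backslash-newline continuations and skipping "#" lines are assumed to follow the hosts_access (5) file conventions.

```python
import re

FIELD_SEP = re.compile(r"(?<!\\):")      # ":" not protected by a backslash
OPTION = re.compile(r"(\w+)\s*=?\s*(.*)$", re.S)   # keyword [=] [value]
TERMINAL = {"allow", "deny"}             # must be the last option of a rule

def logical_lines(text):
    """Join backslash-newline continuations; drop blank and '#' lines."""
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_rule(line):
    """Return (daemon_list, client_list, [(keyword, value), ...])."""
    fields = [f.strip() for f in FIELD_SEP.split(line)]
    if len(fields) < 2 or not fields[0] or not fields[1]:
        raise ValueError("need daemon_list : client_list")
    options = []
    for raw in fields[2:]:
        # Remove the protecting backslash only after the split is done.
        m = OPTION.match(raw.replace("\\:", ":"))
        if not m:
            raise ValueError("empty or malformed option: %r" % raw)
        options.append((m.group(1).lower(), m.group(2).strip()))
    return fields[0], fields[1], options

def lint_rule(line):
    """List the problems a reviewer would flag in one rule."""
    _, _, options = parse_rule(line)
    problems = []
    for i, (keyword, _value) in enumerate(options):
        if keyword in TERMINAL and i != len(options) - 1:
            problems.append("'%s' is not the last option" % keyword)
    return problems

# Constructed sample rules, not taken from a real system.
SAMPLE = r"""
# constructed hosts.allow
ALL: .friendly.domain: severity mail.info: ALLOW
in.ftpd: ALL: deny: severity=notice
in.telnetd: .bad.domain: spawn (echo denied\: %h >> /tmp/tcpd.log) & \
    : DENY
"""

if __name__ == "__main__":
    for rule in logical_lines(SAMPLE):
        print(parse_rule(rule), lint_rule(rule) or "ok")
```

The second sample rule is reported because deny is followed by another option; the third shows a protected ":" inside a spawn command surviving the field split.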
HP-UX 11i Version 2: September 2004 1 Hewlett-Packard Company Section 5141