hosts_options.5 (2010 09)

hosts_options(5) hosts_options(5)
NAME
hosts_options - host access control language extensions
DESCRIPTION
This manual page describes the optional extensions to the language described in hosts_access(5).
The extensible language uses the following format:
daemon_list : client_list : option : option ...
The first two fields are described in hosts_access(5). Briefly, daemon_list is a list of one or more daemon
process names or wildcards. client_list is a list of one or more host names, host addresses, patterns or
wildcards that will be matched against the client host name or address.
The remainder of the rules is a list of zero or more options. Any ":" characters within options must be
protected with a backslash "\".
An option is of the form "keyword" or "keyword value". Options are processed in the specified order.
Some options are subjected to %letter substitutions. For the sake of backwards compatibility with earlier
versions, an equals sign "=" is permitted between keyword and value.
Logging Options
severity mail.info
severity notice
Change the severity level at which the event will be logged. Facility names (such as mail) are optional
and are not supported on systems with older syslog implementations. See syslog(3C) for details on
facilities. The severity option can be used to emphasize or to ignore specific events.
Access Control Options
allow
deny
Grant or deny the service for allow and deny options respectively. These options must appear at the
end of a rule.
The allow and deny keywords make it possible to keep all access control rules within a single file, for
example in the hosts.allow file. Examples are as follows:
To permit access from specific hosts only:
ALL: .friendly.domain: ALLOW
ALL: ALL: DENY
To permit access from all hosts except a few trouble-makers:
ALL: .bad.domain: DENY
ALL: ALL: ALLOW
Notice the leading dot (.) on the domain name patterns.
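The rule format and the "allow/deny must be last" requirement described above can be checked mechanically. The following Python sketch is an added example, not part of the original manual page or of the wrapper package; the function names are hypothetical, it assumes continuation lines have already been joined into one logical line, and the spawn rule in the samples is constructed.

```python
import re

TERMINAL = {"allow", "deny"}  # the page: these must appear at the end of a rule

def split_fields(rule):
    """Split one logical rule line on ':' not protected by a backslash."""
    fields, cur, i = [], [], 0
    while i < len(rule):
        if rule.startswith("\\:", i):   # protected colon stays in the field
            cur.append(":")
            i += 2
            continue
        if rule[i] == ":":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(rule[i])
        i += 1
    fields.append("".join(cur).strip())
    return fields

def parse_option(text):
    """Accept 'keyword', 'keyword value' and the older 'keyword=value'."""
    m = re.match(r"(\S+?)(?:\s*=\s*|\s+|$)(.*)", text, re.S)
    # Lower-casing keywords is an assumption (the page shows allow and ALLOW).
    return m.group(1).lower(), m.group(2).strip()

def parse_rule(rule):
    fields = split_fields(rule)
    if len(fields) < 2 or not fields[0] or not fields[1]:
        raise ValueError("rule needs daemon_list : client_list")
    options = [parse_option(f) for f in fields[2:] if f]  # empty fields skipped
    problems = [f"'{kw}' is option {n} of {len(options)} but must be last"
                for n, (kw, _) in enumerate(options, 1)
                if kw in TERMINAL and n != len(options)]
    return {"daemons": fields[0], "clients": fields[1],
            "options": options, "problems": problems}

if __name__ == "__main__":
    samples = [
        "ALL: .friendly.domain: ALLOW",                       # from the page
        "ALL: .bad.domain: deny: severity=notice",            # constructed, misordered
        r'in.ftpd: ALL: spawn (echo "refused\: %h" >> /var/tmp/wrap.log) &: deny',
    ]
    for s in samples:
        r = parse_rule(s)
        print(r["options"], r["problems"] or "ok")
```

Running it over a hosts.allow file before deployment catches a misplaced allow or deny and an unprotected ":" that would otherwise split a spawn command into separate options.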
Running Other Commands
spawn shell_command
Execute, in a child process, the specified shell command, after performing the %letter expansions
described in hosts_access(5). The command is executed with stdin, stdout and stderr connected
to the null device, so that it will not mess up the conversation with the client host. For example:
spawn (/usr/bin/sffinger -l @%h | \
/usr/bin/mailx -s "alert" root) &
executes, in a background child process, the shell command
sffinger -l @%h | mail root
after replacing %h by the name or address of the remote host.
The example uses the sffinger command instead of the regular finger command to limit possible
damage from data sent by the finger server. The sffinger command is part of the daemon
wrapper package. It is a wrapper around the regular finger command that filters the data sent
by the remote host.
HP-UX 11i Version 3: September 2010 1 Hewlett-Packard Company 1
