1 | .TH HOSTS_ACCESS 5 |
---|
2 | .SH NAME |
---|
3 | hosts_access \- format of host access control files |
---|
4 | .SH DESCRIPTION |
---|
5 | This manual page describes a simple access control language that is |
---|
6 | based on client (host name/address, user name), and server (process |
---|
7 | name, host name/address) patterns. Examples are given at the end. The |
---|
8 | impatient reader is encouraged to skip to the EXAMPLES section for a |
---|
9 | quick introduction. |
---|
10 | .PP |
---|
11 | An extended version of the access control language is described in the |
---|
12 | \fIhosts_options\fR(5) document. The extensions are turned on at |
---|
13 | program build time by building with -DPROCESS_OPTIONS. |
---|
14 | .PP |
---|
15 | In the following text, \fIdaemon\fR is the the process name of a |
---|
16 | network daemon process, and \fIclient\fR is the name and/or address of |
---|
17 | a host requesting service. Network daemon process names are specified |
---|
18 | in the inetd configuration file. |
---|
19 | .SH ACCESS CONTROL FILES |
---|
20 | The access control software consults two files. The search stops |
---|
21 | at the first match: |
---|
22 | .IP \(bu |
---|
23 | Access will be granted when a (daemon,client) pair matches an entry in |
---|
24 | the \fI/etc/hosts.allow\fR file. |
---|
25 | .IP \(bu |
---|
26 | Otherwise, access will be denied when a (daemon,client) pair matches an |
---|
27 | entry in the \fI/etc/hosts.deny\fR file. |
---|
28 | .IP \(bu |
---|
29 | Otherwise, access will be granted. |
---|
30 | .PP |
---|
31 | A non-existing access control file is treated as if it were an empty |
---|
32 | file. Thus, access control can be turned off by providing no access |
---|
33 | control files. |
---|
34 | .SH ACCESS CONTROL RULES |
---|
35 | Each access control file consists of zero or more lines of text. These |
---|
36 | lines are processed in order of appearance. The search terminates when a |
---|
37 | match is found. |
---|
38 | .IP \(bu |
---|
39 | A newline character is ignored when it is preceded by a backslash |
---|
40 | character. This permits you to break up long lines so that they are |
---|
41 | easier to edit. |
---|
42 | .IP \(bu |
---|
43 | Blank lines or lines that begin with a `#\' character are ignored. |
---|
44 | This permits you to insert comments and whitespace so that the tables |
---|
45 | are easier to read. |
---|
46 | .IP \(bu |
---|
47 | All other lines should satisfy the following format, things between [] |
---|
48 | being optional: |
---|
49 | .sp |
---|
50 | .ti +3 |
---|
51 | daemon_list : client_list [ : shell_command ] |
---|
52 | .PP |
---|
53 | \fIdaemon_list\fR is a list of one or more daemon process names |
---|
54 | (argv[0] values) or wildcards (see below). |
---|
55 | .PP |
---|
56 | \fIclient_list\fR is a list |
---|
57 | of one or more host names, host addresses, patterns or wildcards (see |
---|
58 | below) that will be matched against the client host name or address. |
---|
59 | .PP |
---|
60 | The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are |
---|
61 | explained in the sections on server endpoint patterns and on client |
---|
62 | username lookups, respectively. |
---|
63 | .PP |
---|
64 | List elements should be separated by blanks and/or commas. |
---|
65 | .PP |
---|
66 | With the exception of NIS (YP) netgroup lookups, all access control |
---|
67 | checks are case insensitive. |
---|
68 | .ne 4 |
---|
69 | .SH PATTERNS |
---|
70 | The access control language implements the following patterns: |
---|
71 | .IP \(bu |
---|
72 | A string that begins with a `.\' character. A host name is matched if |
---|
73 | the last components of its name match the specified pattern. For |
---|
74 | example, the pattern `.tue.nl\' matches the host name |
---|
75 | `wzv.win.tue.nl\'. |
---|
76 | .IP \(bu |
---|
77 | A string that ends with a `.\' character. A host address is matched if |
---|
78 | its first numeric fields match the given string. For example, the |
---|
79 | pattern `131.155.\' matches the address of (almost) every host on the |
---|
80 | Eind\%hoven University network (131.155.x.x). |
---|
81 | .IP \(bu |
---|
82 | A string that begins with an `@\' character is treated as an NIS |
---|
83 | (formerly YP) netgroup name. A host name is matched if it is a host |
---|
84 | member of the specified netgroup. Netgroup matches are not supported |
---|
85 | for daemon process names or for client user names. |
---|
86 | .IP \(bu |
---|
87 | An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a |
---|
88 | `net/mask\' pair. A host address is matched if `net\' is equal to the |
---|
89 | bitwise AND of the address and the `mask\'. For example, the net/mask |
---|
90 | pattern `131.155.72.0/255.255.254.0\' matches every address in the |
---|
91 | range `131.155.72.0\' through `131.155.73.255\'. |
---|
92 | .SH WILDCARDS |
---|
93 | The access control language supports explicit wildcards: |
---|
94 | .IP ALL |
---|
95 | The universal wildcard, always matches. |
---|
96 | .IP LOCAL |
---|
97 | Matches any host whose name does not contain a dot character. |
---|
98 | .IP UNKNOWN |
---|
99 | Matches any user whose name is unknown, and matches any host whose name |
---|
100 | \fIor\fR address are unknown. This pattern should be used with care: |
---|
101 | host names may be unavailable due to temporary name server problems. A |
---|
102 | network address will be unavailable when the software cannot figure out |
---|
103 | what type of network it is talking to. |
---|
104 | .IP KNOWN |
---|
105 | Matches any user whose name is known, and matches any host whose name |
---|
106 | \fIand\fR address are known. This pattern should be used with care: |
---|
107 | host names may be unavailable due to temporary name server problems. A |
---|
108 | network address will be unavailable when the software cannot figure out |
---|
109 | what type of network it is talking to. |
---|
110 | .IP PARANOID |
---|
111 | Matches any host whose name does not match its address. When tcpd is |
---|
112 | built with -DPARANOID (default mode), it drops requests from such |
---|
113 | clients even before looking at the access control tables. Build |
---|
114 | without -DPARANOID when you want more control over such requests. |
---|
115 | .ne 6 |
---|
116 | .SH OPERATORS |
---|
117 | .IP EXCEPT |
---|
118 | Intended use is of the form: `list_1 EXCEPT list_2\'; this construct |
---|
119 | matches anything that matches \fIlist_1\fR unless it matches |
---|
120 | \fIlist_2\fR. The EXCEPT operator can be used in daemon_lists and in |
---|
121 | client_lists. The EXCEPT operator can be nested: if the control |
---|
122 | language would permit the use of parentheses, `a EXCEPT b EXCEPT c\' |
---|
123 | would parse as `(a EXCEPT (b EXCEPT c))\'. |
---|
124 | .br |
---|
125 | .ne 6 |
---|
126 | .SH SHELL COMMANDS |
---|
127 | If the first-matched access control rule contains a shell command, that |
---|
128 | command is subjected to %<letter> substitutions (see next section). |
---|
129 | The result is executed by a \fI/bin/sh\fR child process with standard |
---|
130 | input, output and error connected to \fI/dev/null\fR. Specify an `&\' |
---|
131 | at the end of the command if you do not want to wait until it has |
---|
132 | completed. |
---|
133 | .PP |
---|
134 | Shell commands should not rely on the PATH setting of the inetd. |
---|
135 | Instead, they should use absolute path names, or they should begin with |
---|
136 | an explicit PATH=whatever statement. |
---|
137 | .PP |
---|
138 | The \fIhosts_options\fR(5) document describes an alternative language |
---|
139 | that uses the shell command field in a different and incompatible way. |
---|
140 | .SH % EXPANSIONS |
---|
141 | The following expansions are available within shell commands: |
---|
142 | .IP "%a (%A)" |
---|
143 | The client (server) host address. |
---|
144 | .IP %c |
---|
145 | Client information: user@host, user@address, a host name, or just an |
---|
146 | address, depending on how much information is available. |
---|
147 | .IP %d |
---|
148 | The daemon process name (argv[0] value). |
---|
149 | .IP "%h (%H)" |
---|
150 | The client (server) host name or address, if the host name is |
---|
151 | unavailable. |
---|
152 | .IP "%n (%N)" |
---|
153 | The client (server) host name (or "unknown" or "paranoid"). |
---|
154 | .IP %p |
---|
155 | The daemon process id. |
---|
156 | .IP %s |
---|
157 | Server information: daemon@host, daemon@address, or just a daemon name, |
---|
158 | depending on how much information is available. |
---|
159 | .IP %u |
---|
160 | The client user name (or "unknown"). |
---|
161 | .IP %% |
---|
162 | Expands to a single `%\' character. |
---|
163 | .PP |
---|
164 | Characters in % expansions that may confuse the shell are replaced by |
---|
165 | underscores. |
---|
166 | .SH SERVER ENDPOINT PATTERNS |
---|
167 | In order to distinguish clients by the network address that they |
---|
168 | connect to, use patterns of the form: |
---|
169 | .sp |
---|
170 | .ti +3 |
---|
171 | process_name@host_pattern : client_list ... |
---|
172 | .sp |
---|
173 | Patterns like these can be used when the machine has different internet |
---|
174 | addresses with different internet hostnames. Service providers can use |
---|
175 | this facility to offer FTP, GOPHER or WWW archives with internet names |
---|
176 | that may even belong to different organizations. See also the `twist' |
---|
177 | option in the hosts_options(5) document. Some systems (Solaris, |
---|
178 | FreeBSD) can have more than one internet address on one physical |
---|
179 | interface; with other systems you may have to resort to SLIP or PPP |
---|
180 | pseudo interfaces that live in a dedicated network address space. |
---|
181 | .sp |
---|
182 | The host_pattern obeys the same syntax rules as host names and |
---|
183 | addresses in client_list context. Usually, server endpoint information |
---|
184 | is available only with connection-oriented services. |
---|
185 | .SH CLIENT USERNAME LOOKUP |
---|
186 | When the client host supports the RFC 931 protocol or one of its |
---|
187 | descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve |
---|
188 | additional information about the owner of a connection. Client username |
---|
189 | information, when available, is logged together with the client host |
---|
190 | name, and can be used to match patterns like: |
---|
191 | .PP |
---|
192 | .ti +3 |
---|
193 | daemon_list : ... user_pattern@host_pattern ... |
---|
194 | .PP |
---|
195 | The daemon wrappers can be configured at compile time to perform |
---|
196 | rule-driven username lookups (default) or to always interrogate the |
---|
197 | client host. In the case of rule-driven username lookups, the above |
---|
198 | rule would cause username lookup only when both the \fIdaemon_list\fR |
---|
199 | and the \fIhost_pattern\fR match. |
---|
200 | .PP |
---|
201 | A user pattern has the same syntax as a daemon process pattern, so the |
---|
202 | same wildcards apply (netgroup membership is not supported). One |
---|
203 | should not get carried away with username lookups, though. |
---|
204 | .IP \(bu |
---|
205 | The client username information cannot be trusted when it is needed |
---|
206 | most, i.e. when the client system has been compromised. In general, |
---|
207 | ALL and (UN)KNOWN are the only user name patterns that make sense. |
---|
208 | .IP \(bu |
---|
209 | Username lookups are possible only with TCP-based services, and only |
---|
210 | when the client host runs a suitable daemon; in all other cases the |
---|
211 | result is "unknown". |
---|
212 | .IP \(bu |
---|
213 | A well-known UNIX kernel bug may cause loss of service when username |
---|
214 | lookups are blocked by a firewall. The wrapper README document |
---|
215 | describes a procedure to find out if your kernel has this bug. |
---|
216 | .IP \(bu |
---|
217 | Username lookups may cause noticeable delays for non-UNIX users. The |
---|
218 | default timeout for username lookups is 10 seconds: too short to cope |
---|
219 | with slow networks, but long enough to irritate PC users. |
---|
220 | .PP |
---|
221 | Selective username lookups can alleviate the last problem. For example, |
---|
222 | a rule like: |
---|
223 | .PP |
---|
224 | .ti +3 |
---|
225 | daemon_list : @pcnetgroup ALL@ALL |
---|
226 | .PP |
---|
227 | would match members of the pc netgroup without doing username lookups, |
---|
228 | but would perform username lookups with all other systems. |
---|
229 | .SH DETECTING ADDRESS SPOOFING ATTACKS |
---|
230 | A flaw in the sequence number generator of many TCP/IP implementations |
---|
231 | allows intruders to easily impersonate trusted hosts and to break in |
---|
232 | via, for example, the remote shell service. The IDENT (RFC931 etc.) |
---|
233 | service can be used to detect such and other host address spoofing |
---|
234 | attacks. |
---|
235 | .PP |
---|
236 | Before accepting a client request, the wrappers can use the IDENT |
---|
237 | service to find out that the client did not send the request at all. |
---|
238 | When the client host provides IDENT service, a negative IDENT lookup |
---|
239 | result (the client matches `UNKNOWN@host') is strong evidence of a host |
---|
240 | spoofing attack. |
---|
241 | .PP |
---|
242 | A positive IDENT lookup result (the client matches `KNOWN@host') is |
---|
243 | less trustworthy. It is possible for an intruder to spoof both the |
---|
244 | client connection and the IDENT lookup, although doing so is much |
---|
245 | harder than spoofing just a client connection. It may also be that |
---|
246 | the client\'s IDENT server is lying. |
---|
247 | .PP |
---|
248 | Note: IDENT lookups don\'t work with UDP services. |
---|
249 | .SH EXAMPLES |
---|
250 | The language is flexible enough that different types of access control |
---|
251 | policy can be expressed with a minimum of fuss. Although the language |
---|
252 | uses two access control tables, the most common policies can be |
---|
253 | implemented with one of the tables being trivial or even empty. |
---|
254 | .PP |
---|
255 | When reading the examples below it is important to realize that the |
---|
256 | allow table is scanned before the deny table, that the search |
---|
257 | terminates when a match is found, and that access is granted when no |
---|
258 | match is found at all. |
---|
259 | .PP |
---|
260 | The examples use host and domain names. They can be improved by |
---|
261 | including address and/or network/netmask information, to reduce the |
---|
262 | impact of temporary name server lookup failures. |
---|
263 | .SH MOSTLY CLOSED |
---|
264 | In this case, access is denied by default. Only explicitly authorized |
---|
265 | hosts are permitted access. |
---|
266 | .PP |
---|
267 | The default policy (no access) is implemented with a trivial deny |
---|
268 | file: |
---|
269 | .PP |
---|
270 | .ne 2 |
---|
271 | /etc/hosts.deny: |
---|
272 | .in +3 |
---|
273 | ALL: ALL |
---|
274 | .PP |
---|
275 | This denies all service to all hosts, unless they are permitted access |
---|
276 | by entries in the allow file. |
---|
277 | .PP |
---|
278 | The explicitly authorized hosts are listed in the allow file. |
---|
279 | For example: |
---|
280 | .PP |
---|
281 | .ne 2 |
---|
282 | /etc/hosts.allow: |
---|
283 | .in +3 |
---|
284 | ALL: LOCAL @some_netgroup |
---|
285 | .br |
---|
286 | ALL: .foobar.edu EXCEPT terminalserver.foobar.edu |
---|
287 | .PP |
---|
288 | The first rule permits access from hosts in the local domain (no `.\' |
---|
289 | in the host name) and from members of the \fIsome_netgroup\fP |
---|
290 | netgroup. The second rule permits access from all hosts in the |
---|
291 | \fIfoobar.edu\fP domain (notice the leading dot), with the exception of |
---|
292 | \fIterminalserver.foobar.edu\fP. |
---|
293 | .SH MOSTLY OPEN |
---|
294 | Here, access is granted by default; only explicitly specified hosts are |
---|
295 | refused service. |
---|
296 | .PP |
---|
297 | The default policy (access granted) makes the allow file redundant so |
---|
298 | that it can be omitted. The explicitly non-authorized hosts are listed |
---|
299 | in the deny file. For example: |
---|
300 | .PP |
---|
301 | /etc/hosts.deny: |
---|
302 | .in +3 |
---|
303 | ALL: some.host.name, .some.domain |
---|
304 | .br |
---|
305 | ALL EXCEPT in.fingerd: other.host.name, .other.domain |
---|
306 | .PP |
---|
307 | The first rule denies some hosts and domains all services; the second |
---|
308 | rule still permits finger requests from other hosts and domains. |
---|
309 | .SH BOOBY TRAPS |
---|
310 | The next example permits tftp requests from hosts in the local domain |
---|
311 | (notice the leading dot). Requests from any other hosts are denied. |
---|
312 | Instead of the requested file, a finger probe is sent to the offending |
---|
313 | host. The result is mailed to the superuser. |
---|
314 | .PP |
---|
315 | .ne 2 |
---|
316 | /etc/hosts.allow: |
---|
317 | .in +3 |
---|
318 | .nf |
---|
319 | in.tftpd: LOCAL, .my.domain |
---|
320 | .PP |
---|
321 | .ne 2 |
---|
322 | /etc/hosts.deny: |
---|
323 | .in +3 |
---|
324 | .nf |
---|
325 | in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ |
---|
326 | /usr/ucb/mail -s %d-%h root) & |
---|
327 | .fi |
---|
328 | .PP |
---|
329 | The safe_finger command comes with the tcpd wrapper and should be |
---|
330 | installed in a suitable place. It limits possible damage from data sent |
---|
331 | by the remote finger server. It gives better protection than the |
---|
332 | standard finger command. |
---|
333 | .PP |
---|
334 | The expansion of the %h (client host) and %d (service name) sequences |
---|
335 | is described in the section on shell commands. |
---|
336 | .PP |
---|
337 | Warning: do not booby-trap your finger daemon, unless you are prepared |
---|
338 | for infinite finger loops. |
---|
339 | .PP |
---|
340 | On network firewall systems this trick can be carried even further. |
---|
341 | The typical network firewall only provides a limited set of services to |
---|
342 | the outer world. All other services can be "bugged" just like the above |
---|
343 | tftp example. The result is an excellent early-warning system. |
---|
344 | .br |
---|
345 | .ne 4 |
---|
346 | .SH DIAGNOSTICS |
---|
347 | An error is reported when a syntax error is found in a host access |
---|
348 | control rule; when the length of an access control rule exceeds the |
---|
349 | capacity of an internal buffer; when an access control rule is not |
---|
350 | terminated by a newline character; when the result of %<letter> |
---|
351 | expansion would overflow an internal buffer; when a system call fails |
---|
352 | that shouldn\'t. All problems are reported via the syslog daemon. |
---|
353 | .SH FILES |
---|
354 | .na |
---|
355 | .nf |
---|
356 | /etc/hosts.allow, (daemon,client) pairs that are granted access. |
---|
357 | /etc/hosts.deny, (daemon,client) pairs that are denied access. |
---|
358 | .ad |
---|
359 | .fi |
---|
360 | .SH SEE ALSO |
---|
361 | .nf |
---|
362 | tcpd(8) tcp/ip daemon wrapper program. |
---|
363 | tcpdchk(8), tcpdmatch(8), test programs. |
---|
364 | .SH BUGS |
---|
365 | If a name server lookup times out, the host name will not be available |
---|
366 | to the access control software, even though the host is registered. |
---|
367 | .PP |
---|
368 | Domain name server lookups are case insensitive; NIS (formerly YP) |
---|
369 | netgroup lookups are case sensitive. |
---|
370 | .SH AUTHOR |
---|
371 | .na |
---|
372 | .nf |
---|
373 | Wietse Venema (wietse@wzv.win.tue.nl) |
---|
374 | Department of Mathematics and Computing Science |
---|
375 | Eindhoven University of Technology |
---|
376 | Den Dolech 2, P.O. Box 513, |
---|
377 | 5600 MB Eindhoven, The Netherlands |
---|
378 | \" @(#) hosts_access.5 1.20 95/01/30 19:51:46 |
---|