

Page 1135

The daemon wrappers can be configured at compile time to perform rule-driven username lookups (default) or to always interrogate the client host. In the case of rule-driven username lookups, the preceding rule would cause username lookup only when both the daemon_list and the host_pattern match.

A user pattern has the same syntax as a daemon process name, hostname, or host address pattern, so the same wildcards and so on apply (but netgroup membership of users is not supported). One should not get carried away with username lookups, however.

The remote username information cannot be trusted when it is needed most—that is, when the remote system has been compromised. In general, ALL and (UN)KNOWN are the only username patterns that make sense.

Username lookups are possible only with TCP-based services and only when the client host runs a suitable daemon; in all other cases the result is unknown.

A well-known UNIX kernel bug may cause loss of service when username lookups are blocked by a firewall. The wrapper README document describes a procedure to find out if your kernel has this bug.

Username lookups cause noticeable delays for PC users. The default time-out for username lookups is ten seconds: too short to cope with slow networks but long enough to irritate PC users.

Selective username lookups can alleviate the last problem. For example, a rule like

    daemon_list : @pcnetgroup ALL@ALL

would match members of the pcnetgroup without doing username lookups but would perform username lookups with all other systems.

EXAMPLES

The language is flexible enough that different types of access control policy can be expressed with a minimum of fuss. Although the language uses two access control tables, the most common policies can be implemented with one of the tables being trivial or even empty.

When reading the following examples, it is important to realize that the allow table is scanned before the deny table, that the search terminates when a match is found, and that access is granted when no match is found at all.

The examples use host and domain names. They can be improved by including address or network/netmask information to reduce the impact of temporary nameserver lookup failures.

MOSTLY CLOSED

In this case, access is denied by default. Only explicitly authorized hosts are permitted access.

The default policy (no access) is implemented with a trivial deny file:

/etc/hosts.deny:

    ALL: ALL

This denies all service to all hosts, unless they are permitted access by entries in the allow file.

The explicitly authorized hosts are listed in the allow file:

/etc/hosts.allow:

    ALL: LOCAL @some_netgroup
    ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

The first rule permits access to all services from hosts in the local domain (no . in the hostname) and from members of the some_netgroup netgroup. The second rule permits access to all services from all hosts in the .foobar.edu domain, with the exception of terminalserver.foobar.edu.
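The following is an added example, not code from the wrapper package itself: a small Python model of the matching order described above (allow table first, first match wins, no match means access is granted) applied to the MOSTLY CLOSED tables, together with the selective username lookup rule from the previous section. It assumes a constructed netgroup table, constructed ident replies, and an assumed daemon name `in.ftpd` for the lookup rule; real tcpd consults NIS and the network instead.

```python
"""Toy evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules.

Added example, not libwrap's own code.  It models only what the text
describes: the allow table is scanned before the deny table, the first
matching rule wins, no match at all means access is granted, and a
username (ident) lookup is made only for a user@host pattern whose
daemon and host parts already match.  Netgroups and ident replies are
constructed tables below; real tcpd consults NIS and the network.
"""

# Constructed sample data (assumed, not from the page).
NETGROUPS = {
    "some_netgroup": {"fileserver"},            # an undotted, i.e. LOCAL, host
    "pcnetgroup": {"pc17.foobar.edu"},
}
# Username the client's ident daemon would report; None = no ident daemon.
IDENT_REPLIES = {"ws3.foobar.edu": "alice", "pc17.foobar.edu": None}

lookups = []   # hosts queried during the current check, for inspection


def ident_lookup(host):
    """Simulated RFC 1413 query: an unanswered query yields 'unknown'."""
    lookups.append(host)
    return IDENT_REPLIES.get(host) or "unknown"


def match_token(pattern, value):
    """One wildcard or literal against a daemon name, hostname or username."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in value
    if pattern == "KNOWN":
        return value != "unknown"
    if pattern == "UNKNOWN":
        return value == "unknown"
    if pattern.startswith("@"):                 # netgroup membership
        return value in NETGROUPS.get(pattern[1:], set())
    if pattern.startswith("."):                 # domain suffix such as .foobar.edu
        return value.endswith(pattern)
    return pattern == value


def match_client(pattern, host):
    """Client pattern: plain host pattern, @netgroup, or user@host."""
    user_pat, at, host_pat = pattern.rpartition("@")
    if at and user_pat:                         # user@host form
        if not match_token(host_pat, host):
            return False                        # host part failed: no lookup
        return match_token(user_pat, ident_lookup(host))
    return match_token(pattern, host)


def match_list(spec, value, matcher=match_token):
    """Whitespace-separated list with an optional 'EXCEPT' sub-list."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(matcher(p, value) for p in head.split())   # stops at first hit
    return hit and not (tail and match_list(tail, value, matcher))


def parse_table(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, _, clients = line.partition(":")
            rules.append((daemons.strip(), clients.strip()))
    return rules


def hosts_access(allow, deny, daemon, host):
    """Return (permitted, hosts_queried) for one connection attempt."""
    lookups.clear()
    for table, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_table(table):
            if match_list(daemons, daemon) and match_list(clients, host, match_client):
                return verdict, list(lookups)
    return True, list(lookups)                  # no rule matched: access granted


# The MOSTLY CLOSED policy from the text, with the selective-lookup rule
# placed first so that it is reached; "in.ftpd" is an assumed daemon name.
HOSTS_ALLOW = """
in.ftpd : @pcnetgroup ALL@ALL
ALL : LOCAL @some_netgroup
ALL : .foobar.edu EXCEPT terminalserver.foobar.edu
"""
HOSTS_DENY = "ALL : ALL\n"


def check(daemon, host):
    return hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, host)


if __name__ == "__main__":
    for d, h in [("in.telnetd", "fileserver"), ("in.telnetd", "terminalserver.foobar.edu"),
                 ("in.ftpd", "pc17.foobar.edu"), ("in.ftpd", "ws3.foobar.edu")]:
        print(d, h, check(d, h))
```

Running `check` shows the two effects the text cares about: terminalserver.foobar.edu falls through the allow table and is caught by `ALL : ALL`, while a PC in `pcnetgroup` is admitted to in.ftpd without any ident query and every other host pays for one.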

MOSTLY OPEN

Here, access is granted by default; only explicitly specified hosts are refused service.
