Page 1136
The default policy (access granted) makes the allow file redundant so that it can be omitted. The explicitly non-authorized hosts are listed in the deny file:
/etc/hosts.deny: ALL: some.host.name, .some.domain ALL EXCEPT in.fingerd: other.host.name, .other.domain
The first rule denies some hosts all services; the second rule still permits finger requests from other hosts.
BOOBY TRAPS
The next example permits tftp requests from hosts in the local domain. Requests from any other hosts are denied. Instead of the requested file, a finger probe is sent to the offending host. The result is mailed to the superuser.
/etc/hosts.allow: in.tftpd: LOCAL, .my.domain /etc/hosts.deny: in.tftpd: ALL: (/some/where/safe_finger -l @%h | \ /usr/ucb/mail -s %d-%h root) &
The safe_finger command comes with the tcpd wrapper and should be installed in a suitable place. It limits possible damage from data sent by the remote finger server. It gives better protection than the standard finger command.
The expansion of the %h (remote host) and %d (service name) sequences is described in the section on shell commands.
Warning: Do not booby-trap your finger daemon, unless you are prepared for infinite finger loops.
On network firewall systems, this trick can be carried even further. The typical network firewall only provides a limited set of services to the outer world. All other services can be "bugged" just like the preceding tftp example. The result is an excellent early-warning system.
DIAGNOSTICS
An error is reported when a syntax error is found in a host access control rule, when the length of an access control rule exceeds the capacity of an internal buffer, when an access control rule is not terminated by a newline character, when the result of %<character> expansion would overflow an internal buffer, and when a system call fails that shouldn't. All problems are reported via the syslog daemon.
FILES
/etc/hosts.allow, (daemon,client) pairs that are granted access.
/etc/hosts.deny, (daemon,client) pairs that are denied access.
SEE ALSO
tcpd(8), TCP/IP daemon wrapper program
BUGS
If a nameserver lookup times out, the hostname will not be available to the access control software, even though the host is registered.
Domain nameserver lookups are case insensitive; NIS (formerly YP) netgroup lookups are case sensitive.
AUTHOR
Wietse Venema (wietse@wzv.win.tue.nl), Department of Mathematics and Computing Science, Eindhoven University of Technology, Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
Page 1137
hosts_options—Host access control language extensions.
DESCRIPTION
This document describes optional extensions to the language described in the hosts_access(5) document. The extensions are enabled at program build time by editing the makefile.
The extensible language uses the following format:
daemon_list : client_list : option : option ...
The first two fields are described in the hosts_access(5) manual page. The remainder of the rules is a list of zero or more options. Any : characters within options should be protected with a backslash.
An option is of the form keyword or keyword = value. Options are processed in the specified order. With some options, the value is subjected to %<character> substitutions.
OPTIONS
| severity = mail.info | Change the severity level at which the event will be logged. Facility names (such as mail) are optional and are not supported on systems with older syslog implementations. The severity option can be used to emphasize or to completely ignore specific events. |
| allow (deny) | Grant (deny) service, even when the matched rule was found in the hosts.deny (hosts.allow) file. These options must appear at the end of a rule. |
With the allow and deny keywords, it is possible to keep all access control rules within a single file—for example, in the hosts.allow file:
ALL: .friendly.domain: allow ALL: ALL: deny
This permits access from specific hosts only. On the other hand,
ALL: .trouble.makers: deny ALL: ALL: allow
This permits access from all hosts except a few troublemakers.
| twist = shell_command | Replace the current process by an instance of the specified shell command, after performing the %<character> expansions described in the hosts_access(5) manual page. stdin, stdout, and stderr are connected to the remote client process. This option must appear at the end of a rule. Examples: |
| in.ftpd : ... : twist = /bin/echo 421 | Some bounce message sends a customized bounce message to the remote client instead of running the real FTP daemon. |
| in.telnetd : ... : twist = PATH=/some/other; exec in.telnetd | Runs /some/other/in.telnetd without polluting its command-line array or its process environment. |
| Warning: In case of UDP services, do not twist into commands that use the standard I/O or the read(2)/write(2) routines to communicate with the client process; UDP requires other I/O primitives. | |
| spawn = shell_command | Execute the shell command in a child process, after performing the %<character> expansions described in the hosts_access(5) manual page. The command |
Page 1138
| is executed with stdin, stdout, and stderr connected to the null device so that it won't mess up the conversation with the remote host. Example: | |
| spawn = (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & | Executes, in a background child process, the shell command safe_finger -l @%h | mail root after replacing %h by the name or address of the remote host. |
| The example uses the safe_finger command instead of the regular finger command to limit possible damage from data sent by the finger server. The safe_finger command is part of the daemon wrapper package; it is a wrapper around the regular finger command that filters the data sent by the remote host. | |
| umask = 022 | Like the umask command that is built into the shell. An umask of 022 prevents the creation of files with group and world write permission. The umask argument should be an octal number. |
| keepalive | Causes the server to periodically send a message to the client. The connection is considered broken when the client does not respond. The keepalive option can be useful when users turn off their machine while it is still connected to a server. The keepalive option is not useful for datagram (UDP) services. |
| linger = number_of_seconds | Specifies how long the kernel will try to deliver not-yet delivered data after the server process closes a connection. |
| nice = niceval | |
| nice (no argument) | Change the nice value of the process (default 10). Specify a positive value to spend more CPU resources on other processes. |
| user = nobody | Assume the privileges of the nobody account. This is useful with inetd implementations that run all services with root privilege. It is good practice to run services such as finger at a reduced privilege level. |
| group = tty | Assume the privileges of the tty group. This is useful mostly in combination with the user option. In order to switch both user and group IDs, switch group ID before switching user ID. |
| setenv = name value | Place a (name, value) pair into the process environment. The value is subjected to %<character> expansions and may contain whitespace (but leading and trailing blanks are stripped off). |
| Warning: Many network daemons reset their environment before spawning a login or shell process. |