{ "content": [ { "type": "text", "text": "# HOSTS_OPTIONS (man)\n\n## NAME\n\nhostsoptions - host access control language extensions\n\n## DESCRIPTION\n\nThis document describes extensions to the language described in the hostsaccess(5) document.\n\n## Sections\n\n- **NAME**\n- **DESCRIPTION**\n- **LOGGING**\n- **ACCESS CONTROL**\n- **RUNNING OTHER COMMANDS**\n- **NETWORK OPTIONS**\n- **USERNAME LOOKUP**\n- **MISCELLANEOUS**\n- **DIAGNOSTICS**\n- **SEE ALSO**\n- **AUTHOR**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "HOSTS_OPTIONS", "section": "", "mode": "man", "summary": "hostsoptions - host access control language extensions", "synopsis": null, "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [ { "name": "hostsaccess", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/hostsaccess/5/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 14, "subsections": [] }, { "name": "LOGGING", "lines": 7, "subsections": [] }, { "name": "ACCESS CONTROL", "lines": 19, "subsections": [] }, { "name": "RUNNING OTHER COMMANDS", "lines": 52, "subsections": [] }, { "name": "NETWORK OPTIONS", "lines": 10, "subsections": [] }, { "name": "USERNAME LOOKUP", "lines": 8, "subsections": [] }, { "name": "MISCELLANEOUS", "lines": 35, "subsections": [] }, { "name": "DIAGNOSTICS", "lines": 3, "subsections": [] }, { "name": "SEE ALSO", "lines": 2, "subsections": [] }, { "name": "AUTHOR", "lines": 10, "subsections": [] } ], "sections": { "NAME": { "content": "hostsoptions - host access control language extensions\n", "subsections": [] }, "DESCRIPTION": { "content": "This document describes extensions to the language described in the hostsaccess(5) document.\n\nThe extensible language uses the following format:\n\ndaemonlist : clientlist : option : option ...\n\nThe first two fields are described in the hostsaccess(5) manual page. The remainder of the\nrules is a list of zero or more options. Any \":\" characters within options should be pro‐\ntected with a backslash.\n\nAn option is of the form \"keyword\" or \"keyword value\". Options are processed in the specified\norder. Some options are subjected to % substitutions. For the sake of backwards com‐\npatibility with earlier versions, an \"=\" is permitted between keyword and value.\n", "subsections": [] }, "LOGGING": { "content": "severity mail.info\n\nseverity notice\nChange the severity level at which the event will be logged. Facility names (such as\nmail) are optional, and are not supported on systems with older syslog implementa‐\ntions. The severity option can be used to emphasize or to ignore specific events.\n", "subsections": [] }, "ACCESS CONTROL": { "content": "allow\n\ndeny Grant (deny) service. These options must appear at the end of a rule.\n\nThe allow and deny keywords make it possible to keep all access control rules within a single\nfile, for example in the hosts.allow file.\n\nTo permit access from specific hosts only:\n\nALL: .friendly.domain: ALLOW\nALL: ALL: DENY\n\nTo permit access from all hosts except a few trouble makers:\n\nALL: .bad.domain: DENY\nALL: ALL: ALLOW\n\nNotice the leading dot on the domain name patterns.\n", "subsections": [] }, "RUNNING OTHER COMMANDS": { "content": "aclexec shellcommand\nExecute, in a child process, the specified shell command, after performing the % expansions described in the hostsaccess(5) manual page. The command is executed\nwith stdin, stdout and stderr connected to the null device, so that it won't mess up\nthe conversation with the client host. Example:\n\nsmtp : ALL : aclexec checkdnsbl %a\n\nexecutes, in a background child process, the shell command \"checkdnsbl %a\" after re‐\nplacing %a by the address of the remote host.\n\nThe connection will be allowed or refused depending on whether the command returns a\ntrue or false exit status.\n\nspawn shellcommand\nExecute, in a child process, the specified shell command, after performing the % expansions described in the hostsaccess(5) manual page. The command is executed\nwith stdin, stdout and stderr connected to the null device, so that it won't mess up\nthe conversation with the client host. Example:\n\nspawn (/usr/sbin/safefinger -l @%h | /usr/bin/mail root) &\n\nexecutes, in a background child process, the shell command \"safefinger -l @%h | mail\nroot\" after replacing %h by the name or address of the remote host.\n\nThe example uses the \"safefinger\" command instead of the regular \"finger\" command, to\nlimit possible damage from data sent by the finger server. The \"safefinger\" command\nis part of the daemon wrapper package; it is a wrapper around the regular finger com‐\nmand that filters the data sent by the remote host.\n\ntwist shellcommand\nReplace the current process by an instance of the specified shell command, after per‐\nforming the % expansions described in the hostsaccess(5) manual page. Stdin,\nstdout and stderr are connected to the client process. This option must appear at the\nend of a rule.\n\nTo send a customized bounce message to the client instead of running the real ftp dae‐\nmon:\n\nin.ftpd : ... : twist /bin/echo 421 Some bounce message\n\nFor an alternative way to talk to client processes, see the banners option below.\n\nTo run /some/other/in.telnetd without polluting its command-line array or its process\nenvironment:\n\nin.telnetd : ... : twist PATH=/some/other; exec in.telnetd\n\nWarning: in case of UDP services, do not twist to commands that use the standard I/O\nor the read(2)/write(2) routines to communicate with the client process; UDP requires\nother I/O primitives.\n", "subsections": [] }, "NETWORK OPTIONS": { "content": "keepalive\nCauses the server to periodically send a message to the client. The connection is\nconsidered broken when the client does not respond. The keepalive option can be useful\nwhen users turn off their machine while it is still connected to a server. The\nkeepalive option is not useful for datagram (UDP) services.\n\nlinger numberofseconds\nSpecifies how long the kernel will try to deliver not-yet delivered data after the\nserver process closes a connection.\n", "subsections": [] }, "USERNAME LOOKUP": { "content": "rfc931 [ timeoutinseconds ]\nLook up the client user name with the RFC 931 (TAP, IDENT, RFC 1413) protocol. This\noption is silently ignored in case of services based on transports other than TCP. It\nrequires that the client system runs an RFC 931 (IDENT, etc.) -compliant daemon, and\nmay cause noticeable delays with connections from non-UNIX clients. The timeout pe‐\nriod is optional. If no timeout is specified a compile-time defined default value is\ntaken.\n", "subsections": [] }, "MISCELLANEOUS": { "content": "banners /some/directory\nLook for a file in `/some/directory´ with the same name as the daemon process (for ex‐\nample in.telnetd for the telnet service), and copy its contents to the client. Newline\ncharacters are replaced by carriage-return newline, and % sequences are ex‐\npanded (see the hostsaccess(5) manual page).\n\nThe tcp wrappers source code distribution provides a sample makefile (Banners.Make‐\nfile) for convenient banner maintenance.\n\nWarning: banners are supported for connection-oriented (TCP) network services only.\n\nnice [ number ]\nChange the nice value of the process (default 10). Specify a positive value to spend\nmore CPU resources on other processes.\n\nsetenv name value\nPlace a (name, value) pair into the process environment. The value is subjected to\n% expansions and may contain whitespace (but leading and trailing blanks are\nstripped off).\n\nWarning: many network daemons reset their environment before spawning a login or shell\nprocess.\n\numask 022\nLike the umask command that is built into the shell. An umask of 022 prevents the cre‐\nation of files with group and world write permission. The umask argument should be an\noctal number.\n\nuser nobody\n\nuser nobody.kmem\nAssume the privileges of the \"nobody\" userid (or user \"nobody\", group \"kmem\"). The\nfirst form is useful with inetd implementations that run all services with root privi‐\nlege. The second form is useful for services that need special group privileges only.\n", "subsections": [] }, "DIAGNOSTICS": { "content": "When a syntax error is found in an access control rule, the error is reported to the syslog\ndaemon; further options will be ignored, and service is denied.\n", "subsections": [] }, "SEE ALSO": { "content": "hostsaccess(5), the default access control language\n", "subsections": [] }, "AUTHOR": { "content": "Wietse Venema (wietse@wzv.win.tue.nl)\nDepartment of Mathematics and Computing Science\nEindhoven University of Technology\nDen Dolech 2, P.O. Box 513,\n5600 MB Eindhoven, The Netherlands\n\n\n\n\nHOSTSOPTIONS(5)", "subsections": [] } } } }