SYSTEM.ROOTDAEMONRC(1)					      General Commands Manual					    SYSTEM.ROOTDAEMONRC(1)

NAME

       system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons

LOCATIONS

       ROOTDAEMORC, $HOME/.rootdaemonrc
       /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc

DESCRIPTION

       This manual page documents the format of directives specifying access control directives for ROOT daemons. These directives are read from a
       text file whose full path is taken from the environment variable ROOTDAEMONRC.  If such a variable in undefined, the  daemon  looks  for  a
       file named .rootdaemonrc in the $HOME directory of the user starting the daemon; if this file does not exists either, the file system.root-
       daemonrc, located under /etc/root or $ROOTSYS/etc, is used.  If none of these file exists (or is readable),  the  daemon  makes	use  of  a
       default built-in directive derived from the configuration options of the installation.

FORMAT

       *      lines starting with '#' are comment lines.

       *      hosts  can  specified  either  with  their  name	(e.g.  pcepsft43),  their  FQDN (e.g. pcepsft43.cern.ch) or their IP address (e.g.
	      137.138.99.73).

       *      host names can be followed by :rootd, :proofd or :sockd to define directives applying only to the given service; 'sockd' applies	to
	      servers run from interactive sessions (TServerSocket class)

       *      directives applying to all host can be specified either by 'default' or '*'

       *      the  '*'	character  can be used in any field of the name to indicate a set of machines or domains, e.g. pcepsft*.cern.ch applies to
	      all 'pcepsft' machines in the domain 'cern.ch'. (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch'  because  inter-
	      nally  the  generic  lxplus machine has a real name of the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about
	      domain name checking).

       *      a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it' or '.ch'

       *      truncated IP address can also be used to indicate a set of machines; they are interpreted as the very first or very last part of the
	      address;	for  example, to select 137.138.99.73, any of these is valid: '137.138.99', '137.138', '137`, '99.73'; or with wild cards:
	      '137.13*' or '*.99.73`; however, '138.99' is invalid because ambiguous.

       *      the information following the name or IP address indicates, in order of preference, the short names or the internal codes of authen-
	      tication methods accepted for requests coming from the specified host(s); the ones implemented so far are:

		 Method 			  nickname    code

		 UsrPwd 			   usrpwd	0
		 SRP				   srp		1
		 Kerberos			   krb5 	2
		 Globus 			   globus	3
		 SSH				   ssh		4
		 UidGid 			   uidgid	5   (insecure)

	      (The  insecure  method  is intended to speed up access within a cluster protected by other means from outside attacks; should not be
	      used for inter-cluster or inter-domain authentication). Methods non specified explicitly are not accepted. For the  insecure  method
	      it  is possible to give access only to a specific list of users by specifying the usernames after the method separated by colons (:)
	      example:

		 uidgid:user1:user2:user3

	      will allow uidgid access only to users user1, user2 and user3. This is useful to give easy access to data servers. It is also possi-
	      ble to deny access to a user by using a '-' in front of the name:

		 uidgid:-user4

       *      Lines  ending  with  ''  are  followed  by  additional information for the host on the next line; the name of the host should not be
	      repeated.

EXAMPLES

       Valid examples:

       default none
	      All requests are denied unless specified by dedicated directives.

       default 0 ssh
	      Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'

       137.138. 0 4
	      Authentication mechanisms allowed from host in the domain 137.138. (cern.ch) are 'usrpwd' (code 0) and 'ssh'

       pceple19.cern.ch 4 1 3 2 5 0
	      All mechanisms are accepted for requests coming from host pceple19.cern.ch .

       lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
	      Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and 'globus'; users 'qwerty' and 'uytre' can also use  'usrpwd'
	      .

       pcep*.cern.ch:rootd 0:-qwerty 4
	      Requests	from  the  pcep*.cern.ch nodes can authenticate using 'usrpwd' and 'ssh' when accessing the 'rootd' daemon ; user 'qwerty'
	      can only use 'ssh'.

SEE ALSO

       rootd(1), proofd(1)

       For more information on the ROOT system, please refer to http://root.cern.ch/ .

ORIGINAL AUTHORS

       The ROOT team (see web page above):
	      Rene Brun and Fons Rademakers

COPYRIGHT

       This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public  License  as  pub-
       lished by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

       This  library  is  distributed  in  the	hope  that  it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MER-
       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.

       You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software  Foun-
       dation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

AUTHOR

       This manual page was written by G. Ganis <g.ganis@cern.ch> .

ROOT
								     Version 4						    SYSTEM.ROOTDAEMONRC(1)