SYSTEM.ROOTDAEMONRC(1) General Commands Manual SYSTEM.ROOTDAEMONRC(1)
system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons
This manual page documents the format of directives specifying access control directives for ROOT daemons. These directives are read from a
text file whose full path is taken from the environment variable ROOTDAEMONRC. If such a variable in undefined, the daemon looks for a
file named .rootdaemonrc in the $HOME directory of the user starting the daemon; if this file does not exists either, the file system.root-
daemonrc, located under /etc/root or $ROOTSYS/etc, is used. If none of these file exists (or is readable), the daemon makes use of a
default built-in directive derived from the configuration options of the installation.
* lines starting with '#' are comment lines.
* hosts can specified either with their name (e.g. pcepsft43), their FQDN (e.g. pcepsft43.cern.ch) or their IP address (e.g.
* host names can be followed by :rootd, :proofd or :sockd to define directives applying only to the given service; 'sockd' applies to
servers run from interactive sessions (TServerSocket class)
* directives applying to all host can be specified either by 'default' or '*'
* the '*' character can be used in any field of the name to indicate a set of machines or domains, e.g. pcepsft*.cern.ch applies to
all 'pcepsft' machines in the domain 'cern.ch'. (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch' because inter-
nally the generic lxplus machine has a real name of the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about
domain name checking).
* a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it' or '.ch'
* truncated IP address can also be used to indicate a set of machines; they are interpreted as the very first or very last part of the
address; for example, to select 126.96.36.199, any of these is valid: '137.138.99', '137.138', '137`, '99.73'; or with wild cards:
'137.13*' or '*.99.73`; however, '138.99' is invalid because ambiguous.
* the information following the name or IP address indicates, in order of preference, the short names or the internal codes of authen-
tication methods accepted for requests coming from the specified host(s); the ones implemented so far are:
Method nickname code
UsrPwd usrpwd 0
SRP srp 1
Kerberos krb5 2
Globus globus 3
SSH ssh 4
UidGid uidgid 5 (insecure)
(The insecure method is intended to speed up access within a cluster protected by other means from outside attacks; should not be
used for inter-cluster or inter-domain authentication). Methods non specified explicitly are not accepted. For the insecure method
it is possible to give access only to a specific list of users by specifying the usernames after the method separated by colons (:)
will allow uidgid access only to users user1, user2 and user3. This is useful to give easy access to data servers. It is also possi-
ble to deny access to a user by using a '-' in front of the name:
* Lines ending with '' are followed by additional information for the host on the next line; the name of the host should not be
All requests are denied unless specified by dedicated directives.
default 0 ssh
Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'
137.138. 0 4
Authentication mechanisms allowed from host in the domain 137.138. (cern.ch) are 'usrpwd' (code 0) and 'ssh'
pceple19.cern.ch 4 1 3 2 5 0
All mechanisms are accepted for requests coming from host pceple19.cern.ch .
lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and 'globus'; users 'qwerty' and 'uytre' can also use 'usrpwd'
pcep*.cern.ch:rootd 0:-qwerty 4
Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' and 'ssh' when accessing the 'rootd' daemon ; user 'qwerty'
can only use 'ssh'.
For more information on the ROOT system, please refer to http://root.cern.ch/ .
The ROOT team (see web page above):
Rene Brun and Fons Rademakers
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as pub-
lished by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MER-
CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foun-
dation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
This manual page was written by G. Ganis <email@example.com> .
Version 4 SYSTEM.ROOTDAEMONRC(1)