SYSTEM.ROOTDAEMONRC(1)					      General Commands Manual					    SYSTEM.ROOTDAEMONRC(1)

NAME
       system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons

LOCATIONS
       ROOTDAEMONRC, $HOME/.rootdaemonrc
       /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc

DESCRIPTION
       This manual page documents the format of the access control directives for ROOT daemons. These directives
       are read from a text file whose full path is taken from the environment variable ROOTDAEMONRC. If that
       variable is undefined, the daemon looks for a file named .rootdaemonrc in the $HOME directory of the user
       starting the daemon; if this file does not exist either, the file system.rootdaemonrc, located under
       /etc/root or $ROOTSYS/etc, is used. If none of these files exists (or is readable), the daemon makes use of
       a default built-in directive derived from the configuration options of the installation.

FORMAT
       * lines starting with '#' are comment lines.

       * hosts can be specified either by their name (e.g. pcepsft43), their FQDN (e.g. pcepsft43.cern.ch) or
         their IP address (e.g. 137.138.99.73).

       * host names can be followed by :rootd, :proofd or :sockd to define directives applying only to the given
         service; 'sockd' applies to servers run from interactive sessions (TServerSocket class).

       * directives applying to all hosts can be specified either by 'default' or '*'.

       * the '*' character can be used in any field of the name to indicate a set of machines or domains, e.g.
         pcepsft*.cern.ch applies to all 'pcepsft' machines in the domain 'cern.ch'. (To indicate all 'lxplus'
         machines you should use 'lxplus*.cern.ch', because internally the generic lxplus machine has a real name
         of the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about domain name checking.)

       * a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it' or '.ch'.

       * truncated IP addresses can also be used to indicate a set of machines; they are interpreted as the very
         first or very last part of the address. For example, to select 137.138.99.73, any of these is valid:
         '137.138.99', '137.138', '137', '99.73'; or with wild cards: '137.13*' or '*.99.73'; however, '138.99'
         is invalid because it is ambiguous.

       * the information following the name or IP address indicates, in order of preference, the short names or
         the internal codes of the authentication methods accepted for requests coming from the specified
         host(s); the ones implemented so far are:

            Method      nickname    code
            UsrPwd      usrpwd      0
            SRP         srp         1
            Kerberos    krb5        2
            Globus      globus      3
            SSH         ssh         4
            UidGid      uidgid      5    (insecure)

         (The insecure method is intended to speed up access within a cluster protected by other means from
         outside attacks; it should not be used for inter-cluster or inter-domain authentication.)

         Methods not specified explicitly are not accepted.

         For the insecure method it is possible to give access only to a specific list of users by specifying
         the usernames after the method, separated by colons (:). For example:

            uidgid:user1:user2:user3

         will allow uidgid access only to users user1, user2 and user3. This is useful to give easy access to
         data servers. It is also possible to deny access to a user by using a '-' in front of the name:

            uidgid:-user4

       * lines ending with '\' are followed by additional information for the host on the next line; the name of
         the host should not be repeated.

EXAMPLES
       Valid examples:

       default none
              All requests are denied unless specified by dedicated directives.

       default 0 ssh
              Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'.

       137.138. 0 4
              Authentication mechanisms allowed from hosts in the domain 137.138. (cern.ch) are 'usrpwd' (code 0)
              and 'ssh'.

       pceple19.cern.ch 4 1 3 2 5 0
              All mechanisms are accepted for requests coming from host pceple19.cern.ch.

       lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
              Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and 'globus'; users 'qwerty'
              and 'uytre' can also use 'usrpwd'.

       pcep*.cern.ch:rootd 0:-qwerty 4
              Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' and 'ssh' when accessing the
              'rootd' daemon; user 'qwerty' can only use 'ssh'.

SEE ALSO
       rootd(1), proofd(1)

       For more information on the ROOT system, please refer to http://root.cern.ch/.

ORIGINAL AUTHORS
       The ROOT team (see web page above): Rene Brun and Fons Rademakers

COPYRIGHT
       This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser
       General Public License as published by the Free Software Foundation; either version 2.1 of the License, or
       (at your option) any later version.

       This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
       implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
       License for more details.

       You should have received a copy of the GNU Lesser General Public License along with this library; if not,
       write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

AUTHOR
       This manual page was written by G. Ganis <g.ganis@cern.ch>.

ROOT                                              Version 4                              SYSTEM.ROOTDAEMONRC(1)
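
An added example, not part of the original man page or of the ROOT code base: a Python audit that parses directives according to the FORMAT section (comments, '\' continuation lines, host:service, methods by nickname or code with optional user lists) and reports every directive that accepts the insecure uidgid method without an allow-list of users. The function names, the sample input, exact-case matching of nicknames and the decision to treat a deny-only list as open are assumptions of this example.

```python
# Method table from the FORMAT section (nickname -> code); added example, not ROOT code.
METHODS = {"usrpwd": 0, "srp": 1, "krb5": 2, "globus": 3, "ssh": 4, "uidgid": 5}
BY_CODE = {str(code): name for name, code in METHODS.items()}
SERVICES = {"rootd", "proofd", "sockd"}
SAMPLE = """\
# constructed sample input, not a real site configuration
default 0 ssh
lxplus*.cern.ch 4 1 \\
    globus uidgid
pcep*.cern.ch:rootd 0:-qwerty 4
137.138. ssh 5:user1:user2
* uidgid:-user4
"""

def parse(text):
    """Return [(host, service, {method: [user entries]})], one per directive."""
    directives, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # directive continues on next line
            pending += line[:-1] + " "
            continue
        fields, pending = (pending + line).split(), ""
        host, _, service = fields[0].partition(":")
        if service and service not in SERVICES:
            raise ValueError(f"unknown service in {fields[0]!r}")
        methods = {}                         # insertion order = preference order
        for field in fields[1:]:
            name, *users = field.split(":")
            name = BY_CODE.get(name, name)   # accept internal code or nickname
            if name == "none":
                continue
            if name not in METHODS:
                raise ValueError(f"unknown method {field!r} for {host}")
            methods[name] = users
        directives.append((host, service or "all", methods))
    return directives

def audit(text):
    """List (scope, service) where uidgid is accepted with no allow-list of users."""
    findings = []
    for host, service, methods in parse(text):
        users = methods.get("uidgid")
        if users is not None and all(u.startswith("-") for u in users):
            scope = "all hosts" if host in ("default", "*") else host
            findings.append((scope, service))
    return findings
```

On the constructed sample, audit(SAMPLE) reports the lxplus*.cern.ch directive and the '*' directive; the 137.138. directive is not reported because its uidgid entry names specific users.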