net_access(NF)

Name
     net_access - allow/deny client access to network services

Syntax
     /etc/service.allow
     /etc/service.deny

Description
     Some network service daemons allow the system administrator to allow or
     deny access to that service on a per user/host basis. The files
     /etc/service.allow and /etc/service.deny (where service is the name of
     the daemon's service) contain triples which specify individual users or
     groups of users to be allowed or denied access to that service.

     Each triple consists of three whitespace-separated values on a single
     line.

     The first value contains the name of a network host to which this
     triple applies; the special entry ``*'' may be used to identify all
     hosts. Matching is done on the name by which the requesting host is
     known, so if a host is known by its host name and by aliases, any
     triple for that host must have one triple entry with the host name as
     the first value and a duplicate triple entry for each alias with the
     alias as the first value. A host that connects under an alias with no
     matching entry is treated as an unlisted host.

     The second value contains one of the keywords user, group, subsystem,
     or kernel to mean that this triple applies to a single user, a single
     group, a group of users having some subsystem authorization, or a group
     of users having some kernel authorization.

     The third value is a local instance of the class identified by the
     second value, i.e. a local user name, a local group name, a local
     subsystem authorization, or a local kernel authorization. In all cases,
     the special entry ``*'' may be used as the third value to identify all
     instances of the class identified by the second value.

     The two files are consulted in a fixed order; the allow file, when
     present, is the only one consulted:

     If the allow file for a particular service exists, then all requests
     from remote hosts for that service are checked to see that the user
     making the request is identified by at least one of the triples in the
     allow file. The service is denied if the allow file exists and this
     check fails. The deny file is not consulted in this case, so a triple
     in the deny file has no effect while an allow file exists for the same
     service.

     If no allow file for a particular service exists, but a deny file does
     exist, then all requests from remote hosts for that service are checked
     to see that the user making the request is not identified by any of
     the triples in the deny file. The service is denied if any of the deny
     file triples identify the host/user making the request.

     If neither the allow nor the deny file exists for a particular service,
     access to the service is permitted in the normal fashion.

Examples
     Typical /etc/rexd.allow file (the allow file for the rexd service):

          *                 user       paulm
          *                 group      sales
          machine1          subsystem  backup
          machine1.sco.com  subsystem  backup
          machine2          user       *
          machine2.sco.com  user       *

     This restricts access to the rexd service to user paulm (from any
     host), any member of local group sales, any user from host machine1 who
     would have the backup subsystem privilege on the local host, and all
     users from host machine2. Note the duplicate entries for the fully
     qualified aliases machine1.sco.com and machine2.sco.com.

     Typical /etc/rexd.deny file (the deny file for the rexd service):

          *                 subsystem  auth
          *                 user       fred
          machine3          group      engineers
          machine3.sco.com  group      engineers

     This denies access to the rexd service to any user from any host who
     would have the auth subsystem privilege, user fred (from any host), and
     any member of local group engineers from host machine3. Because an
     allow file takes precedence, this deny file is only consulted when
     /etc/rexd.allow does not exist.

Files
     /etc/service.allow     hosts/users to be allowed access to service
     /etc/service.deny      hosts/users to be denied access to service

See also
     rexd(NADM), rshd(ADMN)

Notes
     At present, only the following use the net_access facility: the RPC
     remote execution server rexd and the remote shell server rshd.
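     The following is an added example, not part of this manual page and not
     the daemon's own code: a small Python model of the net_access decision
     rules described above, run against the two example files embedded as
     strings. It also checks the alias requirement from the Description: for
     every triple naming a host, a duplicate triple must exist for each of
     that host's aliases. The Request fields (the requesting host name and
     the user's local groups, subsystem and kernel authorizations), the
     alias map and the sample requests are constructed assumptions for
     illustration; the real daemons obtain them from the system.

```python
"""Model of the net_access(NF) allow/deny rules (added example, not SCO code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Triple = Tuple[str, str, str]
CLASSES = ("user", "group", "subsystem", "kernel")

# Constructed copies of the example /etc/rexd.allow and /etc/rexd.deny files.
REXD_ALLOW = """\
*                 user       paulm
*                 group      sales
machine1          subsystem  backup
machine1.sco.com  subsystem  backup
machine2          user       *
machine2.sco.com  user       *
"""
REXD_DENY = """\
*                 subsystem  auth
*                 user       fred
machine3          group      engineers
machine3.sco.com  group      engineers
"""


@dataclass(frozen=True)
class Request:
    """What the daemon knows about a request (assumed shape, not the real API)."""
    host: str                    # name under which the remote host is known
    user: str                    # local user name the request maps to
    groups: FrozenSet[str]       # local groups the user belongs to
    subsystems: FrozenSet[str]   # local subsystem authorizations the user holds
    kernel: FrozenSet[str]       # local kernel authorizations the user holds


def parse_triples(text: str) -> List[Triple]:
    """Parse one allow/deny file: three whitespace-separated fields per line.
    Blank lines are skipped; anything else malformed is rejected rather than
    silently ignored, since a mis-parsed allow file widens access."""
    triples: List[Triple] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        host, cls, inst = parts
        if cls not in CLASSES:
            raise ValueError(f"line {lineno}: unknown class keyword {cls!r}")
        triples.append((host, cls, inst))
    return triples


def triple_matches(triple: Triple, req: Request) -> bool:
    """True if the triple identifies the requesting host/user."""
    host, cls, inst = triple
    if host != "*" and host != req.host:      # exact match on the known name
        return False
    if cls == "user":
        return inst == "*" or inst == req.user
    held = {"group": req.groups, "subsystem": req.subsystems,
            "kernel": req.kernel}[cls]
    # "*" means every instance of the class: the user must hold at least one.
    return bool(held) if inst == "*" else inst in held


def net_access(req: Request, allow: Optional[str], deny: Optional[str]) -> bool:
    """Apply the rules in the Description. None models a missing file."""
    if allow is not None:                     # allow file exists: deny ignored
        return any(triple_matches(t, req) for t in parse_triples(allow))
    if deny is not None:                      # only a deny file exists
        return not any(triple_matches(t, req) for t in parse_triples(deny))
    return True                               # neither file: normal access


def missing_alias_entries(triples: List[Triple], aliases: dict) -> List[Triple]:
    """Return the duplicate triples still needed so every alias of a listed
    host is covered. `aliases` maps a host name to its known aliases."""
    present = set(triples)
    return [(alias, cls, inst) for host, cls, inst in triples
            for alias in aliases.get(host, ()) if (alias, cls, inst) not in present]


if __name__ == "__main__":
    auditor = Request("machine2", "auditor", frozenset({"audit"}),
                      frozenset({"auth"}), frozenset())
    # Allow file present: machine2 user * admits auditor even though the deny
    # file names the auth subsystem, because the deny file is never read.
    print(net_access(auditor, REXD_ALLOW, REXD_DENY))
    print(net_access(auditor, None, REXD_DENY))
    print(missing_alias_entries(parse_triples(REXD_ALLOW),
                                {"machine1": ["machine1.sco.com"]}))
```

     The auditor request illustrates the precedence rule that is easy to get
     wrong operationally: adding a deny entry does nothing while an allow file
     exists for the same service, so a host that should be blocked must be
     kept out of the allow file instead.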