SYSTEM.ROOTDAEMONRC(1)        General Commands Manual       SYSTEM.ROOTDAEMONRC(1)

NAME
       system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT
       daemons

LOCATION
       ROOTDAEMONRC, $HOME/.rootdaemonrc
       /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc

DESCRIPTION
       This manual page documents the format of the directives specifying
       access control for ROOT daemons. These directives are read from a
       text file whose full path is taken from the environment variable
       ROOTDAEMONRC. If this variable is undefined, the daemon looks for a
       file named .rootdaemonrc in the $HOME directory of the user starting
       the daemon; if this file does not exist either, the file
       system.rootdaemonrc, located under /etc/root or $ROOTSYS/etc, is
       used. If none of these files exists (or is readable), the daemon
       makes use of a default built-in directive derived from the
       configuration options of the installation.

FORMAT
       * lines starting with '#' are comment lines.

       * hosts can be specified either with their name (e.g. pcepsft43),
         their FQDN (e.g. pcepsft43.cern.ch) or their IP address (e.g.
         137.138.99.73).

       * host names can be followed by :rootd, :proofd or :sockd to
         define directives applying only to the given service; 'sockd'
         applies to servers run from interactive sessions (TServerSocket
         class).

       * directives applying to all hosts can be specified either by
         'default' or '*'.

       * the '*' character can be used in any field of the name to
         indicate a set of machines or domains, e.g. pcepsft*.cern.ch
         applies to all 'pcepsft' machines in the domain 'cern.ch' (to
         indicate all 'lxplus' machines you should use 'lxplus*.cern.ch'
         because internally the generic lxplus machine has a real name of
         the form lxplusnnn.cern.ch; you can also use 'lxplus' if you
         don't care about domain name checking).

       * a whole domain can be indicated by its name, e.g. 'cern.ch',
         'cnaf.infn.it' or '.ch'.

       * truncated IP addresses can also be used to indicate a set of
         machines; they are interpreted as the very first or very last
         part of the address; for example, to select 137.138.99.73, any
         of these is valid: '137.138.99', '137.138', '137', '99.73'; or
         with wild cards: '137.13*' or '*.99.73'; however, '138.99' is
         invalid because it is ambiguous.

       * the information following the name or IP address indicates, in
         order of preference, the short names or the internal codes of
         the authentication methods accepted for requests coming from the
         specified host(s); the ones implemented so far are:

                Method      nickname    code

                UsrPwd      usrpwd      0
                SRP         srp         1
                Kerberos    krb5        2
                Globus      globus      3
                SSH         ssh         4
                UidGid      uidgid      5  (insecure)

         (The insecure method is intended to speed up access within a
         cluster protected by other means from outside attacks; it should
         not be used for inter-cluster or inter-domain authentication.)
         Methods not specified explicitly are not accepted. For the
         insecure method it is possible to give access only to a specific
         list of users by specifying the usernames after the method,
         separated by colons (:); for example:

                uidgid:user1:user2:user3

         will allow uidgid access only to users user1, user2 and user3.
         This is useful to give easy access to data servers. It is also
         possible to deny access to a user by using a '-' in front of the
         name:

                uidgid:-user4

       * lines ending with '\' are followed by additional information for
         the host on the next line; the name of the host should not be
         repeated.

EXAMPLES
       Valid examples:

       default none
              All requests are denied unless specified by dedicated
              directives.

       default 0 ssh
              Authentication mechanisms allowed by default are 'usrpwd'
              (code 0) and 'ssh'.

       137.138. 0 4
              Authentication mechanisms allowed from hosts in the domain
              137.138. (cern.ch) are 'usrpwd' (code 0) and 'ssh'.

       pceple19.cern.ch 4 1 3 2 5 0
              All mechanisms are accepted for requests coming from host
              pceple19.cern.ch.

       lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
              Requests from the lxplus cluster can authenticate using
              'ssh', 'srp' and 'globus'; users 'qwerty' and 'uytre' can
              also use 'usrpwd'.

       pcep*.cern.ch:rootd 0:-qwerty 4
              Requests from the pcep*.cern.ch nodes can authenticate using
              'usrpwd' and 'ssh' when accessing the 'rootd' daemon; user
              'qwerty' can only use 'ssh'.
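       The directive syntax and host-matching rules above, worked through as an
       added example that is not part of this man page or of the ROOT daemons'
       own code: a small Python checker parses a constructed rootdaemonrc file
       (with a '\' continuation line and a per-service directive) and reports
       which method codes a user may use from a host. Where the page is silent
       it assumes that the last matching directive in file order wins and that
       a short name without a domain matches only the host's first label.

```python
import fnmatch

SAMPLE_RC = """\
# constructed sample (not from the page): deny anything not listed below
default none
137.138. 0 4
lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
pcep*.cern.ch:rootd 0:-qwerty \\
    4
"""
CODES = {"usrpwd": 0, "srp": 1, "krb5": 2, "globus": 3, "ssh": 4, "uidgid": 5}

def parse_rootdaemonrc(text):
    """Return [(host, service_or_None, [(code, allowed_users, denied_users)])]."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pending.append(line.rstrip("\\"))
        if line.endswith("\\"):       # continuation: host name is not repeated
            continue
        fields, pending = " ".join(pending).split(), []
        host, _, service = fields[0].partition(":")  # optional :rootd/:proofd/:sockd
        methods = []
        for spec in fields[1:]:
            if spec == "none":        # no method accepted at all
                break
            name, *users = spec.split(":")   # nickname or code, then user list
            methods.append((int(CODES.get(name, name)),
                            {u for u in users if not u.startswith("-")},
                            {u[1:] for u in users if u.startswith("-")}))
        rules.append((host, service or None, methods))
    return rules

def host_matches(pattern, hostname, ip):
    if pattern in ("default", "*"):
        return True
    if set(pattern) <= set("0123456789.*"):   # leading, trailing or wildcard octets
        p = pattern.strip(".")
        return any(fnmatch.fnmatch(ip, x) for x in (p, p + ".*", "*." + p))
    if "." not in pattern:                    # short name: no domain checking
        return fnmatch.fnmatch(hostname.split(".")[0], pattern)
    domain = pattern if pattern[0] == "." else "." + pattern   # whole domain
    return fnmatch.fnmatch(hostname, pattern) or hostname.endswith(domain)

def allowed_methods(rules, hostname, ip, service, user):
    """Codes USER may use from the host; assumption: last matching directive wins."""
    hits = [m for h, s, m in rules
            if (s is None or s == service) and host_matches(h, hostname, ip)]
    return {c for c, allowed, denied in (hits[-1] if hits else [])
            if user not in denied and (not allowed or user in allowed)}
```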

SEE ALSO
       rootd(1), proofd(1)

       For more information on the ROOT system, please refer to
       http://root.cern.ch/ .

AUTHORS
       The ROOT team (see web page above):
       Rene Brun and Fons Rademakers

COPYRIGHT
       This library is free software; you can redistribute it and/or modify
       it under the terms of the GNU Lesser General Public License as
       published by the Free Software Foundation; either version 2.1 of the
       License, or (at your option) any later version.

       This library is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       Lesser General Public License for more details.

       You should have received a copy of the GNU Lesser General Public
       License along with this library; if not, write to the Free Software
       Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
       USA

NOTES
       This manual page was written by G. Ganis <g.ganis@cern.ch>.

ROOT Version 4                                           SYSTEM.ROOTDAEMONRC(1)