NAME
system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons

SYNOPSIS
$ROOTDAEMONRC, $HOME/.rootdaemonrc, /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc
DESCRIPTION
This manual page documents the format of the directives specifying access
control for ROOT daemons. These directives are read from a text file whose
full path is taken from the environment variable ROOTDAEMONRC. If that
variable is undefined, the daemon looks for a file named .rootdaemonrc in
the $HOME directory of the user starting the daemon; if this file does not
exist either, the file system.rootdaemonrc, located under /etc/root or
$ROOTSYS/etc, is used. If none of these files exists (or is readable), the
daemon falls back to a default built-in directive derived from the
configuration options of the installation.
- lines starting with '#' are comments
- hosts can be specified either by their name (e.g. pcepsft43), their
  FQDN (e.g. pcepsft43.cern.ch) or their IP address (e.g. 220.127.116.11)
- host names can be followed by :rootd, :proofd or :sockd to define directives
  applying only to the given service; 'sockd' applies to servers run from
  interactive sessions (TServerSocket class)
- directives applying to all hosts can be specified either by 'default' or '*'
- the '*' character can be used in any field of the name to indicate a set of
  machines or domains, e.g. pcepsft*.cern.ch applies to all 'pcepsft' machines
  in the domain 'cern.ch' (to indicate all 'lxplus' machines you should use
  'lxplus*.cern.ch', because internally the generic lxplus machine has a real
  name of the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't
  care about domain name checking)
- a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it'
  or '.ch'
- a truncated IP address can also be used to indicate a set of machines; it is
  interpreted as the very first or the very last part of the address; for
  example, to select 137.138.99.73, any of these is valid: '137.138.99',
  '137.138', '137', '99.73'; or with wild cards: '137.13*' or '*.99.73';
  however, '138.99' is invalid because it is ambiguous
- the information following the name or IP address indicates, in order of
  preference, the short names or the internal codes of the authentication
  methods accepted for requests coming from the specified host(s); the ones
  implemented so far are:
      Method     nickname   code
      UsrPwd     usrpwd     0
      SRP        srp        1
      Kerberos   krb5       2
      Globus     globus     3
      SSH        ssh        4
      UidGid     uidgid     5   (insecure)
  (The insecure method is intended to speed up access within a cluster
  protected by other means from outside attacks; it should not be used for
  inter-cluster or inter-domain authentication.) Methods not specified
  explicitly are not accepted. For the insecure method it is possible to
  grant access only to a specific list of users by giving the usernames
  after the method, separated by colons (:); for example, the method field
  'uidgid:user1:user2:user3' will allow uidgid access only to users user1,
  user2 and user3. This is useful to give easy access to data servers. It is
  also possible to deny access to a user by putting a '-' in front of the
  name (see the pcep*.cern.ch example below).
- lines ending with '\' are followed by additional information for the host
  on the next line; the name of the host should not be repeated
EXAMPLES
default none
    All requests are denied unless specified by dedicated directives.

default 0 ssh
    Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'.

137.138. 0 4
    Authentication mechanisms allowed from hosts in the domain 137.138.
    (cern.ch) are 'usrpwd' (code 0) and 'ssh'.

pceple19.cern.ch 4 1 3 2 5 0
    All mechanisms are accepted for requests coming from host pceple19.cern.ch.

4 1 globus 0:qwerty:uytre
    Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and
    'globus'; users 'qwerty' and 'uytre' can also use 'usrpwd'.

pcep*.cern.ch:rootd 0:-qwerty 4
    Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' and
    'ssh' when accessing the 'rootd' daemon; user 'qwerty' can only use 'ssh'.
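The following is an added worked example, not code from ROOT or from this manual page: a small Python parser and matcher for directives in the format described above (comments, '\' continuation lines, ':rootd'-style service suffixes, 'default'/'*', name wildcards, domain suffixes, truncated IP addresses and per-user ':user' / ':-user' method restrictions). It reads a constructed sample file modelled on the examples and reports which methods a given user may use from a given host. How the real daemon orders competing directives is not stated on the page; this example assumes the first matching host-specific directive wins and 'default' is only a fallback, so specific hosts are listed first in the sample.

```python
"""Parser and matcher for rootdaemonrc-style access directives (illustrative)."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Method nicknames and codes from the table in the manual page.
METHOD_CODES = {"usrpwd": 0, "srp": 1, "krb5": 2, "globus": 3, "ssh": 4, "uidgid": 5}
CODE_TO_NICK = {code: nick for nick, code in METHOD_CODES.items()}
SERVICES = ("rootd", "proofd", "sockd")
_IP_SPEC = re.compile(r"^[0-9.*]+$")   # digits, dots and wildcards only


@dataclass
class MethodRule:
    code: int
    allow_users: Set[str] = field(default_factory=set)  # empty set: any user
    deny_users: Set[str] = field(default_factory=set)


@dataclass
class Directive:
    host: str
    service: Optional[str]      # None: applies to rootd, proofd and sockd alike
    methods: List[MethodRule]   # in order of preference; empty list means 'none'


def _logical_lines(text: str):
    """Join a line ending in a backslash with the next one (host not repeated)."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def parse_method(token: str) -> MethodRule:
    """'ssh', '4', 'uidgid:user1:user2' or '0:-qwerty' -> MethodRule."""
    name, *users = token.split(":")
    code = int(name) if name.isdigit() else METHOD_CODES.get(name)
    if code not in CODE_TO_NICK:
        raise ValueError(f"unknown authentication method {name!r}")
    rule = MethodRule(code)
    for user in filter(None, users):
        (rule.deny_users if user.startswith("-") else rule.allow_users).add(user.lstrip("-"))
    return rule


def parse(text: str) -> List[Directive]:
    directives = []
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):        # blank lines and comments
            continue
        hostspec, *fields = line.split()
        host, _, service = hostspec.partition(":")  # 'pcep*.cern.ch:rootd'
        if service and service not in SERVICES:
            raise ValueError(f"unknown service {service!r} in {hostspec!r}")
        methods = [] if fields == ["none"] else [parse_method(f) for f in fields]
        directives.append(Directive(host, service or None, methods))
    return directives


def _ip_matches(spec: str, ip: str) -> bool:
    """A truncated IP matches the very first or the very last octets; '*' is a wildcard."""
    if "*" in spec:
        return fnmatch.fnmatchcase(ip, spec)
    parts, octets = spec.strip(".").split("."), ip.split(".")
    n = len(parts)
    return octets[:n] == parts or octets[-n:] == parts   # '138.99' never matches


def host_matches(spec: str, hostname: str, ip: str) -> bool:
    if spec in ("default", "*"):
        return True
    if _IP_SPEC.match(spec) and any(c.isdigit() for c in spec):
        return _ip_matches(spec, ip)
    spec, hostname = spec.lower(), hostname.lower()
    if "*" in spec:                                    # e.g. pcepsft*.cern.ch
        return fnmatch.fnmatchcase(hostname, spec)
    if "." not in spec:                                # bare name: compare first label
        return hostname.split(".")[0] == spec
    # FQDN, or a domain such as 'cern.ch' or '.ch', matched on a label boundary
    return hostname == spec or hostname.endswith("." + spec.lstrip("."))


def allowed_methods(directives, hostname, ip, service, user) -> List[str]:
    """Method nicknames `user` may use from this host for this service, preferred first.
    Assumption (not on the page): first matching specific directive wins, 'default' is fallback."""
    chosen = fallback = None
    for d in directives:
        if d.service and d.service != service:
            continue
        if d.host in ("default", "*"):
            fallback = fallback or d
        elif chosen is None and host_matches(d.host, hostname, ip):
            chosen = d
    d = chosen or fallback
    if d is None:
        return []                                      # nothing matches: denied
    return [CODE_TO_NICK[m.code] for m in d.methods
            if user not in m.deny_users and (not m.allow_users or user in m.allow_users)]


# Constructed sample modelled on the examples above (hypothetical hosts and users).
SAMPLE = """\
# deny everything not explicitly allowed
default none
pceple19.cern.ch 4 1 3 2 5 0
pcep*.cern.ch:rootd 0:-qwerty 4
lxplus*.cern.ch 4 1 \\
    globus 0:qwerty:uytre
137.138. 0 4
"""
RULES = parse(SAMPLE)

if __name__ == "__main__":
    for req in [("pcepsft43.cern.ch", "137.138.99.73", "rootd", "qwerty"),
                ("lxplus042.cern.ch", "137.138.5.6", "rootd", "alice"),
                ("evil.example.org", "10.0.0.1", "rootd", "alice")]:
        print(req, "->", allowed_methods(RULES, *req))
```

The check that matters operationally is the last branch of allowed_methods: with a 'default none' line, anything not covered by a more specific directive yields an empty list, so a request from an unexpected address gets no method at all rather than silently inheriting the built-in defaults.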
SEE ALSO
For more information on the ROOT system, please refer to http://root.cern.ch/ .

ORIGINAL AUTHORS
The ROOT team (see web page above):
Rene Brun and Fons Rademakers
COPYRIGHT
This library is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by the
Free Software Foundation; either version 2.1 of the License, or (at your
option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
for more details.

You should have received a copy of the GNU Lesser General Public License
along with this library; if not, write to the Free Software Foundation,
Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
AUTHOR
This manual page was written by G. Ganis