Subject: lib/6836: fixes for librwrap hosts_access(5) manual page
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@proven.weird.com>
List: netbsd-bugs
Date: 01/18/1999 12:08:56
>Number: 6836
>Category: lib
>Synopsis: fixes for librwrap hosts_access(5) manual page
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people (Library Bug People)
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 18 09:20:00 1999
>Last-Modified:
>Originator: Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release: NetBSD-current
>Environment:
System: NetBSD 1.3I
>Description:
hosts_access(5) does not mention line length limitations.
There are also some minor formatting problems with the manual
page.
>How-To-Repeat:
>Fix:
line numbers may be off....
Index: lib/libwrap/hosts_access.5
===================================================================
RCS file: /cvs/NetBSD/src/lib/libwrap/hosts_access.5,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 hosts_access.5
--- lib/libwrap/hosts_access.5 1998/02/20 00:33:03 1.1.1.1
+++ lib/libwrap/hosts_access.5 1998/10/25 03:17:25
@@ -2,10 +2,7 @@
.SH NAME
hosts_access,
hosts.allow,
-hosts.deny,
-hosts_ctl,
-request_init,
-request_set \- format of host access control files
+hosts.deny \- format of host access control files
.SH DESCRIPTION
This manual page describes a simple access control language that is
based on client (host name/address, user name), and server (process
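Review bot: the NAME section now drops the library entry points hosts_ctl, request_init and request_set from this section-5 file-format page, which is right for a hosts_access(5) page, but make sure those names still appear in the NAME line of a section-3 page (and so in the whatis database) so that `man -k hosts_ctl` and `apropos request_init` continue to find them rather than silently losing their only index entry.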
@@ -26,7 +23,7 @@
network daemon process, and \fIclient\fR is the name and/or address of
a host requesting service. Network daemon process names are specified
in the inetd configuration file.
-.SH ACCESS CONTROL FILES
+.SH "ACCESS CONTROL FILES"
The access control software consults two files. The search stops
at the first match:
.IP \(bu
@@ -41,14 +38,15 @@
A non-existing access control file is treated as if it were an empty
file. Thus, access control can be turned off by providing no access
control files.
-.SH ACCESS CONTROL RULES
+.SH "ACCESS CONTROL RULES"
Each access control file consists of zero or more lines of text. These
lines are processed in order of appearance. The search terminates when a
match is found.
.IP \(bu
A newline character is ignored when it is preceded by a backslash
-character. This permits you to break up long lines so that they are
-easier to edit.
+character. This permits you to break up long lines so that they are
+easier to edit. \fBWARNING:\fP The total length of an entry can be no
+more than 2047 characters long including the final newline.
.IP \(bu
Blank lines or lines that begin with a `#\' character are ignored.
This permits you to insert comments and whitespace so that the tables
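Review bot: the added WARNING line "The total length of an entry can be no more than 2047 characters long including the final newline" is ambiguous about what an "entry" is in the context of this bullet, which has just explained backslash continuation; say explicitly that the limit applies to the logical line after continuation lines have been joined, since that is the case a user who relies on continuation will hit. Also drop the redundant "long" ("can be no more than 2047 characters, including the final newline"), and state what happens when the limit is exceeded (rejected, truncated, or split into two entries) if that behaviour is known, because a silently truncated deny rule is a security-relevant failure the reader needs to recognise. Consider quoting the limit from the source constant that sizes the buffer rather than hard-coding 2047 here and again in BUGS, so the two copies cannot drift apart.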
@@ -160,7 +162,7 @@
.PP
Characters in % expansions that may confuse the shell are replaced by
underscores.
-.SH SERVER ENDPOINT PATTERNS
+.SH "SERVER ENDPOINT PATTERNS"
In order to distinguish clients by the network address that they
connect to, use patterns of the form:
.sp
@@ -179,7 +181,7 @@
The host_pattern obeys the same syntax rules as host names and
addresses in client_list context. Usually, server endpoint information
is available only with connection-oriented services.
-.SH CLIENT USERNAME LOOKUP
+.SH "CLIENT USERNAME LOOKUP"
When the client host supports the RFC 931 protocol or one of its
descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve
additional information about the owner of a connection. Client username
@@ -223,7 +225,7 @@
.PP
would match members of the pc netgroup without doing username lookups,
but would perform username lookups with all other systems.
-.SH DETECTING ADDRESS SPOOFING ATTACKS
+.SH "DETECTING ADDRESS SPOOFING ATTACKS"
A flaw in the sequence number generator of many TCP/IP implementations
allows intruders to easily impersonate trusted hosts and to break in
via, for example, the remote shell service. The IDENT (RFC931 etc.)
@@ -257,7 +259,7 @@
The examples use host and domain names. They can be improved by
including address and/or network/netmask information, to reduce the
impact of temporary name server lookup failures.
-.SH MOSTLY CLOSED
+.SH "MOSTLY CLOSED"
In this case, access is denied by default. Only explicitly authorized
hosts are permitted access.
.PP
@@ -287,7 +289,7 @@
netgroup. The second rule permits access from all hosts in the
\fIfoobar.edu\fP domain (notice the leading dot), with the exception of
\fIterminalserver.foobar.edu\fP.
-.SH MOSTLY OPEN
+.SH "MOSTLY OPEN"
Here, access is granted by default; only explicitly specified hosts are
refused service.
.PP
@@ -303,7 +305,7 @@
.PP
The first rule denies some hosts and domains all services; the second
rule still permits finger requests from other hosts and domains.
-.SH BOOBY TRAPS
+.SH "BOOBY TRAPS"
The next example permits tftp requests from hosts in the local domain
(notice the leading dot). Requests from any other hosts are denied.
Instead of the requested file, a finger probe is sent to the offending
@@ -354,15 +356,18 @@
/etc/hosts.deny, (daemon,client) pairs that are denied access.
.ad
.fi
-.SH SEE ALSO
+.SH "SEE ALSO"
.nf
-tcpdchk(8), tcpdmatch(8), test programs.
+hosts_options(5), tcpdchk(8), tcpdmatch(8), test programs.
.SH BUGS
If a name server lookup times out, the host name will not be available
to the access control software, even though the host is registered.
.PP
Domain name server lookups are case insensitive; NIS (formerly YP)
netgroup lookups are case sensitive.
+.PP
+The total length of an entry can be no more than 2047 characters long,
+including the final newline.
.SH AUTHOR
.na
.nf
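Review bot: the new BUGS paragraph repeats the 2047-character limit already added to ACCESS CONTROL RULES word for word; keep the normative statement in one place and have the other refer to it (or, if the limit stays in BUGS, make it earn its place there by describing the observable misbehaviour on overlong entries, since a fixed limit on its own is a documented constraint rather than a bug). The same "characters long" redundancy applies here. In SEE ALSO, adding hosts_options(5) is good, but "test programs" is not a manual page reference; either name the pages or drop it from the .nf list.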
>Audit-Trail:
>Unformatted: