From: "Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	"linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Arjun Shankar <arjun-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Siddhesh Poyarekar
	<siddhesh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Subject: Re: [patch] hosts.equiv.5: Fix format, clarify IdM needs, and provide examples.
Date: Thu, 18 Jun 2015 21:22:02 +0200
Message-ID: <55831A5A.2050407@gmail.com>
In-Reply-To: <558134D3.2010603-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

Hi Carlos,

In this earlier reply, I should have highlighted that there is
one open question I have about your patch, at the end of the mail
below. Could you take a look, please?

Cheers,

Michael


On 06/17/2015 10:50 AM, Michael Kerrisk (man-pages) wrote:
> Hi Carlos,
> 
> I've applied this patch, making a number of formatting changes along
> the way. You might want to review the (rendered) result.
> 
> One other comment below.
> On 05/24/2015 06:58 AM, Carlos O'Donell wrote:
>> Arjun,
>>
>> As promised. Does this look good to you?
>>
>> Michael,
>>
>> In some recent work with a Red Hat customer I had the opportunity
>> to discuss the fine nuances of the ruserok() function and related
>> API which are used to implement rlogin and rsh.
>>
>> It came to my attention after working with QE on some automated
>> internal testing that there were no good examples in the hosts.equiv
>> manual page showing how the format was supposed to work for this
>> file and for ~/.rhosts; worse, the "format" line showed that there
>> should be spaces between arguments when that would clearly lead
>> to incorrect behaviour. In addition, some things that the format
>> allows you to write are just wrong, like "-host -user", which makes
>> no sense since the host is already rejected, and should be written
>> as "host -user" instead. I added notes in the example to make it
>> clear that "-host -user" is invalid.
>>
>> I fixed three things:
>>
>> (a) The format line.
>> - Either +, or [-]hostname, or +@netgrp or -@netgrp.
>> - Either +, or [-]username, or +@netgrp or -@netgrp.
>> - You must specify something in the hostname portion so remove
>>   optional brackets.
>>
>> (b) Clarify language around credentials
>> - If the host is not trusted you must provide credentials to
>>   the login system and that could be anything really and it
>>   depends on your configuration e.g. PAM or whatever IdM you have.
>>
>> (c) Provide real-world examples
>> - Provide several real world examples and some corner case
>>   examples for how you would write something. Hopefully others
>>   can add examples as they see fit.
>>
>> Patch applies to trunk.
>>
>> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>
>> diff --git a/man5/hosts.equiv.5 b/man5/hosts.equiv.5
>> index 89d0b4a..c8e85ac 100644
>> --- a/man5/hosts.equiv.5
>> +++ b/man5/hosts.equiv.5
>> @@ -22,7 +22,7 @@ supplying a password.
>>  .PP
>>  The file uses the following format:
>>  .TP
>> -\fI[ + | \- ]\fP \fI[hostname]\fP \fI[username]\fP
>> +\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
>>  .PP
>>  The
>>  .I hostname
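Review bot: the new format line (`+\fI+|[\-]hostname|...`) still admits a minus-prefixed hostname followed by a minus-prefixed username, which the EXAMPLE section added later in this patch declares invalid syntax ("-host -user"); add a sentence right after the format line stating that a hostname preceded by a minus sign takes no username field because the whole host is rejected, otherwise the grammar and the examples contradict each other. A smaller point: the `|` separators and the brackets sit inside the `\fI...\fP` run, so they render in italics like the placeholders; one `.TP` entry per alternative (`\fB+\fP`, `[\fB\-\fP]\fIhostname\fP`, `\fB+@\fP\fInetgroup\fP`, `\fB\-@\fP\fInetgroup\fP`) would be far easier to read.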
>> @@ -37,9 +37,9 @@ If the plus sign is used alone, it allows any host to access your system.
>>  You can explicitly deny access to a host by preceding the
>>  .I hostname
>>  by a minus (\-) sign.
>> -Users from that host must always supply a password.
>> -For security reasons you should always use the FQDN of the hostname and
>> -not the short hostname.
>> +Users from that host must always supply additional credentials,
>> +including possibly a password. For security reasons you should always
>> +use the FQDN of the hostname and not the short hostname.
>>  .PP
>>  The
>>  .I username
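Review bot: "must always supply additional credentials, including possibly a password" is vaguer than the sentence it replaces, and the actual reason is only in the commit message (what is required depends on the login system's configuration, e.g. PAM or another IdM); put that in the page itself, e.g. "Users from that host must always authenticate through the normal login mechanism (for example, PAM), which may require a password." Also, the FQDN advice has been run onto the same lines as the deny rule; keep it starting on its own line, since man-pages begins each new sentence on a new line, which keeps later diffs to this paragraph readable.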
>> @@ -81,6 +81,112 @@ character which means "any host" only when the word
>>  is added to the auth component line in your PAM file for
>>  the particular service
>>  .RB "(e.g., " rlogin ).
>> +.SH EXAMPLE
>> +Here are some example
>> +.I /etc/host.equiv
>> +or
>> +.I ~/.rhosts
>> +files:
>> +.TP
>> +Allow any user to login from any host:
>> +.LP
>> +.RS 4
>> +.TP
>> ++
>> +.PD
>> +.RE
>> +.TP
>> +Allow any user from host with a matching local account to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host
>> +.PD
>> +.RE
>> +.PP
>> +Note: The use of
>> +.B +host
>> +is never a valid syntax, including attempting to specify that any user from the host is allowed.
>> +.TP
>> +Allow any user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host +
>> +.PD
>> +.RE
>> +.PP
>> +Note: This is distinct from the previous example since it does not require a matching local account.
>> +.TP
>> +Allow user from host to login:
>> +.LP
>> +.RS 4
>> +.TP
>> +host user
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users with matching local accounts from host to login except for baduser:
>> +.LP
>> +.RS 4
>> +.PD 0
>> +.TP
>> +host -baduser
>> +.TP
>> +host
>> +.PD
>> +.RE
>> +.TP
>> +Deny all users from host:
>> +.LP
>> +.RS 4
>> +.TP
>> +-host
>> +.PD
>> +.RE
>> +.PP
>> +Note: The use of
>> +.B -host -user
>> +is never a valid syntax, including attempting to specify that a particular user from the host is not trusted.
>> +.TP
>> +Allow all users with matching local accounts in all hosts in the netgroup:
>> +.LP
>> +.RS 4
>> +.TP
>> ++@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Disallow all users in all hosts in the netgroup:
>> +.LP
>> +.RS 4
>> +.TP
>> +-@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users in netgroup to login from host:
>> +.LP
>> +.RS 4
>> +.TP
>> +host +@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Allow all users with matching local accounts in all hosts in the netgroup except baduser:
>> +.LP
>> +.RS 4
>> +.PD 0
>> +.TP
>> ++@netgroup -baduser
>> +.TP
>> ++@netgroup
>> +.PD
>> +.RE
>> +.TP
>> +Note: The deny statements must always preceed the allow statements because the file is processed one line at a time.
> 
> This last explanation feels incomplete. Should it not be something like:
> 
>    The deny statements must always precede the allow statements 
>    because the file is processed sequentially until the first
>    matching rule is found.
> 
> ?
> 
>> +
>> +
>>  .SH SEE ALSO
>>  .BR rhosts (5),
>>  .BR rlogind (8),
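Review bot: `+.I /etc/host.equiv` misnames the file; the page documents `/etc/hosts.equiv` (see the diff path `man5/hosts.equiv.5`), so the example intro should read `.I /etc/hosts.equiv`. The closing Note ("The deny statements must always preceed ...") is introduced with `.TP` while every other Note in the section uses `.PP`; with `.TP` the Note text becomes a paragraph tag with no body, so change it to `.PP` and fix "preceed" to "precede". The two empty `+` lines before `.SH SEE ALSO` add blank source lines for no purpose and can be dropped.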
> 
> Cheers,
> 
> Michael
>  
> 
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/