Provided by: root-system-common_5.34.30-0ubuntu8_all 
NAME
system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons
LOCATIONS
ROOTDAEMORC, $HOME/.rootdaemonrc
/etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc
DESCRIPTION
This manual page documents the format of directives specifying access control directives
for ROOT daemons. These directives are read from a text file whose full path is taken from
the environment variable ROOTDAEMONRC. If such a variable in undefined, the daemon looks
for a file named .rootdaemonrc in the $HOME directory of the user starting the daemon; if
this file does not exists either, the file system.rootdaemonrc, located under /etc/root or
$ROOTSYS/etc, is used. If none of these file exists (or is readable), the daemon makes
use of a default built-in directive derived from the configuration options of the
installation.
FORMAT
* lines starting with '#' are comment lines.
* hosts can specified either with their name (e.g. pcepsft43), their FQDN (e.g.
pcepsft43.cern.ch) or their IP address (e.g. 137.138.99.73).
* host names can be followed by :rootd, :proofd or :sockd to define directives
applying only to the given service; 'sockd' applies to servers run from interactive
sessions (TServerSocket class)
* directives applying to all host can be specified either by 'default' or '*'
* the '*' character can be used in any field of the name to indicate a set of
machines or domains, e.g. pcepsft*.cern.ch applies to all 'pcepsft' machines in the
domain 'cern.ch'. (to indicate all 'lxplus' machines you should use
'lxplus*.cern.ch' because internally the generic lxplus machine has a real name of
the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about
domain name checking).
* a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it' or
'.ch'
* truncated IP address can also be used to indicate a set of machines; they are
interpreted as the very first or very last part of the address; for example, to
select 137.138.99.73, any of these is valid: '137.138.99', '137.138', '137`,
'99.73'; or with wild cards: '137.13*' or '*.99.73`; however, '138.99' is invalid
because ambiguous.
* the information following the name or IP address indicates, in order of preference,
the short names or the internal codes of authentication methods accepted for
requests coming from the specified host(s); the ones implemented so far are:
Method nickname code
UsrPwd usrpwd 0
SRP srp 1
Kerberos krb5 2
Globus globus 3
SSH ssh 4
UidGid uidgid 5 (insecure)
(The insecure method is intended to speed up access within a cluster protected by
other means from outside attacks; should not be used for inter-cluster or inter-
domain authentication). Methods non specified explicitly are not accepted. For the
insecure method it is possible to give access only to a specific list of users by
specifying the usernames after the method separated by colons (:) example:
uidgid:user1:user2:user3
will allow uidgid access only to users user1, user2 and user3. This is useful to
give easy access to data servers. It is also possible to deny access to a user by
using a '-' in front of the name:
uidgid:-user4
* Lines ending with 'ยด are followed by additional information for the host on the
next line; the name of the host should not be repeated.
EXAMPLES
Valid examples:
default none
All requests are denied unless specified by dedicated directives.
default 0 ssh
Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'
137.138. 0 4
Authentication mechanisms allowed from host in the domain 137.138. (cern.ch) are
'usrpwd' (code 0) and 'ssh'
pceple19.cern.ch 4 1 3 2 5 0
All mechanisms are accepted for requests coming from host pceple19.cern.ch .
lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and 'globus';
users 'qwerty' and 'uytre' can also use 'usrpwd' .
pcep*.cern.ch:rootd 0:-qwerty 4
Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' and 'ssh'
when accessing the 'rootd' daemon ; user 'qwerty' can only use 'ssh'.
SEE ALSO
rootd(1), proofd(1)
For more information on the ROOT system, please refer to http://root.cern.ch/ .
ORIGINAL AUTHORS
The ROOT team (see web page above):
Rene Brun and Fons Rademakers
COPYRIGHT
This library is free software; you can redistribute it and/or modify it under the terms of
the GNU Lesser General Public License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this
library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA
AUTHOR
This manual page was written by G. Ganis <g.ganis@cern.ch> .