Provided by: root-system-common_5.34.14-1build1_all

NAME

       system.rootdaemonrc, .rootdaemonrc - access control directives for ROOT daemons

LOCATIONS

       $ROOTDAEMONRC, $HOME/.rootdaemonrc
       /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc

DESCRIPTION

       This manual page documents the format of the directives that specify access control for
       ROOT daemons. These directives are read from a text file whose full path is taken from the
       environment variable ROOTDAEMONRC. If this variable is undefined, the daemon looks for a
       file named .rootdaemonrc in the $HOME directory of the user starting the daemon; if this
       file does not exist either, the file system.rootdaemonrc, located under /etc/root or
       $ROOTSYS/etc, is used. If none of these files exists (or is readable), the daemon uses a
       default built-in directive derived from the configuration options of the installation.

FORMAT

       *      lines starting with '#' are comment lines.

       *      hosts can be specified either by their name (e.g. pcepsft43), their FQDN (e.g.
              pcepsft43.cern.ch) or their IP address (e.g. 137.138.99.73).

       *      host names can be followed by :rootd, :proofd or :sockd to define directives
              applying only to the given service; 'sockd' applies to servers run from interactive
              sessions (TServerSocket class).

       *      directives applying to all hosts can be specified either by 'default' or '*'.

       *      the '*' character can be used in any field of the name to indicate a set of
              machines or domains, e.g. pcepsft*.cern.ch applies to all 'pcepsft' machines in the
              domain 'cern.ch'. (To indicate all 'lxplus' machines you should use
              'lxplus*.cern.ch', because internally the generic lxplus machine has a real name of
              the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about
              domain name checking.)

       *      a whole domain can be indicated by its  name,  e.g.  'cern.ch',  'cnaf.infn.it'  or
              '.ch'

       *      truncated IP addresses can also be used to indicate a set of machines; they are
              interpreted as the very first or very last part of the address; for example, to
              select 137.138.99.73, any of these is valid: '137.138.99', '137.138', '137',
              '99.73'; or with wild cards: '137.13*' or '*.99.73'; however, '138.99' is invalid
              because it is ambiguous (it is neither a leading nor a trailing part of the
              address).

       *      the information following the name or IP address indicates, in order of preference,
              the short names or the  internal  codes  of  authentication  methods  accepted  for
              requests coming from the specified host(s); the ones implemented so far are:

                 Method                           nickname    code

                 UsrPwd                            usrpwd       0
                 SRP                               srp          1
                 Kerberos                          krb5         2
                 Globus                            globus       3
                 SSH                               ssh          4
                 UidGid                            uidgid       5   (insecure)

              (The insecure method is intended to speed up access within a cluster protected by
              other means from outside attacks; it should not be used for inter-cluster or
              inter-domain authentication.) Methods not specified explicitly are not accepted. For
              the insecure method it is possible to grant access only to a specific list of users
              by specifying the usernames after the method, separated by colons (:); for example:

                 uidgid:user1:user2:user3

              will  allow  uidgid  access only to users user1, user2 and user3. This is useful to
              give easy access to data servers. It is also possible to deny access to a  user  by
              using a '-' in front of the name:

                 uidgid:-user4

       *      Lines ending with '\' are followed by additional information for the host on the
              next line; the name of the host should not be repeated.

EXAMPLES

       Valid examples:

       default none
              All requests are denied unless specified by dedicated directives.

       default 0 ssh
              Authentication mechanisms allowed by default are 'usrpwd' (code 0) and 'ssh'.

       137.138. 0 4
              Authentication mechanisms allowed from hosts in the domain 137.138. (cern.ch) are
              'usrpwd' (code 0) and 'ssh'.

       pceple19.cern.ch 4 1 3 2 5 0
              All mechanisms are accepted for requests coming from host pceple19.cern.ch.

       lxplus*.cern.ch 4 1 globus 0:qwerty:uytre
              Requests from the lxplus cluster can authenticate using 'ssh', 'srp' and 'globus';
              users 'qwerty' and 'uytre' can also use 'usrpwd'.

       pcep*.cern.ch:rootd 0:-qwerty 4
              Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' and 'ssh'
              when accessing the 'rootd' daemon; user 'qwerty' can only use 'ssh'.
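
       The following Python program is an added example; it is not part of the ROOT distribution
       or of this manual page. It parses a directive file in the format described under FORMAT
       (comment lines, backslash continuation lines, host specifications with :rootd/:proofd/:sockd
       suffixes, method nicknames or codes, per-user ':user' and ':-user' lists, truncated and
       wildcarded IP addresses) and reports which methods a given user may use from a given host
       for a given service. The sample directives are constructed from the EXAMPLES above. The
       rule that the first matching specific host line wins, with 'default'/'*' consulted only
       when no specific line matches, is an assumption of the example, not something this manual
       page states; check the daemon's own behaviour before relying on it.

```python
"""Evaluator for rootdaemonrc-style access control directives.

Added example, not ROOT's own code. Assumption not stated in the manual
page: the first matching specific host line wins, and 'default'/'*' is
consulted only when no specific line matches.
"""
import re
from fnmatch import fnmatchcase

# internal codes from the method table, mapped to their nicknames
METHOD_CODES = {"0": "usrpwd", "1": "srp", "2": "krb5",
                "3": "globus", "4": "ssh", "5": "uidgid"}
METHODS = set(METHOD_CODES.values())
SERVICES = ("rootd", "proofd", "sockd")


def _logical_lines(text):
    """Drop '#' comments and blank lines; join lines ending with a backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "   # continuation: host is not repeated
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending.strip())
    return out


def parse(text):
    """Return [(hostspec, service or None, methods)]; methods maps nickname ->
    (allowed users or None for everybody, denied users), in order of preference."""
    rules = []
    for line in _logical_lines(text):
        tokens = line.split()
        hostspec, service = tokens[0], None
        if ":" in hostspec:
            hostspec, service = hostspec.split(":", 1)
            if service not in SERVICES:
                raise ValueError(f"unknown service {service!r}")
        methods = {}
        for tok in tokens[1:]:
            if tok == "none":
                continue                       # 'none': deny everything
            parts = tok.split(":")
            name = METHOD_CODES.get(parts[0], parts[0])
            if name not in METHODS:
                raise ValueError(f"unknown method {parts[0]!r}")
            allow = {u for u in parts[1:] if u and not u.startswith("-")}
            deny = {u[1:] for u in parts[1:] if u.startswith("-")}
            methods[name] = (allow or None, deny)
        rules.append((hostspec, service, methods))
    return rules


def host_matches(spec, hostname, ip):
    """Match one host spec against a client's FQDN and dotted-quad address."""
    if spec in ("default", "*"):
        return True
    if re.fullmatch(r"[0-9.*]+", spec):            # IP-style spec
        if "*" in spec:
            return fnmatchcase(ip, spec)
        s = spec.strip(".")
        # a truncated address matches only as leading or trailing octets;
        # a middle fragment such as '138.99' is ambiguous and never matches
        return ip == s or ip.startswith(s + ".") or ip.endswith("." + s)
    short = hostname.split(".")[0]
    if "*" in spec:
        return fnmatchcase(hostname, spec) or fnmatchcase(short, spec)
    # exact short name, exact FQDN, or domain suffix ('cern.ch', '.ch')
    return spec in (hostname, short) or hostname.endswith("." + spec.lstrip("."))


def allowed_methods(rules, hostname, ip, service, user):
    """Method nicknames 'user' may use from this host for 'service', in order."""
    specific = [r for r in rules if r[0] not in ("default", "*")]
    fallback = [r for r in rules if r[0] in ("default", "*")]
    for spec, svc, methods in specific + fallback:
        if svc is not None and svc != service:
            continue
        if not host_matches(spec, hostname, ip):
            continue
        result = []
        for name, (allow, deny) in methods.items():
            if user in deny or (allow is not None and user not in allow):
                continue
            result.append(name)
        return result
    return []                                      # no line matched: deny


# constructed sample, built from the EXAMPLES section of the manual page
SAMPLE_RC = """\
# fallback used when no specific host line matches (assumption of this example)
default none
pcep*.cern.ch:rootd 0:-qwerty 4
lxplus*.cern.ch 4 1 globus \\
   0:qwerty:uytre
137.138. 0 4
"""
RULES = parse(SAMPLE_RC)

if __name__ == "__main__":
    for host, ip, svc, user in [("lxplus042.cern.ch", "137.138.10.11", "proofd", "qwerty"),
                                ("pcepsft43.cern.ch", "137.138.99.73", "rootd", "qwerty")]:
        print(host, svc, user, "->", allowed_methods(RULES, host, ip, svc, user))
```

       Running the program prints the method list for each constructed client; the order of the
       list is the order of preference given on the matching line. A client that matches no line
       at all is denied, as is one that matches only 'default none'.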

SEE ALSO

       rootd(1), proofd(1)

       For more information on the ROOT system, please refer to http://root.cern.ch/.

ORIGINAL AUTHORS

       The ROOT team (see web page above):
              Rene Brun and Fons Rademakers

COPYRIGHT

       This library is free software; you can redistribute it and/or modify it under the terms of
       the GNU Lesser General Public License as published by the Free Software Foundation; either
       version 2.1 of the License, or (at your option) any later version.

       This  library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE.
       See the GNU Lesser General Public License for more details.

       You  should  have received a copy of the GNU Lesser General Public License along with this
       library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
       Boston, MA  02110-1301  USA

AUTHOR

       This manual page was written by G. Ganis <g.ganis@cern.ch>.