Access control for TCP based services

DACinet uses the /etc/rc.dacinet startup file, and the configuration files it uses are /etc/security/priv, /etc/security/services, and /etc/security/acl.

Ports listed in /etc/security/services are considered exempt from the ACL checks. The file has the same format as /etc/services. The easiest way to initialize it is to copy the file from /etc to /etc/security and then delete all the ports for which ACLs should be applied. The ACLs are stored in two places. The currently active ACLs are stored in the kernel and can be read by running dacinet aclls. ACLs that will be reactivated at the next system boot by /etc/rc.tcpip are stored in /etc/security/acl. The following format is used:

service host/prefix-length [user|group]

The service can be specified either numerically or by the name listed in /etc/services; the host can be given either as a host name or as a network address with a subnet mask (prefix-length) specification; and the user or group is specified with the u: or g: prefix. When no user or group is specified, the ACL takes only the sending host into account. Prefixing the service with a - explicitly denies access. ACLs are evaluated on a first-match basis, so you can grant access to a group of users but explicitly deny it for one user in that group by placing the rule for that user before the group rule.
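To make the first-match semantics concrete, here is an added example (not IBM's code, and not how the kernel implements DACinet) that parses a small constructed /etc/security/acl and evaluates a connection against it. It assumes hosts are written as network addresses rather than host names, uses a tiny hypothetical stand-in for /etc/services, and treats "no matching rule" as deny, which the text above does not state.

```python
import ipaddress

# Constructed sample in the "service host/prefix-length [user|group]" format.
# The deny rule for user guest is placed before the group rule on purpose.
SAMPLE_ACL = """\
# service host/prefix-length [user|group]
-telnet 10.0.0.0/8 u:guest
telnet 10.0.0.0/8 g:staff
ftp 192.168.1.5/32
"""

# Hypothetical stand-in for the /etc/services name-to-port lookup.
SERVICES = {"telnet": 23, "ftp": 21}

def parse_acl(text):
    """Parse ACL lines into (deny, port, network, who) tuples, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        svc, host = parts[0], parts[1]
        deny = svc.startswith("-")                # leading '-' means explicit deny
        svc = svc.lstrip("-")
        port = int(svc) if svc.isdigit() else SERVICES[svc]
        net = ipaddress.ip_network(host, strict=False)   # host/prefix-length only
        who = parts[2] if len(parts) > 2 else None       # "u:name", "g:name" or None
        rules.append((deny, port, net, who))
    return rules

def check(rules, port, src_ip, user=None, groups=(), exempt=frozenset()):
    """First matching rule decides; exempt ports (from /etc/security/services)
    skip the ACL entirely. Assumption: no match at all means deny."""
    if port in exempt:
        return True
    src = ipaddress.ip_address(src_ip)
    for deny, rport, net, who in rules:
        if rport != port or src not in net:
            continue                               # host-only part did not match
        if who is not None:                        # rule also names a user or group
            kind, name = who.split(":", 1)
            if kind == "u" and name != user:
                continue
            if kind == "g" and name not in groups:
                continue
        return not deny                            # first match wins
    return False
```

Because guest is denied before the staff rule is reached, a staff member named guest is still refused, while another staff member from the same network is admitted.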

The /etc/services file includes two entries with port number values which are not supported in AIX®. The system administrator must remove both lines from that file prior to executing the mkCCadmin command. Remove the following lines from the /etc/services file:
sco_printer     70000/tcp     sco_spooler    # For System V print IPC
sco_s5_port     70001/tcp     lpNet_s5_port  # For future use