
in.rshd : ALL : (safe_finger -l @%h | /usr/sbin/mail -s %d-%h root) &

The shell command in a hosts.deny file allows you to run additional processes when a match occurs in the access control list. For example, an entry can run safe_finger to query which users are logged in on the remote host and mail the results to the root account, notifying the administrator of a potential security incident. The ampersand runs the commands in the background so tcpd can continue working.

Uploaded by

JeandelaSagesse

The shell command allows you to define additional processing that is triggered by a match in the access control list. In all practical examples, this feature is used in the hosts.deny file to gather more information about the intruder or to provide immediate notification to the system administrator about a potential security attack. For example:

in.rshd : ALL : (safe_finger -l @%h | /usr/sbin/mail -s %d-%h root) &

In this example from a hosts.deny file, all systems are denied access to rshd. After logging the attempted access and blocking it, tcpd sends the safe_finger command to the shell for execution. All versions of finger, including safe_finger, query the remote host to find out who is logged in to that host. This information can be useful when tracking down an attacker. The result of the safe_finger command is mailed to the root account. The ampersand (&) at the end of the line causes the shell commands to run in the background. This is important; without it, tcpd would sit and wait for these programs to complete before returning to its own work.

Note: The safe_finger program is provided with the tcpd wrapper software. It is specially modified to be less vulnerable to attack than the standard finger program.

There are some variables, such as %h and %d, used in the shell command example. These tcpd wrapper variables, listed in Table 12.1, allow you to take values for the incoming connection and use them in the shell process.
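
Added example (not part of the original document and not tcpd's own code): a simplified shell model of how %h and %d are substituted into the shell command before it runs. hosts_access(5) documents that characters in % expansions that may confuse the shell are replaced by underscores; the allow-list, the function names and the client host names below are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: simplified model of %h / %d substitution in a hosts.deny
# shell command. Not tcpd's own code; names and allow-list are assumptions.

# Replace every character outside a conservative allow-list with "_",
# mirroring the documented rule that shell-confusing characters in
# % expansions become underscores.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9@:,./_=+-' '_'
}

# Return the shell-command field (third field onward) of a rule line.
rule_command() {
    printf '%s\n' "$1" | cut -d: -f3- | sed 's/^[[:space:]]*//'
}

# Substitute sanitized daemon (%d) and client host (%h) into a template.
expand_rule() {
    template=$1
    daemon=$(sanitize "$2")
    host=$(sanitize "$3")
    printf '%s\n' "$template" | sed -e "s|%h|$host|g" -e "s|%d|$daemon|g"
}

# Constructed inputs: the rule from the text and two sample client names.
rule='in.rshd : ALL : (safe_finger -l @%h | /usr/sbin/mail -s %d-%h root) &'
cmd=$(rule_command "$rule")

echo "template: $cmd"
echo "normal  : $(expand_rule "$cmd" in.rshd client.example.net)"
# A name carrying shell metacharacters is neutralized before the shell sees it.
echo "hostile : $(expand_rule "$cmd" in.rshd 'bad$(name).example.net')"
```

The client host name comes from the remote side of the connection, which is why the substituted value has to be sanitized before it reaches the shell.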
