From e0fc82203d677a6f1e808e9a1a46176c109d89be Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 15 Dec 2014 23:08:59 +0000 Subject: Initial commit --- doc/s6-ipcserver-access.html | 172 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 172 insertions(+) create mode 100644 doc/s6-ipcserver-access.html (limited to 'doc/s6-ipcserver-access.html') diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html new file mode 100644 index 0000000..817425b --- /dev/null +++ b/doc/s6-ipcserver-access.html @@ -0,0 +1,172 @@ + + + + + s6-networking: the s6-ipcserver-access program + + + + + + +

+s6-networking
+Software
+skarnet.org +

+ +

The s6-ipcserver-access program

+ +

+s6-ipcserver-access is a command-line access +control tool for Unix domain sockets on systems where the +getpeereid() system call can be implemented. +It is meant to be run after +s6-ipcserver and before +the application program on the s6-ipcserver command line. +

+ +

Interface

+ +
+     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...
+
+ + + +

Environment variables

+ +

+s6-ipcserver-access expects to inherit some environment variables from +its parent: +

+ + + +

+ Additionally, it exports the following variables before executing into +prog...: +

+ + + +

+ Also, the access rules database can instruct s6-ipcserver-access to set +up, or unset, more environment variables, depending on the client address. +

+ +

Options

+ + + +

Access rule checking

+ +

+ s6-ipcserver-access checks its client connection against +a ruleset. This ruleset can be implemented: +

+ + + +

+ The exact format of the ruleset is described on the +s6-accessrules-cdb-from-fs page. +

+ +

+s6-ipcserver-access first reads the client UID uid and +GID gid from the +${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks +them with the +s6net_accessrules_keycheck_uidgid() +function. In other words, it tries to match: + +

+ +

+ in that order. If no S6NET_ACCESSRULES_ALLOW result can be obtained, +the connection is denied. +

+ +

Environment and executable modifications

+ +

+ s6-ipcserver-access interprets non-empty env subdirectories +and exec files +it finds in the first matching rule of the ruleset, as explained +in the s6-accessrules-cdb-from-fs +page. +

+ + + + + -- cgit v1.2.3