From ebfd0ba17e0d4b220725018d16e294e8e22a1745 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Thu, 15 Jan 2015 20:51:39 +0000 Subject: Move Unix domain socket and access control stuff to s6. Move seekablepipe to s6-portable-utils. Version: 2.0.1.0, release candidate --- doc/index.html | 26 +-- doc/libs6net/accessrules.html | 331 ------------------------------------ doc/libs6net/index.html | 2 - doc/localservice.html | 151 ---------------- doc/s6-accessrules-cdb-from-fs.html | 141 --------------- doc/s6-accessrules-fs-from-cdb.html | 60 ------- doc/s6-connlimit.html | 96 ----------- doc/s6-ioconnect.html | 84 --------- doc/s6-ipcclient.html | 65 ------- doc/s6-ipcserver-access.html | 172 ------------------- doc/s6-ipcserver-socketbinder.html | 72 -------- doc/s6-ipcserver.html | 173 ------------------- doc/s6-ipcserverd.html | 131 -------------- doc/s6-sudo.html | 59 ------- doc/s6-sudoc.html | 80 --------- doc/s6-sudod.html | 165 ------------------ doc/s6-tcpserver-access.html | 18 +- doc/seekablepipe.html | 36 ---- 18 files changed, 13 insertions(+), 1849 deletions(-) delete mode 100644 doc/libs6net/accessrules.html delete mode 100644 doc/localservice.html delete mode 100644 doc/s6-accessrules-cdb-from-fs.html delete mode 100644 doc/s6-accessrules-fs-from-cdb.html delete mode 100644 doc/s6-connlimit.html delete mode 100644 doc/s6-ioconnect.html delete mode 100644 doc/s6-ipcclient.html delete mode 100644 doc/s6-ipcserver-access.html delete mode 100644 doc/s6-ipcserver-socketbinder.html delete mode 100644 doc/s6-ipcserver.html delete mode 100644 doc/s6-ipcserverd.html delete mode 100644 doc/s6-sudo.html delete mode 100644 doc/s6-sudoc.html delete mode 100644 doc/s6-sudod.html delete mode 100644 doc/seekablepipe.html (limited to 'doc') diff --git a/doc/index.html b/doc/index.html index 3b65640..c6d61fa 100644 --- a/doc/index.html +++ b/doc/index.html @@ -45,7 +45,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.

execline version 2.0.1.1 or later

s6 version -2.0.1.0 or later

+2.0.2.0 or later

s6-dns version 2.0.0.2 or later

@@ -60,7 +60,7 @@ compiled with IPv6 support, s6-networking is IPv6-ready.

Download

The current released version of s6-networking is 2.0.1.0.
The current released version of s6-networking is 2.1.0.0.
Alternatively, you can checkout a copy of the s6-networking git repository:
```
 git clone git://git.skarnet.org/s6-networking 
```

@@ -102,7 +102,7 @@ relevant page.

The s6-taiclockd program

UCSPI implementation

UCSPI TCP implementation

The s6-tcpclient program
The s6-tcpserver6 program
The s6-tcpserver6-socketbinder program
The s6-tcpserver6d program
The s6-ipcclient program
The s6-ipcserver program
The s6-ipcserver-socketbinder program
The s6-ipcserverd program
The s6-ioconnect program

TCP and Unix access control

TCP access control

- -

suidless privilege gain

- -

IDENT protocol implementation

@@ -148,7 +132,6 @@ relevant page.

Miscellaneous utilities

@@ -157,7 +140,6 @@ relevant page.

diff --git a/doc/libs6net/accessrules.html b/doc/libs6net/accessrules.html deleted file mode 100644 index ea996b7..0000000 --- a/doc/libs6net/accessrules.html +++ /dev/null @@ -1,331 +0,0 @@ - - - - - s6-networking: the accessrules library interface - - - - - - -

-libs6net
-s6-networking
-Software
-skarnet.org -

- -

The `accessrules` library interface

- -

- The following functions and structures are declared in the s6-networking/accessrules.h header, -and implemented in the libs6net.a or libs6net.so library. -

- -

General information

- -

- s6net_accessrules is an access control library. It looks up -a key in a user-specified database, then returns a code depending on -whether the database allows access (in which case additional information -can also be returned), denies access, or does not contain the key. -

- -

- accessrules has been designed to be easily extensible to any -database format and any key format. -

- -

- Check the s6-networking/accessrules.h header for the exact definitions. -

- -

Data structures

- -

A s6net_accessrules_result_t is a scalar that -can have the following values: S6NET_ACCESSRULES_ERROR, -S6NET_ACCESSRULES_DENY, S6NET_ACCESSRULES_ALLOW or S6NET_ACCESSRULES_NOTFOUND.
A s6net_accessrules_params_t is a structure containing two -strallocs, -.env and .exec, used to return data contained in the -database when a key has been allowed. The interpretation of this data is -application-defined.

- -

Function types

- -

Backend lookups

- -

- A s6net_accessrules_backend_func_t is the type of a function -that takes a single key, looks it up in a database, and returns the result. -Namely: -

- -

-s6net_accessrules_result_t f (char const *key, unsigned int keylen, void *handle, s6net_accessrules_params_t *params) -

- -

- f looks up key key of length keylen in the database -represented by handle in an implementation-defined way. It returns a -number that says the key has been allowed, denied or not found, or an error -occurred. If the key has been allowed, f stores additional information -from the database into *params. -

- -

- Two s6net_accessrules_backend_func_t functions are natively implemented: -

- -

s6net_accessrules_backend_fs takes a char const * -handle and interprets it as a base directory to look up key -under, in the format understood by -s6-accessrules-cdb-from-fs.
s6net_accessrules_backend_cdb takes a struct cdb * -handle and looks up key in the -CDB it points to. handle must -already be mapped to a CDB file. Such a file can be built with the -s6-accessrules-cdb-from-fs -utility.

- -

Frontend key checking

- -

- A s6net_accessrules_keycheck_func_t is the type of a function that -takes a user-level key, makes a list of corresponding backend-level keys and -calls a s6net_accessrules_backend_func_t function until it finds -a match. Namely: -

- -

-s6net_accessrules_result_t f (void const *key, void *handle, s6net_accessrules_params_t *params, s6net_accessrules_backend_func_t *backend) -

- -

- f derives a list of low-level keys to check from key. -Then, for each key k of length klen in this list, it calls -(*backend)(k, klen, handle, params), returning *backend's result if it -is not S6NET_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, -f finally returns S6NET_ACCESSRULES_NOTFOUND. -

- -

- Five s6net_accessrules_keycheck_func_t functions are natively implemented: -

- -

- - s6net_accessrules_keycheck_uidgid interprets key as a -diuint, i.e. a -structure containing two unsigned ints. The first one is interpreted as an -uid u, the second one as a gid g. The function first looks -for a uid/u match; if it cannot find one, it looks for a -gid/g match. If it cannot find one either, it checks -uid/default and returns the result.
-
- s6net_accessrules_keycheck_reversedns interprets key -as a string containing a FQDN. Then for each suffix k of key, -starting with key itself and ending with key's TLD, -it looks up reversedns/k. The final dot is excluded from -k. If no match can be found, the function checks reversedns/@ -and returns the result. For instance, if key is "foo.bar.com", -the following strings are looked up, in that order: -
- reversedns/foo.bar.com
- reversedns/bar.com
- reversedns/com
- reversedns/@

-
- s6net_accessrules_keycheck_ip4 interprets key as -4 network-byte-order characters containing an IPv4 address. Then for each -netmask mask from 32 to 0, it constructs the IPv4 network -prefix addr corresponding to that address, and looks up -ip4/addr_mask. For instance, if key -is "\300\250\001\007", representing the 192.168.1.7 address, the following -strings are looked up, in that order: -
- ip4/192.168.1.7_32
- ip4/192.168.1.6_31
- ip4/192.168.1.4_30
- ip4/192.168.1.0_29
- ip4/192.168.0.0_28
- ip4/192.168.0.0_27
- and so on, down to: -
- ip4/192.0.0.0_3
- ip4/192.0.0.0_2
- ip4/128.0.0.0_1
- ip4/0.0.0.0_0
- Note that the ip4/0.0.0.0_0 string is a catch-all key that -matches everything.

-
- s6net_accessrules_keycheck_ip6 interprets key as -16 network-byte-order characters containing an IPv6 address. Then for each -netmask mask from 128 to 0, it constructs the IPv6 network -prefix addr corresponding to that address, -in canonical form, -and looks up -ip6/addr_mask. For instance, if key -is "*\0\024P@\002\b\003\0\0\0\0\0\0\020\006", representing the -2a00:1450:4002:803::1006 address, the following -strings are looked up, in that order: -
- ip6/2a00:1450:4002:803::1006_128
- ip6/2a00:1450:4002:803::1006_127
- ip6/2a00:1450:4002:803::1004_126
- ip6/2a00:1450:4002:803::1000_125
- ip6/2a00:1450:4002:803::1000_124
- ip6/2a00:1450:4002:803::1000_123
- ip6/2a00:1450:4002:803::1000_122
- ip6/2a00:1450:4002:803::1000_121
- ip6/2a00:1450:4002:803::1000_120
- ip6/2a00:1450:4002:803::1000_119
- ip6/2a00:1450:4002:803::1000_118
- ip6/2a00:1450:4002:803::1000_117
- ip6/2a00:1450:4002:803::1000_116
- ip6/2a00:1450:4002:803::1000_115
- ip6/2a00:1450:4002:803::1000_114
- ip6/2a00:1450:4002:803::1000_113
- ip6/2a00:1450:4002:803::_112
- ip6/2a00:1450:4002:803::_111
- and so on, down to: -
- ip6/2a00::_11
- ip6/2800::_10
- ip6/2800::_9
- ip6/2000::_8
- ip6/2000::_7
- ip6/2000::_6
- ip6/2000::_5
- ip6/2000::_4
- ip6/2000::_3
- ip6/::_2
- ip6/::_1
- ip6/::_0
- Note that the ip6/::_0 string is a catch-all key that -matches everything.

- - s6net_accessrules_keycheck_ip46 interprets key as a pointer to an -ip46_t, and -behaves either as s6net_accessrules_keycheck_ip6 or s6net_accessrules_keycheck_ip4, -depending on the type of address *key contains.

- -

Ready-to-use functions

- - Those functions are mostly macros; they're built by associating a frontend -function with a backend function. - -

-s6net_accessrules_result_t s6net_accessrules_uidgid_cdb -(unsigned int u, unsigned int g, struct cdb *c, -s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for uid u -and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_uidgid_fs -(unsigned int u, unsigned int g, char const *dir, -s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for uid u -and gid g. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_reversedns_cdb -(char const *name, struct cdb *c, -s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the -name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_reversedns_fs -(char const *name, char const *dir, -s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the -name FQDN. If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip4_cdb -(char const *ip4, struct cdb *c, -s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the -ip4 IPv4 address (4 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip4_fs -(char const *ip4, char const *dir, -s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the -ip4 IPv4 address (4 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip6_cdb -(char const *ip6, struct cdb *c, -s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the -ip6 IPv6 address (16 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip6_fs -(char const *ip6, char const *dir, -s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the -ip6 IPv6 address (16 network byte order characters). -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip46_cdb -(ip46_t *ip, struct cdb *c, -s6net_accessrules_params_t *params)
-Checks the *c CDB database for an authorization for the -ip IP address. -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- -

-s6net_accessrules_result_t s6net_accessrules_ip46_fs -(ip46_t const *ip, char const *dir, -s6net_accessrules_params_t *params)
-Checks the dir base directory for an authorization for the -ip IP address. -If the result is S6NET_ACCESSRULES_ALLOW, additional -information may be stored into params. -

- - - diff --git a/doc/libs6net/index.html b/doc/libs6net/index.html index 4fb35ff..36440ac 100644 --- a/doc/libs6net/index.html +++ b/doc/libs6net/index.html @@ -53,8 +53,6 @@ own header.

The s6-networking/accessrules.h header -provides function to check credentials against configuration files.
The s6-networking/ident.h header provides a small IDENT client (RFC 1413).

diff --git a/doc/localservice.html b/doc/localservice.html deleted file mode 100644 index af7aafb..0000000 --- a/doc/localservice.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - s6-networking: what is a local service - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

Local services

- -

- A local service is a daemon that listens to incoming connections -on a Unix domain socket. Clients of the service are programs connecting to -this socket: the daemon performs operations on their behalf. -

- -

- The service is called local because it is not accessible to -clients from the network. -

- -

- A widely known example of a local service is the syslogd daemon. -On most implementations, it listens to the /dev/log socket. -Its clients connect to it and send their logs via the socket. The -openlog() function is just a wrapper arround the connect() -system call, the syslog() function a wrapper around write(), -and so on. -

- -

Benefits

- -

Privileges

- -

- The most important benefit of a local service is that it permits -controlled privilege gains without using setuid programs. -The daemon is run as user S; a client running as user C and connecting to -the daemon asks it to perform operations: those will be done as user S. -

- -

- Standard Unix permissions on the listening socket can be used to implement -some basic access control: to restrict access to clients belonging to group -G, change the socket to user S and group G, and give it 0420 permissions. -This is functionally equivalent to the basic access control for setuid -programs: a program having user S, group G and permissions 4750 will be -executable by group G and run with S rights. -

- -

- But modern systems implement the -getpeereid() -system call or library function. This function allows the server to know the -client's credentials: so fine-grained access control is possible. On those -systems, local services can do as much authentication as setuid programs, -in a much more controlled environment. -

- -

fd-passing

- -

- The most obvious difference between a local service and a network service -is that a local service does not serve network clients. But local services -have another nice perk: while network services usually only provide you -with a single channel (a TCP or UDP socket) of communication between the -client and the server, forcing you to multiplex your data into that -channel, local services allow you to have as many -communication channels as you want. -

- -

-(The SCTP transport layer provides a way for network services to use -several communication channels. Unfortunately, it is not widely deployed -yet, and a lot of network services still depend on TCP.) -

- -

- The fd-passing mechanism is Unix domain socket black magic -that allows one peer of the socket to send open file descriptors to -the other peer. So, if the server opens a pipe and sends one end of -this pipe to a client via this mechanism, there is effectively a -socket and a pipe between the client and the server. -

- -

UCSPI

- -

- The UCSPI protocol -is an easy way of abstracting clients and servers from the network. -A server written as a UCSPI server, just as it can be run -under inetd or s6-tcpserver, can be run under -s6-ipcserver: choose a socket -location and you have a local service. -

- -

- Fine-grained access control can be added by inserting -s6-ipcserver-access in -your server command line after s6-ipcserver. -

- -

- A client written as an UCSPI client, i.e. assuming it has descriptor -6 (resp. 7) open and reading from (resp. writing to) the server socket, -can be run under s6-ipcclient. -

- -

Use in skarnet.org software

- -

- skarnet.org libraries often use a separate process to handle -asynchronicity and background work in a way that's invisible to -the user. Among them are: -

- -

s6-ftrigrd, -managing the reception of notifications and only waking up the client process -when the notification pattern matches a regular expression.
s6lockd, -handling time-constrained lock acquisition on client behalf.
skadnsd, -performing asynchronous DNS queries and only waking up the client process -when an answer arrives.

- -

- Those processes are usually spawned from a client, via the corresponding -*_startf*() library call. But they can also be spawned from a -s6-ipcserver program in a local service configuration. In both cases, they -need an additional control channel to be passed from the server to -the client: the main socket is used for synchronous commands from the client -to the server and their answers, whereas the additional channel, which is -now implemented as a socket as well (but created by the server on-demand -and not bound to a local path), is used for asynchronous -notifications from the server to the client. The fd-passing mechanism -is used to transfer the additional channel from the server to the client. -

- - - diff --git a/doc/s6-accessrules-cdb-from-fs.html b/doc/s6-accessrules-cdb-from-fs.html deleted file mode 100644 index 26105b1..0000000 --- a/doc/s6-accessrules-cdb-from-fs.html +++ /dev/null @@ -1,141 +0,0 @@ - - - - - s6-networking: the s6-accessrules-cdb-from-fs program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-accessrules-cdb-from-fs` program

- -

-s6-accessrules-cdb-from-fs compiles a directory -containing a ruleset suitable for -s6-ipcserver-access or -s6-tcpserver-access into a -CDB file. -

- -

Interface

- -

-     s6-accessrules-cdb-from-fs cdbfile dir
-

- -

s6-accessrules-cdb-from-fs compiles the dir -directory containing a ruleset into a -CDB file -cdbfile then exits 0.

- -

Ruleset directory format

- -

- To be understood by s6-accessrules-cdb-from-fs, -s6-ipcserver-access , or -s6-tcpserver-access , -dir must have a specific format. -

- -

- dir contains a series of directories: -

- -

ip4 for rules on IPv4 addresses
ip6 for rules on IPv6 addresses
reversedns for rules on host names
uid for rules on user IDs
gid for rules on group IDs

- -

-Depending on the application, other directories can appear in dir -and be compiled into cdbfile, but -s6-tcpserver-access only -uses the first three, and -s6-ipcserver-access only -uses the last two. -

- -

- Each of those directories contains a set of rules. A rule is -a subdirectory named after the set of keys it matches, and containing -actions that will be executed if the rule is the first matching rule -for the tested key. -

- -

- The syntax for the rule name is dependent on the nature of keys, and -fully documented on the -accessrules -library page. For instance, a subdirectory named 192.168.0.0_27 -in the ip4 directory will match every IPv4 address in the -192.168.0.0/27 network that does not match a more precise rule. -

- -

- The syntax for the actions, however, is the same for every type of key. -A rule subdirectory can contain the following elements: -

- -

a file (that can be empty) named allow. If such a file exists, -a key matching this rule will be immediately accepted.
a file (that can be empty) named deny. If such a file exists and -no allow file exists, a key matching this rule will be immediately -denied.
a subdirectory named env. If such a directory exists along -with an allow file, then its contents represent environment -modifications that will be applied after accepting the connection and -before executing the next program in the chain, as if the -s6-envdir -program, without options, was applied to env. env -has exactly the same format as a directory suitable for s6-envdir; -however, if the modifications take up more than 4096 bytes when -compiled into cdbfile, then s6-accessrules-cdb-from-fs will -complain and exit 100.
a file named exec. If such a file exists along with an -allow file, then its contents represent a command line that, -interpreted by the -execlineb -launcher, will be executed after accepting the connection, totally bypassing the -original command line. s6-accessrules-cdb-from-fs truncates the exec -file to 4096 bytes max when embedding it into cdbfile, so make -sure it is not larger than that.

- -

Notes

- -

cdbfile can exist prior to, and during, the compilation, -which actually works in a temporary file in the same directory as -cdbfile and performs an atomic replacement when it is done. -So it is not necessary to interrupt a running service during the -compilation.
If s6-accessrules-cdb-from-fs fails at some point, the temporary -file is removed. However, this doesn't happen if -s6-accessrules-cdb-from-fs is interrupted by a signal.
After the program successfully completes, if dir -was a suitable candidate for the -i option of -s6-ipcserver-access or -s6-tcpserver-access, then -cdbfile will be a suitable candidate for the -x option -of the same program, implementing the same ruleset.
cdbfile can be decompiled by the -s6-accessrules-fs-from-cdb -program.

- - - diff --git a/doc/s6-accessrules-fs-from-cdb.html b/doc/s6-accessrules-fs-from-cdb.html deleted file mode 100644 index 91ec98e..0000000 --- a/doc/s6-accessrules-fs-from-cdb.html +++ /dev/null @@ -1,60 +0,0 @@ - - - - - s6-networking: the s6-accessrules-fs-from-cdb program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-accessrules-fs-from-cdb` program

- -

-s6-accessrules-fs-from-cdb decompiles a CDB database -containing a ruleset suitable for -s6-ipcserver-access or -s6-tcpserver-access and -that has been compiled with -s6-accessrules-cdb-from-fs . -

- -

Interface

- -

-     s6-accessrules-fs-from-cdb dir cdbfile
-

- -

s6-accessrules-fs-from-cdb decompiles the -CDB file -cdbfile into the directory dir, then exits 0.

- -

Notes

- -

dir must not exist prior to the decompilation.
dir must be considered as a work in progress as long as -s6-accessrules-fs-from-cdb is running. It is only safe to use dir -as a ruleset once the program has exited.
If s6-accessrules-fs-from-cdb fails at some point, the partial -arborescence at dir is removed. However, this doesn't happen if -s6-accessrules-fs-from-cdb is interrupted by a signal.
After the program successfully completes, if cdbfile -was a suitable candidate for the -x option of -s6-ipcserver-access or -s6-tcpserver-access, then -dir will be a suitable candidate for the -i option -of the same program, implementing the same ruleset.

- - - diff --git a/doc/s6-connlimit.html b/doc/s6-connlimit.html deleted file mode 100644 index 5008b4d..0000000 --- a/doc/s6-connlimit.html +++ /dev/null @@ -1,96 +0,0 @@ - - - - - s6-networking: the s6-connlimit program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-connlimit` program

- -

-s6-connlimit is a small utility to perform IP-based -control on the number of client connections to a TCP socket, and -uid-based control on the number of client connections to a Unix -domain socket. -

- -

Interface

- -

-     s6-connlimit prog...
-

- -

s6-connlimit reads its environment for the PROTO -environment variable, and then for ${PROTO}CONNNUM and ${PROTO}CONNMAX, -which must contain integers.
If the value of ${PROTO}CONNNUM is superior or equal to the value -of ${PROTO}CONNMAX, s6-connlimit exits 1 with an error message.
Else it execs into prog....
If ${PROTO}CONNMAX is unset, s6-connlimit directly execs into -prog... without performing any check: -no maximum number of connections has been defined.

- -

Usage

- -

- The s6-tcpserver4 and -s6-tcpserver6 define the PROTO environment -variable to "TCP", and spawn every child server with the TCPCONNNUM environment -variable set to the number of connections from the same IP address. - The s6-tcpserver-access program -can set environment variables depending on the client's IP address. If the -s6-tcpserver-access database is configured to set the TCPCONNMAX environment -variable for a given set of IP addresses, and s6-tcpserver-access execs into -s6-connlimit, then s6-connlimit will drop connections if there already are -${TCPCONNMAX} connections from the same client IP address. -

- -

- The s6-ipcserver and -s6-ipcserver-access programs can -be used the same way, with "IPC" instead of "TCP", to limit the number -of client connections by UID. -

- -

Example

- -

- The following command line: -

- -

-     s6-tcpserver4 -v2 -c1000 -C40 1.2.3.4 80 \
-     s6-tcpserver-access -v2 -RHl0 -i dir \
-     s6-connlimit \
-     prog...
-

- -

- will run a server listening to IPv4 address 1.2.3.4, on port 80, -serving up to 1000 concurrent connections, and up to 40 concurrent -connections from the same IP address, no matter what the IP address. -For every client connection, it will look up the database set up -in dir; if the connection is accepted, it will run prog.... -

- -

- If the dir/ip4/5.6.7.8_32/env/TCPCONNMAX file -exists and contains the string 30, then at most 30 concurrent -connections from 5.6.7.8 will execute prog..., instead of the -default of 40. -

- - - diff --git a/doc/s6-ioconnect.html b/doc/s6-ioconnect.html deleted file mode 100644 index 5e2b6c6..0000000 --- a/doc/s6-ioconnect.html +++ /dev/null @@ -1,84 +0,0 @@ - - - - - s6-networking: the s6-ioconnect program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ioconnect` program

- -

-s6-ioconnect performs full-duplex data transmission -between two sets of open file descriptors. -

- -

Interface

- -

-     s6-ioconnect [ -t millisecs ] [ -r fdr ] [ -w fdw ] [ -0 ] [ -1 ] [ -6 ] [ -7 ]
-

- -

s6-ioconnect reads data from its stdin and writes it as is to -file descriptor 7, which is assumed to be open.
It also reads data from its file descriptor 6, which is assumed -to be open, and writes it as is to its stdout.
When both sides have transmitted EOF and s6-ioconnect has -flushed its buffers, it exits 0.

- -

Options

- -

-t millisecs : if no activity on -either side happens for millisecs milliseconds, s6-ioconnect -closes the connection on both ends and exits 1. By default, -millisecs is 0, which means no such timeout.
-r fdr : Use fd fdr for -"remote" reading instead of fd 6.
-w fdw : Use fd fdw for -"remote" writing instead of fd 7.
-0: assume stdin is a socket and needs to be shut down -for reading after an EOF.
-1: assume stdout is a socket and needs to be shut down -for writing to correctly transmit an EOF.
-6: assume the remote reading fd is a socket and needs to be shut down -for reading after an EOF.
-7: assume the remote writing fd is a socket and needs to be shut down -for writing to correctly transmit an EOF.

- -

Notes

- -

Transmitting EOF across full-duplex sockets -is ugly. The right thing -in every case cannot be automatically determined, so it is up to the user -to mention that a socket must be shut down. Most of the time, though, -shutting down sockets after EOF is the right thing to do, so -s6-ioconnect -67 should be the common use case.
The point of s6-ioconnect is to be used together with -s6-tcpclient or -s6-ipcclient to establish a full- -duplex connection between the client and the server, for instance -for testing purposes. s6-ioconnect is to s6-tcpclient as -cat is to s6-tcpserver: a program that will just echo -what it gets.
On modern Linux systems, s6-ioconnect will perform zero-copy -data transmission, via the -splice -system call.

- - - diff --git a/doc/s6-ipcclient.html b/doc/s6-ipcclient.html deleted file mode 100644 index 2bb66aa..0000000 --- a/doc/s6-ipcclient.html +++ /dev/null @@ -1,65 +0,0 @@ - - - - - s6-networking: the s6-ipcclient program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ipcclient` program

- -

-s6-ipcclient is an -UCSPI client tool for -Unix domain sockets. It connects to a socket, then executes into -a program. -

- -

Interface

- -

-     s6-ipcclient [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] path prog...
-

- -

s6-ipcclient connects to a Unix domain socket on path.
It executes into prog... with descriptor 6 reading from -the socket and descriptor 7 writing to it.

- -

Environment variables

- -

- prog... is run with -the following variables set: -

- -

PROTO: always set to IPC
IPCLOCALPATH: set to the path associated with the local socket, -if any. Be aware that it may contain arbitrary characters.

- -

Options

- -

-q : be quiet.
-Q : be normally verbose. This is the default.
-v : be verbose.
-p localpath : bind the local -socket to localpath before connecting to path.
-l localname : use localname -as the value of the IPCLOCALPATH environment variable.

- - - diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html deleted file mode 100644 index 515138c..0000000 --- a/doc/s6-ipcserver-access.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - s6-networking: the s6-ipcserver-access program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ipcserver-access` program

- -

-s6-ipcserver-access is a command-line access -control tool for Unix domain sockets on systems where the -getpeereid() system call can be implemented. -It is meant to be run after -s6-ipcserverd and before -the application program on the s6-ipcserver command line. -

- -

Interface

- -

-     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...
-

- -

s6-ipcserver-access checks it is run under a UCSPI server tool -such as s6-ipcserver. -
It checks that the remote end of the connection fits the -accepted criteria defined by the database contained in rulesdir -or rulesfile. If the database tells it to reject the connection, -the program exits 1.
It sets up a few additional environment variables.
It executes into prog..., -unless the first matching rule in the rule database -includes instructions to override prog....

- -

Environment variables

- -

-s6-ipcserver-access expects to inherit some environment variables from -its parent: -

- -

PROTO: normally IPC, but could be anything else, like UNIX.
${PROTO}REMOTEEUID: the effective UID of the client program connecting to the socket.
${PROTO}REMOTEEGID: the effective GID of the client program connecting to the socket.

- -

- Additionally, it exports the following variables before executing into -prog...: -

- -

${PROTO}LOCALPATH: set to the local "address" of the socket, as -reported by the -getsockname() -system call, truncated to 99 characters max.

- -

- Also, the access rules database can instruct s6-ipcserver-access to set -up, or unset, more environment variables, depending on the client address. -

- -

Options

- -

-v verbosity : be more or less verbose, i.e. -print more or less information to stderr: -
- 0: only log error messages.
- 1: only log error and warning messages, and accepted connections. -This is the default.
- 2: also log rejected connections and more warning messages.
-E : no environment. All environment variables potentially -set by s6-ipcserver-access, as well as those set by -s6-ipcserver, will be unset instead.
-e : set up environment variables normally. -This is the default.
-l localname : use localname -as the value for the ${PROTO}LOCALPATH environment variable, instead of -looking it up via getsockname().
-i rulesdir : check client credentials -against a filesystem-based database in the rulesdir directory.
-x rulesfile : check client credentials -against a cdb -database in the rulesfile file. -i and -x are -mutually exclusive. If none of those options is given, no credential checking will be -performed, and a warning will be emitted on every connection if -verbosity is 2 or more.

- -

Access rule checking

- -

- s6-ipcserver-access checks its client connection against -a ruleset. This ruleset can be implemented: -

- -

either in the filesystem as an arborescence of directories and files, -if the -i option has been given. This option is the most flexible -one: the directory format is simple enough for scripts to understand and -modify it, and the ruleset can be changed dynamically. This is practical, -for instance, for roaming users.
or in a CDB -file, if the -x option has been given. This option is the most -efficient one if the ruleset is static enough: a lot less system calls are -needed to perform searches in a CDB than in the filesystem.

- -

- The exact format of the ruleset is described on the -s6-accessrules-cdb-from-fs page. -

- -

-s6-ipcserver-access first reads the client UID uid and -GID gid from the -${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks -them with the -s6net_accessrules_keycheck_uidgid() -function. In other words, it tries to match: - -

uid/uid
gid/gid
uid/default

- -

- in that order. If no S6NET_ACCESSRULES_ALLOW result can be obtained, -the connection is denied. -

- -

Environment and executable modifications

- -

- s6-ipcserver-access interprets non-empty env subdirectories -and exec files -it finds in the first matching rule of the ruleset, as explained -in the s6-accessrules-cdb-from-fs -page. -

- -

An env subdirectory is interpreted as if the -s6-envdir -command had been called before executing prog: the environment -is modified according to the contents of env.
An exec file containing newprog completely -bypasses the rest of s6-ipcserver-access' command line. After -environment modifications, if any, s6-ipcserver-access execs into -execlineb -c newprog.

- - - diff --git a/doc/s6-ipcserver-socketbinder.html b/doc/s6-ipcserver-socketbinder.html deleted file mode 100644 index 2c8d993..0000000 --- a/doc/s6-ipcserver-socketbinder.html +++ /dev/null @@ -1,72 +0,0 @@ - - - - - s6-networking: the s6-ipcserver-socketbinder program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ipcserver-socketbinder` program

- -

-s6-ipcserver-socketbinder binds a Unix domain -socket, then executes a program. -

- -

Interface

- -

-     s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] path prog...
-

- -

s6-ipcserver-socketbinder creates a Unix domain socket of type SOCK_STREAM -and binds it to path. It prepares the socket to accept -connections by calling -listen().
It then execs into prog... with the open socket -as its standard input.

- -

Options

- -

-d : allow instant rebinding to the same path -even if it has been used not long ago - this is the SO_REUSEADDR flag to -setsockopt() -and is generally used with server programs. This is the default. Note that -path will be deleted if it already exists at program start time.
-D : disallow instant rebinding to the same path.
-b backlog : set a maximum of -backlog backlog connections on the socket. Extra -connection attempts will rejected by the kernel.

- -

Notes

- -

s6-ipcserver-socketbinder is part of a set of basic blocks used to -build a flexible Unix super-server. It normally should be given a -command line crafted to make it execute into -s6-ipcserverd to accept connections -from clients, or into a program such as -s6-applyuidgid -to drop privileges before doing so.
The s6-ipcserver program does -exactly this. It implements -a full Unix super-server by building a command line starting with -s6-ipcserver-socketbinder and ending with s6-ipcserverd followed by the -application program, and executing into it.

- - - diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html deleted file mode 100644 index 4b52888..0000000 --- a/doc/s6-ipcserver.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - s6-networking: the s6-ipcserver program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ipcserver` program

- -

-s6-ipcserver is an -UCSPI server tool for -Unix domain sockets, i.e. a super-server. -It accepts connections from clients, and forks a -program to handle each connection. -

- -

Interface

- -

-     s6-ipcserver [ -1 ] [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ] path prog...
-

- -

s6-ipcserver binds a Unix domain socket to path.
It can drop its root privileges.
It closes its stdin and stdout.
For every client connection to this socket, it -forks. The child sets some environment variables, then -executes prog... with stdin reading from the socket and -stdout writing to it.
Depending on the verbosity level, it logs what it does to stderr.
It runs until killed by a signal. Depending on the received -signal, it may kill its children before exiting.
s6-ipcserver actually doesn't do any of this itself. It is -a wrapper, rewriting the command line and executing into a chain -of programs that perform those duties.

- -

Implementation

- -

s6-ipcserver parses the options and arguments it is given, and -builds a new command line with them. It then executes into that new -command line.
The first program s6-ipcserver executes into is -s6-ipcserver-socketbinder. -It will create and bind a Unix domain socket to path, then -execute into the rest of the command line.
If a privilege-dropping operation has been requested, the -program that s6-ipcserver-socketbinder executes into is -s6-applyuidgid. -It will drop the root privileges, then execute into the rest of the -command line.
The next program in the chain is -s6-ipcserverd. It is executed into -by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no -privilege-dropping operation has been requested. s6-ipcserverd is -the long-lived process, the "daemon" itself, accepting connections -from clients.
For every client, s6-ipcserverd will spawn an instance of -prog..., the remainder of the command line.

- - -

Options

- -

-1 : write path, followed by a newline, -to stdout, before -closing it, right after binding and listening to the Unix socket. -If stdout is suitably redirected, this can be used by monitoring -programs to check when the server is ready to accept connections.
-q : be quiet.
-Q : be normally verbose. This is the default.
-v : be verbose.
-d : allow instant rebinding to the same path -even if it has been used not long ago - this is the SO_REUSEADDR flag to -setsockopt() -and is generally used with server programs. This is the default. Note that -path will be deleted if it already exists at program start time.
-D : disallow instant rebinding to the same path.
-P : disable client credentials lookups. The -IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset -in every instance of prog.... This is the portable option, -because not every system supports credential lookup across Unix domain -sockets; but it is not as secure.
-p : enable client credentials lookups. This -is the default; it works at least on Linux, Solaris, and -*BSD systems. On systems that do not support it, every connection -attempt will fail with a warning message.
-c maxconn : accept at most -maxconn concurrent connections. Default is 40. It is -impossible to set it higher than 1000.
-C localmaxconn : accept at most -localmaxconn connections from the same user ID. -Default is 40. It is impossible to set it higher than maxconn.
-b backlog : set a maximum of -backlog backlog connections on the socket. Extra -connection attempts will rejected by the kernel.
-G gidlist : change s6-ipcserver's -supplementary group list to gidlist after binding the socket. -This is only valid when run as root. gidlist must be a -comma-separated list of numerical group IDs.
-g gid : change s6-ipcserver's groupid -to gid after binding the socket. This is only valid when run -as root.
-u uid : change s6-ipcserver's userid -to uid after binding the socket. This is only valid when run -as root.
-U : change s6-ipcserver's user id, group id and -supplementary group list -according to the values of the UID, GID and GIDLIST environment variables -after binding the socket. This is only valid when run as root. -This can be used with the -s6-envuidgid -program to easily script a service that binds to a privileged socket -then drops its privileges to those of a named non-root account.

- -

Implementation

- -

s6-ipcserver parses the options and arguments it is given, and -builds a new command line with them. It then executes into that new -command line.
The first program s6-ipcserver executes into is -s6-ipcserver-socketbinder. -It will create and bind a Unix domain socket to path, then -execute into the rest of the command line.
If a privilege-dropping operation has been requested, the -program that s6-ipcserver-socketbinder executes into is -s6-applyuidgid. -It will drop the root privileges, then execute into the rest of the -command line.
The next program in the chain is -s6-ipcserverd. It is executed into -by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no -privilege-dropping operation has been requested. s6-ipcserverd is -the long-lived process, the "daemon" itself, accepting connections -from clients.
For every client, s6-ipcserverd will spawn an instance of -prog..., the remainder of the command line.

- -

Notes

- -

s6-ipcserver does not interpret its options itself. It just -dispatches them to the appropriate program on the command line that -it builds.
In previous releases of s6-networking, s6-ipcserver was -monolithic: it did the work of s6-ipcserver-socketbinder, -s6-applyuidgid and s6-ipcserverd itself. The functionality has now -been split into several different programs because some service startup -schemes require the daemon to get its socket from an external -program instead of creating and binding it itself. The most obvious -application of this is upgrading a long-lived process without -losing existing connections.

- - - diff --git a/doc/s6-ipcserverd.html b/doc/s6-ipcserverd.html deleted file mode 100644 index 916de12..0000000 --- a/doc/s6-ipcserverd.html +++ /dev/null @@ -1,131 +0,0 @@ - - - - - s6-networking: the s6-ipcserverd program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-ipcserverd` program

- -

-s6-ipcserverd is the serving part of the -s6-ipcserver super-server. -It assumes that its stdin is a bound and listening Unix -domain socket, and -it accepts connections from clients connecting to it, forking a -program to handle each connection. -

- -

Interface

- -

-     s6-ipcserverd [ -1 ] [ -v verbosity ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog...
-

- -

s6-ipcserverd accepts connections from clients to an already -bound and listening SOCK_STREAM Unix domain socket which is its -standard input.
For every client connection to this socket, it -forks. The child sets some environment variables, then -executes prog... with stdin reading from the socket and -stdout writing to it.
Depending on the verbosity level, it logs what it does to stderr.
It runs until killed by a signal. Depending on the received -signal, it may kill its children before exiting.

- -

Environment variables

- -

- For each connection, an instance of prog... is spawned with -the following variables set: -

- -

PROTO: always set to IPC
IPCREMOTEEUID: set to the effective UID of the client, -unless credentials lookups have been disabled
IPCREMOTEEGID: set to the effective GID of the client, -unless credentials lookups have been disabled
IPCREMOTEPATH: set to the path associated with the remote socket, -if any. Be aware that it may contain arbitrary characters.
IPCCONNNUM: set to the number of connections originating from -the same user (i.e. same uid)

- -

- If client credentials lookup has been disabled, IPCREMOTEEUID and -IPCREMOTEEUID will be set, but empty. -

- - -

Options

- -

-1 : write a newline to stdout, and close stdout, -right before entering the client-accepting loop. -If stdout is suitably redirected, this can be used by monitoring -programs to check when the server is accepting connections. -The s6-notifywhenup -program can be used before the s6-ipcserver -invocation to notify listeners when the server is ready.
-v verbosity : be more or less -verbose. verbosity can be 0 (quiet), 1 (normal), or 2 -(verbose).
-P : disable client credentials lookups. The -IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset -in every instance of prog.... This is the portable option, -because not every system supports credential lookup across Unix domain -sockets; but it is not as secure.
-p : enable client credentials lookups. This -is the default; it works at least on Linux, Solaris, and -*BSD systems. On systems that do not support it, every connection -attempt will fail with a warning message.
-c maxconn : accept at most -maxconn concurrent connections. Default is 40. It is -impossible to set it higher than 1000.
-C localmaxconn : accept at most -localmaxconn connections from the same user ID. -Default is 40. It is impossible to set it higher than maxconn.

- -

Signals

- -

SIGTERM: exit.
SIGHUP: send a SIGTERM and a SIGCONT to all children.
SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit.
SIGABRT: send a SIGKILL to all children, then exit.

- -

Notes

- -

Unlike his close cousin -ipcserver, -s6-ipcserverd does not perform operations such as access control. Those are -delegated to the -s6-ipcserver-access program.
s6-ipcserverd can be used to set up -local services.
s6-ipcserverd is meant to be execve'd into by a program that gets -the listening socket. That program is normally -s6-ipcserver-socketbinder, -which creates the socket itself; but it can be a different one if the -socket is to be retrieved by another means, for instance by fd-passing -from a fd-holding daemon (some people call this "socket activation").

- - - diff --git a/doc/s6-sudo.html b/doc/s6-sudo.html deleted file mode 100644 index 603ad8a..0000000 --- a/doc/s6-sudo.html +++ /dev/null @@ -1,59 +0,0 @@ - - - - - s6-networking: the s6-sudo program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-sudo` program

- -

-s6-sudo connects to a Unix domain socket and passes -its standard file descriptors, command-line arguments and -environment to a program running on the server side, potentially -with different privileges. -

- -

Interface

- -

-     s6-sudo [ -q | -Q | -v ] [ -p bindpath ] [ -l localname ] [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] path [ args... ]
-

- -

s6-sudo executes into s6-ipcclient path -s6-sudoc args... It does nothing else: it is just a -convenience program. The s6-ipcclient program connects -to a Unix socket at path, and the -s6-sudoc program transmits the desired elements over the -socket.
It should be used to connect to a -local service running the -s6-sudod program, which will run a server program on the -client's behalf.

- -

Options

- -

The -q, -Q, -v, -p and -l -options are passed to s6-ipcclient.
The -e, -t and -T options are passed to -s6-sudoc.
Command-line arguments, if any, are also passed to -s6-sudoc, which will transmit them to -s6-sudod over the socket. -

- - - diff --git a/doc/s6-sudoc.html b/doc/s6-sudoc.html deleted file mode 100644 index def09a9..0000000 --- a/doc/s6-sudoc.html +++ /dev/null @@ -1,80 +0,0 @@ - - - - - s6-networking: the s6-sudoc program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-sudoc` program

- -

-s6-sudoc talks to a peer s6-sudod -program over a Unix socket, passing it command-line arguments, environment -variables and standard descriptors. -

- -

Interface

- -

-     s6-sudoc [ -e ] [ -t timeoutconn ] [ -T timeoutrun ] [ args... ]
-

- -

s6-sudoc transmits its standard input, standard output and standard error -via fd-passing over a Unix socket that must be open on its descriptors 6 and 7. - It expects a s6-sudod process to be receiving them -on the other side.
It also transmits its command-line arguments args, and also its -environment by default. Note that s6-sudod will not necessarily accept all the -environment variables that s6-sudoc tries to transmit.
s6-sudoc waits for the server program run by s6-sudod to finish. It exits -the same exit code as the server program. If the server program is killed by a -signal, s6-sudoc kills itself with the same signal.

- -

Options

- -

-e : do not attempt to transmit any environment variables -to s6-sudod.
-t timeoutconn : if s6-sudod has not -managed to process the given information and start the server program after -timeoutconn milliseconds, give up. By default, timeoutconn -is 0, meaning infinite. Note that there is no reason to set up a nonzero -timeoutconn with a large value: s6-sudod is not supposed to block. -The option is only there to protect against ill-written services.
-T timeoutrun : if the server program -has not exited after timeoutrun milliseconds, give up. By -default, timeoutrun is 0, meaning infinite.

- -

Notes

- -

If s6-sudoc is killed, or exits after timeoutrun milliseconds, -while the server program is still running, s6-sudod will send a SIGTERM and a -SIGCONT to the server program - but this does not guarantee that it will die. -If the server program keeps running, it might still read from the file that -was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or -stderr. This is a potential security risk. -Administrators should audit their server programs to make sure this does not -happen.
More generally, anything using signals or terminals will not be -handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism -was designed to allow programs to gain privileges in specific situations: -short-lived, simple, noninteractive processes. It was not designed to emulate -the full suid functionality and will not go out of its way to do so.

- - - diff --git a/doc/s6-sudod.html b/doc/s6-sudod.html deleted file mode 100644 index c783736..0000000 --- a/doc/s6-sudod.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - s6-networking: the s6-sudod program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `s6-sudod` program

- -

-s6-sudod receives command-line arguments, environment variables -and standard descriptors from a peer s6-sudoc -program over a Unix socket, then forks another program. -

- -

Interface

- -

-     s6-sudod [ -0 ] [ -1 ] [ -2 ] [ -s ] [ -t timeout ] [ sargv... ]
-

- -

s6-sudod gets 3 file descriptors via fd-passing over a Unix socket that -must be open on its descriptors 0 and 1. (The received descriptors will be the -stdin, stdout and stderr of the server program.) It expects a -s6-sudoc process to be sending them on the -client side.
It also receives a list of command-line arguments cargv..., and -an environment clientenv.
s6-sudod forks and executes sargv... cargv... -The client command line is appended to the server command line.
s6-sudod waits for its child to exit and transmits its exit code -to the peer s6-sudoc process. It then exits 0.

- -

Environment

- -

-s6-sudod transmits its own environment to its child, plus the environment sent -by s6-sudoc, filtered in the following manner: -for every variable sent by s6-sudoc, if the -variable is present but empty in s6-sudod's environment, then -its value is overriden by the value given by s6-sudoc. A variable that is -already nonempty, or that doesn't exist, in s6-sudod's environment, will not -be transmitted to the child. -

- -

Options

- -

-0 : do not inherit stdin from s6-sudoc. The child will be -run with its stdin pointing to /dev/null instead.
-1 : do not inherit stdout from s6-sudoc. The child will be -run with its stdout pointing to /dev/null instead.
-2 : do not inherit stderr from s6-sudoc. The child will be -run with its stderr being a copy of s6-sudod's stderr instead. (This is useful -to still log the child's error messages without sending them to the client.)
-t timeout : if s6-sudod has not -received all the needed data from the client after timeout -milliseconds, it will exit without spawning a child. By default, timeout -is 0, meaning infinite. This mechanism exists to protect the server from -malicious or buggy clients that would uselessly consume resources.

- -

Usage example

- -

- The typical use of s6-sudod is in a -local service with a -s6-ipcserver process listening on a Unix -socket, a s6-ipcserver-access process -performing client authentication and access control, and possibly a -s6-envdir -process setting up the environment variables that will be accepted by -s6-sudod. The following script, meant to be a run script in a -service directory, -will set up a privileged program: -

- -

-#!/command/execlineb -P
-fdmove -c 2 1
-s6-envuidgid serveruser
-s6-ipcserver -U -- serversocket
-s6-ipcserver-access -v2 -l0 -i rules --
-exec -c
-s6-envdir env
-s6-sudod
-sargv
-

- -

execlineb -executes the script.
fdmove makes -sure the script's error messages are sent to the service's logger.
s6-envuidgid -sets the UID, GID and GIDLIST environment variables for s6-ipcserver to interpret.
s6-ipcserver binds to serversocket -and drops its privileges to those of serveruser. Then, for every client -connecting to serversocket: -
- s6-ipcserver-access checks the -client's credentials according to the rules in directory rules. -
- exec -c -clears the environment.
- s6-envdir -sets environment variables according to the directory env. You can -make sure that a variable VAR will be present but empty by performing -echo > env/VAR. (A single newline is interpreted by s6-envdir as -an empty variable; whereas if env/VAR is totally empty, then the -VAR variable will be removed from the environment.)
- s6-sudod reads a command line cargv, a client environment -and file descriptors over the socket.
- s6-sudod spawns sargv cargv.
- (Actually, s6-ipcserver does not do this -itself: it executes into other programs that each do one of the tasks. But for -our example, it does not matter.)

- -

- This means that user clientuser running -s6-sudo serversocket cargv will be -able, if authorized by the configuration in rules, to run -sargv cargv as user serveruser, with stdin, -stdout, stderr and the environment variables properly listed in env -transmitted to sargv. -

- -

Notes

- -

If s6-sudoc is killed, or exits after timeoutrun milliseconds, -while the server program is still running, s6-sudod will send a SIGTERM and a -SIGCONT to its child, then exit 1. However, sending a SIGTERM to the child -does not guarantee that it will die; and -if it keeps running, it might still read from the file that -was s6-sudoc's stdin, or write to the files that were s6-sudoc's stdout or -stderr. This is a potential security risk. -Administrators should audit their server programs to make sure this does not -happen.
More generally, anything using signals or terminals will not be -handled transparently by the s6-sudoc + s6-sudod mechanism. The mechanism -was designed to allow programs to gain privileges in specific situations: -short-lived, simple, noninteractive processes. It was not designed to emulate -the full suid functionality and will not go out of its way to do so.
sargv may be empty. In that case, the client is in complete -control of the command line executed as serveruser. This setup is -permitted by s6-sudod, but it is very dangerous, and extreme attention should -be paid to the construction of the s6-ipcserver-access rules.

- - - diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index a89d9e3..435c92d 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -163,13 +163,13 @@ needed to perform searches in a CDB than in the filesystem.

The exact format of the ruleset is described on the -s6-accessrules-cdb-from-fs page. +s6-accessrules-cdb-from-fs page.

s6-tcpserver-access first gets the remote address ip of the client and converts it to canonical form. Then it checks it with the -s6net_accessrules_keycheck_ip46() +s6_accessrules_keycheck_ip46() function. In other words, it tries to match broader and broader network prefixes of ip, from ip4/ip_32 to ip4/0.0.0.0_0 if ip is v4, or from @@ -177,10 +177,10 @@ prefixes of ip, from ip4/ip_32 to is v6. If the result is:

S6NET_ACCESSRULES_ERROR: it immediately exits 111.

S6NET_ACCESSRULES_DENY: it immediately exits 1.

S6NET_ACCESSRULES_ALLOW: it grants access.

S6NET_ACCESSRULES_NOTFOUND: more information is needed.

S6_ACCESSRULES_ERROR: it immediately exits 111.

S6_ACCESSRULES_DENY: it immediately exits 1.

S6_ACCESSRULES_ALLOW: it grants access.

S6_ACCESSRULES_NOTFOUND: more information is needed.

@@ -188,12 +188,12 @@ is v6. If the result is: is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, then it gets the remote name of the client, remotehost, and checks it with the -s6net_accessrules_keycheck_reversedns() +s6_accessrules_keycheck_reversedns() function. In other words, it tries to match shorter and shorter suffixes of remotehost, from reversedns/remotehost to reversedns/@. This time, the connection is denied is the result is anything else than -S6NET_ACCESSRULES_ALLOW. +S6_ACCESSRULES_ALLOW.

@@ -208,7 +208,7 @@ query on remotehost does not match ip. s6-tcpserver-access interprets non-empty env subdirectories and exec files it finds in the matching rule of the ruleset, as explained -in the s6-accessrules-cdb-from-fs +in the s6-accessrules-cdb-from-fs page.

diff --git a/doc/seekablepipe.html b/doc/seekablepipe.html deleted file mode 100644 index cd17b2e..0000000 --- a/doc/seekablepipe.html +++ /dev/null @@ -1,36 +0,0 @@ - - - - - s6-networking: the seekablepipe program - - - - - - -

-s6-networking
-Software
-skarnet.org -

- -

The `seekablepipe` program

- -seekablepipe turns the reading end of a pipe into a seekable -file descriptor, using a temporary file. - -

Interface

- -

-     writer | seekablepipe tmpfile reader [ args ... ]
-

- -

-seekablepipe writes writer's output to tmpfile, -which is unlinked as soon as it is created. Then it execs into -reader, reading from a file descriptor on tmpfile. -

- - - -- cgit v1.2.3

Download

UCSPI implementation

UCSPI TCP implementation

TCP and Unix access control

TCP access control

suidless privilege gain

IDENT protocol implementation

Miscellaneous utilities

The accessrules library interface

General information

Data structures

Function types

Backend lookups

Frontend key checking

Ready-to-use functions

Local services

Benefits

Privileges

fd-passing

UCSPI

Use in skarnet.org software

The s6-accessrules-cdb-from-fs program

Interface

Ruleset directory format

Notes

The s6-accessrules-fs-from-cdb program

Interface

Notes

The s6-connlimit program

Interface

Usage

Example

The s6-ioconnect program

Interface

Options

Notes

The s6-ipcclient program

Interface

Environment variables

Options

The s6-ipcserver-access program

Interface

Environment variables

Options

Access rule checking

Environment and executable modifications

The s6-ipcserver-socketbinder program

Interface

Options

Notes

The s6-ipcserver program

Interface

Implementation

Options

Implementation

Notes

The s6-ipcserverd program

Interface

Environment variables

Options

Signals

Notes

The s6-sudo program

Interface

Options

The s6-sudoc program

Interface

Options

Notes

The s6-sudod program

Interface

Environment

Options

Usage example

Notes

The seekablepipe program

Interface

The `accessrules` library interface

The `s6-accessrules-cdb-from-fs` program

The `s6-accessrules-fs-from-cdb` program

The `s6-connlimit` program

The `s6-ioconnect` program

The `s6-ipcclient` program

The `s6-ipcserver-access` program

The `s6-ipcserver-socketbinder` program

The `s6-ipcserver` program

The `s6-ipcserverd` program

The `s6-sudo` program

The `s6-sudoc` program

The `s6-sudod` program

The `seekablepipe` program