diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2015-01-29 11:49:26 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2015-01-29 11:49:26 +0000 |
| commit | 0257ca0c6ce27cc8d48323f5fc4f079c7f455b93 (patch) | |
| tree | b8c2c4511afbe9cdae35259d777094b9efa6fa50 /doc/s6-fdholderd.html | |
| parent | f05b37667624eb178a0d856da339d003f7d63b6e (diff) | |
| download | s6-0257ca0c6ce27cc8d48323f5fc4f079c7f455b93.tar.xz | |
I changed my mind. Added access control for listing to s6-fdholderd.
Diffstat (limited to 'doc/s6-fdholderd.html')
| -rw-r--r-- | doc/s6-fdholderd.html | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/doc/s6-fdholderd.html b/doc/s6-fdholderd.html index 0977101..3f3194a 100644 --- a/doc/s6-fdholderd.html +++ b/doc/s6-fdholderd.html @@ -186,8 +186,11 @@ rulesdir as an example, but a rulesfile works the same way): <ul> <li> Connect to the server. This is a prerequisite for doing anything. It will allow a client to perform "public" operations, -ones that do not require specific access rights other than connecting: -for instance, listing all identifiers. This right is given if an +ones that do not require specific access rights other than connecting. +(There are no such operations for now, but it could change in the +future; for now, when you allow a client to connect to the server, +make sure to give him other rights too.) + This right is given if an <tt>allow</tt> file is found in one of the subdirectories checked by <a href="libs6/accessrules.html#uidgid">s6_accessrules_keycheck_uidgid</a>. For instance, to allow everyone to connect, touch @@ -223,6 +226,11 @@ set of identifiers that the client is allowed to use to retrieve file descriptors. For instance, <tt>^unix:/tmp/</tt> indicates that a client that matches this rule will be allowed to retrieve file descriptors that are identified by strings starting with <tt>unix:/tmp/</tt>. </li> + <li> Listing rights. This will be checked for clients wanting to list +the identifiers of the descriptors currently stored in the server. This +right is given if a non-empty file named <tt>S6_FDHOLDER_LIST</tt> is +found in the <tt>env/</tt> subdirectory of one of the subdirectories checked by +<a href="libs6/accessrules.html#uidgid">s6_accessrules_keycheck_uidgid</a>. </li> <li> Dump reading rights. This will be checked for clients wanting to copy the whole state of the server. This right is given if a non-empty file named <tt>S6_FDHOLDER_GETDUMP</tt> is found is the <tt>env/</tt> @@ -298,9 +306,8 @@ hand, it makes little sense to fd-hold regular files, and if done anyway, the results can be surprising, because the read/write file offset is stored with the descriptor, and no automatic rewind is performed by the daemon. </li> - <li> Anyone that is allowed to connect is allowed to read the whole list -of identifiers. This is intentional: identifiers should be public and -well-known, and the security of the system should not depend on a client + <li> Despite there being access control for listing, the security of the +system should not depend on a client not knowing what identifier a certain descriptor is stored under. If you need to hold descriptors that only a few programs are supposed to access, you can always run a separate s6-fdholderd instance in a private directory |