diff options
author | Laurent Bercot <ska-skaware@skarnet.org> | 2019-02-04 19:04:05 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2019-02-04 19:04:05 +0000 |
commit | e910005b1a337093109af29c7bf21b32c343ab56 (patch) | |
tree | 6b3326d5827211c99f858a56e2d4c86307e429d5 /doc | |
parent | fb6877e47d8a60b1e00ea55b2203589a43a610d0 (diff) | |
download | s6-e910005b1a337093109af29c7bf21b32c343ab56.tar.xz |
Revert -I, but add uid/self and gid/self to uidgid accessrules checking
Diffstat (limited to 'doc')
-rw-r--r-- | doc/libs6/accessrules.html | 15 | ||||
-rw-r--r-- | doc/s6-ipcserver-access.html | 7 | ||||
-rw-r--r-- | doc/upgrade.html | 4 |
3 files changed, 17 insertions, 9 deletions
diff --git a/doc/libs6/accessrules.html b/doc/libs6/accessrules.html index 821575d..2360cfc 100644 --- a/doc/libs6/accessrules.html +++ b/doc/libs6/accessrules.html @@ -124,10 +124,17 @@ is not S6_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, <a name="uidgid" /> <tt>s6_accessrules_keycheck_uidgid</tt> interprets <em>key</em> as a pointer to a structure containing an uid <em>u</em> and a gid <em>g</em>. -The function first looks -for a <tt>uid/<em>u</em></tt> match; if it cannot find one, it looks for a -<tt>gid/<em>g</em></tt> match. If it cannot find one either, it checks -<tt>uid/default</tt> and returns the result. </li> +The following checks are performed, in this order (i.e. subsequent +checks are not performed if a match is found): + <ul> + <li> If <em>u</em> is equal to the effective uid of the process, look +for a <tt>uid/self</tt> match. </li> + <li> Look for a <tt>uid/<em>u</em></tt> match. </li> + <li> If <em>g</em> is equal to the effective gid of the process, look +for a <tt>gid/self</tt> match. </li> + <li> Look for a <tt>gid/<em>g</em></tt> match. </li> + <li> Look for a <tt>uid/default</tt> match. </li> + </ul> </li> <li> <a name="reversedns" /> <tt>s6_accessrules_keycheck_reversedns</tt> interprets <em>key</em> diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html index 80b7503..b09d74a 100644 --- a/doc/s6-ipcserver-access.html +++ b/doc/s6-ipcserver-access.html @@ -30,7 +30,7 @@ the application program on the s6-ipcserver command line. <h2> Interface </h2> <pre> - s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -I ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> + s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> </pre> <ul> @@ -95,9 +95,6 @@ This is the default. </li> <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> as the value for the ${PROTO}LOCALPATH environment variable, instead of looking it up via getsockname(). </li> - <li> <tt>-I</tt> : accept identity connections. If a client connects -with the same effective uid/gid pair as s6-ipcserver-access is running under, -then the ruleset check is bypassed and the connection is accepted. </li> <li> <tt>-i <em>rulesdir</em></tt> : check client credentials against a filesystem-based database in the <em>rulesdir</em> directory. </li> <li> <tt>-x <em>rulesfile</em></tt> : check client credentials @@ -141,7 +138,9 @@ them with the function. In other words, it tries to match: <ul> + <li> (if the client's effective uid is the same as <tt>s6-ipcserver-access</tt>'s effective uid) <tt>uid/self</tt> </li> <li> <tt>uid/</tt><em>uid</em> </li> + <li> (if the client's effective gid is the same as <tt>s6-ipcserver-access</tt>'s effective gid) <tt>gid/self</tt> </li> <li> <tt>gid/</tt><em>gid</em> </li> <li> <tt>uid/default</tt> </li> </ul> diff --git a/doc/upgrade.html b/doc/upgrade.html index c798448..700422f 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html @@ -26,7 +26,9 @@ <li> New <tt>-d <em>notif</em></tt> option to <a href="s6-log.html">s6-log</a>. </li> <li> New default for the <tt>-l <em>linelimit</em></tt> option to <a href="s6-log.html">s6-log</a>: 8192 bytes. </li> - <li> New <tt>-I</tt> option to <a href="s6-ipcserver-access.html">s6-ipcserver-access</a>. </li> + <li> In the <a href="libs6/accessrules.html">accessrules</a> library, checking against uid/gid +now checks the <tt>uid/self</tt> key if the client and the server have the same uid, and +the <tt>gid/self</tt> key if the client and the server have the same gid. </li> </ul> <h2> in 2.7.2.2 </h2> |