summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorLaurent Bercot <ska-skaware@skarnet.org>2019-02-04 19:04:05 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2019-02-04 19:04:05 +0000
commite910005b1a337093109af29c7bf21b32c343ab56 (patch)
tree6b3326d5827211c99f858a56e2d4c86307e429d5 /doc
parentfb6877e47d8a60b1e00ea55b2203589a43a610d0 (diff)
downloads6-e910005b1a337093109af29c7bf21b32c343ab56.tar.xz
Revert -I, but add uid/self and gid/self to uidgid accessrules checking
Diffstat (limited to 'doc')
-rw-r--r--doc/libs6/accessrules.html15
-rw-r--r--doc/s6-ipcserver-access.html7
-rw-r--r--doc/upgrade.html4
3 files changed, 17 insertions, 9 deletions
diff --git a/doc/libs6/accessrules.html b/doc/libs6/accessrules.html
index 821575d..2360cfc 100644
--- a/doc/libs6/accessrules.html
+++ b/doc/libs6/accessrules.html
@@ -124,10 +124,17 @@ is not S6_ACCESSRULES_NOTFOUND. If no match can be found in the whole list,
<a name="uidgid" />
<tt>s6_accessrules_keycheck_uidgid</tt> interprets <em>key</em> as a
pointer to a structure containing an uid <em>u</em> and a gid <em>g</em>.
-The function first looks
-for a <tt>uid/<em>u</em></tt> match; if it cannot find one, it looks for a
-<tt>gid/<em>g</em></tt> match. If it cannot find one either, it checks
-<tt>uid/default</tt> and returns the result. </li>
+The following checks are performed, in this order (i.e. subsequent
+checks are not performed if a match is found):
+ <ul>
+ <li> If <em>u</em> is equal to the effective uid of the process, look
+for a <tt>uid/self</tt> match. </li>
+ <li> Look for a <tt>uid/<em>u</em></tt> match. </li>
+ <li> If <em>g</em> is equal to the effective gid of the process, look
+for a <tt>gid/self</tt> match. </li>
+ <li> Look for a <tt>gid/<em>g</em></tt> match. </li>
+ <li> Look for a <tt>uid/default</tt> match. </li>
+ </ul> </li>
<li>
<a name="reversedns" />
<tt>s6_accessrules_keycheck_reversedns</tt> interprets <em>key</em>
diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html
index 80b7503..b09d74a 100644
--- a/doc/s6-ipcserver-access.html
+++ b/doc/s6-ipcserver-access.html
@@ -30,7 +30,7 @@ the application program on the s6-ipcserver command line.
<h2> Interface </h2>
<pre>
- s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -I ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
+ s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
</pre>
<ul>
@@ -95,9 +95,6 @@ This is the default. </li>
<li> <tt>-l&nbsp;<em>localname</em></tt>&nbsp;: use <em>localname</em>
as the value for the ${PROTO}LOCALPATH environment variable, instead of
looking it up via getsockname(). </li>
- <li> <tt>-I</tt>&nbsp;: accept identity connections. If a client connects
-with the same effective uid/gid pair as s6-ipcserver-access is running under,
-then the ruleset check is bypassed and the connection is accepted. </li>
<li> <tt>-i&nbsp;<em>rulesdir</em></tt>&nbsp;: check client credentials
against a filesystem-based database in the <em>rulesdir</em> directory. </li>
<li> <tt>-x&nbsp;<em>rulesfile</em></tt>&nbsp;: check client credentials
@@ -141,7 +138,9 @@ them with the
function. In other words, it tries to match:
<ul>
+ <li> (if the client's effective uid is the same as <tt>s6-ipcserver-access</tt>'s effective uid) <tt>uid/self</tt> </li>
<li> <tt>uid/</tt><em>uid</em> </li>
+ <li> (if the client's effective gid is the same as <tt>s6-ipcserver-access</tt>'s effective gid) <tt>gid/self</tt> </li>
<li> <tt>gid/</tt><em>gid</em> </li>
<li> <tt>uid/default</tt> </li>
</ul>
diff --git a/doc/upgrade.html b/doc/upgrade.html
index c798448..700422f 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -26,7 +26,9 @@
<li> New <tt>-d <em>notif</em></tt> option to <a href="s6-log.html">s6-log</a>. </li>
<li> New default for the <tt>-l <em>linelimit</em></tt> option to <a href="s6-log.html">s6-log</a>:
8192 bytes. </li>
- <li> New <tt>-I</tt> option to <a href="s6-ipcserver-access.html">s6-ipcserver-access</a>. </li>
+ <li> In the <a href="libs6/accessrules.html">accessrules</a> library, checking against uid/gid
+now checks the <tt>uid/self</tt> key if the client and the server have the same uid, and
+the <tt>gid/self</tt> key if the client and the server have the same gid. </li>
</ul>
<h2> in 2.7.2.2 </h2>