<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Language" content="en" />
<title>s6: the s6-accessrules-cdb-from-fs program</title>
<meta name="Description" content="s6: the s6-accessrules-cdb-from-fs program" />
<meta name="Keywords" content="s6 s6-accessrules-cdb-from-fs tcp unix access control ipcrules tcprules cdb filesystem" />
<!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
</head>
<body>

<p>
<a href="index.html">s6</a><br />
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>

<h1> The <tt>s6-accessrules-cdb-from-fs</tt> program </h1>

<p>
<tt>s6-accessrules-cdb-from-fs</tt> compiles a directory
containing a ruleset suitable for
<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> or
<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> into a
<a href="https://en.wikipedia.org/wiki/Cdb_(software)">CDB file</a>.
</p>

<h2> Interface </h2>

<pre>
     s6-accessrules-cdb-from-fs <em>cdbfile</em> <em>dir</em>
</pre>

<ul>
 <li> s6-accessrules-cdb-from-fs compiles the <em>dir</em>
directory containing a ruleset into a
<a href="https://en.wikipedia.org/wiki/Cdb_(software)">CDB file</a>
<em>cdbfile</em> then exits 0. </li>
</ul>

<h2> Ruleset directory format </h2>

<p>
To be understood by s6-accessrules-cdb-from-fs,
<a href="s6-ipcserver-access.html">s6-ipcserver-access</a>, or
<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a>,
<em>dir</em> must have a specific format.
</p>

<p>
<em>dir</em> contains a series of directories:
</p>

<ul>
 <li> <tt>ip4</tt> for rules on IPv4 addresses </li>
 <li> <tt>ip6</tt> for rules on IPv6 addresses </li>
 <li> <tt>reversedns</tt> for rules on host names </li>
 <li> <tt>uid</tt> for rules on user IDs </li>
 <li> <tt>gid</tt> for rules on group IDs </li>
</ul>

<p>
Depending on the application, other directories can appear in <em>dir</em>
and be compiled into <em>cdbfile</em>, but
<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> only
uses the first three, and
<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> only
uses the last two.
</p>

<p>
Each of those directories contains a set of rules. A rule is
a subdirectory named after the set of keys it matches, and containing
actions that will be executed if the rule is the first matching rule
for the tested key.
</p>

<p>
The syntax for the rule name is dependent on the nature of keys, and
fully documented on the
<a href="libs6/accessrules.html">accessrules</a>
library page. For instance, a subdirectory named <tt>192.168.0.0_27</tt>
in the <tt>ip4</tt> directory will match every IPv4 address in the
192.168.0.0/27 network that does not match a more precise rule.
</p>

<p>
The syntax for the actions, however, is the same for every type of key.
A rule subdirectory can contain the following elements:
</p>

<ul>
 <li> a file (that can be empty) named <tt>allow</tt>. If such a file exists,
a key matching this rule will be immediately accepted. </li>
 <li> a file (that can be empty) named <tt>deny</tt>. If such a file exists and
no <tt>allow</tt> file exists, a key matching this rule will be immediately
denied. </li>
 <li> a subdirectory named <tt>env</tt>. If such a directory exists along
with an <tt>allow</tt> file, then its contents represent environment
modifications that will be applied after accepting the connection and
before executing the next program in the chain, as if the
<a href="s6-envdir.html">s6-envdir</a>
program, without options, was applied to <tt>env</tt>. <tt>env</tt>
has exactly the same format as a directory suitable for s6-envdir;
however, if the modifications take up more than 4096 bytes when
compiled into <em>cdbfile</em>, then s6-accessrules-cdb-from-fs will
complain and exit 100. </li>
 <li> a file named <tt>exec</tt>. If such a file exists along with an
<tt>allow</tt> file, then its contents represent a command line that,
interpreted by the
<a href="//skarnet.org/software/execline/execlineb.html">execlineb</a>
launcher, will be executed after accepting the connection, totally bypassing the
original command line. s6-accessrules-cdb-from-fs truncates the <tt>exec</tt>
file to 4096 bytes max when embedding it into <em>cdbfile</em>, so make
sure it is not larger than that. </li>
</ul>

<h2> Notes </h2>

<ul>
 <li> <em>cdbfile</em> can exist prior to, and during, the compilation,
which actually works in a temporary file in the same directory as
<em>cdbfile</em> and performs an atomic replacement when it is done.
So it is not necessary to interrupt a running service during the
compilation. </li>
 <li> If s6-accessrules-cdb-from-fs fails at some point, the temporary
file is removed. However, this doesn't happen if
s6-accessrules-cdb-from-fs is interrupted by a signal. </li>
 <li> After the program successfully completes, if <em>dir</em>
was a suitable candidate for the <tt>-i</tt> option of
<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> or
<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a>, then
<em>cdbfile</em> will be a suitable candidate for the <tt>-x</tt> option
of the same program, implementing the same ruleset. </li>
 <li> <em>cdbfile</em> can be decompiled by the
<a href="s6-accessrules-fs-from-cdb.html">s6-accessrules-fs-from-cdb</a>
program. </li>
</ul>

</body>
</html>
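<p>
Added example, not part of the s6 documentation: a POSIX sh script that builds a small ruleset directory in the format described above, checks every rule against the documented constraints (a rule needs <tt>allow</tt> or <tt>deny</tt>, <tt>exec</tt> is truncated at 4096 bytes, <tt>env</tt> and <tt>exec</tt> only act next to an <tt>allow</tt> file) and then compiles it with s6-accessrules-cdb-from-fs when that tool is installed. The rule names, the <tt>ZONE</tt> variable and the <tt>exec</tt> contents are constructed sample values.
</p>

```shell
# Added example (not s6 code): build, check and compile a ruleset directory.

# Create a ruleset under $1: accept 192.168.0.0/27 with an env modification
# and an exec override, reject the rest of 192.168.0.0/16, reject uid 0.
make_ruleset() {
    mkdir -p "$1/ip4/192.168.0.0_27/env" "$1/ip4/192.168.0.0_16" "$1/uid/0"
    : > "$1/ip4/192.168.0.0_27/allow"
    printf 'lan\n' > "$1/ip4/192.168.0.0_27/env/ZONE"        # s6-envdir format
    printf 'echo lan-client\n' > "$1/ip4/192.168.0.0_27/exec" # execlineb script
    : > "$1/ip4/192.168.0.0_16/deny"
    : > "$1/uid/0/deny"
}

# Walk every rule subdirectory under $1, print one line per problem and
# succeed only when none was found.
check_ruleset() {
    problems=0
    for rule in "$1"/*/*/; do
        [ -d "$rule" ] || continue
        rule=${rule%/}
        if [ ! -f "$rule/allow" ] && [ ! -f "$rule/deny" ]; then
            echo "$rule: neither allow nor deny, rule has no effect"
            problems=$((problems + 1))
        fi
        # exec is truncated to 4096 bytes when embedded into cdbfile
        if [ -f "$rule/exec" ] && [ "$(wc -c < "$rule/exec" | tr -d ' ')" -gt 4096 ]; then
            echo "$rule/exec: larger than 4096 bytes, would be truncated"
            problems=$((problems + 1))
        fi
        for extra in env exec; do   # both only take effect next to an allow file
            if [ -e "$rule/$extra" ] && [ ! -f "$rule/allow" ]; then
                echo "$rule/$extra: ignored because there is no allow file"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Compile $1 into $2. The tool builds a temporary file next to $2 and renames
# it atomically, so a service already reading $2 need not be stopped.
compile_ruleset() {
    if command -v s6-accessrules-cdb-from-fs >/dev/null 2>&1; then
        s6-accessrules-cdb-from-fs "$2" "$1"
    else
        echo "s6-accessrules-cdb-from-fs not installed, skipping compile" >&2
    fi
}
```

Run <tt>make_ruleset "$dir"</tt>, then <tt>check_ruleset "$dir"</tt>, and only on success <tt>compile_ruleset "$dir" "$cdbfile"</tt>; a rule directory containing only <tt>env</tt> or an oversize <tt>exec</tt> makes the check fail before anything is compiled.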