s6-ipcserver-access.html (7058B)
1 <html> 2 <head> 3 <meta name="viewport" content="width=device-width, initial-scale=1.0" /> 4 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 5 <meta http-equiv="Content-Language" content="en" /> 6 <title>s6: the s6-ipcserver-access program</title> 7 <meta name="Description" content="s6: the s6-ipcserver-access program" /> 8 <meta name="Keywords" content="s6 s6-ipcserver-access unix access control ipcrules" /> 9 <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> 10 </head> 11 <body> 12 13 <p> 14 <a href="index.html">s6</a><br /> 15 <a href="//skarnet.org/software/">Software</a><br /> 16 <a href="//skarnet.org/">skarnet.org</a> 17 </p> 18 19 <h1> The <tt>s6-ipcserver-access</tt> program </h1> 20 21 <p> 22 <tt>s6-ipcserver-access</tt> is a command-line access 23 control tool for Unix domain sockets on systems where the 24 <a href="http://www.superscript.com/ucspi-ipc/getpeereid.html">getpeereid()</a> system call can be implemented. 25 It is meant to be run after 26 <a href="s6-ipcserverd.html">s6-ipcserverd</a> and before 27 the application program on the s6-ipcserver command line. 28 </p> 29 30 <h2> Interface </h2> 31 32 <pre> 33 s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> 34 </pre> 35 36 <ul> 37 <li> s6-ipcserver-access checks it is run under a UCSPI server tool 38 such as <a href="s6-ipcserver.html">s6-ipcserver</a>. 39 <li> It checks that the remote end of the connection fits the 40 accepted criteria defined by the database contained in <em>rulesdir</em> 41 or <em>rulesfile</em>. If the database tells it to reject the connection, 42 the program exits 1. </li> 43 <li> It sets up a few additional environment variables. </li> 44 <li> It executes into <em>prog...</em>, 45 unless the first matching rule in the rule database 46 includes instructions to override <em>prog...</em>. </li> 47 </ul> 48 49 <h2> Environment variables </h2> 50 51 <p> 52 s6-ipcserver-access expects to inherit some environment variables from 53 its parent: 54 </p> 55 56 <ul> 57 <li> PROTO: normally IPC, but could be anything else, like UNIX. </li> 58 <li> ${PROTO}REMOTEEUID: the effective UID of the client program connecting to the socket. </li> 59 <li> ${PROTO}REMOTEEGID: the effective GID of the client program connecting to the socket. </li> 60 </ul> 61 62 <p> 63 Additionally, it exports the following variables before executing into 64 <em>prog...</em>: 65 </p> 66 67 <ul> 68 <li> ${PROTO}LOCALPATH: set to the local "address" of the socket, as 69 reported by the 70 <a href="https://pubs.opengroup.org/onlinepubs/9699919799/functions/getsockname.html">getsockname()</a> 71 system call, truncated to 99 characters max. </li> 72 </ul> 73 74 <p> 75 Also, the access rules database can instruct s6-ipcserver-access to set 76 up, or unset, more environment variables, depending on the client address. 77 </p> 78 79 <h2> Options </h2> 80 81 <ul> 82 <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose, i.e. 83 print more or less information to stderr: 84 <ul> 85 <li> 0: only log error messages. </li> 86 <li> 1: only log error and warning messages, and accepted connections. 87 This is the default. </li> 88 <li> 2: also log rejected connections and more warning messages. </li> 89 </ul> </li> 90 <li> <tt>-E</tt> : no environment. All environment variables potentially 91 set by s6-ipcserver-access, as well as those set by 92 <a href="s6-ipcserver.html">s6-ipcserver</a>, will be unset instead. </li> 93 <li> <tt>-e</tt> : set up environment variables normally. 94 This is the default. </li> 95 <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> 96 as the value for the ${PROTO}LOCALPATH environment variable, instead of 97 looking it up via getsockname(). </li> 98 <li> <tt>-i <em>rulesdir</em></tt> : check client credentials 99 against a filesystem-based database in the <em>rulesdir</em> directory. </li> 100 <li> <tt>-x <em>rulesfile</em></tt> : check client credentials 101 against a <a href="https://en.wikipedia.org/wiki/Cdb_(software)">cdb</a> 102 database in the <em>rulesfile</em> file. <tt>-i</tt> and <tt>-x</tt> are 103 mutually exclusive. If none of those options is given, no credential checking will be 104 performed, and a warning will be emitted on every connection if 105 <em>verbosity</em> is 2 or more. </li> 106 </ul> 107 108 <h2> Access rule checking </h2> 109 110 <p> 111 s6-ipcserver-access checks its client connection against 112 a ruleset. This ruleset can be implemented: 113 </p> 114 115 <ul> 116 <li> either in the filesystem as an arborescence of directories and files, 117 if the <tt>-i</tt> option has been given. This option is the most flexible 118 one: the directory format is simple enough for scripts to understand and 119 modify it, and the ruleset can be changed dynamically. This is practical, 120 for instance, for roaming users. </li> 121 <li> or in a <a href="https://en.wikipedia.org/wiki/Cdb_(software)">CDB 122 file</a>, if the <tt>-x</tt> option has been given. This option is the most 123 efficient one if the ruleset is static enough: a lot less system calls are 124 needed to perform searches in a CDB than in the filesystem. </li> 125 </ul> 126 127 <p> 128 The exact format of the ruleset is described on the 129 <a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> page. 130 </p> 131 132 <p> 133 s6-ipcserver-access first reads the client UID <em>uid</em> and 134 GID <em>gid</em> from the 135 ${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks 136 them with the 137 <a href="libs6/accessrules.html#uidgid">s6_accessrules_keycheck_uidgid()</a> 138 function. In other words, it tries to match: 139 140 <ul> 141 <li> (if the client's effective uid is the same as <tt>s6-ipcserver-access</tt>'s effective uid) <tt>uid/self</tt> </li> 142 <li> <tt>uid/</tt><em>uid</em> </li> 143 <li> (if the client's effective gid is the same as <tt>s6-ipcserver-access</tt>'s effective gid) <tt>gid/self</tt> </li> 144 <li> <tt>gid/</tt><em>gid</em> </li> 145 <li> <tt>uid/default</tt> </li> 146 </ul> 147 148 <p> 149 in that order. If no S6_ACCESSRULES_ALLOW result can be obtained, 150 the connection is denied. 151 </p> 152 153 <h2> Environment and executable modifications </h2> 154 155 <p> 156 s6-ipcserver-access interprets non-empty <tt>env</tt> subdirectories 157 and <tt>exec</tt> files 158 it finds in the first matching rule of the ruleset, as explained 159 in the <a href="s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> 160 page. 161 </p> 162 163 <ul> 164 <li> An <tt>env</tt> subdirectory is interpreted as if the 165 <a href="//skarnet.org/software/s6/s6-envdir.html">s6-envdir</a> 166 command had been called before executing <em>prog</em>: the environment 167 is modified according to the contents of <tt>env</tt>. </li> 168 <li> An <tt>exec</tt> file containing <em>newprog</em> completely 169 bypasses the rest of s6-ipcserver-access' command line. After 170 environment modifications, if any, s6-ipcserver-access execs into 171 <tt><a href="//skarnet.org/software/execline/execlineb.html">execlineb</a> -c <em>newprog</em></tt>. 172 Please be aware that the <tt>exec</tt> file functionality is only supported 173 when s6 has been built with execline support. Otherwise, a warning message 174 is printed and executable diversion is <em>not</em> performed. </li> 175 </ul> 176 177 </body> 178 </html>