path: root/doc/s6-fdholderd.html
author    Laurent Bercot <ska-skaware@skarnet.org>  2015-01-29 11:49:26 +0000
committer Laurent Bercot <ska-skaware@skarnet.org>  2015-01-29 11:49:26 +0000
commit    0257ca0c6ce27cc8d48323f5fc4f079c7f455b93
tree      b8c2c4511afbe9cdae35259d777094b9efa6fa50 /doc/s6-fdholderd.html
parent    f05b37667624eb178a0d856da339d003f7d63b6e
I changed my mind. Added access control for listing to s6-fdholderd.
Diffstat (limited to 'doc/s6-fdholderd.html')
 -rw-r--r--  doc/s6-fdholderd.html | 17
 1 file changed, 12 insertions, 5 deletions
diff --git a/doc/s6-fdholderd.html b/doc/s6-fdholderd.html
index 0977101..3f3194a 100644
--- a/doc/s6-fdholderd.html
+++ b/doc/s6-fdholderd.html
@@ -186,8 +186,11 @@ rulesdir as an example, but a rulesfile works the same way):
 <ul>
  <li> Connect to the server. This is a prerequisite for
 doing anything. It will allow a client to perform "public" operations,
-ones that do not require specific access rights other than connecting:
-for instance, listing all identifiers. This right is given if an
+ones that do not require specific access rights other than connecting.
+(There are no such operations for now, but it could change in the
+future; for now, when you allow a client to connect to the server,
+make sure to give him other rights too.)
+ This right is given if an
 <tt>allow</tt> file is found in one of the subdirectories checked by
 <a href="libs6/accessrules.html#uidgid">s6_accessrules_keycheck_uidgid</a>.
 For instance, to allow everyone to connect, touch
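Review bot: with listing moved behind its own right, the connect right now grants nothing on its own, and the hunk says so only in a parenthetical ("There are no such operations for now"), while the example that follows, "to allow everyone to connect, touch ... allow", still reads as a harmless default. State it plainly and in terms of the rights that actually matter, e.g. "Connecting by itself grants no operation; a client that is allowed to connect must also be given read, write, listing or dump rights below to do anything useful." Since the connect check is still the first gate every client passes, it is also worth saying that restricting who may connect remains a useful defense-in-depth measure rather than something to hand to everyone. Minor: "give him other rights" should be "give it other rights" (the client is a program), and the fragment " This right is given if an" should be joined to the sentence it belongs to instead of standing on its own line.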
@@ -223,6 +226,11 @@ set of identifiers that the client is allowed to use to retrieve file
 descriptors. For instance, <tt>^unix:/tmp/</tt> indicates that a client
 that matches this rule will be allowed to retrieve file descriptors that are
 identified by strings starting with <tt>unix:/tmp/</tt>. </li>
+ <li> Listing rights. This will be checked for clients wanting to list
+the identifiers of the descriptors currently stored in the server. This
+right is given if a non-empty file named <tt>S6_FDHOLDER_LIST</tt> is
+found in the <tt>env/</tt> subdirectory of one of the subdirectories checked by
+<a href="libs6/accessrules.html#uidgid">s6_accessrules_keycheck_uidgid</a>. </li>
  <li> Dump reading rights. This will be checked for clients wanting to
 copy the whole state of the server. This right is given if a non-empty
 file named <tt>S6_FDHOLDER_GETDUMP</tt> is found is the <tt>env/</tt>
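Review bot: the new listing right is described as letting a client "list the identifiers of the descriptors currently stored in the server", which, read next to the read-rights paragraph just above it, leaves open whether the list is filtered by the client's retrieval regex (the <tt>^unix:/tmp/</tt> example) or returns every identifier held. If it is unfiltered, say so explicitly, because an operator who grants <tt>S6_FDHOLDER_LIST</tt> to a client with a narrow read regex is then disclosing the names of every held descriptor to that client; if it is filtered, document that instead. It would also help, for symmetry with the dump rights, to state that listing is independent of read rights: a client with read rights but no <tt>S6_FDHOLDER_LIST</tt> can still retrieve descriptors whose identifiers it already knows, and a client with only <tt>S6_FDHOLDER_LIST</tt> can see names but retrieve nothing. While here, the dump-reading context line has "is found is the <tt>env/</tt>", which should be "is found in the <tt>env/</tt>".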
@@ -298,9 +306,8 @@ hand, it makes little sense to fd-hold regular files, and if done anyway,
 the results can be surprising, because the read/write file offset is
 stored with the descriptor, and no automatic rewind is performed by the
 daemon. </li>
- <li> Anyone that is allowed to connect is allowed to read the whole list
-of identifiers. This is intentional: identifiers should be public and
-well-known, and the security of the system should not depend on a client
+ <li> Despite there being access control for listing, the security of the
+system should not depend on a client
 not knowing what identifier a certain descriptor is stored under. If you
 need to hold descriptors that only a few programs are supposed to access,
 you can always run a separate s6-fdholderd instance in a private directory
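Review bot: the rewritten bullet drops the old rationale ("identifiers should be public and well-known") without replacing it, so "Despite there being access control for listing" now asserts a limitation without saying what the listing right is for or what it does not protect. Suggest spelling out the threat model in one sentence: the listing right only restricts enumeration through the server's list operation; it does not make identifiers secret, and a client that learns an identifier by any other means and has matching read rights can still retrieve the descriptor, so isolation has to come from read rights and, as the bullet goes on to say, from a separate s6-fdholderd instance in a private directory. Wording: "Despite there being access control for listing" reads awkwardly; "Even though listing is access-controlled" is cleaner.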