-rw-r--r--NEWS2
-rw-r--r--doc/s6-ipcserver-access.html5
-rw-r--r--doc/upgrade.html1
-rw-r--r--src/conn-tools/s6-ipcserver-access.c19
4 files changed, 18 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 4b78957..afd4c3c 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ In 2.8.0.0
  - Adaptation to skalibs-2.8.0.0.
  - s6-log can now notify readiness with the new -d option.
  - s6-log now has a default line limit of 8 kB.
+ - s6-ipcserver-access now takes a -I option to automatically accept
+connections from clients running with the same euid/egid pair.
 
 
 In 2.7.2.2
diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html
index fad54bf..80b7503 100644
--- a/doc/s6-ipcserver-access.html
+++ b/doc/s6-ipcserver-access.html
@@ -30,7 +30,7 @@ the application program on the s6-ipcserver command line.
 <h2> Interface </h2>
 
 <pre>
-     s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
+     s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -I ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -95,6 +95,9 @@ This is the default. </li>
  <li> <tt>-l&nbsp;<em>localname</em></tt>&nbsp;: use <em>localname</em>
 as the value for the ${PROTO}LOCALPATH environment variable, instead of
 looking it up via getsockname(). </li>
+ <li> <tt>-I</tt>&nbsp;: accept identity connections. If a client connects
+with the same effective uid/gid pair as s6-ipcserver-access is running under,
+then the ruleset check is bypassed and the connection is accepted. </li>
  <li> <tt>-i&nbsp;<em>rulesdir</em></tt>&nbsp;: check client credentials
 against a filesystem-based database in the <em>rulesdir</em> directory. </li>
  <li> <tt>-x&nbsp;<em>rulesfile</em></tt>&nbsp;: check client credentials
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 84eb7c0..c798448 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -26,6 +26,7 @@
  <li> New <tt>-d <em>notif</em></tt> option to <a href="s6-log.html">s6-log</a>. </li>
  <li> New default for the <tt>-l <em>linelimit</em></tt> option to <a href="s6-log.html">s6-log</a>:
 8192 bytes. </li>
+ <li> New <tt>-I</tt> option to <a href="s6-ipcserver-access.html">s6-ipcserver-access</a>. </li>
 </ul>
 
 <h2> in 2.7.2.2 </h2>
diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c
index c423974..21171fd 100644
--- a/src/conn-tools/s6-ipcserver-access.c
+++ b/src/conn-tools/s6-ipcserver-access.c
@@ -14,7 +14,7 @@
 #include <execline/config.h>
 #include <s6/accessrules.h>
 
-#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..."
+#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -I ] [ -i rulesdir | -x rulesfile ] prog..."
 
 static unsigned int verbosity = 1 ;
 
@@ -108,7 +108,6 @@ static inline int check (s6_accessrules_params_t *params, char const *rules, uns
   }
 }
 
-
 int main (int argc, char const *const *argv, char const *const *envp)
 {
   s6_accessrules_params_t params = S6_ACCESSRULES_PARAMS_ZERO ;
@@ -119,13 +118,14 @@ int main (int argc, char const *const *argv, char const *const *envp)
   uid_t uid = 0 ;
   gid_t gid = 0 ;
   unsigned int rulestype = 0 ;
+  int identity = 0 ;
   int doenv = 1 ;
   PROG = "s6-ipcserver-access" ;
   {
     subgetopt_t l = SUBGETOPT_ZERO ;
     for (;;)
     {
-      int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ;
+      int opt = subgetopt_r(argc, argv, "v:Eel:Ii:x:", &l) ;
       if (opt == -1) break ;
       switch (opt)
       {
@@ -133,6 +133,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
         case 'E' : doenv = 0 ; break ;
         case 'e' : doenv = 1 ; break ;
         case 'l' : localname = l.arg ; break ;
+        case 'I' : identity = 1 ; break ;
         case 'i' : rules = l.arg ; rulestype = 1 ; break ;
         case 'x' : rules = l.arg ; rulestype = 2 ; break ;
         default : dieusage() ;
@@ -161,11 +162,13 @@ int main (int argc, char const *const *argv, char const *const *envp)
     if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ;
   }
 
-  if (!check(&params, rules, rulestype, uid, gid))
-  {
-    if (verbosity >= 2) log_deny(getpid(), uid, gid) ;
-    return 1 ;
-  }
+  if (identity && uid == geteuid() && gid == getegid()) goto accepted ;
+  if (check(&params, rules, rulestype, uid, gid)) goto accepted ;
+
+  if (verbosity >= 2) log_deny(getpid(), uid, gid) ;
+  return 1 ;
+
+ accepted:
   if (verbosity) log_accept(getpid(), uid, gid) ;
 
   if (doenv)
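Review bot: The identity shortcut on the first added line jumps straight to `accepted` without calling `check()`, so for a peer with the server's own euid/egid `params` keeps the S6_ACCESSRULES_PARAMS_ZERO value it was given at the top of main — no per-uid env/exec directives from the ruleset are applied — and a deny entry for that uid in the rulesdir can no longer refuse the peer, which the -I documentation only hints at with "the ruleset check is bypassed". That is presumably intended (a process already running as the server's euid could kill or ptrace it), but `log_accept` emits the same record for an identity match and a ruleset match, so an operator reading the log cannot tell which path admitted a connection; a distinct reason in the accept line would help incident triage. I would at least document it above the test: `/* -I: a peer sharing our euid/egid is trusted outright; check() is skipped, so rules-supplied env/exec are not applied and a deny rule cannot override this. */`. The rest of main, including whatever consumes params after `if (doenv)`, is outside the hunk.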