diff options
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/s6-ipcserver-access.html | 5 | ||||
-rw-r--r-- | doc/upgrade.html | 1 | ||||
-rw-r--r-- | src/conn-tools/s6-ipcserver-access.c | 19 |
4 files changed, 18 insertions, 9 deletions
diff --git a/NEWS b/NEWS index 4b78957..afd4c3c 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,8 @@ In 2.8.0.0 - Adaptation to skalibs-2.8.0.0. - s6-log can now notify readiness with the new -d option. - s6-log now has a default line limit of 8 kB. + - s6-ipcserver-access now takes a -I option to automatically accept +connections from clients running with the same euid/egid pair. In 2.7.2.2 diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html index fad54bf..80b7503 100644 --- a/doc/s6-ipcserver-access.html +++ b/doc/s6-ipcserver-access.html @@ -30,7 +30,7 @@ the application program on the s6-ipcserver command line. <h2> Interface </h2> <pre> - s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> + s6-ipcserver-access [ -v <em>verbosity</em> ] [ -E | -e ] [ -l <em>localname</em> ] [ -I ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em> </pre> <ul> @@ -95,6 +95,9 @@ This is the default. </li> <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> as the value for the ${PROTO}LOCALPATH environment variable, instead of looking it up via getsockname(). </li> + <li> <tt>-I</tt> : accept identity connections. If a client connects +with the same effective uid/gid pair as s6-ipcserver-access is running under, +then the ruleset check is bypassed and the connection is accepted. </li> <li> <tt>-i <em>rulesdir</em></tt> : check client credentials against a filesystem-based database in the <em>rulesdir</em> directory. </li> <li> <tt>-x <em>rulesfile</em></tt> : check client credentials diff --git a/doc/upgrade.html b/doc/upgrade.html index 84eb7c0..c798448 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html @@ -26,6 +26,7 @@ <li> New <tt>-d <em>notif</em></tt> option to <a href="s6-log.html">s6-log</a>. </li> <li> New default for the <tt>-l <em>linelimit</em></tt> option to <a href="s6-log.html">s6-log</a>: 8192 bytes. </li> + <li> New <tt>-I</tt> option to <a href="s6-ipcserver-access.html">s6-ipcserver-access</a>. </li> </ul> <h2> in 2.7.2.2 </h2> diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c index c423974..21171fd 100644 --- a/src/conn-tools/s6-ipcserver-access.c +++ b/src/conn-tools/s6-ipcserver-access.c @@ -14,7 +14,7 @@ #include <execline/config.h> #include <s6/accessrules.h> -#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..." +#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -I ] [ -i rulesdir | -x rulesfile ] prog..." static unsigned int verbosity = 1 ; @@ -108,7 +108,6 @@ static inline int check (s6_accessrules_params_t *params, char const *rules, uns } } - int main (int argc, char const *const *argv, char const *const *envp) { s6_accessrules_params_t params = S6_ACCESSRULES_PARAMS_ZERO ; @@ -119,13 +118,14 @@ int main (int argc, char const *const *argv, char const *const *envp) uid_t uid = 0 ; gid_t gid = 0 ; unsigned int rulestype = 0 ; + int identity = 0 ; int doenv = 1 ; PROG = "s6-ipcserver-access" ; { subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ; + int opt = subgetopt_r(argc, argv, "v:Eel:Ii:x:", &l) ; if (opt == -1) break ; switch (opt) { @@ -133,6 +133,7 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'E' : doenv = 0 ; break ; case 'e' : doenv = 1 ; break ; case 'l' : localname = l.arg ; break ; + case 'I' : identity = 1 ; break ; case 'i' : rules = l.arg ; rulestype = 1 ; break ; case 'x' : rules = l.arg ; rulestype = 2 ; break ; default : dieusage() ; @@ -161,11 +162,13 @@ int main (int argc, char const *const *argv, char const *const *envp) if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ; } - if (!check(¶ms, rules, rulestype, uid, gid)) - { - if (verbosity >= 2) log_deny(getpid(), uid, gid) ; - return 1 ; - } + if (identity && uid == geteuid() && gid == getegid()) goto accepted ; + if (check(¶ms, rules, rulestype, uid, gid)) goto accepted ; + + if (verbosity >= 2) log_deny(getpid(), uid, gid) ; + return 1 ; + + accepted: if (verbosity) log_accept(getpid(), uid, gid) ; if (doenv) |