path: root/man/mann/xpaacl.n
blob: d339c5dc6371f7a7d3b9b32e20b4c31e50ccb694 (plain)
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.13)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "xpaacl n"
.TH xpaacl n "July 23, 2013" "version 2.1.15" "SAORD Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
\&\fBXPAAcl: Access Control for \s-1XPA\s0 Messaging\fR
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\s-1XPA\s0 supports host-based access control for each \s-1XPA\s0 access point.  You
can enable/disable access control using the \s-1XPA_ACL\s0 environment
variable. You can specify access to specific \s-1XPA\s0 access points for
specific machines using the \s-1XPA_DEFACL\s0 and \s-1XPA_ACLFILE\s0 environment
variables. By default, an \s-1XPA\s0 access point is accessible only to
processes running on the same machine (same as X Windows).
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
When \s-1INET\s0 sockets are in use (the default, as specified by the
\&\fI\s-1XPA_METHOD\s0\fR environment variable), \s-1XPA\s0 supports a host-based
access control mechanism for individual access points. This means that
access can be specified for get, set, or info operations for each
access point on a machine by machine basis.  For \s-1LOCAL\s0 sockets, access
is restricted (by definition) to the host machine.
.PP
\&\s-1XPA\s0 access control is enabled by default, but can be turned off by
setting the \fI\s-1XPA_ACL\s0\fR environment variable to \fIfalse\fR.
In this case, any process can access any \s-1XPA\s0 server.
.PP
Assuming that access control is turned on, the \s-1ACL\s0 for an individual
\&\s-1XPA\s0 access point is set up when that access point is registered
(although it can be changed later on; see below). This can be done in
one of two ways:
.PP
Firstly, the \fI\s-1XPA_ACLFILE\s0\fR environment variable can be defined to
point to a file of access controls for individual access points. The format
of this file is:
.PP
.Vb 1
\& class:name ip acl
.Ve
.PP
The first argument is a template that specifies the class:name of the
access point covered by this \s-1ACL\s0. See
\&\s-1XPA\s0 Access Points and Templates
for more information about xpa templates.
.PP
The second argument is the \s-1IP\s0 address (in human-readable format) of
the machine which is being given access.  This argument can be
\&\fI*\fR to match all \s-1IP\s0 addresses.  It also can be \fI\f(CI$host\fI\fR
to match the \s-1IP\s0 address of the current host.
.PP
The third argument is a string combination of \fIs\fR, \fIg\fR,
or \fIi\fR to allow \fIxpaset\fR, \fIxpaget\fR, or
\&\fIxpainfo\fR access respectively.  The \s-1ACL\s0 argument can be
\&\fI+\fR to give \fIsgi\fR access or it can be \fI\-\fR to turn
off all access.
.PP
For example,
.PP
.Vb 3
\&  *:xpa1  somehost sg
\&  *:xpa1  myhost +
\&  * * g
.Ve
.PP
will allow processes on the machine somehost to make xpaget and xpaset calls,
allow processes on myhost to make any call, and allow all other hosts to
make xpaget (but not xpaset) calls.
.PP
Secondly, if the \fI\s-1XPA_ACLFILE\s0\fR does not exist, then a single
default value for all access points can be specified using the
\&\fI\s-1XPA_DEFACL\s0\fR environment variable.  The default value for this
variable is:
.PP
.Vb 1
\&  #define XPA_DEFACL "*:* $host +"
.Ve
.PP
meaning that all access points are fully accessible to all processes
on the current host. Thus, in the absence of any \s-1ACL\s0 environment variables,
processes on the current host have full access to all access points
created on that host. This parallels the X11 xhost mechanism.
.PP
Access to an individual \s-1XPA\s0 access point can be changed using the \-acl
parameter for that access point.  For example:
.PP
.Vb 1
\&  xpaset \-p xpa1 \-acl "somehost \-"
.Ve
.PP
will turn off all access for somehost to the xpa1 access point, while:
.PP
.Vb 1
\&  xpaset \-p XPA:xpa1 \-acl "beberly gs"
.Ve
.PP
will give beberly xpaget and xpaset access to the access point whose
class is \s-1XPA\s0 and whose name is xpa1.
.PP
Similarly, the current \s-1ACL\s0 for a given access point can be retrieved using:
.PP
.Vb 1
\&  xpaget xpa1 \-acl
.Ve
.PP
Of course, you must have xpaget access to this \s-1XPA\s0 access point to
retrieve its \s-1ACL\s0.
.PP
Note that the \s-1XPA\s0 access points registered in the \fIxpans\fR
program also behave according to the \s-1ACL\s0 rules.  That is, you cannot
use xpaget to view the access points registered with xpans unless
you have the proper \s-1ACL\s0.
.PP
Note also that when a client request is made to an \s-1XPA\s0 server, access
control is checked when the initial connection is established.  The
access in effect at that time remains in effect as long as the client
connection is maintained, regardless of whether the access for that
\&\s-1XPA\s0 access point is changed later on.
.PP
We recognize that host-based access control is only relatively secure
and will consider more stringent security (e.g., private key) in the
future if the community requires such support.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
See xpa(n) for a list of \s-1XPA\s0 help pages