X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;ds=sidebyside;f=spec.sgml.in;h=8757851a9675f07f8fe533802deec568ddeec70f;hb=de637275e67c38df6aaf5148cde919287d825d36;hp=5fc9ce6348edbe83bd2b17be75d903d76c16d081;hpb=9f9813ee612b45b0bb64345b482899fa3a39b5a5;p=userv.git

diff --git a/spec.sgml.in b/spec.sgml.in
index 5fc9ce6..8757851 100644
--- a/spec.sgml.in
+++ b/spec.sgml.in
@@ -191,11 +191,10 @@ other words are allowed.  The <var/filename/ may also be <tt/stdin/,
 <p>
 
 If no <var/modifiers/ which imply <tt/read/ or <tt/write/ are used it
-is as if <tt/read/ had been specified, except that if the
-filedescriptor 1 or 2 of the service is being opened (either specified
-numerically or with <tt/stdout/ or <tt/stderr/) it is as if
-<tt/overwrite/ had been specified (or <tt/write/ if only <tt/fd/ was
-specified).
+is as if <tt/write/ had been specified, except that if the
+filedescriptor 0 of the service is being opened (either specified
+numerically or with <tt/stdin/) it is as if <tt/overwrite/ had been
+specified (or <tt/write/ if only <tt/fd/ was specified).
 <p>
 
 The client will also use <tt/O_NOCTTY/ when opening files specified by
@@ -372,7 +371,10 @@ contain one or more real newlines.
 Pretend to the service that it is being called by <var/user/ (which
 may be a username or a uid).  This will also affect the group and
 supplementary groups supplied to the service; they will be the
-standard group and supplementary groups for <var/user/.
+standard group and supplementary groups for <var/user/.  The
+<tt/--spoof-user/ option will <em/not/ affect which user is chosen if
+the service user is specified as just <tt/-/; in this case the service
+user will be the real calling user.
 
 </taglist>
 
@@ -863,13 +865,13 @@ directive which modifies any particuar setting will take effect.
 Reject the request.  <prgn/execute/, <prgn/execute-from-directory/ and
 <prgn/execute-from-path/ will change this setting.
 
-<tag/<tt/execute <var/pathname/ [<var/argument/ ...]//
+<tag/<tt/execute <var/program/ [<var/argument/ ...]//
 <item>
-Execute the program <var/pathname/, with the arguments as specified,
+Execute the program <var/program/, with the arguments as specified,
 followed by any arguments given to the client if
 <prgn/no-suppress-args/ is in effect.  It is an error for the
 execution to fail when it is attempted (after all the configuration
-has been parsed).  If <var/pathname/ does not contain a slash it will
+has been parsed).  If <var/program/ does not contain a slash it will
 be searched for on the service user's path.
 
 <tag/<tt/execute-from-directory <var/pathname/ [<var/argument/ ...]//
@@ -1233,6 +1235,30 @@ and the service.
 <chapt id="notes">Applications and notes on use
 <p>
 
+<sect id="standards">Standard services and directory management
+<p>
+
+In later versions of this specification standard service names and
+interfaces for common services such as mail delivery and WWW CGI
+scripts will be specified.
+<p>
+
+<prgn/userv/-using applications and system services which hide
+<prgn/userv/ behind wrapper scripts may need to store information in
+the user's filespace to preserve the correct placement of the security
+perimiters.  Such applications should usually do so in a directory
+(created by them) <tt>~/.userv/.servdata/<var/service/</>, where
+<var/service/ is the service name or application in question.
+<p>
+
+The use of a dot-directory inside <tt>~/.userv</> will hopefully avoid
+the user becoming confused by finding parts of a semi-privileged
+application's internal state in their filespace, and or discourage
+them from fiddling with and thus corrupting it.  (Note that such
+applications should of course not rely for their global integrity on
+the integrity of the data on the user's side of the security
+boundary.)
+
 <sect id="reducepriv">Reducing the number of absolutely privileged subsystems
 <p>