X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=spec.sgml.in;h=d0de3742f8ed268244cd8b12cb8b052944717282;hb=9e6cd7b0be95cfddf19962d00619a470ec6b4d9b;hp=5fc9ce6348edbe83bd2b17be75d903d76c16d081;hpb=9f9813ee612b45b0bb64345b482899fa3a39b5a5;p=userv.git diff --git a/spec.sgml.in b/spec.sgml.in index 5fc9ce6..d0de374 100644 --- a/spec.sgml.in +++ b/spec.sgml.in @@ -2,7 +2,7 @@ User service daemon and client specification -<author>Ian Jackson <email>ian@chiark.greenend.org.uk +<author>Ian Jackson <email>ian@davenant.greenend.org.uk <version></version> <abstract> @@ -11,7 +11,7 @@ program to invoke another when only limited trust exists between them. <copyright> -Copyright 1996-1997 Ian Jackson. +<prgn/userv/ is Copyright 1996-1999 Ian Jackson. <p> <prgn/userv/ is free software; you can redistribute it and/or modify @@ -191,11 +191,10 @@ other words are allowed. The <var/filename/ may also be <tt/stdin/, <p> If no <var/modifiers/ which imply <tt/read/ or <tt/write/ are used it -is as if <tt/read/ had been specified, except that if the -filedescriptor 1 or 2 of the service is being opened (either specified -numerically or with <tt/stdout/ or <tt/stderr/) it is as if -<tt/overwrite/ had been specified (or <tt/write/ if only <tt/fd/ was -specified). +is as if <tt/write/ had been specified, except that if the +filedescriptor 0 of the service is being opened (either specified +numerically or with <tt/stdin/) it is as if <tt/overwrite/ had been +specified (or <tt/write/ if only <tt/fd/ was specified). <p> The client will also use <tt/O_NOCTTY/ when opening files specified by 
@@ -372,7 +371,10 @@ contain one or more real newlines. Pretend to the service that it is being called by <var/user/ (which may be a username or a uid). This will also affect the group and supplementary groups supplied to the service; they will be the -standard group and supplementary groups for <var/user/. +standard group and supplementary groups for <var/user/. The +<tt/--spoof-user/ option will <em/not/ affect which user is chosen if +the service user is specified as just <tt/-/; in this case the service +user will be the real calling user. </taglist> @@ -705,7 +707,7 @@ in the context of and with the privileges of the service user. <tag/<tt/errors-to-syslog/ [<var/facility/ [<var/level/]]/ <item> Error messages will be delivered using <prgn/syslog/. The default -<var/facility/ is <tt/daemon/; the default <var/level/ is <tt/error/. +<var/facility/ is <tt/user/; the default <var/level/ is <tt/error/. </taglist> <sect1 id="dirs-control">Control structure directives @@ -863,13 +865,13 @@ directive which modifies any particuar setting will take effect. Reject the request. <prgn/execute/, <prgn/execute-from-directory/ and <prgn/execute-from-path/ will change this setting. -<tag/<tt/execute <var/pathname/ [<var/argument/ ...]// +<tag/<tt/execute <var/program/ [<var/argument/ ...]// <item> -Execute the program <var/pathname/, with the arguments as specified, +Execute the program <var/program/, with the arguments as specified, followed by any arguments given to the client if <prgn/no-suppress-args/ is in effect. It is an error for the execution to fail when it is attempted (after all the configuration -has been parsed). If <var/pathname/ does not contain a slash it will +has been parsed). If <var/program/ does not contain a slash it will be searched for on the service user's path. <tag/<tt/execute-from-directory <var/pathname/ [<var/argument/ ...]// 
@@ -948,6 +950,10 @@ files). Displays the top-level override configuration (the configuration data, evaluated by the server, which causes all the other configuration data to be parsed). + +<tag/<tt/help// +<item> +Displays a list of the understood builtin service names and arguments. </taglist> In the future other builtin services may be defined which do more than @@ -1233,6 +1239,30 @@ and the service. <chapt id="notes">Applications and notes on use <p> +<sect id="standards">Standard services and directory management +<p> + +In later versions of this specification standard service names and +interfaces for common services such as mail delivery and WWW CGI +scripts will be specified. +<p> + +<prgn/userv/-using applications and system services which hide +<prgn/userv/ behind wrapper scripts may need to store information in +the user's filespace to preserve the correct placement of the security +perimiters. Such applications should usually do so in a directory +(created by them) <tt>~/.userv/.servdata/<var/service/</>, where +<var/service/ is the service name or application in question. +<p> + +The use of a dot-directory inside <tt>~/.userv</> will hopefully avoid +the user becoming confused by finding parts of a semi-privileged +application's internal state in their filespace, and or discourage +them from fiddling with and thus corrupting it. (Note that such +applications should of course not rely for their global integrity on +the integrity of the data on the user's side of the security +boundary.) + <sect id="reducepriv">Reducing the number of absolutely privileged subsystems <p>
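Review bot: in the @@ -191,11 hunk the new default reads as internally inconsistent. Every other descriptor now defaults to <tt/write/, yet the special case for filedescriptor 0 (<tt/stdin/) says "it is as if <tt/overwrite/ had been specified", which is a writing mode; the one descriptor a service reads from is the natural candidate for a <tt/read/ default, not a stronger form of write. The trailing parenthetical "(or <tt/write/ if only <tt/fd/ was specified)" also no longer distinguishes anything once <tt/write/ is the general default. Suggest checking this against what the client actually does and, if fd 0 is opened for reading, rewording to "... it is as if <tt/read/ had been specified", since this default decides whether a caller-supplied filename is opened for reading or for writing.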
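Review bot: the @@ -372,7 hunk adds a carve-out for <tt/--spoof-user/ without pointing at where the "<tt/-/" service-user form is defined; a cross-reference would help. "The real calling user" should also be stated explicitly as the client's actual, unspoofed user, because an option that is silently ignored for one spelling of the service user is easy to misread when auditing which identity a service ends up running as.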
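Review bot: the @@ -705,7 hunk changes the documented default <var/facility/ from <tt/daemon/ to <tt/user/, and this diff touches only spec.sgml.in. Since the change silently reroutes error messages for any existing configuration that relies on the default, the text (or a changelog entry) should say that the default changed, and the server's built-in default should be confirmed to match the new wording.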
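Review bot: the rename from <var/pathname/ to <var/program/ in the @@ -863,13 hunk is applied consistently within the hunk and usefully separates it from the directory-valued <var/pathname/ of <prgn/execute-from-directory/; while in this paragraph, the context line "modifies any particuar setting" could be corrected to "particular".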
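Review bot: the new <tt/help/ entry in the @@ -948,6 hunk describes the output but not the argument handling; the <tag/ line shows no arguments, so the item should state that <tt/help/ takes none (and what happens if some are supplied), in line with the other builtin service entries which spell out their arguments in the tag.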
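Review bot: two typos in the added text of the @@ -1233,6 hunk: "security perimiters" should be "security perimeters", and "and or discourage" should be "and/or discourage". On substance, the closing note is the important point and could be stated more directly: because <tt>~/.userv/.servdata/<var/service/</> lives in the user's filespace, the user can remove or replace that directory and anything in it at any time, so an application must treat its contents as untrusted input on every use, not merely avoid depending on them for "global integrity".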