.TH yaid 8 "21 October 2012" "Straylight/Edgeware" "Yet Another Ident Daemon"
yaid \- Yet Another Ident Daemon
daemon implements the identification service defined in RFC1413. This
simple protocol allows a remote server to ask its client host for the
name of the user who made a given connection to it. It is not useful
for authentication, but may be handy when tracking down the source of a
doesn't have any features not found elsewhere, its combination appears
can handle NAT usefully. On a gateway providing a NAT disservice to
client hosts, it will detect that the connection it has been asked about
is actually owned by a client, and forward the query to the client. On
a client host stuck behind NAT, it will detect that a query is coming
from its NAT gateway and respond appropriately.
also has powerful policy management, allowing convenient fine-grained
control over the response provided to a given query.
signal will cause it to shut down gracefully.
accepts the following command-line options.
Write to standard output a summary of the command-line options, and exit
Write to standard output
version number, and exit with status zero.
Write to standard output a one-line synopsis of the command-line syntax,
and exit with status zero.
After initializing, fork twice, and run in the background.
.BI "\-G, \-\-group=" group
After obtaining any resources requiring elevated privilege, set the
which may be a name or number; if initially running as the superuser
then supplementary group memberships are also abandoned. The default is
to change to the primary group of the
option is given either, then don't change group-id.
.BI "\-P, \-\-pidfile=" file
After forking into the background (if requested using
write the daemon's process id to
as a single line, in decimal; delete the file on a clean shutdown.
.BI "\-U, \-\-user=" user
After obtaining any resources requiring elevated privilege, set the
which may be a name or number.
.BI "\-c, \-\-config=" file
Read the global policy rules from
The default is to read them from
.BR @sysconfdir@/yaid.policy .
For a description of the policy file, see below.
.BI "\-l, \-\-syslog"
Write log messages using
facility. The default is to write timestamped log messages to standard
.BI "\-p, \-\-port=" port
Listen for incoming connections on
which may be a port number, or a TCP service name.
reads policy rules from
.BR @sysconfdir@/yaid.policy ,
but this location can be changed using the
option. These rules, together with the actual connection ownership
information, determine the response given to any particular query.
The policy file consists of a number of rules, one per line. It may
also contain blank lines, and comments beginning with a
The first rule to match the query takes effect; subsequent rules are not
A policy rule has the following format.
The fields are separated with whitespace.
An address pattern has the form
.IB address / length \fR.
It matches an address if the first
bits of the two addresses agree. An
may be either an IPv4 or IPv6 address, in the numeric form accepted by
A port pattern has the form
It matches any port number which lies between
A user pattern can be either a user name, or may be of the form
The latter matches any uid lying between
Also, any of the above patterns may be
which matches anything.
An action may have one of the following forms.
The user's name will be reported honestly, quoting
as the operating system.
Instead of a user name, a random token unrelated to the user name will
be reported, along with the operating system name
as the owner of the connection, with
as the operating system.
.BI "user " action " " \fR...
Allow the user who owns the connection to determine the policy. Further
policy rules are read from
.BI ~ user /.yaid.policy \fR.
If a rule matches the query, and the rule's action matches one of the
tokens, then that action takes effect. If no rules match, then the
rule is considered not to match, and further rules from the global
policy file will be tried. Only the first 100 lines of a user policy
In any event, the details of the connection and the real owner (uid and
name) are always written to the log.
If none of the rules match the query then the
action is used as a default.
Changes to the global policy file take place immediately. There is no
need to send the daemon a signal to notify it of the change.
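The following is an added illustration, not code from yaid itself: it models the first-match evaluation described above over the three pattern kinds (an address/length prefix, a port range, a uid range) and builds the RFC 1413 reply line that the honest, token and fixed-user actions produce. The tuple layout of the rules, the rule table and the port and uid values are this example's own assumptions; the policy file syntax is not reproduced, and the daemon's default action for an unmatched query is represented by None.

```python
import ipaddress
import secrets

def addr_matches(pattern, addr):
    """Address pattern "address/length": matches when the first `length`
    bits of the two addresses agree.  Different families never match."""
    base, _, length = pattern.partition("/")
    net, host = ipaddress.ip_address(base), ipaddress.ip_address(addr)
    if net.version != host.version:
        return False
    bits = int(length) if length else net.max_prefixlen
    shift = net.max_prefixlen - bits
    return (int(net) >> shift) == (int(host) >> shift)

def range_matches(rng, value):
    """Port and uid patterns are modelled as inclusive (low, high) pairs;
    None stands in for the wildcard pattern that matches anything."""
    return rng is None or rng[0] <= value <= rng[1]

# Rule: (remote address pattern, remote port range, owner uid range, action).
# This tuple layout and the sample table are assumptions of this example.
RULES = [
    ("192.168.1.0/24", None, None, ("honest", "Linux")),          # trusted LAN
    ("2001:db8::/32", (1, 1023), None, ("fixed", "nobody", "UNIX")),
    ("0.0.0.0/0", None, (1000, 60000), ("token", "Linux")),       # everyone else
]

def find_action(rules, remote_addr, remote_port, uid):
    """First matching rule wins; None means no rule matched, so the
    daemon's own default action would apply."""
    for addr_pat, port_rng, uid_rng, action in rules:
        if (addr_matches(addr_pat, remote_addr)
                and range_matches(port_rng, remote_port)
                and range_matches(uid_rng, uid)):
            return action
    return None

def reply(server_port, client_port, action, username):
    """Build the RFC 1413 response line for the chosen action."""
    kind = action[0]
    if kind == "honest":
        os_name, ident = action[1], username
    elif kind == "fixed":
        ident, os_name = action[1], action[2]
    elif kind == "token":
        os_name, ident = action[1], secrets.token_hex(8)  # unrelated to the user
    else:
        raise ValueError(f"unknown action {kind!r}")
    return f"{server_port} , {client_port} : USERID : {os_name} : {ident}"
```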
.IR "Identification Protocol" ,
Mark Wooding, <mdw@distorted.org.uk>