--- /dev/null
+#!/bin/sh
+set -e
+
+usage () {
+ cat <<END
+usage:
+ hippotat-setup-permissions client
+ hippotat-setup-permissions server
+ hippotat-setup-permissions revoke
+END
+}
+
+case "$1.$#" in
+client.1|server.1|revoke.1) cs="$1" ;;
+--help.*) usage; exit 0 ;;
+*)
+ echo >&2 "bad usage: unknown arguments/options"
+ usage >&2
+ exit 12
+ ;;
+esac
+
+DAEMON=/usr/sbin/hippotatd
+USER=_hippotat
+GROUP=_hippotat
+test -e /etc/default/hippotatd && . /etc/default/hippotatd
+
+uid=$(id -u "$USER")
+
+if ! test -e /etc/userv/services.d/ipif; then
+ ln -s ../services-available/ipif /etc/userv/services.d/ipif
+ echo 'enabled ipif userv service'
+fi
+
+case "$USER" in
+ root)
+ echo "USER=root, revoking permissions"
+ cs=revoke
+ ;;
+esac
+
+remove_file () {
+ if test -e "$f"; then
+ echo "Removing $f"
+ fi
+ rm -f "$f" "$f~new~"
+}
+start_file () {
+ exec 3>"$f~new~"
+ echo >&3 '# created by hippotat-setup-permissions'
+}
+install_file () {
+ mv -f "$f~new~" "$f"
+ echo "Installed $f"
+}
+
+f=/etc/authbind/byuid/$uid
+case "$cs" in
+ client|revoke)
+ remove_file
+ ;;
+ server)
+ start_file
+ $DAEMON --print-config port,addrs | \
+ while read port addrs; do
+ for addr in $addrs; do
+ echo >&3 "$addr,$port"
+ done
+ done
+ install_file
+ ;;
+esac
+
+permit_ipif () {
+ user_spec=$1
+ printf >&3 "permit %s ifname %s local %s" "$user_spec" "$ifname" "$vaddr"
+ for vnet in $vnets; do
+ printf >&3 " remote %s" "$vnet"
+ done
+ echo >&3
+}
+
+f=/etc/userv/ipif-access/hippotat
+start_file
+case "$cs" in
+ *server*)
+ $DAEMON --print-config ifname_server,vaddr,vnetwork,vroutes | \
+ while read ifname vaddr vnets; do
+ permit_ipif "user $USER"
+ done
+ ;;
+esac
+case "$cs" in
+ *client*)
+ hippotat --print-config ifname_client,client,vnetwork,vroutes | \
+ while read ifname vaddr vnets; do
+ permit_ipif "group $GROUP"
+ done
+ ;;
+esac
+
+if test -s "$f~new~"; then
+ install_file
+else
+ case "$cs" in
+ revoke) ;;
+ *) echo 'No hippotat configuration.' ;;
+ esac
+ remove_file
+ echo "Revoked virtual network interface permissions."
+fi
+
+if grep -q '^permit user ' $f; then
+ echo "Granted user $USER permissions needed for running the server."
+fi
+
+if grep -q '^permit group ' $f; then
+ echo "Granted group $GROUP permissions needed for running the client."
+ echo "Consider putting yourself in that group!"
+fi
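Review bot: The `test -s "$f~new~"` check before the final `install_file` can never fail, because `start_file` has already written the `# created by hippotat-setup-permissions` header into that file; so `revoke`, or a run with no configuration, installs a comment-only `/etc/userv/ipif-access/hippotat` and the `remove_file` / "Revoked" branch is unreachable. Testing for an actual rule, `if grep -q '^permit ' "$f~new~"; then`, would restore the intended behaviour. In the three `--print-config ... | while read` pipelines `set -e` only sees the loop's exit status, so a failing config query goes unnoticed and `install_file` still runs; capturing the output first (e.g. `cfg=$($DAEMON --print-config port,addrs)`) lets the failure abort the run. These files are authorization policy for authbind and userv and are created with whatever umask the caller has, so an explicit `umask 022` after `set -e` would be a cheap safeguard. The script sources `/etc/default/hippotatd` while the manpage added in this commit names `/etc/default/hippotat`; one of them is presumably wrong, and an admin following the manpage would have their `USER`/`GROUP` override ignored.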
--- /dev/null
+=head1 NAME
+
+hippotat-setup-permissions - set up permissions for (non-root) use of hippotat
+
+=head1 SYNOPSYS
+
+ hippotat-setup-permissions client
+ hippotat-setup-permissions server
+ hippotat-setup-permissions revoke
+
+=head1 DESCRIPTION
+
+Sets up (or revokes)
+the permissions to allow hippotat and/or hippotatd to run.
+
+With C<server>
+permissions needed for the server are granted to the C<_hippotat> user
+(or other user set using C<USER> in C</etc/default/hippotat>.)
+
+With C<client>
+permissions needed for the client are granted to the C<_hippotat> I<group>
+(or other group set using C<GROUP> in C</etc/default/hippotat>.)
+
+Required permissions are determined based on the hippotat configuration in
+C</etc/hippotat>. (The C<hippotat> or C<hippotatd> program is run in a
+special mode to query the configuration.)
+
+In every run, revokes permissions granted to the
+configured user and/or group
+by previous invocations of this script,
+but which are not any longer needed according to the configuration
+and command line.
+So C<revoke> revokes all permissions,
+and C<client> and C<server> each revoke the other.
+(Only permissions granted in the specific files used by this script
+will be amended or revoked.)
+
+=head1 FILES
+
+=over
+
+=item C</etc/userv/ipif-access/hippotat>.
+
+Grants to the appropriate user or group the ability to make
+the virtual network interfaces, and route traffic to them.
+Created on both clients and servers.
+
+=item C</etc/authbind/byuid/>I<uid>
+
+Grants the server the ability
+to bind to the configured ports and addresses.
+The uid is that for the C<_hippotat> user, or C<USER>.
+Created on servers.
+
+=item C</etc/userv/services.d/ipif>
+
+Enables the C<ipif> userv service,
+which is itself controlled by C</etc/userv/ipif-access/> etc.
+
+Will be made a symlink to C</etc/userv/services-available/ipif>.
+Created on both clients and servers.
+Not removed during revocation,
+since other programs on the system may need it,
+
+Makes the symlink in .
+(This is not undone by C<revoke>, since that might disturb other
+services which are relying on it.)
+
+=item C</etc/default/hippotat>
+
+Shell script fragment sourced by
+the init script and by hippotat-setup-permissions,
+and the hippotatd init script.
+Can set C<USER> and C<GROUP>
+(and other variables that control the init script).
+
+=back