From 413a8662d24c882422ef20af8dff42de47dab6b4 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Tue, 10 Jan 2023 23:37:26 +0000
Subject: [PATCH] New configuration setup script
Signed-off-by: Ian Jackson
---
 hippotat-setup-permissions | 120 +++++++++++++++++++++++++++++++
 hippotat-setup-permissions.8.pod | 77 ++++++++++++++++++++
 2 files changed, 197 insertions(+)
 create mode 100755 hippotat-setup-permissions
 create mode 100644 hippotat-setup-permissions.8.pod
diff --git a/hippotat-setup-permissions b/hippotat-setup-permissions
new file mode 100755
index 0000000..78e922e
--- /dev/null
+++ b/hippotat-setup-permissions
@@ -0,0 +1,120 @@
+#!/bin/sh
+set -e
+
+usage () {
+ cat <&2 "bad usage: unknown arguments/options"
+ usage >&2
+ exit 12
+ ;;
+esac
+
+DAEMON=/usr/sbin/hippotatd
+USER=_hippotat
+GROUP=_hippotat
+test -e /etc/default/hippotatd && . /etc/default/hippotatd
+
+uid=$(id -u "$USER")
+
+if ! test -e /etc/userv/services.d/ipif; then
+ ln -s ../services-available/ipif /etc/userv/services.d/ipif
+ echo 'enabled ipif userv service'
+fi
+
+case "$USER" in
+ root)
+ echo "USER=root, revoking permissions"
+ cs=revoke
+ ;;
+esac
+
+remove_file () {
+ if test -e "$f"; then
+ echo "Removing $f"
+ fi
+ rm -f "$f" "$f~new~"
+}
+start_file () {
+ exec 3>"$f~new~"
+ echo >&3 '# created by hippotat-setup-permissions'
+}
+install_file () {
+ mv -f "$f~new~" "$f"
+ echo "Installed $f"
+}
+
+f=/etc/authbind/byuid/$uid
+case "$cs" in
+ client|revoke)
+ remove_file
+ ;;
+ server)
+ start_file
+ $DAEMON --print-config port,addrs | \
+ while read port addrs; do
+ for addr in $addrs; do
+ echo >&3 "$addr,$port"
+ done
+ done
+ install_file
+ ;;
+esac
+
+permit_ipif () {
+ user_spec=$1
+ printf >&3 "permit %s ifname %s local %s" "$user_spec" "$ifname" "$vaddr"
+ for vnet in $vnets; do
+ printf >&3 " remote %s" "$vnet"
+ done
+ echo >&3
+}
+
+f=/etc/userv/ipif-access/hippotat
+start_file
+case "$cs" in
+ *server*)
+ $DAEMON --print-config ifname_server,vaddr,vnetwork,vroutes | \
+ while read ifname vaddr vnets; do
+ permit_ipif "user $USER"
+ done
+ ;;
+esac
+case "$cs" in
+ *client*)
+ hippotat --print-config ifname_client,client,vnetwork,vroutes | \
+ while read ifname vaddr vnets; do
+ permit_ipif "group $GROUP"
+ done
+ ;;
+esac
+
+if test -s "$f~new~"; then
+ install_file
+else
+ case "$cs" in
+ revoke) ;;
+ *) echo 'No hippotat configuration.' ;;
+ esac
+ remove_file
+ echo "Revoked virtual network interface permissions."
+fi
+
+if grep -q '^permit user ' $f; then
+ echo "Granted user $USER permissions needed for running the server."
+fi
+
+if grep -q '^permit group ' $f; then
+ echo "Granted group $GROUP permissions needed for running the client."
+ echo "Consider putting yourself in that group!"
+fi
diff --git a/hippotat-setup-permissions.8.pod b/hippotat-setup-permissions.8.pod
new file mode 100644
index 0000000..dbb82cc
--- /dev/null
+++ b/hippotat-setup-permissions.8.pod
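Review bot: A failure of `$DAEMON --print-config` inside the `| while read` pipelines is not caught: under `/bin/sh` with only `set -e` a pipeline's status is that of the trailing `while` loop, so a missing or broken config would silently install an empty or truncated `/etc/authbind/byuid/$uid` or `/etc/userv/ipif-access/hippotat` instead of aborting. Capture the output first (`config=$($DAEMON --print-config port,addrs)`, whose failure does abort under `set -e`) and feed it to the loop, as sketched below for the authbind `server` branch; the two `permit_ipif` loops need the same treatment. Separately, on the `revoke` path `remove_file` has already deleted `$f` before the final `grep -q '^permit user ' $f` checks run, so every revoke prints a spurious "No such file or directory" from grep; guard both as `if test -e "$f" && grep -q '^permit user ' "$f"; then`. The usage text and argument parsing near the top of the script look garbled in this copy of the patch, so I could not check how `cs` is initially set.
```shell
  server)
    start_file
    # Capture first: inside a `| while` pipeline a failing $DAEMON would be
    # masked by the loop's exit status and an empty/partial file installed.
    config=$($DAEMON --print-config port,addrs)
    printf '%s\n' "$config" | \
    while read port addrs; do
      for addr in $addrs; do
        echo >&3 "$addr,$port"
      done
    done
    install_file
    ;;
```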
@@ -0,0 +1,77 @@
+=head1 NAME
+
+hippotat-setup-permissions - set up permissions for (non-root) use of hippotat
+
+=head1 SYNOPSYS
+
+ hippotat-setup-permissions client
+ hippotat-setup-permissions server
+ hippotat-setup-permissions revoke
+
+=head1 DESCRIPTION
+
+Sets up (or revokes)
+the permissions to allow hippotat and/or hippotatd to run.
+
+With C
+permissions needed for the server are granted to the C<_hippotat> user
+(or other user set using C in C.)
+
+With C
+permissions needed for the client are granted to the C<_hippotat> I
+(or other group set using C in C.)
+
+Required permissions are determined based on the hippotat configuration in
+C. (The C or C program is run in a
+special mode to query the configuration.)
+
+In every run, revokes permissions granted to the
+configured user and/or group
+by previous invocations of this script,
+but which are not any longer needed according to the configuration
+and command line.
+So C revokes all permissions,
+and C and C each revoke the other.
+(Only permissions granted in the specific files used by this script
+will be amended or revoked.)
+
+=head1 FILES
+
+=over
+
+=item C.
+
+Grants to the appropriate user or group the ability to make
+the virtual network interfaces, and route traffic to them.
+Created on both clients and servers.
+
+=item CI
+
+Grants the server the ability
+to bind to the configured ports and addresses.
+The uid is that for the C<_hippotat> user, or C.
+Created on servers.
+
+=item C
+
+Enables the C userv service,
+which is itself controlled by C etc.
+
+Will be made a symlink to C.
+Created on both clients and servers.
+Not removed during revocation,
+since other programs on the system may need it,
+
+Makes the symlink in .
+(This is not undone by C, since that might disturb other
+services which are relying on it.)
+
+=item C
+
+Shell script fragment sourced by
+the init script and by hippotat-setup-permissions,
+and the hippotatd init script.
+Can set C and C
+(and other variables that control the init script).
+
+=back
--
2.30.2