From 8f5afc99bf3a17e47f0c280190689803a7bfaf6f Mon Sep 17 00:00:00 2001
From: Ben Kibbey
Date: Thu, 18 Sep 2014 20:43:58 -0400
Subject: [PATCH] A few documentation fixes.
---
doc/pwmd.html | 61 +++++++++++++++++++++++++++++++----------------------------
doc/pwmd.texi | 61 +++++++++++++++++++++++++++++++----------------------------
2 files changed, 64 insertions(+), 58 deletions(-)
diff --git a/doc/pwmd.html b/doc/pwmd.html
index b93a607b..33676fc1 100644
--- a/doc/pwmd.html
+++ b/doc/pwmd.html
@@ -177,14 +177,15 @@ otherwise an error is returned. As an example:
The user username
would be allowed access to the test
element
-but not if it is a member of the wheel
group. Although the root
+but not if it is a member of the wheel
group although the root
user, who may be a member of the wheel
group, is allowed. No users
other than the invoking_user is allowed access to the child
element.
The first user listed in the ACL is considered the owner of the
-element. This determines which clients may modify an _acl attribute.
-The invoking_user may always modify an ACL.
+element. This determines which clients may modify an _acl attribute and
+store content for an element. The invoking_user may always modify an
+ACL.
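Review bot: replacing the period with "although" in the first changed line turns two sentences into one run-on ("but not if it is a member of the wheel group although the root user, who may be a member of the wheel group, is allowed"); keep the sentence break, or write "... wheel group, except that the root user, who may be a member of the wheel group, is allowed." The new owner sentence is also ambiguous on the access model: "This determines which clients may modify an _acl attribute and store content for an element" reads as if only the owner may store content, which conflicts with the earlier statement that username "would be allowed access" to the element; state explicitly whether non-owner users in the ACL have read-only access or may also store. While here, the unchanged "No users other than the invoking_user is allowed" should be "are allowed".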
@@ -380,21 +381,22 @@ a pwmd
process.
This parameter is not to be confused with setuid or setguid upon startup. It
is the local username that may use the XPATH
, XPATHATTR
and DUMP
commands (except when disabled with the
-disable_list_and_dump
option). Other users are denied access to these
-commands. This also specifies the user that may access any elements that lack
-an _acl
attribute (see Access Control). The default is the current
-user.
+disable_list_and_dump
option) and who may modify elements that have no
+_acl
attribute or is not listed in an _acl
. It is similar to
+the system administrator root account but for a data file
+(see Access Control). The default is the user the executes pwmd
.
-‘invoking_tls = hash’
-Like invoking_user
, but is a hash of a TLS certificate fingerprint.
+
‘invoking_tls = SHA1’
+Like invoking_user
but is a hash of a TLS certificate fingerprint for a
+remote client. The hash should be prefixed with a # character.
‘allowed = [-]user,[-]@group,...’
A comma separated list of local user names or group names allowed to connect
-to the socket. Groups should be prefixed with a ‘@’. When not specified
-only the invoking user may connect. A username or group name may also be
-prefixed with a - to prevent access to a specific user or group
+to the unix domain socket. Groups should be prefixed with a ‘@’. When
+not specified only the invoking user may connect. A username or group name may
+also be prefixed with a - to prevent access to a specific user or group
in the list. The order of the list is important since a user may be of
multiple groups.
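Review bot: the rewritten invoking_user paragraph drops the explicit denial "Other users are denied access to these commands"; that sentence is the actual security property of the option, so keep it alongside the new root-like description. Two grammar problems in the added lines: "who may modify elements that have no _acl attribute or is not listed in an _acl" should read "or whose _acl does not list them", and "The default is the user the executes pwmd" should be "the user that executes pwmd". The unchanged first line has "setguid" for "setgid", and "unix domain socket" is usually capitalised "Unix". For invoking_tls, the new text says the hash "should be prefixed with a # character" but does not say what the prefix means; either explain it here or point to the tls_access entry where the [#] syntax is introduced.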
@@ -404,7 +406,7 @@ specified in a file section any user that can connect may also open the
filename.
allowed=-@primary,username
@@ -480,19 +482,19 @@ parent process.
‘cipher = algorithm’
-
The default cipher to use for data encryption. The algorithm must be one of:
-aes128
, aes192
, aes256
, serpent128
,
-serpent192
, serpent256
, camellia128
,
-camellia192
, camellia256
, 3des
, cast5
,
-blowfish
, twofish128
or twofish256
. The default is
-aes256
.
+
The default cipher to use for data encryption when saving (see SAVE) a new
+file. The algorithm must be one of: aes128
, aes192
,
+aes256
, serpent128
, serpent192
, serpent256
,
+camellia128
, camellia192
, camellia256
, 3des
,
+cast5
, blowfish
, twofish128
or twofish256
. The
+default is aes256
.
‘cipher_iterations = integer’
The number of times to encrypt the XML data. This differs from the
s2k_count parameter which specifies the number of times to hash the
-passphrase used to encrypt the data. The default is 0 although 1 iteration is
-still done.
+passphrase used to encrypt the data. The default is 0 although at least 1
+iteration is always done.
‘cipher_progress = integer’
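Review bot: the cipher_iterations rewrite still leaves the 0/1 semantics indirect; since the default of 0 is described as still performing one pass, say so plainly: "A value of 0 is treated as 1." For the cipher list, the documentation should warn that 3des, cast5 and blowfish are 64-bit block ciphers and are listed for compatibility with existing data files rather than recommended for new ones; the added "when saving (see SAVE) a new file" wording is a good place to add that.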
@@ -501,10 +503,10 @@ or decryption iterations have been done. The default is 2000.
‘keyparam = s-expression’
-
The default key paramaters to use when generating a new key-pair. The
-default is RSA with 2048 bits. Note that only RSA as the encryption
-algorithm is supported at the moment. Both RSA and DSA keys may be used
-for signing.
+
The default key paramaters to use when generating a new key-pair. The default
+is RSA with 2048 bits. Note that only the RSA and ELG algorithms as the
+encryption algorithm are supported at the moment. Both RSA and DSA keys may be
+used for signing.
‘pinentry_path = /path/to/pinentry’
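Review bot: the keyparam paragraph is rewritten but keeps the typo "paramaters" (should be "parameters") in the new line; fix it while the line is being touched. "ELG" would also be clearer spelled out once, e.g. "Elgamal (ELG)", since the rest of the entry uses full algorithm names.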
@@ -639,7 +641,7 @@ message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is
60
.
-
‘tls_access = [+][!-]string[,[!-]string,...]’
+
‘tls_access = [+][!-][#]string[,[!-][#]string,...]’
A comma separated list of client X509 certificate fingerprints in SHA-1
format that will be allowed to connect or open a file. If prefixed with
!
or -
then access is denied for the fingerprint. When
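Review bot: the syntax line gains an optional [#] prefix but the description below it only explains ! and -; add a sentence stating what a leading # means for a fingerprint entry, since the invoking_tls entry elsewhere in this patch tells users to use it without explanation.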
@@ -655,9 +657,10 @@ fingerprint is matched against the list of allowed fingerprints in the
connection is established and the client may proceed to OPEN
(see OPEN) a data file. During the OPEN
, CLEARCACHE
and CACHETIMEOUT
commands, the
-fingerprint is checked again in a ‘filename’ section. When this
-parameter is not found in a ‘filename’ section then access is
-granted.
+fingerprint is checked again in a ‘filename’ section.
+
+When this parameter is not found in a ‘filename’ section then access is
+granted for the ‘filename’.
‘tcp_require_key = boolean’
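Review bot: the new paragraph "When this parameter is not found in a ‘filename’ section then access is granted for the ‘filename’" describes a default-allow fallback; make explicit that this only applies to clients whose fingerprint already passed the global tls_access check at connection time (as the preceding context lines describe), otherwise the sentence can be read as granting any remote client access to a file without a per-file list.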
diff --git a/doc/pwmd.texi b/doc/pwmd.texi
index 51b7dc02..2e789687 100644
--- a/doc/pwmd.texi
+++ b/doc/pwmd.texi
@@ -145,14 +145,15 @@ otherwise an error is returned. As an example:
@end example
The user @code{username} would be allowed access to the @code{test} element
-but not if it is a member of the @code{wheel} group. Although the @code{root}
+but not if it is a member of the @code{wheel} group although the @code{root}
user, who may be a member of the @code{wheel} group, is allowed. No users
other than the @var{invoking_user} is allowed access to the @code{child}
element.
The first user listed in the @abbr{ACL} is considered the owner of the
-element. This determines which clients may modify an @var{_acl} attribute.
-The @var{invoking_user} may always modify an @abbr{ACL}.
+element. This determines which clients may modify an @var{_acl} attribute and
+store content for an element. The @var{invoking_user} may always modify an
+@abbr{ACL}.
@c Node, Next, Previous, Up
@node Invoking, Configuration, Access Control, Top
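Review bot: same issues as the corresponding pwmd.html hunk. Joining the two sentences with "although" produces a run-on; keep the period or rephrase as "..., except that the @code{root} user, who may be a member of the @code{wheel} group, is allowed." The added "and store content for an element" leaves it unclear whether non-owner users listed in the @abbr{ACL} may store content or only read; state it. The unchanged "No users other than the @var{invoking_user} is allowed" should be "are allowed".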
@@ -318,19 +319,20 @@ Permissions to set after creating the socket. This will override any
This parameter is not to be confused with setuid or setguid upon startup. It
is the local username that may use the @command{XPATH}, @command{XPATHATTR}
and @command{DUMP} commands (except when disabled with the
-@code{disable_list_and_dump} option). Other users are denied access to these
-commands. This also specifies the user that may access any elements that lack
-an @code{_acl} attribute (@pxref{Access Control}). The default is the current
-user.
+@code{disable_list_and_dump} option) and who may modify elements that have no
+@code{_acl} attribute or is not listed in an @code{_acl}. It is similar to
+the system administrator root account but for a data file
+(@pxref{Access Control}). The default is the user the executes @command{pwmd}.
-@item invoking_tls = hash
-Like @code{invoking_user}, but is a hash of a TLS certificate fingerprint.
+@item invoking_tls = SHA1
+Like @code{invoking_user} but is a hash of a TLS certificate fingerprint for a
+remote client. The hash should be prefixed with a @key{#} character.
@item allowed = [-]user,[-]@@group,...
A comma separated list of local user names or group names allowed to connect
-to the socket. Groups should be prefixed with a @samp{@@}. When not specified
-only the invoking user may connect. A username or group name may also be
-prefixed with a @key{-} to prevent access to a specific user or group
+to the unix domain socket. Groups should be prefixed with a @samp{@@}. When
+not specified only the invoking user may connect. A username or group name may
+also be prefixed with a @key{-} to prevent access to a specific user or group
in the list. The order of the list is important since a user may be of
multiple groups.
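Review bot: as in the pwmd.html hunk, keep the removed sentence "Other users are denied access to these commands", which is the security property being documented. In the added lines, "or is not listed in an @code{_acl}" should read "or whose @code{_acl} does not list them", and "the user the executes @command{pwmd}" should be "the user that executes @command{pwmd}". The unchanged "setguid" is "setgid". The @code{invoking_tls} entry should say what the @key{#} prefix means or cross-reference the @code{tls_access} entry.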
@@ -340,7 +342,7 @@ specified in a file section any user that can connect may also open the
filename.
The following example would deny all users in group @code{primary} but
-allow @code{username} who is a member of @code{primary}:
+allow @code{username} who may be a member of @code{primary}:
@example
allowed=-@@primary,username
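Review bot: changing "who is a member of @code{primary}" to "who may be a member" weakens the example; the point of @code{allowed=-@@primary,username} is that @code{username} is still allowed even though the group is denied, because order matters. "who is allowed even if a member of @code{primary}" keeps that point.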
@@ -402,28 +404,28 @@ The priority, or niceness, of the server. The default is inherited from the
parent process.
@item cipher = algorithm
-The default cipher to use for data encryption. The algorithm must be one of:
-@code{aes128}, @code{aes192}, @code{aes256}, @code{serpent128},
-@code{serpent192}, @code{serpent256}, @code{camellia128},
-@code{camellia192}, @code{camellia256}, @code{3des}, @code{cast5},
-@code{blowfish}, @code{twofish128} or @code{twofish256}. The default is
-@code{aes256}.
+The default cipher to use for data encryption when saving (@pxref{SAVE}) a new
+file. The algorithm must be one of: @code{aes128}, @code{aes192},
+@code{aes256}, @code{serpent128}, @code{serpent192}, @code{serpent256},
+@code{camellia128}, @code{camellia192}, @code{camellia256}, @code{3des},
+@code{cast5}, @code{blowfish}, @code{twofish128} or @code{twofish256}. The
+default is @code{aes256}.
@item cipher_iterations = integer
The number of times to encrypt the XML data. This differs from the
@var{s2k_count} parameter which specifies the number of times to hash the
-passphrase used to encrypt the data. The default is 0 although 1 iteration is
-still done.
+passphrase used to encrypt the data. The default is 0 although at least 1
+iteration is always done.
@item cipher_progress = integer
Send a progress message to the client after the specified amount of encryption
or decryption iterations have been done. The default is 2000.
@item keyparam = s-expression
-The default key paramaters to use when generating a new key-pair. The
-default is RSA with 2048 bits. Note that only RSA as the encryption
-algorithm is supported at the moment. Both RSA and DSA keys may be used
-for signing.
+The default key paramaters to use when generating a new key-pair. The default
+is RSA with 2048 bits. Note that only the RSA and ELG algorithms as the
+encryption algorithm are supported at the moment. Both RSA and DSA keys may be
+used for signing.
@item pinentry_path = /path/to/pinentry
The location of the @command{pinentry} binary. This program is used to
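Review bot: the @code{keyparam} line is rewritten but still carries the typo "paramaters" (should be "parameters"); fix it in the new line. For @code{cipher_iterations}, state the 0 case directly ("A value of 0 is treated as 1") rather than "at least 1 iteration is always done". In the @code{cipher} list, note that @code{3des}, @code{cast5} and @code{blowfish} are 64-bit block ciphers kept for reading existing files rather than recommended when saving a new one.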
@@ -537,7 +539,7 @@ client is one who is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is @code{60}.
-@item tls_access = [+][!-]string[,[!-]string,...]
+@item tls_access = [+][!-][#]string[,[!-][#]string,...]
A comma separated list of client X509 certificate fingerprints in SHA-1
format that will be allowed to connect or open a file. If prefixed with
@code{!} or @code{-} then access is denied for the fingerprint. When
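Review bot: the new syntax line introduces an optional [#] prefix, but the description still explains only @code{!} and @code{-}; add a sentence saying what a leading @key{#} means, since the @code{invoking_tls} entry in this patch instructs users to use it.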
@@ -553,9 +555,10 @@ fingerprint is matched against the list of allowed fingerprints in the
connection is established and the client may proceed to @code{OPEN}
(@pxref{OPEN}) a data file. During the @code{OPEN}, @code{CLEARCACHE}
and @code{CACHETIMEOUT} commands, the
-fingerprint is checked again in a @samp(unknown) section. When this
-parameter is not found in a @samp(unknown) section then access is
-granted.
+fingerprint is checked again in a @samp(unknown) section.
+
+When this parameter is not found in a @samp(unknown) section then access is
+granted for the @samp(unknown).
@item tcp_require_key = boolean
When @code{true}, require the remote client to provide the key or passphrase
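Review bot: "access is granted for the" per-file fallback is a default-allow rule; make explicit that it applies only to clients whose fingerprint already matched the global @code{tls_access} list when the connection was established, so the sentence cannot be read as unconditional access to a file that has no per-file list.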
--
2.11.4.GIT