From 8f5afc99bf3a17e47f0c280190689803a7bfaf6f Mon Sep 17 00:00:00 2001 From: Ben Kibbey Date: Thu, 18 Sep 2014 20:43:58 -0400 Subject: [PATCH] A few documentation fixes. --- doc/pwmd.html | 61 +++++++++++++++++++++++++++++++---------------------------- doc/pwmd.texi | 61 +++++++++++++++++++++++++++++++---------------------------- 2 files changed, 64 insertions(+), 58 deletions(-) diff --git a/doc/pwmd.html b/doc/pwmd.html index b93a607b..33676fc1 100644 --- a/doc/pwmd.html +++ b/doc/pwmd.html @@ -177,14 +177,15 @@ otherwise an error is returned. As an example:

The user username would be allowed access to the test element -but not if it is a member of the wheel group. Although the root +but not if it is a member of the wheel group although the root user, who may be a member of the wheel group, is allowed. No users other than the invoking_user is allowed access to the child element.

The first user listed in the ACL is considered the owner of the -element. This determines which clients may modify an _acl attribute. -The invoking_user may always modify an ACL. +element. This determines which clients may modify an _acl attribute and +store content for an element. The invoking_user may always modify an +ACL.


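Review bot: the rewording in the `+but not if it is a member of the wheel group although the root` line turns two sentences into one run-on, and the unchanged context `No users other than the invoking_user is allowed` has a number-agreement error that this paragraph edit is the natural place to fix. Suggest: `...but not if it is a member of the wheel group. The root user, who may be a member of the wheel group, is still allowed. No user other than the invoking_user is allowed access to the child element.` The added clause that the element owner also decides who may `store content for an element` changes the documented authorization model, so it deserves a mention in the commit message rather than being filed under "A few documentation fixes".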
@@ -380,21 +381,22 @@ a pwmd process.

This parameter is not to be confused with setuid or setguid upon startup. It is the local username that may use the XPATH, XPATHATTR and DUMP commands (except when disabled with the -disable_list_and_dump option). Other users are denied access to these -commands. This also specifies the user that may access any elements that lack -an _acl attribute (see Access Control). The default is the current -user. +disable_list_and_dump option) and who may modify elements that have no +_acl attribute or is not listed in an _acl. It is similar to +the system administrator root account but for a data file +(see Access Control). The default is the user the executes pwmd.

-
invoking_tls = hash
-

Like invoking_user, but is a hash of a TLS certificate fingerprint. +

invoking_tls = SHA1
+

Like invoking_user but is a hash of a TLS certificate fingerprint for a +remote client. The hash should be prefixed with a # character.

allowed = [-]user,[-]@group,...

A comma separated list of local user names or group names allowed to connect -to the socket. Groups should be prefixed with a ‘@’. When not specified -only the invoking user may connect. A username or group name may also be -prefixed with a - to prevent access to a specific user or group +to the unix domain socket. Groups should be prefixed with a ‘@’. When +not specified only the invoking user may connect. A username or group name may +also be prefixed with a - to prevent access to a specific user or group in the list. The order of the list is important since a user may be of multiple groups.

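Review bot: in the invoking_user hunk the new clause `who may modify elements that have no _acl attribute or is not listed in an _acl` is ambiguous about what `is not listed` refers to (the element or the invoking user); if the intent is that the invoking user can modify an element even when the user is absent from its ACL, say so directly, e.g. `...elements that have no _acl attribute, or whose _acl does not list the invoking_user.` The sentence `The default is the user the executes pwmd` has a typo (`that executes`). Dropping `Other users are denied access to these commands` loses an explicit denial statement; it is implied by `It is the local username that may use...`, but keeping one short sentence on the deny case costs nothing. For the renamed item, the description now says the hash should be prefixed with `#`, so the syntax line should show it, e.g. `invoking_tls = #SHA1`, consistent with the `[#]string` form this patch adds to tls_access. Minor: `unix domain socket` is usually written `Unix domain socket`.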
@@ -404,7 +406,7 @@ specified in a file section any user that can connect may also open the filename.

The following example would deny all users in group primary but -allow username who is a member of primary: +allow username who may be a member of primary:

allowed=-@primary,username
@@ -480,19 +482,19 @@ parent process.
 

cipher = algorithm
-

The default cipher to use for data encryption. The algorithm must be one of: -aes128, aes192, aes256, serpent128, -serpent192, serpent256, camellia128, -camellia192, camellia256, 3des, cast5, -blowfish, twofish128 or twofish256. The default is -aes256. +

The default cipher to use for data encryption when saving (see SAVE) a new +file. The algorithm must be one of: aes128, aes192, +aes256, serpent128, serpent192, serpent256, +camellia128, camellia192, camellia256, 3des, +cast5, blowfish, twofish128 or twofish256. The +default is aes256.

cipher_iterations = integer

The number of times to encrypt the XML data. This differs from the s2k_count parameter which specifies the number of times to hash the -passphrase used to encrypt the data. The default is 0 although 1 iteration is -still done. +passphrase used to encrypt the data. The default is 0 although at least 1 +iteration is always done.

cipher_progress = integer
@@ -501,10 +503,10 @@ or decryption iterations have been done. The default is 2000.

keyparam = s-expression
-

The default key paramaters to use when generating a new key-pair. The -default is RSA with 2048 bits. Note that only RSA as the encryption -algorithm is supported at the moment. Both RSA and DSA keys may be used -for signing. +

The default key paramaters to use when generating a new key-pair. The default +is RSA with 2048 bits. Note that only the RSA and ELG algorithms as the +encryption algorithm are supported at the moment. Both RSA and DSA keys may be +used for signing.

pinentry_path = /path/to/pinentry
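Review bot: `paramaters` in the keyparam description is misspelled (`parameters`) in both the removed and the added lines; since the line is being rewritten anyway, fix it here. `only the RSA and ELG algorithms as the encryption algorithm are supported` reads awkwardly; suggest `only RSA and ELG are supported as the encryption algorithm`. For cipher_iterations, `The default is 0 although at least 1 iteration is always done` still leaves the reader unsure whether a value of N means N or N+1 encryption passes; stating the relation explicitly (e.g. that the configured value is the number of additional passes, if that is the case) would remove the ambiguity, which matters because the value is a cost parameter the operator tunes.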
@@ -639,7 +641,7 @@ message is to disconnect a hung remote client and release any file mutex locks so another client may open the same data file. The default is 60.

-
tls_access = [+][!-]string[,[!-]string,...]
+
tls_access = [+][!-][#]string[,[!-][#]string,...]

A comma separated list of client X509 certificate fingerprints in SHA-1 format that will be allowed to connect or open a file. If prefixed with ! or - then access is denied for the fingerprint. When @@ -655,9 +657,10 @@ fingerprint is matched against the list of allowed fingerprints in the connection is established and the client may proceed to OPEN (see OPEN) a data file. During the OPEN, CLEARCACHE and CACHETIMEOUT commands, the -fingerprint is checked again in a ‘filename’ section. When this -parameter is not found in a ‘filename’ section then access is -granted. +fingerprint is checked again in a ‘filename’ section. +

+

When this parameter is not found in a ‘filename’ section then access is +granted for the ‘filename’.

tcp_require_key = boolean
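Review bot: the tls_access syntax line gains an optional `#` prefix (`[+][!-][#]string[,[!-][#]string,...]`), but the description that follows it is not updated to say what `#` means or whether it is required; the invoking_tls hunk earlier in this patch states that the hash should be prefixed with `#`, and the same sentence belongs here so the two parameters are documented consistently. In the last hunk, the sentence split out into its own paragraph, `When this parameter is not found in a ‘filename’ section then access is granted for the ‘filename’`, documents a default-allow for the per-file check; it would help to add that this applies only to clients whose fingerprint already passed the global tls_access match at connect time, which the preceding context lines describe, so a reader does not take it as unauthenticated access.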
diff --git a/doc/pwmd.texi b/doc/pwmd.texi index 51b7dc02..2e789687 100644 --- a/doc/pwmd.texi +++ b/doc/pwmd.texi @@ -145,14 +145,15 @@ otherwise an error is returned. As an example: @end example The user @code{username} would be allowed access to the @code{test} element -but not if it is a member of the @code{wheel} group. Although the @code{root} +but not if it is a member of the @code{wheel} group although the @code{root} user, who may be a member of the @code{wheel} group, is allowed. No users other than the @var{invoking_user} is allowed access to the @code{child} element. The first user listed in the @abbr{ACL} is considered the owner of the -element. This determines which clients may modify an @var{_acl} attribute. -The @var{invoking_user} may always modify an @abbr{ACL}. +element. This determines which clients may modify an @var{_acl} attribute and +store content for an element. The @var{invoking_user} may always modify an +@abbr{ACL}. @c Node, Next, Previous, Up @node Invoking, Configuration, Access Control, Top 
@@ -318,19 +319,20 @@ Permissions to set after creating the socket. This will override any This parameter is not to be confused with setuid or setguid upon startup. It is the local username that may use the @command{XPATH}, @command{XPATHATTR} and @command{DUMP} commands (except when disabled with the -@code{disable_list_and_dump} option). Other users are denied access to these -commands. This also specifies the user that may access any elements that lack -an @code{_acl} attribute (@pxref{Access Control}). The default is the current -user. +@code{disable_list_and_dump} option) and who may modify elements that have no +@code{_acl} attribute or is not listed in an @code{_acl}. It is similar to +the system administrator root account but for a data file +(@pxref{Access Control}). The default is the user the executes @command{pwmd}. -@item invoking_tls = hash -Like @code{invoking_user}, but is a hash of a TLS certificate fingerprint. +@item invoking_tls = SHA1 +Like @code{invoking_user} but is a hash of a TLS certificate fingerprint for a +remote client. The hash should be prefixed with a @key{#} character. @item allowed = [-]user,[-]@@group,... A comma separated list of local user names or group names allowed to connect -to the socket. Groups should be prefixed with a @samp{@@}. When not specified -only the invoking user may connect. A username or group name may also be -prefixed with a @key{-} to prevent access to a specific user or group +to the unix domain socket. Groups should be prefixed with a @samp{@@}. When +not specified only the invoking user may connect. A username or group name may +also be prefixed with a @key{-} to prevent access to a specific user or group in the list. The order of the list is important since a user may be of multiple groups. 
@@ -340,7 +342,7 @@ specified in a file section any user that can connect may also open the filename. The following example would deny all users in group @code{primary} but -allow @code{username} who is a member of @code{primary}: +allow @code{username} who may be a member of @code{primary}: @example allowed=-@@primary,username 
@@ -402,28 +404,28 @@ The priority, or niceness, of the server. The default is inherited from the parent process. @item cipher = algorithm -The default cipher to use for data encryption. The algorithm must be one of: -@code{aes128}, @code{aes192}, @code{aes256}, @code{serpent128}, -@code{serpent192}, @code{serpent256}, @code{camellia128}, -@code{camellia192}, @code{camellia256}, @code{3des}, @code{cast5}, -@code{blowfish}, @code{twofish128} or @code{twofish256}. The default is -@code{aes256}. +The default cipher to use for data encryption when saving (@pxref{SAVE}) a new +file. The algorithm must be one of: @code{aes128}, @code{aes192}, +@code{aes256}, @code{serpent128}, @code{serpent192}, @code{serpent256}, +@code{camellia128}, @code{camellia192}, @code{camellia256}, @code{3des}, +@code{cast5}, @code{blowfish}, @code{twofish128} or @code{twofish256}. The +default is @code{aes256}. @item cipher_iterations = integer The number of times to encrypt the XML data. This differs from the @var{s2k_count} parameter which specifies the number of times to hash the -passphrase used to encrypt the data. The default is 0 although 1 iteration is -still done. +passphrase used to encrypt the data. The default is 0 although at least 1 +iteration is always done. @item cipher_progress = integer Send a progress message to the client after the specified amount of encryption or decryption iterations have been done. The default is 2000. @item keyparam = s-expression -The default key paramaters to use when generating a new key-pair. The -default is RSA with 2048 bits. Note that only RSA as the encryption -algorithm is supported at the moment. Both RSA and DSA keys may be used -for signing. +The default key paramaters to use when generating a new key-pair. The default +is RSA with 2048 bits. Note that only the RSA and ELG algorithms as the +encryption algorithm are supported at the moment. Both RSA and DSA keys may be +used for signing. 
@item pinentry_path = /path/to/pinentry The location of the @command{pinentry} binary. This program is used to @@ -537,7 +539,7 @@ client is one who is not in a command. The purpose of this status message is to disconnect a hung remote client and release any file mutex locks so another client may open the same data file. The default is @code{60}. -@item tls_access = [+][!-]string[,[!-]string,...] +@item tls_access = [+][!-][#]string[,[!-][#]string,...] A comma separated list of client X509 certificate fingerprints in SHA-1 format that will be allowed to connect or open a file. If prefixed with @code{!} or @code{-} then access is denied for the fingerprint. When @@ -553,9 +555,10 @@ fingerprint is matched against the list of allowed fingerprints in the connection is established and the client may proceed to @code{OPEN} (@pxref{OPEN}) a data file. During the @code{OPEN}, @code{CLEARCACHE} and @code{CACHETIMEOUT} commands, the -fingerprint is checked again in a @samp(unknown) section. When this -parameter is not found in a @samp(unknown) section then access is -granted. +fingerprint is checked again in a @samp(unknown) section. + +When this parameter is not found in a @samp(unknown) section then access is +granted for the @samp(unknown). @item tcp_require_key = boolean When @code{true}, require the remote client to provide the key or passphrase -- 2.11.4.GIT
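Review bot: the doc/pwmd.texi hunks mirror the doc/pwmd.html hunks above, so the same points apply here: the run-on sentence in the access-control paragraph, the ambiguous `or is not listed in an @code{_acl}`, the typo `the user the executes @command{pwmd}`, the misspelling `paramaters`, and the `[#]` prefix added to `tls_access` without a matching sentence in its description. The `@item invoking_tls = SHA1` line could read `invoking_tls = #SHA1` to match the `@key{#}` prefix its own description requires. The last texi hunk shows `@samp(unknown)` where the html hunk has ‘filename’; confirm that the texi source carries the intended `@samp{...}` markup there and that this is only an artifact of how the patch was rendered, since a literal `@samp(unknown)` would break the texinfo build.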