1 \input texinfo @c -*-texinfo-*-
16 @dircategory Miscellaneous
18 * pwmd: (pwmd). Password Manager Daemon
23 @subtitle Commands and syntax
27 @c Node, Next, Previous, Up
31 This manual documents @command{pwmd} version 3.0 protocol commands and
36 * Introduction:: Overview of pwmd.
37 * Access Control:: ACL of a single XML element.
38 * Invoking:: Command line options.
39 * Configuration:: Configuration file options.
40 * Commands:: Protocol commands.
41 * Status Messages:: Status lines and their meaning.
42 * Target Attribute:: A kind of symbolic link.
43 * Signals:: Signals known to pwmd.
44 * Concept Index:: Index of concepts.
47 @c Node, Next, Previous, Up
48 @node Introduction, Access Control, , Top
49 @chapter Overview of @command{pwmd}
54 \- a universal data server
60 [options] [file1] [...]
64 @command{pwmd} or @dfn{Password Manager Daemon} is a server that
65 applications connect to and send commands to store and retrieve data
66 that is saved in an encrypted @abbr{XML} document.
68 The server uses the Assuan protocol (@inforef{Implementation,,assuan}) which
69 is the same used by @command{gpg-agent}, @command{pinentry} and
70 @command{scdaemon}. It also uses @cite{libgpg-error} for error reporting with
71 the error source set as @var{GPG_ERR_SOURCE_USER_1}.
74 It is recommended to read the texinfo documentation of @command{pwmd}
75 since it contains protocol commands and syntax and other details not
80 The @abbr{XML} document uses the following @abbr{DTD}:
85 <!ELEMENT pwmd (element*)>
86 <!ATTLIST element _name CDATA #REQUIRED>
90 The @code{pwmd} element is the document root node while all other elements
91 of the document have the name @code{element} with an attribute @code{_name}
92 whose value uniquely identifies the element at the current element tree depth.
93 It is done this way to avoid @abbr{XML} parsing errors for commonly used
94 characters. A @abbr{URL} for example would be an invalid @abbr{XML} element
95 since the @abbr{URI} contains a @samp{:} which is also the @abbr{XML}
98 As mentioned, an element name must be unique for the current element tree
99 depth. You cannot have two elements containing the same @code{_name} attribute
100 value. @command{pwmd} will stop searching for an element of an @emph{element
101 path} at the first match then continue searching for the next element of the
102 element path beginning at the child node of the matched element.
104 An @emph{element path} is a @key{TAB} delimited character string where each
105 @key{TAB} separates each element in the path. For example, the element path
106 @code{a@key{TAB}b@key{TAB}c} has the following @abbr{XML} document structure:
113 [... element value or content ...]
120 The only restriction of an element name is that it contain no whitespace
121 characters. It also cannot begin with a @samp{!} since this character is
122 reserved for the @code{target} attribute. @xref{Target Attribute}.
124 @c Node, Next, Previous, Up
125 @node Access Control, Invoking, Introduction, Top
126 @chapter Access Control
128 Like a filesystem has an @abbr{ACL} to grant or limit access to directories or
129 files for a specific user or group, @command{pwmd} can limit a local user,
130 group or a TLS connection to a specific element path. This is done by storing
131 an ACL in the element attribute @var{_acl}. Its syntax is similar to the
132 @var{allowed} configuration parameter (@pxref{Configuration}) with the
133 exception that a TLS fingerprint hash is prefixed with a @key{#}.
135 Access is denied for all users that are not in the @abbr{ACL} of an element
136 with the exception of the invoking user (see the @var{invoking_user} and
137 @var{invoking_tls} configuration parameters (@pxref{Configuration})). The
138 connected client must be in the @abbr{ACL} for each element in an element path
139 otherwise an error is returned. As an example:
142 <element _name="test" _acl="username,-@@wheel,root">
143 <element _name="child"/>
147 The user @code{username} would be allowed access to the @code{test} element
148 but not if it is a member of the @code{wheel} group, although the @code{root}
149 user, who may be a member of the @code{wheel} group, is allowed. No users
150 other than the @var{invoking_user} are allowed access to the @code{child}
153 The first user listed in the @abbr{ACL} is considered the owner of the
154 element. This determines which clients may modify an @var{_acl} attribute and
155 store content for an element. The @var{invoking_user} may always modify an
158 @c Node, Next, Previous, Up
159 @node Invoking, Configuration, Access Control, Top
160 @chapter Invoking @command{pwmd}
164 When @command{pwmd} is started with the @option{--use-agent} command
165 line option then @command{pwmd} will use @command{gpg-agent} for key
166 generation, decryption, signing and caching of passphrases as the
167 default rather than symmetrically encrypted data files.
168 @command{gpg-agent} must be running prior to @command{pwmd} startup when
169 this option is enabled. The @env{GPG_AGENT_INFO} environment variable is
170 set by @command{gpg-agent} and @command{pwmd} uses this variable to
171 determine where the @command{gpg-agent} socket is listening for
174 It is recommended to pass the @option{--allow-preset-passphrase}
175 command line option to @command{gpg-agent}. Doing so allows @command{pwmd}
176 to perform cache pushing on startup. It is also recommended to pass the
177 @option{--allow-loopback-pinentry} option to @command{gpg-agent}. This option allows
178 a passphrase to be inquired from @command{pwmd} when a @command{pinentry} is
179 unavailable to the client.
181 @cindex Running @command{pwmd}
182 @command{pwmd} is executed as follows:
185 pwmd @var{options} [ file1 ] [ @dots{} ]
188 Non-option arguments are data files to cache on startup. When the data file
189 requires a passphrase for decryption a @command{pinentry} will prompt either
190 on the current @abbr{TTY} or from an X11 window when the @env{DISPLAY}
191 environment variable is set.
195 The following command line options are supported:
199 @item --homedir directory
200 The root directory where pwmd will store its data and temporary files. The
201 default is @file{~/.pwmd}.
203 @item --rcfile, -f rcfile
204 Specify an alternate configuration file. The default is
205 @file{~/.pwmd/config}.
208 Enable the use of @command{gpg-agent} and add support for data files
209 encrypted with a keypair. Files previously handled by
210 @command{gpg-agent} when this option is not specified will no longer be
211 able to be opened and new data files are symmetrically or conventionally
212 encrypted and without a public and private key. If
213 specified, both data file types are supported.
215 @item --import, -I filename
216 Imports an @abbr{XML} file. The @abbr{XML} file should be in conformance to
217 the @command{pwmd} @abbr{DTD} (@pxref{Introduction}). You
218 will be prompted for a passphrase to encrypt with. The output is written to
219 the filename specified with @option{--outfile}. To make use of the imported
220 data, place the output file in @file{~/.pwmd/data}.
222 @item --keyparam S-expression
223 The key parameters to use when generating a new key pair while importing an
224 @abbr{XML} file or when converting a @emph{version 2} data file. The argument
225 must be a valid S-expression (@inforef{S-expressions,, gcrypt}).
227 @item --keygrip hexstring
228 Specifies the hexadecimal encoded public key-grip to use for encryption when
229 importing or converting. When not specified a new key-pair will be created.
231 @item --sign-keygrip hexstring
232 Specifies the hexadecimal encoded public key-grip to use for signing of the
233 data file when importing or converting. When not specified the generated
234 public key or the key specified with the @option{--keygrip} option will be
237 @item --passphrase-file, -k filename
238 Obtain the passphrase from the specified filename.
240 @item --s2k-count iterations
241 The number of times to hash the passphrase when importing or converting. The
242 default is the gpg-agent calibrated value of the machine. When less than
243 @samp{65536} the default will be used.
245 @item --cipher-iterations iterations
246 The number of symmetric encryption iterations. The value is actually N+1. The
250 When importing, the cipher to use for data encryption. See the @var{cipher}
251 configuration parameter (@pxref{Configuration}) for available ciphers. The
252 default is @samp{aes256}.
254 @item --convert, -C filename
255 Converts a @command{pwmd} @emph{version 2} data file to a @emph{version 3}
256 data file. If encrypted, you will be prompted for a passphrase to use for
257 decryption unless @option{--passphrase-file} was specified. The converted data
258 file will be saved to the filename specified with @option{--outfile}. All
259 @option{--import} related options may also be used when converting.
261 @item --disable-dump, -D
262 Disable the @code{XPATH}, @code{XPATHATTR}, @code{LIST} and @code{DUMP}
263 protocol commands (@pxref{Commands}). This overrides any
264 @var{disable_list_and_dump} configuration parameter (@pxref{Configuration}).
267 Run as a foreground process and do not fork into the background.
269 @item --ignore, --force
270 Ignore cache pushing failures on startup. By default, @command{pwmd} will exit
271 if an error occurred due to an invalid passphrase or other error.
273 @item --debug-level keyword,keyword,...
274 Output libassuan @inforef{Top,,assuan} protocol IO with the comma
275 separated list of output keywords. Valid keywords are: @code{init},
276 @code{ctx}, @code{engine}, @code{data}, @code{sysio} and @code{control}.
279 Show the version, copyright and compile time features and exit.
282 Print a summary of options.
286 @c Node, Next, Previous, Up
287 @node Configuration, TLS, Invoking, Top
288 @chapter @command{pwmd} configuration file options
290 @mansect configuration file
291 If no configuration file is specified with the @command{pwmd} @option{-f}
292 command line option, @command{pwmd} will read @file{~/.pwmd/config} if it
293 exists, and if not, will use defaults. Blank lines and lines beginning with
294 @samp{#} are ignored. Some parameters may have data file specific settings by
295 placing them in a file section. A file section is declared by surrounding the
296 filename with braces (i.e., @samp{[filename]}). Global options may be
297 specified in a @samp{[global]} section and are the default options for new or
300 A tilde @key{~} will be expanded to the home directory of the invoking user
301 when contained in a parameter whose value is a filename.
303 @cindex Reloading the configuration file
304 The configuration file can be reloaded by sending the @emph{SIGHUP} signal to
305 a @command{pwmd} process.
307 @cindex Global configuration options
308 The following options are only for use in the @samp{global} section:
311 @item socket_path = /path/to/socket
312 Listen on the specified socket. The default is @file{~/.pwmd/socket}.
314 @item socket_perms = octal_mode
315 Permissions to set after creating the socket. This will override any
316 @cite{umask(2)} setting.
318 @item invoking_user = username
319 This parameter is not to be confused with setuid or setgid upon startup. It
320 is the local username that may use the @command{XPATH}, @command{XPATHATTR}
321 and @command{DUMP} commands (except when disabled with the
322 @code{disable_list_and_dump} option) and who may modify elements that have no
323 @code{_acl} attribute or in which it is not listed. It is similar to
324 the system administrator root account but for a data file
325 (@pxref{Access Control}). The default is the user that executes @command{pwmd}.
327 @item invoking_tls = SHA1
328 Like @code{invoking_user} but is a hash of a TLS certificate fingerprint for a
329 remote client. The hash should be prefixed with a @key{#} character.
331 @item allowed = [-]user,[-]@@group,...
332 A comma separated list of local user names or group names allowed to connect
333 to the unix domain socket. Groups should be prefixed with a @samp{@@}. When
334 not specified only the invoking user may connect. A username or group name may
335 also be prefixed with a @key{-} to prevent access to a specific user or group
336 in the list. The order of the list is important since a user may be of
339 This parameter may also be specified in a filename section to allow or
340 deny a local user to @code{OPEN} (@pxref{OPEN}) a data file. When not
341 specified in a file section any user that can connect may also open the
344 The following example would deny all users in group @code{primary} but
345 allow @code{username} who may be a member of @code{primary}:
348 allowed=-@@primary,username
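The @code{_acl} element attribute described in the Access Control chapter and the @code{allowed} parameter above share one list syntax, and the manual's two examples (@samp{username,-@@wheel,root} and @samp{-@@primary,username}) both only work if a later entry overrides an earlier one. The following Python is an added example for this manual, not pwmd's own code; the @code{Client} record, the evaluation functions and the "last matching entry wins" order are assumptions drawn from those two examples, and the rule that an element without an @code{_acl} admits only the invoking user follows the @code{child} element in the Access Control example.

```python
"""Evaluate pwmd-style access lists: the ``_acl`` element attribute and the
``allowed`` configuration parameter share one syntax, a comma separated list
of ``[-]user`` and ``[-]@group`` entries; in an ``_acl`` a TLS fingerprint is
written with a ``#`` prefix.  Hypothetical helper code written for this
manual, not part of pwmd itself.  The evaluation order (a later matching
entry overrides an earlier one) is inferred from the manual's examples."""

from dataclasses import dataclass


@dataclass
class Client:
    """A connected client as pwmd would see it (constructed for the example)."""
    user: str = ""                   # local username, empty for TLS clients
    groups: frozenset = frozenset()  # group memberships of the local user
    fingerprint: str = ""            # SHA-1 of the client certificate, if TLS


def parse_acl(acl: str):
    """Split an ACL string into (deny, kind, name) triples.

    kind is 'user', 'group' (``@`` prefix) or 'tls' (``#`` prefix)."""
    entries = []
    for raw in acl.split(","):
        item = raw.strip()
        if not item:
            continue
        deny = item.startswith("-")
        if deny:
            item = item[1:]
        if item.startswith("@"):
            entries.append((deny, "group", item[1:]))
        elif item.startswith("#"):
            entries.append((deny, "tls", item[1:].lower()))
        else:
            entries.append((deny, "user", item))
    return entries


def matches(entry, client: Client) -> bool:
    """Does one ACL entry apply to this client?"""
    _deny, kind, name = entry
    if kind == "user":
        return bool(client.user) and client.user == name
    if kind == "group":
        return name in client.groups
    return bool(client.fingerprint) and client.fingerprint.lower() == name


def acl_allows(acl: str, client: Client, invoking_user: str = "") -> bool:
    """True if the client may access an element carrying this ``_acl``.

    The invoking user is always allowed.  Otherwise the list is walked in
    order and the last matching entry decides, so ``username,-@wheel,root``
    denies ``username`` when in ``wheel`` but still allows ``root``.  No
    matching entry at all (including an empty ACL) means access denied."""
    if invoking_user and client.user == invoking_user:
        return True
    verdict = False
    for entry in parse_acl(acl):
        if matches(entry, client):
            verdict = not entry[0]
    return verdict


def acl_owner(acl: str):
    """The first user listed in the ACL is the element's owner."""
    entries = parse_acl(acl)
    return entries[0][2] if entries else None


def path_allows(acls, client: Client, invoking_user: str = "") -> bool:
    """The client must be admitted by every element of an element path.
    ``None`` stands for an element without an ``_acl`` attribute, which
    (as in the manual's ``child`` example) only the invoking user may access."""
    return all(acl_allows(acl or "", client, invoking_user) for acl in acls)


if __name__ == "__main__":
    acl = "username,-@wheel,root"
    print(acl_allows(acl, Client("username")))                      # True
    print(acl_allows(acl, Client("username", frozenset({"wheel"}))))  # False
    print(acl_allows(acl, Client("root", frozenset({"wheel"}))))      # True
    print(path_allows([acl, None], Client("username")))               # False
```

Because a group denial can be re-opened for a specific user only by an entry placed after it, the order in which an administrator writes the list is part of the policy; reordering @samp{-@@primary,username} to @samp{username,-@@primary} would lock out @code{username} whenever it belongs to @code{primary}.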
351 @item disable_mlockall = boolean
352 When set to @code{false}, @cite{mlockall(2)} will be called on startup. This
353 will use more physical memory but may also be more secure since no swapping to
354 disk will occur. The default is @var{true}.
356 @item log_path = /path/to/logfile
357 Logs informational messages to the specified file. The default is
360 @item enable_logging = boolean
361 Enable or disable logging to @var{log_path}. The default is @code{false}.
363 @item log_keepopen = boolean
364 When set to @code{false}, the log file specified with @var{log_path} will be
365 closed after writing each line. The default is @code{true}.
367 @item syslog = boolean
368 Enable logging to @cite{syslog(8)} with facility @emph{LOG_DAEMON} and priority
369 @emph{LOG_INFO}. The default is @code{false}.
371 @item log_level = level
372 When @code{0}, only connections and errors are logged. When @code{1}, client
373 commands are also logged. When @code{2}, the command arguments are also logged.
374 The default is @code{0}.
376 @item use_agent = boolean
377 When true, enable @command{gpg-agent} support (@pxref{Invoking}).
379 @item agent_env_file = filename
380 A file containing the @env{GPG_AGENT_INFO} environment variable and value as
381 output by the @command{gpg-agent} @option{--write-env-file} command line
384 @item kill_scd = boolean
385 Kill @command{scdaemon} after each @code{OPEN} (@pxref{OPEN}) or @code{SAVE}
386 (@pxref{SAVE}) command.
388 @item require_save_key = boolean
389 Require the passphrase needed to open a data file before writing changes
390 of the document to disk regardless of the key cache status.
392 @item disable_list_and_dump = boolean
393 When @code{true}, the @code{XPATH}, @code{XPATHATTR}, @code{LIST} and
394 @code{DUMP} protocol commands (@pxref{Commands}) will be disabled.
396 @item cache_push = file1,file2
397 A comma separated list of filenames that will be pushed into the file cache
398 upon startup. @command{pwmd} will prompt for the passphrase for each file unless
399 specified with the @var{passphrase} or @var{passphrase_file} parameters in a
400 matching file section.
402 @item priority = integer
403 The priority, or niceness, of the server. The default is inherited from the
406 @item cipher = algorithm
407 The default cipher to use for data encryption when saving (@pxref{SAVE}) a new
408 file. The algorithm must be one of: @code{aes128}, @code{aes192},
409 @code{aes256}, @code{serpent128}, @code{serpent192}, @code{serpent256},
410 @code{camellia128}, @code{camellia192}, @code{camellia256}, @code{3des},
411 @code{cast5}, @code{blowfish}, @code{twofish128} or @code{twofish256}. The
412 default is @code{aes256}.
414 @item cipher_iterations = integer
415 The number of times to encrypt the XML data. This differs from the
416 @var{s2k_count} parameter which specifies the number of times to hash the
417 passphrase used to encrypt the data. The default is 0 although at least 1
418 iteration is always done.
420 @item cipher_progress = integer
421 Send a progress message to the client after the specified amount of encryption
422 or decryption iterations have been done. The default is 2000.
424 @item keyparam = s-expression
425 The default key parameters to use when generating a new key-pair. The default
426 is RSA with 2048 bits. Note that only the RSA and ELG algorithms as the
427 encryption algorithm are supported at the moment. Both RSA and DSA keys may be
430 @item pinentry_path = /path/to/pinentry
431 The location of the @command{pinentry} binary. This program is used to
432 prompt for a passphrase when not using @command{gpg-agent}. The default
433 is specified at compile time.
435 @item pinentry_timeout = seconds
436 The number of seconds to wait for a pinentry before giving up and
437 returning an error. This timeout value is used for both waiting for
438 another pinentry to complete and for the pinentry waiting for user input.
441 @cindex Data file configuration options
442 The following options are defaults for new files when specified in the
443 @samp{global} section. When placed in a data file section they are options
444 specific to that data file only.
447 @item backup = boolean
448 Whether to create a backup of the data file when saving. The backup filename
449 has the @file{.backup} extension appended to the opened file. The default is
452 @item cache_timeout = seconds
453 The number of seconds to keep the cache entry for this file. If @code{-1}, the
454 cache entry is kept forever. If @code{0}, each time an encrypted file is
455 @code{OPEN}ed (@pxref{OPEN}) a passphrase will be required. The default
456 is @code{600} or 10 minutes.
458 @item xfer_progress = bytes
459 Commands that send data lines to the client will also send the @code{XFER}
460 status message (@pxref{Status Messages}) after the specified number of bytes
461 have been sent. The number of bytes is rounded to @var{ASSUAN_LINELENGTH} or
462 @code{1002} bytes. The default is @code{8196}.
464 @item passphrase = string
465 The passphrase to use for this file. If specified in the @samp{global} section
466 then @samp{global} is treated as a data filename and not a default for other
467 files. Note that if a client changes the passphrase for this data file then
468 this value is not modified and will need to be updated.
470 @item passphrase_file = /path/to/file
471 Same as the @var{passphrase} parameter above but obtains the passphrase from
472 the specified filename.
474 @item recursion_depth = integer
475 The maximum number of times to resolve a @code{target} attribute for an
476 element in an element path (@pxref{Target Attribute}). An error is returned
477 when this value is exceeded. The default is @code{100} but can be disabled by
478 setting to @code{0} (@emph{not recommended}).
480 @item allowed = [-]user,[-]@@group,...
481 Same parameter value as the @code{allowed} parameter mentioned above in
482 the @samp{global} section but grants or denies a local user from opening
483 a specific data file. The default is to allow only the invoking user.
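The section layout described at the start of this chapter (a @samp{[global]} section of defaults, a @samp{[filename]} section per data file, @samp{#} comments, tilde expansion for filename values, and the special rule that @code{passphrase} in @samp{[global]} is not a default) is small enough to show as a parser. The following Python is an added example for this manual, not pwmd's own configuration parser; the configuration text, the @code{/home/user} home directory and the set of parameters treated as filenames are constructed for the example, and the same non-inheritance rule is applied to @code{passphrase_file} on the assumption that "same as the passphrase parameter" covers it.

```python
"""Parser for the pwmd configuration file layout documented above: '#'
comments, a [global] section holding defaults and [filename] sections that
override them for one data file.  Added example code for this manual, not
pwmd's own parser; SAMPLE_CONFIG is constructed for the example."""

import re

# Parameters whose value is a filename and therefore gets '~' expanded
# (a constructed subset of the parameters listed in this chapter).
FILENAME_PARAMS = {"socket_path", "log_path", "agent_env_file",
                   "passphrase_file", "pinentry_path"}

# Per-file secrets in [global] describe a data file literally named "global",
# they are never a default for other files.
NOT_INHERITED = {"passphrase", "passphrase_file"}

SAMPLE_CONFIG = """
# constructed example configuration
[global]
socket_path = ~/.pwmd/socket
cache_timeout = 600
backup = true
allowed = -@primary,username

[secrets.xml]
cache_timeout = 0
allowed = username
passphrase_file = ~/.pwmd/secrets.key
"""


def parse_config(text: str, home: str = "/home/user"):
    """Return {section: {parameter: value}}.

    Lines are 'name = value'; blank lines and lines starting with '#' are
    ignored.  A leading '~' in a filename-valued parameter is replaced by the
    home directory of the invoking user."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("parameter outside a section: " + line)
        name, value = (part.strip() for part in line.split("=", 1))
        if name in FILENAME_PARAMS and value.startswith("~"):
            value = home + value[1:]
        sections[current][name] = value
    return sections


def lookup(config, param, filename=None, default=None):
    """Value of `param` for `filename`: the file section wins, otherwise the
    [global] default applies, except for the non-inherited per-file secrets."""
    if filename is not None and param in config.get(filename, {}):
        return config[filename][param]
    if filename is not None and param in NOT_INHERITED:
        return default
    return config.get("global", {}).get(param, default)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(lookup(cfg, "cache_timeout", "secrets.xml"))   # 0
    print(lookup(cfg, "cache_timeout", "other.xml"))     # 600
    print(lookup(cfg, "passphrase_file", "other.xml"))   # None
```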
487 * TLS:: Remote connections over TLS.
488 * Pinentry:: Configuration file and defaults.
491 @node TLS, Pinentry, Configuration, Configuration
492 @chapter Configuring remote connections over TLS.
496 Remote connections can also be made to @command{pwmd} over @abbr{TLS}.
497 Authentication is done by using X509 client certificates that are signed with
498 the same Certificate Authority (@abbr{CA}) as the server certificate.
500 The @abbr{CA} certificate is expected to be found in
501 @file{~/.pwmd/ca-cert.pem} while the @command{pwmd} server certificate and key
502 file should be put in @file{~/.pwmd/server-cert.pem} and
503 @file{~/.pwmd/server-key.pem}, respectively.
505 See the documentation of @command{certtool} or @command{openssl} for details
506 on creating self-signed certificates.
508 The following TLS configuration options are available:
511 @item enable_tcp = boolean
512 Whether to enable TCP/TLS server support. If enabled, both TCP and the local
513 unix domain socket will listen for connections. The default is
516 @item tcp_port = integer
517 The TCP port to listen on when @var{enable_tcp} is @code{true}. The default is
520 @item tcp_bind = string
521 The internet protocol to listen with. Must be one of @code{ipv4}, @code{ipv6}
522 or @code{any} to listen for both IPv4 and IPv6 connections.
524 @item tcp_interface = string
525 Only useful if running as root.
527 @item tls_timeout = seconds
528 The number of seconds to wait for a read() or write() call on a
529 @abbr{TLS} client file descriptor to complete before returning an
530 error. The default is @var{300}.
532 Note that the @code{SAVE} command (@pxref{SAVE}) may take a longer time
533 to complete than other commands since key generation may need to be done
534 or due to a large @option{--cipher-iterations} setting.
536 @item keepalive_interval = seconds
537 Send a keepalive status message to an idle remote client. An idle
538 client is one who is not in a command. The purpose of this status
539 message is to disconnect a hung remote client and release any file mutex
540 locks so another client may open the same data file. The default is @code{60}.
542 @item tls_access = [+][!-][#]string[,[!-][#]string,...]
543 A comma separated list of client X509 certificate fingerprints in SHA-1
544 format that will be allowed to connect or open a file. If prefixed with
545 @code{!} or @code{-} then access is denied for the fingerprint. When
546 @code{!} or @code{-} is found by itself in the list it is treated as a
547 default for remaining fingerprints in the list. The @code{+} prefix
548 behaves the same but allows access. The order of the list is important,
549 meaning that if two or more entries carry the same SHA-1 hash, only
550 the last one in the list is considered.
552 The access control is twofold: when the client connects its SHA-1
553 fingerprint is matched against the list of allowed fingerprints in the
554 @samp{global} section. When allowed in the @samp{global} section the
555 connection is established and the client may proceed to @code{OPEN}
556 (@pxref{OPEN}) a data file. During the @code{OPEN}, @code{CLEARCACHE}
557 and @code{CACHETIMEOUT} commands, the
558 fingerprint is checked again in the file section for that data file.
560 When this parameter is not found in the file section then access is
561 granted for that data file.
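Because the fingerprint list mixes explicit prefixes, bare @samp{-}/@samp{+} defaults and a last-entry-wins rule for duplicate hashes, it is worth tracing the two-stage check in code. The following Python is an added example for this manual, not pwmd's own implementation; the fingerprint values are constructed, and two points the text leaves open are treated as assumptions here: a bare @samp{-} or @samp{+} is read as changing the verdict for the entries that follow it, and a fingerprint that appears nowhere in the list is denied.

```python
"""Evaluate a pwmd-style tls_access list of SHA-1 certificate fingerprints.
Added example code for this manual, not pwmd's own implementation.  The
fingerprints used below are constructed, not real certificate hashes."""


def parse_tls_access(value: str):
    """Return an ordered list of (fingerprint, allowed) pairs.

    Entry syntax is [+][!-][#]fingerprint.  A bare '!' or '-' makes deny the
    default for the entries that follow; a bare '+' makes allow the default.
    An explicit prefix on an entry overrides the current default (assumed
    reading of the manual's "default for remaining fingerprints")."""
    entries, default_allow = [], True
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item in ("!", "-"):
            default_allow = False
            continue
        if item == "+":
            default_allow = True
            continue
        allowed = default_allow
        if item[0] == "+":
            allowed, item = True, item[1:]
        elif item[0] in "!-":
            allowed, item = False, item[1:]
        if item.startswith("#"):
            item = item[1:]
        entries.append((item.lower(), allowed))
    return entries


def fingerprint_allowed(value: str, fingerprint: str) -> bool:
    """The last entry matching the hash decides, as the manual states for
    duplicate hashes.  An unlisted fingerprint is denied (assumption)."""
    verdict = False
    for fp, allowed in parse_tls_access(value):
        if fp == fingerprint.lower():
            verdict = allowed
    return verdict


def may_open(global_access, file_access, fingerprint: str) -> bool:
    """Twofold check: the [global] list gates the connection itself; the file
    section list gates OPEN, CLEARCACHE and CACHETIMEOUT and, when the file
    section has no tls_access at all (None), access to that file is granted.
    A missing [global] list is treated as denying every connection (assumption)."""
    if global_access is None or not fingerprint_allowed(global_access, fingerprint):
        return False
    if file_access is None:
        return True
    return fingerprint_allowed(file_access, fingerprint)


# Constructed fingerprints (40 hex digits each, not real certificates).
FP_ALICE = "aa" * 20
FP_BOB = "bb" * 20
FP_EVE = "ee" * 20
GLOBAL_LIST = "#" + FP_ALICE + ",#" + FP_BOB + ",-#" + FP_EVE
FILE_LIST = "-," + FP_BOB + ",+" + FP_ALICE   # deny by default, alice re-allowed

if __name__ == "__main__":
    for fp in (FP_ALICE, FP_BOB, FP_EVE):
        print(fp[:8], may_open(GLOBAL_LIST, FILE_LIST, fp))   # True False False
```

The consequence for operators is that a deny written in @samp{[global]} cannot be undone by a file section (the connection never gets that far), while a fingerprint allowed globally gets every file whose section omits @code{tls_access}, so per-file restrictions have to be written out explicitly.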
563 @item tcp_require_key = boolean
564 When @code{true}, require the remote client to provide the key or passphrase
565 to open a data file even if the file is cached. Note that the cache entry is
566 cleared during the @code{OPEN} (@pxref{OPEN}) command and the passphrase will be retrieved
567 from the client via a server @emph{INQUIRE}. This option is a default
568 for all files when specified in the @samp{global} section. The default
571 @item tcp_wait = integer
572 The time in tenths of a second to wait between TCP connections. Setting to 0
573 will disable waiting. The default is @code{3}.
575 @item tls_cipher_suite = string
576 The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
577 information about the format of this string. The default is @code{SECURE256}.
580 @node Pinentry, Commands, TLS, Configuration
581 @chapter Pinentry configuration
583 The @command{pinentry} program is used to prompt the user for passphrase
584 input or as a confirmation dialog; it needs to know where to prompt for
585 the input, be it from a terminal or an X11 display.
587 It is the responsibility of the client to tell @command{pinentry} about
588 the terminal or X11 display before requiring the input. This is done by
589 using the @command{pwmd} @code{OPTION} (@pxref{OPTION}) protocol command. It
590 need be done only once per client connection. To avoid the use of
591 @command{pinentry} entirely, use the @code{OPTION} (@pxref{OPTION})
592 @option{--disable-pinentry} protocol command.
595 @c Node, Next, Previous, Up
596 @node Commands, Status Messages, Pinentry, Top
597 @chapter Protocol commands and their syntax
599 @include commands.texi
601 @c Node, Next, Previous, Up
602 @node Status Messages, Target Attribute, Commands, Top
603 @chapter Status messages and their meanings
604 Some commands send status messages to inform the client about certain
605 operations or as a progress indicator. Status messages begin with a
606 @code{KEYWORD} followed by a status description for status messages that
607 require it. What status messages are sent, when, and how often may depend on
608 configuration settings (@pxref{Configuration}). A status message sent from
609 @command{gpg-agent} (@inforef{Invoking GPG-AGENT,,gnupg}) is also forwarded to
612 @multitable @columnfractions .20 .25 .55
613 @headitem Message @tab Parameters @tab Description
616 @tab @code{<integer>}
617 @tab The number of cached documents. Sent to each client after connecting
618 (@pxref{GETINFO}) and after every cache modification.
622 @tab @code{<integer>}
623 @tab The number of connected clients (@pxref{GETINFO}). Sent to each client
624 when another client either connects or disconnects.
628 @tab @code{<current>} @code{<total>}
629 @tab Sent to the current client during a decrypt operation. How often this
630 status message is sent is determined by the @code{cipher_progress}
631 (@pxref{Configuration}) setting.
635 @tab @code{<current>} @code{<total>}
636 @tab Sent to the current client during an encrypt operation. How often this
637 status message is sent is determined by the @code{cipher_progress}
638 (@pxref{Configuration}) setting.
643 @tab Sent once to the current client just before generating a new key-pair.
646 @cindex INQUIRE_MAXLEN
648 @tab Sent to the client from @command{gpg-agent} when inquiring data. This
649 specifies the maximum number of bytes allowed for the client to send and
650 should not be exceeded.
655 @tab Sent to each idle client every @var{keepalive_interval}
656 (@pxref{Configuration}) seconds.
661 @tab Sent to the current client when another client is holding the lock for
662 the mutex associated with a file.
667 @tab Sent to the current client when the opened (@pxref{OPEN}) file does not
668 exist on the file-system.
672 @tab @code{<sent> <total>}
673 @tab Sent to the current client when transferring data. It has two space
674 delimited arguments. The first being the current amount of bytes transferred
675 and the other being the total bytes to be transferred.
678 @c Node, Next, Previous, Up
679 @node Target Attribute, Signals, Status Messages, Top
680 @chapter The @code{target} attribute
681 @cindex target attribute
682 A @emph{case sensitive} attribute named @code{target} is treated specially
683 when found in each element of an element path. This attribute, like other
684 element attributes, is created or modified with the @code{ATTR} command
685 (@pxref{ATTR}). The value of this attribute is an existing element path
686 somewhere in the document. If you are familiar with @abbr{XML} entities or
687 maybe the @abbr{HTML} @code{id} or @code{target} attributes or a symbolic link
688 in a file-system, you may find this attribute behaves similarly to those.
690 To create a @code{target} attribute use the following syntax:
693 ATTR SET target [!]element[@key{TAB}[!]child[..]] [!]element[@key{TAB}[!]child[..]]
696 Note the single space between the two element paths. The first element path is
697 where the @code{target} attribute will be created. If the element path does
698 not exist then it will be created. This is the only time the @code{ATTR}
699 (@pxref{ATTR}) command will create elements. The attribute is created in the
700 final element of the first element path.
702 The second element path is the destination of where you want the first element
703 path to resolve to. When an element path is passed as an argument to a
704 protocol command @command{pwmd} looks for a @code{target} attribute when
705 resolving each element and, if found, "jumps" to the attribute value and
706 continues resolving any remaining elements. When you want to avoid the
707 @code{target} attribute for any element of an element path then prefix the
708 element with the literal element character @samp{!}.
710 When an element of an element path is removed that a @code{target} attribute
711 resolves to then an error will occur when trying to access that element. You
712 may need to either update the @code{target} attribute value with a new element
713 path or remove the attribute entirely. Remember that since the element
714 contains the @code{target} attribute it will need to be prefixed with the
715 literal element character @samp{!} when specifying the element path to prevent
716 @command{pwmd} from trying to resolve the @code{target} attribute. For
717 example, to remove a @code{target} attribute for an element containing it:
720 ATTR DELETE target path@key{TAB}to@key{TAB}!element
723 Clients should be careful of creating @code{target} loops, or targets that
724 resolve to themselves. See the @var{recursion_depth} (@pxref{Configuration})
725 configuration parameter for details.
727 The @code{REALPATH} command (@pxref{REALPATH}) can be used to show the element
728 path after resolving all @code{target} attributes.
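The element-path rules from the Introduction (@key{TAB} delimited components, a @code{_name} unique per depth, first match wins) and the @code{target} rules of this chapter (jump on resolution, @samp{!} to take an element literally, @code{recursion_depth} as the loop guard, @code{ATTR SET target} creating missing elements, @code{REALPATH} showing the resolved path) are shown together below. This Python is an added example for this manual, not pwmd's own code; the document it builds is constructed for the example, and the function names @code{resolve}, @code{set_target} and @code{delete_target} are this example's, not protocol commands.

```python
"""Element-path lookup and ``target`` attribute resolution over a pwmd-style
XML document (root ``pwmd``, children ``element`` with a ``_name``).  Added
example code for this manual, not pwmd's own implementation; the document
built by build_document() is constructed for the example."""

import xml.etree.ElementTree as ET

TAB = "\t"


class ResolveError(Exception):
    """Raised for a missing element or when recursion_depth is exceeded."""


def split_path(path: str):
    """'a<TAB>b<TAB>!c' -> [('a', False), ('b', False), ('c', True)];
    the flag marks a literal element (leading '!'), whose target is ignored."""
    parts = []
    for name in path.split(TAB):
        literal = name.startswith("!")
        parts.append((name[1:] if literal else name, literal))
    return parts


def find_child(node, name):
    """_name is unique at one depth, so the first match is the only match."""
    for child in node.findall("element"):
        if child.get("_name") == name:
            return child
    return None


def resolve(root, path: str, recursion_depth: int = 100, _depth: int = 0):
    """Return (node, real_path) for an element path, jumping through ``target``
    attributes unless the component is prefixed with '!'.  recursion_depth
    bounds the number of jumps (pwmd's default is 100); 0 disables the bound,
    which the manual advises against because a target loop then never ends."""
    node, real = root, []
    for name, literal in split_path(path):
        child = find_child(node, name)
        if child is None:
            raise ResolveError("element not found: " + name)
        target = child.get("target")
        if target is not None and not literal:
            if recursion_depth and _depth >= recursion_depth:
                raise ResolveError("recursion depth exceeded (target loop?)")
            # The target value is an element path from the document root, so
            # the real path so far is replaced by the target's real path.
            child, real = resolve(root, target, recursion_depth, _depth + 1)
        else:
            real = real + [name]
        node = child
    return node, real


def set_target(root, path: str, target: str):
    """ATTR SET target <path> <target>: missing elements of <path> are created
    (the only time ATTR creates elements) and the attribute is set on its
    final element.  Existing targets met on the way are followed."""
    node = root
    for name, literal in split_path(path):
        child = find_child(node, name)
        if child is None:
            child = ET.SubElement(node, "element", _name=name)
        elif child.get("target") is not None and not literal:
            child, _ = resolve(root, child.get("target"))
        node = child
    node.set("target", target)
    return node


def delete_target(root, path: str):
    """ATTR DELETE target <path>; the final component needs the '!' prefix,
    otherwise the lookup would jump away from the element holding it."""
    node, _ = resolve(root, path)
    del node.attrib["target"]


def build_document():
    """Constructed document: sites/mail/password plus a shortcut to sites/mail."""
    root = ET.fromstring(
        "<pwmd><element _name='sites'><element _name='mail'>"
        "<element _name='password'>constructed-secret</element>"
        "</element></element></pwmd>")
    set_target(root, "shortcut", "sites" + TAB + "mail")
    return root


if __name__ == "__main__":
    doc = build_document()
    node, real = resolve(doc, "shortcut" + TAB + "password")
    print(TAB.join(real), node.text)   # sites<TAB>mail<TAB>password constructed-secret
```

The @code{real} list that @code{resolve} returns is what @code{REALPATH} would print: the path after every @code{target} jump has been taken.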
731 @c Node, Next, Previous, Up
732 @node Signals, Concept Index, Target Attribute, Top
733 @chapter Recognized signals
736 Sending the @emph{SIGHUP} signal to a @command{pwmd} process will reload the
737 configuration file and sending @emph{SIGUSR1} will clear the entire file
742 .BR gpg-agent (1), pinentry (1)
746 @c Node, Next, Previous, Up
747 @node Concept Index, , Signals, Top
748 @unnumbered Concept Index