From a9352b9c1363352d166399d08db783dc433ac2e3 Mon Sep 17 00:00:00 2001
From: Ben Kibbey
-• Introduction: Overview of pwmd.
• Invoking: Command line options.
+
-• Access Control: ACL of a single XML element.
• Configuration: Configuration file options.
+
-• Invoking: Command line options.
• Commands: Protocol commands.
+
-• Configuration: Configuration file options.
• Status Messages: Status lines and their meaning.
+
-• Commands: Protocol commands.
• Target Attribute: A kind of symbolic link.
+
-• Status Messages: Status lines and their meaning.
• Signals: Signals known to pwmd.
+
-• Target Attribute: A kind of symbolic link.
• Concept Index: Index of concepts.
+
+• Signals: Signals known to pwmd.
+
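Review bot: the menu hunk removes and re-adds every entry from Introduction down to Signals in order to get a single new `• Access Control: ACL of a single XML element.` line between Introduction and Invoking; inserting only that one line (or regenerating the menu in place) gives a minimal diff that is far easier to review and leaves the existing entries untouched.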
@@ -82,7 +84,7 @@ Up: (dir) [
• Concept Index: Index of concepts.
1 Overview of
@@ -147,13 +149,47 @@ characters. It also cannot begin with a ‘!’ since this
reserved for the pwmd
target
attribute. See Target Attribute.
+Next: Invoking, Previous: Introduction, Up: Top [Contents]
+Like a filesystem has an ACL to grant or limit access to directories or
+files for a specific user or group, pwmd
can limit a local user,
+group or a TLS connection to a specific element path. This is done by storing
+an ACL in the element attribute _acl
. Its syntax is similar to the
+allowed
configuration parameter (see Configuration) with the
+exception that a TLS fingerprint hash is prefixed with a #.
+
Access is denied for all users that are not in the ACL of an element with the
+exception of the invoking user (see the invoking_user
and
+invoking_tls
configuration parameters (see Configuration)). The
+connected client must be in the ACL for each element in an element
+path otherwise an error is returned. As an example:
+
<element _name="test" _acl="username,-@wheel,root"> + <element _name="child"/> +</element> +
The user username
would be allowed access to the test
element
+but not if it is a member of the wheel
group. Although the root
+user, who may be a member of the wheel
group, is allowed. No users
+other than the invoking_user
is allowed access to the child
+element.
+
-Next: Configuration, Previous: Introduction, Up: Top [Contents]
+Next: Configuration, Previous: Access Control, Up: Top [Contents]pwmd
pwmd
init
,
Next: TLS, Previous: Invoking, Up: Top [Contents]
-pwmd
configuration file optionspwmd
configuration file optionsIf no configuration file is specified with the pwmd
-f
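Review bot: the new Access Control text never states how conflicting `_acl` entries are resolved, yet the example `_acl="username,-@wheel,root"` depends on it: `username` is denied when a member of `wheel`, while `root`, which "may be a member of the wheel group", is allowed, which reads as if later entries override earlier ones (or an explicit user entry overrides a group negation). State the rule before the example, because an administrator who writes `root,-@wheel` expecting the same outcome may end up with an element root cannot open. Three smaller points in the same hunk: "No users other than the invoking_user is allowed" should read "are allowed"; the TLS form (fingerprint prefixed with `#`) is described but not shown, so adding one `#<fingerprint>` entry to the example would illustrate the only remote-client syntax; and "must be in the ACL for each element in an element path" should say whether the invoking_user exception also applies at every element of the path, since that decides whether a child with a restrictive `_acl` can be shielded from the invoking user.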
@@ -336,6 +372,20 @@ a pwmd
process.
umask(2) setting.
This parameter is not to be confused with setuid or setguid upon startup. It
+is the local username that may use the XPATH
, XPATHATTR
+and DUMP
commands (except when disabled with the
+disable_list_and_dump
option). Other users are denied access to these
+commands. This also specifies the user that may access any elements that lack
+an _acl
attribute (see Access Control). The default is the current
+user.
+
Like invoking_user
, but is a hash of a TLS certificate fingerprint.
+
A comma separated list of local user names or group names allowed to connect to the socket. Groups should be prefixed with a ‘@’. When not specified @@ -531,7 +581,7 @@ a specific data file. The default is to allow only the invoking user. Next: Pinentry, Previous: Configuration, Up: Configuration [Contents]
-Remote connections can also be made to pwmd
over TLS.
Authentication is done by using X509 client certificates that are signed with
the same Certificate Authority (CA) as the server certificate.
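Review bot: `invoking_user` "defaults to the current user", which for a daemon started at boot is the account pwmd runs as rather than an administrator, and by this hunk that account then gains XPATH, XPATHATTR and DUMP plus access to every element lacking an `_acl` attribute; say so explicitly and recommend setting the parameter in the configuration whenever pwmd runs under a dedicated account. For `invoking_tls`, "a hash of a TLS certificate fingerprint" should name the digest algorithm and say whether the value carries the same `#` prefix used in `_acl`, otherwise the two cannot be compared. The unchanged context line "setuid or setguid" should read "setgid". Finally, since `allowed` gates who may connect to the socket while `_acl` gates individual elements, a one-line cross-reference between the two would make clear that a user in `allowed` still needs an `_acl` entry (or invoking_user status) to read anything.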
@@ -632,7 +682,7 @@ information about the format of this string. The default is SECURE256Commands, Previous: TLS, Up: Configuration [Contents]
The pinentry
program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
@@ -652,7 +702,7 @@ need be done only once per client connection. To avoid the use of
Next: Status Messages, Previous: Pinentry, Up: Top [Contents]