SuperScript::Software::ucspi-ipc

The ipcexecrules program


Interface

  ipcexecrules cdb tmp
where cdb is the name of the cdb-format output file, and tmp is the name of a temporary file. ipcexec follows rules in cdb to decide whether to execute a program.

ipcexecrules reads rules from its standard input and writes them into cdb in a binary format suited for quick access by ipcexec.

ipcexecrules can be used while ipcexec is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp must be writable by ipcexecrules, and must also be on the same filesystem.

If there is a problem with the input or with tmp, ipcexecrules complains and leaves cdb alone.

Rule format

A rule occupies one line. A file containing rules may also contain comments: lines beginning with # are ignored.

Each rule contains a pattern, a colon, and a list of instructions, with no extra spaces. When ipcexec receives a request, it follows the instructions of the first matching pattern in cdb.

Patterns

ipcexec looks for rules with various patterns:
  1. $IPCREMOTEEUID.$IPCREMOTEEGID,USERID.cmd;

  2. $IPCREMOTEEUID,USERID.cmd;

  3. .$IPCREMOTEEGID,USERID.cmd;

  4. ,USERID.cmd;

  5. the empty string.

ipcexec uses the first matching rule it finds.

For example, here are some rules:

  1001.1010,0.echo:allow,first
  1002,0.echo:allow,second
  :deny,third
  .1010,echo:allow,fourth

If USERID is 0 and cmd is echo:

You can use ipcexecrulescheck to see how ipcexec will interpret rules in cdb.

User ranges

ipcexecrules treats
  1001-1023,USERID.cmd:instructions
as an abbreviation for the rules
  1001,USERID.cmd:instructions
  1002,USERID.cmd:instructions
  ...
  1023,USERID.cmd:instructions

Instructions

The instructions in a rule must begin with either allow or deny. An instruction beginning with deny tells ipcexec to exit without running any program. For example, the rule
  :deny
tells ipcexec to ignore any request that is not handled by a more specific rule.

An instruction with allow tells ipcexec to execute the request. It executes cmd with arguments also read from file descriptor 0. Arguments are passed directly to pathexec without further interpretation. If the matching rule instruction begins with

  allow="path"
then ipcexec executes path instead of cmd, with the arguments specified in the request. Any repeated character may appear in place of the quote character.

The instruction may continue with some environment variable assignments, in the form var="x". ipcexec adds an environment variable $var with value x. For example,

  1001,0.echo:allow="/bin/echo",ACCESS="special"
adds an environment variable $ACCESS with a value of special. Any repeated character may appear in place of the quote character:
  1001,0.echo:allow="/bin/echo",ACCESS=/special/
and any number of variable assignments may appear in a single rule:
  1001,0.echo:allow="/bin/echo",ACCESS="special",SECRETWORD=/mudshark/
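As an added illustration of the lookup order described under Patterns and of the instruction syntax described in this section (example code written for this page, not part of ucspi-ipc), the following Python models how ipcexec probes the five key forms in order, how ipcexecrules expands a uid range, and how an instruction splits into its verb, optional path and environment assignments. The sample rules file is constructed, and an in-memory dict stands in for the cdb file.

```python
import re
# Constructed sample rules in the page's format (not data from the ucspi-ipc package)
SAMPLE_RULES = """\
# lines beginning with # are comments
1001.1010,0.echo:allow,first
1002,0.echo:allow,second
1005-1007,0.echo:allow="/bin/echo",ACCESS=/special/
:deny,third
"""

def parse_rules(text):
    """Return (pattern, instructions) pairs in file order, expanding uid ranges."""
    rules = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        pattern, _, instructions = line.partition(":")
        m = re.fullmatch(r"(\d+)-(\d+)(,.*)", pattern)  # 1001-1023,USERID.cmd shorthand
        for uid in (range(int(m[1]), int(m[2]) + 1) if m else [None]):
            rules.append((f"{uid}{m[3]}" if m else pattern, instructions))
    return rules

def lookup(rules, euid, egid, userid, cmd):
    """Probe the five key forms in ipcexec's order; the first hit wins."""
    table = {}
    for pattern, instructions in rules:
        table.setdefault(pattern, instructions)  # first rule for a key wins, as in the cdb
    for key in (f"{euid}.{egid},{userid}.{cmd}", f"{euid},{userid}.{cmd}",
                f".{egid},{userid}.{cmd}", f",{userid}.{cmd}", ""):
        if key in table:
            return key, table[key]
    return None  # nothing matched, not even an empty-string catch-all rule

def parse_instructions(s):
    """Split 'allow[=<q>path<q>],VAR=<q>x<q>,...' into (verb, path, env); <q> is any repeated char."""
    verb, path, env, i = None, None, {}, 0
    while i < len(s):
        j = next((k for k in range(i, len(s)) if s[k] in "=,"), len(s))
        name, value = s[i:j], None
        if j < len(s) and s[j] == "=":
            q = s[j + 1]                   # opening delimiter, e.g. " or /
            end = s.index(q, j + 2)        # matching closer; ValueError if it is missing
            value, j = s[j + 2:end], end + 1
        i = j + 1
        if verb is None:
            verb, path = name, value       # first item: allow, deny, or allow="path"
        elif value is not None:
            env[name] = value              # bare words after the verb, like ',first', are ignored
    return verb, path, env
```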