SuperScript::Software::ucspi-ipc

The ipcrules program

Interface

  ipcrules cdb tmp
where cdb is the name of the cdb-format output file, and tmp is the name of a temporary file. ipcserver optionally follows rules to decide whether a local-domain connection is acceptable. For example, the rule 
  1001.1010:deny
prohibits connections from a process with effective user ID 1001 and effective group ID 1010.

ipcrules reads rules from its standard input and writes them into cdb in a binary format suited for quick access by ipcserver.

ipcrules can be used while ipcserver is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp must be writable to ipcrules, and must also be on the same filesystem.

If there is a problem with the input or with tmp, ipcrules complains and leaves cdb alone.

Rule format

A rule occupies one line. A file containing rules may also contain comments: lines beginning with # are ignored.

Each rule contains an effective ID, a colon, and a list of instructions, with no extra spaces. When ipcserver receives a connection from that userid, it follows the instructions.

Effective IDs

ipcserver looks for rules with various userids:

  1. $IPCREMOTEEUID.$IPCREMOTEEGID;

  2. $IPCREMOTEEUID;

  3. .$IPCREMOTEEGID;

  4. the empty string.

ipcserver uses the first matching rule it finds.

For example, here are some rules: 

  1001.1010:first
  1002:second
  :third
  .1010:fourth

If $IPCREMOTEEUID is 5 and $IPCREMOTEEGID is 10, ipcserver will follow the third instruction.

If $IPCREMOTEEUID is 1002, ipcserver will follow the second instruction.

If $IPCREMOTEEUID is 5 and $IPCREMOTEEGID is 1010, ipcserver will follow the fourth instruction.

If $IPCREMOTEEUID is 1001 and $IPCREMOTEEGID is 1010, ipcserver will follow the first instruction.

You can use ipcrulescheck to see how ipcserver will interpret rules in cdb.

User ranges

ipcrules treats 
  1001-1023:instructions
as an abbreviation for the rules 
  1001:instructions
  1002:instructions
  ...
  1023:instructions

Instructions

The instructions in a rule must begin with either allow or deny. An instruction beginning with deny tells ipcserver to drop the connection without running any program. For example, the rule 
  :deny
tells ipcserver to drop any connection that is not handled by a more specific rule.

The instruction may continue with some environment variables assignments, in the form var="x". ipcserver adds an environment variable $var with value x. For example, 

  1001:allow,ACCESS="special"
adds an environment variable $ACCESS with a value of special. Any repeated character may appear in place of the quote character: 
  1001:allow,ACCESS=/special/
and any number of variables assignments may appear in a single rule: 
  1001:allow,ACCESS="special",SECRETWORD=/mudshark/