xpaacl: Access control for \s-1xpa\s0 messaging

DESCRIPTION

When \s-1INET\s0 sockets are in use (the default, as specified by the \s-1XPA_METHOD\s0 environment variable), \s-1XPA\s0 supports a host-based access control mechanism for individual access points. This mean that access can be specified for get, set, or info operations for each access point on a machine by machine basis. For \s-1LOCAL\s0 sockets, access is restricted (by definition) to the host machine.

\s-1XPA\s0 access control is enabled by default, but can be turned off by setting the \s-1XPA_ACL\s0 environment variable to false. In this case, any process can access any \s-1XPA\s0 server.

Assuming that access control is turned on, the \s-1ACL\s0 for an individual \s-1XPA\s0 access point is set up when that access point is registered (although it can be changed later on; see below). This can be done in one of two ways:

Firstly, the \s-1XPA_ACLFILE\s0 environment variable can defined to point to a file of access controls for individual access points. The format of this file is:

 class:name ip acl

The first argument is a template that specifies the class:name of the access point covered by this \s-1ACL\s0. See \s-1XPA\s0 Access Points and Templates for more information about xpa templates.

The second argument is the \s-1IP\s0 address (in human-readable format) of the machine which is being given access. This argument can be * to match all \s-1IP\s0 addresses. It also can be $host to match the \s-1IP\s0 address of the current host.

The third argument is a string combination of s, g, or i to allow xpaset, xpaget, or xpainfo access respectively. The \s-1ACL\s0 argument can be + to give sgi access or it can be - to turn off all access.

For example,

*:xpa1 somehost sg *:xpa1 myhost + * * g

will allow processes on the machine somehost to make xpaget and xpaset calls, allow processes on myhost to make any call, and allow all other hosts to make xpaget (but not xpaset) calls.

Secondly, if the \s-1XPA_ACLFILE\s0 does not exist, then a single default value for all access points can be specified using the \s-1XPA_DEFACL\s0 environment variable. The default value for this variable is:

#define XPA_DEFACL "*:* $host +"

meaning that all access points are fully accessible to all processes on the current host. Thus, in the absence of any \s-1ACL\s0 environment variables, processes on the current host have full access to all access points created on that host. This parallels the X11 xhost mechanism.

Access to an individual \s-1XPA\s0 access point can be changed using the \-acl parameter for that access point. For example:

xpaset \-p xpa1 \-acl "somehost -"

will turn off all access control for somehost to the xpa1 access point, while:

xpaset \-p XPA:xpa1 \-acl "beberly gs"

will give beberly xpaget and xpaset access to the access point whose class is \s-1XPA\s0 and whose name is xpa1.

Similarly, the current \s-1ACL\s0 for a given access point can be retrieved using:

xpaget xpa1 \-acl

Of course, you must have xpaget access to this \s-1XPA\s0 access point to retrieve its \s-1ACL\s0.

Note that the \s-1XPA\s0 access points registered in the xpans program also behave according to the \s-1ACL\s0 rules. That is, you cannot use xpaget to view the access points registered with xpans unless you have the proper \s-1ACL\s0.

Note also when a client request is made to an \s-1XPA\s0 server, the access control is checked when the initial connection is established. This access in effect at this time remains in effect so long as the client connection is maintained, regardless of whether the access fro that \s-1XPA\s0 is changed later on.

We recognize that host-based access control is only relatively secure and will consider more stringent security (e.g., private key) in the future if the community requires such support.

xpaacl (7)

SYNOPSIS

DESCRIPTION

RELATED TO xpaacl…