-rw-r--r--doc/pies.texi46
-rw-r--r--src/acl.c49
-rw-r--r--src/acl.h2
-rw-r--r--src/comp.c1
4 files changed, 82 insertions, 16 deletions
diff --git a/doc/pies.texi b/doc/pies.texi
index 8e25e76..ae4a56a 100644
--- a/doc/pies.texi
+++ b/doc/pies.texi
@@ -862,16 +862,6 @@ process instead.
@end table
@end deffn
-@deffn {Config: component} user-acl @{ @dots{} @}
-ACL controlling read-only access to this component.
-@FIXME-pxref{Access to Components}.
-@end deffn
-
-@deffn {Config: component} admin-acl @{ @dots{} @}
-ACL controlling administrative (write) access to this component.
-@FIXME-pxref{Access to Components}.
-@end deffn
-
The following subsections describe the rest of @samp{component}
substatements.
@@ -884,6 +874,7 @@ substatements.
* Output Redirectors::
* Inetd-Style Components::
* Meta1-Style Components::
+* Visibility::
* Component Syntax Summary::
@end menu
@@ -1603,6 +1594,34 @@ This socket file is supposed to be created by the component binary
upon its startup.
@end deffn
+@node Visibility
+@subsection Component Visibility ACLs
+
+ Pies control interface allows certain users to list and modify
+components of a running @command{pies} instance. Two access control
+lists define who can list and modify the particular component.
+
+@deffn {Config: component} list-acl @var{name}
+@deffnx {Config: component} list-acl @{ @dots{} @}
+This list controls who can get listing of this component
+(@FIXME-pxref{component listing}).
+
+In the first form, @var{name} refers to the name of an already defined
+global ACL (@pxref{defacl}).
+
+The second form defines new unnamed ACL. The syntax is described in
+detail in @ref{ACL}.
+@end deffn
+
+@deffn {Config: component} admin-acl @var{name}
+@deffnx {Config: component} admin-acl @{ @dots{} @}
+This list controls who can stop, restart or otherwise modify this
+component (@FIXME-pxref{component management}).
+
+As above, two forms are available: the first one for using an already
+defined named ACL, and the second one, for defining a new ACL in place.
+@end deffn
+
@node Component Syntax Summary
@subsection Component Syntax Summary
This subsection summarizes the @code{component} statements. For each
@@ -1687,14 +1706,20 @@ component @var{tag} @{
# @r{ACL for administrative access to this component.}
# @FIXME-xref{Access to Components}.
+ admin-acl @var{name};
+ # @r{or:}
admin-acl @{ @dots{} @}
# @r{ACL for read-only access to this component.}
# @FIXME-xref{Access to Components}.
+ list-acl @var{name};
+ # @r{or:}
list-acl @{ @dots{} @}
# @r{ACL for this component.}
# @xref{ACL}.
+ acl @var{name};
+ # @r{or:}
acl @{ @dots{} @}
# @r{Override default syslog facility for this component.}
@@ -1925,6 +1950,7 @@ acl @{
component @acronym{ACL} is consulted. As a result, access is
granted only if both lists allow it.
+@anchor{defacl}
A @dfn{named @acronym{ACL}} is an access control list which is
assigned its own name. Named @acronym{ACL}s are defined using
the @samp{defacl} statement:
diff --git a/src/acl.c b/src/acl.c
index 7d7b110..877adf2 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -54,6 +54,7 @@ struct acl_entry
struct pies_acl
{
char *name;
+ size_t refcnt;
grecs_locus_t locus;
struct grecs_list *list;
};
@@ -108,29 +109,48 @@ acl_free_entry (void *p)
free (ent);
}
+void
+pies_acl_use (pies_acl_t acl)
+{
+ ++acl->refcnt;
+}
+
pies_acl_t
pies_acl_create (const char *name, grecs_locus_t *locus)
{
pies_acl_t acl = grecs_malloc (sizeof (acl[0]));
acl->name = name ? grecs_strdup (name) : NULL;
+ acl->refcnt = 0;
grecs_locus_copy (&acl->locus, locus);
acl->list = grecs_list_create ();
acl->list->free_entry = acl_free_entry;
+ pies_acl_use (acl);
return acl;
}
void
-pies_acl_free (pies_acl_t acl)
+pies_acl_destroy (pies_acl_t *pacl)
{
- if (acl)
+ if (pacl && *pacl && (*pacl)->refcnt)
{
- free (acl->name);
- grecs_locus_free (&acl->locus);
- grecs_list_free (acl->list);
- free (acl);
+ pies_acl_t acl = *pacl;
+ if (--acl->refcnt == 0)
+ {
+ free (acl->name);
+ grecs_locus_free (&acl->locus);
+ grecs_list_free (acl->list);
+ free (acl);
+ *pacl = NULL;
+ }
}
}
+void
+pies_acl_free (pies_acl_t acl)
+{
+ pies_acl_destroy (&acl);
+}
+
static struct pies_sockaddr *
create_acl_sockaddr (int family, int len)
{
@@ -358,6 +378,8 @@ _parse_sub_acl (struct acl_entry *entry, size_t argc, grecs_value_t **argv)
argv[0]->v.string);
return 1;
}
+ pies_acl_use (entry->acl);
+
argc--;
argv++;
}
@@ -548,6 +570,21 @@ _acl_common_section_parser (enum grecs_callback_command cmd,
break;
case grecs_callback_set_value:
+ if (assert_grecs_value_type (&value->locus, value, GRECS_TYPE_STRING))
+ return 0;
+ acl = pies_acl_lookup (value->v.string);
+ if (!acl)
+ {
+ grecs_error (&value->locus, 0, _("ACL not defined: %s"),
+ value->v.string);
+ return 0;
+ }
+ pies_acl_use (acl);
+ if (pacl)
+ {
+ pies_acl_free (*pacl);
+ *pacl = acl;
+ }
break;
}
return 0;
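Review bot: In the grecs_callback_set_value branch, `pies_acl_use (acl)` runs before the `if (pacl)` test, so when pacl is NULL the reference just taken belongs to nobody and the named ACL's count can never return to zero. Moving the call inside the conditional keeps the count balanced, `if (pacl) { pies_acl_use (acl); pies_acl_free (*pacl); *pacl = acl; }`, and taking the new reference before releasing the old one still handles the case where `*pacl` already is `acl`. The enclosing _acl_common_section_parser starts and ends outside this hunk, and whether any caller passes a NULL pacl is not visible here. In the pies_acl_destroy hunk, the `(*pacl)->refcnt` guard silently ignores an object whose count is already zero, which hides a double release rather than reporting it; if that leniency is intended it deserves a comment, otherwise an assertion there would surface the bug.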
diff --git a/src/acl.h b/src/acl.h
index db65e10..8650f95 100644
--- a/src/acl.h
+++ b/src/acl.h
@@ -25,7 +25,9 @@ struct acl_input
};
pies_acl_t pies_acl_create (const char *name, grecs_locus_t *locus);
+void pies_acl_destroy (pies_acl_t *pacl);
void pies_acl_free (pies_acl_t acl);
+void pies_acl_use (pies_acl_t acl);
int pies_acl_cmp (struct pies_acl *a, struct pies_acl *b);
int pies_acl_check (pies_acl_t acl, struct acl_input *input, int result);
int parse_acl_line (grecs_locus_t *locus, int allow, pies_acl_t acl,
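Review bot: The new declarations carry no statement of the reference-counting contract that src/acl.c now implements, so a caller cannot tell from the header which functions take a reference, which release one, or when its pointer is cleared. I would add above `pies_acl_create`: `/* ACLs are reference counted: create and use each take a reference; destroy and free release one, and the object is freed only when the count reaches zero. */`, and on the two new lines `/* Release one reference; sets *pacl to NULL only when the object is freed. */` and `/* Take a reference on acl. */`. pies_acl_free should also note that, taking the ACL by value, it cannot clear the caller's variable, which is left dangling after the last release.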
diff --git a/src/comp.c b/src/comp.c
index 851ce5b..18d1d74 100644
--- a/src/comp.c
+++ b/src/comp.c
@@ -184,6 +184,7 @@ component_free (struct component *comp)
free_redirector (&comp->redir[0]);
free_redirector (&comp->redir[1]);
grecs_list_free (comp->act_list);
+ pies_acl_free (comp->acl);
pies_acl_free (comp->list_acl);
pies_acl_free (comp->adm_acl);
free (comp);
