xpaacl(n)                     SAORD Documentation                    xpaacl(n)

NAME

       XPAAcl: Access Control for XPA Messaging

SYNOPSIS

       XPA supports host-based access control for each XPA access point.  You
       can enable/disable access control using the XPA_ACL environment
       variable. You can specify access to specific XPA access points for
       specific machines using the XPA_DEFACL and XPA_ACLFILE environment
       variables. By default, an XPA access point is accessible only to
       processes running on the same machine (same as X Windows).

DESCRIPTION

       When INET sockets are in use (the default, as specified by the
       XPA_METHOD environment variable), XPA supports a host-based access
       control mechanism for individual access points. This means that access
       can be specified for get, set, or info operations for each access
       point on a machine-by-machine basis.  For LOCAL sockets, access is
       restricted (by definition) to the host machine.

       XPA access control is enabled by default, but can be turned off by
       setting the XPA_ACL environment variable to false.  In this case, any
       process can access any XPA server.

       Assuming that access control is turned on, the ACL for an individual
       XPA access point is set up when that access point is registered
       (although it can be changed later on; see below). This can be done in
       one of two ways:

       Firstly, the XPA_ACLFILE environment variable can be defined to point
       to a file of access controls for individual access points. The format
       of this file is:

        class:name ip acl

       The first argument is a template that specifies the class:name of the
       access point covered by this ACL. See XPA Access Points and Templates
       for more information about xpa templates.

       The second argument is the IP address (in human-readable format) of the
       machine which is being given access.  This argument can be * to match
       all IP addresses.  It also can be $host to match the IP address of the
       current host.

       The third argument is a string combination of s, g, or i to allow
       xpaset, xpaget, or xpainfo access respectively.  The ACL argument can
       be + to give sgi access or it can be - to turn off all access.

       For example,

         *:xpa1  somehost sg
         *:xpa1  myhost +
         * * g

       will allow processes on the machine somehost to make xpaget and xpaset
       calls, allow processes on myhost to make any call, and allow all other
       hosts to make xpaget (but not xpaset) calls.

       Secondly, if the XPA_ACLFILE does not exist, then a single default
       value for all access points can be specified using the XPA_DEFACL
       environment variable.  The default value for this variable is:

         #define XPA_DEFACL "*:* $host +"

       meaning that all access points are fully accessible to all processes on
       the current host. Thus, in the absence of any ACL environment
       variables, processes on the current host have full access to all access
       points created on that host. This parallels the X11 xhost mechanism.
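
       An added example (not part of the XPA distribution): a small Python
       linter for the "class:name ip acl" entry format above, applied to
       XPA_ACL, the contents of an XPA_ACLFILE, and XPA_DEFACL. The function
       names, severity labels and sample entries are constructed for
       illustration; it flags XPA_ACL=false and any entry whose ip field is
       *, and does not model which entry XPA applies when several match.

```python
OPS = {"s": "xpaset", "g": "xpaget", "i": "xpainfo"}
# Constructed sample: the page's three entries plus two deliberately bad ones.
SAMPLE = """\
*:xpa1  somehost sg
*:xpa1  myhost +
* * g
*:* * +
ds9:* 192.0.2.10 gx
"""

def expand_acl(acl):
    """Map the third field to the set of operations it allows."""
    if acl in ("+", "-"):
        return set(OPS) if acl == "+" else set()
    if not acl or set(acl) - set(OPS):
        raise ValueError("acl must be +, - or a combination of s, g, i")
    return set(acl)

def audit_entries(text, source):
    """Return (source, line_no, severity, message) findings for ACL entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        try:
            if len(fields) != 3:
                raise ValueError("expected 3 fields: class:name ip acl")
            template, ip, ops = fields[0], fields[1], expand_acl(fields[2])
        except ValueError as err:
            findings.append((source, no, "error", str(err)))
            continue
        if ip == "*" and ops:  # grant is not tied to any particular host
            sev = "high" if "s" in ops else "warn"
            calls = ", ".join(OPS[o] for o in "sgi" if o in ops)
            findings.append((source, no, sev, f"{template}: any host may call {calls}"))
    return findings

def audit_env(env, aclfile_text=None):
    """Audit XPA_ACL, then the ACL file contents if given, else XPA_DEFACL."""
    findings = []
    # The page names "false" as the disabling value; matched case-insensitively here.
    if env.get("XPA_ACL", "").lower() == "false":
        findings.append(("XPA_ACL", 0, "high", "access control disabled for all access points"))
    if aclfile_text is not None:
        findings += audit_entries(aclfile_text, "XPA_ACLFILE")
    elif "XPA_DEFACL" in env:
        findings += audit_entries(env["XPA_DEFACL"], "XPA_DEFACL")
    return findings
```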

       Access to an individual XPA access point can be changed using the -acl
       parameter for that access point.  For example:

         xpaset -p xpa1 -acl "somehost -"

       will turn off all access for somehost to the xpa1 access point,
       while:

         xpaset -p XPA:xpa1 -acl "beberly gs"

       will give beberly xpaget and xpaset access to the access point whose
       class is XPA and whose name is xpa1.

       Similarly, the current ACL for a given access point can be retrieved
       using:

         xpaget xpa1 -acl

       Of course, you must have xpaget access to this XPA access point to
       retrieve its ACL.

       Note that the XPA access points registered in the xpans program also
       behave according to the ACL rules.  That is, you cannot use xpaget to
       view the access points registered with xpans unless you have the proper
       ACL.

       Note also that when a client request is made to an XPA server, the
       access control is checked when the initial connection is established.
       The access in effect at that time remains in effect so long as the
       client connection is maintained, regardless of whether the access for
       that XPA is changed later on.

       We recognize that host-based access control is only relatively secure
       and will consider more stringent security (e.g., private key) in the
       future if the community requires such support.

SEE ALSO

       See xpa(n) for a list of XPA help pages.

version 2.1.12                 January 26, 2010                      xpaacl(n)