
eloqsd.app configuration file

The eloqsd.app application configuration provides a server-side definition of the applications a specific user or client is permitted to start, including the command line and environment variables, and specifies which environment variables may be passed from the client.

The name and path of the eloqsd.app configuration file may be defined in the eloqsd.cfg configuration file. It defaults to eloqsd.app in the Eloquence configuration directory.

The eloqsd.app file defines any number of applications. Each application is defined in its own section, whose name (the application id) is enclosed in square brackets. The application id is not case sensitive.

The following configuration items are recognized for each application:

Command
Specifies command line options that are used when starting the application. If configured, it replaces the command line that a client may submit.

Command line arguments are separated with spaces. If an argument contains space characters it should be enclosed in single or double quotes. Token resolving is applied as explained below.

Multiple Command entries are recognized. The command line is formed by concatenating the Command entries in the specified order.

For example:

Command = -t -log /tmp/trace.log
Command = PROG,APP

Env
Specifies an environment variable to be passed to the application. Token resolving is applied as explained below.

Note: Variables passed from the client take precedence, as explained in the EnvPass section below. Multiple Env entries are recognized and combined.

For example:

Env = HOME=/home/$user_name
Env = EQPATH=/data/app/admin/prog:/data/app/common/prog
This defines the environment variables HOME and EQPATH.

EnvPass
The EnvPass item restricts which environment variables are allowed to be passed from the client.

If EnvPass is configured, any variable a client passes must be listed, otherwise it is not passed to the application. If EnvPass is configured but empty, all variables a client might pass are dropped.

EnvPass accepts a comma-separated list of environment variable names. Multiple EnvPass entries are recognized and combined.

Please note: Variables passed from the client take precedence over variables having the same name that are specified with the Env item. This allows configuring a fallback for variables a client might or might not pass.

For example:

Env = DLG=$peer_addr
EnvPass = DLG
Command = -dlg $(DLG) ADMIN,APP
This allows the application to override the default value of the environment variable DLG.

StartDir
The StartDir item may be used to set the current directory where an application is started. This overrides the start directory a client may have passed. Token resolving is applied.

Please note: If the Command item is configured, the start directory a client may pass is always ignored.

TTY (HP-UX and Linux)
On HP-UX and Linux, the TTY item supports character mode application debugging by redirecting an application's stdin, stdout and stderr streams to the specified TTY device. This overrides the TTY setting a client may have passed. Token resolving is applied.

UserList
UserList is a comma-separated list of user names that are allowed to access an application. If UserList is configured, the connecting user must be listed, otherwise access to the application is denied. Multiple UserList entries are recognized and combined.

The user names refer to the configured users in the eloqsd.user file or, if PAM authentication is used (on HP-UX or Linux), to (selected) operating system users.

The example below defines a UserList that restricts access to the users "bob", "joe" and "teresa":

UserList = bob
UserList = joe, teresa

GroupList
GroupList accepts a comma-separated list of group names that are allowed to access an application. If GroupList is configured, the connecting user must be a member of a group that is listed, otherwise access to the application is denied. Multiple GroupList entries are recognized and combined.

The group names refer to GroupList entries of the configured users in the eloqsd.user file or, if PAM authentication is used (on HP-UX or Linux), to operating system groups associated with the connecting user.

The example below defines a GroupList that restricts access to users that belong to the groups "admins", "operators", "local_admins", or "local_operators":

GroupList = admins, operators
GroupList = local_admins,local_operators
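The parser below is an added example, not code from the Eloquence product, that models the file format described above (sections in square brackets, case-insensitive application ids, `#` comments, double-quoted values) and the UserList / GroupList rules, including how repeated entries are combined. The sample file content is constructed for the example; the assumption that UserList and GroupList are independent restrictions which both apply when both are configured is mine.

```python
import re
from collections import defaultdict

# Constructed sample eloqsd.app content (not the shipped template) reusing the
# UserList/GroupList values from the documentation examples.
SAMPLE_APP_FILE = """\
# comment line
[default]
#UserList =

[Payroll,APP]
UserList = bob          # trailing comment
UserList = joe, teresa
GroupList = admins, operators
GroupList = local_admins,local_operators
Command = -t -log "/tmp/trace dir/trace.log"
Command = PROG,APP
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")


def _strip_comment(line):
    """Drop everything after '#', except inside a double-quoted value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_eloqsd_app(text):
    """Parse eloqsd.app text into {app_id_lowercase: {item_lowercase: [values]}}.

    Section names are stored lowercased because the app id is not case
    sensitive. Every item keeps a list of values in file order, since Command,
    Env, EnvPass, UserList, GroupList, AllowFrom and DenyFrom may repeat.
    """
    apps = {}
    current = None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            apps.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        value = value.strip()
        # a fully double-quoted value keeps its leading/trailing spaces
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        apps[current][key.strip().lower()].append(value)
    return {app: dict(items) for app, items in apps.items()}


def comma_list(values):
    """Flatten combined comma-separated entries (UserList, GroupList, EnvPass)."""
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def user_may_start(apps, app_id, user, user_groups):
    """Apply the UserList / GroupList rules for one connecting user.

    The app is looked up case-insensitively and falls back to [default] when
    it is not explicitly configured. If UserList is configured the user must
    be listed; if GroupList is configured the user must belong to a listed
    group. Assumption: both checks apply when both items are configured.
    """
    items = apps.get(app_id.lower(), apps.get("default"))
    if items is None:
        return False  # no matching section and no [default]: nothing to start
    if "userlist" in items and user not in comma_list(items["userlist"]):
        return False
    if "grouplist" in items and not set(user_groups) & set(comma_list(items["grouplist"])):
        return False
    return True


if __name__ == "__main__":
    apps = parse_eloqsd_app(SAMPLE_APP_FILE)
    print(comma_list(apps["payroll,app"]["userlist"]))
    print(user_may_start(apps, "PAYROLL,APP", "teresa", ["operators"]))
```

Note that a [default] section whose items are all commented out parses to an empty item dict, which is exactly why it grants every user access in the backward-compatibility case described later on this page.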

AllowFrom, DenyFrom
The AllowFrom and DenyFrom items restrict access to an application based on the client IP address or an IP address range.

AllowFrom / DenyFrom argument syntax:

{ All | hostname | ip-address [/{addrbits|netmask}] }
  • Multiple AllowFrom / DenyFrom entries are recognized and combined.

  • hostname is the name of a host or network that is resolved into one or more ip addresses.

  • ip-address is either an IPv4 or IPv6 address.

    • An IPv6 address, enclosed in square brackets, such as [::1]. The addrbits option may be used to specify the number of relevant bits in the IP address.

    • An IPv4 address, such as 127.0.0.1. The addrbits option may be used to specify the number of relevant bits in the IP address. The netmask option allows specifying an IPv4 network mask, such as 255.255.255.0.

If neither AllowFrom nor DenyFrom is configured, access to an application is enabled from any IP address (implied AllowFrom=All).
If AllowFrom and/or DenyFrom are configured, access to an application is denied unless specifically allowed (implied DenyFrom=All).

The example below restricts access to the local system (localhost) as well as the network 192.168.1.1 to 192.168.1.254 except the 192.168.1.22 address:

AllowFrom = localhost
AllowFrom = 192.168.1.0/24
DenyFrom  = 192.168.1.22
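As an added example (not code from the eloqsd server), the following Python models the AllowFrom / DenyFrom evaluation described above using the standard `ipaddress` module: the argument syntax with `All`, bracketed IPv6 literals, addrbits and IPv4 netmasks, the implied `AllowFrom=All` when nothing is configured, and the implied `DenyFrom=All` once any rule exists. Two points are assumptions of mine rather than statements of the page: a matching DenyFrom wins over a matching AllowFrom (which is what the localhost / 192.168.1.0/24 / 192.168.1.22 example implies), and host names are resolved from a constructed table instead of DNS so that the example runs offline.

```python
import ipaddress

# Constructed stand-in for DNS resolution so the example runs offline (assumption).
HOSTS = {
    "localhost": ["127.0.0.1", "::1"],
}


def parse_address_rule(rule):
    """Turn one AllowFrom/DenyFrom argument into a list of ip_network objects.

    Syntax from the documentation: { All | hostname | ip-address [/{addrbits|netmask}] }
    IPv6 literals are written in square brackets, e.g. [::1]. Returns None for
    'All', which matches every client address. A netmask suffix is only valid
    for IPv4; ipaddress raises ValueError for an IPv6 netmask, which is left
    to propagate as a configuration error.
    """
    rule = rule.strip()
    if rule.lower() == "all":
        return None
    addr, sep, suffix = rule.partition("/")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # not a literal address: treat it as a host name and resolve it
        resolved = HOSTS.get(addr.lower())
        if resolved is None:
            raise ValueError(f"unresolvable host in rule: {rule!r}")
        return [ipaddress.ip_network(a) for a in resolved]
    if not sep:
        return [ipaddress.ip_network(str(ip))]
    # suffix is either addrbits (e.g. /24, /64) or an IPv4 netmask (/255.255.255.0);
    # strict=False tolerates host bits set in the address part
    return [ipaddress.ip_network(f"{ip}/{suffix}", strict=False)]


def _matches(rule, ip):
    nets = parse_address_rule(rule)
    if nets is None:
        return True
    return any(ip.version == net.version and ip in net for net in nets)


def client_allowed(allow_from, deny_from, client_ip):
    """Decide whether a client address may reach the application.

    Neither item configured: access from any address (implied AllowFrom=All).
    Any item configured: denied unless an AllowFrom rule matches (implied
    DenyFrom=All). Assumption: a matching DenyFrom overrides AllowFrom, so a
    single address can be carved out of an allowed network.
    """
    ip = ipaddress.ip_address(client_ip)
    if not allow_from and not deny_from:
        return True
    if any(_matches(rule, ip) for rule in deny_from):
        return False
    return any(_matches(rule, ip) for rule in allow_from)


if __name__ == "__main__":
    # the documentation example: localhost plus 192.168.1.0/24, minus 192.168.1.22
    allow = ["localhost", "192.168.1.0/24"]
    deny = ["192.168.1.22"]
    for client in ("127.0.0.1", "::1", "192.168.1.10", "192.168.1.22", "10.0.0.5"):
        print(client, client_allowed(allow, deny, client))
```

A deny-only configuration is the easy mistake here: because any configured rule implies `DenyFrom=All`, listing a single address under DenyFrom without any AllowFrom blocks every client, not just the one listed.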

Execute
By default, the eloqsd server starts an application using the eloqcore executable located in the Eloquence bin directory.

The Execute item, if configured, allows specifying a different executable. This could be used, for example, to start the Eloquence dbutil program or to invoke a shell script that wraps the eloqcore executable.

The eloqsd.app configuration below would start the Eloquence dbutil utility from a JDLG client located on the local system (localhost) or the network 192.168.1.1 to 192.168.1.254:

[dbutil]
Execute = /opt/eloquence/8.2/bin/dbutil
Env = DLG=$peer_addr
EnvPass = DLG
Command = -D $(DLG)
AllowFrom = localhost
AllowFrom = 192.168.1.0/24

UMask (HP-UX and Linux)
Sets the file mode creation mask (umask) for the application process. The default umask is inherited from the eloqsd main process (typically the system default, 0022, user-only writable).

For example:

UMask = 0002 (user+group writable)

Token resolving

The Command, Env, StartDir and TTY items may use the tokens listed below, which are resolved when the application is started:
$peer_addr
The client IP address

$peer_name
The client host name

$user_name
The user name

$(VARIABLENAME)
The value of an environment variable, including any variable passed from the client (depending on the EnvPass configuration) or specified with the Env item.
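The following added example (mine, not code from the eloqsd server) works through the Env / EnvPass precedence rules from the EnvPass section together with the token resolving just described: client variables are filtered by EnvPass, an empty EnvPass drops everything, a passed variable overrides an Env value of the same name, and `$peer_addr`, `$user_name` and `$(VARIABLENAME)` are substituted before the Command line is assembled. The peer values are constructed; assumptions of mine are that Command entries are joined with a single space, that `$(VARIABLENAME)` expands to an empty string when the variable is unset, and that an Env value is resolved against the variables already passed or defined before it.

```python
import re
import shlex

# Constructed connection details standing in for what eloqsd knows about the client.
PEER = {"peer_addr": "192.0.2.7", "peer_name": "client.example.net", "user_name": "bob"}

_TOKEN_RE = re.compile(r"\$\((\w+)\)|\$(peer_addr|peer_name|user_name)")


def resolve_tokens(text, peer, env):
    """Substitute $peer_addr, $peer_name, $user_name and $(VARIABLENAME)."""
    def sub(match):
        if match.group(1):
            # assumption: an unset environment variable expands to ""
            return env.get(match.group(1), "")
        return peer[match.group(2)]
    return _TOKEN_RE.sub(sub, text)


def build_environment(env_items, envpass_items, client_env, peer):
    """Combine Env and EnvPass entries with the variables a client passed.

    envpass_items is None when EnvPass is not configured (all client variables
    pass), otherwise the list of EnvPass values; [""] models 'configured but
    empty', which drops every client variable. Client variables take
    precedence over Env values of the same name, so Env acts as a fallback.
    """
    if envpass_items is None:
        passed = dict(client_env)
    else:
        allowed = {n.strip() for item in envpass_items for n in item.split(",") if n.strip()}
        passed = {k: v for k, v in client_env.items() if k in allowed}
    env = dict(passed)
    for item in env_items:
        name, _, value = item.partition("=")
        name = name.strip()
        if name in passed:
            continue  # client value wins; the Env entry is only a fallback
        env[name] = resolve_tokens(value.strip(), peer, env)
    return env


def build_command(command_items, peer, env):
    """Concatenate Command entries in order (assumption: space-joined) and resolve tokens."""
    return " ".join(resolve_tokens(item, peer, env) for item in command_items)


def command_argv(command_items, peer, env):
    """Split the resolved command line on spaces, honouring single/double quotes."""
    return shlex.split(build_command(command_items, peer, env))


if __name__ == "__main__":
    env_items = ["DLG=$peer_addr", "HOME=/home/$user_name"]
    # client passes DLG (listed in EnvPass) and TERM (not listed, so dropped)
    env = build_environment(env_items, ["DLG"], {"DLG": "host1:9001", "TERM": "xterm"}, PEER)
    print(env)
    print(build_command(["-dlg $(DLG) EXAMPLE,APP"], PEER, env))
```

Running the block with a client that does not pass DLG shows the fallback: DLG becomes the peer address from the Env entry, and the resulting command line is `-dlg 192.0.2.7 EXAMPLE,APP`.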

Backward Compatibility

The predefined [default] section is used as a fallback when an application is not explicitly configured.

The eloqsd.app configuration template file defines an empty [default] section to provide full backward compatibility for existing applications:

[default]
#UserList =
#GroupList =
#AllowFrom =
#DenyFrom =
Because no Command or EnvPass items are defined, the client command line and environment variables are passed to the application.

As shown above, the [default] section contains UserList, GroupList, AllowFrom and DenyFrom items which are commented out but may be enabled as needed to restrict backward compatibility to specific users or groups or client IP addresses.

Please note: For security reasons, it is recommended to add a specific configuration for each application and then to remove or comment out the [default] section.

Example

[EXAMPLE,APP]
Env = DLG=$peer_addr
Env = HOME=/home/$user_name
EnvPass = DLG
Command = -dlg $(DLG) EXAMPLE,APP
The example configuration defines a program named EXAMPLE located in the APP volume (client command line: EXAMPLE,APP).

It allows the DLG environment variable to be passed from the client. On a JDLG client, DLG would typically be set to $host:$port. If DLG is not set by the client, an Env configuration makes sure it is set to the peer address. The DLG variable is then used with the -dlg command line option when starting the EXAMPLE,APP program.

Changes

The B.08.40 release added support for the UMask config item.

The B.08.30 release added support for IPv6 and for using host names in the AllowFrom and DenyFrom config items.

eloqsd.app template file

A default configuration file eloqsd.app is installed and may be customized. A template eloqsd.app config file is installed as newconfig/config/eloqsd.app.

# @(#) eloqsd.app - B.08.40 ($Revision: 29.4 $)
#
# The purpose of this file is to configure the applications
# a client is permitted to start through the eloqsd server.
# It is installed in the location:
# /etc/opt/eloquence/8.4/eloqsd.app
#
# This file is read at the startup time of the eloqsd process.
# Changes are automatically detected and honored.
#
# Format:
#
# The section names are not case sensitive. String values can be
# enclosed in double quotes to protect leading or trailing spaces.
# Everything after a hash (#) character is considered a comment.
#
# Each application definition is a different section.
#
# The app_id matches the last component of the command line that
# a client submits. Typically, this is an Eloquence program name.
#
# The following configuration items are recognized for each section:
#
# [app_id]
#
# Command   Specifies the command line to start the application.
#           If configured, it replaces the command line that a
#           client submits.
#
#           Command line arguments are separated with spaces. If an
#           argument contains space characters it should be enclosed
#           in single or double quotes.
#
#           Token resolving:
#
#           $peer_addr - client IP address
#           $peer_name - client host name
#           $user_name - user name
#
#           $(VARIABLENAME) - value of an environment variable,
#           including any variable passed from the client (depending
#           on the EnvPass configuration, see below) or specified
#           with the Env configuration (see below).
#
#           Multiple Command entries are recognized. The command
#           line is formed by concatenating the Command entries
#           in the specified order.
#
# Env       Specifies an environment variable to be passed to the
#           application. Token resolving is applied as explained
#           in the Command section above.
#           Note: Variables passed from the client take precedence,
#           as explained in the EnvPass section below.
#           Multiple Env entries are recognized and combined.
#
# EnvPass   Comma-separated list of environment variable names.
#           The corresponding variables are allowed to be passed
#           from the client. If configured, any variable a client
#           passes must be listed, otherwise it is not passed to
#           the application. If configured but empty, no variables
#           are allowed to pass from the client.
#
#           Note: Variables passed from the client take precedence
#           over variables having the same name that are specified
#           with the Env configuration (see above). This allows to
#           configure a fallback for variables a client might pass.
#
#           Multiple EnvPass entries are recognized and combined.
#
# StartDir  Used to set the current directory where an application
#           is started. Overrides the startdir a client may have
#           passed. Token resolving is applied as explained in the
#           Command section above.
#           Note: If Command is configured, the startdir a client
#           may have passed is never used.
#
# TTY       Supports character mode application debugging, redirects
#           an application's stdin, stdout and stderr to the specified
#           TTY device. Overrides the TTY setting a client may have
#           passed. Token resolving is applied as explained in the
#           Command section above.
#
# UserList  Comma-separated list of user names. If configured, the
#           connecting user must be listed, otherwise the user is
#           not allowed to start an application.
#           Multiple UserList entries are recognized and combined.
#
# GroupList Comma-separated list of group names. If configured, the
#           connecting user must be member of a group that is listed,
#           otherwise the user is not allowed to start an application.
#           Multiple GroupList entries are recognized and combined.
#
# AllowFrom Used to enable or reject access to an application based
# DenyFrom  on the client network address.
#
#           AllowFrom/DenyFrom argument syntax:
#           { All | hostname | ip-address [/{addrbits|netmask}] }
#
#           Multiple AllowFrom/DenyFrom entries are
#           recognized and combined.
#
#           hostname is the name of a host or network that is resolved
#           into one or more ip addresses.
#
#           ip-address is either an IPv4 or IPv6 address.
#
#           * An IPv6 address, enclosed in square brackets, such
#           as [::1]. The addrbits option may be used to specify
#           the number of relevant bits in the IP address.
#
#           * An IPv4 address, such as 127.0.0.1. The addrbits option
#           may be used to specify the number of relevant bits in the
#           IP address. The netmask option allows to specify an IPv4
#           network mask, such as 255.255.255.0.
#
#           If neither AllowFrom nor DenyFrom are configured, access
#           to an application is enabled from all network addresses
#           (implied AllowFrom=All).
#
#           If AllowFrom and/or DenyFrom are configured, access to an
#           application is denied unless specifically allowed
#           (implied DenyFrom=All).
#
# Execute   If configured, specifies the executable to start the
#           application. By default, this is the eloqcore executable
#           located in the Eloquence bin directory.
#
# UMask     Sets the file mode creation mask (umask) for the application
#           process. The default umask is inherited from the eloqsd main
#           process (typically 0022, user-only writable).
#
#           For example: UMask = 0002 (user+group writable)
#
# The predefined [default] section, if configured, is used whenever
# an application is not explicitly configured.
#
# The [default] section below is configured for backward compatibility
# to retain the previous eloqsd behavior, where any client may start
# any application. The UserList/GroupList/AllowFrom/DenyFrom items may
# be configured to restrict this to specific users or groups or client
# IP addresses.
#
# For security reasons, it is recommended to add a specific configuration
# for each application and then to remove or comment out the [default]
# section below.

[default]
#UserList =
#GroupList =
#AllowFrom =
#DenyFrom =

# The example configuration below matches a program named EXAMPLE
# located in the APP volume (client command line: EXAMPLE,APP)
#
# It allows the DLG environment variable to be passed from the client.
# On a JDLG client, DLG would typically be set to $host:$port. If DLG
# is not set by the client, an Env configuration makes sure it is set
# to the peer address. The DLG variable is then used with the -dlg
# command line option when starting the EXAMPLE,APP program.

#[EXAMPLE,APP]
#Env = DLG=$peer_addr
#Env = HOME=/home/$user_name
#EnvPass = DLG
#Command = -dlg $(DLG) EXAMPLE,APP

# The [dbutil] configuration below could be used to start the Eloquence
# dbutil program from a webdlg session. It is recommended to require a
# login to limit the access.
#
# Corresponding WEBDLG application configuration:
#[DBUTIL]
#Command = dbutil
#WindowFeatures.HELP = popup,width=800,height=600

#[dbutil]
#Execute = /opt/eloquence/8.4/bin/dbutil
#The Command option is required to reset the default command line
#Command=
#AllowFrom = localhost
#UserList=

See also

eloqsd eloqsd.cfg
eloqsd application configuration (B.08.20 release notes)

Revision: [B.08.40] 2024-05-31
Copyright © 1995-2024 Marxmeier Software AG