The eloqsd.app application configuration allows a server-side
definition of the applications a specific user or client is permitted
to start, including the command line and environment variables, and
of which environment variables are allowed to be passed from the
client.
The name and path of the eloqsd.app configuration file may be
defined in the eloqsd.cfg
configuration file. It defaults to eloqsd.app in the
Eloquence configuration directory.
The eloqsd.app file defines any number of applications. Each application
uses a different section, enclosed in square brackets. The application id
is not case sensitive.
The following configuration items are recognized for each application:
- Command
  Specifies command line options that are used when starting the
  application. If configured, it replaces the command line that
  a client may submit.
  Command line arguments are separated with spaces. If an argument
  contains space characters it should be enclosed in single or
  double quotes. Token resolving is applied as explained below.
  Multiple Command entries are recognized. The command line is formed
  by concatenating the Command entries in the specified order.
  For example:
    Command = -t -log /tmp/trace.log
    Command = PROG,APP
- Env
  Specifies an environment variable to be passed to the
  application. Token resolving is applied as explained below.
  Note: Variables passed from the client take precedence, as
  explained in the EnvPass section below. Multiple Env entries
  are recognized and combined.
  For example:
    Env = HOME=/home/$user_name
    Env = EQPATH=/data/app/admin/prog:/data/app/common/prog
  This defines the environment variables HOME and EQPATH.
- EnvPass
  The EnvPass item restricts which environment variables are allowed
  to be passed from the client.
  If EnvPass is configured, any variable a client passes must be listed,
  otherwise it is not passed to the application. If EnvPass is
  configured but empty, all variables a client might pass are dropped.
  EnvPass accepts a comma-separated list of environment variable names.
  Multiple EnvPass entries are recognized and combined.
  Please note: Variables passed from the client take precedence over
  variables having the same name that are specified with the Env item.
  This allows configuring a fallback for variables a client might or
  might not pass.
  For example:
    Env = DLG=$peer_addr
    EnvPass = DLG
    Command = -dlg $(DLG) ADMIN,APP
  This allows the client to override the default value (the peer
  address) of the environment variable DLG by passing DLG itself.
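To make the Env / EnvPass / Command interplay concrete, here is an added model in Python (written for this page, not Eloquence code). It parses one eloqsd.app section and applies the rules stated in the text: the EnvPass filter, client precedence over Env defaults, concatenation of Command entries, and the $peer_addr, $user_name and $(VARIABLENAME) tokens used in the examples. The client data, the TZ variable and the DLG value are constructed; where the page is silent (what an unset $(NAME) expands to, whether a token in an Env value sees earlier entries, whether item names are case-sensitive) the code states its assumption in a comment.

```python
"""Model of how an eloqsd.app section combines Env, EnvPass and Command.
Added example for this page, not Eloquence code; the rules are the ones
stated in the text, and every gap the text leaves is marked as an assumption."""
import re

# Tokens named on this page: $(VARIABLENAME) or one of the three $-names.
TOKEN_RE = re.compile(r"\$\((\w+)\)|\$(peer_addr|peer_name|user_name)")


def parse_section(text):
    """Collect the 'Item = value' lines of one section, keeping repeated
    items in order. Text after '#' is a comment and the [name] line is
    skipped; item names are matched case-sensitively here (assumption)."""
    items = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        items.setdefault(name.strip(), []).append(value.strip())
    return items


def resolve_tokens(text, env, client):
    """Expand $peer_addr, $peer_name, $user_name and $(VARIABLENAME).
    Assumption: an unset $(NAME) expands to '' (the page does not say)."""
    def expand(match):
        if match.group(1):
            return env.get(match.group(1), "")
        return client[match.group(2)]
    return TOKEN_RE.sub(expand, text)


def build_start(items, client, client_env, client_cmdline):
    """Return (environment, command line) as the server would hand them
    to the application. client: dict with peer_addr, peer_name, user_name;
    client_env / client_cmdline: what the client submitted."""
    # 1. EnvPass: absent -> every client variable passes; present -> only
    #    the listed names pass, and an empty list drops all of them.
    if "EnvPass" in items:
        allowed = {n.strip() for v in items["EnvPass"]
                   for n in v.split(",") if n.strip()}
        env = {k: v for k, v in client_env.items() if k in allowed}
    else:
        env = dict(client_env)
    # 2. Env: server-side defaults; a passed client variable of the same
    #    name takes precedence. Assumption: tokens in an Env value see the
    #    variables defined before it (client ones and earlier Env lines).
    for entry in items.get("Env", []):
        name, _, value = entry.partition("=")
        name = name.strip()
        if name not in env:
            env[name] = resolve_tokens(value.strip(), env, client)
    # 3. Command: configured entries are concatenated in order and replace
    #    the client command line; without Command the client line is used.
    if "Command" in items:
        cmdline = " ".join(resolve_tokens(c, env, client)
                           for c in items["Command"])
    else:
        cmdline = client_cmdline
    return env, cmdline


# The page's [EXAMPLE,APP] section and a constructed client.
EXAMPLE_SECTION = """
[EXAMPLE,APP]
Env = DLG=$peer_addr
Env = HOME=/home/$user_name
EnvPass = DLG
Command = -dlg $(DLG) EXAMPLE,APP
"""
CLIENT = {"peer_addr": "192.168.1.10", "peer_name": "pc10.example.net",
          "user_name": "bob"}


def example_without_dlg():
    """Client does not pass DLG: the Env fallback (peer address) is used,
    and TZ is dropped because EnvPass does not list it."""
    return build_start(parse_section(EXAMPLE_SECTION), CLIENT,
                       {"TZ": "UTC"}, "EXAMPLE,APP")


def example_with_dlg():
    """Client passes DLG (a JDLG client sets it to $host:$port): the client
    value wins over the Env default and reaches the -dlg option."""
    return build_start(parse_section(EXAMPLE_SECTION), CLIENT,
                       {"DLG": "pc10.example.net:4321"}, "EXAMPLE,APP")


if __name__ == "__main__":
    for fn in (example_without_dlg, example_with_dlg):
        env, cmd = fn()
        print(fn.__name__, env, cmd)
```

Running the two example functions shows the fallback in action: without a client DLG the command line becomes `-dlg 192.168.1.10 EXAMPLE,APP`, with one it carries the client's value, and in both cases anything not listed in EnvPass never reaches the process. The same function can be pointed at any section of a real eloqsd.app to check what a given client could actually influence before the section goes live.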
- StartDir
  The StartDir item may be used to set the current directory
  where an application is started. This overrides the start
  directory a client may have passed. Token resolving is applied.
  Please note: If the Command item is configured, the start
  directory a client may pass is always ignored.
- TTY (HP-UX and Linux)
  On HP-UX and Linux, the TTY item supports character mode application
  debugging by redirecting an application's stdin, stdout and stderr
  streams to the specified TTY device. This overrides the TTY setting
  a client may have passed. Token resolving is applied.
- UserList
  UserList is a comma-separated list of user names that
  are allowed to access an application.
  If UserList is configured, the connecting user must be
  listed, otherwise access to the application is denied.
  Multiple UserList entries are recognized and combined.
  The user names refer to the configured users in the
  eloqsd.user file or, if
  PAM authentication is used (on HP-UX or Linux), to (selected)
  operating system users.
  The example below defines a UserList that restricts access
  to the users "bob", "joe" and "teresa":
    UserList = bob
    UserList = joe, teresa
- GroupList
  GroupList accepts a comma-separated list of group names
  that are allowed to access an application.
  If GroupList is configured, the connecting user must be
  a member of a group that is listed, otherwise access to the
  application is denied.
  Multiple GroupList entries are recognized and combined.
  The group names refer to GroupList entries of the configured
  users in the eloqsd.user file or,
  if PAM authentication is used (on HP-UX or Linux), to operating
  system groups associated with the connecting user.
  The example below defines a GroupList that restricts access
  to users that belong to the groups "admins", "operators",
  "local_admins", or "local_operators":
    GroupList = admins, operators
    GroupList = local_admins,local_operators
- AllowFrom, DenyFrom
  The AllowFrom and DenyFrom items restrict access
  to an application based on the client IP address or an IP address range.
  AllowFrom / DenyFrom argument syntax:
    { All | hostname | ip-address [/{addrbits|netmask}] }
  - Multiple AllowFrom / DenyFrom entries are recognized
    and combined.
  - hostname is the name of a host or network that is resolved into one
    or more IP addresses.
  - ip-address is either an IPv4 or IPv6 address:
    - An IPv6 address, enclosed in square brackets, such as [::1].
      The addrbits option may be used to specify the number of relevant
      bits in the IP address.
    - An IPv4 address, such as 127.0.0.1. The addrbits option may be used
      to specify the number of relevant bits in the IP address.
      The netmask option allows specifying an IPv4 network mask, such as
      255.255.255.0.
  If neither AllowFrom nor DenyFrom is configured,
  access to an application is enabled from any IP address
  (implied AllowFrom=All).
  If AllowFrom and/or DenyFrom are configured,
  access to an application is denied unless specifically allowed
  (implied DenyFrom=All).
  The example below restricts access to the local system
  (localhost) as well as the network 192.168.1.1
  to 192.168.1.254 except the 192.168.1.22 address:
    AllowFrom = localhost
    AllowFrom = 192.168.1.0/24
    DenyFrom = 192.168.1.22
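The two implied defaults (AllowFrom=All when nothing is configured, DenyFrom=All as soon as anything is) are easy to misread, so here is an added Python evaluator for the AllowFrom / DenyFrom rules (written for this page, not Eloquence code). It accepts the argument syntax above, including bracketed IPv6 literals, addrbits and the dotted IPv4 netmask form, and applies the example's three entries to a few constructed client addresses. Host names are resolved through a constructed lookup table so that the script runs offline; the real server would use the system resolver. One point the text does not state outright but its example implies is taken as an assumption: a matching DenyFrom entry overrides a matching AllowFrom entry.

```python
"""Evaluator for the AllowFrom / DenyFrom rules described on this page.
Added example, not Eloquence code; name resolution is replaced by a
constructed table so the script runs offline."""
import ipaddress

# Constructed stand-in for DNS (assumption: eloqsd resolves host names
# through the system resolver; this table only makes the example offline).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "admin-pc.example.net": ["192.168.1.22"],
}


def parse_entry(entry, resolve=FAKE_DNS.get):
    """Turn one AllowFrom/DenyFrom argument into a list of networks.
    Syntax from the page: { All | hostname | ip-address [/{addrbits|netmask}] }
    An IPv6 literal is written in square brackets, e.g. [::1] or [fd00::]/64;
    the dotted netmask form is only meaningful for IPv4."""
    entry = entry.strip()
    if entry.lower() == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    addr, sep, suffix = entry.partition("/")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]  # drop the IPv6 brackets
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not a literal: treat it as a host or network name to be resolved.
        resolved = resolve(addr)
        if not resolved:
            raise ValueError(f"cannot resolve {addr!r}")
        return [ipaddress.ip_network(a) for a in resolved]
    if not sep:
        return [ipaddress.ip_network(str(ip))]  # single host
    # suffix is addrbits (prefix length) or an IPv4 dotted netmask; ip_network
    # understands both, and strict=False tolerates host bits in the address.
    return [ipaddress.ip_network(f"{ip}/{suffix}", strict=False)]


def client_allowed(client_ip, allow_from=(), deny_from=(), resolve=FAKE_DNS.get):
    """Apply the page's decision rules to one client address:
    - no AllowFrom and no DenyFrom: allowed from anywhere (implied AllowFrom=All)
    - any entry configured: denied unless an AllowFrom entry matches
      (implied DenyFrom=All), so DenyFrom on its own denies every client
    Assumption taken from the page's example (AllowFrom 192.168.1.0/24 with
    DenyFrom 192.168.1.22): a matching DenyFrom entry overrides AllowFrom."""
    ip = ipaddress.ip_address(client_ip)
    if not allow_from and not deny_from:
        return True

    def matches(entries):
        # 'ip in net' is False when the address families differ, so IPv4
        # and IPv6 entries can be mixed freely in one list.
        return any(ip in net for e in entries for net in parse_entry(e, resolve))

    if matches(deny_from):
        return False
    return matches(allow_from)


# The page's own example: localhost plus 192.168.1.0/24 except .22
EXAMPLE_ALLOW = ["localhost", "192.168.1.0/24"]
EXAMPLE_DENY = ["192.168.1.22"]


def evaluate_example(addresses=("127.0.0.1", "::1", "192.168.1.10",
                                "192.168.1.22", "10.0.0.5")):
    """Decision for each constructed client address under the page's example."""
    return {a: client_allowed(a, EXAMPLE_ALLOW, EXAMPLE_DENY) for a in addresses}


if __name__ == "__main__":
    for addr, ok in evaluate_example().items():
        print(f"{addr:>14}  {'allow' if ok else 'deny'}")
```

Two results are worth checking against an intended policy before deploying a section: a section containing only DenyFrom entries admits nobody, and a broad AllowFrom such as All is still narrowed by every DenyFrom entry. Feeding the evaluator the addresses that are supposed to reach an application, and a few that are not, is a cheap way to confirm that.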
- Execute
  By default, the eloqsd server starts an application using the
  eloqcore executable located in the Eloquence bin directory.
  The Execute item, if configured, allows specifying a different
  executable. This could be used, for example, to start the
  Eloquence dbutil program or to invoke a shell script that wraps
  the eloqcore executable.
  The eloqsd.app configuration below would start the Eloquence dbutil
  utility from a JDLG client located on the local
  system (localhost) or the network 192.168.1.1 to 192.168.1.254:
    [dbutil]
    Execute = /opt/eloquence/8.2/bin/dbutil
    Env = DLG=$peer_addr
    EnvPass = DLG
    Command = -D $(DLG)
    AllowFrom = localhost
    AllowFrom = 192.168.1.0/24
- UMask (HP-UX and Linux)
  Sets the file mode creation mask (umask) for the application
  process. The default umask is inherited from the eloqsd main
  process (typically the system default, 0022, user-only writable).
  For example:
    UMask = 0002 (user+group writable)
The Command, Env, StartDir and TTY items
may use the tokens listed below, which are resolved when the application
is started:
- $peer_addr
  The client IP address
- $peer_name
  The client host name
- $user_name
  The user name
- $(VARIABLENAME)
  The value of an environment variable, including any variable
  passed from the client (depending on the EnvPass configuration)
  or specified with the Env item.
The predefined [default] section is used as a fallback when
an application is not explicitly configured.
The eloqsd.app configuration template file defines an empty
[default] section to provide full backward compatibility for
existing applications:
  [default]
  #UserList =
  #GroupList =
  #AllowFrom =
  #DenyFrom =
Because no Command or EnvPass items are defined, the client
command line and environment variables are passed to the
application.
As shown above, the [default] section contains UserList,
GroupList, AllowFrom and DenyFrom items which are commented
out but may be enabled as needed to restrict backward compatibility
to specific users or groups or client IP addresses.
Please note: For security reasons, it is recommended to add a specific
configuration for each application and then to remove or comment
out the [default] section.
  [EXAMPLE,APP]
  Env = DLG=$peer_addr
  Env = HOME=/home/$user_name
  EnvPass = DLG
  Command = -dlg $(DLG) EXAMPLE,APP
The example configuration defines a program named EXAMPLE
located in the APP volume (client command line: EXAMPLE,APP).
It allows the DLG environment variable to be passed from the client.
On a JDLG client, DLG would typically be set to $host:$port. If DLG
is not set by the client, an Env configuration makes sure it is set
to the peer address. The DLG variable is then used with the -dlg
command line option when starting the EXAMPLE,APP program.
Changes
The B.08.40 release added support for the UMask config item.
The B.08.30 release added support for IPv6 and for using host names
in the AllowFrom and DenyFrom config items.
eloqsd.app template file
A default configuration file eloqsd.app is installed and may be customized.
A template eloqsd.app config file is installed as
newconfig/config/eloqsd.app.
# @(#) eloqsd.app - B.08.40 ($Revision: 29.4 $)
#
# The purpose of this file is to configure the applications
# a client is permitted to start through the eloqsd server.
# It is installed in the location:
# /etc/opt/eloquence/8.4/eloqsd.app
#
# This file is read at the startup time of the eloqsd process.
# Changes are automatically detected and honored.
#
# Format:
#
# The section names are not case sensitive. String values can be
# enclosed in double quotes to protect leading or trailing spaces.
# Everything after a hash (#) character is considered a comment.
#
# Each application definition is a different section.
#
# The app_id matches the last component of the command line that
# a client submits. Typically, this is an Eloquence program name.
#
# The following configuration items are recognized for each section:
#
# [app_id]
#
# Command Specifies the command line to start the application.
# If configured, it replaces the command line that a
# client submits.
#
# Command line arguments are separated with spaces. If an
# argument contains space characters it should be enclosed
# in single or double quotes.
#
# Token resolving:
#
# $peer_addr - client IP address
# $peer_name - client host name
# $user_name - user name
#
# $(VARIABLENAME) - value of an environment variable,
# including any variable passed from the client (depending
# on the EnvPass configuration, see below) or specified
# with the Env configuration (see below).
#
# Multiple Command entries are recognized. The command
# line is formed by concatenating the Command entries
# in the specified order.
#
# Env Specifies an environment variable to be passed to the
# application. Token resolving is applied as explained
# in the Command section above.
# Note: Variables passed from the client take precedence,
# as explained in the EnvPass section below.
# Multiple Env entries are recognized and combined.
#
# EnvPass Comma-separated list of environment variable names.
# The corresponding variables are allowed to be passed
# from the client. If configured, any variable a client
# passes must be listed, otherwise it is not passed to
# the application. If configured but empty, no variables
# are allowed to pass from the client.
#
# Note: Variables passed from the client take precedence
# over variables having the same name that are specified
# with the Env configuration (see above). This allows to
# configure a fallback for variables a client might pass.
#
# Multiple EnvPass entries are recognized and combined.
#
# StartDir Used to set the current directory where an application
# is started. Overrides the startdir a client may have
# passed. Token resolving is applied as explained in the
# Command section above.
# Note: If Command is configured, the startdir a client
# may have passed is never used.
#
# TTY Supports character mode application debugging, redirects
# an application's stdin, stdout and stderr to the specified
# TTY device. Overrides the TTY setting a client may have
# passed. Token resolving is applied as explained in the
# Command section above.
#
# UserList Comma-separated list of user names. If configured, the
# connecting user must be listed, otherwise the user is
# not allowed to start an application.
# Multiple UserList entries are recognized and combined.
#
# GroupList Comma-separated list of group names. If configured, the
# connecting user must be member of a group that is listed,
# otherwise the user is not allowed to start an application.
# Multiple GroupList entries are recognized and combined.
#
# AllowFrom Used to enable or reject access to an application based
# DenyFrom on the client network address.
#
# AllowFrom/DenyFrom argument syntax:
# { All | hostname | ip-address [/{addrbits|netmask}] }
#
# Multiple AllowFrom/DenyFrom entries are
# recognized and combined.
#
# hostname is the name of a host or network that is resolved
# into one or more ip addresses.
#
# ip-address is either an IPv4 or IPv6 address.
#
# * An IPv6 address, enclosed in square brackets, such
# as [::1]. The addrbits option may be used to specify
# the number of relevant bits in the IP address.
#
# * An IPv4 address, such as 127.0.0.1. The addrbits option
# may be used to specify the number of relevant bits in the
# IP address. The netmask option allows to specify an IPv4
# network mask, such as 255.255.255.0.
#
# If neither AllowFrom nor DenyFrom is configured, access
# to an application is enabled from all network addresses
# (implied AllowFrom=All).
#
# If AllowFrom and/or DenyFrom are configured, access to an
# application is denied unless specifically allowed
# (implied DenyFrom=All).
#
# Execute If configured, specifies the executable to start the
# application. By default, this is the eloqcore executable
# located in the Eloquence bin directory.
#
# UMask Sets the file mode creation mask (umask) for the application
# process. The default umask is inherited from the eloqsd main
# process (typically 0022, user-only writable).
#
# For example: UMask = 0002 (user+group writable)
#
# The predefined [default] section, if configured, is used whenever
# an application is not explicitly configured.
#
# The [default] section below is configured for backward compatibility
# to retain the previous eloqsd behavior, where any client may start
# any application. The UserList/GroupList/AllowFrom/DenyFrom items may
# be configured to restrict this to specific users or groups or client
# IP addresses.
#
# For security reasons, it is recommended to add a specific configuration
# for each application and then to remove or comment out the [default]
# section below.
[default]
#UserList =
#GroupList =
#AllowFrom =
#DenyFrom =
# The example configuration below matches a program named EXAMPLE
# located in the APP volume (client command line: EXAMPLE,APP)
#
# It allows the DLG environment variable to be passed from the client.
# On a JDLG client, DLG would typically be set to $host:$port. If DLG
# is not set by the client, an Env configuration makes sure it is set
# to the peer address. The DLG variable is then used with the -dlg
# command line option when starting the EXAMPLE,APP program.
#[EXAMPLE,APP]
#Env = DLG=$peer_addr
#Env = HOME=/home/$user_name
#EnvPass = DLG
#Command = -dlg $(DLG) EXAMPLE,APP
# The [dbutil] configuration below could be used to start the Eloquence
# dbutil program from a webdlg session. It is recommended to require a
# login to limit the access.
#
# Corresponding WEBDLG application configuration:
#[DBUTIL]
#Command = dbutil
#WindowFeatures.HELP = popup,width=800,height=600
#[dbutil]
#Execute = /opt/eloquence/8.4/bin/dbutil
#The Command option is required to reset the default command line
#Command=
#AllowFrom = localhost
#UserList=
eloqsd
eloqsd.cfg
eloqsd application configuration (B.08.20 release notes)