diff options
Diffstat (limited to 'server')
| -rw-r--r-- | server/keytab-backend.8 | 216 | ||||
| -rw-r--r-- | server/wallet-admin.8 | 228 | ||||
| -rw-r--r-- | server/wallet-backend.8 | 407 | ||||
| -rw-r--r-- | server/wallet-report.8 | 333 |
4 files changed, 1184 insertions, 0 deletions
diff --git a/server/keytab-backend.8 b/server/keytab-backend.8 new file mode 100644 index 0000000..b143e46 --- /dev/null +++ b/server/keytab-backend.8 @@ -0,0 +1,216 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "KEYTAB-BACKEND 8" +.TH KEYTAB-BACKEND 8 "2014-12-08" "1.2" "wallet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +keytab\-backend \- Extract keytabs from the KDC without changing the key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBkeytab-backend\fR retrieve \fIprincipal\fR +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBkeytab-backend\fR retrieves a keytab for an existing principal from the +\&\s-1KDC\s0 database without changing the current key. It allows generation of a +keytab for a service without rekeying that service. It requires a +\&\fBkadmin.local\fR patched to support the \fB\-norandkey\fR option to \fBktadd\fR. +.PP +This script is intended to run under \fBremctld\fR. On success, it prints +the keytab to standard output, logs a success message to syslog (facility +auth, priority info), and exits with status 0. On failure, it prints out +an error message, logs an error to syslog (facility auth, priority err), +and exits with a non-zero status. +.PP +The principal is checked for basic sanity (only accepting alphanumerics, +\&\f(CW\*(C`_\*(C'\fR, and \f(CW\*(C`\-\*(C'\fR with an optional instance and then only alphanumerics, +\&\f(CW\*(C`_\*(C'\fR, \f(CW\*(C`\-\*(C'\fR, and \f(CW\*(C`.\*(C'\fR in the realm) and then checked against a +configuration file that lists regexes of principals that can be retrieved. +When deploying this software, limit as tightly as possible which +principals can be downloaded in this fashion. Generally only shared +service principals used on multiple systems should be made available in +this way. +.PP +\&\fBkeytab-backend\fR does not do any authorization checks. Those should be +done by \fBremctld\fR before it is called. +.SH "FILES" +.IX Header "FILES" +.IP "\fI/etc/krb5kdc/allow\-extract\fR" 4 +.IX Item "/etc/krb5kdc/allow-extract" +The configuration file that controls which principals can have their +keytabs retrieved. Blank lines and lines starting with \f(CW\*(C`#\*(C'\fR, as well as +anything after \f(CW\*(C`#\*(C'\fR on a line, are ignored. All other lines should be +Perl regular expressions, one per line, that match principals whose +keytabs can be retrieved by \fBkeytab-backend\fR. Any principal that does +not match one of those regular expressions cannot be retrieved. +.IP "\fI/var/lib/keytabs\fR" 4 +.IX Item "/var/lib/keytabs" +The temporary directory used for creating keytabs. \fBkeytab-backend\fR will +create the keytab in this directory, make sure that was successful, and +then delete the temporary file after the results have been sent to +standard output. +.SH "AUTHOR" +.IX Header "AUTHOR" +Russ Allbery <eagle@eyrie.org> +.SH "COPYRIGHT AND LICENSE" +.IX Header "COPYRIGHT AND LICENSE" +Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland +Stanford Junior University +.PP +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the \*(L"Software\*(R"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: +.PP +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +.PP +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIkadmin.local\fR\|(8), \fIremctld\fR\|(8) +.PP +This program is part of the wallet system. The current version is +available from <http://www.eyrie.org/~eagle/software/wallet/>. diff --git a/server/wallet-admin.8 b/server/wallet-admin.8 new file mode 100644 index 0000000..cc35d0e --- /dev/null +++ b/server/wallet-admin.8 @@ -0,0 +1,228 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "WALLET-ADMIN 8" +.TH WALLET-ADMIN 8 "2014-12-08" "1.2" "wallet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +wallet\-admin \- Wallet server administrative commands +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBwallet-admin\fR \fIcommand\fR [\fIargs\fR ...] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBwallet-admin\fR provides a command-line interface for performing +administrative actions for the wallet system, such as setting up a new +database or running reports. It is intended to be run on the wallet +server as a user with access to the wallet database and configuration. +.PP +This program is a fairly thin wrapper around Wallet::Admin that translates +command strings into method calls and returns the results. +.SH "OPTIONS" +.IX Header "OPTIONS" +\&\fBwallet-admin\fR takes no traditional options. +.SH "COMMANDS" +.IX Header "COMMANDS" +.IP "destroy" 4 +.IX Item "destroy" +Deletes all data in the wallet database and drops all of the +wallet-created tables, restoring the database to its state prior to an +\&\f(CW\*(C`initialize\*(C'\fR command. Since this command is destructive and cannot be +easily recovered from, \fBwallet-admin\fR will prompt first to be sure the +user intends to do this. +.IP "initialize <principal>" 4 +.IX Item "initialize <principal>" +Given an empty database, initializes it for use with the wallet server by +creating the necessary tables and initial metadata. Also creates an \s-1ACL\s0 +with the name \s-1ADMIN,\s0 used for administrative privileges to the wallet +system, and adds an \s-1ACL\s0 entry to it with a scheme of \f(CW\*(C`krb5\*(C'\fR and an +instance of <principal>. This bootstraps the authentication system and +allows that user to make further changes to the \s-1ADMIN ACL\s0 and the rest of +the wallet database. \f(CW\*(C`initialize\*(C'\fR uses \f(CW\*(C`localhost\*(C'\fR as the hostname and +<principal> as the user when logging the history of the \s-1ADMIN ACL\s0 creation +and for any subsequent actions required to initialize the database. +.Sp +Before running \f(CW\*(C`initialize\*(C'\fR, the wallet system has to be configured. See +\&\fIWallet::Config\fR\|(3) for more details. Depending on the database backend +used, the database may also have to be created in advance. +.IP "register (object | verifier) <type> <class>" 4 +.IX Item "register (object | verifier) <type> <class>" +Registers an implementation of a wallet object or \s-1ACL\s0 verifier in the +wallet database. The Perl class <class> is registered as the +implementation of an object of type <type> or an \s-1ACL\s0 verifier of scheme +<type>, allowing creation of objects with that type or \s-1ACL\s0 lines with that +scheme. +.Sp +All object and \s-1ACL\s0 implementations that come with wallet are registered by +default as part of database initialization, so this command is used +primarily to register local implementations of additional object types or +\&\s-1ACL\s0 schemes. +.IP "upgrade" 4 +.IX Item "upgrade" +Upgrades the database to the latest schema version, preserving data as +much as possible. +.SH "AUTHOR" +.IX Header "AUTHOR" +Russ Allbery <eagle@eyrie.org> +.SH "COPYRIGHT AND LICENSE" +.IX Header "COPYRIGHT AND LICENSE" +Copyright 2008, 2009, 2010, 2011, 2013 The Board of Trustees of the Leland +Stanford Junior University +.PP +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the \*(L"Software\*(R"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: +.PP +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +.PP +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIWallet::Admin\fR\|(3), \fIWallet::Config\fR\|(3), \fIwallet\-backend\fR\|(8) +.PP +This program is part of the wallet system. The current version is +available from <http://www.eyrie.org/~eagle/software/wallet/>. diff --git a/server/wallet-backend.8 b/server/wallet-backend.8 new file mode 100644 index 0000000..f1544ac --- /dev/null +++ b/server/wallet-backend.8 @@ -0,0 +1,407 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "WALLET-BACKEND 8" +.TH WALLET-BACKEND 8 "2014-12-08" "1.2" "wallet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +wallet\-backend \- Wallet server for storing and retrieving secure data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBwallet-backend\fR [\fB\-q\fR] \fIcommand\fR [\fIargs\fR ...] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBwallet-backend\fR implements the interface between \fBremctld\fR and the +wallet system. It is written to run under \fBremctld\fR and expects the +authenticated identity of the remote user in the \s-1REMOTE_USER\s0 environment +variable. It uses \s-1REMOTE_HOST\s0 or \s-1REMOTE_ADDR\s0 if \s-1REMOTE_HOST\s0 isn't set for +additional trace information. It accepts the command from \fBremctld\fR on +the command line, creates a Wallet::Server object, and calls the +appropriate methods. +.PP +This program is a fairly thin wrapper around Wallet::Server that +translates command strings into method calls and returns the results. It +does check all arguments except for the <data> argument to the store +command and rejects any argument not matching \f(CW\*(C`^[\ew_/.\-]+\ez\*(C'\fR; in other +words, only alphanumerics, underscore (\f(CW\*(C`_\*(C'\fR), slash (\f(CW\*(C`/\*(C'\fR), period (\f(CW\*(C`.\*(C'\fR), +and hyphen (\f(CW\*(C`\-\*(C'\fR) are permitted in arguments. This provides some +additional security over and above the checking already done by the rest +of the wallet code. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-\-quiet\fR, \fB\-q\fR" 4 +.IX Item "--quiet, -q" +If this option is given, \fBwallet-backend\fR will not log its actions to +syslog. +.SH "COMMANDS" +.IX Header "COMMANDS" +Most commands are only available to wallet administrators (users on the +\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0). The exceptions are \f(CW\*(C`acl check\*(C'\fR, \f(CW\*(C`check\*(C'\fR, \f(CW\*(C`get\*(C'\fR, +\&\f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`flag clear\*(C'\fR, \f(CW\*(C`flag set\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, +\&\f(CW\*(C`setattr\*(C'\fR, and \f(CW\*(C`history\*(C'\fR. \f(CW\*(C`acl check\*(C'\fR and \f(CW\*(C`check\*(C'\fR can be run by +anyone. All of the rest of those commands have their own ACLs except +\&\f(CW\*(C`getattr\*(C'\fR and \f(CW\*(C`history\*(C'\fR, which use the \f(CW\*(C`show\*(C'\fR \s-1ACL, \s0\f(CW\*(C`setattr\*(C'\fR, which +uses the \f(CW\*(C`store\*(C'\fR \s-1ACL,\s0 and \f(CW\*(C`comment\*(C'\fR, which uses the owner or \f(CW\*(C`show\*(C'\fR \s-1ACL\s0 +depending on whether one is setting or retrieving the comment. If the +appropriate \s-1ACL\s0 is set, it alone is checked to see if the user has access. +Otherwise, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR, +\&\f(CW\*(C`history\*(C'\fR, and \f(CW\*(C`comment\*(C'\fR access is permitted if the user is authorized +by the owner \s-1ACL\s0 of the object. +.PP +Administrators can run any command on any object or \s-1ACL\s0 except for \f(CW\*(C`get\*(C'\fR +and \f(CW\*(C`store\*(C'\fR. For \f(CW\*(C`get\*(C'\fR and \f(CW\*(C`store\*(C'\fR, they must still be authorized by +either the appropriate specific \s-1ACL\s0 or the owner \s-1ACL.\s0 +.PP +If the locked flag is set on an object, no commands can be run on that +object that change data except the \f(CW\*(C`flags\*(C'\fR commands, nor can the \f(CW\*(C`get\*(C'\fR +command be used on that object. \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`history\*(C'\fR, \f(CW\*(C`getacl\*(C'\fR, +\&\f(CW\*(C`getattr\*(C'\fR, and \f(CW\*(C`owner\*(C'\fR, \f(CW\*(C`comment\*(C'\fR, or \f(CW\*(C`expires\*(C'\fR without an argument +can still be used on that object. +.PP +For more information on attributes, see \s-1ATTRIBUTES\s0. +.IP "acl add <id> <scheme> <identifier>" 4 +.IX Item "acl add <id> <scheme> <identifier>" +Add an entry with <scheme> and <identifier> to the \s-1ACL\s0 <id>. <id> may be +either the name of an \s-1ACL\s0 or its numeric identifier. +.IP "acl check <id>" 4 +.IX Item "acl check <id>" +Check whether an \s-1ACL\s0 with the \s-1ID\s0 <id> already exists. If it does, prints +\&\f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR. +.IP "acl create <name>" 4 +.IX Item "acl create <name>" +Create a new, empty \s-1ACL\s0 with name <name>. When setting an \s-1ACL\s0 on an +object with a set of entries that don't match an existing \s-1ACL,\s0 first +create a new \s-1ACL\s0 with \f(CW\*(C`acl create\*(C'\fR, add the appropriate entries to it +with \f(CW\*(C`acl add\*(C'\fR, and then set the \s-1ACL\s0 on an object with the \f(CW\*(C`owner\*(C'\fR or +\&\f(CW\*(C`setacl\*(C'\fR commands. +.IP "acl destroy <id>" 4 +.IX Item "acl destroy <id>" +Destroy the \s-1ACL\s0 <id>. This \s-1ACL\s0 must no longer be referenced by any object +or the \s-1ACL\s0 destruction will fail. The special \s-1ACL\s0 named \f(CW\*(C`ADMIN\*(C'\fR cannot +be destroyed. +.IP "acl history <id>" 4 +.IX Item "acl history <id>" +Display the history of the \s-1ACL\s0 <id>. Each change to the \s-1ACL \s0(not +including changes to the name of the \s-1ACL\s0) will be represented by two +lines. The first line will have a timestamp of the change followed by a +description of the change, and the second line will give the user who made +the change and the host from which the change was made. +.IP "acl remove <id> <scheme> <identifier>" 4 +.IX Item "acl remove <id> <scheme> <identifier>" +Remove the entry with <scheme> and <identifier> from the \s-1ACL\s0 <id>. <id> +may be either the name of an \s-1ACL\s0 or its numeric identifier. The last +entry in the special \s-1ACL \s0\f(CW\*(C`ADMIN\*(C'\fR cannot be removed to protect against +accidental lockout, but administrators can remove themselves from the +\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0 and can leave only a non-functioning entry on the \s-1ACL. \s0 Use +caution when removing entries from the \f(CW\*(C`ADMIN\*(C'\fR \s-1ACL.\s0 +.IP "acl show <id>" 4 +.IX Item "acl show <id>" +Display the name, numeric \s-1ID,\s0 and entries of the \s-1ACL\s0 <id>. +.IP "autocreate <type> <name>" 4 +.IX Item "autocreate <type> <name>" +Create a new object of type <type> with name <name>. The user must be +listed in the default \s-1ACL\s0 for an object with that type and name, and the +object will be created with that default \s-1ACL\s0 set as the object owner. +.IP "check <type> <name>" 4 +.IX Item "check <type> <name>" +Check whether an object of type <type> and name <name> already exists. If +it does, prints \f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR. +.IP "comment <type> <name> [<comment>]" 4 +.IX Item "comment <type> <name> [<comment>]" +If <comment> is not given, displays the current comment for the object +identified by <type> and <name>, or \f(CW\*(C`No comment set\*(C'\fR if none is set. +.Sp +If <comment> is given, sets the comment on the object identified by +<type> and <name> to <comment>. If <comment> is the empty string, clears +the comment. +.IP "create <type> <name>" 4 +.IX Item "create <type> <name>" +Create a new object of type <type> with name <name>. With some backends, +this will trigger creation of an entry in an external system as well. +The new object will have no ACLs and no owner set, so usually the +administrator will want to then set an owner with \f(CW\*(C`owner\*(C'\fR so that the +object will be usable. +.IP "destroy <type> <name>" 4 +.IX Item "destroy <type> <name>" +Destroy the object identified by <type> and <name>. With some backends, +this will trigger destruction of an object in an external system as well. +.IP "expires <type> <name> [<date> [<time>]]" 4 +.IX Item "expires <type> <name> [<date> [<time>]]" +If <date> is not given, displays the current expiration of the object +identified by <type> and <name>, or \f(CW\*(C`No expiration set\*(C'\fR if none is set. +The expiration will be displayed in seconds since epoch. +.Sp +If <date> is given, sets the expiration on the object identified by <type> +and <name> to <date> and (if given) <time>. <date> and <time> must be in +some format that can be parsed by the Perl Date::Parse module. Most +common formats are supported; if in doubt, use \f(CW\*(C`YYYY\-MM\-DD HH:MM:SS\*(C'\fR. If +<date> is the empty string, clears the expiration of the object. +.Sp +Currently, the expiration of an object is not used. +.IP "flag clear <type> <name> <flag>" 4 +.IX Item "flag clear <type> <name> <flag>" +Clears the flag <flag> on the object identified by <type> and <name>. +.IP "flag set <type> <name> <flag>" 4 +.IX Item "flag set <type> <name> <flag>" +Sets the flag <flag> on the object identified by <type> and <name>. +Recognized flags are \f(CW\*(C`locked\*(C'\fR, which prevents all further actions on that +object until the flag is cleared, and \f(CW\*(C`unchanging\*(C'\fR, which tells the +object backend to not generate new data on get but instead return the same +data as previously returned. The \f(CW\*(C`unchanging\*(C'\fR flag is not meaningful for +objects that do not generate new data on the fly. +.IP "get <type> <name>" 4 +.IX Item "get <type> <name>" +Prints to standard output the data associated with the object identified +by <type> and <name>. This may trigger generation of new data and +invalidate old data for that object depending on the object type. +.IP "getacl <type> <name> <acl>" 4 +.IX Item "getacl <type> <name> <acl>" +Prints the \s-1ACL\s0 <acl>, which must be one of \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, +\&\f(CW\*(C`destroy\*(C'\fR, or \f(CW\*(C`flags\*(C'\fR, for the object identified by <type> and <name>. +Prints \f(CW\*(C`No ACL set\*(C'\fR if that \s-1ACL\s0 isn't set on that object. Remember that +if the \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, or \f(CW\*(C`show\*(C'\fR ACLs aren't set, authorization falls +back to checking the owner \s-1ACL. \s0 See the \f(CW\*(C`owner\*(C'\fR command for displaying +or setting it. +.IP "getattr <type> <name> <attr>" 4 +.IX Item "getattr <type> <name> <attr>" +Prints the object attribute <attr> for the object identified by <type> and +<name>. Attributes are used to store backend-specific information for a +particular object type, and <attr> must be an attribute type known to the +underlying object implementation. The attribute values, if any, are +printed one per line. If the attribute is not set on this object, nothing +is printed. +.IP "history <type> <name>" 4 +.IX Item "history <type> <name>" +Displays the history for the object identified by <type> and <name>. This +human-readable output will have two lines for each action that changes the +object, plus for any get action. The first line has the timestamp of the +action and the action, and the second line gives the user who performed +the action and the host from which they performed it. +.IP "owner <type> <name> [<owner>]" 4 +.IX Item "owner <type> <name> [<owner>]" +If <owner> is not given, displays the current owner \s-1ACL\s0 of the object +identified by <type> and <name>, or \f(CW\*(C`No owner set\*(C'\fR if none is set. The +result will be the name of an \s-1ACL.\s0 +.Sp +If <owner> is given, sets the owner of the object identified by <type> and +<name> to <owner>. If <owner> is the empty string, clears the owner of +the object. +.IP "rename <type> <name> <new\-name>" 4 +.IX Item "rename <type> <name> <new-name>" +Renames an existing object. This currently only supports file objects, +where it renames the object itself, then the name and location of the +object in the file store. +.IP "setacl <type> <name> <acl> <id>" 4 +.IX Item "setacl <type> <name> <acl> <id>" +Sets the \s-1ACL\s0 <acl>, which must be one of \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, +\&\f(CW\*(C`destroy\*(C'\fR, or \f(CW\*(C`flags\*(C'\fR, to <id> on the object identified by <type> and +<name>. If <id> is the empty string, clears that \s-1ACL\s0 on the object. +.IP "setattr <type> <name> <attr> <value> [<value> ...]" 4 +.IX Item "setattr <type> <name> <attr> <value> [<value> ...]" +Sets the object attribute <attr> for the object identified by <type> and +<name>. Attributes are used to store backend-specific information for a +particular object type, and <attr> must be an attribute type known to the +underlying object implementation. To clear the attribute for this object, +pass in a <value> of the empty string (\f(CW\*(Aq\*(Aq\fR). +.IP "show <type> <name>" 4 +.IX Item "show <type> <name>" +Displays the current object metadata for the object identified by <type> +and <name>. This human-readable output will show the object type and +name, the owner, any specific ACLs set on the object, the expiration if +any, and the user, remote host, and time when the object was created, last +stored, and last downloaded. +.IP "store <type> <name> [<data>]" 4 +.IX Item "store <type> <name> [<data>]" +Stores <data> for the object identified by <type> and <name> for later +retrieval with \f(CW\*(C`get\*(C'\fR. Not all object types support this. If <data> is +not given as an argument, it will be read from standard input. +.SH "ATTRIBUTES" +.IX Header "ATTRIBUTES" +Object attributes store additional properties and configuration +information for objects stored in the wallet. They are displayed as part +of the object data with \f(CW\*(C`show\*(C'\fR, retrieved with \f(CW\*(C`getattr\*(C'\fR, and set with +\&\f(CW\*(C`setattr\*(C'\fR. +.SS "Keytab Attributes" +.IX Subsection "Keytab Attributes" +Keytab objects support the following attributes: +.IP "enctypes" 4 +.IX Item "enctypes" +Restricts the generated keytab to a specific set of encryption types. The +values of this attribute must be enctype strings recognized by Kerberos +(strings like \f(CW\*(C`aes256\-cts\-hmac\-sha1\-96\*(C'\fR or \f(CW\*(C`des\-cbc\-crc\*(C'\fR). Note that +the salt should not be included; since the salt is irrelevant for keytab +keys, it will always be set to \f(CW\*(C`normal\*(C'\fR by the wallet. +.Sp +If this attribute is set, the specified enctype list will be passed to +ktadd when \fIget()\fR is called for that keytab. If it is not set, the default +set in the \s-1KDC\s0 will be used. +.Sp +This attribute is ignored if the \f(CW\*(C`unchanging\*(C'\fR flag is set on a keytab. +Keytabs retrieved with \f(CW\*(C`unchanging\*(C'\fR set will contain all keys present in +the \s-1KDC\s0 for that Kerberos principal and therefore may contain different +enctypes than those requested by this attribute. +.SH "AUTHOR" +.IX Header "AUTHOR" +Russ Allbery <eagle@eyrie.org> +.SH "COPYRIGHT AND LICENSE" +.IX Header "COPYRIGHT AND LICENSE" +Copyright 2007, 2008, 2010, 2011, 2012, 2013 The Board of Trustees of the +Leland Stanford Junior University +.PP +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the \*(L"Software\*(R"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: +.PP +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +.PP +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIWallet::Server\fR\|(3), \fIremctld\fR\|(8) +.PP +This program is part of the wallet system. The current version is +available from <http://www.eyrie.org/~eagle/software/wallet/>. diff --git a/server/wallet-report.8 b/server/wallet-report.8 new file mode 100644 index 0000000..ac3714f --- /dev/null +++ b/server/wallet-report.8 @@ -0,0 +1,333 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "WALLET-REPORT 8" +.TH WALLET-REPORT 8 "2014-12-08" "1.2" "wallet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +wallet\-report \- Wallet server reporting interface +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBwallet-report\fR \fItype\fR [\fIargs\fR ...] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBwallet-report\fR provides a command-line interface for running reports on +the wallet database. It is intended to be run on the wallet server as a +user with access to the wallet database and configuration, but can also be +made available via remctl to users who should have reporting privileges. +.PP +This program is a fairly thin wrapper around Wallet::Report that +translates command strings into method calls and returns the results. +.SH "OPTIONS" +.IX Header "OPTIONS" +\&\fBwallet-report\fR takes no traditional options. +.SH "COMMANDS" +.IX Header "COMMANDS" +.IP "acls" 4 +.IX Item "acls" +.PD 0 +.IP "acls duplicate" 4 +.IX Item "acls duplicate" +.IP "acls empty" 4 +.IX Item "acls empty" +.IP "acls entry <scheme> <identifier>" 4 +.IX Item "acls entry <scheme> <identifier>" +.IP "acls unused" 4 +.IX Item "acls unused" +.PD +Returns a list of ACLs in the database. Except for the \f(CW\*(C`duplicate\*(C'\fR +report, ACLs will be listed in the form: +.Sp +.Vb 1 +\& <name> (ACL ID: <id>) +.Ve +.Sp +where <name> is the human-readable name and <id> is the numeric \s-1ID. \s0 The +numeric \s-1ID\s0 is what's used internally by the wallet system. There will be +one line per \s-1ACL.\s0 +.Sp +For the \f(CW\*(C`duplicate\*(C'\fR report, the output will instead be one duplicate set +per line. This will be a set of ACLs that all have the same entries. +Only the names will be given, separated by spaces. +.Sp +If no search type is given, all the ACLs in the database will be returned. +If a search type (and possible search arguments) are given, then the ACLs +will be limited to those that match the search. +.Sp +The currently supported \s-1ACL\s0 search types are: +.RS 4 +.IP "acls duplicate" 4 +.IX Item "acls duplicate" +Returns all sets of ACLs that are duplicates, meaning that they contain +exactly the same entries. Each line will be the names of the ACLs in a +set of duplicates, separated by spaces. +.IP "acls empty" 4 +.IX Item "acls empty" +Returns all ACLs which have no entries, generally so that abandoned ACLs +can be destroyed. +.IP "acls entry <scheme> <identifier>" 4 +.IX Item "acls entry <scheme> <identifier>" +Returns all ACLs containing an entry with given scheme and identifier. +The scheme must be an exact match, but the <identifier> string will match +any identifier containing that string. +.IP "acls unused" 4 +.IX Item "acls unused" +Returns all ACLs that are not referenced by any of the objects in the +wallet database, either as an owner or on one of the more specific ACLs. +.RE +.RS 4 +.RE +.IP "audit acls name" 4 +.IX Item "audit acls name" +.PD 0 +.IP "audit objects name" 4 +.IX Item "audit objects name" +.PD +Returns all ACLs or objects that violate the current site naming policy. +Objects will be listed in the form: +.Sp +.Vb 1 +\& <type> <name> +.Ve +.Sp +and ACLs in the form: +.Sp +.Vb 1 +\& <name> (ACL ID: <id>) +.Ve +.Sp +where <name> is the human-readable name and <id> is the numeric \s-1ID. \s0 The +numeric \s-1ID\s0 is what's used internally by the wallet system. There will be +one line per object or \s-1ACL.\s0 +.IP "help" 4 +.IX Item "help" +Displays a summary of all available commands. +.IP "objects" 4 +.IX Item "objects" +.PD 0 +.IP "objects acl <acl>" 4 +.IX Item "objects acl <acl>" +.IP "objects flag <flag>" 4 +.IX Item "objects flag <flag>" +.IP "objects owner <owner>" 4 +.IX Item "objects owner <owner>" +.IP "objects type <type>" 4 +.IX Item "objects type <type>" +.IP "objects unused" 4 +.IX Item "objects unused" +.PD +Returns a list of objects in the database. Objects will be listed in the +form: +.Sp +.Vb 1 +\& <type> <name> +.Ve +.Sp +There will be one line per object. +.Sp +If no search type is given, all objects in the database will be returned. +If a search type (and possible search arguments) are given, the objects +will be limited to those that match the search. +.Sp +The currently supported object search types are: +.RS 4 +.IP "objects acl <acl>" 4 +.IX Item "objects acl <acl>" +Returns all objects for which the given \s-1ACL\s0 name or \s-1ID\s0 has any +permissions. This includes those objects owned by the \s-1ACL\s0 as well as +those where that \s-1ACL\s0 has any other, more limited permissions. +.IP "objects flag <flag>" 4 +.IX Item "objects flag <flag>" +Returns all objects which have the given flag set. +.IP "objects owner <acl>" 4 +.IX Item "objects owner <acl>" +Returns all objects owned by the given \s-1ACL\s0 name or \s-1ID.\s0 +.IP "objects type <type>" 4 +.IX Item "objects type <type>" +Returns all objects of the given type. +.IP "objects unused" 4 +.IX Item "objects unused" +Returns all objects that have never been downloaded (have never been the +target of a get command). +.RE +.RS 4 +.RE +.IP "owners <type\-pattern> <name\-pattern>" 4 +.IX Item "owners <type-pattern> <name-pattern>" +Returns a list of all \s-1ACL\s0 entries in owner ACLs for all objects matching +both <type\-pattern> and <name\-pattern>. These can be the type or name of +objects or they can be patterns using \f(CW\*(C`%\*(C'\fR as the wildcard character +following the normal rules of \s-1SQL\s0 patterns. +.Sp +The output will be one line per \s-1ACL\s0 line in the form: +.Sp +.Vb 1 +\& <scheme> <identifier> +.Ve +.Sp +with duplicates suppressed. +.SH "AUTHOR" +.IX Header "AUTHOR" +Russ Allbery <eagle@eyrie.org> +.SH "COPYRIGHT AND LICENSE" +.IX Header "COPYRIGHT AND LICENSE" +Copyright 2008, 2009, 2010, 2013 The Board of Trustees of the Leland +Stanford Junior University +.PP +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the \*(L"Software\*(R"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: +.PP +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +.PP +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIWallet::Config\fR\|(3), \fIWallet::Report\fR\|(3), \fIwallet\-backend\fR\|(8) +.PP +This program is part of the wallet system. The current version is +available from <http://www.eyrie.org/~eagle/software/wallet/>. |