Next: The configuration file Up: Specifications Previous: Specifications Contents

The configuration tool

The configuration tool will be /sbin/lidsadm The configuration tool will have the following options:

-A

to add a node in the configuration file.

-A node [--caps_inherit (NONE|[PARENT:]/path/to/node)]
        [--caps (uid|-1) ((+|-|=)(FULL_SET|EMPTY_SET|
                                  CAP_SYS...|LIDS_UMONT|..))* 
         --mask ((+|-|=)(FULL_SET|EMPTY_SET|
                         CAP_SYS...|LIDS_UMONT|..))* ]*
        [--perm (uid|-1) (RATX|hex) /path/to/object]*
        [--perm_inherit (NONE|[PARENT:]/path/to/node)]

The capabilities sets are computed as follow : the initial value is the previous one, or an empty set if there was no previous. Then, each time a keyword is read, his associated value^9.1 either is added to the set if the keyword is preceded by a +, or is removed from the set if the keyword is preceded by a - or replace the current value of the set if the keyword is preceded by a =.

-C

To sanity check the configuration file.

-C -p|-u|-a

The following points are checked :

The files have correct inode and device numbers
The files tagged as PARENT are the right ones^9.2
The general options are consistents
There is a mail address if a log through mail is asked for
The mail address is correct^9.3
There is a syslog address if a log to a remote syslog daemon is asked for
Check wether the remote syslog daemon is listening
Any other tests

-p: print updates needed but do nothing
-u: update all without asking
-a: ask before updating

-P

to get a RipeMD-160 encoded password.

-P [-f]

-P: ask for a password and display its Ripe-MD encoded form
-P -f: ask for a password and update the PASSWORD field in lids.conf

-S

to open or close a LIDS-free session

-S [-c|-t sss|hh:mm[:ss]]
-S (-a|-r) pid [pid...]

-S: to open the session. This has no effect if we are already in a LFS.
-S -c: to close the session
-S -t 10: to open the session if it wasn't already opened, and to create a timer to close the session 10 minutes later.
-S -t 7:30: to open the session if it wasn't already opened, and to create a timer to close the session when it is half past seven.
-S -a 12 45 648: to add the three given processes to the LFS. This means that their LFS master becomes the current LFS master. If they have already one, an error is issued.
-S -r 12 648: to remove the two given processes from the LFS. The overloads taht were linked to the LFS are removed.

-O

to overload capabilities sets.

-O [-p pid[ pid[ ...]]] [-m] [-t tag] 
   (-r [-a|-A]|[-a] 
               [--caps ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
               [--mask ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
               [--perm (uid|-1) (RATX|hex) /path/to/object]*)

You first give a selector: every processes, or those with specified pids, or those with specified tag or those with specified pids and tag. Then you choose between removing the selected overloads or adding or modifying them.

-m: select also the LFS master, if we are in a LFS.
-a: when overloading is to overload without making a dependance to the possible current LFS. This change will persist when the possible LFS close or the shell die. If removing tags, only those processes which don't have a LFS master will be processed.
-A: only when removing tags, remove those wanted even for processes which have a LFS master.

-I

to seal the kernel.

-I

It just signal LIDS that the boot sequence is over, so that it check permissions and capabilities. If you configure LIDS to check them even in the boot sequence^9.4, you don't need to signal the end of the boot sequence

Next: The configuration file Up: Specifications Previous: Specifications Contents

Biondi Philippe 2000-12-15