NAME

hippotat-setup-permissions - set up permissions for (non-root) use of hippotat

SYNOPSYS

 hippotat-setup-permissions client
 hippotat-setup-permissions server
 hippotat-setup-permissions revoke

DESCRIPTION

Sets up (or revokes) the permissions to allow hippotat and/or hippotatd to run.

With "server" permissions needed for the server are granted to the "_hippotat" user (or other user set using "USER" in "/etc/default/hippotat".)

With "client" permissions needed for the client are granted to the "_hippotat" group (or other group set using "GROUP" in "/etc/default/hippotat".)

Required permissions are determined based on the hippotat configuration in "/etc/hippotat". (The "hippotat" or "hippotatd" program is run in a special mode to query the configuration.)

In every run, revokes permissions granted to the configured user and/or group by previous invocations of this script, but which are not any longer needed according to the configuration and command line. So "revoke" revokes all permissions, and "client" and "server" each revoke the other. (Only permissions granted in the specific files used by this script will be amended or revoked.)

FILES

"/etc/userv/ipif-access/hippotat".

Grants to the appropriate user or group the ability to make the virtual network interfaces, and route traffic to them. Created on both clients and servers.

"/etc/authbind/byuid/"uid

Grants the server the ability to bind to the configured ports and addresses. The uid is that for the "_hippotat" user, or "USER". Created on servers.

"/etc/userv/services.d/ipif"

Enables the "ipif" userv service, which is itself controlled by "/etc/userv/ipif-access/" etc.

Will be made a symlink to "/etc/userv/services-available/ipif". Created on both clients and servers. Not removed during revocation, since other programs on the system may need it,

Makes the symlink in . (This is not undone by "revoke", since that might disturb other services which are relying on it.)

"/etc/default/hippotat"

Shell script fragment sourced by the init script and by hippotat-setup-permissions, and the hippotatd init script. Can set "USER" and "GROUP" (and other variables that control the init script).