
The configuration tool

The configuration tool will be /sbin/lidsadm. It will have the following options:
-A
to add a node in the configuration file.
-A node [--caps_inherit (NONE|[PARENT:]/path/to/node)]
        [--caps (uid|-1) ((+|-|=)(FULL_SET|EMPTY_SET|
                                  CAP_SYS...|LIDS_UMONT|..))* 
         --mask ((+|-|=)(FULL_SET|EMPTY_SET|
                         CAP_SYS...|LIDS_UMONT|..))* ]*
        [--perm (uid|-1) (RATX|hex) /path/to/object]*
        [--perm_inherit (NONE|[PARENT:]/path/to/node)]
The capability sets are computed as follows: the initial value is the previous one, or an empty set if there was no previous one. Then, each time a keyword is read, its associated value is added to the set if the keyword is preceded by a +, removed from the set if the keyword is preceded by a -, or replaces the current value of the set if the keyword is preceded by a =.

-C
To sanity check the configuration file.
-C -p|-u|-a
The following points are checked :

-p
print updates needed but do nothing
-u
update all without asking
-a
ask before updating

-P
to get a RipeMD-160 encoded password.
-P [-f]
-P
ask for a password and display its Ripe-MD encoded form
-P -f
ask for a password and update the PASSWORD field in lids.conf

-S
to open or close a LIDS-free session
-S [-c|-t sss|hh:mm[:ss]]
-S (-a|-r) pid [pid...]
-S
to open the session. This has no effect if we are already in a LFS.
-S -c
to close the session
-S -t 10
to open the session if it wasn't already opened, and to create a timer to close the session 10 minutes later.
-S -t 7:30
to open the session if it wasn't already opened, and to create a timer to close the session when it is half past seven.
-S -a 12 45 648
to add the three given processes to the LFS. This means that their LFS master becomes the current LFS master. If they already have one, an error is issued.
-S -r 12 648
to remove the two given processes from the LFS. The overloads that were linked to the LFS are removed.

-O
to overload capabilities sets.
-O [-p pid[ pid[ ...]]] [-m] [-t tag] 
   (-r [-a|-A]|[-a] 
               [--caps ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
               [--mask ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
               [--perm (uid|-1) (RATX|hex) /path/to/object]*)
You first give a selector: every process, or those with the specified pids, or those with the specified tag, or those with the specified pids and tag. Then you choose between removing the selected overloads and adding or modifying them.
-m
select also the LFS master, if we are in a LFS.
-a
when overloading, overload without creating a dependence on the current LFS, if any. The change will persist when that LFS closes or the shell dies. When removing tags, only those processes which don't have an LFS master will be processed.
-A
only when removing tags, remove those wanted even for processes which have a LFS master.

-I
to seal the kernel.
-I

It just signals to LIDS that the boot sequence is over, so that it checks permissions and capabilities. If you configure LIDS to check them even during the boot sequence, you don't need to signal the end of the boot sequence.
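
The +/-/= computation described for --caps and --mask under -A (and reused by -O), as an added example that is not lidsadm's own code. The keyword table is a constructed subset (real Linux capability names plus the page's LIDS_UMONT), and keyword_value and compute_set are hypothetical names.

```python
# Added example: models the +/-/= set arithmetic of --caps and --mask.
# Assumption: KNOWN is a constructed subset of keywords; the page does not
# list the full set lidsadm accepts.
KNOWN = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "LIDS_UMONT",
})


def keyword_value(name):
    """Return the set of capabilities a keyword stands for."""
    if name == "FULL_SET":
        return KNOWN
    if name == "EMPTY_SET":
        return frozenset()
    if name in KNOWN:
        return frozenset({name})
    # Fail closed: a misspelled capability must not be silently ignored.
    raise ValueError(f"unknown keyword: {name!r}")


def compute_set(tokens, previous=None):
    """Apply (+|-|=)KEYWORD tokens left to right, starting from `previous`
    or from an empty set if there was no previous value."""
    current = set(previous) if previous is not None else set()
    for tok in tokens:
        if len(tok) < 2 or tok[0] not in "+-=":
            raise ValueError(f"expected (+|-|=)KEYWORD, got {tok!r}")
        value = keyword_value(tok[1:])
        if tok[0] == "+":
            current |= value
        elif tok[0] == "-":
            current -= value
        else:  # "=" replaces whatever was accumulated so far
            current = set(value)
    return frozenset(current)


if __name__ == "__main__":
    # Order matters: a later "=" discards every earlier restriction.
    print(sorted(compute_set(["=FULL_SET", "-CAP_SYS_MODULE", "-CAP_SYS_RAWIO"])))
    print(sorted(compute_set(["-CAP_SYS_MODULE", "=FULL_SET"])))
```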


Biondi Philippe 2000-12-15