- -A
- to add a node in the configuration file.
-A node [--caps_inherit (NONE|[PARENT:]/path/to/node)]
        [--caps (uid|-1) ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*
         --mask ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))* ]*
        [--perm (uid|-1) (RATX|hex) /path/to/object]*
        [--perm_inherit (NONE|[PARENT:]/path/to/node)]
The capability sets are computed as follows: the initial value is
the previous one, or an empty set if there was no previous value. Then, each time a
keyword is read, its associated value is added to the set if the keyword is
preceded by a +, removed from the set if the keyword is
preceded by a -, or replaces the current value of the set if the
keyword is preceded by a =.
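The +/-/= rules above, applied to a --caps or --mask specification, as an added example (not lidsadm's own code); the capability names in FULL_SET are a small constructed subset standing in for the real list, which this page does not enumerate.

```python
import re

# Constructed universe of keywords standing in for the real LIDS list
# (assumption: LIDS_UMONT is handled like any other keyword).
FULL_SET = frozenset({
    "CAP_CHOWN", "CAP_NET_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_ADMIN",
    "LIDS_UMONT",
})

# Each token is an operator (+, - or =) glued to a keyword.
TOKEN = re.compile(r"^([+\-=])([A-Z_][A-Z0-9_]*)$")


def keyword_value(name):
    """Set denoted by a single keyword: the full set, the empty set, or one capability."""
    if name == "FULL_SET":
        return set(FULL_SET)
    if name == "EMPTY_SET":
        return set()
    if name not in FULL_SET:
        raise ValueError(f"unknown keyword {name!r}")
    return {name}


def compute_set(spec, previous=None):
    """Apply a specification like '=FULL_SET -CAP_SYS_MODULE' to the previous set.

    The initial value is the previous set, or an empty set if there is none.
    Tokens are applied left to right: + adds, - removes, = replaces.
    """
    current = set(previous) if previous is not None else set()
    for tok in spec.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad token {tok!r}: expected +KW, -KW or =KW")
        op, name = m.groups()
        value = keyword_value(name)
        if op == "+":
            current |= value
        elif op == "-":
            current -= value
        else:  # "=" discards whatever was accumulated so far
            current = value
    return current
```

Note that a = token discards everything accumulated before it, so `+CAP_CHOWN =EMPTY_SET` yields the empty set regardless of what preceded it.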
- -C
- to sanity-check the configuration file.
-C -p|-u|-a
The following points are checked:
- The files have correct inode and device numbers
- The files tagged as PARENT are the right ones
- The general options are consistent
- There is a mail address if logging through mail is asked for
- The mail address is correct
- There is a syslog address if logging to a remote syslog daemon is asked for
- Whether the remote syslog daemon is listening
- Any other tests
- -p
- print updates needed but do nothing
- -u
- update all without asking
- -a
- ask before updating
- -P
- to get a RipeMD-160 encoded password.
-P [-f]
- -P
- ask for a password and display its RipeMD-160 encoded form
- -P -f
- ask for a password and update the PASSWORD field in lids.conf
- -S
- to open or close a LIDS-free session
-S [-c|-t sss|hh:mm[:ss]]
-S (-a|-r) pid [pid...]
- -S
- to open the session. This has no effect if we are
already in a LFS.
- -S -c
- to close the session
- -S -t 10
- to open the session if it wasn't already opened,
and to create a timer to close the session 10 minutes later.
- -S -t 7:30
- to open the session if it wasn't already
opened, and to create a timer to close the session when it is half
past seven.
- -S -a 12 45 648
- to add the three given processes to the
LFS. This means that their LFS master becomes the current LFS
master. If they already have one, an error is issued.
- -S -r 12 648
- to remove the two given processes from the
LFS. The overloads that were linked to the LFS are removed.
- -O
- to overload capabilities sets.
-O [-p pid[ pid[ ...]]] [-m] [-t tag]
   (-r [-a|-A]
    |[-a]
     [--caps ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
     [--mask ((+|-|=)(FULL_SET|EMPTY_SET|CAP_SYS...|LIDS_UMONT|..))*]
     [--perm (uid|-1) (RATX|hex) /path/to/object]*)
You first give a selector: every process, those with the specified pids, those with the specified tag,
or those with the specified pids and tag. Then you
choose between removing the selected overloads or adding or modifying them.
- -m
- select also the LFS master, if we are in a LFS.
- -a
- when overloading, overload without creating a dependency on the current LFS, if any. This change will persist when the LFS closes or the shell dies. When removing tags, only those processes which don't have an LFS master will be processed.
- -A
- only when removing tags, remove those wanted even for processes which have a LFS master.
- -I
- to seal the kernel.
-I
It just signals LIDS that the boot sequence is over, so that it checks permissions and capabilities.
If you configure LIDS to check them even during the boot sequence, you don't need to signal the end of the boot sequence.