aboutsummaryrefslogtreecommitdiff
path: root/options.c
diff options
context:
space:
mode:
Diffstat (limited to 'options.c')
-rw-r--r--options.c50
1 files changed, 46 insertions, 4 deletions
diff --git a/options.c b/options.c
index ebccd7f..a233972 100644
--- a/options.c
+++ b/options.c
@@ -311,6 +311,10 @@ static const char usage_message[] =
"--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
" management functions. pass is a password file\n"
" or 'stdin' to prompt from console.\n"
+#if UNIX_SOCK_SUPPORT
+ " To listen on a unix domain socket, specific the pathname\n"
+ " in place of ip and use 'unix' as the port number.\n"
+#endif
"--management-client : Management interface will connect as a TCP client to\n"
" ip/port rather than listen as a TCP server.\n"
"--management-query-passwords : Query management channel for private key\n"
@@ -322,6 +326,12 @@ static const char usage_message[] =
" event occurs.\n"
"--management-log-cache n : Cache n lines of log file history for usage\n"
" by the management channel.\n"
+#if UNIX_SOCK_SUPPORT
+ "--management-client-user u : When management interface is a unix socket, only\n"
+ " allow connections from user u.\n"
+ "--management-client-group g : When management interface is a unix socket, only\n"
+ " allow connections from group g.\n"
+#endif
#ifdef MANAGEMENT_DEF_AUTH
"--management-client-auth : gives management interface client the responsibility\n"
" to authenticate clients after their client certificate\n"
@@ -1240,6 +1250,8 @@ show_settings (const struct options *o)
SHOW_INT (management_log_history_cache);
SHOW_INT (management_echo_buffer_size);
SHOW_STR (management_write_peer_info_file);
+ SHOW_STR (management_client_user);
+ SHOW_STR (management_client_group);
SHOW_INT (management_flags);
#endif
#ifdef ENABLE_PLUGIN
@@ -1554,6 +1566,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
|| options->management_write_peer_info_file
|| options->management_log_history_cache != defaults.management_log_history_cache))
msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
+
+ if ((options->management_flags & (MF_LISTEN_UNIX|MF_CONNECT_AS_CLIENT))
+ == (MF_LISTEN_UNIX|MF_CONNECT_AS_CLIENT))
+ msg (M_USAGE, "--management-client does not support unix domain sockets");
+
+ if ((options->management_client_user || options->management_client_group)
+ && !(options->management_flags & MF_LISTEN_UNIX))
+ msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
#endif
/*
@@ -3319,14 +3339,26 @@ add_option (struct options *options,
#ifdef ENABLE_MANAGEMENT
else if (streq (p[0], "management") && p[1] && p[2])
{
- int port;
+ int port = 0;
VERIFY_PERMISSION (OPT_P_GENERAL);
- port = atoi (p[2]);
- if (!legal_ipv4_port (port))
+ if (streq (p[2], "unix"))
{
- msg (msglevel, "port number associated with --management directive is out of range");
+#if UNIX_SOCK_SUPPORT
+ options->management_flags |= MF_LISTEN_UNIX;
+#else
+ msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
goto err;
+#endif
+ }
+ else
+ {
+ port = atoi (p[2]);
+ if (!legal_ipv4_port (port))
+ {
+ msg (msglevel, "port number associated with --management directive is out of range");
+ goto err;
+ }
}
options->management_addr = p[1];
@@ -3336,6 +3368,16 @@ add_option (struct options *options,
options->management_user_pass = p[3];
}
}
+ else if (streq (p[0], "management-client-user") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->management_client_user = p[1];
+ }
+ else if (streq (p[0], "management-client-group") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->management_client_group = p[1];
+ }
else if (streq (p[0], "management-query-passwords"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);