Diffstat (limited to 'static/plan9-4e/man3/cap.3')
-rw-r--r-- static/plan9-4e/man3/cap.3 | 81
1 files changed, 81 insertions, 0 deletions
diff --git a/static/plan9-4e/man3/cap.3 b/static/plan9-4e/man3/cap.3
new file mode 100644
index 00000000..5d6bffba
--- /dev/null
+++ b/static/plan9-4e/man3/cap.3
@@ -0,0 +1,81 @@
+.TH CAP 3
+.SH NAME
+cap \- capabilities for setting the user id of processes
+.SH SYNOPSIS
+.B bind #ยค
+.I dir
+.nf
+
+.IB dir /caphash
+.IB dir /capuse
+.fi
+.SH DESCRIPTION
+.PP
+This device enables a trusted process to
+create a capability that another process
+may then use to change its user id. The intent is to allow
+server processes, for example
+.B telnetd
+(see
+.IR ipserv (8)),
+to change their user id after having proved
+to a trusted process, such as
+.IR factotum (4),
+that they are indeed executing
+on behalf of a user.
+A trusted process is one running with the user id
+of the host owner (see
+.B /dev/hostowner
+in
+.IR cons (3)).
+.PP
+A capability is a null terminated string consisting of the concatenation of
+an old user name, an ``@'', a new user name, an ``@'', and a string of randomly
+generated characters called the key.
+The trusted process enables the kernel to authenticate
+capabilities passed to it by writing to
+.I caphash
+a secure hash of the capability.
+The hash is 20 bytes long and generated by the following call:
+.EX
+
+ hmac_sha1(old_at_new, strlen(old_at_new), key, strlen(key),
+ hash, nil);
+
+.EE
+The kernel maintains a list of hashes, freeing them after the
+corresponding capability is used or after a minute has passed
+since the write to
+.IR caphash .
+.PP
+The trusted process may then pass the capability to any process
+running as the old user. That process may then
+use the capability to change identity to the new user.
+A process uses a capability by writing it to
+.IR capuse .
+The kernel computes the same hash using the supplied capability
+and searches its list of hashes for a match. If one is found,
+the kernel sets the process's user id to that in the capability.
+.SH DIAGNOSTICS
+.PP
+Errors generated by reading and writing
+.I caphash
+and
+.I capuse
+can be obtained using
+.IR errstr (2).
+A read of
+.I caphash
+with a length of less than 20
+or a write to
+.I capuse
+that doesn't contain two @ characters
+generates the error ``read or write too small''.
+A write to
+.I capuse
+that has no matching hash generates the error
+``invalid capability''.
+.SH SOURCE
+.B /sys/src/9/port/devcap.c
+.SH "SEE ALSO"
+.IR sechash (2)
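Review bot: the device name in the SYNOPSIS line `.B bind #ยค` is mis-encoded; the two Thai glyphs are what the UTF-8 bytes of `¤` (U+00A4) become when decoded as a Thai code page, so the file should be re-saved as UTF-8 so the line reads `.B bind #¤`. Two smaller documentation points in the same hunk: the DESCRIPTION defines a capability as `old@new@key`, but the `.EX` example `hmac_sha1(old_at_new, strlen(old_at_new), key, strlen(key), hash, nil)` never states that `old_at_new` is the `old@new` prefix and `key` is the text after the second `@` (the second `@` itself being outside the HMAC message), so a sentence before the example saying so would remove the ambiguity; and DIAGNOSTICS mentions "A read of `caphash` with a length of less than 20" while DESCRIPTION only ever describes writing to `caphash`, so either reads of `caphash` should be described or "read" should be "write".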