-
Notifications
You must be signed in to change notification settings - Fork 2
/
daemon-manager.conf.asciidoc
158 lines (113 loc) · 4.5 KB
/
daemon-manager.conf.asciidoc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
// -*- text -*-
daemon-manager.conf(5)
======================
David Caldwell <david@porkrind.org>
NAME
----
daemon-manager.conf - Master configuration file for Daemon Manager
SYNOPSIS
--------
[settings]
daemon-path-daemon = ~/.daemon-manager/daemons
daemon-path-log = ~/.daemon-manager/logs
daemon-path-daemon-root = /etc/daemon-manager/daemons
daemon-path-log-root = /var/log/daemon-manager
# Example configuration file
[can_run_as]
user1: www-data
# user2 is allowed to launch daemons but only as itself
user2
user3: nobody, www-data # Comments can go anywhere.
user4: @group1 # user4 can run as any user in group1
@group2: user1, @group3 # any user in group2 can run as user1
# or any user in group3
[manages]
user1 : user2, user3 # whitespace is generally ignored
user3: user1
user3: user2 # user3 manages user1 & user2 (the rules accumulate)
@group1: user1, @group2 # Groups work here too.
DESCRIPTION
-----------
This manual page describes the master config file for
'daemon-manager(1)'. This file controls which users can launch daemons and
what users the daemons can be run as when they are launched. The file is
loaded from *'/etc/daemon-manager/daemon-manager.conf'*. It is required to be
owned by root and cannot be world or group writable.
FILE FORMAT
-----------
The config file is a plain text file. Comments are stripped from lines before
they are parsed. A comment starts with a "#" and continues to the end of a
line. Blank lines are ignored.
The file consists of one optional and two manditory sections designated by:
[settings]
[can_run_as]
[manages]
=== '[settings]'
The 'settings' section is optional and supports the following settings (shown
with their default values):
daemon-path-daemon = ~/.daemon-manager/daemons
daemon-path-log = ~/.daemon-manager/logs
daemon-path-daemon-root = /etc/daemon-manager/daemons
daemon-path-log-root = /var/log/daemon-manager
These specify which paths Daemon Manager will search for daemon config files
('daemon-path-daemon') and write logs to ('daemon-path-logs'). The 2 settings
ending with '-root' are similar but only apply to the 'root' user (this is
because systems typically put root settings in '/etc').
All path settings will perform the following substitutions:
*~/*::
Paths that start with `~/` will have the `~` replaced user's home
directory.
NOTE: In this case, when daemon manager starts it will create the
directories for any active users (anyone listed on the left hand side in the
'can_run_as' section described below).
*%username%*::
If the string `%username%` appears anywhere in the path it will be replaced by
the user's login name.
=== '[can_run_as]'
The 'can_run_as' section identifies which users are allowed to launch daemons. It
looks like this:
bob: mary, bruce, rhonda
That line means that 'bob' is allowed to start the demons in his home
directory and have them run as 'bob', 'mary', 'bruce', or 'rhonda'. Users
are always allowed to launch daemons as themselves so there is no need to list
them on the right hand side. If you only want to allow 'bob' to launch
daemons as himself then just list him on his own line in the 'can_run_as'
section:
bob
A trailing `:' is also acceptable:
bob:
=== '[manages]'
The 'manages' section allows the system administrator to appoint users that
can start and stop daemons on behalf of other users. It has the same syntax as
the 'can_run_as' section:
larry: bob, martha
That line means that 'larry' can start, stop, restart, and inspect 'bob' or
_martha_'s daemons. He will not be able to see or control _bruce_'s daemons,
though.
GROUPS
~~~~~~
If a name is prefixed by `@' then the name is interpreted as a unix group
name and acts as if the members of that group had been listed explicitly:
bob: @dev
is equivalent to this, if the group named 'dev' has 'mary' and 'bruce' as
members:
bob: mary, bruce
On the other hand, this:
@dev: bob
is equivalent to this, given the same constraints:
mary: bob
bruce: bob
REPETITION
~~~~~~~~~~
If a user is referenced on the left hand side of the `:' in more than one
rule (including the case where the user is part of a `@group' expansion),
then the result is an accumulation of the rules:
bob: mary
bob: bruce
@dev: www-data
If 'dev' has 'bob' and 'bruce' as members, then this is equivalent:
bob: mary, bruce, www-data
bruce: www-data
SEE ALSO
--------
'daemon-manager(1)', 'daemon-manager.conf(5)', 'dmctl(1)'