~flexibeast/s6-networking-man-pages

3086d49c7b5a16c46027458ccf3bdfff3b485c03 — Alexis 3 years ago 99e6c96
Update to 2.5.0.0.
9 files changed, 205 insertions(+), 128 deletions(-)

M Makefile
D minidentd.1
M s6-tcpserver-access.1
M s6-tlsc.1
M s6-tlsd-io.1
M s6-tlsd.1
M s6-tlsserver.1
M s6-ucspitlsc.1
M s6-ucspitlsd.1
M Makefile => Makefile +0 -1
@@ 3,7 3,6 @@ man1 = $(MANPATH)/man1/
man7 = $(MANPATH)/man7/

man1_targets = \
	minidentd.1 \
	s6-clockadd.1 \
	s6-clockview.1 \
	s6-getservbyname.1 \

D minidentd.1 => minidentd.1 +0 -98
@@ 1,98 0,0 @@
.Dd February 16, 2021
.Dt MINIDENTD 1
.Os
.Sh NAME
.Nm minidentd
.Nd small UCSPI[1] server application that answers IDENT requests
.Sh SYNOPSIS
.Nm
.Op Fl v
.Op Fl n | Fl i | Fl r
.Op Fl y Ar file
.Op Fl t Ar timeout
.Sh DESCRIPTION
.Nm
reads a series of IDENT requests on stdin and answers them on stdout.
It logs what it's doing on stderr.
The environment variables
.Ev \& Ns Ar x Ns LOCALIP
and
.Ev \& Ns Ar x Ns REMOTEIP ,
where
.Ar x
is the value of the PROTO environment variable, must contain the IDENT
server address and the IDENT client address, respectively.
.Pp
.Nm
exits 0 on success, 100 on a usage error and 111 on a system call
failure.
.Pp
.Nm
does not contact the network directly.
It's meant to run under a super-server like
.Xr s6-tcpserver 1 .
.Nm
will work with IPv4 as well as IPv6.
.Pp
.Nm
works only under Linux (2.2 or later); on other systems, it will
compile and run, but report an error for every request.
.Pp
The problem is that
.Em there is no portable Unix way
of listing active outgoing TCP connections with the relevant uids.
On Linux,
.Nm
parses the
.Pa /proc/net/tcp
or
.Pa /proc/net/tcp6
virtual file.
Other systems have their own way of doing this, if you want your
system to be supported by
.Nm ,
please contact the author.
.Sh OPTIONS
.Bl -tag -width x
.It Fl v
Verbose mode.
Log queries and replies.
.It Fl n
Send ERROR : HIDDEN-USER replies if the user has a
.Pa .ident
file in their home directory.
.It Fl i
User-defined answers.
The first 14 chars of the user's
.Pa .ident
file, up to EOF or newline, are used instead of the user name.
If the file exists and is empty, send ERROR : HIDDEN-USER.
If it doesn't exist, send a normal reply.
.It Fl r
Send random replies.
.It Fl y Ar file
Valid with
.Ql -n
or
.Ql -i .
Use
.Ar file
instead of
.Pa .ident .
.It Fl t Ar timeout
Close connection after
.Ar timeout
milliseconds without a client request.
.El
.Sh SEE ALSO
.Xr s6-ident-client 1 ,
.Xr s6-tcpserver 1
.Pp
[1]
.Lk https://cr.yp.to/proto/ucspi.txt
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/minidentd.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

M s6-tcpserver-access.1 => s6-tcpserver-access.1 +3 -2
@@ 1,4 1,4 @@
.Dd January 31, 2021
.Dd September 28, 2021
.Dt S6-TCPSERVER-ACCESS 1
.Os
.Sh NAME


@@ 40,7 40,8 @@ or their stripped-down versions
or
.Xr s6-tcpserver6d 1 .
.Pp
It checks that the remote end of the connection fits the accepted criteria defined by the database contained in
It checks that the remote end of the connection fits the accepted
criteria defined by the database contained in
.Ar rulesdir
or
.Ar rulesfile .

M s6-tlsc.1 => s6-tlsc.1 +14 -1
@@ 1,4 1,4 @@
.Dd April 22, 2021
.Dd September 28, 2021
.Dt S6-TLSC 1
.Os
.Sh NAME


@@ 183,6 183,19 @@ Contains
if the
.Fl k
option has been given; otherwise it is removed from the environment.
.It Ev SSL_PEER_CERT_HASH
Contains the hash of the peer's End Entity certificate, prefixed by
the name of the hash and a colon
.Po
typically
.Ql SHA256\&:
.Pc .
.It Ev SSL_PEER_CERT_SUBJECT
Contains the decoded subjectDN of the peer's End Entity certificate,
i.e. identifying information.
What is traditionally called the
.Dq name
of the certificate is the CN field in that data.
.El
.Pp
More similar environment variables containing information about the

M s6-tlsd-io.1 => s6-tlsd-io.1 +62 -7
@@ 1,4 1,4 @@
.Dd February 16, 2021
.Dd September 28, 2021
.Dt S6-TLSD-IO 1
.Os
.Sh NAME


@@ 10,8 10,9 @@ communicate with an existing local program over already established pipes
.Op Fl S | Fl s
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
.Op Fl K kimeout
.Op Fl d notif
.Op Fl K Ar kimeout
.Op Fl k Ar snilevel
.Op Fl d Ar notif
.Op --
.Ar fdr
.Ar fdw


@@ 134,16 135,52 @@ Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl Y
Do not send a client certificate.
This is the default.
Require an optional client certificate.
.It Fl y
Send a client certificate.
Require a mandatory client certificate.
The default, with neither the
.Fl Y
nor the
.Fl y
option, is not to require a client certificate at all.
.It Fl K Ar kimeout
If the peer fails to send data for
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
.Ar snilevel
is nonzero, private key file names are read from every environment
variable of the form
.Ev KEYFILE\&: Ns Ar x ,
where
.Ar x
is a server name that the client may require, and a corresponding
certificate chain for the name
.Ar x
should exist in the file named after the contents of the
.Ev CERTFILE\&: Ns Ar x
environment variable.
If
.Ar snilevel
is 2 or more,
.Em only
those files are read, and the generic
.Ev KEYFILE
and
.Ev CERTFILE
variables are ignored.
If
.Ar snilevel
is 0, or if the option is not given, which is the default,
.Ev KEYFILE
and
.Ev CERTFILE
are the only private key / certificate chain pair that are loaded, no
other environment variable is read for keypairs.
.It Fl d Ar notif
Handshake notification.
.Ar notif


@@ 172,7 209,7 @@ expects to have the following environment variables set:
A path to the file containing the server's private key, DER- or
PEM-encoded.
.It Ev CERTFILE
A path to the file containing the server's certificate, DER- or
A path to the file containing the server's certificate chain, DER- or
PEM-encoded.
If PEM-encoded, the file can actually contain a chain of certificates.
.El


@@ 181,6 218,24 @@ If one of those variables is unset,
.Nm
will refuse to run.
.Pp
Alternatively, if
.Ar snilevel
is nonzero, the private key for the server named
.Ar x
should be held in a file whose name is contained in the
.Ev KEYFILE\&: Ns Ar x
environment variable, and the corresponding certificate chain file
should be named in the
.Ev CERTFILE\&: Ns Ar x
environment variable.
If
.Ar snilevel
is 2 or more, the
.Ev KEYFILE
and
.Ev CERTFILE
variables will be entirely ignored.
.Pp
If you are using client certificates,
.Nm
also requires either one of the following variables to be set:

M s6-tlsd.1 => s6-tlsd.1 +66 -6
@@ 1,4 1,4 @@
.Dd April 22, 2021
.Dd September 28, 2021
.Dt S6-TLSD 1
.Os
.Sh NAME


@@ 10,7 10,8 @@
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
.Op Fl K Ar kimeout ]
.Op Fl K Ar kimeout
.Op Fl k Ar snilevel
.Op --
.Ar prog...
.Sh DESCRIPTION


@@ 112,6 113,38 @@ If the peer fails to send data for
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
.Ar snilevel
is nonzero, private key file names are read from every environment
variable of the form
.Ev KEYFILE\&: Ns Ar x ,
where
.Ar x
is a server name that the client may require, and a corresponding
certificate chain for the name
.Ar x
should exist in the file named after the contents of the
.Ev CERTFILE\&: Ns Ar x
environment variable.
If
.Ar snilevel
is 2 or more,
.Em only
those files are read, and the generic
.Ev KEYFILE
and
.Ev CERTFILE
variables are ignored.
If
.Ar snilevel
is 0, or if the option is not given, which is the default,
.Ev KEYFILE
and
.Ev CERTFILE
are the only private key / certificate chain pair that are loaded, no
other environment variable is read for keypairs.
.El
.Sh ENVIRONMENT
.Ss Read


@@ 125,7 158,16 @@ So it should pay attention to the following variables:
.It
.Ev KEYFILE
and
.Ev CERTFILE
.Ev CERTFILE .
Also (or alternatively), if the
.Fl k
option is given: a series of
.Ev KEYFILE\&: Ns Ar x
and
.Ev CERTFILE\&: Ns Ar x
variables, for every
.Ar x
in the set of server names.
.It
(If the
.Fl y


@@ 134,11 176,11 @@ or
option has been given)
.Ev CADIR
or
.Ev CAFILE
.Ev CAFILE .
.It
.Ev TLS_UID
and
.Ev TLS_GID
.Ev TLS_GID .
.El
.Ss Written
By default,


@@ 149,6 191,11 @@ is run with all these variables
.Ev CAFILE ,
.Ev KEYFILE ,
.Ev CERTFILE ,
.Ev KEYFILE\&: Ns Ar x
and
.Ev CERTFILE\&: Ns Ar x
for every
.Ar x ,
.Ev TLS_UID
and
.Ev TLS_GID .


@@ 158,7 205,7 @@ child but not to
.Ar prog... .
The
.Fl Z
option prevents that behaviour.
option prevents that behaviour and keeps them accessible in the child.
.Pp
However,
.Ar prog...


@@ 172,6 219,19 @@ Contains the name of the cipher used.
Contains the required SNI server name, if any.
It is removed from the environment if no SNI has been sent by the
client.
.It Ev SSL_PEER_CERT_HASH
Contains the hash of the peer's End Entity certificate, prefixed by
the name of the hash and a colon
.Po
typically
.Ql SHA256\&:
.Pc .
.It Ev SSL_PEER_CERT_SUBJECT
Contains the decoded subjectDN of the peer's End Entity certificate,
i.e. identifying information.
What is traditionally called the
.Dq name
of the certificate is the CN field in that data.
.El
.Pp
More similar environment variables containing information about the

M s6-tlsserver.1 => s6-tlsserver.1 +2 -0
@@ 173,6 173,8 @@ or
.Fl y
.It
.Fl K Ar kimeout
.It
.Fl k Ar snilevel
.El
.Ss Options passed to Xr s6-applyuidgid 1
.Bl -bullet -width x

M s6-ucspitlsc.1 => s6-ucspitlsc.1 +4 -5
@@ 1,4 1,4 @@
.Dd February 16, 2021
.Dd September 28, 2021
.Dt S6-UCSPITLSC 1
.Os
.Sh NAME


@@ 63,7 63,6 @@ Default for
.Ar verbosity
is 1.
0 is quiet, 2 is verbose, more than 2 is debug output.
This option currently has no effect.
.It Fl Z
Do not clean the environment of the variables used by
.Xr s6-tlsc-io 1


@@ 135,18 134,18 @@ So it should pay attention to the following variables:
.It
.Ev CADIR
or
.Ev CAFILE
.Ev CAFILE .
.It
(If the
.Fl y
option has been given)
.Ev CERTFILE
and
.Ev KEYFILE
.Ev KEYFILE .
.It
.Ev TLS_UID
and
.Ev TLS_GID
.Ev TLS_GID .
.El
.Ss Written
By default,

M s6-ucspitlsd.1 => s6-ucspitlsd.1 +54 -8
@@ 1,4 1,4 @@
.Dd February 16, 2021
.Dd September 28, 2021
.Dt S6-UCSPITLSD 1
.Os
.Sh NAME


@@ 12,7 12,8 @@ then execs into an application
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
.Op FL K Ar kimeout
.Op Fl K Ar kimeout
.Op Fl k Ar snilevel
.Op --
.Ar prog...
.Sh DESCRIPTION


@@ 65,7 66,6 @@ Default for
.Ar verbosity
is 1.
0 is quiet, 2 is verbose, more than 2 is debug output.
This option currently has no effect.
.It Fl Z
Do not clean the environment of the variables used by
.Xr s6-tlsc-io 1


@@ 106,6 106,38 @@ Close the connection if the handshake takes more than
milliseconds to complete.
The default is 0, which means infinite timeout: let the handshake
complete at its own pace, no matter how slow.
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
.Ar snilevel
is nonzero, private key file names are read from every environment
variable of the form
.Ev KEYFILE\&: Ns Ar x ,
where
.Ar x
is a server name that the client may require, and a corresponding
certificate chain for the name
.Ar x
should exist in the file named after the contents of the
.Ev CERTFILE\&: Ns Ar x
environment variable.
If
.Ar snilevel
is 2 or more,
.Em only
those files are read, and the generic
.Ev KEYFILE
and
.Ev CERTFILE
variables are ignored.
If
.Ar snilevel
is 0, or if the option is not given, which is the default,
.Ev KEYFILE
and
.Ev CERTFILE
are the only private key / certificate chain pair that are loaded, no
other environment variable is read for keypairs.
.El
.Sh ENVIRONMENT
.Ss Read


@@ 119,7 151,16 @@ So it should pay attention to the following variables:
.It
.Ev CERTFILE
and
.Ev KEYFILE
.Ev KEYFILE .
Also (or alternatively), if the
.Fl k
option is given: a series of
.Ev KEYFILE\&: Ns Ar x
and
.Ev CERTFILE\&: Ns Ar x
variables, for every
.Ar x
in the set of server names.
.It
(If the
.Fl Y


@@ 128,11 169,11 @@ or
option has been given)
.Ev CADIR
or
.Ev CAFILE
.Ev CAFILE .
.It
.Ev TLS_UID
and
.Ev TLS_GID
.Ev TLS_GID .
.El
.Ss Written
By default,


@@ 143,16 184,21 @@ is run with all these variables
.Ev CAFILE ,
.Ev KEYFILE ,
.Ev CERTFILE ,
.Ev KEYFILE\&: Ns Ar x
and
.Ev CERTFILE\&: Ns Ar x
for every
.Ar x ,
.Ev TLS_UID
and
.Ev TLS_GID .
They're passed to the
The variables are passed to the
.Xr s6-tlsd-io 1
child but not to
.Ar prog... .
The
.Fl Z
option prevents that behaviour.
option prevents that behaviour and keeps them accessible in the child.
.Pp
However,
.Ar prog...