~flexibeast/s6-networking-man-pages

f30089e41d24f7b60849869b8f4e2e58f137f750 — Alexis 10 months ago 3d50de3 v2.6.0.0.1
Update to s6-networking 2.6.0.0.
12 files changed, 373 insertions(+), 995 deletions(-)

M Makefile
M man8/s6-tcpclient.8
M man8/s6-tcpserver-access.8
R man8/{s6-tcpserver4-socketbinder.8 => s6-tcpserver-socketbinder.8}
M man8/s6-tcpserver.8
D man8/s6-tcpserver4.8
D man8/s6-tcpserver6-socketbinder.8
D man8/s6-tcpserver6.8
D man8/s6-tcpserver6d.8
R man8/{s6-tcpserver4d.8 => s6-tcpserverd.8}
M man8/s6-tlsclient.8
M man8/s6-tlsserver.8
M Makefile => Makefile +2 -6
@@ 18,12 18,8 @@ man8_targets = \
	s6-tcpclient.8 \
	s6-tcpserver.8 \
	s6-tcpserver-access.8 \
	s6-tcpserver4.8 \
	s6-tcpserver4-socketbinder.8 \
	s6-tcpserver4d.8 \
	s6-tcpserver6.8 \
	s6-tcpserver6-socketbinder.8 \
	s6-tcpserver6d.8 \
	s6-tcpserver-socketbinder.8 \
        s6-tcpserverd.8 \
	s6-tlsc.8 \
	s6-tlsc-io.8 \
	s6-tlsclient.8 \

M man8/s6-tcpclient.8 => man8/s6-tcpclient.8 +4 -8
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 11, 2023
.Dt S6-TCPCLIENT 8
.Os
.Sh NAME


@@ 126,7 126,7 @@ By default, port selection is left to the operating system.
Use
.Ar localname
as the value of the
.Ev TCPLOCALPATH
.Ev TCPLOCALHOST
environment variable instead of looking it up via the DNS.
.It Fl T Ar timeoutconn
Configure the connection timeouts.


@@ 195,12 195,8 @@ Else unset.
.El
.Sh SEE ALSO
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Xr s6-tcpserver-socketbinder 8 ,
.Xr s6-tcpserverd 8
.Pp
[1]
.Lk https://cr.yp.to/proto/ucspi.txt

M man8/s6-tcpserver-access.8 => man8/s6-tcpserver-access.8 +22 -37
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 11, 2023
.Dt S6-TCPSERVER-ACCESS 8
.Os
.Sh NAME


@@ 31,14 31,9 @@ It additionally performs some fine-tuning on a TCP socket.
.Nm
checks it is run under a UCSPI server tool
such as
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8
or
.Xr s6-tcpserver6 8 ,
or their stripped-down versions
.Xr s6-tcpserver4d 8
or
.Xr s6-tcpserver6d 8 .
.Xr s6-tcpserver 8
or its stripped-down version
.Xr s6-tcpserverd 8 .
.Pp
It checks that the remote end of the connection fits the accepted
criteria defined by the database contained in


@@ 57,21 52,13 @@ instructions to override
.Ar prog... .
.Pp
.Nm
works with
.Xr s6-tcpserver4d 8 ,
handling IPv4 addresses, as well as
.Xr s6-tcpserver6d 8 ,
handling IPv6 addresses.
It will automatically detect the remote address type and match it
against the correct subdatabase.
.Pp
.Nm
may perform several DNS queries.
For efficiency purposes, it does as many of them as possible in
parallel.
However, if asked to do an IDENT query, it does not parallelize it
with DNS queries.
Take that into account when estimating a proper <em>timeout</em>
Take that into account when estimating a proper
.Ar timeout
value.
.Ss Access rule checking
.Nm


@@ 253,7 240,7 @@ environment variables.
Enable DNS lookups.
This is the default.
.It Fl R
DDisable IDENT lookups for the
Disable IDENT lookups for the
.Ev ${PROTO}REMOTEINFO
environment variable.
This is the default.


@@ 305,9 292,7 @@ and
.Fl x
are mutually exclusive.
If none of those options is given, no credential checking will be
performed, and a warning will be emitted on every connection if
.Ar verbosity
is 2 or more.
performed.
.El
.Sh ENVIRONMENT
.Nm


@@ 315,10 300,13 @@ expects to inherit some environment variables from
its parent:
.Bl -tag -width x
.It Ev PROTO
Normally TCP, but could be anything else, like SSL.
Normally TCP, but could be anything else.
.It Ev ${PROTO}LOCALIP
The local address of the socket.
.It Ev ${PROTO}LOCALPORT
The local port of the socket.
.It Ev ${PROTO}REMOTEIP
The remote address of the socket, i.e. the client's IP address.
This can be IPv4 or (if the underlying skalibs supports it) IPv6.
.It Ev ${PROTO}REMOTEPORT
The remote port of the socket.
.El


@@ 326,14 314,8 @@ The remote port of the socket.
Additionally, it exports the following variables before executing into
.Ar prog... :
.Bl -tag -width x
.It Ev ${PROTO}LOCALIP
Set to the local address of the socket.
.It Ev ${PROTO}LOCALPORT
Set to the local port of the socket.
.It Ev ${PROTO}REMOTEINFO
Normally unset, but set to the information retrieved from
.Ev ${PROTO}REMOTEIP
via the IDENT protocol if the
.It Ev ${PROTO}REMOTEIP
Via the IDENT protocol if the
.Fl r
option has been given.
.It Ev ${PROTO}REMOTEHOST


@@ 348,6 330,12 @@ If the
option has been given, set to
.Ar localname
instead.
.It Ev ${PROTO}REMOTEINFO
Normally unset, but set to the information retrieved from
.Ev ${PROTO}REMOTEIP
via the IDENT protocol if the
.Fl r
option has been given.
.El
.Pp
Also, the access rules database can instruct


@@ 359,10 347,7 @@ client address.
.Xr s6-accessrules-cdb-from-fs 8 ,
.Xr s6-envdir 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6d 8
.Xr s6-tcpserverd 8
.Pp
[1]
.Lk https://en.wikipedia.org/wiki/Cdb_(software)

R man8/s6-tcpserver4-socketbinder.8 => man8/s6-tcpserver-socketbinder.8 +40 -30
@@ 1,9 1,9 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER4-SOCKETBINDER 8
.Dd November 11, 2023
.Dt S6-TCPSERVER-SOCKETBINDER 8
.Os
.Sh NAME
.Nm s6-tcpserver4-socketbinder
.Nd bind an INET domain socket to an IPv4 address and port, then execute a program
.Nm s6-tcpserver-socketbinder
.Nd bind an INET domain socket to an IPv4 or IPv6 address and port, then execute a program
.Sh SYNOPSIS
.Nm
.Op Fl d | Fl D


@@ 15,49 15,63 @@
.Ar prog...
.Sh DESCRIPTION
.Nm
creates a TCP socket and binds it to IPv4 address
creates a TCP socket and binds it to IP address
.Ar ip ,
port
.Ar port .
.Pp
It prepares the socket to accept connections by calling
.Xr listen 2 .
.Pp
It then
.Xr exec 3
s into
.Xr exec 3 Ns
into
.Ar prog...
with the open socket as its standard input.
.Pp
The socket is provided
.Sy non-blocking by default .
.Em non-blocking by default .
.Pp
.Nm
is part of a set of basic blocks used to build a flexible TCP/IPv4
is part of a set of basic blocks used to build a flexible TCP/IP
super-server.
It normally should be given a command line crafted to make it execute
into
.Xr s6-tcpserver4d 8
.Xr s6-tcpserverd 8
to accept connections from clients, or into a program such as
.Xr s6-applyuidgid 8
to drop privileges before doing so.
.Pp
The
.Xr s6-tcpserver4 8
.Xr s6-tcpserver 8
program does exactly this.
It implements a full TCP/IPv4 super-server by building a command line
It implements a full TCP/IP super-server by building a command line
starting with
.Nm
and ending with
.Xr s6-tcpserver4d 8
.Xr s6-tcpserverd 8
followed by the application program, and executing into it.
.Pp
For
.Nm ,
.Ql ::
means
.Dq all IPv6 addresses ,
and
.Ql 0.0.0.0
means
.Dq all IPv4 addresses .
It does not provide a way to bind a socket to all addresses regardless
of protocol; instead, you should use two sockets, one for IPv4 and one
for IPv6.
.Sh OPTIONS
.Bl -tag -width x
.It Fl d
Allow instant rebinding to the same IP and port even if it has been
used not long ago - this is the
used not long ago \(em this is the
.Dv SO_REUSEADDR
flag to
.Xr setsockopt 2
.Xr  setsockopt 2
and is generally used with server programs.
This is the default.
.It Fl D


@@ 65,15 79,13 @@ Disallow instant rebinding to the same path.
.It Fl b Ar backlog
Set a maximum of
.Ar backlog
backlog connections on the socket - extra connection attempts will
backlog connections on the socket \(em extra connection attempts will
rejected by the kernel.
The default is
.Dv SOMAXCONN ,
i.e. the maximum number allowed by the system.
The default is the maximum number allowed by the system.
If
.Ar backlog
is 0, then the socket will be created, but it
.Sy will not be listening .
.Em will not be listening .
.It Fl M
Create a TCP socket.
This is the default.


@@ 81,28 93,26 @@ This is the default.
Create a UDP socket.
Note that by default UDP sockets are not connection-mode, and
.Xr listen 2
will fail - so you should always give the
.Ql -b0
will fail \(em so you should always give the
.Ql b0
option to
.Nm
along with
.Ql -m .
.Fl m .
.It Fl B
Create a blocking socket.
Default is non-blocking.
.El
.Sh SEE ALSO
.Xr listen 2 ,
.Xr setsockopt 2 ,
.Xr exec 3 ,
.Xr s6-applyuidgid 8 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Xr s6-tcpserverd 8
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver4-socketbinder.html
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver-socketbinder.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

M man8/s6-tcpserver.8 => man8/s6-tcpserver.8 +171 -77
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 11, 2023
.Dt S6-TCPSERVER 8
.Os
.Sh NAME


@@ 7,7 7,6 @@
.Sh SYNOPSIS
.Nm
.Op Fl q | Fl Q | Fl v
.Op Fl 4 | Fl 6
.Op Fl 1
.Op Fl c Ar maxconn
.Op Fl C Ar localmaxconn


@@ 21,105 20,200 @@
.Ar prog...
.Sh DESCRIPTION
.Nm
accepts connections from clients, and forks a program to handle each
accepts connections from clients, and spawns a program to handle each
connection.
.Pp
.Nm
executes into
.Xr s6-tcpserver4 8
or into
.Xr s6-tcpserver6 8
depending on whether
binds to local IP address
.Ar ip
is an IPv4 or IPv6 address.
It modifies some of its option syntax to match
.Xr s6-tcpserver4 8
and
.Xr s6-tcpserver6 8 Ap
s.
.Po
which can be IPv4 or IPv6
.Pc ,
port
.Ar port .
.Pp
It closes its stdin and stdout.
.Pp
For every TCP connection to this address and port, it spawns a
.Ar prog...
child with stdin reading from the network socket and stdout writing to
it.
.Pp
.Xr s6-tcpserver4 8
or
.Xr s6-tcpserver6 8
handles the connection itself.
Depending on the verbosity level, it logs what it does to stderr.
.Pp
It runs until killed by a signal.
Depending on the received signal, it may kill its children before
exiting.
.Pp
Unlike its ancestor tcpserver[2],
.Nm
will not bind to every available IP address of the machine whether
they are v4 or v6; on the other hand, it can bind to every available
IPv4 address (if
.Ar ip
is
.Ql 0.0.0.0 )
or to every available IPv6 address (if
.Ar ip
is
.Ql :: .
Two instances of
performs just the bare minimum: the point is to have a very small and
very fast process to serve connections with the least possible
overhead.
Features such as access control and DNS resolution are provided via
the
.Xr s6-tcpserver-access 8
+program.
.Pp
.Nm
can cover every available address.
is actually a wrapper that rewrites itself into a command line
running:
.Bl -bullet -width x
.It
.Xr s6-tcpserver-socketbinder 8 ,
that binds the socket and listens to it.
.It
.Xr s6-applyuidgid 8 ,
that drops privileges.
.It
.Xr s6-tcpserverd 8 ,
the long-lived process that actually accepts the connections.
So if you see in your
.Xr ps 1
output that the name of the process is
.Ql s6-tcpserverd ,
that's why.
.El
.Pp
.Nm
treats IPv4 and IPv6 separately.
If you want to listen on
.Em all
the addresses of a machine no matter whether v4 or v6, then you need
to run
.Em two
.Nm
processes: one on
.Ql 0.0.0.0
and one on
.Ql :: .
.Ss Signals
.Bl -tag -width x
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children.
.It Dv SIGQUIT
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children, then exit.
.It Dv SIGABRT
Send a SIGKILL to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.It Fl q
Be quiet.
This is converted into
.Fl v Ns 0
for
.Xr s6-tcpserver4 8
or
.Xr s6-tcpserver6 8 .
Only print fatal error messages to stderr.
.It Fl Q
Be normally quiet.
This is converted into
.Fl v Ns 1
for
.Xr s6-tcpserver4 8
or
.Xr s6-tcpserver6 8 .
Print warnings and fatal error messages to stderr.
This is the default.
.It Fl v
Be verbose.
This is converted into
.Fl v Ns 2
for
.Xr s6-tcpserver4 8
or
.Xr s6-tcpserver6 8 .
.It Fl 4
IPv4 only.
Interpret
.Ar ip
as IPv4; if it is invalid, exit 100.
.It Fl 6
IPv6 only.
Interpret
.Ar ip
as IPv6; if it is invalid, exit 100.
If neither the
.Fl 4
nor the
.Fl 6
option is given,
.Nm
will parse
.Ar ip
to determine its family.
Additionally to fatal errors and warnings, also print status and
connection information for every client.
.It Fl 1
Write
.Ar port
to stdout, before closing it, right after binding and listening to the
network socket.
If stdout is suitably redirected, this can be used by monitoring
programs to check when the server is ready to accept connections.
.It Fl c Ar maxconn
Accept at most
.Ar maxconn
concurrent connections.
Default is 40.
It is impossible to set it higher than 1000.
.It Fl C Ar localmaxconn
Accept at most
.Ar localmaxconn
connections from the same IP address.
Default is 40.
It is impossible to set it higher than
.Ar maxconn .
.It Fl b Ar backlog
Set a maximum of
.Ar backlog
backlog connections on the socket.
Extra connection attempts will rejected by the kernel.
.It Fl G Ar gidlist
Change
.Nm Ap
s supplementary group list to
.Ar gidlist
after binding the socket.
This is only valid when run as root.
.Ar gidlist must be a comma-separated list of numerical group IDs.
.It Fl g Ar gid
Change
.Nm s
group id to
.Ar gid
after binding the socket.
This is only valid when run as root.
.It Fl u Ar uid
Change
.Nm Ap
s user id to
.Ar uid
after binding the socket.
This is only valid when run as root.
.It Fl U
Change
.Nm Ap
s user id, group id and supplementary group list according to the values of the
.Ev UID ,
.Ev GID
and
.Ev GIDLIST
environment variables after binding the socket.
This is only valid when run as root.
This can be used with the
.Xr s6-envuidgid 8
program to easily script a service that binds to a privileged socket
then drops its privileges to those of a named non-root account.
.El
.Sh ENVIRONMENT
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
.Bl -tag -width x
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP
Set to the server's address.
.It Ev TCPLOCALPORT
Set to the server's port.
.It Ev TCPREMOTEIP
Set to the client's address.
.It Ev TCPREMOTEPORT
Set to the client's port.
.It Ev TCPCONNNUM
Set to the number of connections originating from the same IP address.
.El
.Pp
Every other option is passed verbatim to
.Xr s6-tcpserver4 8 or
.Xr s6-tcpserver6 8 .
.Sh SEE ALSO
.Xr ps 1 ,
.Xr s6-applyuidgid 8 ,
.Xr s6-envuidgid 8 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Xr s6-tcpserver-access 8 ,
.Xr s6-tcpserver-socketbinder 8 ,
.Xr s6-tcpserverd 8
.Pp
[1]
.Lk https://cr.yp.to/proto/ucspi.txt
.Pp
[2]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver.html
.Sh AUTHORS

D man8/s6-tcpserver4.8 => man8/s6-tcpserver4.8 +0 -201
@@ 1,201 0,0 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER4 8
.Os
.Sh NAME
.Nm s6-tcpserver4
.Nd super-server for IPv4 TCP connections
.Sh SYNOPSIS
.Nm
.Op Fl 1
.Op Fl v Ar verbosity
.Op Fl c Ar maxconn
.Op Fl C Ar localmaxconn
.Op Fl b Ar backlog
.Op Fl G Ar gidlist
.Op Fl g Ar gid
.Op Fl u Ar uid
.Op Fl U
.Ar ip
.Ar port
.Ar prog...
.Sh DESCRIPTION
.Nm
accepts connections from clients, and forks a program to handle each connection.
.Pp
.Nm
binds to local IPv4 address
.Ar ip ,
port
.Ar port .
.Pp
It closes its stdin and stdout.
.Pp
For every TCP connection to this address and port, it forks.
The child sets some environment variables, then executes
.Ar prog...
with stdin reading from the network socket and stdout writing to it.
.Pp
Depending on the verbosity level, it logs what it does to stderr.
.Pp
It runs until killed by a signal.
Depending on the received signal, it may kill its children before
exiting.
.Pp
.Nm
actually doesn't do any of this itself.
It is a wrapper, rewriting the command line and executing into a chain
of programs that perform those duties.
.Pp
Unlike its ancestor tcpserver[1],
.Nm
performs just the bare minimum: the point is to have a very small and
very fast process to serve connections with the least possible
overhead.
Features such as additional environment variables, access control and
DNS resolution are provided via the
.Xr s6-tcpserver-access 8
program.
.Pp
In previous releases of s6-networking,
.Nm
was monolithic: it did the work of
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-applyuidgid 8
and
.Xr s6-tcpserver4d 8
itself.
The functionality has now been split into several different programs
because some service startup schemes require the daemon to get its
socket from an external program instead of creating and binding it
itself.
The most obvious application of this is upgrading a long-lived process
without losing existing connections.
.Ss Signals
.Bl -tag -width x
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children.
.It SIGQUIT
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children, then exit.
.It SIGABRT
Send a
.Dv SIGKILL
to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.It Fl 1
write
.Ar port
to stdout, before closing it, right after binding and listening to the
network socket.
If stdout is suitably redirected, this can be used by monitoring
programs to check when the server is ready to accept connections.
.It Fl v Ar verbosity
Be more or less verbose.
By default,
.Ar verbosity
is 1: print warning messages to stderr.
0 means only print fatal error messages; 2 means print status and
connection information for every client.
.It Fl c Ar maxconn
Accept at most
.Ar maxconn
concurrent connections.
Default is 40.
It is impossible to set it higher than 1000.
.It Fl C Ar localmaxconn
Accept at most
.Ar localmaxconn
connections from the same IP address.
Default is 40.
It is impossible to set it higher than
.Ar maxconn .
.It Fl b Ar backlog
Set a maximum of
.Ar backlog
backlog connections on the socket.
Extra connection attempts will rejected by the kernel.
.It Fl G Ar gidlist
Change
.Nm Ap
s supplementary group list to
.Ar gidlist
after binding the socket.
This is only valid when run as root.
.Ar gidlist
must be a comma-separated list of numerical group IDs.
.It Fl g Ar gid
Change
.Nm Ap
s group id to
.Ar gid
after binding the socket.
This is only valid when run as root.
.It Fl u Ar uid
Change
.Nm Ap
s user id
to
.Ar uid
after binding the socket.
This is only valid when run as root.
.It Fl U
Change
.Nm Ap
s user id, group id and supplementary group list according to the
values of the
.Ev UID ,
.Ev GID
and
.Ev GIDLIST
environment variables after binding the socket.
This is only valid when run as root.
This can be used with the
.Xr s6-envuidgid 8
program to easily script a service that binds to a privileged socket
then drops its privileges to those of a named non-root account.
.El
.Sh ENVIRONMENT
For each connection, an instance of
.Ar prog...
is spawned with
the following variables set:
.Bl -tag -width x
.It Ev PROTO
Always set to TCP.
.It Ev TCPREMOTEIP
Set to the originating address.
.It Ev TCPREMOTEPORT
Set to the originating port.
.It Ev TCPCONNNUM
Set to the number of connections originating from the same IP address.
.El
.Sh SEE ALSO
.Xr s6-applyuidgid 8 ,
.Xr s6-envuidgid 8 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver-access 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Pp
[1]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver4.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

D man8/s6-tcpserver6-socketbinder.8 => man8/s6-tcpserver6-socketbinder.8 +0 -107
@@ 1,107 0,0 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER6-SOCKETBINDER 8
.Os
.Sh NAME
.Nm s6-tcpserver6-socketbinder
.Nd bind an INET domain socket to an IPv6 address and port, then execute a program
.Sh SYNOPSIS
.Nm
.Op Fl d | Fl D
.Op Fl b Ar backlog
.Op Fl M | Fl m
.Op Fl B
.Ar ip
.Ar port
.Ar prog...
.Sh DESCRIPTION
.Nm
creates an TCP socket
and binds it to IPv6 address
.Ar ip ,
port
.Ar port .
It prepares the socket to accept connections by calling
.Xr listen 2 .
.Pp
It then execs into
.Ar prog...
with the open socket as its standard input.
.Pp
The socket is provided
.Sy non-blocking by default .
.Pp
.Nm
is part of a set of basic blocks used to build a flexible TCP/IPv6
super-server.
It normally should be given a command line crafted to make it execute
into
.Xr s6-tcpserver6d 8
to accept connections from clients, or into a program such as
.Xr s6-applyuidgid 8
to drop privileges before doing so.
.Pp
The
.Xr s6-tcpserver6 8
program does exactly this.
It implements a full TCP/IPv6 super-server by building a command line
starting with
.Nm
and ending with
.Xr s6-tcpserver6d 8
followed by the application program, and executing into it.
.Sh OPTIONS
.Bl -tag -width x
.It Fl d
Allow instant rebinding to the same IP and port even if it has been
used not long ago - this is the
.Dv SO_REUSEADDR
flag to
.Xr setsockopt 2
and is generally used with server programs.
This is the default.
.It Fl D
Disallow instant rebinding to the same path.
.It Fl b Ar backlog
Set a maximum of
.Ar backlog
backlog connections on the socket - extra connection attempts will
rejected by the kernel.
The default is
.Dv SOMAXCONN ,
i.e. the maximum number allowed by the system.
If
.Ar backlog
is 0, then the socket will be created, but it
.Sy will not be listening .
.It Fl M
Create a TCP socket.
This is the default.
.It Fl m
Create a UDP socket.
Note that by default UDP sockets are not connection-mode, and
.Xr listen 2
will fail - so you should always give the
.Ql -b0
option to
.Nm
along with
.Ql -m .
.It Fl B
Create a blocking socket.
Default is non-blocking.
.El
.Sh SEE ALSO
.Xr s6-applyuidgid 8 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6d 8
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver6-socketbinder.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

D man8/s6-tcpserver6.8 => man8/s6-tcpserver6.8 +0 -199
@@ 1,199 0,0 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER6 8
.Os
.Sh NAME
.Nm s6-tcpserver6
.Nd super-server for IPv6 TCP connections
.Sh SYNOPSIS
.Nm
.Op Fl 1
.Op Fl v Ar verbosity
.Op Fl c Ar maxconn
.Op Fl C Ar localmaxconn
.Op Fl b Ar backlog
.Op Fl G Ar gidlist
.Op Fl g Ar gid
.Op Fl u Ar uid
.Op Fl U
.Ar ip
.Ar port
.Ar prog
.Sh DESCRIPTION
.Nm
accepts connections from clients, and forks a program to handle each
connection.
.Pp
.Nm
binds to local IPv6 address
.Ar ip ,
port
.Ar port .
.Pp
It closes its stdin and stdout.
.Pp
For every TCP connection to this address and port, it forks.
The child sets some environment variables, then executes
.Ar prog...
with stdin reading from the network socket and stdout writing to it.
.Pp
Depending on the verbosity level, it logs what it does to stderr.
.Pp
It runs until killed by a signal.
Depending on the received signal, it may kill its children before
exiting.
.Pp
.Nm
actually doesn't do any of this itself.
It is a wrapper, rewriting the command line and executing into a chain
of programs that perform those duties.
.Pp
.Nm
will only serve real IPv6 addresses; it does not default to an IPv4
address.
The
.Xr s6-tcpserver4 8
program should be used to serve IPv4 addresses.
.Pp
.Nm
will only work if the underlying skalibs[1] has been compiled with
IPv6 support.
.Pp
In previous releases of s6-networking, s6-tcpserver6 was
monolithic: it did the work of
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-applyuidgid 8
and
.Xr s6-tcpserver6d 8
itself.
The functionality has now been split into several different programs
because some service startup schemes require the daemon to get its
socket from an external program instead of creating and binding it
itself.
The most obvious application of this is upgrading a long-lived process
without losing existing connections.
.Ss Signals
.Bl -tag -width x
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children.
.It Dv SIGQUIT
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children, then exit.
.It Dv SIGABRT
Send a
.Dv SIGKILL
to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.It Fl 1
Write
.Ar port
to stdout, before closing it, right after binding and listening to the
network socket.
If stdout is suitably redirected, this can be used by monitoring
programs to check when the server is ready to accept connections.
.It Fl v Ar verbosity
Be more or less verbose.
By default,
.Ar verbosity
is 1: print warning messages to stderr.
0 means only print fatal error messages; 2 means print status and
connection information for every client.
.It Fl c Ar maxconn
Accept at most
.Ar maxconn
concurrent connections.
Default is 40.
It is impossible to set it higher than 1000.
.It Fl C Ar localmaxconn
Accept at most
.Ar localmaxconn
connections from the same IP address.
Default is 40.
It is impossible to set it higher than
.Ar maxconn .
.It Fl b Ar backlog
Set a maximum of
.Ar backlog
backlog connections on the socket.
Extra connection attempts will rejected by the kernel.
.It Fl G Ar gidlist
Change
.Nm Ap
s supplementary group list to
.Ar gidlist
after binding the socket.
This is only valid when run as root.
.Ar gidlist
must be a comma-separated list of numerical group IDs.
.It Fl g Ar gid
Change
.Nm Ap
s group id to
.Ar gid
after binding the socket.
This is only valid when run as root.
.It Fl u Ar uid
Change
.Nm Ap
s user id to
.Ar uid
after binding the socket.
This is only valid when run as root.
.It Fl U
Change
.Nm Ap
s user id, group id and supplementary group list according to the values of the
.Ev UID ,
.Ev GID
and
.Ev GIDLIST
environment variables after binding the socket.
This is only valid when run as root.
This can be used with the
.Xr s6-envuidgid 8
program to easily script a service that binds to a privileged socket
then drops its privileges to those of a named non-root account.
.El
.Sh ENVIRONMENT
For each connection, an instance of <em>prog...</em> is spawned with
the following variables set:
.Bl -tag -width x
.It Ev PROTO
Always set to TCP.
.It Ev TCPREMOTEIP
Set to the originating address, in canonical IPv6 form.
.It Ev TCPREMOTEPORT
Set to the originating port.
.It Ev TCPCONNNUM
Set to the number of connections originating from the same IPv6
address.
.El
.Sh SEE ALSO
.Xr s6-applyuidgid 8 ,
.Xr s6-envuidgid 8 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Pp
[1]
.Lk https://skarnet.org/software/skalibs/
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver6.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

D man8/s6-tcpserver6d.8 => man8/s6-tcpserver6d.8 +0 -143
@@ 1,143 0,0 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER6D 8
.Os
.Sh NAME
.Nm s6-tcpserver6d
.Nd the serving part of the
.Xr s6-tcpserver6 8
super-server
.Sh SYNOPSIS
.Nm
.Op Fl 1
.Op Fl v Ar verbosity
.Op Fl c Ar maxconn
.Op Fl C Ar localmaxconn
.Ar prog...
.Sh DESCRIPTION
.Nm
assumes that its stdin is a bound and listening TCP/IPv6 socket, and
it accepts connections from clients connecting to it, forking a
program to handle each connection.
.Pp
.Nm
accepts connections from clients to an already bound and listening TCP
socket which is its standard input.
.Pp
For every TCP connection to this socket, it forks.
The child sets some environment variables, then
executes
.Ar prog...
with stdin reading from the network socket and stdout writing to it.
.Pp
Depending on the verbosity level, it logs what it does to stderr.
.Pp
It runs until killed by a signal.
Depending on the received signal, it may kill its children before
exiting.
.Pp
Unlike its ancestor tcpserver[1],
.Nm
performs just the bare minimum: the point is to have a very small and
very fast process to serve connections with the least possible
overhead.
Features such as additional environment variables, access control and
DNS resolution are provided via the
.Xr s6-tcpserver-access 8
program.
.Pp
.Nm
is meant to be
.Xr execve 2 Ap
d into by a program that gets the listening socket.
That program is normally
.Xr s6-tcpserver6-socketbinder 8 ,
which creates the socket itself; but it can be a different one if the
socket is to be retrieved by another means, for instance by fd-passing
from a fd-holding daemon (some people call this
.Dq socket activation Ns
).
.Ss Signals
.Bl -tag -width x
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children.
.It Dv SIGQUIT
Send a
.Dv SIGTERM
and a
.Dv SIGCONT
to all children, then exit.
.It Dv SIGABRT
Send a
.Dv SIGKILL
to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.It Fl 1
Write a newline to stdout, and close stdout, right before entering the
client-accepting loop.
If stdout is suitably redirected, this can be used by monitoring
programs to check when the server is accepting connections, for
instance s6's
.Xr s6-notifywhenup 7
readiness notification mechanism.
.It Fl v Ar verbosity
Be more or less verbose.
By default,
.Ar verbosity
is 1: print warning messages to stderr.
0 means only print fatal error messages; 2 means print status and
connection information for every client.
.It Fl c Ar maxconn
Accept at most
.Ar maxconn
concurrent connections.
Default is 40.
It is impossible to set it higher than 1000.
.It Fl C Ar localmaxconn
Accept at most
.Ar localmaxconn
connections from the same IP address.
Default is 40.
It is impossible to set it higher than
.Ar maxconn .
.El
.Sh ENVIRONMENT
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
.Bl -tag -width x
.It Ev PROTO
Always set to TCP.
.It Ev TCPREMOTEIP
Set to the originating address.
.It Ev TCPREMOTEPORT
Set to the originating port.
.It Ev TCPCONNNUM
Set to the number of connections originating from the same IP address.
.El
.Sh SEE ALSO
.Xr s6-notifywhenup 7 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver-access 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8
.Pp
[1]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver6d.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

R man8/s6-tcpserver4d.8 => man8/s6-tcpserverd.8 +40 -34
@@ 1,32 1,36 @@
.Dd September 29, 2021
.Dt S6-TCPSERVER4D 8
.Dd November 11, 2023
.Dt S6-TCPSERVERD 8
.Os
.Sh NAME
.Nm s6-tcpserver4d
.Nm s6-tcpserverd
.Nd the serving part of the
.Xr s6-tcpserver4 8
.Xr s6-tcpserver 8
super-server
.Sh SYNOPSIS
.Nm
s6-tcpserverd
.Op Fl 1
.Op Fl v Ar verbosity
.Op Fl c Ar maxconn
.Op Fl C Ar localmaxconn
.Ar Fl C Ar localmaxconn
.Ar prog...
.Sh DESCRIPTION
.Nm
assumes that its stdin is a bound and listening TCP/IPv4 socket, and
it accepts connections from clients connecting to it, forking a
is the serving part of the
.Xr s6-tcpserver 8
super-server.
It assumes that its stdin is a bound and listening TCP/IP socket, and
it accepts connections from clients connecting to it, spawning a
program to handle each connection.
.Pp
.Nm
accepts connections from clients to an already bound and listening TCP
socket which is its standard input.
.Pp
For every TCP connection to this socket, it forks.
The child sets some environment variables, then executes
For every TCP connection to this socket, it spawns a
.Ar prog...
with stdin reading from the network socket and stdout writing to it.
child with stdin reading from the network socket and stdout writing to
it.
.Pp
Depending on the verbosity level, it logs what it does to stderr.
.Pp


@@ 36,11 40,10 @@ exiting.
.Pp
Unlike its ancestor tcpserver[1],
.Nm
performs just the bare minimum: the point is to have a very small and
very fast process to serve connections with the least possible
overhead.
Features such as additional environment variables, access control and
DNS resolution are provided via the
performs just the bare minimum: the point is to have a small and very
fast process to serve connections with the least possible overhead.
Features such as access control and DNS resolution are provided via
the
.Xr s6-tcpserver-access 8
program.
.Pp


@@ 49,12 52,14 @@ is meant to be
.Xr execve 2 Ap
d into by a program that gets the listening socket.
That program is normally
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver-socketbinder 8 ,
which creates the socket itself; but it can be a different one if the
socket is to be retrieved by another means, for instance by fd-passing
from a fd-holding daemon (some people call this
.Dq socket activation Ns
).
from a fd-holding daemon
.Po
some people call this
.Dq socket activation
.Pc .
.Ss Signals
.Bl -tag -width x
.It Dv SIGTERM


@@ 79,8 84,8 @@ to all children, then exit.
.Sh OPTIONS
.Bl -tag -width x
.It Fl 1
Write a newline to stdout, and close stdout, right before entering the
client-accepting loop.
Write the local port, followed by newline, to stdout, and close
stdout, right before entering the client-accepting loop.
If stdout is suitably redirected, this can be used by monitoring
programs to check when the server is accepting connections.
This can be used with s6's


@@ 96,10 101,9 @@ is 1: print warning messages to stderr.
connection information for every client.
.It Fl c Ar maxconn
Accept at most
.Ar maxconn
concurrent connections.
.Ar maxconn concurrent connections.
Default is 40.
It is impossible to set it higher than 1000.
It is impossible to set it higher than 16384.
.It Fl C Ar localmaxconn
Accept at most
.Ar localmaxconn


@@ 109,34 113,36 @@ It is impossible to set it higher than
.Ar maxconn .
.El
.Sh ENVIRONMENT
For each connection, an instance of <em>prog...</em> is spawned with
the following variables set:
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
.Bl -tag -width x
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP
Set to the server socket's address.
.It Ev TCPLOCALPORT
Set to the server socket's port.
.It Ev TCPREMOTEIP
Set to the originating address.
Set to the client socket's address.
.It Ev TCPREMOTEPORT
Set to the originating port.
Set to the client socket's port.
.It Ev TCPCONNNUM
Set to the number of connections originating from the same IP address.
.El
.Sh SEE ALSO
.Xr execve 2 ,
.Xr s6-notifywhenup 7 ,
.Xr s6-tcpclient 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver-access 8 ,
.Xr s6-tcpserver4 8 ,
.Xr s6-tcpserver4-socketbinder 8 ,
.Xr s6-tcpserver6 8 ,
.Xr s6-tcpserver6-socketbinder 8 ,
.Xr s6-tcpserver6d 8
.Xr s6-tcpserver-socketbinder 8
.Pp
[1]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserver4d.html
.Lk https://skarnet.org/software/s6-networking/s6-tcpserverd.html
.Sh AUTHORS
.An Laurent Bercot
.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)

M man8/s6-tlsclient.8 => man8/s6-tlsclient.8 +36 -44
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 11, 2023
.Dt S6-TLSCLIENT 8
.Os
.Sh NAME


@@ 69,54 69,46 @@ option and do not provide a server name via
.Sy SNI will not be used, which may be a security risk .
.Sh OPTIONS
.Nm
accepts a myriad of options, most of which are passed as is to the
accepts a myriad of options, all of which are passed as is to the
correct executable.
Not giving any options will generally work: the defaults are sensible.
.Ss Options passed as-is to Xr s6-tcpclient 1
.Bl -bullet -width x
.It
.Fl q ,
.Fl Q ,
.Fl v
.It
.Fl 4 ,
.Fl 6
.It
.Fl d ,
.Fl D
.It
.Fl r ,
.fl R
.It
.Fl h ,
.Fl H ,
.Fl l Ar localname
.It
.Fl n ,
.Fl N
.It
.Fl t Ar timeout
.It
.Fl i Ar localip ,
.Fl p Ar localport
.It
.Fl T Ar timeoutconn
.Bl -tag -width x
.It Fl q , Fl Q , Fl v
Be quiet, normally verbose, or verbose.
.It Fl 4 , Fl 6
Stick to IPv4 or IPv6 addresses.
.It Fl d , Fl D
Enable or disable Nagle's algorithm.
.It Fl r , Fl R
Enable or disable IDENT lookup.
.It Fl h , Fl H
Enable or disable DNS lookups.
.It Fl l Ar localname
Get the local name from the command line, not from a DNS lookup.
.It Fl n , Fl N
Qualify the host or not when resolving it.
.It Fl t Ar timeout
Global timeout on the connection attempt.
.It Fl i Ar localip , Fl p Ar localport
Force local socket parameters.
.It Fl T Ar timeoutconn
Configurable connection timeouts.
.El
.Ss Options passed as-is to Xr s6-tlsc 1
.Bl -bullet -width x
.It
.Fl Z ,
.Fl z
.It
.Fl S ,
.Fl s
.It
.Fl Y ,
.Fl y
.It
.Fl k Ar servername
.It
.Fl K Ar kimeout
.Bl -tag -width x
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsc-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
Use close_notify or EOF to signal the end of a TLS connection.
.It Fl Y , Fl y
Don't send, or send, a client certificate.
.It Fl k Ar servername
Use SNI and provide a server name.
.It Fl K Ar kimeout
Set a timeout for the TLS handshake.
.El
.Sh ENVIRONMENT
.Ss Read

M man8/s6-tlsserver.8 => man8/s6-tlsserver.8 +58 -109
@@ 1,4 1,4 @@
.Dd January 15, 2023
.Dd November 11, 2023
.Dt S6-TLSSERVER 8
.Os
.Sh NAME


@@ 32,9 32,7 @@ Note that
also rewrites itself into a more complex command line
.Po
the final long-lived process being
.Xr s6-tcpserver4d 8
or
.Xr s6-tcpserver6d 8
.Xr s6-tcpserverd 8
.Pc ,
so your end command line may look a lot longer in
.Xr ps 1


@@ 75,119 73,73 @@ descriptors will not be a network socket - they will be pipes.
.Ss Signals
.Nm
reacts to the same signals as
.Xr s6-tcpserver4d 8
or
.Xr s6-tcpserver6d 8 ,
one of which is the long-lived process hanging around.
.Xr s6-tcpserverd 8 ,
which is the long-lived process hanging around.
.Sh OPTIONS
.Nm
accepts a myriad of options, most of which are passed as is to the
accepts a myriad of options, all of which are passed as is to the
correct executable.
Not giving any options will generally work, but unless you're running
a very public server (such as a Web server) or base your access
control on client certificates, you probably still want TCP access
rules.
.Ss Options handled directly by s6-tlsserver
.Bl -bullet -width x
.It
.Fl e
indicates that
.Xr s6-tcpserver-access 8
should be invoked, even if no other option requires it, even in the
absence of an access control ruleset.
This ensures that
.Ar prog...
will always have access to environment variables such as
.Ev TCPLOCALPORT .
This option also ensures that the log does not get spammed with
spurious
.Dq no ruleset
warnings if the
.Fl v
option has been
given but no
.Fl i
or
.Fl x
option.
.El
.Ss Options passed as-is to Xr s6-tcpserver 1
.Bl -bullet -width x
.It
.Fl q ,
.Fl Q ,
.Fl v
.It
.Fl 4 ,
.Fl 6
.It
.Fl 1
.It
.Fl c Ar maxconn
.It
.Fl C Ar localmaxconn
.It
.Fl b Ar backlog
.Bl -tag -width x
.It Fl q , Fl Q , Fl v
.It Fl 1
.It Fl c Ar maxconn
.It Fl C Ar localmaxconn
.It Fl b Ar backlog
.El
.Ss Options passed as-is to Xr s6-tcpserver-access 1
.Bl -bullet -width x
.It
The verbosity level, if not default, as
.Ql -v0
or
.Ql -v2
.It
.Fl w ,
.Fl W
.It
.Fl d ,
.Fl D
.It
.Fl r ,
.Fl R
.It
.Fl p ,
.Fl P
.It
.Fl h ,
.Fl H ,
.Fl l Ar localname
.It
.Fl B Ar banner
.It
.Fl t Ar timeout
.It
.Fl i Ar rulesdir ,
.Fl x Ar rulesfile
.Bl -tag -width x
.It Fl v0 , Fl v2
The verbosity level.
.It Fl w , Fl W
Be strict or tolerant with DNS or IDENT resolution errors.
.It Fl d , Fl D
Enable or disable Nagle's algorithm.
.It Fl r , Fl R
Enable or disable IDENT lookups.
.It Fl p , Fl P
Enable or disable paranoid DNS cross-checking.
.It Fl h , Fl H
Enable or disable DNS lookups.
.It Fl l Ar localname
Get the local name from the command line, not from DNS.
.It Fl B Ar banner
Initial server-side banner.
.It Fl t Ar timeout
Set a timeout for all the lookups.
.It Fl i Ar rulesdir , Fl x Ar rulesfile
TCP access control.
.El
.Ss Options passed as-is to Xr s6-tlsd 1
.Bl -bullet -width x
.It
.Fl Z ,
.Fl z
.It
.Fl S ,
.Fl s
.It
.Fl Y ,
.Fl y
.It
.Fl K Ar kimeout
.It
.Fl k Ar snilevel
.Bl -tag -width x
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsd-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
Use close_notify or EOF to signal the end of a TLS connection.
.It Fl Y , Fl y
Request an optional or a mandatory client certificate.
.It Fl K Ar kimeout
Set a timeout for the TLS handshake.
.It Fl k Ar snilevel
Support SNI-based certificate chains.
.El
.Ss Options passed to s6-applyuidgid
.Bl -bullet -width x
.It
.Fl u Ar uid ,
.Fl g Ar gid ,
.Fl G Ar gidlist
.It
.Fl U
.Po
passed as
.Ql -Uz
.Pc
.Bl -tag -width x
.It Fl u Ar uid , Fl g Ar gid , Fl G Ar gidlist
Set uid, gid, or supplementary group list.
.It Fl U Po passed as Fl Uz Pc
Get the uid, gid and supplementary group list from the
.Ev UID ,
.Ev GID
and
.Ev GIDLIST
variables, and remove these variables from the application's environment.
.El
.Sh ENVIRONMENT
.Ss Read


@@ 222,9 174,7 @@ is mandatory.
.Ar prog...
is run with the following variables added to,
or removed from, its environment by
.Xr s6-tcpserver4d 8
or
.Xr s6-tcpserver6d 8 ,
.Xr s6-tcpserverd 8
and possibly by
.Xr s6-tcpserver-access 8 :
.Bl -tag -width x


@@ 279,7 229,7 @@ s environment.
As root:
.Bd -literal -offset indent
env KEYFILE=/etc/ssl/private/mykey.der CERTFILE=/etc/ssl/public/mycert.pem \
TLS_UID=65534 TLS_UID=65534 \
TLS_UID=65534 TLS_GID=65534 \
s6-envuidgid www \
s6-tlsserver -U -- 1.2.3.4 443 httpd
.Ed


@@ 305,8 255,7 @@ that it keeps to itself.
.Xr s6-applyuidgid 8 ,
.Xr s6-tcpserver 8 ,
.Xr s6-tcpserver-access 8 ,
.Xr s6-tcpserver4d 8 ,
.Xr s6-tcpserver6d 8 ,
.Xr s6-tcpserverd 8 ,
.Xr s6-tlsc 8 ,
.Xr s6-tlsc-io 8 ,
.Xr s6-tlsclient 8 ,