HCoop / hcoop / debian / openafs.git / blame
| Commit | Line | Data |
|---|---|---|
| 805e021f CE |
1 | =head1 NAME |
| 2 | ||
| 3 | bos_setrestricted - place a server in restricted mode | |
| 4 | ||
| 5 | =head1 SYNOPSIS | |
| 6 | ||
| 7 | =for html | |
| 8 | <div class="synopsis"> | |
| 9 | ||
| 10 | B<bos setrestricted> S<<< B<-server> <I<machine name>> >>> S<<< B<-mode> (0 | 1) >>> | |
| 11 | S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-localauth>] [B<-help>] | |
| 12 | ||
| 13 | =for html | |
| 14 | </div> | |
| 15 | ||
| 16 | =head1 DESCRIPTION | |
| 17 | ||
| 18 | The B<bos setrestricted> command places the server in restricted mode. This | |
| 19 | mode increases the security of the bos server by removing access to a | |
| 20 | number of bos commands that are only used whilst configuring a system. | |
| 21 | ||
| 22 | When a server is in restricted mode, access to B<bos_exec>, B<bos uninstall>, | |
| 23 | B<bos install>, B<bos create>, B<bos delete>, B<bos prune> | |
| 24 | is denied, and the use of B<bos getlog> is limited. | |
| 25 | ||
| 26 | =head1 CAUTIONS | |
| 27 | ||
| 28 | Once a server has been placed in restricted mode, it may not be opened up | |
| 29 | again using a remote command. That is, B<bos setrestricted> has no method | |
| 30 | of placing the server in unrestricted mode. Once a server is restricted, | |
| 31 | it can only be opened up again by sending it a SIGFPE, which must be done | |
| 32 | as root on the local machine. | |
| 33 | ||
| 34 | =head1 OPTIONS | |
| 35 | ||
| 36 | =over 4 | |
| 37 | ||
| 38 | =item B<-server> <I<machine name>> | |
| 39 | ||
| 40 | Indicates the server machine to restrict. | |
| 41 | ||
| 42 | =item B<-mode> <I<mode>> | |
| 43 | ||
| 44 | Indicates whether to turn restricted mode off or on. Pass a 1 to turn | |
| 45 | restricted mode on, and pass a 0 to turn restricted mode off. The latter | |
| 46 | will only work if the server is already running in unrestricted mode, and | |
| 47 | thus won't do anything immediately, but can be used to change the | |
| 48 | corresponding entry in L<BosConfig(5)>. | |
| 49 | ||
| 50 | =item B<-cell> <I<cell name>> | |
| 51 | ||
| 52 | Names the cell in which to run the command. Do not combine this argument | |
| 53 | with the B<-localauth> flag. For more details, see L<bos(8)>. | |
| 54 | ||
| 55 | =item B<-noauth> | |
| 56 | ||
| 57 | Assigns the unprivileged identity C<anonymous> to the issuer. Do not | |
| 58 | combine this flag with the B<-localauth> flag. For more details, see | |
| 59 | L<bos(8)>. | |
| 60 | ||
| 61 | =item B<-localauth> | |
| 62 | ||
| 63 | Constructs a server ticket using a key from the local | |
| 64 | F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the | |
| 65 | ticket to the BOS Server during mutual authentication. Do not combine this | |
| 66 | flag with the B<-cell> or B<-noauth> options. For more details, see | |
| 67 | L<bos(8)>. | |
| 68 | ||
| 69 | =item B<-help> | |
| 70 | ||
| 71 | Prints the online help for this command. All other valid options are | |
| 72 | ignored. | |
| 73 | ||
| 74 | =back | |
| 75 | ||
| 76 | =head1 PRIVILEGE REQUIRED | |
| 77 | ||
| 78 | The issuer must be listed in the F</usr/afs/etc/UserList> file on the | |
| 79 | machine named by the B<-server> argument, or must be logged in as the | |
| 80 | local superuser C<root> if the B<-localauth> flag is included. | |
| 81 | ||
| 82 | As noted above, this command cannot be run against servers which are | |
| 83 | already in restricted mode. | |
| 84 | ||
| 85 | =head1 SEE ALSO | |
| 86 | ||
| 87 | L<BosConfig(5)>, | |
| 88 | L<bos(8)>, | |
| 89 | L<bos_getrestricted(8)> | |
| 90 | ||
| 91 | =head1 COPYRIGHT | |
| 92 | ||
| 93 | Copyright 2009 Simon Wilkinson <simon@sxw.org.uk> | |
| 94 | ||
| 95 | This documentation is covered by the BSD License as written in the | |
| 96 | doc/LICENSE file. This man page was written by Simon Wilkinson for | |
| 97 | OpenAFS. | |
| 98 |