2009-12-24 13:00:53 +00:00
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
bos_setrestricted - place a server in restricted mode
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
=for html
|
|
|
|
|
<div class="synopsis">
|
|
|
|
|
|
2014-03-12 09:47:17 +00:00
|
|
|
B<bos setrestricted> S<<< B<-server> <I<machine name>> >>> S<<< B<-mode> (0 | 1) >>>
|
2009-12-24 13:00:53 +00:00
|
|
|
S<<< [B<-cell> <I<cell name>>] >>> [B<-noauth>] [B<-localauth>] [B<-help>]
|
|
|
|
|
|
|
|
|
|
=for html
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
2013-01-30 19:11:04 +00:00
|
|
|
The B<bos setrestricted> command places the server in restricted mode. This
|
2009-12-24 13:00:53 +00:00
|
|
|
mode increases the security of the bos server by removing access to a
|
|
|
|
|
number of bos commands that are only used whilst configuring a system.
|
|
|
|
|
|
|
|
|
|
When a server is in restricted mode, access to B<bos_exec>, B<bos uninstall>,
|
2013-01-30 19:11:04 +00:00
|
|
|
B<bos install>, B<bos create>, B<bos delete>, B<bos prune>
|
2009-12-24 13:00:53 +00:00
|
|
|
is denied, and the use of B<bos getlog> is limited.
|
|
|
|
|
|
|
|
|
|
=head1 CAUTIONS
|
|
|
|
|
|
|
|
|
|
Once a server has been placed in restricted mode, it may not be opened up
|
|
|
|
|
again using a remote command. That is, B<bos setrestricted> has no method
|
2014-03-12 09:47:17 +00:00
|
|
|
of placing the server in unrestricted mode. Once a server is restricted,
|
|
|
|
|
it can only be opened up again by sending it a SIGFPE, which must be done
|
|
|
|
|
as root on the local machine.
|
2009-12-24 13:00:53 +00:00
|
|
|
|
|
|
|
|
=head1 OPTIONS
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
=item B<-server> <I<machine name>>
|
|
|
|
|
|
|
|
|
|
Indicates the server machine to restrict.
|
|
|
|
|
|
2013-06-14 21:58:45 +01:00
|
|
|
=item B<-mode> <I<mode>>
|
|
|
|
|
|
|
|
|
|
Indicates whether to turn restricted mode off or on. Pass a 1 to turn
|
2014-03-12 09:47:17 +00:00
|
|
|
restricted mode on, and pass a 0 to turn restricted mode off. The latter
|
|
|
|
|
will only work if the server is already running in unrestricted mode, and
|
|
|
|
|
thus won't do anything immediately, but can be used to change the
|
|
|
|
|
corresponding entry in L<BosConfig(5)>.
|
2013-06-14 21:58:45 +01:00
|
|
|
|
2009-12-24 13:00:53 +00:00
|
|
|
=item B<-cell> <I<cell name>>
|
|
|
|
|
|
|
|
|
|
Names the cell in which to run the command. Do not combine this argument
|
|
|
|
|
with the B<-localauth> flag. For more details, see L<bos(8)>.
|
|
|
|
|
|
|
|
|
|
=item B<-noauth>
|
|
|
|
|
|
|
|
|
|
Assigns the unprivileged identity C<anonymous> to the issuer. Do not
|
|
|
|
|
combine this flag with the B<-localauth> flag. For more details, see
|
|
|
|
|
L<bos(8)>.
|
|
|
|
|
|
|
|
|
|
=item B<-localauth>
|
|
|
|
|
|
|
|
|
|
Constructs a server ticket using a key from the local
|
|
|
|
|
F</usr/afs/etc/KeyFile> file. The B<bos> command interpreter presents the
|
|
|
|
|
ticket to the BOS Server during mutual authentication. Do not combine this
|
|
|
|
|
flag with the B<-cell> or B<-noauth> options. For more details, see
|
|
|
|
|
L<bos(8)>.
|
|
|
|
|
|
|
|
|
|
=item B<-help>
|
|
|
|
|
|
|
|
|
|
Prints the online help for this command. All other valid options are
|
|
|
|
|
ignored.
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 PRIVILEGE REQUIRED
|
|
|
|
|
|
|
|
|
|
The issuer must be listed in the F</usr/afs/etc/UserList> file on the
|
|
|
|
|
machine named by the B<-server> argument, or must be logged in as the
|
|
|
|
|
local superuser C<root> if the B<-localauth> flag is included.
|
|
|
|
|
|
|
|
|
|
As noted above, this command cannot be run against servers which are
|
|
|
|
|
already in restricted mode.
|
|
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
2014-03-07 10:03:36 +00:00
|
|
|
L<BosConfig(5)>,
|
|
|
|
|
L<bos(8)>,
|
|
|
|
|
L<bos_getrestricted(8)>
|
2009-12-24 13:00:53 +00:00
|
|
|
|
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
|
2011-02-03 20:22:02 +00:00
|
|
|
Copyright 2009 Simon Wilkinson <simon@sxw.org.uk>
|
2009-12-24 13:00:53 +00:00
|
|
|
|
|
|
|
|
This documentation is covered by the BSD License as written in the
|
|
|
|
|
doc/LICENSE file. This man page was written by Simon Wilkinson for
|
|
|
|
|
OpenAFS.
|
|
|
|
|
|
