.\" Copyright (c) 1998, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SAF 8 "Jul 30, 1998"
saf \- Service Access Facility
.LP
The \fBSAF\fR generalizes the procedures for service access so that login
access on the local system and network access to local services are managed in
similar ways. Under the \fBSAF,\fR systems may access services using a variety
of port monitors, including ttymon, the listener, and port monitors written
expressly for a user's application. The manner in which a port monitor observes
and manages access ports is specific to the port monitor and not to any
component of the \fBSAF.\fR Users may therefore extend their systems by
developing and installing their own port monitors. One of the important
features of the \fBSAF\fR is that it can be extended in this way by users.
.LP
Relative to the \fBSAF,\fR a service is a process that is started. There are no
restrictions on the functions a service may provide. The \fBSAF\fR consists of
a controlling process, the service access controller (SAC), and two
administrative levels corresponding to two levels in the supporting directory
structure. The top administrative level is concerned with port monitor
administration, the lower level with service administration. The \fBSAC\fR is
documented in the \fBsac\fR(8) man page. The administrative levels and
associated utilities are documented in the \fISystem Administration Guide -
Volume II\fR. The requirements for writing port monitors and the functions a
port monitor must perform to run under the \fBSAF\fR and the \fBSAC\fR are
.LP
A port monitor is a process that is responsible for monitoring a set of
homogeneous, incoming ports on a machine. A port monitor's major purpose is to
detect incoming service requests and to dispatch them appropriately.
.LP
A port is an externally seen access point on a system. A port may be an address
on a network (TSAP or PSAP), a hardwired terminal line, an incoming phone line,
etc. The definition of what constitutes a port is strictly a function of the
.LP
A port monitor performs certain basic functions. Some of these are required to
conform to the \fBSAF;\fR others may be specified by the requirements and
design of the port monitor itself. Port monitors have two main functions:
managing ports and monitoring ports for indications of activity.
.LP
The first function of a port monitor is to manage a port. The actual details of
how a port is managed are defined by the person who defines the port monitor. A
port monitor is not restricted to handling a single port; it may handle
multiple ports simultaneously.
.LP
Some examples of port management are setting the line speed on incoming phone
connections, binding an appropriate network address, reinitializing the port
when the service terminates, outputting a prompt, etc.
.LP
\fBActivity Monitoring\fR
.LP
The second function of a port monitor is to monitor the port or ports for which
it is responsible for indications of activity. Two types of activity may be
.LP
The first is an indication to the port monitor to take some port
monitor-specific action. Pressing the break key to indicate that the line speed
should be cycled is an example of a port monitor activity. Not all port
monitors need to recognize and respond to the same indications. The indication
used to attract the attention of the port monitor is defined by the person who
defines the port monitor.
.LP
The second is an incoming service request. When a service request is received,
a port monitor must be able to determine which service is being requested from
the port on which the request is received. The same service may be available on
.SS "Other Port Monitor Functions"
This section briefly describes other port monitor functions.
.LP
\fBRestricting Access to the System\fR
.LP
A port monitor must be able to restrict access to the system without disturbing
services that are still running. In order to do this, a port monitor must
maintain two internal states: enabled and disabled. The port monitor starts in
the state indicated by the \fBISTATE\fR environment variable provided by the
\fBsac.\fR See sac(8) for details. Enabling or disabling a port monitor
affects all ports for which the port monitor is responsible. If a port monitor
is responsible for a single port, only that port will be affected. If a port
monitor is responsible for multiple ports, the entire collection of ports will
be affected. Enabling or disabling a port monitor is a dynamic operation: it
causes the port monitor to change its internal state. The effect does not
persist across new invocations of the port monitor. Enabling or disabling an
individual port, however, is a static operation: it causes a change to an
administrative file. The effect of this change will persist across new
invocations of the port monitor.
.LP
\fBCreating \fButmpx\fR Entries\fR
.LP
Port monitors are responsible for creating \fButmpx\fR entries with the type
field set to USER_PROCESS for services they start. If this action has been
specified, by using the \fB-fu\fR option in the \fBpmadm\fR command line that
added the service, these \fButmpx\fR entries may in turn be modified by the
service. When the service terminates, the \fButmpx\fR entry must be set to
.LP
\fBPort Monitor Process IDs and Lock Files\fR
.LP
When a port monitor starts, it writes its process id into a file named
\fB_pid\fR in the current directory and places an advisory lock on the file.
.LP
\fBChanging the Service Environment: Running doconfig\fR(3NSL)
.LP
Before invoking the service designated in the port monitor
administrative file, \fB_pmtab\fR, a port monitor must arrange for the
per-service configuration script to be run, if one exists, by calling the
library function \fBdoconfig\fR(3NSL). Because the per-service configuration
script may specify the execution of restricted commands, as well as for other
security reasons, port monitors are invoked with root permissions. The details
of how services are invoked are specified by the person who defines the port
.LP
\fBTerminating a Port Monitor\fR
.LP
A port monitor must terminate itself gracefully on receipt of the signal
\fBSIGTERM.\fR The termination sequence is the following:
.LP
The port monitor enters the stopping state; no further service requests are
.LP
Any attempt to re-enable the port monitor will be ignored.
.LP
The port monitor yields control of all ports for which it is responsible. It
must be possible for a new instantiation of the port monitor to start correctly
while a previous instantiation is stopping.
.LP
The advisory lock on the process id file is released. Once this lock is
released, the contents of the process id file are undefined and a new
invocation of the port monitor may be started.
.LP
This section briefly covers the files used by the \fBSAF.\fR
.LP
\fBThe Port Monitor Administrative File\fR
.LP
A port monitor's current directory contains an administrative file named
\fB_pmtab\fR; \fB_pmtab\fR is maintained by the \fBpmadm\fR command in
conjunction with a port monitor-specific administrative command.
.LP
The port monitor administrative command for a listen port monitor is
\fBnlsadmin\fR(8); the port monitor administrative command for ttymon is
\fBttyadm\fR(8). Any port monitor written by a user must be provided with an
administrative command specific to that port monitor to perform similar
.LP
\fBPer-Service Configuration Files\fR
.LP
A port monitor's current directory also contains the per-service configuration
scripts, if they exist. The names of the per-service configuration scripts
correspond to the service tags in the \fB_pmtab\fR file.
.LP
\fBPrivate Port Monitor Files\fR
.LP
A port monitor may create private files in the directory
\fB/var/saf/\fR\fItag\fR, where \fItag\fR is the name of the port monitor.
Examples of private files are log files or temporary files.
.SS "The SAC/Port Monitor Interface"
The \fBSAC\fR creates two environment variables for each port monitor it
starts: \fBPMTAG\fR and \fBISTATE\fR.
.LP
This variable is set to a unique port monitor tag by the \fBSAC.\fR The port
monitor uses this tag to identify itself in response to \fBsac\fR messages.
\fBISTATE\fR is used to indicate to the port monitor what its initial internal
state should be. \fBISTATE\fR is set to "enabled" or "disabled" to indicate
that the port monitor is to start in the enabled or disabled state
.LP
The \fBSAC\fR performs a periodic sanity poll of the port monitors. The
\fBSAC\fR communicates with port monitors through FIFOs. A port monitor should
open _pmpipe, in the current directory, to receive messages from the \fBSAC\fR
and \fB\&../_sacpipe\fR to send return messages to the \fBSAC.\fR
.SS "Message Formats"
This section describes the messages that may be sent from the \fBSAC\fR to a
port monitor (\fBsac\fR messages), and from a port monitor to the \fBSAC\fR
(port monitor messages). These messages are sent through FIFOs and are in the
form of C structures.
.LP
\fB\fBsac\fR Messages\fR
.LP
The format of messages from the \fBSAC\fR is defined by the structure
.nf
struct sacmsg {
    int sc_size;     /* size of optional data portion */
    char sc_type;    /* type of message */
};
.fi
.LP
The \fBSAC\fR may send four types of messages to port monitors. The type of
message is indicated by setting the \fBsc_type\fR field of the \fBsacmsg\fR
structure to one of the following:
.LP
message indicating that the port monitor's _pmtab file should be read
.LP
The \fBsc_size\fR field indicates the size of the optional data part of the
message. See "Message Classes." For Solaris, \fBsc_size\fR should always be set
to 0. A port monitor must respond to every message sent by the \fBsac.\fR
.SS "Port Monitor Messages"
The format of messages from a port monitor to the \fBSAC\fR is defined by the
structure \fBpmmsg\fR:
.nf
struct pmmsg {
    char pm_type;                /* type of message */
    unchar_t pm_state;           /* current state of port monitor */
    char pm_maxclass;            /* maximum message class this port
                                    monitor understands */
    char pm_tag[PMTAGSIZE + 1];  /* port monitor's tag */
    int pm_size;                 /* size of optional data portion */
};
.fi
.LP
Port monitors may send two types of messages to the \fBSAC.\fR The type of
message is indicated by setting the \fBpm_type\fR field of the \fBpmmsg\fR
structure to one of the following:
.LP
negative acknowledgment
.LP
For both types of messages, the \fBpm_tag\fR field is set to the port monitor's
tag and the \fBpm_state\fR field is set to the port monitor's current state.
.LP
The current state reflects any changes caused by the last message from the
\fBSAC.\fR The status message is the normal return message. The negative
acknowledgment should be sent only when the message received is not understood.
\fBpm_size\fR indicates the size of the optional data part of the message.
\fBpm_maxclass\fR is used to specify a message class. Both are discussed under
"Message Classes." In Solaris, always set \fBpm_maxclass\fR to 1 and
\fBsc_size\fR to 0. Port monitors may never initiate messages; they may only
respond to messages that they receive.
.SS "Message Classes"
The concept of message class has been included to accommodate possible
\fBSAF\fR extensions. The messages described above are all class 1 messages.
None of these messages contains a variable data portion; all pertinent
information is contained in the message header. If new messages are added to
the protocol, they will be defined as new message classes (for example, class
2). The first message the \fBSAC\fR sends to a port monitor will always be a
class 1 message. Since all port monitors, by definition, understand class 1
messages, the first message the \fBSAC\fR sends is guaranteed to be understood.
In its response to the \fBSAC,\fR the port monitor sets the \fBpm_maxclass\fR
field to the maximum message class number for that port monitor. The \fBSAC\fR
will not send messages to a port monitor from a class with a larger number than
the value of \fBpm_maxclass\fR. Requests that require messages of a higher
class than the port monitor can understand will fail. For Solaris, always set
\fBpm_maxclass\fR to 1.
.LP
For any given port monitor, messages of class \fBpm_maxclass\fR and messages of
all classes with values lower than \fBpm_maxclass\fR are valid. Thus, if the
\fBpm_maxclass\fR field is set to 3, the port monitor understands messages of
classes 1, 2, and 3. Port monitors may not generate messages; they may only
respond to messages. A port monitor's response must be of the same class as the
originating message. Since only the \fBSAC\fR can generate messages, this
protocol will function even if the port monitor is capable of dealing with
messages of a higher class than the \fBSAC\fR can generate. \fBpm_size\fR (an
element of the pmmsg structure) and \fBsc_size\fR (an element of the
\fBsacmsg\fR structure) indicate the size of the optional data part of the
message. The format of this part of the message is undefined. Its definition is
inherent in the type of message. For Solaris, always set both \fBsc_size\fR and
\fBpm_size\fR to \fB0\fR.
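The reply rules from "Message Formats" and "Message Classes", as an added example that is not part of the original man page or of the SAF sources. The struct definitions and constants are local stand-ins named after <sac.h> with assumed numeric values, \fBpm_ctx\fR and its functions are hypothetical, and answering a nonzero \fBsc_size\fR with a negative acknowledgment is this example's choice.

```c
/* Added example: building the reply to each SAC message, runnable offline. */
#include <stdio.h>
#include <string.h>

#define PMTAGSIZE 14            /* tag limit given on this page */

/* Local stand-ins named after <sac.h>; the numeric values are assumptions. */
enum { SC_STATUS = 1, SC_ENABLE, SC_DISABLE, SC_READDB };        /* sc_type  */
enum { PM_STATUS = 1, PM_UNKNOWN };                              /* pm_type  */
enum { PM_STARTING = 1, PM_ENABLED, PM_DISABLED, PM_STOPPING };  /* pm_state */

struct sacmsg {
    int  sc_size;
    char sc_type;
};

struct pmmsg {
    char          pm_type;
    unsigned char pm_state;
    char          pm_maxclass;
    char          pm_tag[PMTAGSIZE + 1];
    int           pm_size;
};

/* Hypothetical per-monitor context used only by this example. */
struct pm_ctx {
    char          tag[PMTAGSIZE + 1];
    unsigned char state;
    int           reread;       /* set when _pmtab must be read again */
};

/* Validate PMTAG and ISTATE before trusting them; 0 on success, -1 if not. */
int pm_init(struct pm_ctx *pm, const char *tag, const char *istate)
{
    size_t n;

    if (tag == NULL || istate == NULL)
        return -1;
    n = strlen(tag);
    if (n == 0 || n > PMTAGSIZE)
        return -1;
    if (strcmp(istate, "enabled") == 0)
        pm->state = PM_ENABLED;
    else if (strcmp(istate, "disabled") == 0)
        pm->state = PM_DISABLED;
    else
        return -1;
    memcpy(pm->tag, tag, n + 1);
    pm->reread = 0;
    return 0;
}

/* SIGTERM handling enters the stopping state; later enables are ignored. */
void pm_stop(struct pm_ctx *pm)
{
    pm->state = PM_STOPPING;
}

/* Fill in the reply to one SAC message and return its pm_type. */
int pm_reply(struct pm_ctx *pm, const struct sacmsg *in, struct pmmsg *out)
{
    memset(out, 0, sizeof (*out));
    out->pm_type = PM_STATUS;
    if (in->sc_size != 0) {
        out->pm_type = PM_UNKNOWN;      /* class 1 carries no data portion */
    } else switch (in->sc_type) {
    case SC_STATUS:
        break;
    case SC_ENABLE:
        if (pm->state != PM_STOPPING)
            pm->state = PM_ENABLED;
        break;
    case SC_DISABLE:
        if (pm->state != PM_STOPPING)
            pm->state = PM_DISABLED;
        break;
    case SC_READDB:
        pm->reread = 1;
        break;
    default:
        out->pm_type = PM_UNKNOWN;      /* message not understood */
        break;
    }
    out->pm_state = pm->state;          /* state after applying the message */
    out->pm_maxclass = 1;
    memcpy(out->pm_tag, pm->tag, sizeof (out->pm_tag));
    out->pm_size = 0;
    return out->pm_type;
}

int main(void)
{
    struct pm_ctx pm;
    struct sacmsg in = { 0, SC_ENABLE };
    struct pmmsg out;

    if (pm_init(&pm, "zsmon", "disabled") != 0)   /* constructed tag */
        return 1;
    pm_reply(&pm, &in, &out);
    printf("tag=%s type=%d state=%d\n", out.pm_tag, out.pm_type, out.pm_state);
    return 0;
}
```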
.SS "Administrative Interface"
This section discusses the port monitor administrative files available under
.SS "The SAC Administrative File _sactab"
The service access controller's administrative file contains information about
all the port monitors for which the \fBSAC\fR is responsible. This file exists
on the delivered system. Initially, it is empty except for a single comment
line that contains the version number of the \fBSAC.\fR Port monitors are added
to the system by making entries in the \fBSAC's\fR administrative file. These
entries should be made using the administrative command \fBsacadm\fR(8) with a
\fB-a\fR option. \fBsacadm\fR(8) is also used to remove entries from the
\fBSAC's\fR administrative file. Each entry in the \fBSAC's\fR administrative
file contains the following information.
.LP
A unique tag that identifies a particular port monitor. The system
administrator is responsible for naming a port monitor. This tag is then used
by the \fBSAC\fR to identify the port monitor for all administrative purposes.
\fBPMTAG\fR may consist of up to 14 alphanumeric characters.
.LP
The type of the port monitor. In addition to its unique tag, each port monitor
has a type designator. The type designator identifies a group of port monitors
that are different invocations of the same entity. ttymon and listen are
examples of valid port monitor types. The type designator is used to facilitate
the administration of groups of related port monitors. Without a type
designator, the system administrator has no way of knowing which port monitor
tags correspond to port monitors of the same type. \fBPMTYPE\fR may consist of
up to 14 alphanumeric characters.
.LP
The flags that are currently defined are:
.LP
When started, do not enable the port monitor.
.LP
Do not start the port monitor.
.LP
If no flag is specified, the default action is taken. By default a port monitor
is started and enabled.
.LP
The number of times a port monitor may fail before being placed in a failed
state. Once a port monitor enters the failed state, the \fBSAC\fR will not try
to restart it. If a count is not specified when the entry is created, this
field is set to 0. A restart count of 0 indicates that the port monitor is not
to be restarted when it fails.
.LP
A string representing the command that will start the port monitor. The first
component of the string, the command itself, must be a full path name.
.SS "The Port Monitor Administrative File _pmtab"
Each port monitor will have two directories for its exclusive use. The current
directory will contain files defined by the \fBSAF\fR (\fB_pmtab\fR,
\fB_pid\fR) and the per-service configuration scripts, if they exist. The
directory \fB/var/saf/\fR\fIpmtag,\fR where \fIpmtag\fR is the tag of the port
monitor, is available for the port monitor's private files. Each port monitor
has its own administrative file. The \fBpmadm\fR(8) command should be used to
add, remove, or modify service entries in this file. Each time a change is made
using \fBpmadm\fR(8), the corresponding port monitor rereads its
administrative file. Each entry in a port monitor's administrative file defines
how the port monitor treats a specific port and what service is to be invoked
on that port. Some fields must be present for all types of port monitors. Each
entry must include a service tag to identify the service uniquely and an
identity to be assigned to the service when it is started (for example, root).
.LP
The combination of a service tag and a port monitor tag uniquely define an
instance of a service. The same service tag may be used to identify a service
under a different port monitor. The record must also contain port monitor
specific data (for example, for a ttymon port monitor, this will include the
prompt string which is meaningful to ttymon). Each type of port monitor must
provide a command that takes the necessary port monitor-specific data as
arguments and outputs these data in a form suitable for storage in the file.
The \fBttyadm\fR(8) command does this for ttymon and \fBnlsadmin\fR(8) does
it for listen. For a user-defined port monitor, a similar administrative
command must also be supplied. Each service entry in the port monitor
administrative file must have the following format and contain the information
.nf
svctag:flgs:id:reserved:reserved:reserved:pmspecific# comment
.fi
.LP
\fBSVCTAG\fR is a unique tag that identifies a service. This tag is unique only
for the port monitor through which the service is available. Other port
monitors may offer the same or other services with the same tag. A service
requires both a port monitor tag and a service tag to identify it uniquely.
\fBSVCTAG\fR may consist of up to 14 alphanumeric characters. The service
entries are defined as:
.LP
Flags with the following meanings may currently be included in this field:
.LP
Do not enable this port. By default the port is enabled.
.LP
Create a utmpx entry for this service. By default no utmpx entry is created
.LP
The identity under which the service is to be started. The identity has the
form of a login name as it appears in \fB/etc/passwd\fR.
.LP
\fB\fBPMSPECIFIC\fR\fR
.LP
Examples of port monitor information are addresses, the name of a process to
execute, or the name of a STREAMS-based pipe to pass a connection through. This
information will vary to meet the needs of each different type of port monitor.
.LP
A comment associated with the service entry. Port monitors may ignore the
\fIu\fR flag if creating a utmpx entry for the service is not appropriate to
the manner in which the service is to be invoked. Some services may not start
properly unless utmpx entries have been created for them (for example, login).
Each port monitor administrative file must contain one special comment of the
.LP
where \fIvalue\fR is an integer that represents the port monitor's version
number. The version number defines the format of the port monitor
administrative file. This comment line is created automatically when a port
monitor is added to the system. It appears on a line by itself, before the
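A check of \fB_pmtab\fR service entries against the field rules above, as an added example that is not part of the original man page or of the SAF sources. It reports how many enabled services start as root and how many lines are malformed. The function names, the \fBx\fR flag letter (taken from \fBpmadm\fR(8)), the 32-character identity buffer, the identity character set and the sample entries are assumptions of this example.

```c
/* Added example: field checks for _pmtab service entries, runnable offline. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TAGMAX     14           /* SVCTAG limit given on this page */
#define IDMAX      32           /* buffer size chosen for this example */
#define F_NOENABLE 0x1          /* 'x' flag: do not enable this port */
#define F_UTMPX    0x2          /* 'u' flag: create a utmpx entry */

enum { PMTAB_OK, PMTAB_SKIP, PMTAB_SHORT, PMTAB_BADTAG, PMTAB_BADFLAG,
       PMTAB_BADID };

struct svc_entry {
    char     tag[TAGMAX + 1];
    unsigned flags;
    char     id[IDMAX + 1];
};

/* Parse "svctag:flgs:id:reserved:reserved:reserved:pmspecific# comment". */
int parse_pmtab_line(const char *line, struct svc_entry *out)
{
    const char *end = line + strcspn(line, "#\n");   /* drop the comment */
    const char *fld[6];
    const char *p = line;
    size_t len[6], i;
    int n;

    while (p < end && isspace((unsigned char)*p))
        p++;
    if (p == end)
        return PMTAB_SKIP;                  /* blank or comment-only line */
    for (n = 0; n < 6; n++) {               /* pmspecific may contain ':' */
        const char *c = memchr(p, ':', (size_t)(end - p));
        if (c == NULL)
            return PMTAB_SHORT;
        fld[n] = p;
        len[n] = (size_t)(c - p);
        p = c + 1;
    }
    if (len[0] == 0 || len[0] > TAGMAX)
        return PMTAB_BADTAG;
    for (i = 0; i < len[0]; i++)
        if (!isalnum((unsigned char)fld[0][i]))
            return PMTAB_BADTAG;
    out->flags = 0;
    for (i = 0; i < len[1]; i++) {
        if (fld[1][i] == 'x')
            out->flags |= F_NOENABLE;
        else if (fld[1][i] == 'u')
            out->flags |= F_UTMPX;
        else
            return PMTAB_BADFLAG;
    }
    if (len[2] == 0 || len[2] > IDMAX)
        return PMTAB_BADID;
    for (i = 0; i < len[2]; i++)
        if (!isalnum((unsigned char)fld[2][i]) &&
            strchr("._-", fld[2][i]) == NULL)
            return PMTAB_BADID;
    memcpy(out->tag, fld[0], len[0]);
    out->tag[len[0]] = '\0';
    memcpy(out->id, fld[2], len[2]);
    out->id[len[2]] = '\0';
    return PMTAB_OK;
}

/* Count enabled services that start as root; *bad gets malformed lines. */
int audit_pmtab(const char *text, int *bad)
{
    struct svc_entry e;
    int root_enabled = 0;

    *bad = 0;
    while (*text != '\0') {
        int rc = parse_pmtab_line(text, &e);

        if (rc == PMTAB_OK) {
            if (!(e.flags & F_NOENABLE) && strcmp(e.id, "root") == 0)
                root_enabled++;
        } else if (rc != PMTAB_SKIP) {
            (*bad)++;
        }
        text += strcspn(text, "\n");
        if (*text == '\n')
            text++;
    }
    return root_enabled;
}

/* Constructed sample, not taken from a real system. */
static const char SAMPLE[] =
    "# constructed sample\n"
    "ttya:u:root:reserved:reserved:reserved:/dev/term/a# console login\n"
    "echo:xu:daemon:reserved:reserved:reserved:opaque:data:here#\n"
    "bad tag!:u:root:reserved:reserved:reserved:x#\n"
    "tcp:u:root:reserved:reserved\n";

int main(void)
{
    int bad;
    int n = audit_pmtab(SAMPLE, &bad);

    printf("enabled root services: %d, malformed lines: %d\n", n, bad);
    return 0;
}
```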
.SS "Monitor-Specific Administrative Command"
Previously, two pieces of information included in the \fB_pmtab\fR file were
described: the port monitor's version number and the port monitor part of the
service entries in the port monitor's \fB_pmtab\fR file. When a new port
monitor is added, the version number must be known so that the \fB_pmtab\fR
file can be correctly initialized. When a new service is added, the port
monitor part of the \fB_pmtab\fR entry must be formatted correctly. Each port
monitor must have an administrative command to perform these two tasks. The
person who defines the port monitor must also define such an administrative
command and its input options. When the command is invoked with these options,
the information required for the port monitor part of the service entry must be
correctly formatted for inclusion in the port monitor's \fB_pmtab\fR file and
must be written to the standard output. To request the version number the
command must be invoked with a \fB-V\fR option; when it is invoked in this way,
the port monitor's current version number must be written to the standard
output. If the command fails for any reason during the execution of either of
these tasks, no data should be written to standard output.
.SS "The Port Monitor/Service Interface"
The interface between a port monitor and a service is determined solely by the
service. Two mechanisms for invoking a service are presented here as examples.
.LP
\fBNew Service Invocations\fR
.LP
The first interface is for services that are started anew with each request.
This interface requires the port monitor to first \fBfork\fR(2) a child
process. The child will eventually become the designated service by performing
an \fBexec\fR(1). Before the \fBexec\fR(1) happens, the port monitor may take
some port monitor-specific action; however, one action that must occur is the
interpretation of the per-service configuration script, if one is present. This
is done by calling the library routine \fBdoconfig\fR(3NSL).
.LP
\fBStanding Service Invocations\fR
.LP
The second interface is for invocations of services that are actively running.
To use this interface, a service must have one end of a stream pipe open and be
prepared to receive connections through it.
.SS "Port Monitor Requirements"
To implement a port monitor, several generic requirements must be met. This
section summarizes these requirements. In addition to the port monitor itself,
an administrative command must be supplied.
.LP
\fBInitial Environment\fR
.LP
When a port monitor is started, it expects an initial execution environment in
.IP \(bu 2
It has no file descriptors open
.IP \(bu 2
It cannot be a process group leader
.IP \(bu 2
It has an entry in \fB/var/log/utmpx\fR of type LOGIN_PROCESS
.IP \(bu 2
An environment variable, \fBISTATE,\fR is set to "enabled" or "disabled" to
indicate the port monitor's correct initial state
.IP \(bu 2
An environment variable, \fBPMTAG,\fR is set to the port monitor's assigned tag
.IP \(bu 2
The directory that contains the port monitor's administrative files is its
.IP \(bu 2
The port monitor is able to create private files in the directory
\fB/var/saf/\fR\fItag\fR, where \fItag\fR is the port monitor's tag
.IP \(bu 2
The port monitor is running with user id 0 (root)
.LP
\fBImportant Files\fR
.LP
Relative to its current directory, the following key files exist for a port
.LP
The port monitor's configuration script. The port monitor configuration script
is run by the SAC. The \fBSAC\fR is started by \fBinit\fR(8) as a result of an
entry in \fB/etc/inittab\fR that calls \fBsac\fR(8).
.LP
The file into which the port monitor writes its process id.
.LP
The port monitor's administrative file. This file contains information about
the ports and services for which the port monitor is responsible.
.LP
The \fBFIFO\fR through which the port monitor will receive messages from the
.LP
The per-service configuration script for the service with the tag \fIsvctag\fR.
.LP
\fB\fB\&../_sacpipe\fR\fR
.LP
The \fBFIFO\fR through which the port monitor will send messages to
.SS "Port Monitor Responsibilities"
A port monitor is responsible for performing the following tasks in addition to
its port monitor function:
.IP \(bu 2
Write its process id into the file \fB_pid\fR and place an advisory lock on the
.IP \(bu 2
Terminate gracefully on receipt of the signal SIGTERM
.IP \(bu 2
Follow the protocol for message exchange with the \fBSAC\fR
.LP
A port monitor must perform the following tasks during service invocation:
.IP \(bu 2
Create a \fButmpx\fR entry if the requested service has the \fBu\fR flag set in
.IP
Port monitors may ignore this flag if creating a \fButmpx\fR entry for the
service does not make sense because of the manner in which the service is to be
invoked. On the other hand, some services may not start properly unless utmpx
entries have been created for them.
.IP \(bu 2
Interpret the per-service configuration script for the requested service, if it
exists, by calling the \fBdoconfig\fR(3NSL) library routine
.SS "Configuration Files and Scripts"
The library routine \fBdoconfig\fR(3NSL), defined in \fBlibnsl.so\fR,
interprets the configuration scripts contained in the files
\fB/etc/saf/_sysconfig\fR (the per-system configuration file), and
\fB/etc/saf/\fR\fIpmtag\fR\fB/_config\fR (per-port monitor configuration
files); and in \fB/etc/saf/\fR\fIpmtag\fR\fB/svctag\fR (per-service
configuration files). Its syntax is:
.nf
int doconfig (int fd, char *script, long rflag);
.fi
.LP
\fBscript\fR is the name of the configuration script; \fIfd\fR is a file
descriptor that designates the stream to which stream manipulation operations
are to be applied; \fIrflag\fR is a bitmask that indicates the mode in which
script is to be interpreted. \fIrflag\fR may take two values, \fBNORUN\fR and
\fBNOASSIGN,\fR which may be or'd. If \fIrflag\fR is zero, all commands in the
configuration script are eligible to be interpreted. If \fIrflag\fR has the
\fBNOASSIGN\fR bit set, the assign command is considered illegal and will
generate an error return. If \fIrflag\fR has the \fBNORUN\fR bit set, the run
and runwait commands are considered illegal and will generate error returns. If
a command in the script fails, the interpretation of the script ceases at that
point and a positive integer is returned; this number indicates which line in
the script failed. If a system error occurs, a value of \(mi1 is returned. If a
script fails, the process whose environment was being established should not be
started. In the example, \fBdoconfig\fR(3NSL) is used to interpret a
per-service configuration script.
.nf
if ((i = doconfig (fd, svctag, 0)) != 0){
    error ("doconfig failed on line %d of script %s",i,svctag);
}
.fi
.LP
\fBThe Per-System Configuration File\fR
.LP
The per-system configuration file, \fB/etc/saf/_sysconfig\fR, is delivered
empty. It may be used to customize the environment for all services on the
system by writing a command script in the interpreted language described in
this chapter and on the \fBdoconfig\fR(3NSL) manpage. When the \fBSAC\fR is
started, it calls the \fBdoconfig\fR(3NSL) function to interpret the per-system
configuration script. The \fBSAC\fR is started when the system enters multiuser
.LP
\fBPer-Port Monitor Configuration Files\fR
.LP
Per-port monitor configuration scripts
(\fB/etc/saf/\fR\fIpmtag\fR\fB/_config)\fR are optional. They allow the user to
customize the environment for any given port monitor and for the services that
are available through the ports for which that port monitor is responsible.
Per-port monitor configuration scripts are written in the same language used
for per-system configuration scripts. The per-port monitor configuration script
is interpreted when the port monitor is started. The port monitor is started by
the \fBSAC\fR after the \fBSAC\fR has itself been started and after it has run
its own configuration script, \fB/etc/saf/_sysconfig\fR. The per-port monitor
configuration script may override defaults provided by the per-system
configuration script.
.LP
\fBPer-Service Configuration Files\fR
.LP
Per-service configuration files allow the user to customize the environment for
a specific service. For example, a service may require special privileges that
are not available to the general user. Using the language described in the
\fBdoconfig\fR(3NSL) manpage, you can write a script that will grant or limit
such special privileges to a particular service offered through a particular
port monitor. The per-service configuration may override defaults provided by
higher-level configuration scripts. For example, the per-service configuration
script may specify a set of STREAMS modules other than the default set.
.SS "The Configuration Language"
The language in which configuration scripts are written consists of a sequence
of commands, each of which is interpreted separately. The following reserved
keywords are defined: \fBassign\fR, \fBpush\fR, \fBpop\fR, \fBrunwait\fR, and
\fBrun\fR. The comment character is #. Blank lines are not significant. No line
in a command script may exceed 1024 characters.
.LP
\fB\fBassign\fR \fIvariable\fR=\fIvalue\fR\fR
.LP
Used to define environment variables; \fIvariable\fR is the name of the
environment variable and \fIvalue\fR is the value to be assigned to it. The
value assigned must be a string constant; no form of parameter substitution is
available. \fIvalue\fR may be quoted. The quoting rules are those used by the
shell for defining environment variables. \fBassign\fR will fail if space
cannot be allocated for the new variable or if any part of the specification is
.LP
\fB\fBpush\fR \fImodule1\fR[,\fImodule2, module3\fR, ...]\fR
.LP
Used to push STREAMS modules onto the stream designated by \fBfd\fR;
\fImodule1\fR is the name of the first module to be pushed, \fImodule2\fR is
the name of the second module to be pushed, and so on. The command will fail if
any of the named modules cannot be pushed. If a module cannot be pushed, the
subsequent modules on the same command line will be ignored and modules that
have already been pushed will be popped.
.LP
\fB\fBpop\fR [\fImodule\fR]\fR
.LP
Used to pop STREAMS modules off the designated stream. If \fBpop\fR is invoked
with no arguments, the top module on the stream is popped. If an argument is
given, modules will be popped one at a time until the named module is at the
top of the stream. If the named module is not on the designated stream, the
stream is left as it was and the command fails. If \fImodule\fR is the special
keyword \fBALL\fR, then all modules on the stream will be popped. Only modules
above the topmost driver are affected.
\fB\fBrunwait\fR \fBcommand\fR\fR
The \fBrunwait\fR command runs a command and waits for it to complete;
\fBcommand\fR is the path name of the command to be run. The command is run
with \fB/bin/sh\fR \fB-c\fR prepended to it; shell scripts may thus be executed
from configuration scripts. The \fBrunwait\fR command will fail if \fBcommand\fR
cannot be found or cannot be executed, or if \fBcommand\fR exits with a nonzero
\fB\fBrun\fR \fBcommand\fR\fR
The \fBrun\fR command is identical to \fBrunwait\fR except that it does not
wait for \fBcommand\fR to complete; \fBcommand\fR is the path name of the
command to be run. \fBrun\fR will not fail unless it is unable to create a
child process to execute the command. Although they are syntactically
indistinguishable, some of the commands available to \fBrun\fR and
\fBrunwait\fR are interpreter built-in commands. Interpreter built-ins are used
when it is necessary to alter the state of a process within the context of that
process. The \fBdoconfig\fR interpreter built-in commands are similar to the
shell special commands and, like these, they do not spawn another process for
execution. See the \fBsh\fR(1) man page. The initial set of built-in commands
is: \fBcd\fR, \fBulimit\fR, \fBumask\fR.
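Because run and runwait hand their argument to /bin/sh -c, it helps to review what a configuration script can execute before installing it. The following C checker is an added example, not part of the original manual page: it classifies one script line using the five keywords above, the 1024-character limit, and the NOASSIGN and NORUN rflag bits from sac.h. The function and enum names are hypothetical, and treating blank lines and lines that start with # as ignorable is an assumption.

```c
#include <ctype.h>
#include <string.h>

#define NOASSIGN 0x1  /* rflag bit (sac.h): don't allow assign */
#define NORUN    0x2  /* rflag bit (sac.h): don't allow run or runwait */
#define MAXLINE  1024 /* longest line allowed in a command script */

enum verdict { V_OK, V_TOO_LONG, V_UNKNOWN, V_DENIED, V_BAD_ARGS, V_SHELL };

/* True if the n bytes at s are exactly the keyword kw. */
static int is_kw(const char *s, size_t n, const char *kw)
{
    return strlen(kw) == n && strncmp(s, kw, n) == 0;
}

/* Classify one script line (no trailing newline) under the given rflag. */
enum verdict audit_line(const char *line, int rflag)
{
    static const char *const builtin[] = { "cd", "ulimit", "umask" };
    const char *arg;
    size_t n, w, i;

    if (strlen(line) > MAXLINE)
        return V_TOO_LONG;
    while (isspace((unsigned char)*line))
        line++;
    if (!*line || *line == '#')         /* assumption: blank or comment */
        return V_OK;
    n = strcspn(line, " \t");           /* length of the command word */
    arg = line + n + strspn(line + n, " \t");
    w = strcspn(arg, " \t");            /* length of the first argument */
    if (is_kw(line, n, "assign")) {
        if (rflag & NOASSIGN)
            return V_DENIED;
        /* variable=value needs a non-empty name before '=' */
        return (*arg == '=' || !strchr(arg, '=')) ? V_BAD_ARGS : V_OK;
    }
    if (is_kw(line, n, "push"))
        return w ? V_OK : V_BAD_ARGS;   /* needs at least one module */
    if (is_kw(line, n, "pop"))
        return V_OK;                    /* module name is optional */
    if (!is_kw(line, n, "run") && !is_kw(line, n, "runwait"))
        return V_UNKNOWN;
    if (rflag & NORUN)
        return V_DENIED;
    for (i = 0; i < sizeof builtin / sizeof builtin[0]; i++)
        if (is_kw(arg, w, builtin[i]))
            return V_OK;                /* built-in: no child process */
    return w ? V_SHELL : V_BAD_ARGS;    /* V_SHELL: run via /bin/sh -c */
}
```

A reviewer would feed each line of a script through audit_line and inspect every V_SHELL result, since those are the lines that start a shell.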
.SS "Sample Port Monitor Code"
The following example shows a "null" port monitor that simply responds to
messages from the \fBSAC.\fR
.nf
# include <stdlib.h>
# include <stdio.h>
# include <string.h>
# include <unistd.h>
# include <fcntl.h>
# include <signal.h>
# include <sac.h>

char Scratch[BUFSIZ]; /* scratch buffer */
char Tag[PMTAGSIZE + 1]; /* port monitor's tag */
FILE *Fp; /* file pointer for log file */
FILE *Tfp; /* file pointer for pid file */
char State; /* portmonitor's current state*/
void handlepoll(void);
void log(FILE *fp, const char *msg);

int main(int argc, char *argv[])
{
    char *istate, *tag;
    /* PMTAG comes from the environment: require it and bound its length */
    tag = getenv("PMTAG");
    if (tag == NULL || strlen(tag) > PMTAGSIZE)
        exit(1);
    strcpy(Tag, tag);
    /* open up a log file in port monitor's private directory */
    snprintf(Scratch, sizeof (Scratch), "/var/saf/%s/log", Tag);
    Fp = fopen(Scratch, "a+");
    if (Fp == NULL)
        exit(1);
    log(Fp, "starting");
    /*
     * retrieve initial state (either "enabled" or "disabled") and set
     * State accordingly
     */
    istate = getenv("ISTATE");
    if (istate == NULL)
        istate = ""; /* unset: rejected below as an invalid state */
    snprintf(Scratch, sizeof (Scratch), "ISTATE is %s", istate);
    log(Fp, Scratch);
    if (!strcmp(istate, "enabled"))
        State = PM_ENABLED;
    else if (!strcmp(istate, "disabled"))
        State = PM_DISABLED;
    else {
        log(Fp, "invalid initial state");
        exit(1);
    }
    snprintf(Scratch, sizeof (Scratch), "PMTAG is %s", Tag);
    log(Fp, Scratch);
    /* set up pid file and lock it to indicate that we are active */
    Tfp = fopen("_pid", "w");
    if (Tfp == NULL) {
        log(Fp, "couldn't open pid file");
        exit(1);
    }
    if (lockf(fileno(Tfp), F_TEST, 0) < 0) {
        log(Fp, "pid file already locked");
        exit(1);
    }
    log(Fp, "locking file");
    if (lockf(fileno(Tfp), F_LOCK, 0) < 0) {
        log(Fp, "lock failed");
        exit(1);
    }
    fprintf(Tfp, "%d", getpid());
    fflush(Tfp);
    /* handle poll messages from the sac ... this function never returns */
    handlepoll();
    return (0);
}

void handlepoll(void)
{
    int pfd; /* file descriptor for incoming pipe */
    int sfd; /* file descriptor for outgoing pipe */
    struct sacmsg sacmsg; /* incoming message */
    struct pmmsg pmmsg; /* outgoing message */
    /* open pipe for incoming messages from the sac */
    pfd = open("_pmpipe", O_RDONLY|O_NONBLOCK);
    if (pfd < 0) {
        log(Fp, "_pmpipe open failed");
        exit(1);
    }
    /* open pipe for outgoing messages to the sac */
    sfd = open("../_sacpipe", O_WRONLY);
    if (sfd < 0) {
        log(Fp, "_sacpipe open failed");
        exit(1);
    }
    /* start to build a return message; we only support class 1 messages */
    strcpy(pmmsg.pm_tag, Tag);
    pmmsg.pm_size = 0;
    pmmsg.pm_maxclass = 1;
    /* keep responding to messages from the sac */
    for (;;) {
        if (read(pfd, &sacmsg, sizeof(sacmsg)) != sizeof(sacmsg)) {
            log(Fp, "_pmpipe read failed");
            exit(1);
        }
        /* determine the message type and respond appropriately */
        switch (sacmsg.sc_type) {
        case SC_STATUS:
            log(Fp, "Got SC_STATUS message");
            pmmsg.pm_type = PM_STATUS;
            pmmsg.pm_state = State;
            break;
        case SC_ENABLE:
            /*note internal state change below*/
            log(Fp, "Got SC_ENABLE message");
            pmmsg.pm_type = PM_STATUS;
            State = PM_ENABLED;
            pmmsg.pm_state = State;
            break;
        case SC_DISABLE:
            /*note internal state change below*/
            log(Fp, "Got SC_DISABLE message");
            pmmsg.pm_type = PM_STATUS;
            State = PM_DISABLED;
            pmmsg.pm_state = State;
            break;
        case SC_READDB:
            /*
             * if this were a fully functional port
             * monitor it would read _pmtab here
             * and take appropriate action
             */
            log(Fp, "Got SC_READDB message");
            pmmsg.pm_type = PM_STATUS;
            pmmsg.pm_state = State;
            break;
        default:
            snprintf(Scratch, sizeof (Scratch), "Got unknown message <%d>",
                sacmsg.sc_type);
            log(Fp, Scratch);
            pmmsg.pm_type = PM_UNKNOWN;
            pmmsg.pm_state = State;
            break;
        }
        /* send back a response to the poll indicating current state */
        if (write(sfd, &pmmsg, sizeof(pmmsg)) != sizeof(pmmsg))
            log(Fp, "sanity response failed");
    }
}

/* general logging function */
void log(FILE *fp, const char *msg)
{
    fprintf(fp, "%d; %s\en", getpid(), msg);
    fflush(fp);
}
.fi
.SS "The sac.h Header File"
The following example shows the sac.h header file.
.nf
/* length in bytes of a utmpx id */
# define IDLEN 4
/* wild character for utmpx ids */
# define SC_WILDC 0xff
/* max len in bytes for port monitor tag */
# define PMTAGSIZE 14
/*
 * values for rflag in doconfig()
 */
/* don't allow assign operations */
# define NOASSIGN 0x1
/* don't allow run or runwait operations */
# define NORUN 0x2
/*
 * message to SAC (header only). This header is forever fixed. The
 * size field (pm_size) defines the size of the data portion of the
 * message, which follows the header. The form of this optional data
 * portion is defined strictly by the message type (pm_type).
 */
struct pmmsg {
    char pm_type; /* type of message */
    unchar_t pm_state; /* current state of pm */
    char pm_maxclass; /* max message class this port monitor
                         understands */
    char pm_tag[PMTAGSIZE + 1]; /* pm's tag */
    int pm_size; /* size of opt data portion */
};
/*
 * pm_type values
 */
# define PM_STATUS 1 /* status response */
# define PM_UNKNOWN 2 /* unknown message was received */
/*
 * pm_state values
 */
# define PM_STARTING 1 /* monitor in starting state */
# define PM_ENABLED 2 /* monitor in enabled state */
# define PM_DISABLED 3 /* monitor in disabled state */
# define PM_STOPPING 4 /* monitor in stopping state */
/*
 * message to port monitor
 */
struct sacmsg {
    int sc_size; /* size of optional data portion */
    char sc_type; /* type of message */
};
/*
 * sc_type values
 *
 * These represent commands that the SAC sends to a port monitor.
 * These commands are divided into "classes" for extensibility. Each
 * subsequent "class" is a superset of the previous "classes" plus
 * the new commands defined within that "class". The header for all
 * commands is identical; however, a command may be defined such that
 * an optional data portion may be sent in addition to the header.
 * The format of this optional data piece is self-defining based on
 * the command. The first message sent by the SAC
 * will always be a class 1 message. The port monitor response
 * indicates the maximum class that it is able to understand. Another
 * note is that port monitors should only respond to a message with
 * an equivalent class response (i.e. a class 1 command causes a
 * class 1 response).
 */
/*
 * Class 1 commands (currently, there are only class 1 commands)
 */
# define SC_STATUS 1 /* status request */
# define SC_ENABLE 2 /* enable request */
# define SC_DISABLE 3 /* disable request */
# define SC_READDB 4 /* read pmtab request */
/*
 * `errno' values for Saferrno, note that Saferrno is used by both
 * pmadm and sacadm and these values are shared between them
 */
# define E_BADARGS 1 /* bad args/ill-formed cmd line */
# define E_NOPRIV 2 /* user not priv for operation */
# define E_SAFERR 3 /* generic SAF error */
# define E_SYSERR 4 /* system error */
# define E_NOEXIST 5 /* invalid specification */
# define E_DUP 6 /* entry already exists */
# define E_PMRUN 7 /* port monitor is running */
# define E_PMNOTRUN 8 /* port monitor is not running */
# define E_RECOVER 9
.fi
.SS "Directory Structure"
This section gives a description of the \fBSAF\fR files and directories.
\fB\fB/etc/saf/_sysconfig\fR\fR
The per-system configuration script.
\fB\fB/etc/saf/_sactab\fR\fR
The \fBSAC's\fR administrative file. Contains information about the port
monitors for which the \fBSAC\fR is responsible.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fR
The home directory for port monitor \fIpmtag\fR.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fB/_config\fR\fR
The per-port monitor configuration script for port monitor \fIpmtag\fR.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fB/_pmtab\fR\fR
Port monitor \fIpmtag\fR's administrative file. Contains information about the
services for which \fIpmtag\fR is responsible.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fB/\fR\fIsvctag\fR\fR
The file in which the per-service configuration script for service \fIsvctag\fR
(available through port monitor \fIpmtag\fR) is placed.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fB/_pid\fR\fR
The file, in the port monitor's current directory, in which a port monitor
writes its process id and on which it places an advisory lock.
\fB\fB/etc/saf/\fR\fIpmtag\fR\fB/_pmpipe\fR\fR
The file through which the port monitor receives messages from the \fBSAC.\fR
Return messages to the \fBSAC\fR are sent through \fB\&../_sacpipe\fR.
\fB\fB/var/saf/_log\fR\fR
The \fBSAC's\fR log file.
\fB\fB/var/saf/\fR\fIpmtag\fR\fR
The directory for files created by port monitor \fIpmtag,\fR for example its
.SH LIST OF COMMANDS
The following administrative commands relate to \fBSAF.\fR
\fB\fBsacadm\fR(8)\fR
port monitor administrative command
\fB\fBpmadm\fR(8)\fR
service administration command
.SH SEE ALSO
\fBexec\fR(1), \fBsh\fR(1), \fBinit\fR(8), \fBnlsadmin\fR(8),
\fBpmadm\fR(8), \fBsac\fR(8), \fBsacadm\fR(8), \fBttyadm\fR(8),
\fBfork\fR(2), \fBdoconfig\fR(3NSL), \fBattributes\fR(5)