Documentation ¶
Overview ¶
Package rs provides a resource system which enforces unix-style access control: every resource carries an owner uid, a gid and a mode, and each syscall is checked against the account that issues it. Note that the account numbering is not unix's (see below).
Resources are stored as nugo.Nodes and either hold a []byte slice as their source or implement the Executable interface. Using the Save and Load syscalls, structs are gob-encoded to, and decoded from, an access-controlled resource. Load decodes whatever bytes the resource currently holds, so any account with write access to that resource decides what Load produces: treat loaded values as input to validate, not as state only you control.
The Anonymous account has uid,gid 0,0 whereas the Root account has 1,1 — the reverse of unix, where 0 is the superuser. Do not treat uid 0 as privileged here. Both accounts are exported package variables (Anonymous, Root), so any caller holding a *System can act as root simply by calling Root.Use(sys): the access control is enforced between the accounts a program chooses to act as and the resources, not against the Go code that owns the system.
Example (DefaultResourceSystem) ¶
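sys := NewSystem()
asRoot := Root.Use(sys)
// Fexec reports failures (e.g. ErrPermissionDenied) through its error
// return; do not drop it silently.
if err := asRoot.Fexec(os.Stdout, "/bin/ls -R -l /"); err != nil {
	panic(err)
}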
Output: d--xrwxr-xr-x 1 1 /bin ----rwxr-xr-x 1 1 /bin/chmod ----rwxr-xr-x 1 1 /bin/chown ---xrwxr-xr-x 1 1 /bin/ls ----rwxr-xr-x 1 1 /bin/mkacc ----rwxr-xr-x 1 1 /bin/mkdir ----rwxr-xr-x 1 1 /bin/secure d---rwxr-xr-x 1 1 /etc d---rwxr-xr-x 1 1 /etc/accounts ----rw-r--r-- 1 1 /etc/accounts/anonymous ----rw-r--r-- 1 1 /etc/accounts/root d---rwxr-xr-x 1 1 /etc/groups ----rw-r--r-- 1 1 /etc/groups/anonymous ----rw-r--r-- 1 1 /etc/groups/root drwxrwxrwxrwx 1 1 /tmp
Example (ExportSystem) ¶
When exporting a system each node is written as one line — mode, uid, gid, path — followed by the base64 encoding of its content, if any. Base64 is an encoding, not encryption: the export below contains the gob-encoded account and group records in recoverable form, so protect an export as carefully as the system itself. Export and Import are methods on *System rather than on a Syscall, so no account is involved and none of the permission checks apply to them.
// Write every node of a freshly created system to stdout.
NewSystem().Export(os.Stdout)
Output: 4026532845 1 1 / 3758097389 1 1 /bin 3758096877 1 1 /etc 3758096877 1 1 /etc/accounts 1610613156 1 1 /etc/accounts/anonymous Mv+DAwEBB0FjY291bnQB/4QAAQMBBE5hbWUBDAABA1VJRAEEAAEGR3JvdXBzAf+GAAAAE/+FAgEBBVtdaW50Af+GAAEEAAAR/4QBCWFub255bW91cwIB 1610613156 1 1 /etc/accounts/root Mv+DAwEBB0FjY291bnQB/4QAAQMBBE5hbWUBDAABA1VJRAEEAAEGR3JvdXBzAf+GAAAAE/+FAgEBBVtdaW50Af+GAAEEAAAO/4QBBHJvb3QBAgEB 3758096877 1 1 /etc/groups 1610613156 1 1 /etc/groups/anonymous JP+BAwEBBWdyb3VwAf+CAAECAQROYW1lAQwAAQNHSUQBBAAAAA7/ggEJYW5vbnltb3Vz 1610613156 1 1 /etc/groups/root JP+BAwEBBWdyb3VwAf+CAAECAQROYW1lAQwAAQNHSUQBBAAAAAv/ggEEcm9vdAEC 3758100479 1 1 /tmp
Example (SaveAndLoadResource) ¶
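sys := NewSystem()
asRoot := Root.Use(sys)
// Every syscall below returns an error (e.g. ErrPermissionDenied); check
// each one instead of assuming the resource was written.
if err := asRoot.Exec("/bin/mkdir /tmp/aliens"); err != nil {
	panic(err)
}
filename := "/tmp/aliens/green.gob"
if err := asRoot.Save(filename, &Alien{Name: "Mr Green"}); err != nil {
	panic(err)
}
var alien Alien
// Load gob-decodes whatever the resource holds; anyone with write access
// to filename controls the decoded value.
if err := asRoot.Load(&alien, filename); err != nil {
	panic(err)
}
fmt.Printf("%#v", alien)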
Output: rs.Alien{Name:"Mr Green"}
Index ¶
- Constants
- Variables
- func Chmod(cmd *Cmd) error
- func Ls(cmd *Cmd) error
- func Mkacc(cmd *Cmd) error
- func Mkdir(cmd *Cmd) error
- func NodeExporter(writer io.Writer) nugo.Visitor
- func Secure(cmd *Cmd) error
- type Account
- type Chown
- type Cmd
- type Credentials
- type ExecFunc
- type Executable
- type Group
- type Mode
- type ResInfo
- type Resource
- type Secret
- type Syscall
- func (me *Syscall) AddAccount(acc *Account) error
- func (me *Syscall) Create(abspath string) (*Resource, error)
- func (me *Syscall) Exec(cli string) error
- func (me *Syscall) Execf(format string, v ...interface{}) error
- func (me *Syscall) Fexec(w io.Writer, cli string) error
- func (me *Syscall) Install(abspath string, cmd Executable, mode nugo.NodeMode) (*ResInfo, error)
- func (me *Syscall) Load(res interface{}, abspath string) error
- func (me *Syscall) LoadAccount(acc *Account, Name string) error
- func (me *Syscall) LoadGroup(group *Group, Name string) error
- func (me *Syscall) Mkdir(abspath string, mode Mode) (*ResInfo, error)
- func (me *Syscall) NextGID() int
- func (me *Syscall) NextUID() int
- func (me *Syscall) Open(abspath string) (*Resource, error)
- func (me *Syscall) RemoveAll(abspath string) error
- func (me *Syscall) Run(cmd *Cmd) error
- func (me *Syscall) Save(abspath string, src interface{}) error
- func (me *Syscall) SaveAs(abspath string, src interface{}) error
- func (me *Syscall) SetAuditer(v fox.Logger)
- func (me *Syscall) SetGroup(abspath string, gid int) error
- func (me *Syscall) SetMode(abspath string, mode Mode) error
- func (me *Syscall) SetOwner(abspath string, uid int) error
- func (me *Syscall) Stat(abspath string) (*ResInfo, error)
- type System
- type Visitor
- type Walker
Examples ¶
Constants ¶
// OpRead, OpWrite and OpExec name the three access operations. Each is a
// single bit in the top of a 32-bit word: OpRead is bit 31, OpWrite bit 30
// and OpExec bit 29 (1 << (32-1-iota)). The operation type itself is
// unexported and declared elsewhere in the package.
const (
	OpRead operation = 1 << (32 - 1 - iota)
	OpWrite
	OpExec
)
Variables ¶
// Predefined accounts. The numbering is the reverse of unix: the
// unprivileged Anonymous account is uid 0 and Root is uid 1. Both are
// exported, mutable package variables, so any importer can act as Root via
// Root.Use(sys); they are a modelling tool, not a privilege boundary
// against your own code.
var (
	Anonymous = NewAccount("anonymous", 0)
	Root      = NewAccount("root", 1)
)
// ErrPermissionDenied is the sentinel error for a denied access check.
// Compare with errors.Is. Whether every denial (e.g. the "exec denied"
// error returned by Stat in the example below) wraps it is not shown
// here — TODO confirm before relying on it.
var ErrPermissionDenied = errors.New("permission denied")
Functions ¶
func Chmod ¶
Chmod command sets mode of a resource.
Example ¶
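asRoot := Root.Use(NewSystem())
// Syscalls report failures as errors; fail loudly instead of dropping them.
must := func(err error) {
	if err != nil {
		panic(err)
	}
}
must(asRoot.Exec("/bin/mkdir /tmp/a"))
must(asRoot.Fexec(os.Stdout, "/bin/ls -l /tmp")) // before
// -m is a uint flag, so a leading 0 makes the value octal. 01755 also sets
// the 01000 digit, which shows as the leading triple in the listing below.
must(asRoot.Exec("/bin/chmod -m 01755 /tmp/a"))
must(asRoot.Fexec(os.Stdout, "/bin/ls -l /tmp")) // after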
Output: d---rwxr-xr-x 1 1 a d--xrwxr-xr-x 1 1 a
Example (Help) ¶
// -h only prints the usage text, which is the expected output; Fexec's
// error return is deliberately not checked here.
Root.Use(NewSystem()).Fexec(os.Stdout, "/bin/chmod -h")
Output: Usage of chmod: -m uint mode
func Ls ¶
Ls lists resources
Example ¶
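// Anonymous (uid 0, the unprivileged account) may list the root directory.
// Fexec returns an error on denial; surface it rather than ignore it.
if err := Anonymous.Use(NewSystem()).Fexec(os.Stdout, "/bin/ls /"); err != nil {
	panic(err)
}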
Output: bin etc tmp
Example (Help) ¶
// -h only prints the usage text, which is the expected output; Fexec's
// error return is deliberately not checked here.
Root.Use(NewSystem()).Fexec(os.Stdout, "/bin/ls -h")
Output: Usage of ls: -R recursive -json write json -json-name string result name of resources, if empty written as array -l use a long listing format
Example (LongListFormat) ¶
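// Long listing as Anonymous: mode, uid, gid, name. Note /tmp is
// world-writable (all permission bits set) in a fresh system.
if err := Anonymous.Use(NewSystem()).Fexec(os.Stdout, "/bin/ls -l /"); err != nil {
	panic(err)
}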
Output: d--xrwxr-xr-x 1 1 bin d---rwxr-xr-x 1 1 etc drwxrwxrwxrwx 1 1 tmp
func Mkacc ¶
Mkacc creates an account.
Example (Help) ¶
// -h only prints the usage text, which is the expected output; Fexec's
// error return is deliberately not checked here.
Root.Use(NewSystem()).Fexec(os.Stdout, "/bin/mkacc -h")
Output: Usage of mkacc: -gid int optional gid of the new account (default -1) -uid int optional uid of the new account (default -1)
func Mkdir ¶
Mkdir creates directories
Example (Help) ¶
// -h only prints the usage text, which is the expected output; Fexec's
// error return is deliberately not checked here. The default mode 493 is
// 0755 in octal.
Root.Use(NewSystem()).Fexec(os.Stdout, "/bin/mkdir -h")
Output: Usage of mkdir: -m uint mode for new directory (default 493)
func NodeExporter ¶ added in v0.3.0
NodeExporter returns a Visitor that writes each node, followed by its content as a base64-encoded string, to writer. The content is encoded, not encrypted.
Types ¶
type Account ¶
func NewAccount ¶
NewAccount returns a new account with the given uid used as both uid and group id. The uid is caller-supplied — see AddAccount for the uniqueness requirement — and remember that uid 0 is the Anonymous account, not a superuser.
type Chown ¶ added in v0.2.0
// Chown is the /bin/chown command (usage: Chown OWNER ...paths). It carries
// no state; its usage text is written by WriteUsage.
type Chown struct{}
Example (Help) ¶
// -h only prints the usage text, which is the expected output; Fexec's
// error return is deliberately not checked here.
Root.Use(NewSystem()).Fexec(os.Stdout, "/bin/chown -h")
Output: Usage: Chown OWNER ...paths
func (*Chown) WriteUsage ¶ added in v0.2.0
type Cmd ¶
type Credentials ¶ added in v0.2.0
// Credentials is a collection of Secrets, populated via AddSecret. The
// Secrets field is exported, so any holder of a *Credentials can read every
// secret directly. How a Secret is verified or stored is not documented
// here — confirm before relying on it as an authentication mechanism.
type Credentials struct {
	Secrets []*Secret
}
func NewCredentials ¶ added in v0.2.0
func NewCredentials() *Credentials
func (*Credentials) AddSecret ¶ added in v0.2.0
func (me *Credentials) AddSecret(s *Secret)
AddSecret adds s to the Secrets of the credentials. Behaviour beyond that (e.g. handling of duplicates or nil) is not documented here.
type Executable ¶
type Group ¶
// Group is a named group of accounts. Its GID and any other fields are
// unexported; load one by name with Syscall.LoadGroup.
type Group struct {
	Name string
	// contains filtered or unexported fields
}
type ResInfo ¶
// ResInfo describes a resource and is returned by Stat, Mkdir and Install.
// All fields are unexported.
type ResInfo struct {
	// contains filtered or unexported fields
}
ResInfo describes a resource and is returned by Stat
type Resource ¶
Resource wraps access to the underlying node
func (*Resource) Close ¶
Close closes the resource. If the resource is in write mode the written buffer is flushed on Close, so nothing is visible to readers before then; and since Open blocks while a resource is open for writing, a missed Close presumably leaves readers blocked. Always close, preferably with defer.
type Syscall ¶
// Syscall is the set of operations an Account performs against a System;
// obtain one with Account.Use(sys) (e.g. Root.Use(sys)). Access checks are
// made for the account the Syscall was created from. All fields are
// unexported.
type Syscall struct {
	// contains filtered or unexported fields
}
func (*Syscall) AddAccount ¶
AddAccount adds a new account to the system. Both the name and the uid must be unique; a duplicate is expected to be rejected with an error. Whether only Root may add accounts is not stated here — confirm before exposing this to unprivileged callers.
func (*Syscall) Create ¶
Create returns a new resource for writing. It fails if an existing resource at abspath is a directory. The caller must close the resource: Close is what flushes the written buffer (see Resource.Close).
func (*Syscall) Exec ¶
Exec splits the cli on whitespace and executes the first field as an absolute path, with the remaining fields as arguments. The split is plain whitespace splitting — there is no shell-style quoting — so arguments cannot contain spaces, and a cli assembled from untrusted input can inject additional arguments. When arguments come from outside, build a Cmd and call Run instead.
func (*Syscall) Fexec ¶
Fexec creates and executes a new command and directs the output to the given writer.
func (*Syscall) Load ¶
Load loads the resource at abspath into res. If res implements io.ReaderFrom that is used; otherwise the content is gob-decoded. The content is whatever was last written to the resource, so treat the decoded value as untrusted input.
func (*Syscall) LoadAccount ¶ added in v0.2.0
LoadAccount loads the account named Name into acc (signature: LoadAccount(acc *Account, Name string) error). Given the layout shown in the default system, it presumably reads /etc/accounts/Name — confirm.
func (*Syscall) Mkdir ¶
Mkdir creates the directory at the absolute path with the given mode; the parent directory must already exist.
func (*Syscall) Open ¶
Open opens the resource for reading. The underlying source must be a string or []byte. If the resource is currently open for writing this call blocks, presumably until the writer calls Close.
func (*Syscall) Run ¶ added in v0.2.0
Run executes the given command. It fails if, for example, the resource is not Executable. Every exec call is audited when the system has an auditer configured (see SetAuditer); without one no record is kept, so configure the auditer before the first call if you need an audit trail.
func (*Syscall) Save ¶
Save saves src to the given abspath, overwriting any existing resource. If src implements io.WriterTo that is used; otherwise src is gob-encoded.
func (*Syscall) SetAuditer ¶ added in v0.4.1
SetAuditer sets the auditer used to record exec calls (see Run); nil disables auditing.
func (*Syscall) SetMode ¶
SetMode sets the mode of abspath if the caller is the owner or Root. Only the permission bits can be set for now; note that the chmod example above sets 01755, so the leading digit is evidently accepted — confirm exactly which bits are rejected before relying on this.
func (*Syscall) Stat ¶
Stat returns a ResInfo describing the resource at abspath if the account is allowed to reach it, i.e. every directory on the path to it must grant the account execute permission. In the example below the Anonymous account is denied at /etc/accounts even though the mode string shows r-x for "other"; the leading triple of the mode string (the 01000 digit, cf. the chmod example) appears to be what gates Anonymous, so do not assume unix "other" semantics for uid 0 — verify before relying on it.
Example ¶
// Anonymous cannot traverse /etc/accounts, so Stat fails on that directory
// and the error names where the check stopped.
_, err := Anonymous.Use(NewSystem()).Stat("/etc/accounts/root")
fmt.Println(err)
Output: Stat /etc/accounts/root uid:0: d---rwxr-xr-x 1 1 accounts exec denied
type System ¶
// System holds the resource tree together with its Accounts and Groups.
// Accounts and Groups are exported slices, so any holder of a *System can
// read or modify them directly, presumably bypassing the uniqueness check
// AddAccount performs; prefer AddAccount via a Syscall.
type System struct {
	Accounts []*Account
	Groups   []*Group
	// contains filtered or unexported fields
}
func NewSystem ¶
func NewSystem() *System
NewSystem returns a system with installed resources resembling a unix filesystem.
func (*System) Import ¶ added in v0.4.0
Import imports resources from the given reader into the system under abspath. It is a *System method, so no account and no permission checks are involved: whatever the reader contains becomes part of the system, presumably including the modes and owners recorded in the export format. Only import data from a trusted source.
func (*System) LastModified ¶ added in v0.3.0
LastModified returns last time resources state was modified.