JANUS CLSOCK: Difference between revisions

From m204wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 61: Line 61:


The optional parameters for the JANUS CLSOCK ALLOW command are:
The optional parameters for the JANUS CLSOCK ALLOW command are:
NONE Indicates that no $SOCK_CONN or New method invocation is allowed to
 
access portname. If NONE is specified, no other optional parameters may
<table class="syntaxTable">
be specified.
<tr><th>NONE</th>
USER userid
<td>Indicates that no $SOCK_CONN or New method invocation is allowed to access portname. If NONE is specified, no other optional parameters may be specified.</td></tr>
Indicates that the Model 204 user ID userid may issue $SOCK_CONN or a
 
New method call for portname. For example, if userid is HOMER, a user that
<tr><th>USER userid</th>
logs in as HOMER will be allowed access to portname. If userid is SIMP*,
<td>Indicates that the Model 204 user ID userid may issue $SOCK_CONN or a New method call for portname. For example, if userid is HOMER, a user that logs in as HOMER will be allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is allowed access to portname. The USER parameter cannot be specified if the USGROUP parameter is specified.<br />USER '' (that is, USER with the null string) is not allowed, since there is
a user that logs in as any user ID that begins with the string SIMP is allowed
always a (non-null) user ID when a request is issued.<br /><br /.USER * is allowed, but it is meaningless: it does not change which conditions a rule matches.</td></tr>
access to portname.
 
The USER parameter cannot be specified if the USGROUP parameter is
<tr><th>USGROUP usgroup</th>
specified.
<td>Indicates that a Model 204 user is allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command (“JANUS
USER '' (that is, USER with the null string) is not allowed, since there is
DEFINEUSGROUP” on page 116). The USGROUP parameter cannot be specified if the USER parameter is
always a (non-null) user ID when a request is issued.
specified.</td></tr>
USER * is allowed, but it is meaningless: it does not change which
 
conditions a rule matches.
<tr><th>FILE procfile</th>
USGROUP usgroup
<td>Indicates that $SOCK_CONN or a New method call is allowed to access portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an instream procedure. FILE '' indicates that access is allowed only by a temporary request or an in-stream procedure.</td></tr>
Indicates that a Model 204 user is allowed access to portname if his or her
 
user ID matches an entry in the user group identified by usgroup. User
<tr><th>PROC procname</th>
groups are defined with the JANUS DEFINEUSGROUP command (“JANUS
<td>Indicates that $SOCK_CONN or a New method call is allowed to access portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC '' indicates that access is allowed only by a temporary request or an
DEFINEUSGROUP” on page 116).
in-stream procedure.</td></tr>
The USGROUP parameter cannot be specified if the USER parameter is
 
specified.
<tr><th>SUBSYS subsysname</th>
FILE procfile
<td>Indicates that a $SOCK_CONN or New method invocation is allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed by any subsystem. SUBSYS '' indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.</td></tr>
Indicates that $SOCK_CONN or a New method call is allowed to access
 
portname if invoked by executing an outer procedure stored in a Model 204
<tr><th>REMOTE rmt_host rmt_portnum
file whose name matches the pattern procfile. FILE * indicates that
<td>Indicates that a $SOCK_CONN or New method invocation is allowed to access portname if the remote host and port number ($SOCK_CONN or New method arguments, with their defaults from the REMOTE clause of the JANUS DEFINE command for the CLSOCK port) match rmt_host and rmt_portnum, respectively. Rmt_host can be any of the following:
access is allowed by any procedure except a temporary request or an instream
 
procedure. FILE '' indicates that access is allowed only by a
<table class="syntaxTable">
temporary request or an in-stream procedure.
<tr><th>[NAME] hostname</th>
PROC procname
<td>Indicates that access is allowed if the name of the remote host matches the pattern hostname. The null string ('') is not allowed for hostname, since there is always a (non-null) host for the $SOCK_CONN or New method operation. When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause. For example, the following rule restricts the connection to any remote host at port 1234, whether the connection is specified by name or by IP address:
Indicates that $SOCK_CONN or a New method call is allowed to access
 
portname if invoked by executing an outer procedure whose name matches
<p class="code"> JANUS CLSOCK FOO ALLOW REMOTE * 1234</p>
the pattern procname. PROC * indicates that access is allowed by any
 
procedure except a temporary request or an in-stream procedure.
The following clause restricts the connection to any remote host at port 1234, as long as the connection is specified by host name:
PROC '' indicates that access is allowed only by a temporary request or an
 
in-stream procedure.
<p class="code"> JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234</p>
SUBSYS subsysname
 
Indicates that a $SOCK_CONN or New method invocation is allowed to
REMOTE * * is allowed, but it is meaningless; that is, it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>
access portname if issued from an APSY subsystem with a name that
 
matches the pattern subsysname. SUBSYS * indicates that access is
<tr><th>IPGROUP ipgroup</th>
allowed by any subsystem. SUBSYS '' indicates that access is allowed
<td>Indicates that access is allowed if the remot host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS IPGROUP command (see “[[JANUS DEFINEIPGROUP]]”). ipaddr Indicates that access is allowed if the remote host has an IP address that matches ipaddr. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
only by a non-subsystem procedure or temporary request, or by an in-stream
 
procedure.
<ul>
REMOTE rmt_host rmt_portnum
<li>A slash ( / ) followed by a netmask (with no intervening blanks)
Indicates that a $SOCK_CONN or New method invocation is allowed to
<li>A hyphen ( - ) followed by a number of bits in the subnet mask (with no intervening blanks)
access portname if the remote host and port number ($SOCK_CONN or
</ul>
New method arguments, with their defaults from the REMOTE clause of the
 
JANUS DEFINE command for the CLSOCK port) match rmt_host and
For example, 198.244.244.97 is a simple address that must be matched exactly. 198.242.244.0/255.255.255.0,
rmt_portnum, respectively.
which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to
Rmt_host can be any of the following:
portname.</td</tr>
[NAME] hostname
</table>
Indicates that access is allowed if the name of the remote host
 
matches the pattern hostname.
Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.
The null string ('') is not allowed for hostname, since there is
 
always a (non-null) host for the $SOCK_CONN or New method
operation.
When the NAME keyword is explicitly specified, or when
hostname is a form that cannot be an IP address, the clause only
matches if the connection to the remote host is made using a
name rather than an IP address. This leads to some subtle
differences in the meaning of an asterisk in the REMOTE clause.
For example, the following rule restricts the connection to any
remote host at port 1234, whether the connection is specified by
name or by IP address:
JANUS CLSOCK FOO ALLOW REMOTE * 1234
The following clause restricts the connection to any remote host
at port 1234, as long as the connection is specified by host
name:
JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234
REMOTE * * is allowed, but it is meaningless; that is, it does not
change which conditions a rule matches. REMOTE NAME * *,
however, does restrict a rule to match only if the host name is
specified on the connection, but it matches any remote host.
IPGROUP ipgroup
Indicates that access is allowed if the remot host's IP address
matches one of the entries in ipgroup. IP groups are defined
with the JANUS IPGROUP command (“JANUS
DEFINEIPGROUP” on page 110).
ipaddr Indicates that access is allowed if the remote host has an IP
address that matches ipaddr. ipaddr can be a simple IP address
or it can be a subnet. Subnets are indicated by an IP address
followed by either of these:
<li>A slash ( / ) followed by a netmask (with no intervening
blanks)
<li>A hyphen ( - ) followed by a number of bits in the subnet
mask (with no intervening blanks)
For example, 198.244.244.97 is a simple address that must
be matched exactly. 198.242.244.0/255.255.255.0,
which is equivalent to 198.242.244.0-24, indicates that any
machine on subnet 198.242.244.0 is to be allowed access to
portname.
Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule
can match whether a connection is specified by host name or IP address. If
the connection is by host name, it is first translated to an IP address, which
is then used to match the rule.
Rmt_portnum can be either of these:
Rmt_portnum can be either of these:
<li>An asterisk (*), indicating access is allowed for any port number at the
<ul>
specified remote host.
<li>An asterisk (*), indicating access is allowed for any port number at the specified remote host.</li>
<li>An integer in the range 1-65535, indicating that access is allowed only
<li>An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.</li>
for the specified port number at the specified remote host.
</ul>
JANUS CLSOCK DISALLOW
</td></tr>
JANUS CLSOCK portname DISALLOW -
</table>
[USER userID | USGROUP usgroup] -
 
[FILE procfile] -
==JANUS CLSOCK DISALLOW==
[PROC procname] -
 
[SUBSYS subsysname] -
<p class="syntax"> JANUS CLSOCK portname DISALLOW -
[REMOTE rmt_host rmt_portnum]
                [USER userID | USGROUP usgroup] -
JANUS CLSOCK DISALLOW command syntax
                [FILE procfile] -
The JANUS CLSOCK DISALLOW command indicates a combination of conditions
                [PROC procname] -
which, if all specified, prevent a socket-connection $function ($SOCK_CONN) or object
                [SUBSYS subsysname] -
method invocation from accessing the CLSOCK ports that match pattern portname.
                [REMOTE rmt_host rmt_portnum]
The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all
</p>
access — except system administrators can access any CLSOCK port, regardless of
<p class="caption">JANUS CLSOCK DISALLOW command syntax</p>
rules (since a system administrator can always issue JANUS CLSOCK to grant access
 
to herself). For a non-system administrator, access to a CLSOCK port on a
The JANUS CLSOCK DISALLOW command indicates a combination of conditions which, if all specified, prevent a socket-connection $function ($SOCK_CONN) or object method invocation from accessing the CLSOCK ports that match pattern portname.  
$SOCK_CONN or New method invocation depends on the most recent rule for that port
 
that matches the conditions of the $SOCK_CONN or New method call:
The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access — except system administrators can access any CLSOCK port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself). For a non-system administrator, access to a CLSOCK port on a $SOCK_CONN or New method invocation depends on the most recent rule for that port that matches the conditions of the $SOCK_CONN or New method call:
 
<ul>
<li>If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access
<li>If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access
to the port is not allowed.
to the port is not allowed.
Line 184: Line 145:
<li>If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is
<li>If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is
disallowed.
disallowed.
If the JANUS CLSOCK DISALLOW command is specified with no optional parameters,
</ul>
no $SOCK_CONN invocation can access the CLSOCK ports that match the pattern in
 
portname.
If the JANUS CLSOCK DISALLOW command is specified with no optional parameters, no $SOCK_CONN invocation can access the CLSOCK ports that match the pattern in portname.
 
The optional parameters for the JANUS CLSOCK DISALLOW command are:
The optional parameters for the JANUS CLSOCK DISALLOW command are:
USER userid
 
Indicates that the Model 204 user ID userid may not issue $SOCK_CONN or
<table class="syntaxTable">
the New method for portname. For example, if userid is HOMER, a user that
<tr><th>USER userid</th>
logs in as HOMER is not allowed access to portname. If userid is SIMP*, a
<td>Indicates that the Model 204 user ID userid may not issue $SOCK_CONN or the New method for portname. For example, if userid is HOMER, a user that logs in as HOMER is not allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is not allowed access to portname.<br /><br />The USER parameter cannot be specified if the USGROUP parameter is specified.<br /><br />USER '' (that is, USER with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.<br /><br />USER * is allowed, but it is meaningless; it does not change which conditions a rule matches.</td></tr>
user that logs in as any user ID that begins with the string SIMP is not
 
allowed access to portname.
<tr><th>USGROUP usgroup</th>
The USER parameter cannot be specified if the USGROUP parameter is
<td>Indicates that a Model 204 user is not allowed access to portname if his or her userid matches an entry in the user group identified by usgroup. User groups are defined with the [[JANUS DEFINEUSGROUP]] command. The USGROUP parameter cannot be specified if the USER parameter is specified.
specified.
 
USER '' (that is, USER with the null string) is not allowed, since there is
<tr><th>FILE procfile</th>
always a (non-null) user ID when a request is issued.
<td>Indicates that $SOCK_CONN or the New method is not allowed to access portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed only by a temporary request or an in-stream procedure. FILE '' indicates that access is allowed by any procedure except a temporary request or an in-stream procedure.</td></tr>
USER * is allowed, but it is meaningless; it does not change which
 
conditions a rule matches.
<tr><th>PROC procname</th>
USGROUP usgroup
<td>Indicates that $SOCK_CONN or the New method is not allowed to access portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed only by a temporary request or an in-stream procedure. PROC '' indicates that access is allowed by any procedure except a temporary request or an instream procedure.</td></tr>
Indicates that a Model 204 user is not allowed access to portname if his or
 
her userid matches an entry in the user group identified by usgroup. User
<tr><th>SUBSYS subsysname<th>
groups are defined with the JANUS DEFINEUSGROUP command (“JANUS
<td>Indicates that a $SOCK_CONN or New method invocation is not allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. SUBSYS '' indicates that access is allowed by any subsystem.
DEFINEUSGROUP” on page 116).
 
The USGROUP parameter cannot be specified if the USER parameter is
<tr><th>REMOTE rmt_host rmt_portnum</th>
specified.
<td>Indicates that a $SOCK_CONN or New method invocation is not allowed to access portname if the remote host and port number ($SOCK_CONN or New method arguments, with their defaults from the REMOTE clause of the JANUS DEFINE command for the CLSOCK port) match rmt_host and rmt_portnum, respectively. Rmt_host can be any of the following:
FILE procfile
 
Indicates that $SOCK_CONN or the New method is not allowed to access
<table class="syntaxTable">
portname if invoked by executing an outer procedure stored in a Model 204
<tr><th>[NAME] hostname</th>
file whose name matches the pattern procfile. FILE * indicates that
<td>Indicates that access is not allowed if the name of the remote host matches the pattern hostname.
access is allowed only by a temporary request or an in-stream procedure.
The null string ('') is not allowed for hostname, since there is always a (non-null) host for the $SOCK_CONN or New method operation.<br /><br />When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause.<br /><br />For example, the following rule restricts the connection to any remote host, as long as a port other than 1234 is used, whether the connection is specified by name or by IP address:
FILE '' indicates that access is allowed by any procedure except a
 
temporary request or an in-stream procedure.
<p class="code"> JANUS CLSOCK FOO DISALLOW REMOTE * 1234</p>
PROC procname
 
Indicates that $SOCK_CONN or the New method is not allowed to access
The following rule disallows a connection to any remote host at port 1234, if the connection is specified by host name.
portname if invoked by executing an outer procedure whose name matches
 
the pattern procname. PROC * indicates that access is allowed only by a
<p class="code"> JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234</p>
temporary request or an in-stream procedure. PROC '' indicates that
 
access is allowed by any procedure except a temporary request or an instream
(Admittedly, these DISALLOW examples, especially the latter one, seem far-fetched and probably are not useful in practice.)
procedure.
 
SUBSYS subsysname
REMOTE * * is allowed, but it is meaningless: it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.</td></tr>
Indicates that a $SOCK_CONN or New method invocation is not allowed to
 
access portname if issued from an APSY subsystem with a name that
<tr><th>IPGROUP ipgroup</th>
matches the pattern subsysname. SUBSYS * indicates that access is
<td>Indicates that access is not allowed if the remote host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS IPGROUP command (see “[[JANUS DEFINEIPGROUP]]”). </td></tr>
allowed only by a non-subsystem procedure or temporary request, or by an
 
in-stream procedure. SUBSYS '' indicates that access is allowed by any
<tr><th>ipaddr</th>
subsystem.
<td>Indicates that access is not allowed if the remote host has an IP address that matches ipaddr. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
REMOTE rmt_host rmt_portnum
<ul>
Indicates that a $SOCK_CONN or New method invocation is not allowed to
<li>A slash ( / ) followed by a netmask (with no intervening blanks)
access portname if the remote host and port number ($SOCK_CONN or
<li>A hyphen ( - ) followed by a number of bits in the subnet mask (with no intervening blanks)
New method arguments, with their defaults from the REMOTE clause of the
</ul>
JANUS DEFINE command for the CLSOCK port) match rmt_host and
 
rmt_portnum, respectively.
For example, 198.244.244.97 is a simple address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname.
Rmt_host can be any of the following:
</td></tr>
[NAME] hostname
</table>
Indicates that access is not allowed if the name of the remote
 
host matches the pattern hostname.
The null string ('') is not allowed for hostname, since there is
always a (non-null) host for the $SOCK_CONN or New method
operation.
When the NAME keyword is explicitly specified, or when
hostname is a form that cannot be an IP address, the clause only
matches if the connection to the remote host is made using a
name rather than an IP address. This leads to some subtle
differences in the meaning of an asterisk in the REMOTE clause.
For example, the following rule restricts the connection to any
remote host, as long as a port other than 1234 is used, whether
the connection is specified by name or by IP address:
JANUS CLSOCK FOO DISALLOW REMOTE * 1234
The following rule disallows a connection to any remote host at
port 1234, if the connection is specified by host name.
JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234
(Admittedly, these DISALLOW examples, especially the latter
one, seem far-fetched and probably are not useful in practice.)
REMOTE * * is allowed, but it is meaningless: it does not
change which conditions a rule matches. REMOTE NAME * *,
however, does restrict a rule to match only if the host name is
specified on the connection, but it matches any remote host.
IPGROUP ipgroup
Indicates that access is not allowed if the remote host's IP
address matches one of the entries in ipgroup. IP groups are
defined with the JANUS IPGROUP command (“JANUS
DEFINEIPGROUP” on page 110).
ipaddr Indicates that access is not allowed if the remote host has an IP
address that matches ipaddr. ipaddr can be a simple IP address
or it can be a subnet. Subnets are indicated by an IP address
followed by either of these:
<li>A slash ( / ) followed by a netmask (with no intervening
blanks)
<li>A hyphen ( - ) followed by a number of bits in the subnet
mask (with no intervening blanks)
For example, 198.244.244.97 is a simple address that must
be matched exactly. 198.242.244.0/255.255.255.0,
which is equivalent to 198.242.244.0-24, indicates that any
machine on subnet 198.242.244.0 is to be allowed access to
portname.
Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule
Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule
can match whether a connection is specified by host name or IP address. If
can match whether a connection is specified by host name or IP address. If
the connection is by host name, it is first translated to an IP address, which
the connection is by host name, it is first translated to an IP address, which
is then used to match the rule.
is then used to match the rule.
Rmt_portnum can be either of these:
Rmt_portnum can be either of these:
<li>An asterisk (*), indicating access is allowed for any port number at the
<li>An asterisk (*), indicating access is allowed for any port number at the
specified remote host.
specified remote host.
<li>An integer in the range 1-65535, indicating that access is allowed only
<li>An integer in the range 1-65535, indicating that access is allowed only
for the specified port number at the specified remote host.
for the specified port number at the specified remote host.
5.5.3 Rule matching order and examples
</ul>
</td></tr>
</table>
 
==Rule matching order and examples==
 
Each execution of a JANUS CLSOCK subcommand adds to the set of rules for the
Each execution of a JANUS CLSOCK subcommand adds to the set of rules for the
specified port. Individual rules cannot be deleted nor modified. All rules can be deleted
specified port. Individual rules cannot be deleted nor modified. All rules can be deleted
only by stopping and deleting the port definition. Deleting a port definition, however,
only by stopping and deleting the port definition. Deleting a port definition, however,
should not be necessary, as long as you follow the two golden rules:
should not be necessary, as long as you follow the two golden rules:
1. Specify the most general rules first and the most specific last.
 
2. Specify an initial rule that “clears” all related rules.
<ol>
<li>Specify the most general rules first and the most specific last.</li>
<li>Specify an initial rule that “clears” all related rules.</li>
</ol>
 
The following example illustrates these principles:
The following example illustrates these principles:
JANUS CLSOCK TEST21 DISALLOW *
 
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
<p class="code"> JANUS CLSOCK TEST21 DISALLOW *
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER*
REMOTE IPADDR 169.84.111.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
              REMOTE IPADDR 169.84.111.0-24 9333
REMOTE IPADDR 169.84.112.0-24 9333
JANUS CLSOCK TEST21 ALLOW PROC FILETRANS -
JANUS CLSOCK TEST21 ALLOW USER SIMP*
              REMOTE IPADDR 169.84.112.0-24 9333
In this example, any previously specified ALLOW rules on port TEST21 are made
JANUS CLSOCK TEST21 ALLOW USER SIMP*
obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, the
</p>
rules allow invocation of $SOCK_CONN or the New method for port TEST21, if any of
 
the following conditions are met:
In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, the rules allow invocation of $SOCK_CONN or the New method for port TEST21, if any of the following conditions are met:
<ul>
<li>It is invoked from a subsystem whose name begins with the string ECOMMER.
<li>It is invoked from a subsystem whose name begins with the string ECOMMER.
<li>It is invoked for port number 9333 at a remote host that is on either the subnet
<li>It is invoked for port number 9333 at a remote host that is on either the subnet 169.84.111.0 or the subnet 169.84.112.0.
169.84.111.0 or the subnet 169.84.112.0.
<li>It is invoked by a Model 204 user whose ID begins with the string SIMP.
<li>It is invoked by a Model 204 user whose ID begins with the string SIMP.
</ul>




==References and links==
See: [[List_of_Janus_commands|Janus command list]]
See: [[List_of_Janus_commands|Janus command list]]
[[Category:Janus commands|JANUS CLSOCK]]
[[Category:Janus commands|JANUS CLSOCK]]
[[Category:Sirius commands]]
[[Category:Sirius commands]]

Revision as of 19:17, 28 February 2011

<section begin="desc" />Defines rules for a Janus socket client<section end="desc" />

The JANUS CLSOCK command defines the rules for a Janus Sockets client (CLSOCK) or DEBUGGERCLIENT port. These rules control access to the port. System administrators always have access to a client port, so no CLSOCK rules are required to provide socket access to these users.

JANUS CLSOCK portname rule_type [optional parameters]

JANUS CLSOCK command syntax

The JANUS CLSOCK command is slightly different from most Janus commands in that it usually takes a set of commands to fully specify the rules for a port. For instance, it may take a number of commands to specify the various users and applications that may use a port on the socket-connection $function ($SOCK_CONN) or object method (New).

The order in which JANUS CLSOCK commands are specified also affects how they are processed.

The first two parameters are positional and are required:

portname A 1 - 30 character name of the port, or a pattern specifying a set of ports, for which the rule is being defined. Wildcards are allowed.
rule_type The type of rule being specified for the port or ports. Valid rule_types are:
  • DISALLOW Removes access permission.
  • ALLOW Assigns access permission.

The ALLOW and DISALLOW rules are processed together, from most recent to oldest. The optional parameters allowed for the JANUS CLSOCK command depend on the rule_type value. The rule types are shown below, followed by a section giving examples and showing the interaction of JANUS CLSOCK commands.

Note that the JANUS CLSOCK and JANUS SRVSOCK commands differ from the corresponding rules available with the JANUS WEB command in the following ways:

  • JANUS WEB does not allow any optional parameters (for example, USGROUP) on the DISALLOW rule.
  • The default access for WEBSERV non-SSL ports and SRVSOCK ports is ALLOW. The default access for WEBSERV SSL ports and CLSOCK ports is DISALLOW.
  • ALLOW and DISALLOW are the only rule types for JANUS CLSOCK and JANUS SRVSOCK. There are a number of other rule types for JANUS WEB.

JANUS CLSOCK ALLOW

JANUS CLSOCK portname ALLOW - [NONE] | [USER userID | USGROUP usgroup] - [FILE procfile] - [PROC procname] - [SUBSYS subsysname] - [REMOTE rmt_host rmt_portnum]

JANUS CLSOCK ALLOW command syntax

The JANUS CLSOCK ALLOW command indicates a combination of conditions which, if all specified, allow a socket-connection $function ($SOCK_CONN) or object method invocation to access a CLSOCK port that matches pattern portname.

The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access — except system administrators can access any CLSOCK port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself). For a non-system administrator, access to a CLSOCK port on a $SOCK_CONN or New method invocation depends on the most recent rule for that port that matches the conditions of the $SOCK_CONN or New method call:

  • If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is disallowed.
  • If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.

If the JANUS CLSOCK ALLOW command is specified with no optional parameters, any $SOCK_CONN or New method invocation can access the CLSOCK ports that match the pattern in portname.

The optional parameters for the JANUS CLSOCK ALLOW command are:

NONE Indicates that no $SOCK_CONN or New method invocation is allowed to access portname. If NONE is specified, no other optional parameters may be specified.
USER userid Indicates that the Model 204 user ID userid may issue $SOCK_CONN or a New method call for portname. For example, if userid is HOMER, a user that logs in as HOMER will be allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is allowed access to portname. The USER parameter cannot be specified if the USGROUP parameter is specified.
USER (that is, USER with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.
<br /.USER * is allowed, but it is meaningless: it does not change which conditions a rule matches.
USGROUP usgroup Indicates that a Model 204 user is allowed access to portname if his or her user ID matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command (“JANUS

DEFINEUSGROUP” on page 116). The USGROUP parameter cannot be specified if the USER parameter is

specified.
FILE procfile Indicates that $SOCK_CONN or a New method call is allowed to access portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed by any procedure except a temporary request or an instream procedure. FILE indicates that access is allowed only by a temporary request or an in-stream procedure.
PROC procname Indicates that $SOCK_CONN or a New method call is allowed to access portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed by any procedure except a temporary request or an in-stream procedure. PROC indicates that access is allowed only by a temporary request or an in-stream procedure.
SUBSYS subsysname Indicates that a $SOCK_CONN or New method invocation is allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed by any subsystem. SUBSYS indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure.
REMOTE rmt_host rmt_portnum Indicates that a $SOCK_CONN or New method invocation is allowed to access portname if the remote host and port number ($SOCK_CONN or New method arguments, with their defaults from the REMOTE clause of the JANUS DEFINE command for the CLSOCK port) match rmt_host and rmt_portnum, respectively. Rmt_host can be any of the following:
[NAME] hostname Indicates that access is allowed if the name of the remote host matches the pattern hostname. The null string () is not allowed for hostname, since there is always a (non-null) host for the $SOCK_CONN or New method operation. When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause. For example, the following rule restricts the connection to any remote host at port 1234, whether the connection is specified by name or by IP address:

JANUS CLSOCK FOO ALLOW REMOTE * 1234

The following clause restricts the connection to any remote host at port 1234, as long as the connection is specified by host name:

JANUS CLSOCK FOO ALLOW REMOTE NAME * 1234

REMOTE * * is allowed, but it is meaningless; that is, it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.
IPGROUP ipgroup Indicates that access is allowed if the remot host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS IPGROUP command (see “JANUS DEFINEIPGROUP”). ipaddr Indicates that access is allowed if the remote host has an IP address that matches ipaddr. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
  • A slash ( / ) followed by a netmask (with no intervening blanks)
  • A hyphen ( - ) followed by a number of bits in the subnet mask (with no intervening blanks)

For example, 198.244.244.97 is a simple address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to

portname.</td

Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.

Rmt_portnum can be either of these:

  • An asterisk (*), indicating access is allowed for any port number at the specified remote host.
  • An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.

JANUS CLSOCK DISALLOW

JANUS CLSOCK portname DISALLOW - [USER userID | USGROUP usgroup] - [FILE procfile] - [PROC procname] - [SUBSYS subsysname] - [REMOTE rmt_host rmt_portnum]

JANUS CLSOCK DISALLOW command syntax

The JANUS CLSOCK DISALLOW command indicates a combination of conditions which, if all specified, prevent a socket-connection $function ($SOCK_CONN) or object method invocation from accessing the CLSOCK ports that match pattern portname.

The default access for all CLSOCK and DEBUGGERCLIENT ports is to disallow all access — except system administrators can access any CLSOCK port, regardless of rules (since a system administrator can always issue JANUS CLSOCK to grant access to herself). For a non-system administrator, access to a CLSOCK port on a $SOCK_CONN or New method invocation depends on the most recent rule for that port that matches the conditions of the $SOCK_CONN or New method call:

  • If the conditions match all clauses on a JANUS CLSOCK DISALLOW rule, access to the port is not allowed.
  • If the conditions match all clauses on a JANUS CLSOCK ALLOW rule, access to the port is allowed.
  • If the conditions match neither an ALLOW nor DISALLOW rule, access to the port is disallowed.

If the JANUS CLSOCK DISALLOW command is specified with no optional parameters, no $SOCK_CONN invocation can access the CLSOCK ports that match the pattern in portname.

The optional parameters for the JANUS CLSOCK DISALLOW command are:

USER userid Indicates that the Model 204 user ID userid may not issue $SOCK_CONN or the New method for portname. For example, if userid is HOMER, a user that logs in as HOMER is not allowed access to portname. If userid is SIMP*, a user that logs in as any user ID that begins with the string SIMP is not allowed access to portname.

The USER parameter cannot be specified if the USGROUP parameter is specified.

USER (that is, USER with the null string) is not allowed, since there is always a (non-null) user ID when a request is issued.

USER * is allowed, but it is meaningless; it does not change which conditions a rule matches.
USGROUP usgroup Indicates that a Model 204 user is not allowed access to portname if his or her userid matches an entry in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command. The USGROUP parameter cannot be specified if the USER parameter is specified.
FILE procfile Indicates that $SOCK_CONN or the New method is not allowed to access portname if invoked by executing an outer procedure stored in a Model 204 file whose name matches the pattern procfile. FILE * indicates that access is allowed only by a temporary request or an in-stream procedure. FILE indicates that access is allowed by any procedure except a temporary request or an in-stream procedure.
PROC procname Indicates that $SOCK_CONN or the New method is not allowed to access portname if invoked by executing an outer procedure whose name matches the pattern procname. PROC * indicates that access is allowed only by a temporary request or an in-stream procedure. PROC indicates that access is allowed by any procedure except a temporary request or an instream procedure.
SUBSYS subsysname Indicates that a $SOCK_CONN or New method invocation is not allowed to access portname if issued from an APSY subsystem with a name that matches the pattern subsysname. SUBSYS * indicates that access is allowed only by a non-subsystem procedure or temporary request, or by an in-stream procedure. SUBSYS indicates that access is allowed by any subsystem.
REMOTE rmt_host rmt_portnum Indicates that a $SOCK_CONN or New method invocation is not allowed to access portname if the remote host and port number ($SOCK_CONN or New method arguments, with their defaults from the REMOTE clause of the JANUS DEFINE command for the CLSOCK port) match rmt_host and rmt_portnum, respectively. Rmt_host can be any of the following:
[NAME] hostname Indicates that access is not allowed if the name of the remote host matches the pattern hostname.

The null string () is not allowed for hostname, since there is always a (non-null) host for the $SOCK_CONN or New method operation.

When the NAME keyword is explicitly specified, or when hostname is a form that cannot be an IP address, the clause only matches if the connection to the remote host is made using a name rather than an IP address. This leads to some subtle differences in the meaning of an asterisk in the REMOTE clause.

For example, the following rule restricts the connection to any remote host, as long as a port other than 1234 is used, whether the connection is specified by name or by IP address:

JANUS CLSOCK FOO DISALLOW REMOTE * 1234

The following rule disallows a connection to any remote host at port 1234, if the connection is specified by host name.

JANUS CLSOCK FOO DISALLOW REMOTE NAME * 1234

(Admittedly, these DISALLOW examples, especially the latter one, seem far-fetched and probably are not useful in practice.)

REMOTE * * is allowed, but it is meaningless: it does not change which conditions a rule matches. REMOTE NAME * *, however, does restrict a rule to match only if the host name is specified on the connection, but it matches any remote host.
IPGROUP ipgroup Indicates that access is not allowed if the remote host's IP address matches one of the entries in ipgroup. IP groups are defined with the JANUS IPGROUP command (see “JANUS DEFINEIPGROUP”).
ipaddr Indicates that access is not allowed if the remote host has an IP address that matches ipaddr. ipaddr can be a simple IP address or it can be a subnet. Subnets are indicated by an IP address followed by either of these:
  • A slash ( / ) followed by a netmask (with no intervening blanks)
  • A hyphen ( - ) followed by a number of bits in the subnet mask (with no intervening blanks)

For example, 198.244.244.97 is a simple address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to portname.

Note that when the IPGROUP ipgroup or the ipaddr form is used, the rule can match whether a connection is specified by host name or IP address. If the connection is by host name, it is first translated to an IP address, which is then used to match the rule.

Rmt_portnum can be either of these:

  • An asterisk (*), indicating access is allowed for any port number at the specified remote host.
  • An integer in the range 1-65535, indicating that access is allowed only for the specified port number at the specified remote host.

    • Rule matching order and examples

    Each execution of a JANUS CLSOCK subcommand adds to the set of rules for the specified port. Individual rules cannot be deleted nor modified. All rules can be deleted only by stopping and deleting the port definition. Deleting a port definition, however, should not be necessary, as long as you follow the two golden rules:

    1. Specify the most general rules first and the most specific last.
    2. Specify an initial rule that “clears” all related rules.

    The following example illustrates these principles:

    JANUS CLSOCK TEST21 DISALLOW * JANUS CLSOCK TEST21 ALLOW SUBSYS ECOMMER* JANUS CLSOCK TEST21 ALLOW PROC FILETRANS - REMOTE IPADDR 169.84.111.0-24 9333 JANUS CLSOCK TEST21 ALLOW PROC FILETRANS - REMOTE IPADDR 169.84.112.0-24 9333 JANUS CLSOCK TEST21 ALLOW USER SIMP*

    In this example, any previously specified ALLOW rules on port TEST21 are made obsolete by the first DISALLOW rule. Once the TEST21 access rules are cleared, the rules allow invocation of $SOCK_CONN or the New method for port TEST21, if any of the following conditions are met:

    • It is invoked from a subsystem whose name begins with the string ECOMMER.
    • It is invoked for port number 9333 at a remote host that is on either the subnet 169.84.111.0 or the subnet 169.84.112.0.
    • It is invoked by a Model 204 user whose ID begins with the string SIMP.


    References and links

    See: Janus command list

    Retrieved from "https://m204wiki.rocketsoftware.com/index.php?title=JANUS_CLSOCK&oldid=37852"