The s6-ipcserver-access program

s6-ipcserver-access is a command-line access control tool for Unix domain sockets on systems where the getpeereid() system call can be implemented. It is meant to be run after s6-ipcserverd and before the application program on the s6-ipcserver command line.


     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...

Environment variables

s6-ipcserver-access expects to inherit some environment variables from its parent:

Additionally, it exports the following variables before executing into prog...:

Also, the access rules database can instruct s6-ipcserver-access to set up, or unset, more environment variables, depending on the client address.


Access rule checking

s6-ipcserver-access checks its client connection against a ruleset. This ruleset can be implemented:

The exact format of the ruleset is described on the s6-accessrules-cdb-from-fs page.

s6-ipcserver-access first reads the client UID uid and GID gid from the ${PROTO}REMOTEEUID and ${PROTO}REMOTEEGID environment variables, and checks them with the s6_accessrules_keycheck_uidgid() function. In other words, it tries to match:

in that order. If no S6_ACCESSRULES_ALLOW result can be obtained, the connection is denied.

Environment and executable modifications

s6-ipcserver-access interprets non-empty env subdirectories and exec files it finds in the first matching rule of the ruleset, as explained in the s6-accessrules-cdb-from-fs page.