MANIFEST(7)                                                        MANIFEST(7)

       manifest - check a proposed escalation program against a list

       manifest  [-P pid] [-C config] [-f file] [-g group] [-R root] [-u user]
       mnemonic program euid:egid cred_type:cred
       manifest -h|-H
       manifest -V

       This helmet is intended to  allow  a  list  of  approved  commands  (or
       scripts)  to be grouped under a single op mnemonic.  A file provided to
       the helmet contains a list of the allowed  commands,  each  non-comment
       line  contains  a perl regular expression, possibly prefixed by an exit
       code.  If that RE matches the proposed program, then the proposed  exit
       code represents the exit status of manifest.

       As either the escalated login's or the client's home directory may dif-
       fer across instances, the REs list allows the replacement of 2  special
       leading  strings.   A  leading tilde slash (~/) is replaced by the pro-
       posed euid's home directory prefixed with a circumflex (^).  A  leading
       dot  slash  (./) is replaced by the escalated uid's home directory pre-
       fixed with a circumflex (^).  This allows a match against  files  which
       may be rooted at different places on various client machines.

       In  the  list  of  REs  leading  hash  (#)  to end of line comments are
       ignored.  This allows revision identification and mk(1l) markup  within
       each file.  Blank lines are also ignored.

       This  program  takes  all the op provided options, but actually doesn't
       look at any of them (other than -P, and the  program  path).   It  does
       sanity check them, just the same.

       Like  any  helmet,  most of the configuration is passed from op via the

              Every path listed as a value of a matching environment  variable
              is searched for a matching RE.  The files are consulted in lexi-
              cal order of the names.

              The warning message to replace the common  "Sorry"  denial  mes-
              sage.   If  there is not a matching name, then the empty name is
              consulted as a better default.

              The standard reveal logic, see op-jacket(7).

       All of these are deleted from each cmd's  environment:  $IFS,  $CDPATH,
       $ENV,  $BASH_ENV  to prevent perl(1) from refusing to run any commands.
       There is no way to set them, but we do not fork(2) any processes.

       These are examples from the command line:

       /usr/local/libexec/jacket/manifest -V
              Output only the version of the program, then exit.

       /usr/local/libexec/jacket/manifest -H
              Output only a summary of the environment expected.

       All of these are snips from the op file.  Note that you  must
       allow  any referenced environment variables into the escalated environ-
       ment, and it is a really good idea to include a $PATH.

              Consult the proposed login's home directory for an allowed list,
              which starts with a dot (.) to hide it from ls(1).

              Consult  the  escalated login's home directory for an allow list
              based on the client login's user name.

              With no in-scope manifest list this helmet always fails.

              Allow any system shell, since the /etc/shells  file  happens  to
              look just like a list of expressions to this program.

       The  regular  expression  list to allow 2 harmless commands, and forbid
       the date(1) command:
              # $Id... revision control markup $
              # date can set the system clock, never allow that --ksb
       The date program is excluded with the code CANTCREAT (73), since we  do
       not  want  escalated  mortals  setting the system clock.  That's a good
       code for "you are not the superuser", while NOPERM (77) is better for a
       failed escalation.

       Always  allow  the  internal echo command, if that is a possible match.
       This pseudo-command is the only string  presented  (by  op)  without  a
       leading  slash  (/),  as op doesn't really execve(2) another executable
       file.  For example:
              # Either echo is fine

       There is a hackish way to set the default exit  code:  use  a  negative
       number  with  an  empty  RE.   For  example  -63= sets the code for any
       unmatched program to 63 (which is in the range of application-specific
       meanings).
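       The list format described above (code=RE prefixes, ~/ and ./ home sub-
       stitution, # comments, the -N= default hack) as an added Python  model,
       not  the  helmet's  own perl code.  The default deny code (77), allow
       code (0) and first-match-wins ordering are assumptions; the sample list
       and home directories are constructed for the illustration.

```python
import re

# Python model of the manifest list semantics; the real helmet is perl, and
# the defaults below are assumptions, not the helmet's own code.
DEFAULT_DENY = 77   # assumed exit code when no RE matches (NOPERM)
ALLOW = 0           # assumed exit code for an RE with no code prefix
_RULE = re.compile(r'^(-?\d+)=(.*)$')   # optional "code=" prefix

def parse_manifest(text, tilde_home, dot_home):
    """Return (rules, default_code) for one manifest file.  A leading ~/ becomes
    ^ + tilde_home (proposed euid's home), a leading ./ becomes ^ + dot_home
    (escalated uid's home), as the man page describes."""
    rules, default = [], DEFAULT_DENY
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # blank and # comment lines
            continue
        code, m = ALLOW, _RULE.match(line)
        if m:
            code, line = int(m.group(1)), m.group(2)
        if code < 0 and not line:               # "-63=" sets the unmatched code
            default = -code
            continue
        if line.startswith('~/'):
            line = '^' + tilde_home + line[1:]
        elif line.startswith('./'):
            line = '^' + dot_home + line[1:]
        rules.append((code, re.compile(line)))
    return rules, default

def check(program, rules, default):
    """Exit status for a proposed program; first matching RE wins (assumed)."""
    for code, rx in rules:
        if rx.search(program):   # unanchored, as a bare perl match is
            return code
    return default

# Constructed sample list: two harmless commands, date refused with
# CANTCREAT (73), one home-relative script, unmatched programs get 63.
SAMPLE = """\
-63=
^/bin/true$
^/bin/false$
# date can set the system clock, never allow that
73=^/bin/date
~/bin/report$
"""

if __name__ == '__main__':
    rules, dflt = parse_manifest(SAMPLE, '/home/alice', '/home/ops')
    print(check('/bin/date', rules, dflt), check('/usr/bin/vi', rules, dflt))
```

       Feeding /etc/shells through the same parser shows why  anchors  matter:
       its  bare  entries  are  unanchored REs, so /bin/sh also matches a pro-
       posed /usr/local/bin/sh.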

       This  jacket  trusts  that the op configuration won't allow a malicious
       shell command in the regular expression list.  Since those lists  could
       be  writable  by  others  than the superuser, you should take care to
       audit and protect them.

       Manifest should check the permissions of  the  manifest  file,  but  we
       really don't know what they should be.

       We  do  not  check  the options to the command.  It is possible to code
       another helmet for that purpose.  More often a fixed parameter list  is
       provided to each listed script (or shell).

       K S Braunsdorf, from the Non-Player Character Guild
       op at-not-a-spammer ksb dot

       op(1l), op-jacket(7l), stampctl(8l), getpeereid(3), perl(1), shells(5)

                                     LOCAL                         MANIFEST(7)