GNU Dico Manual

4.3.5 Access Control Lists

Access control lists, or ACLs for short, are lists of permissions that can be applied to certain dicod objects. They can be used to control who can connect to the dictionary server and what resources are offered to whom.

An ACL is defined using the acl block statement:

acl name {
  definitions
}

The parameter name specifies a unique name for that ACL. This name is used by other configuration statements to refer to the ACL (see Security Settings and Database Visibility).

The part between the curly braces (denoted by definitions above) is a list of access statements. There are two types of such statements:

ACL: allow user-group sub-acl host-list

Allow access to resource.

ACL: deny user-group sub-acl host-list

Deny access to resource.

All parts of an access statement are optional, but at least one of them must be present.

The user-group part specifies which users match this entry. Allowed values are the following:

all

All users.

authenticated

Only authenticated users.

group group-list

Authenticated users which are members of at least one of the groups listed in group-list.

The sub-acl part, if present, branches to another ACL. The syntax of this group is:

acl name

where name is the name of a previously defined ACL.

Finally, the host-list group matches client addresses. It consists of the from keyword followed by a list of address specifiers. Allowed address specifiers are:

any

Matches any client address.

addr

Matches if the client IP address equals addr. The latter may be given either as an IP address or as a host name, in which case the name is resolved and only the first of the resulting IP addresses is used. A multi-homed host therefore matches on one address only; use literal addresses where that matters.

addr/netlen

Matches if the first netlen bits of the client IP address equal the first netlen bits of addr. The network mask length netlen must be an integer in the range 0 to 32 for IPv4 and 0 to 128 for IPv6. The address part addr is as described above.

addr/netmask

The specifier matches if the bitwise AND of the client IP address and netmask equals addr. The network mask must be written in IP address notation (IPv4 or IPv6), in the same address family as addr.

filename

Matches if the connection was received over the UNIX domain socket filename, which must be given as an absolute file name.

To summarize, the syntax of an access statement is:

allow|deny [all|authenticated|group group-list]
           [acl name] [from addr-list]

where square brackets denote optional parts and vertical bar means ‘one of’.

When an ACL is applied to a particular object, its entries are tried in order until one of them matches or the end of the list is reached. If an entry matches, its verb, allow or deny, is the result of the ACL check. If the end of the list is reached without a match, the result is ‘allow’, unless explicitly specified otherwise. An ACL that is meant to admit only the clients it lists must therefore end with an explicit deny all; otherwise every client that matches none of its entries is admitted.

For example, the following statement defines an ACL named ‘common’ that allows access to any user connected via the local UNIX socket /tmp/dicod.sock or coming from the local network ‘192.168.10.0/24’. Authenticated users are allowed provided that they are also allowed by the ACL ‘my-nets’ (which must have been defined before this definition). Users coming from the network ‘10.10.0.0/24’ are allowed if they authenticate and are members of the group ‘dicod’ or ‘users’. Anybody else is denied access:

acl common {
    allow all from ("/tmp/dicod.sock", "192.168.10.0/24");
    allow authenticated acl "my-nets";
    allow group ("dicod", "users") from "10.10.0.0/24";
    deny all;
}
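The matching rules above (first match wins, a sub-ACL must itself allow, reaching the end of the list allows) are easy to misjudge in an ACL that mixes allow and deny entries. The following Python model of those rules is an added example and not code from GNU Dico. It evaluates the ‘common’ ACL from the example against constructed client records, and also a variant without the trailing deny all to show that such an ACL admits everybody it does not explicitly deny. The contents of ‘my-nets’ (allow from 172.16.0.0/12, deny everything else) are assumed, since the manual does not define it, and host names in address specifiers are not resolved here.

```python
"""Model of the dicod ACL matching rules described above (added example,
not code from GNU Dico). Client records and ACL contents are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Client:
    addr: Optional[str] = None          # literal IP; None for a UNIX-socket client
    socket_path: Optional[str] = None   # absolute path of the UNIX socket, if any
    authenticated: bool = False
    groups: tuple = ()

@dataclass
class Entry:
    verb: str                           # "allow" or "deny"
    user: Optional[str] = None          # None, "all", "authenticated" or "group"
    groups: tuple = ()                  # group-list, used when user == "group"
    sub_acl: Optional[str] = None       # name of a previously defined ACL
    hosts: tuple = ()                   # address specifiers after "from"

    def __post_init__(self):
        if self.user is None and self.sub_acl is None and not self.hosts:
            raise ValueError("access statement needs at least one part")

ACLS: dict = {}

def define(name, entries):
    """Register an ACL; a sub-acl must already be defined, as the manual requires."""
    for e in entries:
        if e.sub_acl is not None and e.sub_acl not in ACLS:
            raise ValueError(f"acl {e.sub_acl!r} referenced before definition")
    ACLS[name] = list(entries)

def allow(user=None, groups=(), acl=None, hosts=()):
    return Entry("allow", user, groups, acl, hosts)

def deny(user=None, groups=(), acl=None, hosts=()):
    return Entry("deny", user, groups, acl, hosts)

def user_matches(entry, client):
    if entry.user in (None, "all"):
        return True
    if entry.user == "authenticated":
        return client.authenticated
    if entry.user == "group":           # group membership implies authentication
        return client.authenticated and any(g in entry.groups for g in client.groups)
    raise ValueError(f"unknown user-group {entry.user!r}")

def host_matches(spec, client):
    """One address specifier: any, filename, addr, addr/netlen or addr/netmask.
    Simplification: host names are not resolved, only literal IPs are accepted."""
    if spec == "any":
        return True
    if spec.startswith("/"):            # absolute file name: UNIX socket
        return client.socket_path == spec
    if client.addr is None:
        return False
    ip = ipaddress.ip_address(client.addr)
    if "/" not in spec:
        return ip == ipaddress.ip_address(spec)
    base_str, mask_str = spec.split("/", 1)
    base = ipaddress.ip_address(base_str)
    if base.version != ip.version:      # an IPv4 specifier never matches an IPv6 client
        return False
    if mask_str.isdigit():              # addr/netlen: compare the first netlen bits
        return ip in ipaddress.ip_network(f"{base}/{mask_str}", strict=False)
    mask = ipaddress.ip_address(mask_str)   # addr/netmask: (client & mask) == addr
    if mask.version != base.version:
        raise ValueError(f"address family mismatch in {spec!r}")
    return int(ip) & int(mask) == int(base)

def check(acl_name, client):
    """First matching entry decides; reaching the end of the list allows."""
    for e in ACLS[acl_name]:
        if not user_matches(e, client):
            continue
        if e.sub_acl is not None and check(e.sub_acl, client) != "allow":
            continue
        if e.hosts and not any(host_matches(h, client) for h in e.hosts):
            continue
        return e.verb
    return "allow"

# Constructed: the 'my-nets' ACL the manual's example assumes is defined earlier.
define("my-nets", [allow(hosts=("172.16.0.0/12",)), deny("all")])
# The 'common' ACL from the manual's example.
define("common", [
    allow("all", hosts=("/tmp/dicod.sock", "192.168.10.0/24")),
    allow("authenticated", acl="my-nets"),
    allow("group", groups=("dicod", "users"), hosts=("10.10.0.0/24",)),
    deny("all"),
])
# The same ACL without the final "deny all": unmatched clients fall off the end.
define("common-open", ACLS["common"][:-1])

if __name__ == "__main__":
    print(check("common", Client(addr="203.0.113.5")))       # deny
    print(check("common-open", Client(addr="203.0.113.5")))  # allow
```

An authenticated member of ‘users’ connecting from 10.10.0.9 is allowed by the third entry, not the second: ‘my-nets’ denies that network, so the second entry does not match and evaluation continues. Dropping the final deny all turns every client that matches no entry, including an unauthenticated one from an arbitrary address, into an allow.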

See Security Settings, for information on how to control daemon security settings.

See Database Visibility, for a detailed description on how to use ACLs to control access to databases.
