shithub: sirjofri_de

ref: a8046b955aa0a6bad91b212f2c269e2e012eb113
parent: 2cc852c2e63a2c75556a2cdc3816926ebee59098
author: sirjofri <sirjofri@sirjofri.de>
date: Wed Jul 29 04:43:21 EDT 2020

new blog post: restricted cpu access

--- a/changeblog.ht
+++ b/changeblog.ht
@@ -5,6 +5,7 @@
 <a href="changeblog.pdf">Download pdf</a><br>
 <a href="/changeblog.xml">Feed</a><br>
 <ul>
+<li><a href="/changeblog/1596011563/">Wed, 29 Jul 2020 10:32:43 +0200: Restrict RCPU User Access to Groups</a></li>
 <li><a href="/changeblog/1594885496/">Thu, 16 Jul 2020 09:44:56 +0200: lib/profile quick hack</a></li>
 <li><a href="/changeblog/1594881674/">Thu, 16 Jul 2020 08:41:14 +0200: Mail Server Configuration</a></li>
 <li><a href="/changeblog/1593621046/">Wed, 01 Jul 2020 18:30:46 +0200: Guided Replica</a></li>
--- /dev/null
+++ b/changeblog/1596011563.ht
@@ -1,0 +1,99 @@
+<article>
+<header>
+<h2>Restrict RCPU User Access to Groups</h2>
+<b>Wed, 29 Jul 2020 10:32:43 +0200</b>
+</header>
+<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="line-height: 1.4em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: center;">
+<span style="font-size: 12pt"><b>Restrict RCPU User Access to Groups</b></span></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.42in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+<p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is how to restrict user access to groups.
+You can use this to enable
+</span><span style="font-size: 10pt"><tt>rcpu</tt></span><span style="font-size: 10pt">
+access for all users of a specific group.
+All other groups will not be allowed.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">To allow access only to
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+group members: adjust your
+</span><span style="font-size: 10pt"><tt>/rc/bin/service/tcp17019</tt></span><span style="font-size: 10pt">
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>#!/bin/rc
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>userfile=/adm/users
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn useringroup{
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    grep $1 $userfile | {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        found=0
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        while(~ $found 0 &amp;&amp; line=&lsquo;:{read}){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            if(~ $line(2) $2){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>                found=1
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if(~ $found 1)
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if not
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;not found&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>if(~ $#* 3){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    netdir=$3
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    remote=$2!&lsquo;{cat $3/remote}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn server {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    ~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    rm -f /env/&rsquo;fn#server&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    . &lt;{n=&lsquo;{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>exec tlssrv -a /bin/rc -c &rsquo;useringroup $user sys &amp;&amp; server&rsquo;
+</tt></span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This checks if the user is in group
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+and only then calls the
+</span><span style="font-size: 10pt"><tt>server</tt></span><span style="font-size: 10pt">
+function.
+Otherwise the connection is terminated.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is especially useful if you want a CPU server to expose filesystems
+</span><span style="font-size: 10pt"><i>and</i></span><span style="font-size: 10pt">
+have cpu access for administrators only.
+</span></p><p style="margin-top: 0; margin-bottom: 0.50in"></p>
+
+</article>
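Review bot: the rendered script no longer contains rc's quoting characters. The backquotes in "line=&lsquo;:{read}" and "remote=$2!&lsquo;{cat $3/remote}" and the single quotes in "status=&rsquo;&rsquo;", "/env/&rsquo;fn#server&rsquo;" and the tlssrv line are emitted as typographic quote entities, while the .ms source in this same commit has the ASCII ` and '. Anyone who copies the service script from the page gets a file that rc will not parse as written, and this is the file that gates rcpu access. The HTML conversion should pass the code lines through with literal ASCII quotes.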
--- /dev/null
+++ b/changeblog/1596011563.ms
@@ -1,0 +1,78 @@
+.HTML Restrict RCPU User Access to Groups
+.TL
+Restrict RCPU User Access to Groups
+.LP
+This is how to restrict user access to groups.
+You can use this to enable
+.CW rcpu
+access for all users of a specific group.
+All other groups will not be allowed.
+.LP
+To allow access only to
+.CW sys
+group members: adjust your
+.CW /rc/bin/service/tcp17019
+.IP
+.CW
+#!/bin/rc
+.br
+userfile=/adm/users
+.br
+fn useringroup{
+.br
+	grep $1 $userfile | {
+.br
+		found=0
+.br
+		while(~ $found 0 && line=`:{read}){
+.br
+			if(~ $line(2) $2){
+.br
+				found=1
+.br
+			}
+.br
+		}
+.br
+		if(~ $found 1)
+.br
+			status=''
+.br
+		if not
+.br
+			status='not found'
+.br
+	}
+.br
+}
+.br
+if(~ $#* 3){
+.br
+	netdir=$3
+.br
+	remote=$2!`{cat $3/remote}
+.br
+}
+.br
+fn server {
+.br
+	~ $#remote 0 || echo -n $netdir $remote >/proc/$pid/args
+.br
+	rm -f /env/'fn#server'
+.br
+	. <{n=`{read} && ! ~ $#n 0 && read -c $n} >[2=1]
+.br
+}
+.br
+exec tlssrv -a /bin/rc -c 'useringroup $user sys && server'
+.LP
+This checks if the user is in group
+.CW sys
+and only then calls the
+.CW server
+function.
+Otherwise the connection is terminated.
+.LP
+This is especially useful if you want a CPU server to expose filesystems
+.I and
+have cpu access for administrators only.
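Review bot: the membership test in useringroup is a substring match rather than an exact one. "grep $1 $userfile" keeps every line that contains the user name anywhere (and treats the name as a regular expression), and the loop then only checks that the second field of such a line is the group, "~ $line(2) $2". Assuming the usual id:name:leader:members layout of /adm/users, a name that merely occurs inside the sys line (as part of the group name, the leader, or a longer member name) passes the check without being a member. Select the group's line by its name field and compare $1 against the individual entries of the members field, split on commas, with an exact "~" match. A short comment above the function stating the expected file layout would also help the next reader.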
--- a/pub/changeblog.xml
+++ b/pub/changeblog.xml
@@ -8,8 +8,109 @@
 <rights>© Copyright 2020 sirjofri</rights>
 <id>https://sirjofri.de/</id>
 <title>changeblog</title>
-<updated>2020-07-16T23:02:55+02:00</updated>
+<updated>2020-07-29T10:41:35+02:00</updated>
 <entry>
+	<title>Restrict RCPU User Access to Groups</title>
+	<id>https://sirjofri.de/changeblog/1596011563/</id>
+	<link href="https://sirjofri.de/changeblog/1596011563/"/>
+	<updated>2020-07-29T10:32:43+02:00</updated>
+	<content type="html"><![CDATA[<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="line-height: 1.4em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: center;">
+<span style="font-size: 12pt"><b>Restrict RCPU User Access to Groups</b></span></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.42in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+<p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is how to restrict user access to groups.
+You can use this to enable
+</span><span style="font-size: 10pt"><tt>rcpu</tt></span><span style="font-size: 10pt">
+access for all users of a specific group.
+All other groups will not be allowed.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">To allow access only to
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+group members: adjust your
+</span><span style="font-size: 10pt"><tt>/rc/bin/service/tcp17019</tt></span><span style="font-size: 10pt">
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>#!/bin/rc
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>userfile=/adm/users
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn useringroup{
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    grep $1 $userfile | {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        found=0
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        while(~ $found 0 &amp;&amp; line=&lsquo;:{read}){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            if(~ $line(2) $2){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>                found=1
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if(~ $found 1)
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if not
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;not found&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>if(~ $#* 3){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    netdir=$3
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    remote=$2!&lsquo;{cat $3/remote}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn server {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    ~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    rm -f /env/&rsquo;fn#server&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    . &lt;{n=&lsquo;{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>exec tlssrv -a /bin/rc -c &rsquo;useringroup $user sys &amp;&amp; server&rsquo;
+</tt></span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This checks if the user is in group
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+and only then calls the
+</span><span style="font-size: 10pt"><tt>server</tt></span><span style="font-size: 10pt">
+function.
+Otherwise the connection is terminated.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is especially useful if you want a CPU server to expose filesystems
+</span><span style="font-size: 10pt"><i>and</i></span><span style="font-size: 10pt">
+have cpu access for administrators only.
+</span></p><p style="margin-top: 0; margin-bottom: 0.50in"></p>
+
+]]></content>
+</entry>
+
+<entry>
 	<title>lib/profile quick hack</title>
 	<id>https://sirjofri.de/changeblog/1594885496/</id>
 	<link href="https://sirjofri.de/changeblog/1594885496/"/>
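Review bot: the new entry's content starts with a run of empty spacer paragraphs (for example "<p style="margin-top: 0; margin-bottom: 0.50in"></p>") and repeats the title in a centered bold span, although the entry already carries its own <title>. This is print-layout residue from the conversion; feed readers will show it as blank space and a duplicated heading. Consider stripping the spacers and the title paragraph from the feed output.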
@@ -242,7 +343,7 @@
 <span style="font-size: 10pt">Links:
 </span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
 <p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
-<span style="font-size: 10pt">→  https://fqa.9front.org/fqa7.html#7.7
+<span style="font-size: 10pt">&rarr;  https://fqa.9front.org/fqa7.html#7.7
 </span></p><p style="margin-top: 0; margin-bottom: 0.50in"></p>
 
 ]]></content>
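Review bot: the change from a literal → to &rarr; sits in the Links paragraph of existing feed content, which the commit message ("new blog post: restricted cpu access") does not cover. If it is a side effect of regenerating the feed, mention that in the message or commit it separately. Since the line is inside a CDATA section, the entity is only resolved by consumers that parse the content as HTML, so the literal character was the safer of the two forms.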
--- /dev/null
+++ b/pub/changeblog/1596011563/index.html
@@ -1,0 +1,136 @@
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>sirjofri • changeblog/1596011563</title>
+<style type="text/css">
+body {
+	font-family: sans-serif;
+	max-width: 960px;
+	margin: auto;
+	padding: 10px;
+}
+</style>
+</head>
+<body>
+<header>
+<h1>changeblog/1596011563</h1>
+<nav>
+<a href="/">start</a> •
+<a href="/changeblog/">changeblog</a> •
+<a href="/files/">files</a> •
+<a href="/imprint/">imprint</a>
+</nav>
+</header>
+<main>
+<article>
+<header>
+<h2>Restrict RCPU User Access to Groups</h2>
+<b>Wed, 29 Jul 2020 10:32:43 +0200</b>
+</header>
+<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="line-height: 1.4em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: center;">
+<span style="font-size: 12pt"><b>Restrict RCPU User Access to Groups</b></span></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+
+<p style="margin-top: 0; margin-bottom: 0.42in"></p>
+<p style="margin-top: 0; margin-bottom: 0.21in"></p>
+<p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="margin-top: 0; margin-bottom: 0.50in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is how to restrict user access to groups.
+You can use this to enable
+</span><span style="font-size: 10pt"><tt>rcpu</tt></span><span style="font-size: 10pt">
+access for all users of a specific group.
+All other groups will not be allowed.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">To allow access only to
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+group members: adjust your
+</span><span style="font-size: 10pt"><tt>/rc/bin/service/tcp17019</tt></span><span style="font-size: 10pt">
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>#!/bin/rc
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>userfile=/adm/users
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn useringroup{
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    grep $1 $userfile | {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        found=0
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        while(~ $found 0 &amp;&amp; line=&lsquo;:{read}){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            if(~ $line(2) $2){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>                found=1
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if(~ $found 1)
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>        if not
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>            status=&rsquo;not found&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    }
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>if(~ $#* 3){
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    netdir=$3
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    remote=$2!&lsquo;{cat $3/remote}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>fn server {
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    ~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    rm -f /env/&rsquo;fn#server&rsquo;
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>    . &lt;{n=&lsquo;{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>}
+</tt></span></p><p style="line-height: 1.2em; margin-left: 1.35in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt"><tt>exec tlssrv -a /bin/rc -c &rsquo;useringroup $user sys &amp;&amp; server&rsquo;
+</tt></span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This checks if the user is in group
+</span><span style="font-size: 10pt"><tt>sys</tt></span><span style="font-size: 10pt">
+and only then calls the
+</span><span style="font-size: 10pt"><tt>server</tt></span><span style="font-size: 10pt">
+function.
+Otherwise the connection is terminated.
+</span></p><p style="margin-top: 0; margin-bottom: 0.05in"></p>
+<p style="line-height: 1.2em; margin-left: 1.00in; text-indent: 0.00in; margin-right: 1.00in; margin-top: 0; margin-bottom: 0; text-align: justify;">
+<span style="font-size: 10pt">This is especially useful if you want a CPU server to expose filesystems
+</span><span style="font-size: 10pt"><i>and</i></span><span style="font-size: 10pt">
+have cpu access for administrators only.
+</span></p><p style="margin-top: 0; margin-bottom: 0.50in"></p>
+
+</article>
+</main>
+<hr>
+<footer>
+<a href="/">start</a> •
+<a href="/changeblog/">changeblog</a> •
+<a href="/imprint/">imprint (german)</a>
+<br>
+© Copyright 2020 sirjofri
+</footer>
+</body>
+</html>
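Review bot: "<title>sirjofri • changeblog/1596011563</title>" and the <h1> identify the page only by its timestamp id, while the post title appears twice further down, once in the <h2> and once in the centered bold span. Use the post title in <title> (it is what shows up in tabs, bookmarks and search results) and drop one of the two in-body copies.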
binary files a/pub/changeblog/changeblog.pdf b/pub/changeblog/changeblog.pdf differ
--- a/pub/changeblog/index.html
+++ b/pub/changeblog/index.html
@@ -31,6 +31,7 @@
 <a href="changeblog.pdf">Download pdf</a><br>
 <a href="/changeblog.xml">Feed</a><br>
 <ul>
+<li><a href="/changeblog/1596011563/">Wed, 29 Jul 2020 10:32:43 +0200: Restrict RCPU User Access to Groups</a></li>
 <li><a href="/changeblog/1594885496/">Thu, 16 Jul 2020 09:44:56 +0200: lib/profile quick hack</a></li>
 <li><a href="/changeblog/1594881674/">Thu, 16 Jul 2020 08:41:14 +0200: Mail Server Configuration</a></li>
 <li><a href="/changeblog/1593621046/">Wed, 01 Jul 2020 18:30:46 +0200: Guided Replica</a></li>