Date: Fri, 2 Nov 2001 03:19:30 -0500
From: Jim Knoble
To: drt@un.bewaff.net
Subject: didentd-0.2: using 'envdir' from daemontools, etc.

Hi.

Thanks for didentd; it's just what i've been looking for. I've got a few
things to contribute, if you'd like them:

(1) I've modified the 'run' scripts generated by
    didentd(-name|-static)?-conf to use the 'envdir' daemontools command
    instead of putting the environment variables in the script. It ends
    up making things easier to admin. /var/service/didentd/run ends up
    looking like this:

        #!/bin/sh
        exec 2>&1
        exec envdir ./env sh -c '
            exec envuidgid "${USER}" \
                softlimit -d "${DATALIMIT}" \
                tcpserver -RPHv "${IP}" "${PORT}" /usr/sbin/didentd
        '

    /var/service/didentd/env is mode 0700, and it contains this:

        -rw-r--r--  1 root  root   7 Oct 18 18:58 DATALIMIT
        -rw-r--r--  1 root  root   8 Oct 18 18:58 IP
        -rw-r--r--  1 root  root  64 Nov  2 01:59 KEY
        -rw-r--r--  1 root  root   6 Oct 18 18:58 PORT
        -rw-r--r--  1 root  root  30 Oct 18 18:58 ROOT
        -rw-r--r--  1 root  root   7 Oct 18 18:58 USER

        -------- DATALIMIT --------
        250000
        -------- IP --------
        0.0.0.0
        -------- KEY --------

        -------- PORT --------
        ident
        -------- ROOT --------
        /var/service/didentd/root
        -------- USER --------
        identd

    The 'run' scripts for didentd-name and didentd-static end up looking
    similar. If you like, i can either (a) send you the shell wrapper
    around didentd-conf that does this, or (b) try to patch didentd-conf
    and send you that.

(2) I've put together two companion scripts to make my life easier:

    - didentd-keygen: Generates a KEY file for didentd with near-crypto
      quality that won't confuse envdir. It's very simple:

          #!/bin/sh
          openssl rand 64 | tr -d ' \t\n\0'

      It gets rid of spaces and tabs because envdir trims whitespace at
      the end of a value. Gets rid of newlines because envdir only uses
      the first line of the file. Gets rid of nulls because envdir
      translates them to newlines, which is different from what happens
      with cat. Uses 64 bytes of random, even though the key is only 32,
      to allow for up to 32 characters deleted by tr.

    - didentd-decode: Wrapper around didentd-decrypt which automagically
      reads the key from /var/service/didentd/env/KEY; also allows
      specification of ident tokens on command line. Also rather simple:

          #!/bin/sh
          if [ $# -gt 0 ]; then
              for i in "$@"; do
                  echo "${i}"
              done
          else
              cat
          fi \
          | KEY=`cat "/var/service/didentd/env/KEY"` \
            "/usr/sbin/didentd-decrypt"

      No more fumbling around with the backquote key, or forgetting that
      didentd-decrypt takes KEY as an envariable instead of stdin.

If you like this stuff, feel free to use/include it.

Thanks again.

-- 
jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
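The didentd-keygen script above deletes unwanted bytes from raw random output after the fact, so the result has a variable length and still contains arbitrary binary. The script below is an added example, not from Jim Knoble's mail and not part of didentd: it restricts the alphabet before taking 32 characters, so nothing can be trimmed or translated later, and it checks the written file against a model of envdir's reading rules as the mail describes them (first line only, trailing spaces and tabs trimmed, NULs turned into newlines). That model is an assumption of this example, not code from the daemontools source, and the example assumes didentd treats KEY as an opaque 32-character string, which the mail's remark about the key length suggests but does not state. The function names (gen_key, envdir_read, check_key, demo_trim) and the directory passed to them are this example's own.

```sh
#!/bin/sh
# Added example; not part of Jim Knoble's mail or of didentd itself.
#
# gen_key     - produce a 32-character KEY made only of characters that
#               envdir passes through unchanged (no spaces, tabs, newlines
#               or NULs), so nothing is trimmed or translated afterwards.
# envdir_read - a model of how envdir reads a file, following the rules the
#               mail describes: first line only, trailing spaces and tabs
#               trimmed, NUL bytes turned into newlines. Assumed here as a
#               model; not taken from the daemontools source.
# check_key   - write a fresh KEY into an envdir directory and confirm that
#               what envdir would see is exactly what was written.
# demo_trim   - show the trimming the mail warns about on a padded value.

gen_key() {
    # Keep only alphanumerics from /dev/urandom and take the first 32.
    # Each character carries about 5.95 bits, so 32 of them is ~190 bits.
    # LC_ALL=C keeps tr from rejecting bytes that are not valid UTF-8.
    # dd bs=1 reads one byte at a time, so a pipe cannot short-change it.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null
}

envdir_read() {
    tab=$(printf '\t')
    tr '\0' '\n' < "$1" | head -n 1 | sed "s/[ $tab]*\$//"
}

check_key() {
    dir=$1
    if [ -e "$dir/KEY" ]; then
        echo "refusing to overwrite existing $dir/KEY" >&2
        return 2
    fi
    mkdir -p "$dir"
    key=$(gen_key)
    # A trailing newline is harmless: envdir only reads the first line.
    printf '%s\n' "$key" > "$dir/KEY"
    chmod 600 "$dir/KEY"
    seen=$(envdir_read "$dir/KEY")
    [ ${#key} -eq 32 ] && [ "$seen" = "$key" ]
}

demo_trim() {
    dir=$1
    mkdir -p "$dir"
    # "abc" followed by a space, a tab and a newline; envdir would see "abc".
    printf 'abc \t\n' > "$dir/PADDED"
    envdir_read "$dir/PADDED"
}
```

Run check_key against a scratch directory first (it refuses to overwrite an existing KEY, so pointing it at a live envdir directory will not replace a key by accident); demo_trim prints "abc" for a value written with trailing space and tab, which is the silent shortening the mail's tr invocation is guarding against.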