commands – protected overview

In order to ensure that job commands and urls, are not run as powerful users—e.g. root—or on sensitive servers—e.g. firewalls, servers containing customer data, etc…—such users and hosts can be defined as protected. When protected, only users and roles that have explicit host acl permission, can define jobs that run as a protected user on a protected host.

What is explicit permission?

Explicit permission means that the user and/or host name in the host acl pattern, must be an exact match and not simply a glob or regex match.

Glob/regex match only

Whilst the user root matches the host acls {root,nobody}@* and ro*@*, such matches are not explict.

Explicit match

Whereas the user root explicitly matches the host acl root@*.

Commands

Defaults

By default localhost & 127.0.0.1 and root are protected hosts and users respectively.

The user executing bc-server (typically bc-daemon) is also unconditionally added as a protected user, unless bc-server was installed outside of /opt/beyondcron, and is being executed by the same user that owns bc-server.

See also