Annotation of fam/man/fam.1m.in, Revision 1.1.1.1
1.1 trev 1: .\"## fam.1m.in
2: .\"##
3: .\"## When configure.in generates fam.1m, lines starting with .\"##
4: .\"## should be removed; when building on IRIX, lines starting with
5: .\"## .\"IRIX should have that part removed (uncommenting the rest
6: .\"## of the line).
7: .\"##
8: .\"## In retrospect, I'm not sure this was better than maintaining two
9: .\"## separate files.
10: .\"##
11: .nr X
12: .if \nX=0 .ds x} fam 1M "Silicon Graphics" "\&"
13: .TH \*(x}
14: .SH NAME
15: fam \- file alteration monitor
16: .SH SYNOPSIS
17: .nf
18: \f3/usr/etc/fam\f1 [ \f3\-f\f1 | \f3\-v\f1 | \f3\-d\f1 ] [ \f3\-l\f1 | \c
19: \f3\-t\f1 \f2NFS_polling_interval\f1 ]
20: [ \f3\-T\f1 \f2idle_timeout\f1 ] [ \f3\-p\f1 \c
21: \f2program\f3.\f2version\f1 ] [ \f3\-L\f1 ] [ \f3-C\f1 ]
22: [ \f3-c\f1 \f2config_file\f1 ]
23: .fi
24: .SH DESCRIPTION
25: \f2fam\f1 is a server that tracks changes to the filesystem and
26: relays these changes to interested applications.
27: Applications such as
28: \f2fm\f1(1G) and \f2mailbox\f1(1) present an up-to-date view of the filesystem.
29: In the absence of \f2fam\f1, these applications and others like them
30: are forced to poll the filesystem to detect changes.
31: \f2fam\f1 is
32: more efficient.
33: .P
34: Applications can request \f2fam\f1 to monitor any files or directories in
35: any filesystem.
36: When \f2fam\f1 detects changes to monitored files, it notifies
37: the appropriate application.
38: The FAM API provides a programmatic interface to \f2fam\f1; see
39: .IR fam (3X).
40: .P
41: \f2fam\f1 is informed of filesystem changes as they happen by the
42: kernel through the \f2imon\f1(7M) pseudo device driver.
43: If asked to
44: monitor files on an NFS mounted filesystem, \f2fam\f1 tries to use
45: \f2fam\f1 on the NFS server to monitor files.
46: If \f2fam\f1 cannot
47: contact a remote \f2fam\f1, it polls the files instead.
48: \f2fam\f1 also polls special files.
49: .P
50: Normally, \f2fam\f1 is started by \f2inetd\f1(1M).
51: It is registered with
52: \f2portmap\f1(1M) as performing the sgi_fam service.
53: .SH OPTIONS
54: .TP 26
55: \f3\-l\f1
56: Disable polling of NFS
57: files.
58: It does not disable use of remote \f2fam\f1 on NFS servers,
59: nor does it disable polling of local files.
60: .TP
61: \f3\-t\f1 \f2NFS_polling_interval\f1
62: Set the interval for polling files to \f2NFS_polling_interval\f1 seconds.
63: The default
64: is six seconds.
65: .TP
66: \f3\-T\f1 \f2idle_timeout\f1
67: Set the idle timeout interval to \f2idle_timeout\f1.
68: fam exits \f2idle_timeout\f1 seconds after its
69: last client disconnects.
70: A value of 0 causes fam to wait indefinitely for new connections.
71: The default is five seconds.
72: .TP
73: \f3\-f\f1
74: Remain in the foreground instead of spawning a child and exiting.
75: This option is ignored if \f2fam\f1 is started by \f2inetd\f1.
76: .TP
77: \f3\-v\f1
78: Turn on verbose messages.
79: .TP
80: \f3\-d\f1
81: Enable verbose messages and debug messages.
82: .TP
83: \f3\-p\f1 \f2program\f3.\f2version\f1
84: Use the specified RPC program and version numbers.
85: .TP
86: \f3\-L\f1
87: Local-only mode. \f2fam\f1 will only accept requests from clients running on the
88: local machine. This overrides the \f2local_only\f1 flag in the configuration
89: file. This option is ignored if \f2fam\f1 is started by \f2inetd\f1.
90: .TP
91: \f3\-C\f1
92: Compatibility mode. This disables authentication and reduces access security
93: as described under SECURITY below. This overrides the
94: \f2insecure_compatibility\f1 flag in the configuration file.
95: .TP
96: \f3\-c\f1 \f2config_file\f1
97: Read configuration information from the given file rather than the default,
98: which is \f2XXX_FAM_CONF\f1.
99: .SH "CONFIGURATION FILE"
100: In addition to its command-line options, \f2fam\f1's behavior can also be
101: controlled through its configuration file. By default, this is
102: \f2XXX_FAM_CONF\f1; the \f3\-c\f1 command-line option can be used to specify
103: an alternate file. Configuration lines are in the format \f2option=value\f1.
104: Lines beginning with \f2#\f1 or \f2!\f1 are ignored.
105: \f2fam\f1 recognizes the following options:
106: .TP 26
107: \f3insecure_compatibility\f1
108: If set to \f2true\f1, this disables authentication and reduces access security
109: as described under SECURITY below. This is \f2false\f1 by default. Setting
110: this option to \f2true\f1 is the same as using the \f3\-C\f1 command-line
111: option.
112: .TP
113: \f3untrusted_user\f1
114: This is the user name or UID of the user account which \f2fam\f1 will use for
115: unauthenticated clients. If a file can't be \f2stat\f1'ed by this user,
116: \f2fam\f1 will not tell unauthenticated clients about the file's existence.
117: If an untrusted user is not given in the configuration file, \f2fam\f1 will
118: write an error message to the system log and terminate.
119: .TP
120: \f3local_only\f1
121: If set to \f2true\f1, \f2fam\f1 will ignore requests from remote \f2fam\f1s.
122: This is \f2false\f1 by default. Setting this option to \f2true\f1 is the same
123: as using the \f3\-L\f1 command-line option. This option is ignored if
124: \f2fam\f1 is started by \f2inetd\f1.
125: .TP
126: \f3idle_timeout\f1
127: This is the time in seconds that fam will wait before exiting after its last
128: client disconnects. The default is five seconds. This option is overridden
129: by the \f3-T\f1 command-line option.
130: .TP
131: \f3nfs_polling_interval\f1
132: This is the interval in seconds between polling files over an NFS filesystem.
133: The default is six seconds. This option is overridden by the \f3-t\f1
134: command-line option.
135: .TP
136: \f3xtab_verification\f1
137: If set to \f2true\f1, \f2fam\f1 will check the list of exported filesystems
138: when remote requests are received to verify that the requests fall on
139: filesystems which are exported to the requesting hosts. This is
140: \f2true\f1 by default. If this option is set to \f2false\f1, \f2fam\f1 will
141: service remote requests without attempting to perform the verification. If
142: the \f2local_only\f1 configuration option or \f3-L\f1 command-line option is
143: used, \f2xtab_verification\f1 has no effect.
144: .\"##
145: .\"## This stuff is removed because the MAC and SAT stuff isn't implemented.
146: .\"## If you put this back, add sysconf(1) to the SEE ALSO section.
147: .\"##
148: .\"##.TP
149: .\"##\f3disable_mac\f1
150: .\"##If set to \f2true\f1, \f2fam\f1 will ignore its clients' MAC labels. By
151: .\"##default, \f2fam\f1 will use MAC labels if MAC and IP_SECOPTS are
152: .\"##\f2sysconf\f1'd on, and will ignore this option if the system doesn't support
153: .\"##MAC and TSIX. The only use for this option is to disable MAC-label-setting on
154: .\"##a system which supports it, which is probably undesirable.
155: .\"##.TP
156: .\"##\f3disable_audit\f1
157: .\"##If set to \f2true\f1, \f2fam\f1 will not log auditing information. By
158: .\"##default, \f2fam\f1 will use SAT (security audit trail) if _SC_AUDIT is
159: .\"##\f2sysconf\f1'd on, and will ignore this option if the system doesn't support
160: .\"##SAT. The only use for this option is to disable auditing on a system which
161: .\"##supports it, which is probably undesirable.
162: .\"##
163: .\"## End of stuff to remove
164: .\"##
165: .SH SECURITY
166: For backward compatibility, the \f3\-C\f1 command-line option and
167: \f2insecure_compatibility\f1 configuration option can be used to disable
168: authentication. Configuring \f2fam\f1 this way opens a publically known
169: security weakness whereby a "rogue client" can obtain the names of all the
170: files and directories on the system.
171: .\"IRIX .P
172: .\"IRIX You might want to configure \f2fam\f1 this way if you have a client
173: .\"IRIX program which is statically linked to an older version of libfam.a
174: .\"IRIX which does not perform authentication; see COMPATIBILITY below.
175: .P
176: \f2Note that fam never opens the files it's monitoring\f1, and cannot
177: be used by a rogue client to read the contents of any file on the system.
178: \f2fam\f1 only gives out the names of monitored files, and only monitors files
179: which the client can
180: .IR stat (1M).
181: Users can stat a file without having read permission on it as long as
182: they have search permission on the directory containing it.
183: .\"IRIX .SH COMPATIBILITY
184: .\"IRIX If you have an existing FAM client which isn't seeing files which
185: .\"IRIX you think it should be able to see, or which doesn't seem to be
186: .\"IRIX responding to file operations, try running \f2fam\f1 with the
187: .\"IRIX \f3-C\f1 flag and restarting the client. If that appears to fix the
188: .\"IRIX problem, the client is probably statically linked with a
189: .\"IRIX non-authenticating version of libfam. (libfam on IRIX prior to
190: .\"IRIX 6.5.8 does not perform authentication.)
191: .\"IRIX .P
192: .\"IRIX The best way to fix this is to recompile your program with a current
193: .\"IRIX version of libfam.
194: .\"##.\"IRIX (Unfortunately, you can't simply install a new
195: .\"##.\"IRIX DSO, because libfam on IRIX prior to 6.5.8 has been a static
196: .\"##.\"IRIX archive.)
197: .\"##.\"IRIX .P
198: .\"IRIX If recompiling isn't an option, and the client only monitors a few
199: .\"IRIX known files, you might add a user account named "fammable" (for
200: .\"IRIX example), add that account to a group which can
201: .\"IRIX .IR stat (1M)
202: .\"IRIX those files, and change the \f2untrusted_user\f1 option in the
203: .\"IRIX configuration file to make \f2fam\f1 use that account for requests
204: .\"IRIX from unauthenticated clients.
205: .SH FILES
206: XXX_FAM_CONF
207: .SH "SEE ALSO"
208: .\"IRIX fm(1G),
209: inetd(1M),
210: .\"IRIX mailbox(1),
211: portmap(1M),
212: fam(3X),
213: imon(7M),
214: stat(1M).
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>