Provided by: openafs-client_1.8.10-2.1ubuntu3.4_amd64

NAME

       bos_setrestricted - place a server in restricted mode

SYNOPSIS

       bos setrestricted -server <machine name> -mode (0 | 1)
           [-cell <cell name>] [-noauth] [-localauth] [-help]

DESCRIPTION

       The bos setrestricted command places the server in restricted mode. This mode increases the security of
       the bos server by removing access to a number of bos commands that are only used whilst configuring a
       system.

       When a server is in restricted mode, access to bos exec, bos uninstall, bos install, bos create, bos
       delete and bos prune is denied, and the use of bos getlog is limited.

CAUTIONS

       Once a server has been placed in restricted mode, it may not be opened up again using a remote command.
       That is, bos setrestricted has no method of placing the server in unrestricted mode. Once a server is
       restricted, it can only be opened up again by sending it a SIGFPE, which must be done as root on the
       local machine.

OPTIONS

       -server <machine name>
           Indicates the server machine to restrict.

       -mode <mode>
           Indicates whether to turn restricted mode off or on. Pass a 1 to turn restricted mode on, and pass a
           0 to turn restricted mode off. The latter will only work if the server is already running in
           unrestricted mode, and thus won't do anything immediately, but can be used to change the
           corresponding entry in BosConfig(5).

       -cell <cell name>
           Names the cell in which to run the command. Do not combine this argument with the -localauth flag.
           For more details, see bos(8).

       -noauth
           Assigns the unprivileged identity "anonymous" to the issuer. Do not combine this flag with the
           -localauth flag. For more details, see bos(8).

       -localauth
           Constructs a server ticket using a key from the local /etc/openafs/server/KeyFile file. The bos
           command interpreter presents the ticket to the BOS Server during mutual authentication. Do not
           combine this flag with the -cell or -noauth options. For more details, see bos(8).

       -help
           Prints the online help for this command. All other valid options are ignored.
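
       The -mode option above refers to a corresponding entry in BosConfig(5). The following script is an
       added example, not part of the OpenAFS man page or distribution: it reports that entry for a given
       BosConfig file so an audit can flag servers whose configuration leaves restricted mode off.
       Assumptions: the entry is a line of the form "restrictmode 0" or "restrictmode 1"; the function
       names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenAFS distribution): audit the restricted-mode
# entry of a BosConfig file.
# Assumption: the entry is a line "restrictmode 0" or "restrictmode 1".

# Print on | off | unset | invalid | unreadable for the file given as $1.
# If the entry appears more than once, the last occurrence is reported.
# Any value other than a bare 0 or 1 is reported as invalid for manual review.
restrictmode_state() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk '
        $1 == "restrictmode" {
            seen = 1
            if (NF == 2 && $2 == "1")      state = "on"
            else if (NF == 2 && $2 == "0") state = "off"
            else                           state = "invalid"
        }
        END { print (seen ? state : "unset") }
    ' "$1"
}

# Return 0 only when the file records restricted mode as on; otherwise
# print a finding to stderr and return 1.
audit_bosconfig() {
    state=$(restrictmode_state "$1")
    if [ "$state" = "on" ]; then
        return 0
    fi
    echo "FINDING: $1: restrictmode is $state" >&2
    return 1
}

# Constructed sample BosConfig contents (not taken from a real server).
sample_bosconfig() {
    cat <<'EOF'
restrictmode 0
restarttime 16 0 0 0 0
checkbintime 3 0 5 0 0
bnode simple ptserver 1
parm /usr/lib/openafs/ptserver
end
EOF
}

# Demo: audit the file passed as $1, or the constructed sample if none is given.
tmp=$(mktemp) && sample_bosconfig > "$tmp"
audit_bosconfig "${1:-$tmp}" || true
rm -f "$tmp"
```

       The script only reads the file; the state of a running server is reported by bos_getrestricted(8).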

PRIVILEGE REQUIRED

       The issuer must be listed in the /etc/openafs/server/UserList file on the machine named by the -server
       argument, or must be logged in as the local superuser "root" if the -localauth flag is included.

       As noted above, this command cannot be run against servers which are already in restricted mode.

SEE ALSO

       BosConfig(5), bos(8), bos_getrestricted(8)

COPYRIGHT

       Copyright 2009 Simon Wilkinson <simon@sxw.org.uk>

       This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was
       written by Simon Wilkinson for OpenAFS.

OpenAFS                                            2025-05-19                               BOS_SETRESTRICTED(8)