gomd-devel

Re: [gomd-devel] <DAEMON>: W.I.P: ACL-support status.


From: Matthias Rechenburg
Subject: Re: [gomd-devel] <DAEMON>: W.I.P: ACL-support status.
Date: Sat, 5 Jul 2003 12:27:20 +0200
User-agent: KMail/1.4.3

Ciao JP,

On Saturday 05 July 2003 02:56, Gian Paolo Ghilardi wrote:
> Hi all.
> As written above, I'm working on ACL stuff.

:)

>
> These are CVS notes about this new feature.
>
>
> CVS NOTES:
>
> (N) added a new class: aclCheck.h/aclCheck.cpp => its purpose is to provide a
> simple ACL support.
> (N) added a simple ACL config file: etc/acl.conf
> (N) all functions returning an info-value are now classified as std (no
> special permissions required) or special (special permissions required).
>
> IN aclCheck.h/aclCheck.cpp
> (N) this class creates an ACL map from a config file (default is
> "etc/acl.conf") and checks permissions.
> (+) added aclCheck(), aclCheck() #2, fillAclMap(),
> getAssociatedSecurityLevel(), convertMacros(), validatePermissions()
> functions.
>
> Some notes about how this class works:
> 1)CREATING THE OBJECT
> - the constructor gets the local ip and the file with the acl configuration.
> Then it calls the fillAclMap() function.
> - the fillAclMap() function opens the acl config file, parses it and stores a map
> with pairs <IP:SECURITY_LEVEL> (check etc/acl.conf for more info)
> 2)USING THE OBJECT
> - validatePermissions() is called, then it calls the getAssociatedSecurityLevel()
> function
> - getAssociatedSecurityLevel() function searches the ACL map for the
> security level associated to the provided ip.
> - now validatePermissions()
>   * returns false
>     => the ip is not allowed at all
>     => if the function to call requires special permissions and the IP has
> no such authorization
>   * returns true
>     => if the IP is allowed and requires a std function (no special
> permission required to run it)
>     => if the function to call requires special permissions and the IP has
> such authorization
>
> The idea is to activate this security stuff while processing a client's
> command, before calling a specific function by its ID (integer).

yep

>
> IN gomd.cpp
> (+) added a simple ACL test.
>      As in acl.conf the local node has full permissions, if you test gomd
> locally via telnet,
>      the program will print the value "0" on the shell (==ACL_FULL_CONTROL).
>      Please notice this value is related to the local node (even if the conn is
> from a remote node).
>
> IN etc/acl.conf
> (+) added ACL_FULL_CONTROL for local node
>
>
>
> As usual I'd like to see comments... ;)

sounds well thought out. If we can provide this security
option to the gomd-users, we should.

.... I just thought about it a bit and here is another idea about security:

Maybe we can run the gomd by xinetd!?
Then we can simply use the tcp-wrapper (hosts.allow, hosts.deny)
to filter the gomd access by IP addresses.
.... as usual just an idea, maybe worth testing (the mosstatd can
be run like this too)

anyways I like JP's idea too. good work :)))

>
> CU.

have a nice weekend, all of you,

Matt

btw: I will be out for the next week on business travel.
Expect a slower reply ;)


-- 
E-mail  :  address@hidden
www     : http://www.openmosixview.com
an openMosix-cluster management GUI

Experience, n.:
        Something you don't get until just after you need it.
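The aclCheck flow from the quoted notes (fillAclMap() building an <IP:SECURITY_LEVEL> map, getAssociatedSecurityLevel() looking the caller up, validatePermissions() deciding per std/special function), as an added C++ sketch that is not gomd's own aclCheck code; the acl.conf line syntax, the LOCAL_IP macro and every level value other than ACL_FULL_CONTROL == 0 are assumptions made for this example.

```cpp
#include <map>
#include <sstream>
#include <string>
// Only ACL_FULL_CONTROL == 0 comes from the mail; the other two levels are assumed.
enum SecurityLevel { ACL_FULL_CONTROL = 0, ACL_STD_ONLY = 1, ACL_DENIED = 2 };
// Constructed sample acl.conf: "IP:LEVEL" per line, '#' starts a comment, and the
// assumed LOCAL_IP macro stands in for what convertMacros() would expand.
const char* SAMPLE_ACL_CONF =
    "LOCAL_IP:0          # local node: full control\n"
    "192.168.1.20:1      # may call std functions only\n"
    "bogus line without a colon\n";
static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// fillAclMap(): parse the config into <IP, SECURITY_LEVEL>; malformed lines are skipped.
std::map<std::string, int> fillAclMap(const std::string& conf, const std::string& localIp) {
    std::map<std::string, int> acl;
    std::istringstream in(conf);
    std::string line;
    while (std::getline(in, line)) {
        size_t hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string ip = trim(line.substr(0, colon));
        if (ip == "LOCAL_IP") ip = localIp;
        std::istringstream lvl(line.substr(colon + 1));
        int level;
        if (ip.empty() || !(lvl >> level)) continue;
        acl[ip] = level;
    }
    return acl;
}
// getAssociatedSecurityLevel(): an IP without an entry is treated as denied, so a
// missing acl.conf line can never grant access by accident.
int getAssociatedSecurityLevel(const std::map<std::string, int>& acl, const std::string& ip) {
    std::map<std::string, int>::const_iterator it = acl.find(ip);
    return it == acl.end() ? ACL_DENIED : it->second;
}
// validatePermissions(): false if the IP is not allowed at all or the function needs
// special permissions the IP lacks; true for an allowed IP calling a std function.
bool validatePermissions(const std::map<std::string, int>& acl, const std::string& ip,
                         bool needsSpecial) {
    int level = getAssociatedSecurityLevel(acl, ip);
    if (level == ACL_DENIED) return false;
    return !needsSpecial || level == ACL_FULL_CONTROL;
}
```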