nathans wrote:
> [...]
> Introduces knowledge of each connection, and its security attrs
> (particularly uid and gid), in pmdaproc. This allows a suitably
> configured pmcd process (with user/group ACLs) and authenticated
> client connections to be able to retrieve sensitive information
> for the specific authenticated user and not others. Without ACL
> specification in pmcd.conf the behaviour is unchanged from today
> (i.e. pmdaproc always runs as root and can access everything).
How would this ACL look in practice? We certainly wouldn't want to
require a sysadmin to enumerate all userids in an ACL, just to have
pmdaproc be willing to setuid-or-equivalent-check for them for proc
file reading.
Perhaps we need only an option for pmdaproc that says
"show-own-processes-only": i.e., for authenticated pcp connections, use
the given uid for permission checks; for unauthenticated pcp
connections, show nothing. This would allow us to enable pmdaproc by
default. (Having a pmcd.conf level ACL can compose with this to
impose further restrictions.)
- FChE