
Re: [pcp] pcp updates: pmcd clients use "local:" as the default instead

To: Nathan Scott <nathans@xxxxxxxxxx>
Subject: Re: [pcp] pcp updates: pmcd clients use "local:" as the default instead of gethostname() or localhost
From: Dave Brolley <brolley@xxxxxxxxxx>
Date: Thu, 08 Aug 2013 10:41:06 -0400
Cc: PCP <pcp@xxxxxxxxxxx>
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <830357502.13114489.1375929033339.JavaMail.root@xxxxxxxxxx>
References: <51F81D2C.6090905@xxxxxxxxxx> <830357502.13114489.1375929033339.JavaMail.root@xxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130625 Thunderbird/17.0.7
On 08/07/2013 10:30 PM, Nathan Scott wrote:
Just coming back to the latest commits here & I'm seeing a few new
QA failures (looks like you're running "-g local" now?) - the test
qa/069 one is a bit worrying...

--- 069.out     2013-08-08 05:18:22.000000000 +1000
+++ 069.out.bad 2013-08-08 12:16:47.745059980 +1000
@@ -7,8 +7,12 @@ pmcd.numclients
      value 2
expect two access control errors:
-pminfo: Cannot connect to PMCD on host "LOCALHOST": No permission to perform 
requested operation
-pminfo: Cannot connect to PMCD on host "LOCALHOST": No permission to perform 
requested operation
+
+pmcd.numclients
+    value 1
+
+pmcd.numclients
+    value 1
expect two connection limit errors:
  pminfo: Cannot connect to PMCD on host "OTHERHOST1": PMCD connection limit 
for this host exceeded
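Review bot: the two removed "pminfo: Cannot connect to PMCD on host "LOCALHOST": No permission to perform requested operation" lines give way to successful pmcd.numclients fetches ("value 1"), so the two clients this test expects to be refused ("expect two access control errors:") are being served over the default "local:" connection; the fix belongs in the access-control check on the unix domain socket path, not in updating 069.out to accept this output.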


... so we appear to be no longer enforcing the host-based access control
for unix domain socket connections.  I think we need to do that, in the
same way we did for "-h localhost", but it's worth discussing more widely
as others may not think so (can we control local pmcd over-subscription
without this?).
I'm not surprised to see this. I recall asking on IRC whether we needed to do this, but the response was something along the lines that equivalent access control would somehow be provided via the authentication protocol. Perhaps I did not ask the question clearly enough at the time.

So, as a result, there has been no effort made to provide host-based access controls for the unix domain socket.

Digging into the code a bit, looks like we avoid having the same access
rules as apply to localhost because __pmSockAddrIsLoopBack returns false
for af_unix sockets.  Call chain there from pmcd to libpcp is:
__pmAccAddClient -> getClientIds -> __pmSockAddrIsLoopBack ... which is
gonna send us down a different path to the /* Map "localhost" to the real
IP addresses. */ path we would've travelled before.
This special handling of localhost has also been questioned in http://oss.sgi.com/bugzilla/show_bug.cgi?id=982, so we should keep this in mind when discussing this issue.

The name __pmSockAddrIsLoopBack() is pretty specific in what it claims to identify. Unless changing the name is still ok, we would probably need a new function to use in conjunction with it. Something like __pmAddrIsLocal(), although the term local seems to be becoming more and more overloaded.

Because we now use the __pm*() API to manipulate addresses using the __pmSockAddr type, with a little additional parsing, it should be relatively easy to support "local:[//][PATH]" and "unix:[//][PATH]" as host access specifiers in the same way as we support hostnames, inet and IPv6 addresses. These would also be covered by the '*' wildcard. We should probably also support some sort of specific wildcarding for these along the lines of "local:[//]*" and "local:[//]partial/path/*". The same would apply for "unix:".

Dave
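The two pieces discussed in this thread, as an added example that is not PCP's own code: a hypothetical addr_is_local() that treats an AF_UNIX peer like a loopback address (the check the thread says __pmSockAddrIsLoopBack does not make), and a parser and matcher for the proposed "local:[//][PATH]" / "unix:[//][PATH]" access specifiers with their "partial/path/*" wildcard. All function and enum names are assumptions, and the socket paths in the comments are constructed.

```c
/* Added example (not PCP code): hypothetical addr_is_local() treating an
 * AF_UNIX peer like loopback, plus a parser/matcher for the proposed
 * "local:[//][PATH]" and "unix:[//][PATH]" access specifiers. */
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Loopback IPv4/IPv6 or a unix domain socket: all should get the
 * "localhost" access rules (__pmSockAddrIsLoopBack misses AF_UNIX). */
int addr_is_local(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_UNIX)
        return 1;
    if (sa->sa_family == AF_INET)       /* 127.0.0.0/8 */
        return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr) >> 24) == 127;
    if (sa->sa_family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)sa)->sin6_addr);
    return 0;
}

enum spec_kind { SPEC_HOST, SPEC_LOCAL, SPEC_UNIX };

/* Split "local:[//]PATH" / "unix:[//]PATH"; anything else is a host spec.
 * *path gets the pattern after the scheme; "" or "*" means any socket. */
enum spec_kind parse_acc_spec(const char *spec, const char **path)
{
    enum spec_kind k = SPEC_HOST;
    if (strncmp(spec, "local:", 6) == 0) { k = SPEC_LOCAL; spec += 6; }
    else if (strncmp(spec, "unix:", 5) == 0) { k = SPEC_UNIX; spec += 5; }
    if (k != SPEC_HOST && strncmp(spec, "//", 2) == 0)
        spec += 2;                              /* optional "//" */
    *path = spec;
    return k;
}

/* 1 if spec covers a connecting unix socket path (e.g. the constructed
 * "/run/pcp/pmcd.socket").  A bare "*" host spec covers local sockets too. */
int acc_spec_allows_socket(const char *spec, const char *sockpath)
{
    const char *pat; size_t n;
    if (parse_acc_spec(spec, &pat) == SPEC_HOST)
        return strcmp(spec, "*") == 0;
    if (pat[0] == '\0' || strcmp(pat, "*") == 0)
        return 1;
    n = strlen(pat);
    if (pat[n - 1] == '*')                      /* "partial/path/*" prefix wildcard */
        return strncmp(pat, sockpath, n - 1) == 0;
    return strcmp(pat, sockpath) == 0;          /* exact path */
}
```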
