The following have been pushed to the brolley/dev branch of the pcpfans
repository. These changes implement PMCD host access control for unix
domain sockets. Details in the commit logs.
Dave
-------------------------------------------------
commit a022aceedcd0a236acbbe0537158a56f1ea4833e
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Fri Aug 23 15:11:11 2013 -0400

    More qa fallout from access control for unix:

commit b12fe840511b434ebef13afcd8aa50da612370d7
Merge: c89631e 48e373f
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Thu Aug 22 15:44:11 2013 -0400

    Merge remote-tracking branch 'origin/dev' into brolley/dev

commit c89631e3dcbbf49c30dc2425f060b7bb98f481a3
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Thu Aug 22 15:31:54 2013 -0400

    Implement host access checking for unix domain sockets.

    - Allow unix:[//][*] as the host pattern on a host access spec.
      This applies the given access controls to connections on the
      unix domain socket.
    - We allow an arbitrary number of initial '/' for consistency with
      parseProtocolSpec().
    - We allow an optional trailing '*' since this is a form of
      wildcard, given that it matches all unix domain socket
      paths.
    - The '*' wildcard now includes unix: (in addition to .* and :*)
    - local:[//][*] may also be specified and expands to the equivalent
      unix: spec plus 'localhost'.
    - The default [access] section of pmcd.conf is now

          [access]
          disallow ".*" : store;
          disallow ":*" : store;
          allow "local:*" : all;

      Note that the double quotes are necessary in order to prevent
      the ':' from being parsed as a separate token. We cannot use
      'disallow * : store' as was done previously since * and 'local:*'
      both include 'unix:' which causes a permissions clash.
    - qa updates for filtering the expected output are included here.
      The host access table now lists 'unix:' when present.

commit 289459fe4fc93d4860521cfe0b698f30c221b749
Merge: 6c0e198 39a1dd3
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Mon Aug 12 14:08:34 2013 -0400

    Merge remote-tracking branch 'origin/dev' into brolley/dev
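
Added example, not code from the PCP repository or from the commits above: a simplified C model of the host patterns described in commit c89631e, showing why '*' and 'local:*' overlap on unix: while ".*" and ":*" do not. The function names, the class flags, and the treatment of 'localhost' as disjoint from ".*" and ":*" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Peer classes a host pattern can cover (flag names are this example's own). */
enum { H_DOTSTAR = 1, H_COLONSTAR = 2, H_UNIX = 4, H_LOCALHOST = 8 };

/* Accept the tail of unix:[//][*] or local:[//][*]: any number of '/',
 * then an optional single '*', then end of string. */
static int tail_ok(const char *p)
{
    while (*p == '/') p++;
    if (*p == '*') p++;
    return *p == '\0';
}

/* Return the classes covered by a host pattern, or 0 if the pattern is
 * not one of the forms named in the commit message. */
unsigned host_classes(const char *spec)
{
    if (strcmp(spec, "*") == 0)  return H_DOTSTAR | H_COLONSTAR | H_UNIX;
    if (strcmp(spec, ".*") == 0) return H_DOTSTAR;
    if (strcmp(spec, ":*") == 0) return H_COLONSTAR;
    if (strncmp(spec, "unix:", 5) == 0 && tail_ok(spec + 5))
        return H_UNIX;
    if (strncmp(spec, "local:", 6) == 0 && tail_ok(spec + 6))
        return H_UNIX | H_LOCALHOST;   /* unix: plus 'localhost' */
    return 0;
}

/* Classes named by both patterns: non-zero means two rules carrying
 * different permissions would apply to the same peers. */
unsigned clash(const char *a, const char *b)
{
    return host_classes(a) & host_classes(b);
}

int main(void)
{
    /* Constructed sample patterns, each compared against "local:*". */
    const char *rules[] = { "*", ".*", ":*", "unix://*", "local:" };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%-10s vs local:* -> overlap mask 0x%x\n",
               rules[i], clash(rules[i], "local:*"));
    return 0;
}
```

A non-zero mask for "*" against "local:*" corresponds to the clash the commit message describes; the zero masks for ".*" and ":*" correspond to the new default [access] section.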