Hi -
Dave and I got talking about why we're doing AF_UNIX comms for
pmlc<->pmlogger at all: it's primarily for securing pmlogger against
hostile users. The current patchset doesn't address that aspect, so
let's discuss some possibilities while our mental caches are fresh.
To secure pmlogger across AF_UNIX, it's not enough to put the sockets
into variously owned directories. /var/lib/pcp/tmp is currently
world-readable, and the socket's own permissions may or may not be
factored by the kernel, so potentially any local joe can attach.
That's no better than tcp/localhost.
With AF_UNIX, we get the connecting client's uid/gid/pid for free,
which we pass along for PMAPI authentication purposes within PMCD. I
propose pmlogger also use that information to extend the pmlogger ACL
language to assert simple predicates like
allow unix-uidmatch : all;
# allow unix-gidmatch : all; # probably not a good default
allow unix : enquire;
which we could then put into the default / pmlogconf-generated files.
As an aside, the pmlogger acl system has a nice separation of
"enquire" vs "all" operations. However, some mutative operations are
in the enquire category, but probably shouldn't be: namely "new
volume" and "flush". Both these could be misused for denial-of-service,
so should be restricted.
- FChE
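Added illustration (not code from the email or from PCP): on Linux the server side of an AF_UNIX connection can read the peer's uid/gid/pid with SO_PEERCRED, independent of socket-file permissions, and evaluate predicates like the proposed ones against them. The predicate names, the enquire/all operation classes as bit sets, the policy table and all function names are assumptions made for this sketch.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on glibc */
#include <stddef.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical predicate kinds modelled on the proposal. */
enum pred { UNIX_UIDMATCH, UNIX_GIDMATCH, UNIX_ANY };
/* Operation classes; ALL is a superset of ENQUIRE (bit 1 = enquire, bit 2 = mutative). */
enum ops { OPS_ENQUIRE = 1, OPS_ALL = 3 };

struct rule { enum pred pred; enum ops ops; };

/* Assumed default policy: same uid gets everything, any local client may enquire. */
static const struct rule policy[] = {
    { UNIX_UIDMATCH, OPS_ALL },
    { UNIX_ANY,      OPS_ENQUIRE },
};

/* Fetch the connecting peer's credentials from the kernel. Returns 0 on success. */
int peer_creds(int fd, struct ucred *out) {
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

static int rule_matches(const struct rule *r, const struct ucred *peer) {
    switch (r->pred) {
    case UNIX_UIDMATCH: return peer->uid == getuid();   /* client runs as our uid  */
    case UNIX_GIDMATCH: return peer->gid == getgid();   /* client shares our gid   */
    case UNIX_ANY:      return 1;                       /* any local unix client   */
    }
    return 0;
}

/* Default deny: the peer gets the union of classes from every matching rule,
   and `want` is permitted only if every bit of it was granted. */
int acl_permits(const struct rule *rules, size_t n, const struct ucred *peer, enum ops want) {
    unsigned granted = 0;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], peer))
            granted |= (unsigned)rules[i].ops;
    return (granted & (unsigned)want) == (unsigned)want;
}

/* Constructed check: a peer whose uid and gid differ from ours. */
int other_user_permitted(enum ops want) {
    struct ucred other = { .pid = 1, .uid = getuid() + 1, .gid = getgid() + 1 };
    return acl_permits(policy, 2, &other, want);
}

/* A socketpair stands in for the pmlc<->pmlogger connection; the peer is ourselves. */
int same_user_permitted(enum ops want) {
    int sv[2];
    struct ucred peer;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int ok = peer_creds(sv[0], &peer) == 0 ? acl_permits(policy, 2, &peer, want) : -1;
    close(sv[0]); close(sv[1]);
    return ok;
}
```

Under this policy a different local user can still issue enquire-class requests, so the email's point about moving "new volume" and "flush" out of the enquire class is what actually closes the denial-of-service gap.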