----- Original Message -----
>
> brolley wrote:
>
>
> > [...]
> > [access]
> > -disallow * : all;
> > -allow localhost : enquire;
> > +disallow .* : all;
> > +disallow :* : all;
> > +allow local:* : enquire;
> > [...]
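Review bot: the hunk drops `allow localhost : enquire;` without keeping an equivalent rule for TCP connections from the local host, so an existing installation whose startup check connects with pmlc over localhost will be refused once the new `disallow .* : all;` / `disallow :* : all;` rules apply; if the intent is only to add the AF_UNIX rule, keep `allow localhost : enquire;` next to `allow local:* : enquire;` rather than removing it, and note in the change description what the `:*` and `local:*` patterns match, since the `local:*` syntax is not documented anywhere referenced here.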
>
> That is a drastic change, by the way, removing "enquire" powers from
> localhost. (We should open a bug to remind ourselves to fix the
Indeed, it is probably too big a risk for a point release I think,
given it's the likely (root) cause of that test system failing to
start pmlogger after an upgrade with an existing config.
> pmlogger bug that allows mutation operations to be triggered at the
> pmlc-enquire privilege, as discussed on IRC.)
>
> > This code tries to make sure that pmlogger is running by attempting to
> > connect
> > using pmlc. Without the updated access controls, pmlogger correctly rejects
> > each connection attempt [...]
That'd be a bug, for people on the point-release-upgrade path. But...
> While you were away last week, we were talking about ACL enforcement
> options for the AF_UNIX link. Because of world-readable directories,
> a default that prohibits localhost but permits local: (AF_UNIX)
> doesn't give us any additional security.
[ It does give us the option of moving away from a network accessible
socket (perhaps via command line flag), removing all remote exploit
possibilities - which is some additional security I guess. ]
> We really need to use
> AF_UNIX's credential-passing facility.
>
> Where is the "local:*" part of that ACL documented, by the way? Can
> we teach it something like:
>
> local:uid /* to mean same-uid as pmlogger */
> local:gid /* to mean same-gid as pmlogger */
But same-uid/gid should always be able to connect & have full access
permissions; in which case, this whole problem goes away (AFAICT) and
we have a safe upgrade path. Simpler code & configuration files too.
Is there any reason to not allow same-uid/gid full access?
cheers.
--
Nathan