On 03/05/2014 02:30 PM, Frank Ch. Eigler wrote:
brolley wrote:
[...]
[access]
-disallow * : all;
-allow localhost : enquire;
+disallow .* : all;
+disallow :* : all;
+allow local:* : enquire;
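Review bot: whether the replacement line "+allow local:* : enquire;" covers the IPv6 loopback is not evident from the hunk, since the thread describes "local:*" as "unix:*" followed by "localhost" and the IPv4/IPv6 split is now explicit in the two "disallow" lines; either confirm that "localhost" resolves to ::1 as well as 127.0.0.1 or add an explicit "allow localhost6 : enquire;" alongside it. The pmlogger man page also still lacks the "local:*" / "unix:*" hostspec syntax this hunk relies on, so the documentation update should land with this change.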
[...]
That is a drastic change, by the way, removing "enquire" powers from
localhost. (We should open a bug to remind ourselves to fix the
pmlogger bug that allows mutation operations to be triggered at the
pmlc-enquire privilege, as discussed on IRC.)
I think you have the wrong idea. This does not remove enquire powers
from localhost. "local:*" here works the same way as it does for pmcd,
which is to say that it means "unix:*" followed by "localhost". What
this change is intended to do is to enable the "unix:*" part which is
not allowed by the existing '*' config line. We made the exact same
change to the pmcd access controls when AF_UNIX, unix: and local: were
implemented there.
Now that I reconsider this, I believe, as Nathan does, that the failure
of pmlc to connect during the pmlogger startup test is probably a bug,
since the "localhost" part of "local:*" should have been allowed. I'll
look into that further.
This code tries to make sure that pmlogger is running by attempting to connect
using pmlc. Without the updated access controls, pmlogger correctly rejects
each connection attempt [...]
While you were away last week, we were talking about ACL enforcement
options for the AF_UNIX link. Because of world-readable directories,
a default that prohibits localhost but permits local: (AF_UNIX)
doesn't give us any additional security. We really need to use
AF_UNIX's credential-passing facility.
Once again, don't confuse "local:" with "unix:", but otherwise, yes, or
as nathans would say, *nod*
Where is the "local:*" part of that ACL documented, by the way?
For pmcd, the full URL syntax for access control is documented in the
"ACCESS CONTROL CONFIGURATION" section of pmcd(1), I have not yet
updated the appropriate man page(s) for pmlogger. However, the '*' in
"local:*" and "unix:*" here refers to all socket paths.
Can we teach it something like:
local:uid /* to mean same-uid as pmlogger */
local:gid /* to mean same-gid as pmlogger */
I suggest teaching it something similar to what is allowed for pmcd, if
needed. i.e.
allow users userlist : operations ;
disallow users userlist : operations ;
allow groups grouplist : operations ;
disallow groups grouplist : operations ;
I agree with Nathan that same-uid and same-gid should always be allowed
full access.
Then the default ACLs could become these, if we wish to restore
unprivileged enquiry:
disallow .* : all;
disallow :* : all;
disallow local:* : all;
#
allow localhost : enquire;
allow localhost6 : enquire;
allow local:* : enquire;
This will result in an access control conflict error on "local:*". The
first "disallow local:* : all" is not necessary. The "allow localhost
..." and "allow localhost6 ..." are also redundant since they should be
covered by "allow local:*". This does raise a good point. I need to
double check that IPv6 access is covered by "local:". With these changes
we end up with the configuration that I have already proposed, i.e.
disallow .* : all;
disallow :* : all;
allow local:* : enquire;
#
allow local:uid : all;
As discussed above, this is probably not needed.
Dave
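The two [access] blocks compared in the thread, run through a small toy model of the rules the thread itself describes. This is an added illustration, not PCP's access-control code: it assumes that "local:*" means "unix:*" followed by "localhost", that ".*" and ":*" are IPv4 and IPv6 wildcards, that a bare name such as "localhost" resolves through a constructed table, that rules apply in file order with the last matching rule for an operation winning and everything denied until a rule allows it, and that the same hostspec string both allowed and disallowed for one operation is what the thread calls an access control conflict. Operation names, the name table and the probe clients are constructed for the example.

```python
"""Toy model of a pmcd/pmlogger-style [access] section.

Added example, not PCP's code. Assumptions: clients are "unix:<path>",
an IPv4 address or an IPv6 address; "local:*" == "unix:*" then
"localhost" (as stated in the thread); ".*" / ":*" are the IPv4 / IPv6
wildcards; last matching rule per operation wins; deny by default; the
same hostspec string allowed and disallowed for one operation is a
conflict.
"""
import fnmatch
import re

ALL_OPS = frozenset({"enquire", "mutate"})   # assumed operation names

# Constructed name table (assumption): what bare names resolve to.
NAME_TABLE = {"localhost": ["127.0.0.1"], "localhost6": ["::1"]}

# "allow <spec> : <ops>;" with an optional quoted spec; spec ends at whitespace.
RULE_RE = re.compile(r'^(allow|disallow)\s+"?([^"\s]+)"?\s*:\s*([^;]+);$')


class AclConflict(Exception):
    pass


def _ops(word):
    return set(ALL_OPS) if word.strip() == "all" else {o.strip() for o in word.split(",")}


def _expand(spec):
    # From the thread: "local:*" is shorthand for "unix:*" followed by "localhost".
    return ["unix:*", "localhost"] if spec == "local:*" else [spec]


def _matches(spec, client):
    if spec.startswith("unix:"):
        return client.startswith("unix:") and fnmatch.fnmatchcase(client[5:], spec[5:])
    if client.startswith("unix:"):
        return False
    if spec == ".*":
        return ":" not in client            # IPv4 wildcard
    if spec == ":*":
        return ":" in client                # IPv6 wildcard
    if spec in NAME_TABLE:
        return client in NAME_TABLE[spec]
    return fnmatch.fnmatchcase(client, spec)


def parse_acl(text):
    """Parse [access] lines into (verb, spec, ops); raise AclConflict when a
    hostspec string is both allowed and disallowed for the same operation."""
    rules, seen = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad access line: %r" % raw)
        verb, spec, opword = m.groups()
        ops = _ops(opword)
        for op in ops:
            if seen.get((spec, op), verb) != verb:
                raise AclConflict("conflict on %s for %s" % (spec, op))
            seen[(spec, op)] = verb
        rules.append((verb, spec, ops))
    return rules


def permitted(rules, client, op):
    """True if the last rule matching `client` for `op` is an allow."""
    decision = False   # assumption: deny by default
    for verb, spec, ops in rules:
        if op in ops and any(_matches(s, client) for s in _expand(spec)):
            decision = verb == "allow"
    return decision


# The two configurations from the thread, embedded here for the example.
FRANK_ACL = """\
disallow .* : all;
disallow :* : all;
disallow local:* : all;
#
allow localhost : enquire;
allow localhost6 : enquire;
allow local:* : enquire;
"""

DAVE_ACL = """\
disallow .* : all;
disallow :* : all;
allow local:* : enquire;
"""


def check_frank_conflicts():
    """Return the conflict message the first block produces, or None."""
    try:
        parse_acl(FRANK_ACL)
    except AclConflict as e:
        return str(e)
    return None


def dave_decisions():
    """Decisions for a few constructed clients under the second block."""
    rules = parse_acl(DAVE_ACL)
    probes = [("unix:/var/run/pcp/pmlogger.socket", "enquire"),
              ("127.0.0.1", "enquire"), ("127.0.0.1", "mutate"),
              ("::1", "enquire"), ("192.0.2.10", "enquire")]
    return {p: permitted(rules, *p) for p in probes}


if __name__ == "__main__":
    print(check_frank_conflicts())
    for probe, verdict in dave_decisions().items():
        print(probe, verdict)
```

Under these assumptions the first block fails to parse with a conflict on "local:*", as the thread says, while the second grants enquire to an AF_UNIX client and to 127.0.0.1 but not mutate, and denies a remote IPv4 address. The "::1" probe is denied only because the constructed name table maps "localhost" to 127.0.0.1 alone; that is exactly the IPv6 coverage question the thread leaves open, and the answer for real pmlogger depends on what its "localhost" resolves to, not on this model.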