
Re: [pcp] PCP Updates: pmlogger AF_UNIX socket for normal users; qa vers

To: "Frank Ch. Eigler" <fche@xxxxxxxxxx>, Dave Brolley <brolley@xxxxxxxxxx>
Subject: Re: [pcp] PCP Updates: pmlogger AF_UNIX socket for normal users; qa version check bump
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Tue, 11 Mar 2014 21:08:11 -0400 (EDT)
Cc: pcp@xxxxxxxxxxx
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <y0mha7bfg4l.fsf@xxxxxxxx>
References: <53075D46.6090807@xxxxxxxxxx> <1734063835.17483667.1393481715436.JavaMail.zimbra@xxxxxxxxxx> <53175AAC.5050706@xxxxxxxxxx> <y0ma9d4e93m.fsf@xxxxxxxx> <5318966A.2080600@xxxxxxxxxx> <y0mha7bfg4l.fsf@xxxxxxxx>
Reply-to: Nathan Scott <nathans@xxxxxxxxxx>
Thread-index: S0z8vjugk09kx6nZo4vUXyfpq972NQ==
Thread-topic: PCP Updates: pmlogger AF_UNIX socket for normal users; qa version check bump

----- Original Message -----
> 
> brolley wrote:
> 
> > [...]
> > I suggest teaching it something similar to what is allowed for pmcd,
> > if needed. i.e.
> >
> > allow users userlist : operations ;
> > disallow users userlist : operations ;
> > allow groups grouplist : operations ;
> > disallow groups grouplist : operations ;
> 
> The reason we can't have exactly that is because we don't have
> user/group databases/authentication in effect for the pmlc-pmlogger
> connection.  (I don't think we really want to go there either.)
> 
> > I agree with Nathan that same-uid and same-gid should always be
> > allowed full access.
> 
> This is not obviously appropriate.  GIDs can be shared amongst many
> people, and we definitely don't want to hard-code that kind of trust.

Indeed.  Checking for just the same uid should suffice for full access.
I think we'll also need to allow uid==zero, else we'll risk
breaking init scripts.

If/when the full-blown authentication exchange is done (like pmcd), we
should add the user/group ACLs in here too, which would help with the
groups-having-lots-of-people issue.  It would be good to have this ...
needs TLS on the socket and optional addition of the Auth PDU into the
protocol exchange.

> The same-UID one is arguable.  A person may want to prevent accidental
> runtime modification of his logger, even by his own future processes.

That doesn't make sense to me.  Said person cannot prevent himself (?!)
from sending signals to his own pmlogger, which can already cause change
(e.g. start new volume via sighup, termination via sigkill, etc).

cheers.

--
Nathan

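The access rule settled on above (the pmlogger owner's own uid, plus uid 0, gets full access over the AF_UNIX socket; a shared gid grants nothing) can be checked from the peer credentials the kernel attaches to a connected local socket. The following is an added illustration, not PCP's own code: it uses the Linux-specific SO_PEERCRED socket option, and the function and enum names (peer_access, fetch_peer_uid, selfcheck, ACCESS_FULL, ACCESS_NONE) are hypothetical. The self-check uses a socketpair, so the "peer" is the process itself and the policy must grant full access.

```c
#define _GNU_SOURCE            /* struct ucred and SO_PEERCRED (Linux) */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical access levels; pmlogger's real per-operation ACLs are not modelled. */
enum access_level { ACCESS_NONE = 0, ACCESS_FULL = 1 };

/* Policy from the thread: the daemon's own uid and uid 0 get full access.
   Group membership is deliberately ignored: a gid can be shared by many
   people, so same-gid is not treated as trust. */
enum access_level peer_access(uid_t server_uid, uid_t peer_uid)
{
    if (peer_uid == 0 || peer_uid == server_uid)
        return ACCESS_FULL;
    return ACCESS_NONE;
}

/* Read the connecting peer's uid from a connected AF_UNIX socket.
   SO_PEERCRED is filled in by the kernel at connect() time, so unlike a
   user name carried in a PDU it cannot be chosen by the client.
   Returns 0 on success, -1 on failure. */
int fetch_peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Self-check: a socketpair connects the process to itself, so the peer uid
   equals getuid() and the policy must grant ACCESS_FULL.  Returns 0 if so. */
int selfcheck(void)
{
    int sv[2];
    uid_t peer;
    int rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    rc = fetch_peer_uid(sv[1], &peer);   /* sv[1]'s peer is sv[0]: us */
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return -1;
    return peer_access(getuid(), peer) == ACCESS_FULL ? 0 : -1;
}

int main(void)
{
    printf("self-check: %s\n", selfcheck() == 0 ? "ok" : "failed");
    printf("uid 1000 -> server uid 1000: %s\n",
           peer_access(1000, 1000) == ACCESS_FULL ? "full" : "none");
    printf("uid 1001 -> server uid 1000: %s\n",
           peer_access(1000, 1001) == ACCESS_FULL ? "full" : "none");
    return 0;
}
```

In a daemon the check would run once per accepted connection, comparing cred.uid against the daemon's own getuid(); on a failed getsockopt() the safe choice is to treat the peer as ACCESS_NONE rather than fall through to the old unauthenticated behaviour.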