brolley wrote:
> [...]
> [access]
> -disallow * : all;
> -allow localhost : enquire;
> +disallow .* : all;
> +disallow :* : all;
> +allow local:* : enquire;
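Review bot: The `+` lines give `local:*` only `allow local:* : enquire;` with no preceding `disallow local:* : all;`, whereas the `.*` and `:*` specs each get an explicit deny-all before anything is allowed; whether an AF_UNIX client is then refused the non-enquire operations depends on what happens to an operation that no rule names, so add `disallow local:* : all;` ahead of the allow to make the deny explicit. Dropping `allow localhost : enquire;` in the same hunk also removes enquiry from loopback TCP clients rather than only adding the AF_UNIX path; if that tightening is intended, call it out in the commit message, and if not, keep the localhost rule alongside the new one.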
> [...]
That is a drastic change, by the way, removing "enquire" powers from
localhost. (We should open a bug to remind ourselves to fix the
pmlogger bug that allows mutation operations to be triggered at the
pmlc-enquire privilege, as discussed on IRC.)
> This code tries to make sure that pmlogger is running by attempting to connect
> using pmlc. Without the updated access controls, pmlogger correctly rejects
> each connection attempt [...]
While you were away last week, we were talking about ACL enforcement
options for the AF_UNIX link. Because of world-readable directories,
a default that prohibits localhost but permits local: (AF_UNIX)
doesn't give us any additional security. We really need to use
AF_UNIX's credential-passing facility.
Where is the "local:*" part of that ACL documented, by the way? Can
we teach it something like:
local:uid /* to mean same-uid as pmlogger */
local:gid /* to mean same-gid as pmlogger */
Then the default ACLs could become these, if we wish to restore
unprivileged enquiry:
disallow .* : all;
disallow :* : all;
disallow local:* : all;
#
allow localhost : enquire;
allow localhost6 : enquire;
allow local:* : enquire;
#
allow local:uid : all;
- FChE
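The proposal above (a same-uid or same-gid test on the AF_UNIX peer, layered under the `disallow`/`allow` defaults) only works if the server learns the peer's identity from the kernel rather than from who can reach a socket path. The following is an added example written for this page, not PCP's own parser or ACL engine: it reads peer credentials with Linux `SO_PEERCRED` (one form of the credential-passing facility the reply asks for), models the rule syntax quoted in the thread, and evaluates both the hunk's default and the reply's proposed default against a loopback TCP client, an AF_UNIX client of another uid, and an AF_UNIX client of the server's own uid. Everything beyond the quoted rules is an assumption, stated in the comments: the `local:uid`/`local:gid` meanings are the ones the reply suggests, `.*`/`:*` are taken to mean any IPv4/IPv6 TCP peer, rules are read top to bottom with the last match winning and no match meaning deny, and `advisory`/`mandatory` stand in for the "mutation operations" a pmlc client can request.

```python
# Added illustration, not PCP code: a model of pmlogger-style [access] rules checked
# against AF_UNIX peer credentials (Linux SO_PEERCRED).  Assumed: rules are read top
# to bottom, the last rule naming both the operation and the peer wins, no rule -> deny.
import os
import socket
import struct
from dataclasses import dataclass

# "enquire" is from the thread; "advisory"/"mandatory" are assumed to be the
# logging-state changes (the "mutation operations") a pmlc client can request.
OPERATIONS = ("enquire", "advisory", "mandatory")

@dataclass(frozen=True)
class Peer:
    family: str          # "unix" (uid/gid/pid below) or "inet" (host/ipv6 below)
    uid: int = -1
    gid: int = -1
    pid: int = -1
    host: str = ""       # resolved name of a TCP peer, e.g. "localhost"
    ipv6: bool = False

def peer_from_unix_socket(sock):
    # struct ucred {pid_t pid; uid_t uid; gid_t gid;}: three 32-bit ints the
    # kernel fills in for the process at the other end; the client cannot forge it.
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return Peer(family="unix", uid=uid, gid=gid, pid=pid)

def parse_rules(text):
    # One 'allow|disallow <who> : <op>[,<op>]...;' per line ('#' comments); returns (allow, who, ops) tuples.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError("missing ';': %r" % line)
        verb, rest = line[:-1].split(None, 1)
        allow = {"allow": True, "disallow": False}[verb]      # KeyError on a typo
        # the peer spec may itself contain ':' ('local:*', ':*'): split on the last one
        who, ops = (p.strip() for p in rest.rsplit(":", 1))
        names = {o.strip() for o in ops.split(",")}
        names = set(OPERATIONS) if "all" in names else names
        if not names <= set(OPERATIONS):
            raise ValueError("unknown operation: %r" % line)   # fail closed
        rules.append((allow, who, frozenset(names)))
    return rules

def rule_matches(who, peer, server_uid, server_gid):
    # Assumed meanings: '.*' any IPv4 TCP peer, ':*' any IPv6 TCP peer, 'local:*'
    # any AF_UNIX peer, 'local:uid'/'local:gid' an AF_UNIX peer sharing the
    # server's uid/gid, anything else the host name of a TCP peer.
    if who == "*":
        return True
    if peer.family == "unix":
        return (who == "local:*"
                or (who == "local:uid" and peer.uid == server_uid)
                or (who == "local:gid" and peer.gid == server_gid))
    if who in (".*", ":*"):
        return peer.ipv6 == (who == ":*")
    return who == peer.host

def permitted(rules, peer, op):
    decision = False                      # nothing is granted by default
    for allow, who, ops in rules:
        if op in ops and rule_matches(who, peer, os.getuid(), os.getgid()):
            decision = allow
    return decision

def decisions(policy_text, peer):
    return {op: permitted(parse_rules(policy_text), peer, op) for op in OPERATIONS}

# The default from the quoted hunk, and the default proposed in the reply.
PATCHED_DEFAULT = """disallow .* : all;
disallow :* : all;
allow local:* : enquire;
"""
PROPOSED_DEFAULT = """disallow .* : all;
disallow :* : all;
disallow local:* : all;
allow localhost : enquire;
allow localhost6 : enquire;
allow local:* : enquire;
allow local:uid : all;
"""

# Constructed peers for the demonstration, not captured from a real pmlc.
TCP_LOCALHOST = Peer(family="inet", host="localhost")
OTHER_USER_UNIX = Peer(family="unix", uid=os.getuid() + 1, gid=os.getgid() + 1, pid=1)

def same_uid_unix_peer():
    # Real credentials over a socketpair: the "client" end belongs to this process.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_from_unix_socket(server_end)
    finally:
        server_end.close(); client_end.close()

def credentials_are_kernel_supplied():
    peer = same_uid_unix_peer()
    return peer.uid == os.getuid() and peer.pid == os.getpid()
```

Run against the hunk's default, a loopback TCP client gets nothing and any AF_UNIX client gets `enquire` regardless of who it is, which is the "doesn't give us any additional security" point: `local:*` cannot tell users apart. Under the proposed default the same AF_UNIX client of another uid is still limited to `enquire`, while a client of the server's own uid (here obtained over a socketpair, so the credentials are real kernel-reported ones) passes `local:uid` and gets everything. The policy is only as good as the peer identity it is checked against, so the uid must come from `SO_PEERCRED` (or `SCM_CREDENTIALS`), never from the socket path or directory mode.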