pcp


To: Dave Brolley <brolley@xxxxxxxxxx>
Subject: Re: PCP Updates: pmlogger AF_UNIX socket for normal users; qa version check bump
From: fche@xxxxxxxxxx (Frank Ch. Eigler)
Date: Wed, 05 Mar 2014 14:30:53 -0500
Cc: Nathan Scott <nathans@xxxxxxxxxx>, pcp@xxxxxxxxxxx
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <53175AAC.5050706@xxxxxxxxxx> (Dave Brolley's message of "Wed, 05 Mar 2014 12:11:08 -0500")
References: <53075D46.6090807@xxxxxxxxxx> <1734063835.17483667.1393481715436.JavaMail.zimbra@xxxxxxxxxx> <53175AAC.5050706@xxxxxxxxxx>
User-agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)
brolley wrote:


> [...]
>          [access]
>         -disallow * : all;
>         -allow localhost : enquire;
>         +disallow .* : all;
>         +disallow :* : all;
>         +allow local:* : enquire;
> [...]
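Review bot: the hunk drops `allow localhost : enquire;` without a replacement, so pmlc over TCP loopback loses enquire access altogether rather than the AF_UNIX path merely being added alongside it; if that is intended, state it in the commit message and in the pmlogger access-control documentation, otherwise keep `allow localhost : enquire;` next to `allow local:* : enquire;`. The `local:*` host class introduced here should also be documented wherever the `allow`/`disallow` pattern syntax is described, since nothing in the diff shows where it is defined.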

That is a drastic change, by the way, removing "enquire" powers from
localhost.  (We should open a bug to remind ourselves to fix the
pmlogger bug that allows mutation operations to be triggered at the
pmlc-enquire privilege, as discussed on IRC.)


> This code tries to make sure that pmlogger is running by attempting to connect
> using pmlc. Without the updated access controls, pmlogger correctly rejects
> each connection attempt [...]

While you were away last week, we were talking about ACL enforcement
options for the AF_UNIX link.  Because of world-readable directories,
a default that prohibits localhost but permits local: (AF_UNIX)
doesn't give us any additional security.  We really need to use
AF_UNIX's credential-passing facility.

Where is the "local:*" part of that ACL documented, by the way?  Can
we teach it something like:

local:uid    /* to mean same-uid as pmlogger */
local:gid    /* to mean same-gid as pmlogger */

Then the default ACLs could become these, if we wish to restore
unprivileged enquiry:

disallow .* : all;
disallow :* : all;
disallow local:* : all;
#
allow localhost : enquire;
allow localhost6 : enquire;
allow local:* : enquire;
#
allow local:uid : all;


- FChE
