authenticating users for the control socket
martin f krafft
madduck at debian.org
Mon Jun 11 20:25:31 UTC 2007
also sprach Michael Biebl <mbiebl at gmail.com> [2007.06.11.1827 +0100]:
> It does not (yet) provide an authentication protocol [1].
> What it does provide is security policies, that manage access control
> based on uid, gid or being locally logged in (at_console) [2].

I am almost certain that netconf will have a d-bus interface
eventually, but I am unconvinced whether d-bus is a sensible choice
for the core communication. Right now I am trying to figure out how
to allow tools such as /sbin/ifup to talk to netconfd and a d-bus
dependency at this level is definitely asking for trouble later.
Thus I am using sockets and likely a proxy that simply identifies
the user to the daemon, who then does the authorisation.

at_console is an interesting idea in this context but I think
netconfd will likely not make decisions about whether an interface
may be configured locally only or also via the network. Instead,
I think I may implement something akin to molly-guard to prevent
a user from running ifdown via the SSH link using the very link that
is supposed to go down.

Have a look at
http://git.debian.org/?p=netconf/netconf/master.git;a=blob_plain;f=doc/control_syntax.txt;hb=HEAD
I am not a language designer so any comments or flames are welcome.

I am thinking that a d-bus interface could later be added and become
one of the "select" applications to talk directly to the socket.

Cheers,
--
.''`. martin f. krafft <madduck at debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
humpty was pushed.
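
The identify-then-authorise split discussed in this message, as an added example that is not part of the original post or of netconf's code: rather than a proxy asserting who the user is, the daemon here asks the kernel for the peer's uid on the Unix control socket (Linux `SO_PEERCRED`) and authorises against that. The `verb iface` request format, the policy table and all function names are assumptions made for illustration.

```python
import os
import socket
import struct

def make_policy(admin_uids):
    # Hypothetical policy: verb -> set of uids allowed to issue it.
    # None means any local user may issue the verb.
    return {"status": None, "ifup": set(admin_uids), "ifdown": set(admin_uids)}

def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end, as recorded
    by the kernel when the socket was connected (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)

def authorise(uid, verb, policy):
    allowed = policy.get(verb, set())   # unknown verbs are denied by default
    return allowed is None or uid in allowed

def handle_request(conn, policy):
    """Read one 'verb iface' line and decide using the kernel-reported uid,
    never anything the client says about itself; then send the reply."""
    _pid, uid, _gid = peer_credentials(conn)
    line = conn.recv(256).decode("ascii", "replace").strip()
    verb = line.split(" ", 1)[0] if line else ""
    ok = authorise(uid, verb, policy)
    reply = ("OK " if ok else "DENIED ") + verb
    conn.sendall(reply.encode("ascii", "replace") + b"\n")
    return uid, verb, ok

def demo(request, admin_uids):
    """Constructed exchange over a socketpair; both ends belong to this process."""
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with daemon_end, client_end:
        client_end.sendall(request.encode("ascii") + b"\n")
        result = handle_request(daemon_end, make_policy(admin_uids))
        return result, client_end.recv(256).decode("ascii").strip()

if __name__ == "__main__":
    print(demo("ifdown eth0", admin_uids=[os.getuid()]))  # caller is an admin
    print(demo("ifdown eth0", admin_uids=[]))             # caller is not
```

Because the uid comes from the kernel, the file permissions on the socket path and the policy table are the only things the daemon has to trust.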