[Pacemaker] Multi-level ACLs for the CIB
Lars Marowsky-Bree
lmb at suse.de
Mon Jan 11 15:08:04 UTC 2010
On 2010-01-11T15:02:29, Andrew Beekhof <andrew at beekhof.net> wrote:
> > For this authentication issue of local access we discussed last time, I
> > added a geteuid() in the cib_native_signon_raw() function from libcib.
> > Once a client signs on the CIB, it'll invoke the function and transfer
> > its uid to the server end.
> I don't see anywhere that the server checks passwords. Is that really
> intentional?
I agree, the server needs to verify the credentials. Client-side UID is
not strong enough - after all, we're trying to authenticate & authorize
the _client_, and it won't do to have the client tell us what it thinks
its auth level should be - that would be a bit easy to cheack ;-)
> Whats the role of this code, is it meant to provide actual security?
> Or is it just casual protection from people accidentally touching
> stuff they probably didn't mean to touch?
If we provide the latter, they'll expect it to provide the former. So we
need to verify credentials in the CIB server process instead. For SSL
connections to the server, this means username/password transfer, or
challenge-response.
For local sockets, we can use code similar to the IPC socket stuff from
heartbeat to get the uuid from the other end of the socket?
In the mean-time, reviewing the syntax is probably quite important too.
Regards,
Lars
--
Architect Storage/HA, OPS Engineering, Novell, Inc.
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
More information about the Pacemaker
mailing list