[Linux-ha-dev] Bind/stat Auth Patch

Andrew Beekhof lists at beekhof.net
Mon Oct 4 12:43:32 MDT 2004


On Oct 4, 2004, at 8:13 PM, Guochun Shi wrote:

> At 06:32 PM 10/4/2004 +0200, you wrote:
>
>> On Oct 4, 2004, at 4:21 PM, Alan Robertson wrote:
>>
>>> Andrew Beekhof wrote:
>>>> Hi all,
>>>> Here is the patch Alan has been talking about.  I'll check it into 
>>>> CVS as soon as I am sure it doesn't break linux.  By default, only 
>>>> OSX makes use of the bind/stat option, I'll leave enabling it on 
>>>> Solaris to those who know what they're doing.
>>>> I also welcome any feedback.
>>>> In addition, I have attached a config.c patch that I would like to 
>>>> apply.  Essentially I think it should also check for a "default" 
>>>> apiauth tag from ha.cf before instantiating any pre-defined 
>>>> defaults.  It sure violated "least surprise" to me.
>>>
>>> Default means "for all systems that don't have their own 
>>> definitions".  I don't know what's so surprising about that.  It 
>>> doesn't mean "and overrides everything else in the world".  That's 
>>> not a default.
>>> That's a mondo override.  And, a horrible security hole.
>>
>> So why is: apiauth default... allowed then?  ahhh /me sees your next 
>> comment.
>
> I've never configured default in ha.cf. Quotes
> "
> #       The groupname "default" has special meaning.  If it is 
> specified, then
> #       this will be used for authorizing groupless clients, and any 
> client groups
> #       not otherwise specified.
> #
> apiauth default gid=haclient
> "
>
> by configuring that, all clients which are in group haclient will be 
> allowed to signon?

That's a bad example because of the programmatic defaults.

A better example is to specify
"
apiauth default gid=foo
"
everything except for the 4 services below will check for gid=foo.

	struct DefServices {
		const char *	name;
		const char *	authspec;
	} defserv[] =
	{	{"ipfail",	"uid=" HA_CCMUSER}
	,	{"ccm",		"uid=" HA_CCMUSER}
	,	{"ping",	"gid=" HA_APIGROUP}
	,	{"cl_status",	"gid=" HA_APIGROUP}
	};

and I still say that's non-obvious :)

>
> -Guochun
>
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev at lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
>
-- 
Andrew Beekhof

"Ooo Ahhh, Glenn McRath" - TISM
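To make the precedence question in this thread concrete, here is an added example (not code from the heartbeat project or from any of the posters) that models the apiauth lookup with a small, constructed ha.cf. It reuses the four programmatic defaults quoted above and compares the two orderings under discussion: the current one, where the programmatic defaults are consulted before an "apiauth default" line, and the proposed one, where the ha.cf "default" is consulted first. The values of HA_CCMUSER and HA_APIGROUP, the extra "mgmtd" entry, and the rule that an explicit per-name ha.cf entry beats a programmatic default are all assumptions made for the example, not facts from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder values for the project's macros: constructed for this
 * example, not taken from heartbeat's headers. */
#define HA_CCMUSER  "ccm_user_placeholder"
#define HA_APIGROUP "haclient"

struct authent {
    const char *name;     /* client/service name, or the special "default" */
    const char *authspec; /* "uid=<user>" or "gid=<group>" */
};

/* Programmatic defaults, exactly the four names quoted in the thread. */
static const struct authent defserv[] = {
    {"ipfail",    "uid=" HA_CCMUSER},
    {"ccm",       "uid=" HA_CCMUSER},
    {"ping",      "gid=" HA_APIGROUP},
    {"cl_status", "gid=" HA_APIGROUP},
};

/* Constructed ha.cf contents: one explicit entry plus the "default" line
 * from the thread ("apiauth default gid=foo"). */
static const struct authent hacf[] = {
    {"mgmtd",   "uid=root"},
    {"default", "gid=foo"},
};

#define NELEM(a) (sizeof (a) / sizeof *(a))

static const char *lookup(const struct authent *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0)
            return tab[i].authspec;
    return NULL;
}

/* Resolve which authspec governs a connecting client.
 *   default_beats_builtin == 0: explicit ha.cf entry, then programmatic
 *     default, then "apiauth default" (the behaviour described in the thread).
 *   default_beats_builtin != 0: explicit ha.cf entry, then "apiauth default",
 *     then programmatic default (the proposed config.c change).
 * Returns NULL when no rule applies, i.e. the client should be refused. */
const char *resolve_authspec(const char *client, int default_beats_builtin)
{
    const char *explicit_spec = lookup(hacf, NELEM(hacf), client);
    if (explicit_spec)
        return explicit_spec; /* assumption: per-name entry always wins */

    const char *dflt    = lookup(hacf, NELEM(hacf), "default");
    const char *builtin = lookup(defserv, NELEM(defserv), client);

    if (default_beats_builtin) {
        if (dflt)    return dflt;
        if (builtin) return builtin;
    } else {
        if (builtin) return builtin;
        if (dflt)    return dflt;
    }
    return NULL;
}

/* Count the programmatic-default services whose effective authspec would
 * silently change if the ha.cf "default" were consulted first. This is the
 * "override" Alan objects to: a default meant for unlisted clients ends up
 * loosening rules for services that already had a stricter one. */
int count_overridden(void)
{
    int n = 0;
    for (size_t i = 0; i < NELEM(defserv); i++) {
        const char *before = resolve_authspec(defserv[i].name, 0);
        const char *after  = resolve_authspec(defserv[i].name, 1);
        if (strcmp(before, after) != 0)
            n++;
    }
    return n;
}

int main(void)
{
    const char *clients[] = {"ipfail", "ccm", "ping", "cl_status", "mgmtd", "newclient"};
    printf("%-10s  %-28s  %s\n", "client", "builtin-first (current)", "default-first (proposed)");
    for (size_t i = 0; i < NELEM(clients); i++) {
        const char *cur = resolve_authspec(clients[i], 0);
        const char *prop = resolve_authspec(clients[i], 1);
        printf("%-10s  %-28s  %s\n", clients[i], cur ? cur : "(refused)", prop ? prop : "(refused)");
    }
    printf("services whose rule changes under default-first: %d\n", count_overridden());
    return 0;
}
```

Running it prints one row per client; the four built-in services keep their own specs under the current ordering and all four switch to "gid=foo" under the proposed one, while an unlisted client gets "gid=foo" either way. That last row is the behaviour the ha.cf comment promises for "default"; the four changed rows are the part that turns a default into an override.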
