[Linux-ha-dev] Bind/stat Auth Patch

Alan Robertson alanr at unix.sh
Mon Oct 4 13:40:10 MDT 2004


Andrew Beekhof wrote:
> 
> On Oct 4, 2004, at 8:13 PM, Guochun Shi wrote:
> 
>> At 06:32 PM 10/4/2004 +0200, you wrote:
>>
>>> On Oct 4, 2004, at 4:21 PM, Alan Robertson wrote:
>>>
>>>> Andrew Beekhof wrote:
>>>>
>>>>> Hi all,
>>>>> Here is the patch Alan has been talking about.  I'll check it into 
>>>>> CVS as soon as I am sure it doesn't break linux.  By default, only 
>>>>> OSX makes use of the bind/stat option, I'll leave enabling it on 
>>>>> Solaris to those who know what they're doing.
>>>>> I also welcome any feedback.
>>>>> In addition, I have attached a config.c patch that I would like to 
>>>>> apply.  Essentially I think it should also check for a "default" 
>>>>> apiauth tag from ha.cf before instantiating any pre-defined 
>>>>> defaults.  It sure violated "least surprise" to me.
>>>>
>>>>
>>>> Default means "for all systems that don't have their own 
>>>> definitions".  I don't know what's so surprising about that.  It 
>>>> doesn't mean "and overrides everything else in the world".  That's 
>>>> not a default.
>>>> That's a mondo override.  And, a horrible security hole.
>>>
>>>
>>> So why is: apiauth default... allowed then?  ahhh /me sees your next 
>>> comment.
>>
>>
>> I've never configured default in ha.cf. Quotes
>> "
>> #       The groupname "default" has special meaning.  If it is specified, then
>> #       this will be used for authorizing groupless clients, and any client groups
>> #       not otherwise specified.
>> #
>> apiauth default gid=haclient
>> "
>>
>> by configuring that, all clients which are in group haclient will be 
>> allowed to sign on?
> 
> 
> that's a bad example because of the programmatic defaults.
> 
> A better example is to specify
> "
> apiauth default gid=foo
> "
> everything except for the 4 services below will check for gid=foo.

Provided this is exactly the only service listed in the ha.cf file.

>     struct DefServices {
>         const char *    name;
>         const char *    authspec;
>     } defserv[] =
>     {    {"ipfail",       "uid=" HA_CCMUSER}
>     ,    {"ccm",          "uid=" HA_CCMUSER}
>     ,    {"ping",         "gid=" HA_APIGROUP}
>     ,    {"cl_status",    "gid=" HA_APIGROUP}
>     };
> 
> and I still say that's non-obvious :)

What's non-obvious is the fact that these four services have defaults. 
This is a documentation issue.  Please feel free to correct the 
documentation ;-).


-- 
     Alan Robertson <alanr at unix.sh>

"Openness is the foundation and preservative of friendship...  Let me claim 
from you at all times your undisguised opinions." - William Wilberforce
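The resolution order the thread describes, as an added model (not heartbeat's config.c): an explicit apiauth line wins, then the compiled-in defserv[] entry, then the "default" line. The values of HA_CCMUSER and HA_APIGROUP and the sample ha.cf are assumptions.

```python
# Model of apiauth resolution as described in the thread above.
# Added example, not heartbeat's code. Assumed macro values:
HA_CCMUSER = "hacluster"   # assumption
HA_APIGROUP = "haclient"   # assumption (matches the quoted ha.cf line)

# The compiled-in defaults from the quoted defserv[] table.
DEFSERV = {
    "ipfail": "uid=" + HA_CCMUSER,
    "ccm": "uid=" + HA_CCMUSER,
    "ping": "gid=" + HA_APIGROUP,
    "cl_status": "gid=" + HA_APIGROUP,
}

def parse_apiauth(ha_cf):
    """Collect 'apiauth <name> [uid=...] [gid=...]' lines into {name: authspec}."""
    table = {}
    for line in ha_cf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "apiauth":
            table[words[1]] = " ".join(words[2:])
    return table

def resolve_authspec(table, client):
    """Explicit entry first, then the compiled-in default, then 'default'."""
    if client in table:
        return table[client]
    if client in DEFSERV:
        return DEFSERV[client]
    return table.get("default")   # None: nothing authorizes this client

def authorized(authspec, uid, gid):
    """A client passes if its uid or gid is in the corresponding list."""
    if authspec is None:
        return False
    for item in authspec.split():
        key, _, values = item.partition("=")
        if key == "uid" and uid in values.split(","):
            return True
        if key == "gid" and gid in values.split(","):
            return True
    return False

def client_allowed(ha_cf, client, uid, gid):
    return authorized(resolve_authspec(parse_apiauth(ha_cf), client), uid, gid)

# Constructed ha.cf containing only the example line from the thread.
HA_CF = "apiauth default gid=foo\n"
```

With only the default line present, an unlisted client in group foo is accepted, while ccm still requires uid hacluster because its compiled-in entry is consulted before "default".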

