[Linux-ha-dev] Bind/stat Auth Patch
alanr at unix.sh
Mon Oct 4 08:21:03 MDT 2004
Andrew Beekhof wrote:
> Hi all,
> Here is the patch Alan has been talking about. I'll check it into CVS
> as soon as I am sure it doesn't break linux. By default, only OSX makes
> use of the bind/stat option, I'll leave enabling it on Solaris to those
> who know what they're doing.
> I also welcome any feedback.
> In addition, I have attached a config.c patch that I would like to
> apply. Essentially I think it should also check for a "default" apiauth
> tag from ha.cf before instantiating any pre-defined defaults. It sure
> violated "least surprise" to me.
Default means "for all systems that don't have their own definitions". I
don't know what's so surprising about that. It doesn't mean "and overrides
everything else in the world". That's not a default. That's a mondo
override. And, a horrible security hole.
If the config.c change works like you described, I'd oppose it. It'll
break lots of things. And, that's what I'd call surprising.
Default should maybe even be eliminated from the code completely. Then
this wouldn't be an issue.
Here's how the system currently works:
If you specify the permissions for a subsystem, they are used.
If you don't specify permissions for a subsystem by name,
then the built-in default permissions (if any) for that
subsystem are used.
If you don't specify permissions of a subsystem in any way,
explicitly or implicitly, then those specified
by the default keyword (if any) are used.
I would argue that default shouldn't even be allowed for named subsystems
(those that can send messages). It leaves too much to chance. If you
wanted to say "it's evil" I would understand that. The only thing
surprising about it is that it is insufficiently safe.
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me claim
from you at all times your undisguised opinions." - William Wilberforce
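To make the three-step lookup in Alan's message concrete, here is an added model (not heartbeat's own config.c code) of the current order beside the proposed one, run over a constructed ha.cf fragment; the apiauth line syntax, the subsystem names and the built-in permission sets are assumptions.

```python
# Model of the apiauth lookup order Alan describes vs. the proposed config.c order.
# Constructed example: the apiauth line syntax, subsystem names and built-in
# permission sets below are assumptions, not taken from heartbeat's source.

# Hypothetical built-in per-subsystem defaults (restrictive on purpose).
BUILTIN_DEFAULTS = {"ipfail": {"uid": {"hacluster"}}, "ccm": {"uid": {"hacluster"}}}

def parse_apiauth(ha_cf):
    """Parse 'apiauth <subsys> uid=a,b gid=c' lines into {subsys: {"uid"/"gid": set}}."""
    auth = {}
    for line in ha_cf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "apiauth":
            continue  # blank lines, comments and other directives
        entry = {}
        for tok in parts[2:]:
            key, _, vals = tok.partition("=")
            if key in ("uid", "gid") and vals:
                entry[key] = set(vals.split(","))
        auth[parts[1]] = entry
    return auth

def resolve(auth, subsys, default_first=False):
    """Return (perms, source). default_first=False is the current order: explicit
    entry, then built-in default, then the 'default' keyword. default_first=True
    is the proposed order, where 'default' is consulted ahead of the built-ins."""
    if subsys in auth:
        return auth[subsys], "explicit"
    order = ["default", "builtin"] if default_first else ["builtin", "default"]
    for step in order:
        if step == "builtin" and subsys in BUILTIN_DEFAULTS:
            return BUILTIN_DEFAULTS[subsys], "builtin"
        if step == "default" and "default" in auth:
            return auth["default"], "default keyword"
    return None, "denied"

def widened_by_proposal(auth):
    """Subsystems whose effective uid set grows if 'default' overrides built-ins."""
    out = []
    for name in BUILTIN_DEFAULTS:
        cur, _ = resolve(auth, name)
        new, _ = resolve(auth, name, default_first=True)
        if new is not None and new.get("uid", set()) - cur.get("uid", set()):
            out.append(name)
    return out

# Constructed ha.cf fragment: a permissive default plus one explicit entry.
CONSTRUCTED_HA_CF = "apiauth default uid=nobody,hacluster\napiauth ipfail uid=hacluster\n"
```

With this fragment, ccm keeps its built-in hacluster-only permissions under the current order but silently picks up the nobody uid under the proposed one, which is the widening Alan objects to.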