[Linux-ha-dev] Bind/stat Auth Patch

Guochun Shi gshi at ncsa.uiuc.edu
Mon Oct 4 12:13:08 MDT 2004


At 06:32 PM 10/4/2004 +0200, you wrote:

>On Oct 4, 2004, at 4:21 PM, Alan Robertson wrote:
>
>>Andrew Beekhof wrote:
>>>Hi all,
>>>Here is the patch Alan has been talking about.  I'll check it into CVS as soon as I am sure it doesn't break Linux.  By default, only OSX makes use of the bind/stat option; I'll leave enabling it on Solaris to those who know what they're doing.
>>>I also welcome any feedback.
>>>In addition, I have attached a config.c patch that I would like to apply.  Essentially I think it should also check for a "default" apiauth tag from ha.cf before instantiating any pre-defined defaults.  It sure violated "least surprise" to me.
>>
>>Default means "for all systems that don't have their own definitions".  I don't know what's so surprising about that.  It doesn't mean "and overrides everything else in the world".  That's not a default.  
>>That's a mondo override.  And, a horrible security hole.
>
>So why is: apiauth default... allowed then?  ahhh /me sees your next comment.

I've never configured default in ha.cf. Quote:
"
#       The groupname "default" has special meaning.  If it is specified, then
#       this will be used for authorizing groupless clients, and any client groups
#       not otherwise specified.
#
apiauth default gid=haclient
"

By configuring that, all clients which are in group haclient will be allowed to sign on?

-Guochun
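
The two readings of `apiauth default` discussed in this thread, as an added example that is not part of the original messages and is not heartbeat's code. It is a simplified model: the client group name `exampleclient` is hypothetical, the sample lines are constructed, and it assumes a client matches a rule when its user is in the `uid` list or its group is in the `gid` list.

```python
# Simplified model of apiauth lookup; added example, not heartbeat's code.
# Constructed sample; "exampleclient" is a hypothetical client group.
SAMPLE_HA_CF = """\
apiauth exampleclient uid=root
apiauth default gid=haclient   # fallback entry quoted in the thread
"""


def parse_apiauth(text):
    """Return {client_group: {"uid": set, "gid": set}} from apiauth lines."""
    rules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "apiauth":
            continue
        rule = {"uid": set(), "gid": set()}
        for item in fields[2:]:
            key, sep, values = item.partition("=")
            if not sep or key not in rule:
                raise ValueError(f"bad apiauth field: {item!r}")
            rule[key].update(v for v in values.split(",") if v)
        rules[fields[1]] = rule
    return rules


def matches(rule, user, unix_group):
    # Assumption of this model: either list is sufficient.
    return user in rule["uid"] or unix_group in rule["gid"]


def authorize_fallback(rules, client_group, user, unix_group):
    """'default' covers only groupless clients and groups with no own rule."""
    rule = rules.get(client_group) if client_group else None
    if rule is None:
        rule = rules.get("default")
    return rule is not None and matches(rule, user, unix_group)


def authorize_override(rules, client_group, user, unix_group):
    """Contrast case: 'default' is consulted first and widens every group."""
    default = rules.get("default")
    if default is not None and matches(default, user, unix_group):
        return True
    rule = rules.get(client_group) if client_group else None
    return rule is not None and matches(rule, user, unix_group)
```

With fallback semantics a member of `haclient` can sign on only as a groupless client or as a client group that has no `apiauth` line of its own; with override semantics the same user also passes for `exampleclient`, which was restricted to `uid=root`.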



