[Openswan dev] user control of conns

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----


DHR, I wrote a minimal version of whack that can only do --initiate
     and --terminate. 

It was my intention to make this program setuid root, such that it could
talk to the whack socket. 

On the other hand, making the whack socket have group permissions
permits the executable either to be setgid() instead, or for the user to
actually be a member of a "pluto" (or "ipsec" ??) group.

What do you think?

a) setuid-root permits pluto to remain very much isolated.
   Access control to the binary can be via group permissions on the 
   executable.

b) setgid-pluto permits pluto to be controlled more easily, but anyone
   that can run the setgid program can up/down conns.
   (alas, groups are overloaded --- both to decide who can run the
   executable, and to decide what to setgid to. The program could be
   setgid-pluto, and it could then check the gid-vector for a second
   group of people who are permitted to change states)


Note that group access to /var/run/pluto_ctl means that anyone in the
pluto group can load new policy, etc. which is *not* the intention of
whackinit.

Rather the goal was to permit a mortal user to start/stop a VPN.
I think that loading a conn should definitely require root. Thus I am
shying away from group permissions on the socket.

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQbXafIqHRg3pndX9AQGDEAQA13C7EFKrAsgkkXpTa5kMsTr+dSK/QLd3
vIOtDkn9wqFUBUuXG01O2TsyPK78/6TdkHb0XRgzP9RyulwOF/Y8yoCWul3Q1+Kb
ScDJDvfAR1LuG6tGQCxBVox5BhWN7QJK/Mt28lz4ju+2WdVSG8hYQc5BJZwX7Vd0
BVfJEdNDuuM=
=y+0T
-----END PGP SIGNATURE-----