[Openswan dev] user control of conns
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Dec 7 09:29:50 CET 2004
DHR, I wrote a minimal version of whack that can only do --initiate
and --terminate.
It was my intention to make this program setuid root, such that it could
talk to the whack socket.
On the other hand, making the whack socket have group permissions
permits the executable either to be setgid() instead, or for the user to
actually be a member of a "pluto" (or "ipsec" ??) group.
What do you think?
a) setuid-root permits pluto to remain very much isolated.
Access control to the binary can be via group permissions on the
executable.
b) setgid-pluto permits pluto to be controlled more easily, but anyone
that can run the setgid program can up/down conns.
(alas, groups are overloaded --- both to decide who can run the
executable, and to decide what to setgid to. The program could be
setgid-pluto, and it could then check the gid-vector for a second
group of people who are permitted to change states)
Note that group access to /var/run/pluto_ctl means that anyone in the
pluto group can load new policy, etc. which is *not* the intention of
whackinit.
Rather the goal was to permit a mortal user to start/stop a VPN.
I think that loading a conn should definitely require root. Thus I am
shying away from group permissions on the socket.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [