[Openswan dev] user control of conns

D. Hugh Redelmeier hugh at mimosa.com
Wed Dec 8 12:43:14 CET 2004


| From: Ludwig Nussel <ludwig.nussel at suse.de>

| Use neither setuid nor setgid, make the socket accessible by
| everyone instead. It's a unix domain socket so pluto can check who
| is connecting and reject unauthorized users. The messages coming
| from non-root users cannot be trusted then though.

After I sent the message, I too thought of this.

Making the socket wide-open (with Pluto ignoring unauthorized messages)
allows for yet another local DoS.  Might not matter -- there are so many
others.

And another alternative: two whack sockets -- one for fully
authorized users and one for users with limited authorization.  This
could be generalized to any number (small, I hope) of sockets.

It is nice to shift the policy outside of Openswan code to the
permissions system.  This system should be understood by sysadmins
because it is pervasive in UNIX.  Otherwise, they need to absorb
an Openswan-specific mechanism.  Also, it should be easier to
ensure that Openswan hasn't authorization bugs since the
implementation is exterior.  That being said, the permissions system
may not be a perfect fit.
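A sketch, added here as an example and not taken from Openswan's pluto or whack code, of the check Ludwig describes: a world-accessible AF_UNIX socket where the daemon asks the kernel who is on the other end (SO_PEERCRED, a Linux-specific option) and only then decides, per request, whether the sender is fully authorized, partly authorized, or to be ignored. The admin group id, the request codes and the socketpair self-test are constructed for the example.

```c
/* Added example, not Openswan code: peer-credential check on an AF_UNIX socket. */
#define _GNU_SOURCE          /* struct ucred and SO_PEERCRED are Linux extensions */
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>

/* Authorization levels. Everyone may connect to the socket; what they may
 * do is decided here, after the kernel has told us who they are. */
enum authz { AUTHZ_NONE = 0, AUTHZ_LIMITED = 1, AUTHZ_FULL = 2 };

/* Constructed request codes for the example (whack-like operations). */
enum op { OP_STATUS = 0, OP_INITIATE_OWN = 1, OP_ADD_CONN = 2, OP_SHUTDOWN = 3 };

/* Policy: root has full control; members of admin_gid (constructed) may only
 * query status and bring up a connection; everyone else is rejected. */
enum authz classify_peer(uid_t uid, gid_t gid, gid_t admin_gid)
{
    if (uid == 0)          return AUTHZ_FULL;
    if (gid == admin_gid)  return AUTHZ_LIMITED;
    return AUTHZ_NONE;
}

/* Is this operation permitted at this authorization level? */
int op_allowed(enum authz level, enum op request)
{
    switch (level) {
    case AUTHZ_FULL:    return 1;
    case AUTHZ_LIMITED: return request == OP_STATUS || request == OP_INITIATE_OWN;
    default:            return 0;
    }
}

/* Ask the kernel for the credentials of the peer on a connected AF_UNIX
 * socket. Returns 0 and fills *level on success, -1 (errno set) on failure. */
int peer_authz(int fd, gid_t admin_gid, enum authz *level)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *level = classify_peer(cr.uid, cr.gid, admin_gid);
    return 0;
}

/* Self-contained check using a socketpair: both ends belong to this process,
 * so SO_PEERCRED reports our own uid/gid. Our own gid is passed as the admin
 * group, so the result is AUTHZ_FULL when run as root and AUTHZ_LIMITED otherwise. */
int demo_self(enum authz *level)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = peer_authz(sv[0], getegid(), level);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    enum authz level;
    if (demo_self(&level) < 0) {
        perror("peer_authz");
        return 1;
    }
    printf("peer level %d: status %s, shutdown %s\n", (int)level,
           op_allowed(level, OP_STATUS)   ? "allowed" : "denied",
           op_allowed(level, OP_SHUTDOWN) ? "allowed" : "denied");
    return 0;
}
```

The credential lookup happens before any request bytes are parsed, which is what makes it safe to leave the socket mode wide open: an unauthorized sender is classified and dropped, not interpreted. It does nothing about the local DoS Hugh mentions, since anyone can still connect and consume the daemon's time; the two-socket alternative he sketches would instead be two bind() calls on separate paths with different file modes, with the policy living in the directory permissions rather than in this table.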


