[Openswan dev] user control of conns
Ludwig Nussel
ludwig.nussel at suse.de
Thu Dec 9 17:17:30 CET 2004
D. Hugh Redelmeier wrote:
> | From: Ludwig Nussel <ludwig.nussel at suse.de>
>
> | Use neither setuid nor setgid, make the socket accessible by
> | everyone instead. It's a unix domain socket so pluto can check who
> | is connecting and reject unauthorized users. The messages coming
> | from non-root users cannot be trusted then though.
>
> After I sent the message, I too thought of this.
>
> Making the socket wide-open (with Pluto ignoring unauthorized messages)
> allows for yet another local DoS. Might not matter -- there are so many
> others.
>
> And another alternative: two whack sockets -- one for fully
> authorized users and one for users with limited authorization. This
> could be generalized to any number (small, I hope) of sockets.
>
> It is nice to shift the policy outside of Openswan code to the
> permissions system. This system should be understood by sysadmins
> because it is pervasive in UNIX. Otherwise, they need to absorb
> an Openswan-specific mechanism. Also, it should be easier to
> ensure that Openswan hasn't authorization bugs since the
> implementation is exterior. That being said, the permissions system
> may not be a perfect fit.
Depends how fine grained the user control should be. You need the
authorization inside openswan if you want to control it on a per
tunnel basis. Like bob can initiate tunnel foo but not bar. Unless
you create a socket for each user controllable tunnel and then apply
filesystem acls on it or so.
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/