[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[leafnode-list] Re: ACLs


without being involved in ACL things or something and probably without
ever going to use something like this, nonetheless I want to suggest a
little improvement. Before I already used INNs access-control system for
my own home server. Today I use "listen on IP ..." and IP-based
filtering to make sure, noone can abuse my leafnode.

On Sun, Jul 30, 2006 at 01:32:21PM +1000, Matthew Parry wrote:
> I've been reading up a bit and thinking about ACLs and I can see
> now that there are some problems with the way I've implemented
> them.  To make ACLs more general, for application to user/pass
> etc, I think there should be a separate file defining the ACLs
> which will allow us to refer to lists of groups by name.

That sounds alright. Furthermore I'd create a second file with i

| user - passwd - IPs allowed(?) - group 

if I had to implement things like that. IP based things could turn out a
bit difficult, since IPs are not known to leafnode but only to inetd,

Maybe /etc/leafnode/users

| all		.*	.*		world
| matthew	secret	192\.168\.0.*	business
| martin	passwd	127\.0\.0\.*	fullaccess

> eg, we could have a file /etc/leafnode/access such as:

/etc/leafnode/acl ?

> # Define some lists of groups.
> #
> # acl=name - define a new acl called "name"
> # groups=pattern,pattern,... - set which groups
> #			belong to the ACL using
> #			wildmat patterns.
> # The standard hierarchies.
> acl=standard
> groups=alt.*,comp.*,gnu.*,linux.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*
> # Groups with no relevance to a business
> acl=recreational
> groups=alt.*,rec.*,talk.*

Looks good ... but ...

> # Groups allowed at some business accessing the server
> # add=name,name,... - Add the groups in the named ACLs.
> # delete=name,name,... - Delete the groups in the named ACLs.
> acl=business
> add=standard
> delete=recreational
> # The business is in Australia, so add the aus hierarchy
> groups=aus.*

Somehow I don't like this.

On second thought there's also read/write permission missing.

What about the following way (I leave the comments out):

| [standard]
| R alt.*
| R comp.*
| R gnu.*
| R linux.*
| R misc.*
| R news.*
| R rec.*
| R sci.*
| R soc.*
| R talk.*
| [recreational]
| R alt.*
| R rec.*
| R talk.*
| [business]
| @standard
| !@recreational
| R aus.*
| W .*business.*

So a user of ACL business may read comp, gnu, linux, misc, news, sci,
soc and aus, but only write to groups containing "business". An internal
rule could be added saying: If there's no read access to a group,
there's never write access.

Just my thoughts about it...

leafnode-list mailing list