
[leafnode-list] Re: ACLs



Hi,

Without being involved in ACL things or something, and probably without
ever going to use something like this, I nonetheless want to suggest a
little improvement. Before, I already used INN's access-control system for
my own home server. Today I use "listen on IP ..." and IP-based
filtering to make sure no one can abuse my leafnode.

On Sun, Jul 30, 2006 at 01:32:21PM +1000, Matthew Parry wrote:
> I've been reading up a bit and thinking about ACLs and I can see
> now that there are some problems with the way I've implemented
> them.  To make ACLs more general, for application to user/pass
> etc, I think there should be a separate file defining the ACLs
> which will allow us to refer to lists of groups by name.

That sounds alright. Furthermore, I'd create a second file with

| user - passwd - IPs allowed(?) - group 

if I had to implement things like that. IP-based things could turn out a
bit difficult, since IPs are not known to leafnode but only to inetd,
IIRC.

Maybe /etc/leafnode/users

| all		.*	.*		world
| matthew	secret	192\.168\.0.*	business
| martin	passwd	127\.0\.0\.*	fullaccess

> eg, we could have a file /etc/leafnode/access such as:

/etc/leafnode/acl ?

> # Define some lists of groups.
> #
> # acl=name - define a new acl called "name"
> # groups=pattern,pattern,... - set which groups
> #			belong to the ACL using
> #			wildmat patterns.
> 
> # The standard hierarchies.
> acl=standard
> groups=alt.*,comp.*,gnu.*,linux.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*
> 
> # Groups with no relevance to a business
> acl=recreational
> groups=alt.*,rec.*,talk.*

Looks good ... but ...

> # Groups allowed at some business accessing the server
> # add=name,name,... - Add the groups in the named ACLs.
> # delete=name,name,... - Delete the groups in the named ACLs.
> acl=business
> add=standard
> delete=recreational
> # The business is in Australia, so add the aus hierarchy
> groups=aus.*

Somehow I don't like this.

On second thought there's also read/write permission missing.

What about the following way (I leave the comments out):

| [standard]
| R alt.*
| R comp.*
| R gnu.*
| R linux.*
| R misc.*
| R news.*
| R rec.*
| R sci.*
| R soc.*
| R talk.*
|
| [recreational]
| R alt.*
| R rec.*
| R talk.*
| 
| [business]
| @standard
| !@recreational
| R aus.*
| W .*business.*

So a user of ACL business may read comp, gnu, linux, misc, news, sci,
soc and aus, but only write to groups containing "business". An internal
rule could be added saying: If there's no read access to a group,
there's never write access.

Just my thoughts about it...

Martin
-- 
_______________________________________________
leafnode-list mailing list
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
https://www.dt.e-technik.uni-dortmund.de/mailman/listinfo/leafnode-list
http://leafnode.sourceforge.net/
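As an added example (not code from the post, nor from leafnode itself), a small Python resolver for the [section] format Martin sketches above: it expands @name includes and !@name exclusions, then decides read/write access for a group, applying the "no read access means never write access" rule from the post. It assumes the patterns are full-match regular expressions (Matthew's draft spoke of wildmat) and uses a shortened [standard] list.

```python
import re

# Constructed sample in the format proposed in the post ([standard] shortened).
ACL_TEXT = """
[standard]
R alt.*
R comp.*
R rec.*
[recreational]
R alt.*
R rec.*
[business]
@standard
!@recreational
R aus.*
W .*business.*
"""

def parse_acl(text):
    """Map each [section] name to its raw rule lines; blank and # lines are ignored."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif line and not line.startswith("#"):
            if current is None:
                raise ValueError("rule outside any [section]: " + line)
            current.append(line)
    return sections

def resolve(sections, name):
    """Expand @name (include) and !@name (exclude) into a flat (perm, pattern) list."""
    rules = []
    for line in sections[name]:
        if line.startswith("!@"):            # drop every rule the named ACL grants
            drop = resolve(sections, line[2:])
            rules = [r for r in rules if r not in drop]
        elif line.startswith("@"):           # pull in the named ACL's rules
            rules += resolve(sections, line[1:])
        else:
            perm, pattern = line.split(None, 1)
            rules.append((perm.upper(), pattern))
    return rules

def access(sections, acl, group):
    """'RW', 'R' or '' for group; patterns treated as full-match regexes (assumption)."""
    hit = {p for p, pat in resolve(sections, acl) if re.fullmatch(pat, group)}
    if "R" not in hit:
        return ""                            # post's internal rule: no read, never write
    return "RW" if "W" in hit else "R"
```

With the sample above, a business user gets "R" on comp.lang.c, "RW" on aus.business, and nothing on alt.business.talk, because the W pattern matches but read access to alt.* was removed by !@recreational.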