[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[leafnode-list] Re: ACLs
Hi,
without being involved in ACL things or something and probably without
ever going to use something like this, nonetheless I want to suggest a
little improvement. Before I already used INNs access-control system for
my own home server. Today I use "listen on IP ..." and IP-based
filtering to make sure, noone can abuse my leafnode.
On Sun, Jul 30, 2006 at 01:32:21PM +1000, Matthew Parry wrote:
> I've been reading up a bit and thinking about ACLs and I can see
> now that there are some problems with the way I've implemented
> them. To make ACLs more general, for application to user/pass
> etc, I think there should be a separate file defining the ACLs
> which will allow us to refer to lists of groups by name.
That sounds alright. Furthermore I'd create a second file with i
| user - passwd - IPs allowed(?) - group
if I had to implement things like that. IP based things could turn out a
bit difficult, since IPs are not known to leafnode but only to inetd,
iirc.
Maybe /etc/leafnode/users
| all .* .* world
| matthew secret 192\.168\.0.* business
| martin passwd 127\.0\.0\.* fullaccess
> eg, we could have a file /etc/leafnode/access such as:
/etc/leafnode/acl ?
> # Define some lists of groups.
> #
> # acl=name - define a new acl called "name"
> # groups=pattern,pattern,... - set which groups
> # belong to the ACL using
> # wildmat patterns.
>
> # The standard hierarchies.
> acl=standard
> groups=alt.*,comp.*,gnu.*,linux.*,misc.*,news.*,rec.*,sci.*,soc.*,talk.*
>
> # Groups with no relevance to a business
> acl=recreational
> groups=alt.*,rec.*,talk.*
Looks good ... but ...
> # Groups allowed at some business accessing the server
> # add=name,name,... - Add the groups in the named ACLs.
> # delete=name,name,... - Delete the groups in the named ACLs.
> acl=business
> add=standard
> delete=recreational
> # The business is in Australia, so add the aus hierarchy
> groups=aus.*
Somehow I don't like this.
On second thought there's also read/write permission missing.
What about the following way (I leave the comments out):
| [standard]
| R alt.*
| R comp.*
| R gnu.*
| R linux.*
| R misc.*
| R news.*
| R rec.*
| R sci.*
| R soc.*
| R talk.*
|
| [recreational]
| R alt.*
| R rec.*
| R talk.*
|
| [business]
| @standard
| !@recreational
| R aus.*
| W .*business.*
So a user of ACL business may read comp, gnu, linux, misc, news, sci,
soc and aus, but only write to groups containing "business". An internal
rule could be added saying: If there's no read access to a group,
there's never write access.
Just my thoughts about it...
Martin
--
_______________________________________________
leafnode-list mailing list
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
https://www.dt.e-technik.uni-dortmund.de/mailman/listinfo/leafnode-list
http://leafnode.sourceforge.net/