On 01/28/09 11:21, Gary Winiger wrote:
> Sangeeta,
>
>   
>> Recall that we had presented the following proposal for ILB at PSARC 
>> Inception (PSARC case 2008/575)
>>
>> 9.1 IPC details and privileges for ilbd daemon
>>
>>        We will use AF_UNIX socket (socket type of SOCK_SEQPACKET) 
>>        for IPC between libilb and ilbd as both processes will run on the same
>>        machine.  A subset of ilbadm commands will require privileges
>>     
>                                                           ^^^^^^^^^^
>       While that might be how to express the enforcement in the kernel,
>       As I understand things ilbadm really just calls ilbd which
>       does the access check and then proxies the call to the kernel.
>       So it would be more appropriate to say "will require that the
>       calling user be authorized" -- and the specific authorizations
>       are part of the exported interfaces.  The auths also need to be
>       made available either in an existing Rights Profile, or a new
>       one created.  The ilbadm man page should document that the
>       subset of commands can only be run by users having the Rights Profile.
>   
>   
>> Assuming we go with the "root" with dropped privileges approach, please 
>> provide us guidance for the specific issues:
>>
>> o  Where would you recommend that the persistent config files belong? 
>> Would having them in the /etc/ilbadm directory still be appropriate?
>>     
>
>       Ideally it would not exist and be a [set of] smf properties.
>       Since I believe we've already been down that path and the file
>       is too complex for properties, what's wrong with the use of
>       /etc/ilbadm/*?   Is the issue that ilbd can't hold the files open
>       and needs create access in that directory so it can do atomic
>       renames?
>   
Gary,

We plan to use /etc/ilbadm/* for storing the persistent config.  Is 
there an existing Solaris feature that implements the "root" with dropped 
privileges approach that we can use as a reference?

Also recall that ilbadm has two sets of commands - one is for viewing 
(i.e. statistics, load balancing rules, etc.) and the other is for 
configuration (creating rules, adding/removing backend servers, 
enabling/disabling rules, etc.). We would like the viewing related 
commands to be accessible by all and some form of authorization for the 
configuration commands. It is also important that the task for the user 
to set up the authorization for this is minimal and easy to do.

Can you kindly provide input on what you would recommend in terms of 
authorization? Again a reference to a Solaris feature that implements 
the authorization in a similar way would be much appreciated.
Sangeeta


>   
>> o You had also advised us that in order to keep things simple we should 
>> run *all* the health checks that ILB provides with a set of privileges 
>> and document that by default the user-supplied health checks will also 
>> run with the same exact set of privileges. If the admin has some 
>> user-supplied scripts that require a larger priv set he/she will have to 
>> run it with setuid explicitly (I assume that would be root with just 
>> the essential privileges). I assume this advice would still stand?
>>     
>
>       Yes.  If it turns out that ilbd needs to keep all privs in its
>       permitted set, then things could be more flexible.
>
> HTH,
> Gary..
> _______________________________________________
> ilb-dev mailing list
> ilb-dev at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/ilb-dev
>   
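The access check Gary describes above, where ilbadm only talks to ilbd and ilbd establishes who the caller is before proxying anything to the kernel, is easy to get wrong by trusting a uid the client puts in its request. Below is an added example, not code from this thread or from the ILB project, showing the daemon side of that pattern over an AF_UNIX SOCK_SEQPACKET socket: the caller's uid is read from the kernel via the socket, viewing commands pass for everyone, and configuration commands require a named authorization. It is written for Linux, so peer identity comes from SO_PEERCRED; on Solaris the equivalent calls are getpeerucred(3C) and ucred_geteuid(3C), and the authorization lookup would be chkauthattr(3SECDB) against the RBAC databases. The authorization name, the command lists and the in-memory table standing in for user_attr are all constructed for illustration.

```c
/* Added example (not from the ilb-dev thread or the ILB project): daemon-side
 * authorization for requests arriving over an AF_UNIX SOCK_SEQPACKET socket.
 * Linux build: peer identity via SO_PEERCRED. On Solaris use getpeerucred(3C)
 * + ucred_geteuid(3C) for identity and chkauthattr(3SECDB) for the auth check. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Command classes: viewing is open to everyone, configuration needs an auth. */
enum ilb_cmd_class { ILB_CMD_VIEW, ILB_CMD_CONFIG, ILB_CMD_UNKNOWN };

/* Hypothetical authorization name required for configuration commands. */
#define ILB_CONFIG_AUTH "solaris.network.ilb.config"

/* Constructed stand-in for the RBAC database: which uids hold which auths. */
struct auth_grant { uid_t uid; const char *auth; };
static const struct auth_grant auth_db[] = {
    { 0,    ILB_CONFIG_AUTH },   /* root holds the config auth */
    { 1001, ILB_CONFIG_AUTH },   /* constructed: an ILB administrator */
};

/* Classify a request by command name, as the daemon would before doing any work.
 * Command names are constructed; they are not the real ilbadm subcommands. */
enum ilb_cmd_class ilb_classify(const char *cmd)
{
    static const char *view[] = { "show-rule", "show-server", "show-stats", NULL };
    static const char *config[] = { "create-rule", "delete-rule", "add-server",
                                    "remove-server", "enable-rule", "disable-rule", NULL };
    for (int i = 0; view[i]; i++)
        if (strcmp(cmd, view[i]) == 0) return ILB_CMD_VIEW;
    for (int i = 0; config[i]; i++)
        if (strcmp(cmd, config[i]) == 0) return ILB_CMD_CONFIG;
    return ILB_CMD_UNKNOWN;
}

/* Stand-in for chkauthattr(3SECDB): does uid hold the named authorization? */
int ilb_user_has_auth(uid_t uid, const char *auth)
{
    for (size_t i = 0; i < sizeof auth_db / sizeof auth_db[0]; i++)
        if (auth_db[i].uid == uid && strcmp(auth_db[i].auth, auth) == 0) return 1;
    return 0;
}

/* Decide whether the calling uid may run cmd. Unknown commands are denied. */
int ilb_authorize(uid_t caller, const char *cmd)
{
    switch (ilb_classify(cmd)) {
    case ILB_CMD_VIEW:   return 1;
    case ILB_CMD_CONFIG: return ilb_user_has_auth(caller, ILB_CONFIG_AUTH);
    default:             return 0;
    }
}

/* Peer identity from the kernel: the daemon never trusts a uid sent by the client. */
int ilb_peer_uid(int fd, uid_t *uid)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    *uid = cr.uid;
    return 0;
}

/* End-to-end demo over a socketpair: the "client" end sends a command name,
 * the "daemon" end reads the peer uid and authorizes. Returns 1 if allowed,
 * 0 if denied, -1 on a socket error. */
int ilb_demo_request(const char *cmd)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0) return -1;
    int rc = -1;
    char buf[64] = {0};
    uid_t caller;
    if (send(sv[0], cmd, strlen(cmd), 0) >= 0 &&
        recv(sv[1], buf, sizeof buf - 1, 0) >= 0 &&
        ilb_peer_uid(sv[1], &caller) == 0)
        rc = ilb_authorize(caller, buf);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    const char *cmds[] = { "show-stats", "create-rule", "bogus" };
    for (int i = 0; i < 3; i++)
        printf("%-12s -> %s\n", cmds[i],
               ilb_demo_request(cmds[i]) == 1 ? "allowed" : "denied");
    return 0;
}
```

The point of the demo is the split of responsibilities: the client only names a command, the kernel supplies the caller's identity, and the daemon alone decides, with a deny-by-default for anything it does not recognise. In a real ilbd the auth_db table would be replaced by a chkauthattr(3SECDB) call so that granting the Rights Profile to a user is the only administrative step.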
