SystemImager devel code now does (and requires) "hosts allow = " restrictions in rsyncd.conf on "golden clients" during prepareclient with the required --server option, limiting access to the server.
The server side rsync header file
"/etc/systemimager/rsync_stubs/10header"
includes the comments below, and perhaps will automate and require the addition of this in the near future:

#
# For additional security, modify and uncomment this line.  See
# "man rsyncd.conf" for details.
#
#hosts allow = 127.0.0.0/24 MY_NET/NETMASK MY_CLIENT/32

As part of the OSCAR install, we could simply add a line like the above, but with the compute node network information instead of MY_NET/NETMASK. I know this only addresses one concern, but hey -- there you go.
> * both of these services can and should be tcp wrapped
> * if we can't take steps to secure a running tftpd, we've got serious
>   problems. We are apparently comfortable having it running on some
>   (arguably most) clusters, then we need a security scheme good enough for
>   all anyway

That's good to hear. That will be a nice option to have once it's released... and in the period that it's not available, we should be able to tcp_wrap it external to the SI installation of course. We'll be doing it to tftpd anyway; it's trivial to add another port to the list.
Jeremy
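
Added example, not part of the original message and not SystemImager or OSCAR code: a small Python audit that reports which rsyncd.conf modules end up with no "hosts allow" restriction, or allow networks outside the compute node network. The sample config, its module names and paths, and the 10.0.0.0/24 cluster network are constructed assumptions.

```python
import ipaddress

# Constructed sample config; module names and paths are illustrative only.
SAMPLE = """\
hosts allow = 127.0.0.1/32 10.0.0.0/24
[images]
    path = /srv/example/images
[extras]
    hosts allow = 10.0.0.0/24 192.168.0.0/16
[public]
    hosts allow = *
"""

def parse(text):
    # Simplification: parameter names are lowercased with whitespace removed.
    glob, mods, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = mods.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, val = line.split("=", 1)
            key = "".join(key.split()).lower()
            (glob if cur is None else cur)[key] = val.strip()
    return glob, mods

def audit(text, cluster_net):
    """Map each module to a list of findings (empty list = restricted)."""
    net = ipaddress.ip_network(cluster_net)
    glob, mods = parse(text)
    report = {}
    for name, params in mods.items():
        # A module-level setting overrides the global default.
        allow = params.get("hostsallow", glob.get("hostsallow"))
        if not allow:
            report[name] = ["no hosts allow: any host may connect"]
            continue
        issues = []
        for pat in allow.replace(",", " ").split():
            try:
                p = ipaddress.ip_network(pat, strict=False)
            except ValueError:
                issues.append(f"{pat}: not an address pattern, review by hand")
                continue
            if not (p.is_loopback or (p.version == net.version and p.subnet_of(net))):
                issues.append(f"{pat}: outside {net}")
        report[name] = issues
    return report
```

Running audit(SAMPLE, "10.0.0.0/24") returns an empty list for each module limited to loopback and the cluster network, and a finding for each pattern that reaches beyond it.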
_______________________________________________
Oscar-devel mailing list
https://lists.sourceforge.net/lists/listinfo/oscar-devel
