Module Name: src Committed By: pooka Date: Mon Feb 7 22:04:36 UTC 2011
Modified Files: src/lib/librump: rump_sp.7 Log Message: add some notes on access control To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/lib/librump/rump_sp.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/librump/rump_sp.7 diff -u src/lib/librump/rump_sp.7:1.3 src/lib/librump/rump_sp.7:1.4 --- src/lib/librump/rump_sp.7:1.3 Tue Jan 25 14:05:43 2011 +++ src/lib/librump/rump_sp.7 Mon Feb 7 22:04:36 2011 @@ -1,4 +1,4 @@ -.\" $NetBSD: rump_sp.7,v 1.3 2011/01/25 14:05:43 pooka Exp $ +.\" $NetBSD: rump_sp.7,v 1.4 2011/02/07 22:04:36 pooka Exp $ .\" .\" Copyright (c) 2010 Antti Kantee. All rights reserved. .\" @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd December 16, 2010 +.Dd February 7, 2011 .Dt RUMP_SP 7 .Os .Sh NAME @@ -79,6 +79,16 @@ modifying the shell prompt is recommended -- this is analoguous to the visual clue you have when you login from one machine to another. +.Ss Client credentials and access control +The current scheme gives all connecting clients root credentials. +It is recommended to take precautions which prevent unauthorized +access. +For a unix domain socket it is enough to prevent access to the +socket using file system permissions. +For TCP/IP sockets the only available means is to prevent network +access to the socket with the use of firewalls. +More fine-grained access control based on cryptographic credentials +may be implemented at a future date. .Sh EXAMPLES Get a list of file systems supported by a rump kernel server (in case that particular server does not support file systems,