Hi Lars,

Lars Marowsky-Bree wrote:
> On 2010-01-11T15:02:29, Andrew Beekhof <and...@beekhof.net> wrote:
>
>>> For this authentication issue of local access we discussed last time, I
>>> added a geteuid() in the cib_native_signon_raw() function from libcib.
>>> Once a client signs on the CIB, it'll invoke the function and transfer
>>> its uid to the server end.
>> I don't see anywhere that the server checks passwords. Is that really
>> intentional?
>
> I agree, the server needs to verify the credentials. Client-side UID is
> not strong enough - after all, we're trying to authenticate & authorize
> the _client_, and it won't do to have the client tell us what it thinks
> its auth level should be - that would be a bit easy to check ;-)
>
>> What's the role of this code, is it meant to provide actual security?
>> Or is it just casual protection from people accidentally touching
>> stuff they probably didn't mean to touch?
>
> If we provide the latter, they'll expect it to provide the former. So we
> need to verify credentials in the CIB server process instead. For SSL
> connections to the server, this means username/password transfer, or
> challenge-response.
>
> For local sockets, we can use code similar to the IPC socket stuff from
> heartbeat to get the uuid from the other end of the socket?

If I understand right, pacemaker uses something called a "uuid ticket", which is given by the server end when a client signs on the CIB, and then it's used in the subsequent requests for the server end to determine which IPC channel the reply should be sent through. But before the server gives the uuid ticket to the client, it still needs to authenticate the user, I think.

Is that the same way in heartbeat? If not, there must be a way for the server to determine who's actually on the other end of the socket rather than the client telling it?

>
> In the mean-time, reviewing the syntax is probably quite important too.

Right, I'm looking forward to your comments on that :-)

Thanks,
Yan

--
Yan Gao <y...@novell.com>
Software Engineer
China Server Team, OPS Engineering, Novell, Inc.

_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker