[illumos-Developer] Integrating identd
Garrett D'Amore
garrett at damore.org
Mon Apr 4 09:20:44 PDT 2011
On Mon, 2011-04-04 at 16:35 +0100, River Tarnell wrote:
> Andrew Gabriel:
> > River Tarnell wrote:
> > > For zones, I think when running in a local zone it should only
> > > return connections associated with that zone (and return ESRCH for
> > > other connections). In the global zone, perhaps a flag could be
> > > used to select whether to return only connection from the global
> > > zone (which identd would use), or connections from any zone (which
> > > might be useful for other processes).
>
> > The protocol does not include any provision for asking about other
> > IP addresses AFAICS, so I can't see any way in which it could ask
> > about connections in another zone (global, or non-global).
>
> > Your proposed syscall is not so constrained though, and you are
> > maybe worrying about limiting access to a feature you didn't need to
> > add in the first place?
>
> I'm not sure I understand...
>
> If you mean that there's no need for a way to query addresses from other
> zones, you're right, identd doesn't need that; but perhaps something
> else that calls this interface would find it useful. Other bits of the
> system have similar zone-aware interfaces (SO_ALLZONES being a similar
> example).
>
> Or do you mean that since the syscall already includes both endpoints,
> the 'all zones' flag would be implicit when requesting an IP address
> assigned to a non-global zone?
I'd say that a non-global zone ought not be able to query the credential
for an endpoint it doesn't "own".
Of course, there's a different question, which is how to deal with
shared IP stacks. I'm not familiar enough with the code to know if you
can tell that a connection associated with a shared IP stack is owned by
a particular zone or not.
You also have to deal with RBAC in a zone-aware manner.
- Garrett
>
> - river.
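As an added illustration of the zone policy the thread converges on (a non-global zone may only resolve endpoints it owns and gets ESRCH for anything else; the global zone may opt into seeing every zone's connections with a flag), here is a small user-space C model. It is not illumos code and not the syscall River proposed: the connection table, the zone ids, the address values and the function name ident_lookup are all constructed for this example. The shared-IP-stack and RBAC questions Garrett raises are left open here, exactly as they are in the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define GLOBAL_ZONEID 0  /* the illumos global zone has zone id 0 */

/* One established TCP connection as seen by the (hypothetical) lookup. */
typedef struct {
    const char *laddr;   /* local address (the side identd answers for) */
    uint16_t    lport;
    const char *raddr;   /* remote address (the ident client's side) */
    uint16_t    rport;
    int         zoneid;  /* zone that owns the endpoint */
    uid_t       uid;     /* credential the lookup would report */
} conn_t;

/* Constructed sample connection table; addresses are documentation ranges. */
static const conn_t conn_table[] = {
    { "192.0.2.10", 22,   "198.51.100.5", 40001, GLOBAL_ZONEID, 0    },
    { "192.0.2.11", 80,   "198.51.100.6", 40002, 1,             80   },
    { "192.0.2.12", 8080, "198.51.100.7", 40003, 2,             1001 },
};
static const size_t conn_count = sizeof (conn_table) / sizeof (conn_table[0]);

/*
 * ident_lookup: model of the zone-aware policy from the thread.
 *   req_zone - zone of the caller
 *   allzones - caller asks to see every zone's connections; honoured only
 *              when req_zone is the global zone, ignored otherwise
 * Returns 0 and fills *uidp on success. Returns ESRCH both when the 4-tuple
 * is unknown and when it is owned by a zone the caller may not query, so a
 * non-global zone cannot tell "no connection" from "not yours".
 */
int
ident_lookup(int req_zone, int allzones,
    const char *laddr, uint16_t lport,
    const char *raddr, uint16_t rport, uid_t *uidp)
{
	size_t i;

	for (i = 0; i < conn_count; i++) {
		const conn_t *c = &conn_table[i];

		if (c->lport != lport || c->rport != rport ||
		    strcmp(c->laddr, laddr) != 0 || strcmp(c->raddr, raddr) != 0)
			continue;

		if (c->zoneid == req_zone ||
		    (req_zone == GLOBAL_ZONEID && allzones)) {
			*uidp = c->uid;
			return (0);
		}
		return (ESRCH);  /* exists, but belongs to another zone */
	}
	return (ESRCH);          /* no such connection */
}

int
main(void)
{
	uid_t uid;
	int rv;

	/* A non-global zone asking about a global-zone endpoint: refused. */
	rv = ident_lookup(1, 1, "192.0.2.10", 22, "198.51.100.5", 40001, &uid);
	printf("zone 1 -> global endpoint: %s\n",
	    rv == 0 ? "ok" : strerror(rv));

	/* The global zone with the all-zones flag can see zone 2's endpoint. */
	rv = ident_lookup(GLOBAL_ZONEID, 1, "192.0.2.12", 8080,
	    "198.51.100.7", 40003, &uid);
	printf("global (allzones) -> zone 2 endpoint: %s uid=%ld\n",
	    rv == 0 ? "ok" : strerror(rv), rv == 0 ? (long)uid : -1L);
	return (0);
}
```

The one design choice worth noting is that the "owned by another zone" and "no such connection" cases return the same errno, so the error itself does not leak whether a connection exists in a zone the caller is not allowed to see.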