James Gates writes:
> I'm sponsoring this case on behalf of Mayuresh Nirhali. Timeout is set
> for 10/22/2008. Attached is the one_pager and FOSS checklist. ARC review
> is required on account of there being configuration files in /etc and
> setuid/setgid privileged binaries.

Yay!

> Dante is a circuit-level firewall/proxy that can be used to provide
> convenient and secure network connectivity to a wide range of hosts
> while requiring only the server Dante runs on to have external
> network connectivity.

Are there follow-on projects to SOCKSify applications?

> Are there any setuid/setgid privileged binaries in the project?
> [X] Yes - ARC review required
[...]
>
> If yes then are the setuid/setgid privileges handled by the use of
> roles?
> [ ] Yes
> [X] No - ARC review required

If you're using SMF for the service, then what's the need for
setuid/setgid?

> 3.4.3 Auditing
> (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for
> details)
> (see http://opensolaris.org/os/community/arc/caselog/2003/397 for
> details)
> Does this component contain administrative or security enforcing
> software?
> [ ] Yes - ARC review required
> [X] No - continue to next section (section 3.4.4)

Is that answer right? The SOCKS server *does* have a facility to
authenticate users and enforce security, doesn't it? I don't think this
has auditing capabilities.

> 3.4.4 Authentication
> (see http://opensolaris.org/os/community/arc/policies/PAM/)
> Do the components contain any authentication code?
> [ ] Yes
> [X] No - continue to next section (section 3.4.5)

The normal Dante server does. You set it up with the "method:" keyword.

> 3.4.5 Passwords
> (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and
> http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for
> details)
> Do any of the components for the project deal with passwords?
> [ ] Yes
> [X] No - continue to next section (section 3.4.6)

Yes; both client and server can use passwords and user names.

> Do network services for the project make decisions based upon user,
> host or service identities?
> [ ] Yes - explain below
> [X] No
> [ ] N/A

Yes, they can do this.

> Do the components make use of secret information during authentication
> and/or authorization?
> [ ] Yes - explain below
> [X] No
> [ ] N/A

Yes.

> | 1 | libdsocks.so | Unstable/Uncommitted | SOCKS daemon library |
> |---------------------+--------------------------------------------------|
> | 2 | libsocks.so  | Unstable/Uncommitted | SOCKS library        |

Given the age and stability of this project, and the way in which
SOCKSified applications depend on them, I don't think the above is
right. Plus, "Unstable" isn't a commitment level.

I suspect that libdsocks.so is actually Project Private (nothing outside
of Dante should use it), and that libsocks.so is a Committed interface
(it's not going to change incompatibly; it's set by the BSD sockets
interface).

> Dante is a third party Socks server and client implementation. The
> current version (1.1.19) is stable and it was released in
> January 2006. Since then, there have been no releases of this product.

That conflicts with the interface stability. If it's stable, then let's
make it stable for our customers as well.

> SMF service for Dante SOCKS server will be added under network category
> as network/sockd. The package will add the manifest file and SMF method
> as below,

Nit: please use network/socks rather than network/sockd. We're trying to
avoid 'd' for 'daemon' in the names of SMF FMRIs.

-- 
James Carlson, Solaris Networking          <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677