--On Wednesday, August 27, 2008 05:51:36 PM -0700 Bill Sommerfeld 
<sommerfeld at sun.com> wrote:

> On Wed, 2008-08-27 at 17:03 -0700, Darren Reed wrote:
>> On 08/27/08 16:37, Bill Sommerfeld wrote:
>> > Unless I'm mistaken, the spec as written would allow *any* service
>> > administrator to inject essentially arbitrary rules into the global
>> > ipf.conf.
>
>> Given David's replies, do you still see that as being possible?
>
> The spec needs to make it clear that it is unsafe to delegate access to
> these properties.
>
> smf could probably use a mechanism to make it harder to screw up access
> to critical properties like this.
>
>> Maybe I should ask, what would you define as being an "overall
>> policy"?
>
> A single coherent source for "what should be allowed on this system"
> which comes from a single origin.  You are likely to lose that coherence
> when you take the policy, salami-slice it, and spread it through a bunch
> of service properties.

It's not a bad model for the same packages and smf services that provide a 
service to contain the required firewall rules, such that those rules are 
installed when the service is installed, and enabled when the service is 
enabled.  However, that only works when the rules are written according to 
a coherent model such that they don't conflict with each other or leave 
gaps that do unsafe things.

I am very wary of a model that permits any service administrator to inject 
arbitrary ipf rules.  This is a problem even if you trust that no service 
admin is malicious (a big leap), because ipf rules may interact with each 
other in complex ways that the service admins may be unable to predict.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA
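The interaction Jeff warns about, as an added example that is not part of the thread: a toy Python evaluator for a tiny subset of ipf rule syntax (last matching rule wins, unless a matching rule says quick; no match means pass) run over a constructed default-deny global policy and a constructed one-line fragment contributed by a single service. The rule subset, addresses and ports are constructed; interface and keep state clauses are not modelled.

```python
# Toy evaluator for a small subset of ipf rule syntax (constructed example, see lead-in).
import re
from ipaddress import ip_address, ip_network

RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)? "
    r"(?:all|(?:proto (?P<proto>\w+) )?from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?)$")

def parse(line):
    """Parse one rule line; 'all' leaves proto/src/dst/port unset (match anything)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    r = m.groupdict()
    r["quick"] = r["quick"] is not None
    r["port"] = int(r["port"]) if r["port"] else None
    return r

def _addr_match(rule_addr, addr):
    return rule_addr in (None, "any") or ip_address(addr) in ip_network(rule_addr, strict=False)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["proto"] in (None, pkt["proto"])
            and _addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt["port"]))

def evaluate(rules, pkt, default="pass"):
    """ipf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation immediately; no match at all means pass."""
    verdict = default
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def decide(fragments, pkt):
    """Splice rule fragments together in the given order, then evaluate one packet."""
    return evaluate([parse(l) for frag in fragments for l in frag], pkt)

# Constructed: a single coherent default-deny policy that admits only ssh ...
GLOBAL_POLICY = ["block in all", "pass in quick proto tcp from any to any port = 22"]
# ... and a well-meaning, non-quick one-liner contributed by one service's admin.
SERVICE_FRAGMENT = ["pass in proto tcp from any to any"]
SSH = {"dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "port": 22}
TELNET = dict(SSH, port=23)  # same flow on port 23: blocked by GLOBAL_POLICY alone
```

With the fragment appended after the global policy, `decide([GLOBAL_POLICY, SERVICE_FRAGMENT], TELNET)` returns "pass" (the non-quick pass is now the last match, so the default deny is silently undone), while the same fragment placed before the policy leaves telnet at "block"; the outcome depends entirely on where the slice is spliced in, which no service admin working on their own fragment can see.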
