DragonFly users List (threaded) for 2009-02
DragonFly BSD
DragonFly users List (threaded) for 2009-02
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: mirror-stream over ssh w/o 'root' privs


From: "Steve O'Hara-Smith" <steve@xxxxxxxxxx>
Date: Wed, 25 Feb 2009 22:53:01 +0000

On Wed, 25 Feb 2009 10:06:14 -0800 (PST)
Matthew Dillon <dillon@apollo.backplane.com> wrote:

>     Well, you can always write the stream out to a file I guess,
>     but the basic problem here is that the mirroring stream is a
>     B-Tree layer stream.  If we can't trust the source there's no
>     point running the stream onto an actual filesystem without some
>     major auditing of its contents.

	I don't think that's the real problem, at least it's not the bit
that makes me nervous. The bit that makes me nervous is opening root access
by ssh at all, it's possible to lock down root ssh access but it's fiddly
and a mistake in doing so leaves a gaping security hole.

	I think what I'd like to be able to do is open a tunnel between the
machines using an unprivileged user and attach a hammer process to each
end. This can of course be done using tools like hose and faucet but I found
them clumsy to use with jscan.

	Perhaps something like a -p <port number> argument for mirror-read,
mirror-read-stream and mirror-write - for mirror-write it would establish a
listening socket on localhost that would only accept one connection at a
time, for the read operations it would connect to the specified port on
localhost.

	If you think it's a good idea I'm pretty sure I can implement it.

-- 
Steve O'Hara-Smith                          |   Directable Mirror Arrays
C:>WIN                                      | A better way to focus the sun
The computer obeys and wins.                |    licences available see
You lose and Bill collects.                 |    http://www.sohara.org/



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]