[OpenAFS-devel] Lockdown for VL and VOL RPC interfaces for non-authenticated user (was: Authorization Checks for VL and VOL RPC interfaces)

Benjamin Kaduk kaduk@MIT.EDU
Sat, 15 Mar 2014 19:50:38 -0400 (EDT)


On Sat, 15 Mar 2014, Gergely Risko wrote:

> I also found this issue today and this bothers me a bit, so I'd like to
> ask if there are any arguments against doing something very simple right
> now:

I do not know of any arguments against doing the easy simple things.

> If I volunteer to create the patchsets needed for this proposal, is
> there willingness to review and merge them?

I expect that review could be obtained. Some amount of prodding in gerrit 
might be necessary, but sometimes that's true regardless of the nature of 
a patch.
Not being a gatekeeper, I cannot speak to willingness to merge, but I 
believe that if code implements a useful feature and has had sufficient 
review, it can get merged.

> Also, are there any other RPCs in other services with significant
> information leakage?  I played around with the PR ACLs, but PR_ListEntry
> seems to be protected now (when using s---- fields), but is there
> something maybe in fileserver?

I can't answer this off the top of my head.

-Ben Kaduk