
[Acf] [RFC] privilege separation in ACF

From: Natanael Copa <natanael.copa_at_gmail.com>
Date: Fri, 09 Nov 2007 17:28:57 +0100

Hi,

I have been talking in private with some of the devs about privilege
separation in ACF. I will present some info here about it, for the
record.

The idea is that only a fraction of the code will need root privileges
and web programming is risky. So it is desirable that only the code
that needs root privileges has it and the rest runs without root
privileges.

So I suggest this: we fork the process, drop the privileges and
implement some kind of local RPC between the processes, but instead of
communicating via a network socket, we can communicate via 2 local
pipes.

This diagram shows how it works:
http://wiki.alpinelinux.org/w/images/3/38/ACF_privilege_separation.pdf

Attached is a small demo to show how it could be implemented, using
JSON. I chose JSON because it's a standard, and there is a library
available that's easy enough for me to understand :)

I have attached json.lua to be able to run the demo, but you will also
need lposix (available in alpine as luaposix).

While this adds a few bits of complexity, thanks to the current MVC
model much of the complexity can be hidden away.

It's just an idea...

-nc
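The fork / drop-privileges / two-pipe JSON RPC design described in the mail, as an added example that is not the attached Lua demo and not ACF code. It is written in Python so it runs stand-alone; which side keeps root (here the forked child), the wire format (one JSON object per line, with "id", "method" and "params"), and the two handlers on the allowlist ("add" and "getuid") are all choices made for this example, not taken from the mail or the diagram. The security point it shows is that the root process only ever executes handlers from a fixed table, and that malformed or unknown requests become error replies rather than exceptions in the privileged side.

```python
import json
import os

# ---- privileged side ----------------------------------------------------

# Allowlist of operations the root process will carry out on request.
# These two handlers are constructed for the example; ACF's real
# privileged operations are not modelled here.
def handle_add(a, b):
    return a + b

def handle_getuid():
    return os.getuid()

HANDLERS = {"add": handle_add, "getuid": handle_getuid}

def dispatch(request_line):
    """Decode one JSON request line and run the matching allowlisted
    handler.  Unknown methods, bad JSON and wrong argument shapes all
    turn into an error reply instead of crashing the root process."""
    try:
        req = json.loads(request_line)
        name = req["method"]
        params = req.get("params", [])
        if not isinstance(params, list):
            raise ValueError("params must be a JSON array")
        handler = HANDLERS.get(name)
        if handler is None:
            return {"id": req.get("id"), "error": "unknown method %r" % name}
        return {"id": req.get("id"), "result": handler(*params)}
    except (ValueError, KeyError, TypeError) as exc:
        return {"id": None, "error": str(exc)}

def serve(read_fd, write_fd):
    """Answer one JSON line per request until the peer closes its pipe."""
    with os.fdopen(read_fd, "r") as rd, os.fdopen(write_fd, "w") as wr:
        for line in rd:
            wr.write(json.dumps(dispatch(line)) + "\n")
            wr.flush()

# ---- unprivileged side --------------------------------------------------

class PrivilegedProxy:
    """Writes requests down one pipe and reads replies from the other,
    mirroring the two-local-pipes layout proposed in the mail."""
    def __init__(self, read_fd, write_fd, pid):
        self.rd = os.fdopen(read_fd, "r")
        self.wr = os.fdopen(write_fd, "w")
        self.pid = pid
        self.next_id = 0

    def call(self, method, *params):
        self.next_id += 1
        msg = {"id": self.next_id, "method": method, "params": list(params)}
        self.wr.write(json.dumps(msg) + "\n")
        self.wr.flush()
        line = self.rd.readline()
        if not line:
            raise RuntimeError("privileged helper went away")
        reply = json.loads(line)
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply["result"]

    def close(self):
        self.wr.close()          # EOF makes serve() return in the child
        self.rd.close()
        os.waitpid(self.pid, 0)

def drop_privileges(uid, gid):
    """Give up root in this process; a no-op when not running as root."""
    if os.getuid() != 0:
        return
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

def start(unprivileged=None):
    """Fork.  The child keeps whatever privileges we started with and
    serves requests; the parent drops to `unprivileged` (a (uid, gid)
    pair, or None to keep the current identity) and gets a proxy."""
    req_r, req_w = os.pipe()   # parent -> child: requests
    rep_r, rep_w = os.pipe()   # child -> parent: replies
    pid = os.fork()
    if pid == 0:
        os.close(req_w)
        os.close(rep_r)
        serve(req_r, rep_w)
        os._exit(0)
    os.close(req_r)
    os.close(rep_w)
    if unprivileged is not None:
        drop_privileges(*unprivileged)
    return PrivilegedProxy(rep_r, req_w, pid)

if __name__ == "__main__":
    import pwd
    nobody = pwd.getpwnam("nobody")            # assumed to exist on the host
    proxy = start((nobody.pw_uid, nobody.pw_gid))
    print("web side uid:", os.getuid(), "helper uid:", proxy.call("getuid"))
    print("2 + 3 =", proxy.call("add", 2, 3))
    proxy.close()
```

Run as root, the `__main__` block shows the web-facing parent running as nobody while the helper still answers with uid 0; run as an ordinary user, both sides report the same uid and the demo still works, which is what makes it easy to test without root. Anything the unprivileged side is not supposed to do simply has no entry in HANDLERS, so the list of root operations is reviewable in one place.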
Received on Fri Nov 09 2007 - 17:28:57 GMT