Re: mail lossage?

becka@sunserver1.rz.uni-duesseldorf.de
Wed, 18 Dec 1996 20:45:42 +0100 (MET)

> Andy> Well ... I assumed everything which has a driver-name starting with
> Andy> net- should be left out ... This could be dynamically added to the
> Andy> basename when exporting.
> OK, I thought some more about it. Maybe the proper solution is to
> view this as an authorization question. We change sane_get_devices()
> and sane_open() to accept a pointer to an authorization structure.
O.K. - we probably should solve the problem of authentication now to
avoid running into it later.

I can think of two possible ways :

1. Introduce a new function sane_auth(char *host,char *uid,char *passwd);
that will set the authentication information, if it is necessary.
If authentication is compiled into SANE, it will refuse
sane_get_devices and sane_open with SANE_AUTH, if no correct auth-info
is set. This is compatible with old clients/servers/specs.
2. Add such parameters to sane_getdev and _open. This makes sane somewhat
more state-free, but is incompatible in two ways :
a) the function prototypes change
b) authorization is not that naturally performed "on demand" ...

> As part of that authorization structure, we can keep info on whether this
> is a local user or a remote user (e.g., a NULL authorization pointer
> would imply local user as defined by getuid() etc).
Well maybe we should add authorization for local users, too.

Suggestion :

/etc/saneconf/passwd : lines of username:crypt-passwd
/etc/saneconf/group : lines of groupname:username,username,...

Each driver will maintain its own authorization data which should be
capable of doing something along the lines of .httpauth :

etc/saneconf/pbmsane
device pbm-test1
allow realuser root becka # derived from getuid
allow realgroup sane # derived from getgid
allow user name # name set via a dialog
allow group name # the authenticated user is in group name
or deny the same possibilities as above

The file would be parsed in the following way :
By default the state of the user is "denied".
The lines are parsed one by one and the appropriate checks are made.
Only such checks which change the current state are done. I.e. if
the state already is "allow", no further "allow" checks are made.
Note that denying by "sane-user" means "require valid sane-login,
but deny list"

> The net backend (metanet) can then decide what to do with a
> get_device() request based on the authorization: if it's a local user,
> return remote devices, otherwise, return an empty list.
This can be handled very simply with this scheme :

etc/saneconf/metanet
device bla
allow realuser all
deny realuser netsane

This will result in metanet denying access to netsaned (which runs suid netsane)
thus giving the specified behaviour.

CU, Andy

-- 
==============================================================================
Andreas Beck              |  Email :  <becka@sunserver1.rz.uni-duesseldorf.de>
===  World-Wide-Web URL :  http://sunserver1.rz.uni-duesseldorf.de/~becka  ===
==============================================================================

---
Source code, list archive, and docs: http://www.azstarnet.com/~axplinux/sane/
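
The parsing rule described in the mail (default state "denied", lines evaluated in order, a check run only when it could change the state), as an added example that is not part of the original message or of SANE. `struct subject`, `sane_acl_check` and the treatment of "all" as a wildcard are assumptions drawn from the sample files; `group` rules are not evaluated because they need the group file.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical caller identity; field names are assumptions, not SANE API. */
struct subject {
    const char *realuser;   /* name derived from getuid() */
    const char *realgroup;  /* name derived from getgid() */
    const char *user;       /* SANE login set via dialog, NULL if none */
};
/* The metanet rules from the mail (trailing comment added), then reversed. */
static const char METANET[] =
    "device bla\nallow realuser all\ndeny realuser netsane # suid netsaned\n";
static const char REVERSED[] =
    "device bla\ndeny realuser netsane\nallow realuser all\n";

/* Returns 1 if the rules for `device` in `conf` leave `s` allowed, else 0.
 * "group" rules need the group file and never match here. */
int sane_acl_check(const char *conf, const char *device, const struct subject *s)
{
    int allowed = 0, in_section = 0;            /* default state is "denied" */
    while (*conf) {
        char line[256], verb[16], arg[64];
        const char *who = NULL, *p;
        int n = 0, want;
        size_t len = strcspn(conf, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, conf);
        conf += len + (conf[len] == '\n');
        line[strcspn(line, "#")] = '\0';        /* strip trailing comment */
        if (sscanf(line, "%15s %63s%n", verb, arg, &n) < 2) continue;
        if (strcmp(verb, "device") == 0) { in_section = !strcmp(arg, device); continue; }
        want = strcmp(verb, "allow") == 0;
        if (!in_section || (!want && strcmp(verb, "deny") != 0)) continue;
        if (want == allowed) continue;          /* cannot change state: skip check */
        if (strcmp(arg, "realuser") == 0) who = s->realuser;
        else if (strcmp(arg, "realgroup") == 0) who = s->realgroup;
        else if (strcmp(arg, "user") == 0) who = s->user;
        for (p = line + n; who && sscanf(p, "%63s%n", arg, &n) == 1; p += n)
            if (!strcmp(arg, "all") || !strcmp(arg, who)) { allowed = want; break; }
    }
    return allowed;
}

int main(void)
{
    struct subject net = { "netsane", "netsane", NULL }, andy = { "becka", "users", NULL };
    printf("metanet: netsane=%d becka=%d, reversed: netsane=%d\n", sane_acl_check(METANET, "bla", &net),
           sane_acl_check(METANET, "bla", &andy), sane_acl_check(REVERSED, "bla", &net));
    return 0;
}
```

With the two rules reversed, netsane ends up allowed: the deny line is skipped while the state is still "denied" and the later "allow realuser all" flips it, so rule order is part of the policy.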