Commit 15ced159 authored by Daniel Salzman's avatar Daniel Salzman

conf: remove control.acl item

parent c0fc94c0
......@@ -102,8 +102,7 @@ network subnet. Also a TSIG key can be specified::
key: key1 # Access based just on TSIG key
action: xfer
Then the rules are referenced from zone :ref:`template_acl` or from
control :ref:`control_acl`::
These rules can then be referenced from a zone :ref:`template_acl`::
zone:
- domain: example.com
......
......@@ -307,7 +307,7 @@ acl:
\- id: STR
address: ADDR[/INT]
key: key_id
action: deny | xfer | notify | update | control ...
action: deny | xfer | notify | update ...
.ft P
.fi
.UNINDENT
......@@ -340,8 +340,6 @@ Possible values:
\fBnotify\fP \- Allow incoming notify
.IP \(bu 2
\fBupdate\fP \- Allow zone updates
.IP \(bu 2
\fBcontrol\fP \- Allow remote control
.UNINDENT
.sp
Default: deny
......@@ -349,8 +347,8 @@ Default: deny
.sp
Configuration of the server remote control.
.sp
Caution: The control protocol is not encrypted, and susceptible to replay
attacks in a short timeframe until message digest expires, for that reason,
Caution: The control protocol is not encrypted and is susceptible to replay
attacks in a short timeframe until message digest expires. For that reason,
it is recommended to use default UNIX socket.
.INDENT 0.0
.INDENT 3.5
......@@ -359,7 +357,6 @@ it is recommended to use default UNIX socket.
.ft C
control:
listen: ADDR[@INT]
acl: acl_id ...
.ft P
.fi
.UNINDENT
......@@ -371,14 +368,6 @@ commands. Optional port specification (default is 5533) can be appended to the
address using \fB@\fP separator.
.sp
Default: \fI\%rundir\fP/knot.sock
.SS acl
.sp
An ordered list of \fI\%references\fP to ACL rules allowing the remote
control.
.sp
Caution: This option has no effect with UNIX socket.
.sp
Default: empty
.SH REMOTE SECTION
.sp
Definition of remote servers for zone transfers or notifications.
......
......@@ -359,7 +359,7 @@ Access control list rules definition.
- id: STR
address: ADDR[/INT]
key: key_id
action: deny | xfer | notify | update | control ...
action: deny | xfer | notify | update ...
.. _acl_id:
......@@ -400,7 +400,6 @@ Possible values:
- ``xfer`` - Allow zone transfer
- ``notify`` - Allow incoming notify
- ``update`` - Allow zone updates
- ``control`` - Allow remote control
Default: deny
......@@ -411,15 +410,14 @@ Control section
Configuration of the server remote control.
Caution: The control protocol is not encrypted, and susceptible to replay
attacks in a short timeframe until message digest expires, for that reason,
Caution: The control protocol is not encrypted and is susceptible to replay
attacks in a short timeframe until message digest expires. For that reason,
it is recommended to use default UNIX socket.
::
control:
listen: ADDR[@INT]
acl: acl_id ...
.. _control_listen:
......@@ -434,16 +432,6 @@ Default: :ref:`rundir<server_rundir>`/knot.sock
.. _control_acl:
acl
---
An ordered list of :ref:`references<acl_id>` to ACL rules allowing the remote
control.
Caution: This option has no effect with UNIX socket.
Default: empty
.. _Remote section:
Remote section
......
......@@ -52,7 +52,6 @@ static const lookup_table_t acl_actions[] = {
{ ACL_ACTION_XFER, "xfer" },
{ ACL_ACTION_NOTF, "notify" },
{ ACL_ACTION_DDNS, "update" },
{ ACL_ACTION_CNTL, "control" },
{ 0, NULL }
};
......@@ -118,7 +117,6 @@ static const yp_item_t desc_acl[] = {
static const yp_item_t desc_control[] = {
{ C_LISTEN, YP_TADDR, YP_VADDR = { REMOTE_PORT, REMOTE_SOCKET } },
{ C_ACL, YP_TREF, YP_VREF = { C_ACL }, YP_FMULTI, { check_ref } },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......@@ -177,10 +175,10 @@ static const yp_item_t desc_log[] = {
const yp_item_t conf_scheme[] = {
{ C_SRV, YP_TGRP, YP_VGRP = { desc_server } },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_LOG, YP_TGRP, YP_VGRP = { desc_log }, YP_FMULTI },
{ C_KEY, YP_TGRP, YP_VGRP = { desc_key }, YP_FMULTI },
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_RMT, YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI },
/* MODULES */
{ C_MOD_SYNTH_RECORD, YP_TGRP, YP_VGRP = { scheme_mod_synth_record }, YP_FMULTI },
......
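Review bot: An existing configuration that still carries `acl:` under `control:`, or `action: control` in an ACL rule, will presumably be rejected at load time as an unknown item or value once `C_ACL` is gone from `desc_control` and `"control"` from `acl_actions`, rather than being ignored; neither the commit message nor the documentation hunks say so, and a one-line migration note (commit message or changelog) would spare operators a failed restart. The `C_CTL` entry in `conf_scheme` also changes position; a short comment such as `/* group order: referenced groups first */` (or a statement that order is irrelevant) would tell a reader whether the order is significant.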
......@@ -908,29 +908,13 @@ int remote_process(server_t *s, struct sockaddr_storage *ctl_addr, int sock,
char addr_str[SOCKADDR_STRLEN] = { 0 };
sockaddr_tostr(addr_str, sizeof(addr_str), &ss);
/* Prepare tsig parameters. */
knot_tsig_key_t tsig = { NULL };
if (pkt->tsig_rr) {
tsig.name = pkt->tsig_rr->owner;
tsig.algorithm = knot_tsig_rdata_alg(pkt->tsig_rr);
}
/* Check ACL. */
rcu_read_lock();
conf_val_t acl = conf_get(conf(), C_CTL, C_ACL);
bool allowed = acl_allowed(&acl, ACL_ACTION_CNTL, &ss, &tsig);
rcu_read_unlock();
if (!allowed) {
log_warning("remote control, denied '%s', "
"no matching ACL", addr_str);
remote_senderr(client, pkt->wire, pkt->size);
ret = KNOT_EACCES;
goto finish;
}
/* Check TSIG. */
if (tsig.name != NULL) {
if (pkt->tsig_rr != NULL) {
knot_tsig_key_t tsig = {
.name = pkt->tsig_rr->owner,
.algorithm = knot_tsig_rdata_alg(pkt->tsig_rr)
};
uint16_t ts_rc = 0;
uint16_t ts_trc = 0;
uint64_t ts_tmsigned = 0;
......
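Review bot: After the ACL lookup is removed, the only authorization left in remote_process is the TSIG verification, and that branch runs only when `pkt->tsig_rr != NULL`, so an unsigned request arriving on a network listener appears to continue into command processing with no peer check at all; the rest of the function lies outside the hunk, so this is inferred. The documentation changed in the same commit only recommends the UNIX socket; if non-UNIX listeners remain supported, consider rejecting unsigned requests on them via the same deny path the removed block used, e.g. `if (ctl_addr->ss_family != AF_UNIX && pkt->tsig_rr == NULL) { remote_senderr(client, pkt->wire, pkt->size); ret = KNOT_EACCES; goto finish; }`. The denial should also be logged as the removed `log_warning` did, so rejected control connections stay visible to operators.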
......@@ -35,8 +35,7 @@ typedef enum {
ACL_ACTION_DENY = 0,
ACL_ACTION_XFER = 1,
ACL_ACTION_NOTF = 2,
ACL_ACTION_DDNS = 3,
ACL_ACTION_CNTL = 4
ACL_ACTION_DDNS = 3
} acl_action_t;
/*!
......
......@@ -119,7 +119,7 @@ extern int cf_debug;
typedef union YYSTYPE YYSTYPE;
union YYSTYPE
{
#line 361 "cf-parse.y" /* yacc.c:1909 */
#line 353 "cf-parse.y" /* yacc.c:1909 */
struct {
char *t;
......
......@@ -199,7 +199,6 @@ typedef enum {
ACL_XFR,
ACL_NTF,
ACL_UPD,
ACL_CTL
} acl_type_t;
static void acl_start(void *scanner, acl_type_t type)
......@@ -212,7 +211,6 @@ static void acl_start(void *scanner, acl_type_t type)
case ACL_XFR: extra->current_trie = extra->share->acl_xfer; break;
case ACL_NTF: extra->current_trie = extra->share->acl_notify; break;
case ACL_UPD: extra->current_trie = extra->share->acl_update; break;
case ACL_CTL: extra->current_trie = extra->share->acl_control; break;
}
}
......@@ -285,8 +283,7 @@ static bool is_acl(void *scanner, const char *str) {
return hattrie_tryget(extra->share->acl_xfer, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_notify, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_update, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_control, str, strlen(str)) != NULL;
hattrie_tryget(extra->share->acl_update, str, strlen(str)) != NULL;
}
static bool have_acl(void *scanner) {
......@@ -294,8 +291,7 @@ static bool have_acl(void *scanner) {
return (hattrie_weight(extra->share->acl_xfer) +
hattrie_weight(extra->share->acl_notify) +
hattrie_weight(extra->share->acl_update) +
hattrie_weight(extra->share->acl_control)) > 0;
hattrie_weight(extra->share->acl_update)) > 0;
}
static char *acl_actions(void *scanner, const char *str) {
......@@ -318,10 +314,6 @@ static char *acl_actions(void *scanner, const char *str) {
strlcat(actions, _first ? "" : ", ", sizeof(actions)); _first = false;
strlcat(actions, "update", sizeof(actions));
}
if (hattrie_tryget(extra->share->acl_control, str, strlen(str)) != NULL) {
strlcat(actions, _first ? "" : ", ", sizeof(actions)); _first = false;
strlcat(actions, "control", sizeof(actions));
}
strlcat(actions, "]", sizeof(actions));
......@@ -758,8 +750,21 @@ ctl_listen_start:
LISTEN_ON
;
ctl_allow_item:
| TEXT { free($1.t); }
| LOG_SRC
| LOG
| LOG_LEVEL
| CONTROL
;
ctl_allow_list:
| ctl_allow_list ctl_allow_item ','
| ctl_allow_list ctl_allow_item ';'
;
ctl_allow_start:
ALLOW { f_name(scanner, R_CTL, C_ACL, false); acl_start(scanner, ACL_CTL); _str = "acl_"; }
ALLOW
;
control:
......@@ -776,7 +781,7 @@ control:
free(_addr);
}
| control ctl_listen_start TEXT ';' { f_quote(scanner, R_CTL, C_LISTEN, $3.t); free($3.t); }
| control ctl_allow_start zone_acl_list
| control ctl_allow_start ctl_allow_list
;
conf: ';' | system '}' | interfaces '}' | keys '}' | remotes '}' | groups '}' | zones '}' | log '}' | control '}';
......
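Review bot: The new `ctl_allow_item` and `ctl_allow_list` rules silently discard every entry of a legacy `control { allow ... }` block (`TEXT { free($1.t); }` and the bare keyword alternatives emit nothing), so a converted configuration loses its control access restrictions without the user being told. A warning from the `ctl_allow_start` action, or a comment written into the converted output such as `# control 'allow' has no counterpart in the new scheme; access is governed by the UNIX socket or TSIG`, would make the change visible; whether the converter has a warning facility is not visible here. The `is_acl`, `have_acl` and `acl_actions` hunks in this file are consistent with the removal.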
......@@ -31,7 +31,6 @@ typedef struct {
hattrie_t *acl_xfer;
hattrie_t *acl_notify;
hattrie_t *acl_update;
hattrie_t *acl_control;
} share_t;
/*!
......
......@@ -80,7 +80,6 @@ static int convert(const char *file_out, const char *file_in)
.acl_xfer = hattrie_create(),
.acl_notify = hattrie_create(),
.acl_update = hattrie_create(),
.acl_control = hattrie_create(),
};
// Parse the input file multiple times to get some context.
......@@ -115,7 +114,6 @@ static int convert(const char *file_out, const char *file_in)
hattrie_free(share.acl_xfer);
hattrie_free(share.acl_notify);
hattrie_free(share.acl_update);
hattrie_free(share.acl_control);
fclose(out);
......