[Chilli] [PATCH] adds option for chilli query TCP socket

David Bird david at coova.com
Mon Mar 5 13:03:43 UTC 2012


... or at least a pre-shared key and a cipher. You can refer to and/or
reuse the work-in-progress code found in dhcp.c between the ENABLE_CLUSTER
ifdefs (requires OpenSSL support).


On Mon, 2012-03-05 at 13:21 +0100, David Bird wrote:
> A valid concern, obviously. The default will remain to be using the unix
> socket and file system permissions for security. The patch (on the
> client side anyway) was limited to localhost, however, the server side
> socket was ANY (so, the patch does in fact have a major security issue
> in that regard, and still needs more). I'd like to see the TCP port
> protected with SSL cert/ca verifications; if anyone cares to implement,
> it would be appreciated. I am also considering making the feature only
> available with a compile-time option so that it isn't used lightly or by
> mistake; certainly should never be the default. 
> 
> 
> 
> On Mon, 2012-03-05 at 12:20 +0100, Joerg Mayer wrote:
> > On Mon, Mar 05, 2012 at 09:33:28AM +0100, David Bird wrote:
> > > I applied and committed your patches. Thanks! However, I'll be making
> > > some changes. For instance, it isn't good that chilli_query will default
> > > to using the TCP port instead of the unix socket... I will change it to
> > > only use the TCP socket if specified. Also, might as well allow for
> > > chilli_query to use an IP other than localhost. It would be great if
> > > you'd make these changes and submit another patch, otherwise I will do
> > > it. 
> > 
> > What sort of security mechanism is there to make sure the tcp sockets cannot
> > be used by any user on localhost or any remote user?
> > 
> > Thanks
> >    Jörg
> 
> 
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
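
The bind-address problem raised in this thread (client limited to localhost, server socket bound to ANY) can be closed with a listener that defaults to loopback and refuses any other address without an explicit opt-in. This is an added example, not CoovaChilli code and not part of the original messages; the function names, the allow_remote flag and the port used in testing are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Resolve the configured listen address for the query port (hypothetical helper).
 * NULL or "" selects loopback. A non-loopback address, including 0.0.0.0 (ANY),
 * is rejected unless allow_remote was set explicitly by the administrator.
 * Returns 0 on success, -1 on an unparsable or disallowed address. */
int query_listen_addr(const char *cfg, int allow_remote, unsigned short port,
                      struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    if (cfg == NULL || *cfg == '\0') {
        out->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        return 0;
    }
    if (inet_pton(AF_INET, cfg, &out->sin_addr) != 1)
        return -1;
    /* 127.0.0.0/8 is loopback; any other address is exposed beyond this host */
    int is_loopback = (ntohl(out->sin_addr.s_addr) >> 24) == 127;
    if (!is_loopback && !allow_remote)
        return -1;
    return 0;
}

/* Create the listening socket on the address chosen above.
 * Returns the socket fd, or -1 if the policy check or any socket call fails. */
int open_query_listener(const char *cfg, int allow_remote, unsigned short port)
{
    struct sockaddr_in sa;
    int fd, on = 1;

    if (query_listen_addr(cfg, allow_remote, port, &sa) != 0)
        return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Binding to loopback only removes the remote exposure; any local user can still connect to the port, so the authentication discussed in the thread (certificate verification or a pre-shared key) is still needed on top of it.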



