On Sun, Jun 22, 2003 at 01:31:52PM -0400, Samir Patel wrote:
> Now that Coda uses realms, it's very easy to try connecting to various
> hostnames to see if they run coda (just have to type cd
> /coda/<servername> ). Is there any way to limit access to a Coda realm

This has always been possible, it is just a lot easier now :)

I'm not sure what you want to do, but technically you can create IN SRV
entries in DNS that redirect to your 'recommended' set of root-servers.

    _codasrv._udp.internal.coda.server.name IN SRV 0 0 2432 root.server1
                                            IN SRV 0 0 2432 root.server2
    etc.

This way, when someone tries to connect to internal.coda.server.name he
will really be talking to the root servers you would prefer. Of course
they will still be mounted as /coda/internal.coda.server.name/. When a
client wants to access a volume hosted by the 'internal' server the
access will of course not be redirected.

If you have clients that access names under /coda that you don't want
resolved, which typically only happens with Windows, i.e. /coda/Recycled,
you can add a line to /etc/coda/realms with only that name which lists
no servers.

Hmm, rereading the spec it is possible to have an empty IN SRV entry
and get the same effect.

RFC-2782:
    "A Target of "." means that the service is decidedly not
    available at this domain."

    _codasrv._udp.internal.server.name IN SRV 0 0 0 .

So this will make sure that a client will not try to directly connect to
a Coda server on that host as a result of a 'realm mount'. But it will
of course still connect if a Coda 'root server' tells it that it should
go there to access some volume within the realm.

> Assuming someone out there has addressed this sort of security issue,
> can you explain what you did? If no one has addressed this issue, or
> if the issue is not really an issue... can someone explain?

ACL on the root volume that only allows authenticated users to connect.
With realms a user can pass tokens to venus before connecting to the
realm, so we don't have the lock-out problems we had when a volume
mounted on /coda didn't allow access for System:AnyUser.

Jan

Received on 2003-06-23 00:35:22
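A client-side reading of the two SRV record shapes discussed in the thread, as an added example that is not from the thread or from the Coda code base: it parses constructed zone lines, orders targets by priority and RFC 2782 weight, and returns no servers at all when the target is ".". The zone text and host names are constructed for illustration.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")  # "." = not available

# Constructed zone fragments mirroring the redirect and the deny case.
REDIRECT_ZONE = [
    "_codasrv._udp.internal.coda.server.name IN SRV 0 0 2432 root.server1",
    "                                        IN SRV 0 0 2432 root.server2",
]
DENY_ZONE = ["_codasrv._udp.internal.server.name IN SRV 0 0 0 ."]

def parse_srv_zone_lines(lines):
    """Parse zone-style lines; owner name may be omitted on continuation lines."""
    records = []
    for line in lines:
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        try:
            priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
            target = fields[i + 4].rstrip(".") or "."  # keep "." as the RFC 2782 marker
        except (ValueError, IndexError):
            continue  # malformed line: skip rather than guess
        records.append(SrvRecord(priority, weight, port, target))
    return records

def realm_servers(records, rng=None):
    """Ordered (host, port) list for a realm mount: lowest priority first,
    RFC 2782 weighted order within a priority; [] if the realm publishes "."."""
    if not records or any(r.target == "." for r in records):
        return []
    rng = random.Random(0) if rng is None else rng
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight)  # weight-0 entries first
        while bucket:
            threshold = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for r in bucket:
                running += r.weight
                if running >= threshold:
                    ordered.append((r.target, r.port))
                    bucket.remove(r)
                    break
    return ordered
```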