diff options
author | Samuel Mendoza-Jonas <sam@mendozajonas.com> | 2018-06-19 16:50:28 +1000 |
---|---|---|
committer | Samuel Mendoza-Jonas <sam@mendozajonas.com> | 2018-12-03 14:39:57 +1100 |
commit | 336f4eb17fb50526ea9fda82262356581e1b9ae0 (patch) | |
tree | 0a0b0fc427646d6ccd39f9baf209e62bfd40eb23 /discover/platform.h | |
parent | de6f6c4bff7d42f63e2bbd01d2bab65ae9635877 (diff) | |
download | talos-petitboot-336f4eb17fb50526ea9fda82262356581e1b9ae0.tar.gz talos-petitboot-336f4eb17fb50526ea9fda82262356581e1b9ae0.zip |
discover/discover-server: Restrict clients based on uid
If crypt support is enabled restrict what actions clients can perform by
default. Initial authorisation is set at connection time; clients
running as root are unrestricted, anything else runs as restricted until
it makes an authentication to pb-discover.
Unprivileged clients may only perform the following actions:
- Boot the default boot option.
- Cancel the autoboot timeout.
- Make an authentication request.
If a group named "petitgroup" exists then the socket permissions are
also modified so that only clients running as root or in that group may
connect to the socket.
The user-event socket is only usable by root since the two main
usecases are by utilities called by pb-discover or by a user in the
shell who will need to su to root anyway.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Diffstat (limited to 'discover/platform.h')
-rw-r--r-- | discover/platform.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/discover/platform.h b/discover/platform.h index 2940562..f7d3d1c 100644 --- a/discover/platform.h +++ b/discover/platform.h @@ -12,6 +12,8 @@ struct platform { void (*pre_boot)(struct platform *, const struct config *); int (*get_sysinfo)(struct platform *, struct system_info *); + bool (*restrict_clients)(struct platform *); + int (*set_password)(struct platform *, const char *hash); uint16_t dhcp_arch_id; void *platform_data; }; @@ -20,6 +22,8 @@ int platform_init(void *ctx); int platform_fini(void); const struct platform *platform_get(void); int platform_get_sysinfo(struct system_info *info); +bool platform_restrict_clients(void); +int platform_set_password(const char *hash); void platform_pre_boot(void); /* configuration interface */ |