Pie in the Sky suggestions
Posted: Wed Nov 11, 2009 3:34 pm
I had a few suggestions that occurred to me over the years but I never got around to posting. They're just sort of pie in the sky things.
* It'd be kind of neat to have the role be repeatable but with different "role_allow_ip" subnets -- like a first match or most specific match. I like to lock down root's role to just a few IPs, but then any daemons running as root talking to the outside world get dumped into the same 'default' role as random unprivileged users (like suexec running CGI for arbitrary users). It'd be really nice to have that "role_allow_ip"-locked-down root role but also have a much more stripped down root role with just enough privs for daemons to operate. That sounds like a seriously non-trivial feature though.
* A flag for suppressing 'connect' and RES_* logging. Especially for 'connect', I've got a number of things locked down but that get triggered by benign things. Being able to suppress known benign things like you can do with regular file entries in the ACL would be handy to cut down the log noise.
* Multiple ports on a 'connect' line, e.g. to connect to a web server on either 80 or 443, "connect 192.168.1.1/32:80,443 stream tcp", instead of multiple lines for :80 and :443.
* A test flag for gradm to test ACL syntax but without actually having to load/reload the new ACL.
* It'd be kind of neat to have the role be repeatable but with different "role_allow_ip" subnets -- like a first match or most specific match. I like to lock down root's role to just a few IPs, but then any daemons running as root talking to the outside world get dumped into the same 'default' role as random unprivileged users (like suexec running CGI for arbitrary users). It'd be really nice to have that "role_allow_ip"-locked-down root role but also have a much more stripped down root role with just enough privs for daemons to operate. That sounds like a seriously non-trivial feature though.
* A flag for suppressing 'connect' and RES_* logging. Especially for 'connect', I've got a number of things locked down but that get triggered by benign things. Being able to suppress known benign things like you can do with regular file entries in the ACL would be handy to cut down the log noise.
* Multiple ports on a 'connect' line, e.g. to connect to a web server on either 80 or 443, "connect 192.168.1.1/32:80,443 stream tcp", instead of multiple lines for :80 and :443.
* A test flag for gradm to test ACL syntax but without actually having to load/reload the new ACL.