#79 Add option to disallow wildcards in subconfig files

closed
None
5
2008-06-27
2008-06-27
Jaharmi
No

- Summary
Provide a descriptive summary of the issue.
- The config file includes option should provide an ability to
exclude all wildcard patterns in sub config files.
- This would allow admins in a federated environment to delegate
access to a sub config file with the confidence that
administrators of those config files would not be able to put *
or other wildcard patterns in their config lines. Instead, they
would have to limit their config files to the use of specifically
named DNS hosts, IP addresses, or certificate CNs.
- Steps to reproduce
In numbered format, detail the exact steps taken to produce the
bug.
- n/a
- Expected results
Describe what you expected to happen when you executed the steps
above.
- Disallowing the use of all wildcard patterns in sub config files
would allow a greater degree of trustworthiness in federated
environments.
- Disallowing wildcard patterns should apply to the listed
subconfig file and any of its children.
- Actual results
Please explain what actually occurred when steps above are
executed.
- The proposed config file feature offers the option of limiting
the scope of clients controlled by included config files.
However, this provides limited utility for those without a
tightly controlled DNS, IP, or CN space.
- Regression
Describe circumstances where the problem occurs or does not
occur, such as software versions and/or hardware configurations.
- n/a
- Notes
Provide additional information, such as references to related
problems, workarounds and relevant attachments.
- While this would not solve every problem presented by Radmind in
a federated environment, it would lessen the need to set up
multiple server (processes) with different master config files in
order to support federation at all.
- System configuration
Include the current system configuration of each computer that
experienced the problem.
- n/a

Discussion

    • assigned_to: nobody --> fitterhappier
    • status: open --> closed
     
  • Logged In: YES
    user_id=1298350
    Originator: NO

    I don't see the point. If the subconfig file line in /var/radmind/config is "@include *.example.edu", and the subconfig file contains "* reallybigsecret.K", it will still be limited to hosts matching *.example.edu.