similar to: [PATCH nbdkit v2 0/3] ip: Add filtering by process ID, user ID and group ID.

v2 was here: https://www.redhat.com/archives/libguestfs/2020-October/msg00019.html v3: * defence -> defense * Use int64_t instead of int. This compiles on Windows. * Add GC wrappers to OCaml bindings. * New FreeBSD patch. * Removed "pid:" example from the ip filter manual, and added a warning beside the pid documentation. Rich.

These two commits add new APIs and enhance nbdkit-ip-filter to allow filtering of Unix domain sockets by the client's PID, UID or GID. eg: nbdkit -U sock --filter=ip ... allow=uid:`id -u` deny=all Rich.

On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > used on Linux (only) to read the peer PID, UID and GID from clients > connected over a Unix domain socket. This can be used in the > preconnect phase to add additional filtering. > > One use for this is to add an extra layer of authentication for local >

New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be used on Linux (only) to read the peer PID, UID and GID from clients connected over a Unix domain socket. This can be used in the preconnect phase to add additional filtering. One use for this is to add an extra layer of authentication for local connections. A subsequent commit will enhance the now misnamed nbdkit-ip-filter to

On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > --- > plugins/ocaml/NBDKit.mli | 7 +++++++ > plugins/ocaml/NBDKit.ml | 4 ++++ > plugins/ocaml/bindings.c | 24 ++++++++++++++++++++++++ > 3 files changed, 35 insertions(+) > > diff --git a/plugins/ocaml/NBDKit.mli b/plugins/ocaml/NBDKit.mli > index ececd5fd..8abfeb49 100644 > --- a/plugins/ocaml/NBDKit.mli > +++

On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote: > On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > > used on Linux (only) to read the peer PID, UID and GID from clients > > connected over a Unix domain socket. This can be used in the > > preconnect phase to add additional filtering.

On Mon, Oct 05, 2020 at 02:38:37PM +0100, Daniel P. Berrangé wrote: > On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote: > > On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > > > used on Linux (only) to read the peer PID, UID and GID from clients > > > connected over a Unix domain

If you're following nbdkit development upstream you'll have seen that we are still making changes to the .list_exports and related APIs. The current .list_exports API upstream is not how it will look finally. The latest set of proposals was here: https://www.redhat.com/archives/libguestfs/2020-August/thread.html#00330 At the same time I'd like to do an nbdkit 1.22 (stable) release.

More patches on the way for improving .list_exports signature and adding .export_description, but this is the promised code showing why nbdkit_string_intern is useful. Patch 4 is somewhat RFC: we could either add new API to take the boilerplate from: foo_config(const char *key, const char *value) { if (strcmp (key, "file") == 0) { CLEANUP_FREE char *tmp = nbdkit_realpath (value);

--- filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++----- tests/Makefile.am | 14 ++++++- filters/ip/ip.c | 69 +++++++++++++++++++++++++++++--- tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++ tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++ tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++ 6 files

This is a revision of my .default_export work, plus new work on .export_descriptions and a new exportname filter. I think it is now ready to check in. Things I'd still like in 1.22: - the file plugin should implement .list_exports (patch already posted, but it needs rebasing on this series) - the ext2 filter should override .list_exports when in exportname mode - the nbd plugin should be

--- plugins/ocaml/NBDKit.mli | 7 +++++++ plugins/ocaml/NBDKit.ml | 4 ++++ plugins/ocaml/bindings.c | 24 ++++++++++++++++++++++++ 3 files changed, 35 insertions(+) diff --git a/plugins/ocaml/NBDKit.mli b/plugins/ocaml/NBDKit.mli index ececd5fd..8abfeb49 100644 --- a/plugins/ocaml/NBDKit.mli +++ b/plugins/ocaml/NBDKit.mli @@ -162,3 +162,10 @@ val shutdown : unit -> unit (** Print a

This series is based on my blog posting here: https://rwmj.wordpress.com/2019/09/13/nbdkit-supports-exportnames/ It depends on the fix for realloc: https://www.redhat.com/archives/libguestfs/2019-September/thread.html#00103 This series adds a fun plugin, and also an semi-related feature I've long thought to be desirable. You can consider patches 1 & 4, and patches 2 & 3 as forming

It's been several weeks since I posted v2 (I got distracted by improving libnbd to better test things, which in turn surfaced some major memory leak problems in nbdsh that are now fixed). Many of the patches are minor rebases from v2, with the biggest changes being fallout from: - patch 2: rename nbdkit_add_default_export to nbdkit_use_default_export - overall: this missed 1.22, so update

This incomplete patch adds a new filter allowing more control over when nbdkit exits. You can now get nbdkit to exit gracefully on certain events, such as a file being created, a pipe held open by another process going away, or when another PID exits. There is also a script option to allow for completely custom events. It is untested at the moment, I'm posting it to get feedback on the

https://bugzilla.mindrot.org/show_bug.cgi?id=1775 Summary: RFE: Would like to use 'abstract' unix sockets for ControlPath Product: Portable OpenSSH Version: 5.5p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo:

hi, Solaris doesn't have getpeereid() or SO_PEERCRED. However, getpeerucred() is perfectly usable for that; and it's in Solaris 10 and OpenSolaris. So, ssh-agent(1) security there so far depends only on permissions of the socket directory and with this patch it checks peer's credentials, too. I patched following files using a snapshot from 20060921: openssh/config.h.in

This adds a simple plugin using libssh (not libssh2). The intended use for this is with virt-v2v when sourcing guests from VMware over SSH. We've had several years of problems getting our libssh-based driver into qemu. By putting it into nbdkit instead we can bypass that. However this also lets us combine ssh access with filters, in particular the recently written ‘rate’ filter. Rich.

Accepting only Unix sockets can be a bit limiting; let's be more flexible. Eric Blake (2): nbd: Refactor Unix socket connection nbd: Support TCP socket plugins/nbd/nbdkit-nbd-plugin.pod | 36 ++++-- plugins/nbd/nbd.c | 175 ++++++++++++++++++++++-------- TODO | 3 - 3 files changed, 161 insertions(+), 53 deletions(-) -- 2.20.1

Unfinished (needs tests). This is my attempt to make a "remote tmpfs" plugin as outlined in this prior email: https://www.redhat.com/archives/libguestfs/2020-March/msg00134.html Although it would be possible to construct something a bit like this using existing plugins and filters (perhaps with some new features in those filters) I think it may be nicer to have a dedicated plugin for