PageViews: 1,196 hits / 141 nets

Implanted Configuration Parameters of DeleGate

Yutaka Sato
December 4, 2006

Since the version 9.4.0, DeleGate has "implanted parameters" in its executable file. Those parameters can be used to control authentication and capability control, that is, who may execute the executable and which functions or protocols may be used.

The executable file can be set with so called "set user-id on execution" flag which is used to run under the super-user's privilege independent of who invoked it. DeleGate may require such privilege in some cases, including when it uses privileged port or doing PAM authentication. This flag obsoletes external programs under "subin" which have been necessary to be installed supplementally.

                                   owned-by-rooot      INSTALLATION /
  INVOCATION              _________set-uid-on-exec     CONFIGURATION
                         /                        \
                         |   the executable file  |
             forbidden   |       of DeleGate      |
  user1 ---- NO -------->|                        |
                         |                        |
  user2 ---- OK -----+---> +-> authentication     |
                     |   | +-> capability control |
                     |   | +-> default config.    |
                     |   | |                      |
                [key]+---->(decrypt)              |    editing with
                         | |     _____________    |   "delegated -Fimp"
                         | |    +             +   |     +[key]
                         | +----+ implanted   <<--------+(encrypt)
                         |      + parameters  +   |
                         |      +_____________+   |
                         |                        |
                         \________________________/

The size of area for implants is 10K bytes by default. Arbitrary configuration parameters can be holded in it.

It can be dangerous to turn the "set user-id on execution" flag for a versatile program like DeleGate especially when the executable file is marked to be "executable by anybody". Therefore an executable file of DeleGate with the flag is restricted to be executable only when the user is explicitly permitted the execution, that is when the user is in the list of permitted users and/or when the user knows the password to execute it.

EXAMPLES

    Show the help and the current implants.
% delegated -Fimp
% delegated -Fimp ADMIN=you@your.domain
% delegated -Fimp -U user2,user3
% delegated -Fimp -C http,ftp
% delegated -Fimp -k
% su root -c "delegated -Fimp -m"
% delegated -Fimp SERVER=http -P8080 -vt ADMIN=me@my.domain
% delegated
% delegated -Fimp -sk conf.enc

(INTERNAL-ERROR-SEE-LOGFILE-AROUND-11/21-19:52:27.03-WITH-KEY=673F8F7B)