[mirror-admin] MirrorManager ACL is useless
Matt Domsch
matt at domsch.com
Mon Nov 7 14:43:34 EST 2011
On Mon, Nov 7, 2011 at 1:37 PM, Jan Kasprzak <kas at fi.muni.cz> wrote:
> Hello,
>
> has anybody actually looked at the mirrormanager ACL file
> at https://admin.fedoraproject.org/mirrormanager/rsync_acl ?
> I think it is pretty unusable as a list of Tier 2 mirrors
> which can be allowed to access the pre-bitflip content.
> It contains whatever the mirror owners decide to put into
> mirrormanager: I can probably add something like
>
> \n[hiddenmodule]\npath=/\nuid=root\ngid=root\nread only=no\n
>
> there and get full access to the whole file system of those
> mirrors who are "brave enough" to include this list in their rsyncd.conf.
> The input is not sanitized in any way. It contains empty lines,
> several rsync:// URLs, several /24 prefixes, a /15 prefix,
> and two /8 prefixes.
>
> Some time ago I wanted to use it for my pre-bitflip data module,
> but after looking at it I have decided to maintain the list of
> downstream Tier-2 mirrors for my site manually.
This is all true. It simply passes through what any mirror admin may
wish to put there, and anyone with a FAS account can create a mirror
entry in MM. It certainly needs to be sanitized before use, but as I
haven't spent any time thinking about what a sanitized list there
would look like, and it wasn't really being used, it's been a low
priority thought process (at best).
-Matt
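
An added example, not part of the original message and not MirrorManager's code: one way the pass-through list discussed above could be sanitized before it is written to a `hosts allow` line in rsyncd.conf. The prefix-length limits, function names and sample entries are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed policy (not from the thread): broadest prefix one entry may claim.
MIN_PREFIX = {4: 24, 6: 48}
# Only characters that can occur in an IP, a CIDR prefix or a hostname.
_SAFE_CHARS = re.compile(r"[0-9A-Za-z.:/-]+")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def sanitize_entry(raw):
    """Return one canonical 'hosts allow' token, or None to drop the entry."""
    entry = raw.strip()
    # Reject newlines, spaces, brackets, '=' and '%' before any parsing, so
    # nothing that could start a new rsyncd.conf line or module survives.
    if not _SAFE_CHARS.fullmatch(entry):
        return None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.prefixlen < MIN_PREFIX[net.version]:
            return None  # too broad, e.g. a /8 or a /15
        single = net.prefixlen == net.max_prefixlen
        return str(net.network_address) if single else str(net)
    # Not an address: accept only a plain hostname (no URL, no wildcard).
    if (len(entry) <= 253 and _HOSTNAME.fullmatch(entry)
            and not entry.rsplit(".", 1)[-1].isdigit()):
        return entry.lower()
    return None

def build_hosts_allow(entries):
    """Return (allowed tokens, rejected raw entries); blanks are skipped."""
    allowed, rejected = [], []
    for raw in entries:
        token = sanitize_entry(raw)
        if token is None:
            if raw.strip():
                rejected.append(raw)
        elif token not in allowed:
            allowed.append(token)
    return allowed, rejected

# Constructed sample input; the injection string is the one quoted above.
SAMPLE = ["192.0.2.10", "", "198.51.100.0/24", "10.0.0.0/8", "172.16.0.0/15",
          "rsync://mirror.example.org/fedora", "mirror.example.net",
          "\n[hiddenmodule]\npath=/\nuid=root\ngid=root\nread only=no\n"]

if __name__ == "__main__":
    ok, bad = build_hosts_allow(SAMPLE)
    print("hosts allow =", " ".join(ok), "\nrejected:", bad)
```

The character allow-list runs before `ipaddress` parsing because an IPv6 scope ID (the part after `%`) is otherwise accepted with arbitrary content.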