Great Circle Associates Majordomo-Workers
(January 1997)
 


Subject: Re: More musings on a general access restriction mechanism
From: Rob Jenson <robjen @ spotch . com>
Date: Tue, 7 Jan 1997 09:29:04 -0500 (EST)
To: majordomo-workers @ greatcircle . com
In-reply-to: <Pine.OSF.3.95.970107015947.23400B-100000@webdreams.com> from "Brock Rozen" at Jan 7, 97 02:01:27 am
Reply-to: robjen @ spotch . com (Rob Jenson)

I'm afraid we might be beating a dead horse
on this syntax, but ...

>...From the mail of Brock Rozen:

> On Mon, 6 Jan 1997, Rob Jenson wrote:

> > subscribe : bsps.mot.com : allow
> > subscribe : bmcu.mot.com : allow
> > subscribe : aol.com : consult		# superfluous 
> > subscribe : ALL : consult

> From my understanding, the last subscribe:ALL would negate all previous
> parameters.  If "commands" are handled in order, then the ALL consult
> would have to go first.

The last subscribe:ALL covers anything not explicitly handled
by the earlier parameters.  Each rule gets processed for
pattern-match against type of request and source of request
first.  If a request matches the rule, the specified action
happens.  If not, we go on to the next rule.  The subscribe:ALL
rule basically says "if none of the previous rules have covered
this particular request, this would be the default action."

> > another example:
> > 
> > subscribe : bsps.mot.com : allow
> > subscribe : bmcu.mot.com : allow
> > subscribe : cyberpromo.com : consult    # trying to snag our mailing lists
> > subscribe : ALL : allow

> See above.

> But I like the system, definitely easy to use.

Jason's previous discussion on the reason for dropping
the standard tcp/ip wrapper syntax over a slightly
less friendly but more implementable format makes sense
to me.  What I would *strongly* recommend is that the
control rules be abstracted out of the majordomo.cf
and into a separate (albeit syntactically equivalent)
file.  This would buy two advantages, IMHO:

o  Easier to read and modify the access control structure
    without "Oops"ing the rest of the .cf file.
o  Easier to verify and/or debug the access control
    structure.
o  It can be generated by a contribbed tool to make it
    easier for the admin.  A very simple syntax that
    makes the access control policy very human-readable
    could be compiled into the format that majordomo
    can handle efficiently.

Cheers,

_rob_
-- 
Rob Jenson - Computer sysadmin into TCP/IP internetworking and UNIX security.
Email: robjen@spotch.com             WWW: http://www.access.digex.net/~robjen
        PGP key and fingerprint available on my web page.
QOTM: "If it makes you happy, It Can't Be That Bad." -- Sheryl Crow
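
The first-match evaluation described in the message above, as an added example that is not part of the original post or of Majordomo's own code. It parses the proposed `command : pattern : action` lines, returns the action of the first matching rule, and flags rules that an earlier rule makes unreachable. Suffix matching on the sender's domain and the fail-closed `consult` default are assumptions.

```python
# Added example: first-match evaluation of "command : pattern : action" rules.
# Assumptions (not from the thread): suffix matching on the sender's domain,
# and "consult" as the fail-closed result when no rule matches at all.

def parse_rules(text):
    """Parse rule lines, dropping '#' comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'command : pattern : action'")
        cmd, pattern, action = parts
        pattern = pattern if pattern == "ALL" else pattern.lower()
        rules.append((cmd.lower(), pattern, action.lower()))
    return rules

def covers(pattern, domain):
    """True if pattern is ALL, equals domain, or is a parent domain of it."""
    return pattern == "ALL" or domain == pattern or domain.endswith("." + pattern)

def decide(rules, command, sender, default="consult"):
    """Return the action of the first rule that matches the request."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for cmd, pattern, action in rules:
        if cmd == command and covers(pattern, domain):
            return action
    return default

def unreachable(rules):
    """Return rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        cmd, pattern, _ = rule
        if any(c == cmd and covers(p, pattern) for c, p, _ in rules[:i]):
            dead.append(rule)
    return dead

POSTED = """\
subscribe : bsps.mot.com : allow
subscribe : bmcu.mot.com : allow
subscribe : cyberpromo.com : consult    # trying to snag our mailing lists
subscribe : ALL : allow
"""
ALL_FIRST = "subscribe : ALL : allow\nsubscribe : cyberpromo.com : consult\n"
```

`POSTED` is the second rule set from the message; `ALL_FIRST` is a constructed reordering that puts the catch-all rule first, which leaves the `cyberpromo.com` rule unreachable.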



