+++ /dev/null
-#
-# default ACL:
-#
-# anyone can execute the get_file_flags operation (since it is applied
-# within the caller's vserver and the command lsattr gives the same
-# info anyway) or get the version string. wait is harmless too since
-# the caller needs to know the child ID. and we let any slice unmount
-# directories in its own filesystem, mostly as a workaround for some
-# Stork problems.
-#
-*: get_file_flags
-*: version
-*: wait
-+: unmount
-
-# give Stork permission to mount and unmount client dirs
-arizona_stork: mount_dir
-arizona_stork: set_file_flags pass, "1"
-arizona_stork: set_file_flags_list "1"
-arizona_stork: bind_socket sockname=64?:*
-arizona_stork2: mount_dir
-arizona_stork2: set_file_flags pass, "1"
-arizona_stork2: set_file_flags_list "1"
-arizona_stork2: bind_socket sockname=64?:*
-
-# give CoMon the necessary permissions to run slicestat
-princeton_slicestat: exec "root", pass, "/usr/local/planetlab/bin/pl-ps", none
-princeton_slicestat: exec "root", pass, "/usr/sbin/vtop", "bn1", none
-princeton_slicestat: open_file file=/proc/virtual/*/cacct
-princeton_slicestat: open_file file=/proc/virtual/*/limit
-princeton_comon: open_file file=/var/log/secure
-princeton_comon: exec "root", pass, "/bin/df", "/vservers", none
-
-# give pl_slicedir access to /etc/passwd
-pl_slicedir: open_file pass, "/etc/passwd"
-
-# netflow now runs in a slice so needs various accesses
-pl_netflow: open file=/etc/passwd, flags=r
-pl_netflow: open_file file=/etc/passwd
-pl_netflow: create_socket
-pl_netflow: bind_socket
-
-# nyu_d are building a DNS demux so give them access to port 53
-nyu_d: bind_socket
-nyu_oasis: bind_socket
-
-# QA slices need to be able to create and delete bind-mounts
-pl_qa_0: mount_dir
-pl_qa_1: mount_dir
-
-# irb_snort needs packet sockets for tcpdump
-irb_snort: create_socket
-
-# uw_ankur is using netlink sockets to do the same thing as netflow
-uw_ankur: create_socket
-
-# cornell_codons gets access to port 53 for now
-cornell_codons: create_socket
-
-# give Mic Bowman's conf-monitor service read-only access to root fs
-# and the ability to run df
-idsl_monitor: mount_dir "root:/", pass, "ro"
-idsl_monitor: unmount
-idsl_monitor: exec "root", pass, "/bin/df", "-P", "/", "/vservers", none
-
-# give Shark access to port 111 to run portmap
-# and port 955 to run mount
-nyu_shkr: bind_socket
-nyu_shkr: mount_dir "nfs:**:**"
-nyu_shkr: exec "root", pass, "/bin/umount", "-l", "/vservers/nyu_shkr/**", none
-
-# give tsinghua_lgh access to restricted ports
-tsinghua_lgh: bind_socket
-
-# CoDeeN needs port 53 too
-princeton_codeen: bind_socket sockname=53:*
-
-# give ucin_load access to /var/log/wtmp
-ucin_load: open_file file=/var/log/wtmp*
-
-# give google_highground permission to bind port 81 (and raw sockets)
-google_highground: bind_socket
-
-# pl_conf needs access to port 814
-pl_conf: bind_socket sockname=814:*
-pl_conf: open file=/home/*/.ssh/authorized_keys
-
-# give princeton_visp permission to read all packets sent through the
-# tap0 device
-princeton_visp: open file=/dev/net/tun, flags=rw
-
-# The PLB group needs the BGP port
-princeton_iias: bind_socket sockname=179:*
-princeton_visp: bind_socket sockname=179:*
-mit_rcp: bind_socket sockname=179:*
-
-# PL-VINI group
-mit_rcp: exec "root", pass, "/usr/bin/chrt"
-princeton_iias: exec "root", pass, "/usr/bin/chrt"
-uw_arvind: exec "root", pass, "/usr/bin/chrt"
git://git.onelab.eu / nodeconfig.git / commitdiff