From 0f6846374d1a296e29ecd6b26957330fc2fcb0d4 Mon Sep 17 00:00:00 2001
From: Faiyaz Ahmed
Date: Thu, 14 Aug 2008 19:51:52 +0000
Subject: [PATCH] deprecated.
---
PlanetLabConf/propd.conf | 100 ---------------------------------------
1 file changed, 100 deletions(-)
delete mode 100755 PlanetLabConf/propd.conf
diff --git a/PlanetLabConf/propd.conf b/PlanetLabConf/propd.conf
deleted file mode 100755
index dd5a6d0..0000000
--- a/PlanetLabConf/propd.conf
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# default ACL:
-#
-# anyone can execute the get_file_flags operation (since it is applied
-# within the caller's vserver and the command lsattr gives the same
-# info anyway) or get the version string. wait is harmless too since
-# the caller needs to know the child ID. and we let any slice unmount
-# directories in its own filesystem, mostly as a workaround for some
-# Stork problems.
-#
-*: get_file_flags
-*: version
-*: wait
-+: unmount
-
-# give Stork permission to mount and unmount client dirs
-arizona_stork: mount_dir
-arizona_stork: set_file_flags pass, "1"
-arizona_stork: set_file_flags_list "1"
-arizona_stork: bind_socket sockname=64?:*
-arizona_stork2: mount_dir
-arizona_stork2: set_file_flags pass, "1"
-arizona_stork2: set_file_flags_list "1"
-arizona_stork2: bind_socket sockname=64?:*
-
-# give CoMon the necessary permissions to run slicestat
-princeton_slicestat: exec "root", pass, "/usr/local/planetlab/bin/pl-ps", none
-princeton_slicestat: exec "root", pass, "/usr/sbin/vtop", "bn1", none
-princeton_slicestat: open_file file=/proc/virtual/*/cacct
-princeton_slicestat: open_file file=/proc/virtual/*/limit
-princeton_comon: open_file file=/var/log/secure
-princeton_comon: exec "root", pass, "/bin/df", "/vservers", none
-
-# give pl_slicedir access to /etc/passwd
-pl_slicedir: open_file pass, "/etc/passwd"
-
-# netflow now runs in a slice so needs various accesses
-pl_netflow: open file=/etc/passwd, flags=r
-pl_netflow: open_file file=/etc/passwd
-pl_netflow: create_socket
-pl_netflow: bind_socket
-
-# nyu_d are building a DNS demux so give them access to port 53
-nyu_d: bind_socket
-nyu_oasis: bind_socket
-
-# QA slices need to be able to create and delete bind-mounts
-pl_qa_0: mount_dir
-pl_qa_1: mount_dir
-
-# irb_snort needs packet sockets for tcpdump
-irb_snort: create_socket
-
-# uw_ankur is using netlink sockets to do the same thing as netflow
-uw_ankur: create_socket
-
-# cornell_codons gets access to port 53 for now
-cornell_codons: create_socket
-
-# give Mic Bowman's conf-monitor service read-only access to root fs
-# and the ability to run df
-idsl_monitor: mount_dir "root:/", pass, "ro"
-idsl_monitor: unmount
-idsl_monitor: exec "root", pass, "/bin/df", "-P", "/", "/vservers", none
-
-# give Shark access to port 111 to run portmap
-# and port 955 to run mount
-nyu_shkr: bind_socket
-nyu_shkr: mount_dir "nfs:**:**"
-nyu_shkr: exec "root", pass, "/bin/umount", "-l", "/vservers/nyu_shkr/**", none
-
-# give tsinghua_lgh access to restricted ports
-tsinghua_lgh: bind_socket
-
-# CoDeeN needs port 53 too
-princeton_codeen: bind_socket sockname=53:*
-
-# give ucin_load access to /var/log/wtmp
-ucin_load: open_file file=/var/log/wtmp*
-
-# give google_highground permission to bind port 81 (and raw sockets)
-google_highground: bind_socket
-
-# pl_conf needs access to port 814
-pl_conf: bind_socket sockname=814:*
-pl_conf: open file=/home/*/.ssh/authorized_keys
-
-# give princeton_visp permission to read all packets sent through the
-# tap0 device
-princeton_visp: open file=/dev/net/tun, flags=rw
-
-# The PLB group needs the BGP port
-princeton_iias: bind_socket sockname=179:*
-princeton_visp: bind_socket sockname=179:*
-mit_rcp: bind_socket sockname=179:*
-
-# PL-VINI group
-mit_rcp: exec "root", pass, "/usr/bin/chrt"
-princeton_iias: exec "root", pass, "/usr/bin/chrt"
-uw_arvind: exec "root", pass, "/usr/bin/chrt"
--
2.43.0