Skip to content

Security Enhancement

Jump to bottom
Esteban Chacon Martin edited this page Aug 20, 2022 · 1 revision

This security enhancement provides a real user ‘system user’ mechanism to enforce trough the file system driver the directory and file access permission. It works in one of the following ways:

  • Single-user:

The TFProtocol deployment creates a default user for the protocol daemon. The daemon works on behalf this user and there is no need for further settings, and login it is not required. In this case every connection to the protocol will work with that user permission.

  • Multi-user:

The TFProtocol does not define any default user; instead, it defines a set of user/password pairs. In this case, once the connection is established, the client should call as a first command ‘LOGIN’ to login at the server. If the user/password combination is a valid one, the server will use that user as the persona of the process. The fundamental difference in regards to the ‘Single-user’ mentioned above is that every connection can login with a different user and thus its respective access permission.

This way every client using the protocol can create directories and files with ownership and security access enforced by the file-system driver. This allows clients, if used properly, to have directories and files that no one else can read/write.

Only the following commands can be called before LOGIN:

END, KEEPALIVE, and PROCKEY

In order to allow this security enhancement to work, the protocol defines a few special commands for this task: LOGIN, CHMOD,CHOWN.

You can find more information in the next section.

In-jail:

The TFProtocol deployment sets whether in-jailing will be required or not. The term in-jail refers to restrict the access of the TFProtocol daemon to a particular directory. Is in-jailing is required, it has to be called after a possible login requirement, but before every other command. For further information see the INJAIL command documentation.

Only the following commands can be called before INJAIL if multi- user is set:

END, LOGIN, KEEPALIVE, and PROCKEY If single-user is set, only the END command can be called before INJAIL.

Only the following commands can be called before INJAIL if multi- user is set.

drawing

Our website GoDjango

TFProtocol

Clone this wiki locally