There is a number of problems with network security in midas. (as separate from
web/http/https security).
1) too many network sockets are unnecessarily bound to the external network interface
instead of localhost (UDP ports are already bound to localhost on MacOS).
2) by default the RPC ports of each midas program accept connections and RPC commands
from anywhere in the world (an access control list is already implemented via
/Experiment/Security/Rpc Hosts, but not active by default)
3) mserver also has an access control list but it is not integrated with the access control list
for the RPC ports.
4) it is difficult to run midas in the presence of firewalls (midas programs listen on random
network ports - cannot be easily added to firewall rules)
There is a new git branch "feature/rpcsecurity" where I am addressing some of these
problems:
1) UDP sockets are only used for internal communications (hotlinks & etc) within one
machine, so they should be bound to the localhost address and become invisible to external
machines. This change breaks binary compatibility from old clients - they are have to be
relinked with the new midas library or hotlinks & etc will stop working. If some clients cannot
be rebuild (I have one like this), I am preserving the old way by checking for a special file in
the experiment directory (same place as ODB.SHM). (done)
2) if one runs on a single machine, does not use the mserver and does not have clients
running on other machines, then all the RPC ports can be bound to localhost. (this kills the
MacOS popups about "odbedit wants to connect to the Internet"). (partially done)
This (2) will become the new default - out of the box, midas will not listen to any external
network connections - making it very secure.
To use the mserver, one will have to change the ODB setting "/Experiment/Security/Enable
external RPC connections" and restart all midas programs (I am looking for a better name for
this odb setting).
3) the out-of-the-box default access control list for RPC connections will be set to
"localhost", which will reject all external connections, even when they are enabled by (2). One
will be required to enter the names of all machines that will run midas clients in
"/Experiment/Security/Rpc hosts". (already implemented in main midas, but default access
control list is empty meaning everybody is permitted)
4) the mserver will be required to attach to some experiment and will use this same access
control list to restrict access to the main mserver listener port. Right now the mserver listens
on this port without attaching to any experiment and accepts the access control list via
command line arguments. I think after this change a single mserver will still be able to service
multiple experiments (TBD).
5) I am adding an option to fix TCP port numbers for MIDAS programs via
"/Experiment/Security/Rpc ports/fename = (int)5555". Once a remote frontend is bound to a
fixed port, appropriate openings can be made in the firewall, etc. Default port number value
will be 0 meaning "use random port", same as now.
One problem remains with initial connecting to the mserver. The client connects to the main
mserver listener port (easy to firewall), but then the mserver connects back to the client - this
reverse connection is difficult to firewall and this handshaking is difficult to fix in the midas
sources. It will probably remain unresolved for now.
K.O. |