"Oliver Elphick" <olly@lfix.co.uk> writes: > It is indeed the case that ident is needed to allow local access without > a password. I understand that this presents a small security risk on the > server. I think README.Debian or somesuch should tell why ident is necessary, and perhaps also how one can restrict ident access (e.g. by firewalling port 113 except for localhost). > In case anyone should ask why the server cannot authenticate directly, > communication between front- and back-ends is done through a Unix socket > and therefore it is not possible for the back-end to know the identity > of the user at the front-end. That's not true for Linux 2.[24].x at least. One can use getsockopt(..., SO_PEERCRED, ...) to get the uid of the other end. It would be nice if you could request that as an upstream feature. -- Robbe
Attachment:
signature.ng
Description: PGP signature