From: Clinton Ebadi Date: Sun, 6 Jan 2013 08:33:08 +0000 (-0500) Subject: Move Acl.read from start of slave loop to firewall handling case X-Git-Tag: release_20130106 X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/4f3ef3c5a314eee12b38efa938afcbb2a27c54d6 Move Acl.read from start of slave loop to firewall handling case Reading it before blocking waiting for a message could result in stale permissions being used for a single request. --- diff --git a/src/main.sml b/src/main.sml index 6df1525..4b8123d 100644 --- a/src/main.sml +++ b/src/main.sml @@ -1657,8 +1657,7 @@ fun slave () = val _ = print ("Slave server starting at " ^ now () ^ "\n") fun loop () = - (Acl.read Config.aclFile; - case OpenSSL.accept sock of + (case OpenSSL.accept sock of NONE => () | SOME bio => let @@ -1803,16 +1802,17 @@ fun slave () = SOME "Script execution failed.")) (fn () => ())) | MsgFirewallRegen => - doIt (fn () => if Acl.query {user = user, class = "priv", value = "all"} then - if List.exists (fn x => x = host) Config.Firewall.firewallNodes then - if (Firewall.generateFirewallConfig (Firewall.parseRules ()) andalso Firewall.publishConfig ()) - then - ("Firewall rules regenerated.", NONE) - else + doIt (fn () => (Acl.read Config.aclFile; + if Acl.query {user = user, class = "priv", value = "all"} then + if List.exists (fn x => x = host) Config.Firewall.firewallNodes then + if (Firewall.generateFirewallConfig (Firewall.parseRules ()) andalso Firewall.publishConfig ()) + then + ("Firewall rules regenerated.", NONE) + else ("Rules regeneration failed!", SOME "Script execution failed.") else ("Node not controlled by domtool firewall.", SOME (host)) - else - ("Not authorized to regenerate firewall.", SOME ("Unauthorized user " ^ user ^ " attempted to regenerated firewall"))) + else + ("Not authorized to regenerate firewall.", SOME ("Unauthorized user " ^ user ^ " attempted to regenerated firewall")))) (fn () => ()) | _ => (OpenSSL.close bio;