SWANS Temporary Access
SWANS is sometimes opened to all users for events that interface is hosting such as Installfests. Here's how to control this and how it works.
Control
These paths are relative to burns:/etc/swans/rmac
To enable:
www/enable.cgi: Set the tag to use for the event (in $config)
policy.rb: Allow the tag in the policy
To disable:
www/enable.cgi: Set the tag to nil in $config
policy.rb: Deny the tag in the policy
Resync the firewall (/etc/init.d/firewall restart)
How it works
In burns:/etc/swans/rmac:
www/enable.cgi: Ruby script that gets a description from the user and calls add-temp-mac.rb with the MAC address
www/index.html: The introduction, with a link to enable.cgi
users/temp: storage for temporary users
add-temp-mac.rb: Ruby script to add temporary users to users/temp and the firewall
www-data is authorised via sudo to run /etc/swans/rmac/add-temp-mac.rb with no password.
thttpd serves from /etc/swans/rmac/www
Issues:
- I've attempted to lock the users/temp file when appending to it, but I'm not convinced the current code is correct.
- add-temp-mac.rb does not check the policy before interacting directly with iptables. It should really just write the users/temp file and cause a synchronisation script to be run. The current behaviour has the curious side effect that if the new tag isn't added to the policy, all temporary MACs will go away when the firewall is reinitialized, which at the time of writing happens daily to sync with the database.
- True to the original version, non-attendees can still access SWANS while the event is running. We could consider a shared password specific to the event.
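
One way to handle the locked append to users/temp, and to keep what the web form hands to the sudo-run script well-formed, is sketched below. This is an added example, not the SWANS code: the tab-separated record layout, the tag format and every function name are assumptions.

```ruby
# Added example, not the SWANS code. The record layout (MAC, tag, description
# separated by tabs), the tag format and all names here are assumptions.
require "tempfile"

MAC_RE = /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/

# Normalise a user-supplied MAC address, or return nil unless it is exactly
# six colon- or dash-separated hex octets.
def normalise_mac(raw)
  mac = raw.to_s.strip.downcase.tr("-", ":")
  MAC_RE.match?(mac) ? mac : nil
end

# Reduce a free-text description to one printable line so it cannot inject
# extra records or fields into the file.
def clean_description(raw, max = 80)
  raw.to_s.scrub("?").gsub(/[^[:print:]]/, " ").squeeze(" ").strip[0, max]
end

# Append one record under an exclusive advisory lock. Returns the normalised
# MAC, or nil if the input was rejected (a nil tag, i.e. access disabled,
# is rejected too) and nothing was written.
def append_temp_user(path, raw_mac, tag, raw_desc)
  mac = normalise_mac(raw_mac)
  return nil unless mac && tag.to_s.match?(/\A[a-z0-9_-]{1,32}\z/)
  line = [mac, tag, clean_description(raw_desc)].join("\t") + "\n"
  File.open(path, File::WRONLY | File::APPEND | File::CREAT, 0o640) do |f|
    f.flock(File::LOCK_EX)   # blocks until other writers are done
    f.write(line)            # one write call for the whole record
    f.flush                  # push to the OS before the lock is dropped
  end                        # closing the file releases the lock
  mac
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create("temp-users") do |tmp|
    # Constructed inputs: four concurrent valid requests and one hostile one.
    threads = 4.times.map do |i|
      Thread.new { append_temp_user(tmp.path, "00-16-3E-00-00-0#{i}", "installfest", "laptop #{i}") }
    end
    threads.each(&:join)
    append_temp_user(tmp.path, "00:16:3e:00:00:01; id", "installfest", "x")
    puts File.read(tmp.path)
  end
end
```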
