[kea-dev] kea-ctrl-agent on unix socket

[Andreas Hasenack]

Hi,

together with my colleagues I'm packaging isc-kea for Ubuntu, and
Debian as a consequence.

After using the software for a while, and writing tests for it, we
realized that once you install the kea-ctrl-agent, any unprivileged
local user has unrestricted API access and can do naughty things like
kill the service, read the config file (which might have passwords for
database backends), manage leases, etc.

I know one can add http basic auth to the service, or even not install
it of course. But I think it should be a bit more secure by default
out of the box, and still be usable.

We can create a random user/password at install time, but I was
wondering if you ever considered having kea-ctrl-agent listen on its
own unix socket, and have kea-shell use that? Controlling localhost
access would be much simpler: one could just chmod/chown the socket
appropriately and then the local admin of the system can decide who to
add to the group that can use the api locally.

What we are considering for now is to either not start the service by
default (kind of against the policy of debian packaging), or create a
user with a random password in postinst, use `password-file` and
`user-file` under authentication.clients, and document that behavior,
but maybe there is another simpler way that is being used out there?