[src/trunk]: src/lib/librump add some notes on access control

[pooka <pooka%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/ab82dae0ff2a
branches:  trunk
changeset: 761791:ab82dae0ff2a
user:      pooka <pooka%NetBSD.org@localhost>
date:      Mon Feb 07 22:04:36 2011 +0000

description:
add some notes on access control

diffstat:

 lib/librump/rump_sp.7 |  14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diffs (35 lines):

diff -r 81131c1a1bd5 -r ab82dae0ff2a lib/librump/rump_sp.7
--- a/lib/librump/rump_sp.7     Mon Feb 07 21:39:47 2011 +0000
+++ b/lib/librump/rump_sp.7     Mon Feb 07 22:04:36 2011 +0000
@@ -1,4 +1,4 @@
-.\"     $NetBSD: rump_sp.7,v 1.3 2011/01/25 14:05:43 pooka Exp $
+.\"     $NetBSD: rump_sp.7,v 1.4 2011/02/07 22:04:36 pooka Exp $
 .\"
 .\" Copyright (c) 2010 Antti Kantee.  All rights reserved.
 .\"
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 16, 2010
+.Dd February 7, 2011
 .Dt RUMP_SP 7
 .Os
 .Sh NAME
@@ -79,6 +79,16 @@
 modifying the shell prompt is recommended -- this is analoguous
 to the visual clue you have when you login from one machine to
 another.
+.Ss Client credentials and access control
+The current scheme gives all connecting clients root credentials.
+It is recommended to take precautions which prevent unauthorized
+access.
+For a unix domain socket it is enough to prevent access to the
+socket using file system permissions.
+For TCP/IP sockets the only available means is to prevent network
+access to the socket with the use of firewalls.
+More fine-grained access control based on cryptographic credentials
+may be implemented at a future date.
 .Sh EXAMPLES
 Get a list of file systems supported by a rump kernel server
 (in case that particular server does not support file systems,