
==========================================
ORBit2 Resource File
By: Brian Cameron  <Brian.Cameron@Sun.Com>
Last Updated: 03/29/2005
==========================================

The system-wide ORBit2 Resource file is installed to $sysconfdir/orbitrc
where $sysconfdir is normally "/etc".  User's may override this file by
installing a $HOME/.orbitrc file.

ORBit2 Resource File can contain options with values, one per line.   Option
values can be of the following types, with examples

   STRING
      ORBDebugFlags=timings:types

   INT
      ORBInitialMsgLimit=15

   BOOLEAN
      ORBIIOPIPv4=1

   KEY_VALUE
	ORBInitRef=NameService=IOR_of_naming_service 

Boolean values are set in the ORBit2 resource file as follows

The ORBit2 Resource File supports the following options which have security
implications.

   ORBIIOPUSock (BOOLEAN)
   ORBIIOPUNIX (BOOLEAN)
   ORBIIOPIPv4 (BOOLEAN)
   ORBIIOPIPv6 (BOOLEAN)
   ORBLocalOnly (BOOLEAN)
   ======================

   - ORBit can be run in three modes.  These are:
     - Lock-Down Single User Mode (normal default).  This is specified with
       the ORBit ORBIIOPUSock or ORBIIOPUNIX option (they are synonymous).
       Sockets are used for all CORBA transactions.  The sockets are placed in
       a user-owned directory named /tmp/orbit-$USER with read/write/execute
       permissions only for the user.  In other words, this case boils down to
       "if you can become the user, then you can do anything as that user".  

     - Java-Interoperability, single-machine mode (default to support a11y
       with Java applications).  This is specified by using the ORBit
       ORBIIOPIPv4 or ORBIIOPIPv6 option with the ORBLocalOnly option.
       Transactions are handled over TCP/IP but connections are only allowed
       from the local machine.

     - Wide-Open.  This is specified by using the ORBit ORBIIOPIPv4 or
       ORBIIOPIPv6 option without the ORBLocalOnly option.  Transactions are
       handled over TCP/IP and connections are allowed from anywhere.
  
   - When TCP/IP is used without the ORBLocalOnly option, ORBit obviously
     becomes vulnerable to typical TCP/IP attacks including Denial-Of-Service
     attacks.  It is also vulnerable to malign use if the magic cookie used to
     protect ORBit connections were known.  Example of misuse would be spoofed
     client requests or buffer-overflow attacks.

     A case where ORBit would need to be run over TCP/IP would be if
     the user wants better session support across multiple sessions.  
     Running ORBit over TCP/IP allows various GNOME daemons to be shared
     across a network.  The system could be set up to run TCP/IP over SSH
     or SSL, though this is not how things run by default.

    It is recommended to enhance the Java ORB to work directly with ORBit
    sockets, so Java a11y could be supported without needing to make ORBit run
    over TCP/IP.

   ORBHTTPIORs (BOOLEAN)
   =====================

   - Can only be used if ORBit is configured with --enable-http which is
     non-default.  Allows HTTP connections to ORBit.

   ORBSimpleUIDs (BOOLEAN)
   =======================

   - This turns on simple cookie generation, which builds a fairly insecure magic
     cookie via the following logic

     (formatting slightly modified for readability):

     genuid_simple (guchar *buffer, int length)
     {
       static guint32 inc = 0;
       g_assert (length >= 4);
       p_memzero (buffer, length);

       if (length > 4)
               memcpy (buffer + 4, &genuid_pid, 4);
       if (length > 8)
               memcpy (buffer + 8, &genuid_uid, 4);

       INC_LOCK ();
       inc++;
       memcpy (buffer, &inc, 4);
       xor_buffer (buffer, length);
       INC_UNLOCK ();
     }


The ORBit2 Resource File supports the following options which do not have
security implications.

   ORBNamingIOR (STRING)
   =====================

   - Specifies the Naming Service IOR to the calling object.  Valid values could
     include the following:

       NameService
       RootPOA
       SecurityCurrent
       PolicyCurrent
       etc.

     The Interoperable NamingService (INS) specification introduced the
     -OrbInitRef=IOR command line option can be used to achieve this as well.

   ORBIIOPIPName (STRING)
   ORBIIOPIPSock (STRING)
   =====================

   - IP Name and Socket for the the server shall bind to and the port number to
     listen for IIOP connections.  This parameter is required for persistent
     object references (PortableServer_PERSISTENT policy).


   ORBInitialMsgLimit (INT)
   ========================

   - Amount of data accepted on first method invocation. Succeeding method
     invocations are not limited. This option is used to prevent DOS attacks - ie.
     opening a connection to service, sending huge amount of junk data.

   ORBIIOPIrDA (BOOLEAN)
   =====================

   - Disable/Enable IrDA (InfraRed Data Association) capabilities.

   ORBDebugFlags (STRING)
   =====================

   - The amount of debugging information to display.  Valid values follow, multiple
     values can be combined by using , ":" as separator.

       traces
       inproc_traces
       timings
       types
       messages
       errors
       objects
       giop
       refs
       force_threaded

   ORBCorbaloc (BOOLEAN)
   =====================

   - If set, object_to_string will create corbaloc URL terms instead of IORs, ie.
     corbaloc:iiop:1.2@gnome.org:8884/NameService%00

   ORBInitRef (KEY_VALUE)
   ======================

   - Define initial reference of generic service, ie. on command line define
     reference of NameService by -ORBInitRef=NameService=IOR:010000002800000...

