Re: Extended SCM_RIGHTS for AF_UNIX sockets

Eric W. Biederman (ebiederm@cse.unl.edu)
24 Jul 1996 18:00:32 -0500


malcolm.beattie@computing-services.oxford.ac.uk (Malcolm Beattie) writes:

> We can now pass file descriptors down Unix domain sockets with
> an SCM_RIGHTS control message in sendmsg() but can't easily
> tell for *certain* who sent them to us. [Guesses made via
> getpeername and stat are subject to minor attacks.]

First, I don't have a clue what these minor attacks are.
But I would like to know what is wrong with using Unix domain stream
sockets as capabilities, if simple solutions like getpeername don't
work.
Authentication might be a little more difficult to write, but it would
be more portable, working both on BSD and probably SysV as well,
and with a little work on systems like Mach :)

Unless you really want to be uptight about exactly which process you
are communicating with (as authenticating file descriptors can be
passed on), I suspect a capabilities-based approach would be
cleaner. Of course, if you want to start sending signals to the other
process this could be difficult.

The only reason I can imagine a need for a nicer set of operations is
if we start implementing STREAMS over sockets.

Just some random thoughts,
Eric