Re: Extended SCM_RIGHTS for AF_UNIX sockets

really kuznet@ms2.inr.ac.ru (inr-linux-kernel@ms2.inr.ac.ru)
24 Jul 1996 18:11:05 +0400


Marty Leisner (leisner@sdsp.mc.xerox.COM) wrote:
: > We can now pass file descriptors down Unix domain sockets with
: > an SCM_RIGHTS control message in sendmsg() but can't easily
: > tell for *certain* who sent them to us. [Guesses made via
: > getpeername and stat are subject to minor attacks.] SysV file
: > descriptor passing uses a STREAMS I_SENDFD and the receiver gets
: > the sender's euid and egid. I'd like to add something like
: > SCM_XRIGHTS to Linux which would behave like SCM_RIGHTS on the
: > sender side but the receiver gets a control message containing:
: > uid_t uid;
: > gid_t gid;
: > pid_t pid;
: > int fd[...];
: > instead of just the array of descriptors. Notice that the trivial
: > case is also useful. The sender can send zero file descriptors with
: > SCM_RIGHTS and the receiver can verify who sent the message, both
: > uid/gid and the PID of the sender. Would anyone mind if I added this
: > extension?
: >

: I don't see why it's necessary...you can devise a protocol where this
: information is in the data field...

It is necessary. Without this feature, a participant in socket communication
never knows exactly who its peer is.

Authentication information in the data field can be easily forged,
which makes it useless. A spectacular example is AUTH_SYS "authentication"
in Sun RPC, which has nothing to do with real authentication.

Credentials passing was introduced in SVR4 not only for I_SENDFD;
it is the main idea of SVR4 TIRPC.

Alexey Kuznetsov.
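
An added illustration of the argument in this message, not code from the thread: the receiver compares a uid claimed in the data field with the credentials the kernel attaches to the same message. It assumes Linux's SO_PASSCRED option and SCM_CREDENTIALS control message (an interface the messages above do not mention) rather than the proposed SCM_XRIGHTS; the function names are hypothetical.

```python
import os
import socket
import struct

# Layout of Linux's struct ucred: pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def send_claim(sock, claimed_uid):
    """Sender side: a uid written into the data field.

    The sender chooses this value freely, so it proves nothing.
    """
    sock.sendmsg([struct.pack("I", claimed_uid)])


def recv_with_creds(sock):
    """Receiver side: return (uid claimed in data, kernel-supplied (pid, uid, gid))."""
    data, ancdata, _flags, _addr = sock.recvmsg(4, socket.CMSG_SPACE(UCRED.size))
    claimed_uid = struct.unpack("I", data)[0]
    kernel_creds = None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            kernel_creds = UCRED.unpack(cdata[:UCRED.size])
    return claimed_uid, kernel_creds


def demo(forged_uid=0):
    """Send a (possibly false) uid claim over an AF_UNIX socketpair."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with a, b:
        # Receiver asks the kernel to attach the sender's credentials
        # to every message it receives on this socket.
        b.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        send_claim(a, forged_uid)
        return recv_with_creds(b)


if __name__ == "__main__":
    claimed, (pid, uid, gid) = demo(forged_uid=0)
    print(f"data field claims uid={claimed}")
    print(f"kernel reports pid={pid} uid={uid} gid={gid}")
    # A receiver that authorises on the data field trusts the sender's word;
    # one that authorises on the control message trusts the kernel.
    print("claim matches kernel:", claimed == uid)
```
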