Re: Extended SCM_RIGHTS for AF_UNIX sockets

really kuznet@ms2.inr.ac.ru (inr-linux-kernel@ms2.inr.ac.ru)
26 Jul 1996 18:51:20 +0400


Eric W. Biederman (ebiederm@cse.unl.EDU) wrote:
: malcolm.beattie@computing-services.oxford.ac.uk (Malcolm Beattie) writes:

: > We can now pass file descriptors down Unix domain sockets with
: > an SCM_RIGHTS control message in sendmsg() but can't easily
: > tell for *certain* who sent them to us. [Guesses made via
: > getpeername and stat are subject to minor attacks.]

: First, I don't have a clue what these minor attacks are.
: But I would like to know what is wrong with using unix domain stream
: sockets as capabilities, if simple solutions like getpeername don't
: work.

First of all, fs based authentication is diabolically slow.
To pass one message, you will make myriads of syscalls.
If the client is careful and checks directory permissions
(else someone could unlink the socket) etc., it will be even slower.
And in any case, not 100% secure.

: Authentication might be a little more difficult to write, but it would
: be more portable. Working both on BSD, and probably SysV as well.
: And with a little work on systems like mach :)

It is not a problem. If an application is not aware of this feature,
it does not use it. The real application that needs reliable and fast
authentication is TIRPC, and it encapsulates OS features in a system
independent manner.

: The only reason I can imagine a need for a nicer set of operations is
: if we start implementing STREAMS over sockets.

Apparently, you mean TLI. Why start? Finish! 8)
I ported TIRPC (and the necessary subset of TLI) to Linux and will release it
when control messages are in the kernel. Now it is senseless,
because I change the interface every week 8)

Alexey Kuznetsov.