From: Nicholas Wilson
To: freebsd-gnats-submit@FreeBSD.org
Resent-To: freebsd-bugs@FreeBSD.org
Date: Thu, 11 Jul 2013 14:09:43 GMT
Subject: kern/180468: LOCAL_PEERCRED support for PF_INET
Message-Id: <201307111409.r6BE9hKc032593@oldred.freebsd.org>

>Number: 180468
>Category: kern
>Synopsis: LOCAL_PEERCRED support for PF_INET
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 11 14:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Nicholas Wilson
>Release: 9.1-RELEASE
>Organization:
>Environment:
>Description:
It would be very nice if inet connections over loopback supported LOCAL_PEERCRED. On Solaris, when you make a connection over a loopback device, getpeerucred "just works" and gives you the pid and uid of the connecting process on the local system. This could be used to easily enhance the security of programs like OpenSSH: the ssh-agent uses a domain socket with getpeereid to verify the identity of connecting users, but if I run "ssh -D localhost:9999 ..." it runs an inet listener that any user can connect to. Being able to use the same credentials check here would be handy and plug a gap in our API.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: