From owner-freebsd-hackers Tue Aug 8 9:26:32 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from zeus.superscript.com (zeus.superscript.com [206.234.89.16]) by hub.freebsd.org (Postfix) with SMTP id D249737B585 for ; Tue, 8 Aug 2000 09:26:20 -0700 (PDT) (envelope-from web@superscript.com) Received: (qmail 28988 invoked by uid 1008); 8 Aug 2000 16:26:02 -0000 Date: Tue, 8 Aug 2000 11:26:02 -0500 From: "William E. Baxter" To: freebsd-hackers@freebsd.org Subject: getpeereid() syscall patch for FreeBSD 4.0 Message-ID: <20000808112602.A17676@zeus.superscript.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG A patch implementing a getpeereid() syscall in FreeBSD 4.0 is available at http://www.superscript.com/patches/freebsd_4_0.getpeereid A local-domain server uses getpeereid() to obtain client credentials. Based on getpeereid() I created ucspi-ipc, a local-domain analogue to Dan Bernstein's ucspi-tcp. The project came about after I read the "Wiping out setuid programs" discussion the the BugTraq archives. At present, ucspi-ipc runs on patched OpenBSD, patched FreeBSD, and on Linux kernels that support SO_PEERCRED with getsockopt(). Using ucspi-ipc, you can easily create local-domain client/server programs that allow privileged servers to act on behalf of nonprivileged clients. No setuid programs are required, and access is configurable, based on client user and group ID. For ucspi-ipc documentation, links to the relevant background information, patches, and information about the ucspi mailing list, please visit the ucspi-ipc home page at http://www.superscript.com/ucspi-ipc/intro.html I'd like to see getpeereid(), or sufficient basis for it, incorporated into future FreeBSD releases, so that we can all use ucspi-ipc without the need for a kernel patch. Regards, W. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message