From owner-freebsd-hackers Mon Nov 3 16:20:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA16186 for hackers-outgoing; Mon, 3 Nov 1997 16:20:52 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA16179 for ; Mon, 3 Nov 1997 16:20:46 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id QAA17506; Mon, 3 Nov 1997 16:19:50 -0800 (PST)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id QAA23690; Mon, 3 Nov 1997 16:19:49 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA10230; Mon, 3 Nov 1997 16:19:48 -0800 (PST)
From: Don Lewis
Message-Id: <199711040019.QAA10230@salsa.gv.tsc.tdk.com>
Date: Mon, 3 Nov 1997 16:19:48 -0800
In-Reply-To: Bill Paul "Re: Password verification (Was: cvs commit: ports/x11/kdebase - Imported sources)" (Nov 3, 9:52am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Bill Paul, perhaps@yes.no (Eivind Eklund)
Subject: Re: Password verification (Was: cvs commit: ports/x11/kdebase - Imported sources)
Cc: hackers@FreeBSD.ORG
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 3, 9:52am, Bill Paul wrote:
} Subject: Re: Password verification (Was: cvs commit: ports/x11/kdebase - I
} The SCM_CREDS hack will work better. For those who don't know, SCM_CREDS
} is an additional type of ancillary data that you can transmit with
} sendmsg()/recvmsg() via an AF_UNIX socket. It's similar to SCM_RIGHTS
} which, in 4.4BSD, is used to transfer a file descriptor between processes.
} The idea is that the calling process does a sendmsg() with the SCM_CREDS
} flag set and an empty control message buffer, and when the kernel sees
} this in unp_internalize(), it fills in the empty buffer with the sending
} process's credentials (UID, EUID, GID, other GIDS). When the receiving
} process does a recvmsg(), it gets a copy of the filled-in buffer and
} can use the credential info to determine the identity of the sending
} process and do access checks. If the sender does not set the SCM_CREDS flag
} when it transmits, the receiver can tell and refuse to do business with
} the sender.

I think this would be an interesting way to implement rcmd(). You send the
daemon the various rcmd() arguments, then it gets your credentials using
SCM_CREDS, authenticates you with the remote host, and then passes back the
fd() for the connected socket(s) using SCM_RIGHTS. This would eliminate the
need for rsh and rlogin to be setuid root.

The only problem that I see is that if the remote host does an ident check
it will get the wrong information (from the daemon). I suppose the daemon
could fork and setuid() before doing the connect.

--- Truck
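Both sides of the exchange Bill describes, as an added example that is not code from the thread: on FreeBSD it sends the empty SCM_CREDS control message and reads back the struct cmsgcred the kernel filled in; on Linux (an assumed analogue the thread does not mention) it uses SCM_CREDENTIALS with SO_PASSCRED, whose struct ucred layout is assumed. The socketpair, one-byte payload and function names are constructed for the demonstration.

```python
"""Kernel-supplied peer credentials over an AF_UNIX socket (added example)."""
import os
import socket
import struct

FREEBSD = hasattr(socket, "SCM_CREDS")
if FREEBSD:
    # The mechanism from the thread: an empty SCM_CREDS cmsg that unp_internalize()
    # fills with struct cmsgcred {pid, uid, euid, gid, short ngroups, gid groups[16]}.
    CRED_TYPE, CRED_FMT, UID_INDEX = socket.SCM_CREDS, "@iIIIh16I", 1
else:
    # Linux analogue (assumed, not from the thread): SCM_CREDENTIALS carries a
    # struct ucred {pid, uid, gid} that the kernel verifies against the sender.
    CRED_TYPE, CRED_FMT, UID_INDEX = socket.SCM_CREDENTIALS, "@iII", 1
CRED_LEN = struct.calcsize(CRED_FMT)


def send_with_creds(sock, payload=b"x"):
    """Sender: one message with a credentials control message attached."""
    if FREEBSD:
        creds = bytes(CRED_LEN)  # left empty on purpose; the kernel fills it in
    else:
        creds = struct.pack(CRED_FMT, os.getpid(), os.getuid(), os.getgid())
    return sock.sendmsg([payload], [(socket.SOL_SOCKET, CRED_TYPE, creds)])


def recv_sender_uid(sock):
    """Receiver: the kernel-reported uid of the peer, or None when no credentials
    arrived, which is where the daemon refuses to do business with the sender."""
    _data, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_SPACE(CRED_LEN))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == CRED_TYPE and len(data) >= CRED_LEN:
            return struct.unpack(CRED_FMT, data[:CRED_LEN])[UID_INDEX]
    return None


def creds_roundtrip():
    """Round trip over a constructed socketpair; True when the uid the kernel
    reports for the peer is our own real uid."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        if not FREEBSD:
            # Linux only delivers the credentials cmsg if the receiver asked for it.
            b.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        send_with_creds(a)
        return recv_sender_uid(b) == os.getuid()
```

Note that the two kernels differ on the refusal case Bill mentions: on FreeBSD a sender that omits SCM_CREDS leaves the receiver with no credentials at all, whereas Linux with SO_PASSCRED attaches the sender's credentials whether or not the sender asked.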