From owner-freebsd-hackers Fri May 4 17: 7:46 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id EFCE737B424
	for ; Fri, 4 May 2001 17:07:43 -0700 (PDT)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id f4507cW04458;
	Fri, 4 May 2001 17:07:38 -0700 (PDT)
Date: Fri, 4 May 2001 17:07:38 -0700
From: Alfred Perlstein
To: Dima Dorfman
Cc: hackers@FreeBSD.ORG
Subject: Re: Getting peer credentials on a unix domain socket
Message-ID: <20010504170738.U18676@fw.wintelcom.net>
References: <20010504230540.00BEE3E0B@bazooka.unixfreak.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010504230540.00BEE3E0B@bazooka.unixfreak.org>; from dima@unixfreak.org on Fri, May 04, 2001 at 04:05:39PM -0700
X-all-your-base: are belong to us.
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Dima Dorfman [010504 16:06] wrote:
> Is there a reliable method of obtaining the credentials (uid/gid) of a
> peer (SOCK_STREAM sockets only, obviously) on a unix domain socket?
> All the Stevens books I have suggest that there isn't, but I'm
> wondering if something has been developed since those books were
> published. Note that a BSD/OS-like LOCAL_CREDS socket opt is not
> sufficient because using the latter the process must wait until the
> peer sends something before they can learn its credentials. If this
> process intends to drop the connection if it's not from an authorized
> source, this may lead to a DoS attack. Timers don't help, either;
> think of TCP SYN flood-like attacks.

Someone had some patches for a getpeercreds() syscall, but I wasn't
happy with it considering we already have the sendmsg() stuff to
pass credentials along with the fact that the initial creator of
a socket may be long gone before it's used to connect to something.

-- 
-Alfred Perlstein - [alfred@freebsd.org]
Represent yourself, show up at BABUG http://www.babug.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
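
The wait described in the question can be observed directly. The sketch below is an added example, not code from this thread or from FreeBSD: it assumes a Linux host and uses SO_PASSCRED/SCM_CREDENTIALS as a stand-in for the BSD/OS LOCAL_CREDS option, and the names try_read_creds and demo are hypothetical. Credentials arrive only as ancillary data on the peer's first message, so a connected but silent peer stays anonymous.

```python
import os
import socket
import struct

# Assumption: Linux struct ucred layout (pid_t pid; uid_t uid; gid_t gid).
UCRED = struct.Struct("iII")


def try_read_creds(sock):
    """Return (pid, uid, gid) carried by the next message, or None.

    None means the peer has not sent anything yet (or sent no credentials),
    which is exactly the state in which the server cannot authorize it.
    """
    try:
        _data, ancdata, _flags, _addr = sock.recvmsg(
            1, socket.CMSG_SPACE(UCRED.size))
    except BlockingIOError:
        return None  # connected but silent peer: nothing to inspect
    for level, ctype, payload in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return UCRED.unpack(payload[:UCRED.size])
    return None


def demo():
    """Show the receiver's view before and after the peer's first byte."""
    # Constructed setup: both ends live in this process for the demo.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        # Ask the kernel to attach sender credentials to received messages.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        server.setblocking(False)
        before = try_read_creds(server)  # peer has sent nothing
        client.sendall(b"\0")            # peer's first byte
        after = try_read_creds(server)   # credentials ride on that byte
    return before, after


if __name__ == "__main__":
    print(demo())
```

A server built this way has to hold every accepted connection open until the first byte arrives, which is the resource-exhaustion concern raised in the quoted question.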