From owner-freebsd-hackers Fri May 4 20:22:17 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 9211D37B423; Fri, 4 May 2001 20:22:13 -0700 (PDT) (envelope-from dima@unixfreak.org) Received: from spike.unixfreak.org (spike [63.198.170.139]) by bazooka.unixfreak.org (Postfix) with ESMTP id 3FD923E0B; Fri, 4 May 2001 20:22:13 -0700 (PDT) To: "William E. Baxter" Cc: hackers@freebsd.org, alfred@freebsd.org Subject: Re: Getting peer credentials on a unix domain socket In-Reply-To: <20010504214702.A29392@zeus.superscript.com>; from web@superscript.com on "Fri, 4 May 2001 21:47:02 -0400" Date: Fri, 04 May 2001 20:22:13 -0700 From: Dima Dorfman Message-Id: <20010505032213.3FD923E0B@bazooka.unixfreak.org> Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG "William E. Baxter" writes: > On Fri, May 04, 2001 at 05:07:38PM -0700, Alfred Perlstein wrote: > > * Dima Dorfman [010504 16:06] wrote: > > > Is there a reliable method of obtaining the credentials (uid/gid) of a > > > peer (SOCK_STREAM sockets only, obviously) on a unix domain socket? > > > All the Stevens books I have suggest that there isn't, but I'm > > > wondering if something has been developed since those books were > > > published. Note that a BSD/OS-like LOCAL_CREDS socket opt is not > > > sufficient because using the latter the process must wait until the > > > peer sends something before they can learn its credentials. If this > > > process intends to drop the connection if it's not from an authorized > > > source, this may lead to a DoS attack. Timers don't help, either; > > > think of TCP SYN flood-like attacks. > > > > Someone had some patches for a getpeercreds() syscall, but I wasn't > > happy with it considering we already have the sendmsg() stuff to pass > > credentials along with the fact that the initial creator of a socket > > may be long gone before it's used to connect to something. > > > I wrote that patch. Links to my patches appear at > > http://www.superscript.com/patches/intro.html Cool! Actually, I wrote a patch[1] to implement something simlar before sending my original e-mail. I looked at your patches, and it seems the main difference is that mine uses the getsockopt interface instead of a system call, and mine uses struct xucred which, I believe, is the correct way of passing user credentials to the userland (this structure didn't exist in FreeBSD 4.0, which is what it looks like your patch is against). Other than that they do pretty much the same thing :-). > Explanatory material and links to the same appear at > > http://www.superscript.com/ucspi-ipc/getpeereid.html > > My patch is designed to satisfy these conditions: > > 1. Server can obtain credentials of connect() caller (effective uid and gid suffice). > 2. Server can obtain credentials without depending on client to send data. > > Having met these conditions, it is nearly trivial to create privileged servers > that run behind a unix socket, in an environment under their own control. In > many instances one can replace setuid programs with such servers. Just to expand on that a little more (for others on the list), consider crontab(1). It's setuid root right now. Obviously that's not good. One way of getting rid of that setuid bit is to have cron(8) (or another daemon) listen on a world-writable unix domain socket, and have crontab(1) just be a user interface which sends the information via that socket. With some mechanism to get the credentials of the user that connected, this would be possible. Regards, Dima Dorfman dima@unixfreak.org [1] http://www.unixfreak.org/~dima/home/peercred.diff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message