From: Terry Lambert
Reply-To: tlambert2@mindspring.com
Date: Wed, 27 Jun 2001 10:30:58 -0700
To: Dima Dorfman
Cc: arch@FreeBSD.ORG
Subject: Re: Peer credentials on a Unix domain socket
Message-ID: <3B3A1852.3C0027EC@mindspring.com>
References: <20010627070628.AB5F13E2F@bazooka.unixfreak.org>

Dima Dorfman wrote:
> Currently, there is no reliable way for a server listening on a Unix
> domain socket to find out the credentials of its peer until the peer
> sends something over the socket. Finding its credentials can be
> useful if the server only wants to accept connections from certain
> users. We already have SCM_CREDS, which will send the peer's
> credentials along with a message, but this is *not* sufficient as it
> may be unacceptable for the server to wait until the peer sends
> something; think of DoS attacks. Times don't help, either; think of
> SYN flood-like attacks.

It would be useful if this were more general than you are making it.
In particular, it would be useful to provide the ability to have a
daemon that would sit on a FIFO, and then when people make requests
to "connect" (or "bind" or even "socket"), to administratively deny
the request and have their system call return EADMIN. The request
would be sent up the FIFO only if there were a listener, and would,
of course, be capable of timing out.

This is the same local credentials check you appear to want to do,
but it must be extended, since there would be an in-kernel proxy
acting as a "man in the middle".

Consider a dialup gateway, which wants to permit some traffic to
bring the link up, but wants to stop other traffic before it becomes
"demand". This can't be done by port, since you may wish to permit
one application or user ID to bring the link up as a result of a DNS
request, but not another (e.g. sendmail vs. IRC vs. HTTP). This also
means that I would need to be able to set a "demand source" as part
of my credential, not just use the credentials raw.

Other than your uipc_ctloutput() function, which seems the wrong
name, and the lack of generality in the function for future expansion
(e.g. no "switch" statement), this looks like a good start on
something that could be more generally useful.

-- Terry