Authenticating Unix Domain sockets.
Glenn S. Fowler
gsf at ulysses.att.com
Thu Jan 31 01:57:41 AEST 1991
In article <11225 at jpl-devvax.JPL.NASA.GOV> lwall at jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>In article <1991Jan29.063539.2169 at objy.com> peter at objy.com writes:
>: What I would like is a guaranteed way of finding out the uid of a process
>: that just connected to me using local (same machine) IPC.
>What do you mean by "the" uid? Given that the other end of a socket may
>be open multiple times by multiple processes, there's no guarantee of
>uniqueness.
accept() on a unix domain socket returns an fd to 1/2 of a unique r/w
stream of which the other 1/2 is returned by connect() (presumably in
another proc)
so there are only two processes in question, the accept()-process A and
the connect()-process C
the problem is to authenticate the uid of C within A
you can set up a handshake where C must pass an fd that only the owner
of the corresponding file F could have opened -- A will then fstat(fd)
and check it against stat(F), along with checks verifying that only C
could have opened F
the access rights array of send(2) and recv(2) are used to send fd's
I would also be interested in an ioctl() to get the uid of C from A
note that the streams ioctl I_RECVFD (the other side of I_SENDFD)
provides uid,gid authentication
Glenn Fowler (908)-582-2195 AT&T Bell Laboratories, Murray Hill, NJ
uucp: {att,ucbvax}!ulysses!gsf internet: gsf at ulysses.att.com
More information about the Comp.unix.wizards
mailing list