[Linux-ha-dev] Bind/stat option for IPC Authentication

Andrew lists at beekhof.homeip.net
Fri Jun 18 16:19:44 MDT 2004


On Jun 18, 2004, at 10:02 PM, Alan Robertson wrote:

> Andrew wrote:
>> On Jun 18, 2004, at 8:09 PM, Alan Robertson wrote:
>>> Andrew Beekhof wrote:
>>>
>>>> I'm looking to apply the attached patch for providing IPC 
>>>> Authentication on machines that don't support SO_PEERCRED, SCM_CREDS 
>>>> or any of the other current options.
>>>>  From the patch:
>>>> +     * This implementation has been adapted from "Advanced 
>>>> Programming
>>>> +     *   in the Unix Environment", Section 15.5.2, by W. Richard 
>>>> Stevens.
>>>> I have taken the liberty of replacing USE_DUMMY_CREDS as I believe 
>>>> this should be portable - Matt perhaps you would like to test this 
>>>> for Solaris.  If this turns out not to be the case I will happily 
>>>> add USE_DUMMY_CREDS back in also.
>>>> Also, the choice for which option to use has been moved earlier in 
>>>> the file so that it can be observed by socket_client_channel_new().
>>>
>>>
>>> This sounds generally reasonable.
>>>
>>> From all I can tell from reading the web and Solaris documentation, 
>>> Solaris doesn't support any authentication options of any kind 
>>> for sockets...  If I understand correctly, it only supports 
>>> authentication for streams-based communications.
>>>
>>> So, I believe you'll have to restore the USE_DUMMY_CREDS section of 
>>> code...
>> Bugger, I thought because it is essentially stating a file (created 
>> by the bind() call) it might help them too.
>
> OK... Then I didn't understand what you're doing...  I don't have that 
> particular Stevens book.

I also have his IPC book on order :)

>
> If this is the method I'm thinking of, then it has some problems:
> 	group information can be forged because of the existence of chgrp
> 	user id information can be forged on any system which allows chown
>
> Does that sound right?

Pretty much.  I agree it's far from perfect, but the way I looked at it, 
it was better than nothing at all.

Do we need to reauthenticate at all?  We could unlink the socket after 
it was first authenticated to reduce the exposure.

Another option that might be possible is to send a local copy of the 
ucred structure to the server as ancillary data.  If Stevens can send a 
file-descriptor, we can surely send credentials.

It's a little less automatic but what do you think?


>
> -- 
>     Alan Robertson <alanr at unix.sh>
>
> "Openness is the foundation and preservative of friendship...  Let me 
> claim from you at all times your undisguised opinions." - William 
> Wilberforce
>
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev at lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
