Date: Thu, 11 Jul 2013 14:09:43 GMT From: Nicholas Wilson <nicholas@nicholaswilson.me.uk> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/180468: LOCAL_PEERCRED support for PF_INET Message-ID: <201307111409.r6BE9hKc032593@oldred.freebsd.org> Resent-Message-ID: <201307111410.r6BEA0Q2096123@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 180468 >Category: kern >Synopsis: LOCAL_PEERCRED support for PF_INET >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Jul 11 14:10:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Nicholas Wilson >Release: 9.1-RELEASE >Organization: >Environment: >Description: It would be very nice if inet connections over loopback supported LOCAL_PEERCRED. On Solaris, when you make a connection over a loopback device, getpeerucred "just works" and gives you the pid and uid of the connecting process on the local system. This could be used to easily enhance the security of programs like OpenSSH: the ssh-agent uses a domain socket with getpeereid to verify the identity of connecting users, but if I run "ssh -D localhost:9999 ..." it runs an inet listener that any user can connect to. Being able to use the same credentials check here would be handy and plug a gap in our API. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307111409.r6BE9hKc032593>