From owner-freebsd-hackers Tue Aug 8 11:28:51 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from netplex.com.au (adsl-63-207-30-186.dsl.snfc21.pacbell.net [63.207.30.186]) by hub.freebsd.org (Postfix) with ESMTP id 1B28937B835 for ; Tue, 8 Aug 2000 11:28:40 -0700 (PDT) (envelope-from peter@netplex.com.au) Received: from netplex.com.au (peter@localhost [127.0.0.1]) by netplex.com.au (8.9.3/8.9.3) with ESMTP id LAA75113; Tue, 8 Aug 2000 11:28:16 -0700 (PDT) (envelope-from peter@netplex.com.au) Message-Id: <200008081828.LAA75113@netplex.com.au> X-Mailer: exmh version 2.1.1 10/15/1999 To: "William E. Baxter" Cc: freebsd-hackers@FreeBSD.ORG, bright@wintelcom.net Subject: Re: getpeereid() syscall patch for FreeBSD 4.0 In-Reply-To: <20000808121849.A27414@zeus.superscript.com> Date: Tue, 08 Aug 2000 11:28:16 -0700 From: Peter Wemm Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG "William E. Baxter" wrote: > With getpeereid() the credentials are passed at connect() and do not > require the client to send data. Therefore clients cannot consume > connections anonymously. In the patch: + error = copyout((caddr_t) &g, (caddr_t)(uap->egid), sizeof(gid_t)); + return (error); ... Passing only one gid is nearly useless. You should copy them all or not at all. I would like to see real and effective uid's as well. For what it's worth, we presently use SCM_CREDS in our RPC library to verify identity. This is mainly for keyserv and rpc.yppasswdd. The biggest problem with a "get the other side's credential" type operation is that it is ambiguous in the case of forked or shared fd's. Also, what about the case of changing uids? Do you give it the current uid or the uid at time of connection? SCM_CREDS has the ability for the client to authenticate at exactly the right time and without ambiguity. > W. > > On Tue, Aug 08, 2000 at 09:35:28AM -0700, Alfred Perlstein wrote: > > > > I haven't used the credential passing feature of sendmsg(), but I > > was wondering what advantages this has over being able to pass > > kernel verified id's through a unix domain socket using SCM_CREDS. > > My reading of UNP seems to indicate that it offers the same features. > > > > > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] > > "I have the heart of a child; I keep it in a jar on my desk." > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-hackers" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-hackers" in the body of the message > Cheers, -Peter -- Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au "All of this is for nothing if we don't go to the stars" - JMS/B5 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message