From owner-freebsd-hackers Tue Nov 26 08:23:57 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA10851 for hackers-outgoing; Tue, 26 Nov 1996 08:23:57 -0800 (PST)
Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA10845 for ; Tue, 26 Nov 1996 08:23:51 -0800 (PST)
Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id LAA09155; Tue, 26 Nov 1996 11:22:19 -0500
From: Bill Paul
Message-Id: <199611261622.LAA09155@skynet.ctr.columbia.edu>
Subject: Re: looking for an idea
To: michaelh@cet.co.jp (Michael Hancock)
Date: Tue, 26 Nov 1996 11:22:17 -0500 (EST)
Cc: jlemon@americantv.com, hackers@freebsd.org
In-Reply-To: from "Michael Hancock" at Nov 26, 96 10:50:38 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Of all the gin joints in all the towns in all the world, Michael Hancock had to walk into mine and say:

> On Tue, 26 Nov 1996, Hr.Ladavac wrote:
>
> > Won't work on SysV. Anyone can chown(2) his own files to anyone else.
> > The funny thing about it is that they claim they support quotas :)
>

Oooo... I forgot about the SysV chown(2) behavior for a minute there. But I'm only looking to solve this problem on BSD for now.

I've refined the message queue idea a little, and it seems to work well. Basically, the caller needs to set up a message queue with a key that it chooses. (For now, I'm using the RPC XID for the transaction as the key, though the caller can pick any number.) The caller also specifies AUTH_UNIX authentication. Normally, AUTH_UNIX authentication uses an empty verifier; what I do is use the key for the message queue as the verifier instead. This verifier is sent to the server as part of the RPC process along with the usual AUTH_UNIX credentials.

Before it does the actual RPC, the client sends a message through the queue containing its PID. Normally, _svcauth_unix() discards the verifier since it expects it to be null, but it's easy to tweak it so that it copies it to the right place in the transport handle. The server can then get the message queue key and read the message sent by the client. The server then does an IPC_STAT on the message queue and checks that:

o the creator UID and owner UID are the same (and match the UID specified in the AUTH_UNIX credentials)
o the mode of the message queue is 0600
o msg_lspid (the last PID to do a msgsnd()) is the same as the PID sent in the message

If all these things are true, the server assumes that the creator UID of the message queue is the real UID of the caller. It saves this UID, then destroys the queue.

I could probably whip up something similar using the file descriptor passing idea, but this would involve creating a file and then having the server remove it. This could be messy if NFS is involved, and although I can't prove it, I think it would be a little slower than using message queues (I say this mainly because the filesystem support is more complex than the message queue support).

> Modern SysV uses BSD semantics. I think XOpen requires it.

Somebody should tell SGI then. IRIX defaults to the 'anybody can chown()' behavior, unless you explicitly turn it off either with systune or by editing one of the kernel config files and rebuilding the kernel.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
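The message-queue ownership check described in the message above, written out as an added C example; this is not code from the mail, from Bill Paul, or from FreeBSD's RPC library. It assumes the System V IPC calls (msgget, msgsnd, msgrcv, msgctl) and a constructed message layout `struct pid_msg` holding only the client's PID. The key normally arrives at the server inside the AUTH_UNIX verifier; here it is passed as a plain parameter, and the constructed key value 0x1a2b3c4d stands in for the RPC XID. Both sides run in one process so the example can be tried offline; in the real design the client and the RPC server are separate processes, and reading a 0600 queue owned by another user needs the privileges an RPC server would run with.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <unistd.h>

/* Message the client drops into the queue: just its PID. The layout is an
 * assumption of this example; the mail only says the message carries the PID. */
struct pid_msg {
    long  mtype;   /* msgsnd() requires a positive type */
    pid_t pid;
};

/* Client side: create a queue under the chosen key (the same value the client
 * would send as the AUTH_UNIX verifier) and send its PID through it.
 * Returns the queue id, or -1 with errno set. */
int client_setup_queue(key_t key, pid_t pid, int mode)
{
    int qid = msgget(key, IPC_CREAT | IPC_EXCL | mode);
    if (qid < 0)
        return -1;
    struct pid_msg m = { .mtype = 1, .pid = pid };
    if (msgsnd(qid, &m, sizeof m.pid, 0) < 0) {
        int e = errno;
        msgctl(qid, IPC_RMID, NULL);
        errno = e;
        return -1;
    }
    return qid;
}

/* Server side: given the key from the verifier and the UID claimed in the
 * AUTH_UNIX credentials, apply the three checks from the mail and destroy the
 * queue. Returns 0 and fills *real_uid on success, -1 on any failed check. */
int server_verify_caller(key_t key, uid_t claimed_uid, uid_t *real_uid)
{
    int qid = msgget(key, 0);
    if (qid < 0)
        return -1;

    struct pid_msg m;
    struct msqid_ds ds;
    int ok = 1;

    /* IPC_NOWAIT: an honest client has already sent; never block on a caller. */
    if (msgrcv(qid, &m, sizeof m.pid, 0, IPC_NOWAIT) < 0)
        ok = 0;
    if (msgctl(qid, IPC_STAT, &ds) < 0)
        ok = 0;

    if (ok) {
        /* creator UID == owner UID == UID from the AUTH_UNIX credentials */
        if (ds.msg_perm.cuid != ds.msg_perm.uid || ds.msg_perm.uid != claimed_uid)
            ok = 0;
        /* queue mode must be exactly 0600: no group or other access */
        if ((ds.msg_perm.mode & 0777) != 0600)
            ok = 0;
        /* the last msgsnd() PID must match the PID the client put in the message */
        if (ds.msg_lspid != m.pid)
            ok = 0;
    }

    /* The queue is single-use: remove it whether or not the checks passed. */
    msgctl(qid, IPC_RMID, NULL);

    if (!ok)
        return -1;
    *real_uid = ds.msg_perm.cuid;
    return 0;
}

/* Run the whole exchange in one process. Returns 0 if the server accepted the
 * caller (and fills *out_uid), 1 if it rejected the queue, -1 if the client
 * could not even create it. */
int demo_round_trip(key_t key, int mode, uid_t claimed_uid, uid_t *out_uid)
{
    int stale = msgget(key, 0);          /* clean up a queue left by a crash */
    if (stale >= 0)
        msgctl(stale, IPC_RMID, NULL);
    if (client_setup_queue(key, getpid(), mode) < 0)
        return -1;
    return server_verify_caller(key, claimed_uid, out_uid) == 0 ? 0 : 1;
}

/* Probe whether System V message queues are usable in this environment. */
int sysv_msg_available(void)
{
    int q = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (q < 0)
        return 0;
    msgctl(q, IPC_RMID, NULL);
    return 1;
}

int main(void)
{
    uid_t u = (uid_t)-1;
    int r = demo_round_trip(0x1a2b3c4d, 0600, getuid(), &u);   /* constructed key */
    printf("0600 queue, matching uid: %s\n", r == 0 ? "accepted" : "rejected");
    r = demo_round_trip(0x1a2b3c4d, 0644, getuid(), &u);
    printf("0644 queue: %s\n", r == 0 ? "accepted" : "rejected");
    return 0;
}
```

The server removes the queue on every path, not only after a successful check, so a rejected or half-finished transaction leaves nothing behind for a later caller to reuse; msgrcv() is called with IPC_NOWAIT so a client that never sent its PID cannot stall the server. Note that msgrcv() updates msg_lrpid, not msg_lspid, so reading the message before IPC_STAT does not disturb the PID comparison.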