Date:      Tue, 26 Nov 1996 11:22:17 -0500 (EST)
From:      Bill Paul <wpaul@skynet.ctr.columbia.edu>
To:        michaelh@cet.co.jp (Michael Hancock)
Cc:        jlemon@americantv.com, hackers@freebsd.org
Subject:   Re: looking for an idea
Message-ID:  <199611261622.LAA09155@skynet.ctr.columbia.edu>
In-Reply-To: <Pine.SV4.3.95.961126224727.2581C-100000@parkplace.cet.co.jp> from "Michael Hancock" at Nov 26, 96 10:50:38 pm

Of all the gin joints in all the towns in all the world, Michael Hancock 
had to walk into mine and say: 

> On Tue, 26 Nov 1996, Hr.Ladavac wrote:
> 
> > Won't work on SysV.  Anyone can chown(2) his own files to anyone else.
> > The funny thing about it is that they claim they support quotas :)
> > 

Oooo... I forgot about the SysV chown(2) behavior for a minute there.
But I'm only looking to solve this problem on BSD for now.

I've refined the message queue idea a little, and it seems to work well.
Basically, the caller needs to set up a message queue with a key that it
chooses. (For now, I'm using the RPC XID for the transaction as the key,
though the caller can pick any number.) The caller also specifies 
AUTH_UNIX authentication. Normally, AUTH_UNIX authentication uses an empty
verifier; what I do is use the key for the message queue as the verifier
instead. This verifier is sent to the server as part of the RPC process 
along with the usual AUTH_UNIX credentials. Before it does the actual 
RPC, the client sends a message through the queue containing its PID.

Normally, _svcauth_unix() discards the verifier since it expects it to
be null, but it's easy to tweak it so that it copies it to the right place
in the transport handle. The server can then get the message queue key and
read the message sent by the client.

The server then does an IPC_STAT on the message queue and checks that:
   o the creator UID and owner UID are the same (and match the UID
     specified in the AUTH_UNIX credentials)
   o the mode of the message queue is 0600
   o msg_lspid (the last PID to do a msgsnd()) is the same as the PID
     sent in the message

If all these things are true, the server assumes that the creator UID of
the message queue is the real UID of the caller. It saves this UID, then
destroys the queue.

I could probably whip up something similar using the file descriptor
passing idea, but this would involve creating a file and then having the
server remove it. This could be messy if NFS is involved, and although
I can't prove it, I think it would be a little slower than using message
queues (I say this mainly because the filesystem support is more complex
than the message queue support).

> Modern SysV uses BSD semantics.  I think XOpen requires it.

Somebody should tell SGI then. IRIX defaults to the 'anybody can chown()'
behavior, unless you explicitly turn it off either with systune or by
editing one of the kernel config files and rebuilding the kernel.

-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
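The queue-based identity check described in the message above, written out as an added example (this is illustrative code, not Bill Paul's patch to _svcauth_unix() or any FreeBSD code). It covers both halves of the exchange: the client creates a mode-0600 queue under a key it chooses and sends its PID through it, and the server does the IPC_STAT and the three checks from the mail (creator UID equals owner UID and the AUTH_UNIX UID, mode is 0600, msg_lspid equals the PID in the message) before destroying the queue. The key value, the message layout (a long type word followed by the PID), the enum of failure reasons and the function names are all assumptions of this example; the mail uses the RPC XID as the key and does not specify the message format. It also assumes the server runs with enough privilege (root, as an RPC daemon normally would) to read a 0600 queue owned by the caller.

```c
/* Added example: message-queue proof of caller identity, after the scheme
 * sketched in Bill Paul's mail.  Not the author's code; names and the
 * message layout are this example's own choices. */
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What the client sends through the queue before issuing the RPC: its PID.
 * The mail does not fix a layout; this one is assumed here. */
struct pidmsg {
    long  mtype;   /* SysV message type, must be > 0 */
    pid_t pid;     /* payload: the client's PID */
};

enum verify_result {
    VERIFY_OK = 0,
    VERIFY_BAD_OWNER,  /* creator uid != owner uid, or != AUTH_UNIX uid */
    VERIFY_BAD_MODE,   /* queue is not mode 0600 */
    VERIFY_BAD_PID     /* last msgsnd() PID != PID carried in the message */
};

/* The three checks from the mail, as a pure function over an IPC_STAT result
 * so they can be exercised without creating a real queue. */
enum verify_result verify_queue(const struct msqid_ds *st, uid_t cred_uid,
                                pid_t claimed_pid)
{
    /* creator and owner must agree with each other and with the credentials;
     * an owner can IPC_SET the owner uid, but cuid is fixed at creation */
    if (st->msg_perm.cuid != st->msg_perm.uid || st->msg_perm.cuid != cred_uid)
        return VERIFY_BAD_OWNER;
    /* only the caller may have been able to send on the queue */
    if ((st->msg_perm.mode & 0777) != 0600)
        return VERIFY_BAD_MODE;
    /* the PID that actually did the msgsnd() must be the PID claimed */
    if (st->msg_lspid != claimed_pid)
        return VERIFY_BAD_PID;
    return VERIFY_OK;
}

/* Client side: create the queue under the chosen key (the mail uses the RPC
 * XID), mode 0600, and send our PID.  Returns the queue id or -1. */
int client_prepare(key_t key)
{
    int qid = msgget(key, IPC_CREAT | IPC_EXCL | 0600);
    if (qid < 0)
        return -1;
    struct pidmsg m = { .mtype = 1, .pid = getpid() };
    if (msgsnd(qid, &m, sizeof m.pid, 0) < 0) {
        msgctl(qid, IPC_RMID, NULL);
        return -1;
    }
    return qid;
}

/* Server side: the key arrives as the AUTH_UNIX verifier and cred_uid from
 * the AUTH_UNIX credentials.  Read the PID message, stat the queue, verify,
 * and destroy the queue whatever the outcome.  Returns the authenticated
 * uid, or (uid_t)-1 on failure. */
uid_t server_authenticate(key_t key, uid_t cred_uid)
{
    int qid = msgget(key, 0);
    if (qid < 0)
        return (uid_t)-1;
    struct pidmsg m;
    struct msqid_ds st;
    enum verify_result r = VERIFY_BAD_PID;
    if (msgrcv(qid, &m, sizeof m.pid, 0, IPC_NOWAIT) >= 0 &&
        msgctl(qid, IPC_STAT, &st) == 0)
        r = verify_queue(&st, cred_uid, m.pid);
    msgctl(qid, IPC_RMID, NULL);   /* one-shot: the queue is never reused */
    return r == VERIFY_OK ? st.msg_perm.cuid : (uid_t)-1;
}

int main(void)
{
    key_t key = 0x5a5a1234;       /* constructed; stands in for the RPC XID */
    if (client_prepare(key) < 0) {
        perror("client_prepare");
        return 1;
    }
    uid_t u = server_authenticate(key, getuid());
    if (u == (uid_t)-1) {
        puts("verification failed");
        return 1;
    }
    printf("verified caller uid %ld\n", (long)u);
    return 0;
}
```

Running main() requires a system with SysV message queues enabled; verify_queue() itself needs none, which is why the checks are kept separate from the msgget()/msgrcv() plumbing. Note that the mode check is on the permission bits only, and that the queue is removed even when verification fails, so a rejected attempt leaves nothing behind for a later caller to find under the same key.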
