RPC == setuid procedure call?

Nathaniel Mishkin mishkin at apollo.COM
Thu Aug 25 22:54:00 AEST 1988


In article <6890 at umn-cs.cs.umn.edu> randy at umn-cs.UUCP (Randy Orrison) writes:
>I'm starting to learn about RPC for a project we're working on here, and I've
>come up with a question:
>
>	Is local RPC (i.e. Remote Procedure Call to a server on the local
>	host) usable as a setuid procedure call?
>
>It seems to me that if the RPC server is running as uid root, and you make an
>RPC to it, it should be able to do things for you, as root.  Is there a
>problem with this?  (Other than the obvious one of validating the caller
>for what he wants done!)
>
>Is this difficulty severe enough that only root should be allowed to make
>RPCs to a RPC server running as root?

I can't quite tell whether you're worried about a security problem or
trying to decide whether this property is a good idea.

Clearly it's up to all servers to decide whether they should perform
any given request made by a client.  Many RPC applications written to
date have just punted on the issue because either (a) it was too hard
to do authentication (and people were willing to assume a generally
trustworthy environment), or (b) what the servers did just wasn't that
sensitive (e.g. if the remote procedure is one that returns the number
of logged in users the server really doesn't care who's making the
request).  As more applications are written both of these cases will
tend to be less common.

One way of thinking about all this is that system calls (e.g. open, read,
write, fork, etc.) are just special cases of remote calls where the kernel
is the server, the user space application is the client, and the source
and target machines of the call are identical.  Given the nature of the
user-space / kernel relationship, the kernel can "know" the identity
of the caller and decide whether the operation should be performed.  This
isn't just random musings.  At Apollo we'd like to implement certain
kernel functionality as specially privileged (user-space) RPC server
processes that would get (at least most of) their calls from local clients.
(In fact, I think this is the basic model of Topaz, the DEC SRC operating
system.)  Thus, some things that are currently "system calls" (real traps
to the kernel) would become "remote" calls to local processes.  (Obviously
this scheme requires that intra-machine RPC be implemented efficiently
since you won't have "the slow network" to blame any more when the calls
don't go fast.)



-- 
                    -- Nat Mishkin
                       Apollo Computer Inc., Chelmsford, MA
                       mishkin at apollo.com



More information about the Comp.unix.wizards mailing list