Who dat?

XMRP50000[jcm]-a.v.reed avr at mtgzz.att.com
Wed Jul 13 03:30:10 AEST 1988


In article <2310 at rtech.rtech.com>, daveb at llama.rtech.UUCP (Dave Brower) writes:
< On a single machine, we have a suid server process.  A random client
< program wishes to connect and have the server perform some services. The
< server wants to know who the client is before doing anything. They might
< be communicating with sockets, fifos, msgs, or shared memory.
< 
< How can the server find out who the client is, in a spoof-proof and
< secure way?  On BSD, one can have the server ask the client to create a
< randomly-named file, and the server can see who the owner of the file
< is.  On SV, this fails because the client can chown it to be anyone
< else. (The same is true of msgs and shm segments).
< 
< Oh wise and knowledgeable Wizards, what is a Way?

On Sys V: Have the client tell you its uid. To verify, open a file
with mode 002 in a directory which is writable only by you, but is
readable by and known to the client. Then write newly generated
random content into that file, change the mode of the file to 004,
and chown it to the uid the client gave you. Then have the client
read its content back to you, and compare it with what you wrote
to the file. If they match, the client is who he says he is.

					Adam Reed
					mtgzz!avr
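
The challenge-file procedure from the reply above, as an added Python example that is not part of the original post. The function names, the `chal-` file prefix and the owner-only modes 0200 and 0400 are assumptions of this example, chosen so that only the claimed uid can read the challenge.

```python
import hmac
import os
import secrets
import stat
import tempfile


def issue_challenge(directory, claimed_uid):
    """Server: write a nonce to a new file in a server-only-writable directory."""
    nonce = secrets.token_hex(16)
    path = os.path.join(directory, "chal-" + secrets.token_hex(8))
    # O_EXCL refuses a file or symlink already planted under this name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o200)
    try:
        os.write(fd, nonce.encode())
        os.fchmod(fd, 0o400)  # assumed mode: readable by the owner only
        # Giving the file away needs privilege where chown is restricted.
        os.fchown(fd, claimed_uid, -1)
        st = os.fstat(fd)
        if st.st_uid != claimed_uid or stat.S_IMODE(st.st_mode) != 0o400:
            raise PermissionError("challenge file is not in the expected state")
    except BaseException:
        os.unlink(path)
        raise
    finally:
        os.close(fd)
    return path, nonce


def read_challenge(path):
    """Client: succeeds only for a process allowed to read the file."""
    with open(path) as f:
        return f.read()


def verify(path, nonce, response):
    """Server: single-use check; the file is removed whatever the outcome."""
    os.unlink(path)
    return hmac.compare_digest(nonce.encode(), response.encode())


def demo():
    # Constructed run: client and server share one uid, so no privilege is needed.
    with tempfile.TemporaryDirectory() as d:
        path, nonce = issue_challenge(d, os.getuid())
        good = verify(path, nonce, read_challenge(path))
        path, nonce = issue_challenge(d, os.getuid())
        return good, verify(path, nonce, "not-the-nonce")
```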


