Authenticating Unix Domain sockets.

Glenn S. Fowler gsf at ulysses.att.com
Thu Jan 31 01:57:41 AEST 1991


In article <11225 at jpl-devvax.JPL.NASA.GOV> lwall at jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>In article <1991Jan29.063539.2169 at objy.com> peter at objy.com writes:
>: What I would like is a guaranteed way of finding out the uid of a process
>: that just connected to me using local (same machine) IPC.
>What do you mean by "the" uid?  Given that the other end of a socket may
>be open multiple times by multiple processes, there's no guarantee of
>uniqueness.

accept() on a unix domain socket returns an fd to 1/2 of a unique r/w
stream of which the other 1/2 is returned by connect() (presumably in
another proc)

so there are only two processes in question, the accept()-process A and
the connect()-process C

the problem is to authenticate the uid of C within A

you can set up a handshake where C must pass an fd that only the owner
of the corresponding file F could have opened -- A will then fstat(fd)
and check it against stat(F), along with checks verifying that only C
could have opened F

the access rights array of send(2) and recv(2) are used to send fd's

I would also be interested in an ioctl() to get the uid of C from A

note that the streams ioctl I_RECVFD (the other side of I_SENDFD)
provides uid,gid authentication

Glenn Fowler    (908)-582-2195    AT&T Bell Laboratories, Murray Hill, NJ
uucp: {att,ucbvax}!ulysses!gsf              internet: gsf at ulysses.att.com



More information about the Comp.unix.wizards mailing list