Xref: utzoo comp.unix.wizards:18255 comp.unix.microport:3772 Path: utzoo!attcan!utgpu!watmath!att!ulysses!smb From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin) Newsgroups: comp.unix.wizards,comp.unix.microport Subject: Re: Stream Pipes Keywords: Sys V, STREAMS Message-ID: <12178@ulysses.homer.nj.att.com> Date: 19 Sep 89 14:36:21 GMT References: <812@sdrc.UUCP> Organization: AT&T Bell Laboratories, Murray Hill Lines: 46 In article <812@sdrc.UUCP>, scjones@sdrc.UUCP (Larry Jones) writes: > On my Microport System V/386 and a number of other versions of > System V that I've checked, there is a "stream pipe" device > driver (sp) and a single node in the file system (/dev/spx) which > is a clone device interface to it. HOWEVER, there is NO MAN PAGE > which describes how to use the danged thing. Since this is about the 3rd or 4th time I've answered this question, I'll post my reply this time instead of emailing it. A few disclaimers first, though: (a) nothing I say is the official opinion of AT&T, etc.; (b) none of this will be relevant in SVR4, which has real stream pipes; (c) it's possible that /dev/spx will even go away in SVR4 -- I just don't know; (d) there's some chance that making this facility available will open up security holes -- more on that later. When you open /dev/spx, two things happen. First, /dev/spx is supposed to be configured to point to the clone driver; thus, each open of it gets an unused channel. Second, each such channel is a *half-pipe* -- it just has a path down into the kernel; it's not tied to anything else. The two halves are linked together via the I_FDINSERT ioctl(), one of the more baroque (not to say downright bizarre) operators available. At that point, you have a fully-functional stream pipe. This whole process is usually encapsulated into a single routine spipe(), of course. And in fact, it's already been done for you -- there's an spipe() routine in one of the RFS libraries -- libns.a last time I checked. There are weirder things you can do, too. For example, if you're running as root, you can use fstat() and mknod() to create a named version of the particular channel you're using, providing you with a stream version of a FIFO. If you observe a careful protocol with I_SENDFD and I_RECVFD, you can implement a channel-per-connection. I discussed some of these things in my paper on the tty session manager at the summer '88 (San Francisco) Usenix; see it for details. Now the security warning... Since /dev/spx was a special-purpose feature put in to support RFS, and was not intended for use by ordinary users, /dev/spx is not normally world-accessible. (I don't remember if it was 644 or 600, but since at least one half has to be opened for write that doesn't matter much.) As far as I know, no one -- including me -- has done any analysis to see if RFS security is compromised by this. For that matter, I won't warrant that the driver is robust against weird things being written to it, or against odd failure modes. It is quite conceivable that malicious users can use it to crash the system. --Steve Bellovin smb@ulysses.att.com