Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!tut.cis.ohio-state.edu!ucbvax!ulysses!ulysses.att.com!gsf
From: gsf@ulysses.att.com (Glenn S. Fowler)
Newsgroups: comp.unix.wizards
Subject: Re: Authenticating Unix Domain sockets.
Message-ID: <14238@ulysses.att.com>
Date: 30 Jan 91 14:57:41 GMT
References: <1991Jan29.063539.2169@objy.com> <11225@jpl-devvax.JPL.NASA.GOV>
Sender: netnews@ulysses.att.com
Organization: AT&T Bell Labs
Lines: 31

In article <11225@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>In article <1991Jan29.063539.2169@objy.com> peter@objy.com writes:
>: What I would like is a guaranteed way of finding out the uid of a process
>: that just connected to me using local (same machine) IPC.
>What do you mean by "the" uid? Given that the other end of a socket may
>be open multiple times by multiple processes, there's no guarantee of
>uniqueness.

accept() on a unix domain socket returns an fd to 1/2 of a unique r/w stream
of which the other 1/2 is returned by connect() (presumably in another proc),
so there are only two processes in question, the accept()-process A and the
connect()-process C

the problem is to authenticate the uid of C within A

you can set up a handshake where C must pass an fd that only the owner of the
corresponding file F could have opened -- A will then fstat(fd) and check it
against stat(F), along with checks verifying that only C could have opened F

the access rights array of send(2) and recv(2) is used to send fd's

I would also be interested in an ioctl() to get the uid of C from A

note that the streams ioctl I_RECVFD (the other side of I_SENDFD) provides
uid,gid authentication

Glenn Fowler		(908)-582-2195		AT&T Bell Laboratories, Murray Hill, NJ
uucp: {att,ucbvax}!ulysses!gsf		internet: gsf@ulysses.att.com
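The handshake Glenn describes, written out as an added example in C (not code from the post or from AT&T): C passes an fd for a file F that only F's owner could have opened, and A checks fstat(fd) against stat(F) plus F's permission bits. It assumes the modern SCM_RIGHTS control message (the successor of the send(2)/recv(2) access-rights array), and stands in for both processes with a socketpair() and a freshly created 0600 temp file as F.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
/* One-byte message whose control data carries exactly one fd via SCM_RIGHTS. */
struct fdmsg { struct msghdr m; struct iovec iov; char byte;
               union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } ctl; };
static struct cmsghdr *fdmsg_init(struct fdmsg *x) {
    memset(x, 0, sizeof *x);
    x->iov.iov_base = &x->byte; x->iov.iov_len = 1;
    x->m.msg_iov = &x->iov; x->m.msg_iovlen = 1;
    x->m.msg_control = &x->ctl; x->m.msg_controllen = sizeof x->ctl;
    return CMSG_FIRSTHDR(&x->m);
}
static int send_fd(int sock, int fd) {                     /* C's side */
    struct fdmsg x; struct cmsghdr *c = fdmsg_init(&x);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &x.m, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {                             /* A's side */
    struct fdmsg x; fdmsg_init(&x);
    if (recvmsg(sock, &x.m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&x.m);   /* re-read: kernel set controllen */
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}
/* A's check: the fd must be the very inode F names, and F must carry no group/other
 * bits, so only its owner (or root) could have opened it. Returns that uid or -1. */
long authenticate_peer(int fd, const char *path) {
    struct stat sf, sp;
    if (fstat(fd, &sf) < 0 || stat(path, &sp) < 0) return -1;
    if (sf.st_dev != sp.st_dev || sf.st_ino != sp.st_ino) return -1;
    if (!S_ISREG(sp.st_mode) || (sp.st_mode & 077)) return -1;
    return (long)sp.st_uid;
}
long demo_handshake(void) {      /* both ends over a socketpair() in one process */
    char path[] = "/tmp/authfdXXXXXX";      /* F: mkstemp() creates it mode 0600 */
    int sv[2], got, f = mkstemp(path); long uid = -1;
    if (f >= 0 && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (send_fd(sv[0], f) == 0 && (got = recv_fd(sv[1])) >= 0) {
            uid = authenticate_peer(got, path); close(got);
        }
        close(sv[0]); close(sv[1]);
    }
    if (f >= 0) { close(f); unlink(path); }
    return uid;
}
```

The ioctl Glenn wished for exists today on Linux as getsockopt(SO_PEERCRED), which hands A the connecting peer's pid, uid and gid directly.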