Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!elroy.jpl.nasa.gov!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: comp.unix.wizards
Subject: Re: Authenticating Unix Domain sockets.
Message-ID: <11243@jpl-devvax.JPL.NASA.GOV>
Date: 31 Jan 91 02:11:14 GMT
References: <1991Jan29.063539.2169@objy.com> <11225@jpl-devvax.JPL.NASA.GOV> <1991Jan30.213227.19055@shearson.com>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Organization: Jet Propulsion Laboratory, Pasadena, CA
Lines: 57

In article <1991Jan30.213227.19055@shearson.com> viktor@shearson.com (Viktor Dukhovni) writes:
: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
:
: >In article <1991Jan29.063539.2169@objy.com> peter@objy.com writes:
: >: What I would like is a guaranteed way of finding out the uid of a process
: >: that just connected to me using local (same machine) IPC.
:
: >What do you mean by "the" uid?  Given that the other end of a socket may
: >be open multiple times by multiple processes, there's no guarantee of
: >uniqueness.
:
: 	Actually this is wrong!  With a SOCK_STREAM socket,
: or using the "fromaddr" argument of recvfrom() the peer address
: can be examined using getpeername or directly respectively.
:
: 	Since UNIX sockets must be bound explicitly, and must not
: exist prior to creation, the effective user id of the remote process
: is the same as the owner of the remote socket in the file space.

Oh, come now.  This is comp.unix.wizards.  Surely you've heard of fork()
and setuid().  I can easily make your socket hooked to 10 processes, not
one of which has the uid of the socket in the file space.  One of the first
tricks in the book is to fork the client so that you have separate processes
reading and writing the socket.

And we're ignoring totally the possibility that the file you are stat()ing
may not be the file you thought you were stat()ing.  At a minimum, change
your code to use fstat().

On top of which, the file is owned by the process that creates it, which
is going to be the server, not the client.  No good for finding out who
just connected to you.

: Just
:
: 	struct sockaddr_un fromaddr;
: 	int len=sizeof(fromaddr);
: 	struct stat st;
: 	uid_t uid;
:
: 	bzero(&fromaddr,len);
:
: 	getpeername(s,(struct sockaddr *)&fromaddr,&len);
: 	if ( ((struct sockaddr *)&fromaddr)->sa_family != AF_UNIX ) {
: 		/* Bitch about impossible connection */
: 		exit(1);
: 	}
:
: 	stat( fromaddr.sun_path, &st );
: 	uid = st.st_uid;
:
: 	...
:
: 	Works for me.  Your mileage may vary.

It certainly does.

Larry