Re: [gamin] socket credentials patch for NetBSD

On Wed, Aug 31, 2005 at 06:35:10PM +0000, Johnny C. Lam wrote:
> I've made some changes to the gamin sources that will correctly
> determine socket credentials and deal with differences in the sysctl
> MIBs available on NetBSD and FreeBSD.  When the changes are applied
> to gamin-0.1.5, Linux, NetBSD and FreeBSD all passed the test scenarios.
> The attached patch is relative to anoncvs.gnome.org gamin HEAD as of
> 2005-08-31.
> 
> I've modified slightly the authentication procedure so that instead
> of sending a NUL byte through the socket to prime the credentials
> check, the client and server send their PIDs through the socket.  The
> reason for this is that on NetBSD, the peer PID information isn't
> available, though the UID and GID are, so we simply read the peer's
> PID from the socket instead.  This doesn't affect Linux and FreeBSD,
> which both still determine the peer's PID by pulling the information
> from their respective socket credentials structures.  I understand
> that this does slightly weaken the security of gamin on NetBSD as the
> PID may be spoofed by another process, but at least the attack vector
> is still restricted to those processes with the same uid/gid.  However,
> this does at least allow gamin to work on NetBSD.
> 
> Please let me know if these changes might be committed.

  Changing the protocol on NetBSD where it doesn't work currently is fine,
but breaking the protocol API without added value (the pid, gid are trivially
spoofable so this doesn't add any security on Linux at least, while making
the code paths more complex) is not IMHO acceptable. I prefer to keep
the Linux and FreeBSD code as-is, still send a nul byte around and keep
the compatibility, it's information we can't trust anyway. The problem
of changing the API is that if you upgrade, kill the server or restart any
client then there is a protocol mismatch. Having a special protocol for
OSes lacking secure local socket infrastructure is a workaround, I'm okay
with this but not with generalizing the case.
   So could you rewrite the patch to keep the existing code as-is for Linux
and FreeBSD, basically all changes in your patch should be conditional code
to your platform. I prefer making the code a bit less readable but keep
the protocol as-is where it works, then the patch will be fine.

   Sorry for nitpicking :-)

  thanks,

Daniel

-- 
Daniel Veillard      | Red Hat Desktop team http://redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
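The handshake the thread argues over, as an added example that is not gamin's own code: on Linux the client still sends the NUL byte and the server asks the kernel for the peer's uid/gid/pid via SO_PEERCRED; every other platform is routed through the NetBSD-style path here, where getpeereid() supplies uid/gid from the kernel and the PID is read off the wire, recorded, and marked untrusted. FreeBSD's separate SCM_CREDS path is left out, and the authorisation gate only ever compares the kernel-supplied uid.

```c
#define _GNU_SOURCE /* struct ucred on glibc */
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
/* Peer identity; pid_trusted is false when the PID merely came off the wire. */
struct peer_creds { uid_t uid; gid_t gid; pid_t pid; bool pid_trusted; };

/* Client: Linux keeps the protocol's NUL byte, the fallback sends its own PID. */
int send_priming(int fd)
{
#if defined(__linux__)
    char nul = '\0';
    return write(fd, &nul, 1) == 1 ? 0 : -1;
#else
    pid_t self = getpid();
    return write(fd, &self, sizeof self) == (ssize_t)sizeof self ? 0 : -1;
#endif
}

/* Server: consume the priming message, then ask the kernel who the peer is. */
int get_peer_creds(int fd, struct peer_creds *out)
{
    memset(out, 0, sizeof *out);
#if defined(__linux__)
    struct ucred uc; socklen_t len = sizeof uc; char nul;
    if (read(fd, &nul, 1) != 1 || nul != '\0') return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) != 0) return -1;
    out->uid = uc.uid; out->gid = uc.gid; out->pid = uc.pid;
    out->pid_trusted = true;
#else
    /* getpeereid() (BSDs) is kernel-supplied; the PID is only what the peer claims. */
    if (getpeereid(fd, &out->uid, &out->gid) != 0) return -1;
    if (read(fd, &out->pid, sizeof out->pid) != (ssize_t)sizeof out->pid) return -1;
    out->pid_trusted = false;
#endif
    return 0;
}

/* The only gate gamin needs: same uid. The PID is never used as a gate. */
bool peer_allowed(const struct peer_creds *c) { return c->uid == getuid(); }

/* Round trip over a socketpair: the server end must see the process's own identity. */
bool handshake_self_check(void)
{
    int sv[2]; struct peer_creds pc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return false;
    bool ok = send_priming(sv[0]) == 0 && get_peer_creds(sv[1], &pc) == 0 &&
              peer_allowed(&pc) && pc.gid == getgid() && pc.pid == getpid();
    close(sv[0]); close(sv[1]);
    return ok;
}
```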