Re: [gamin] socket credentials: necessary?



At Tue, 7 Jun 2005 07:46:18 -0400,
Daniel Veillard wrote:
> 
> On Tue, Jun 07, 2005 at 12:39:48PM +0100, Neal H. Walfield wrote:
> > I tried to make my patch as conservative as possible: it fixes the
> > case where LOCAL_CRED is not supported by the underlying OS.
> 
>   I know. But if you want to use a patch based on capacity support from
> Mach, I would take it.

I don't think we need it.  As I tried to explain, the security
mechanisms offered by the file system are sufficient to implement the
desired security policy.  POSIX relies on ambient authority (i.e. when
you e.g. open a file you don't explicitly present a capability).  On
Unix-like systems, the kernel determines the authority by the caller
(i.e. the effective user id and group ids of the task).  On the Hurd,
the task is not necessarily the principal (this is particularly useful
with trusted compilers and interpreters): when opening a resource,
authority needs to be presented.  The implementation of the POSIX
personality on the Hurd effectively rewrites open() et al. to include
the authority.

> BTW I don't understand, I thought HURD used l4 now
> so I'm surprised to see Mach resurfacing (I worked with Mach-3.0 in the
> early nineties, I would not say I kept a good opinion of it).

We are migrating the Hurd from Mach to L4, yes.  That won't
significantly change the higher level Hurd API.  What needs to be done
is to flesh out the capability system on L4 as well as the physical
resource management (memory, CPU, I/O bandwidth).  Making applications
Hurd aware won't adversely affect this work or be affected by it.
Unfortunately, we have not abstracted the fs notification mechanism
thus the code that I have given you will need some tweaking for the
Hurd on L4.

> 
> > >   Your patch sounds acceptable to me but I'm not on one of the affected
> > > platforms, so I asked for a public check.
> > 
> > Linux and, I think, the various BSDs all support LOCAL_CRED.  Which
> > other platforms did you have in mind?
> 
>   I'm not exclusive, but inclusive. You're touching a default behaviour
> so those can't just be listed, examples coming to mind are the various AIXes,
> MacOS X, HP-UX for example.

This is the point I don't understand: the patch only fixes what
Gamin claims to already do, i.e. support systems without LOCAL_CRED.
If a system does not have LOCAL_CRED defined but does have the
cmsgcred structure then Gamin will not work on that system at all.

Thanks,
Neal
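
The message argues that file system permissions can enforce the same-user policy on systems without LOCAL_CRED. The following is an added illustration of that idea and is not part of the message or Gamin's code: a listening Unix socket placed in a directory only its owner can search, plus the check a client would make before connecting. The function names and the /tmp/fam-demo-XXXXXX path are hypothetical, and the approach assumes the OS enforces directory search permission on connect().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Server side: create a fresh directory that only our uid can search and
 * bind the listening socket inside it. Returns the fd, or -1 on error. */
int private_listen(char *dir, size_t len)
{
    struct sockaddr_un sa;
    int fd;

    snprintf(dir, len, "/tmp/fam-demo-XXXXXX");  /* hypothetical location */
    if (mkdtemp(dir) == NULL)                    /* created with mode 0700 */
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/socket", dir);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Client side, before connect(): accept the directory only if it is a real
 * directory (not a symlink), owned by us, with no group/other access. */
int dir_is_private(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) < 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char dir[64];
    int fd = private_listen(dir, sizeof dir);

    printf("listening: %s, private: %d\n", fd >= 0 ? "yes" : "no",
           fd >= 0 && dir_is_private(dir));
    return fd >= 0 ? 0 : 1;
}
```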


