Subject: Re: Passing credentials as ancillary data
To: Luke Mewburn <email@example.com>
From: Jason Thorpe <firstname.lastname@example.org>
Date: 01/07/1998 10:06:22
On Wed, 07 Jan 1998 22:41:44 +1100
Luke Mewburn <email@example.com> wrote:
> > Yes the id's are all that the kernel check, but the login name can still be
> > useful - for logging if nothing else.
> yeah, i agree (where a setuid() has been done, but the logname is
> still the original user).
The reason the login name (and the supplemental group list, too) is not
included is that you then change the format of the data structure if
either MAXLOGNAME or NGROUPS is changed (there's also the problem of
having to pull in <sys/param.h> to build socket-using code, but that's
another issue :-).
If you want to get the string identity of the original user, use getpwuid()
with the real user id passed in the sockcred.
> > Also, I think something like this would be more useful if there were
> > provision for an opaque token of some reasonable length. I'm
> > thinking of when we are all trying to implement single sign-on and
> > wanting to pass digitally signed tokens about...
> that's what the rest of the space in the packet is for :-)
Well, that's really out of the scope of this interface. There are already
lots of interfaces for doing such a thing (i.e. regular Unix domain sockets :-)
Jason R. Thorpe firstname.lastname@example.org
NASA Ames Research Center Home: +1 408 866 1912
NAS: M/S 258-6 Work: +1 650 604 0935
Moffett Field, CA 94035 Pager: +1 415 428 6939