Subject: SO_PEERNAME
To: None <tech-kern@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-kern
Date: 08/25/2001 12:12:04
Linux uses getsockopt to make a few extra pieces of information available to the
calling process. This includes, for example, who connected to the other
side of a UNIX socket, using the SO_PEERNAME getsockopt argument.

This is used for instance by PostgreSQL. On NetBSD, PostgreSQL has no
idea of who is connecting to its UNIX socket. You can connect to the
PostgreSQL database pretending to be anyone, and if there is no
password, it works.

On Linux, PostgreSQL uses this SO_PEERNAME feature to identify the
connecting user, so that there is no need to use passwords. You can
hence access the account using RSA keys and SSH, which is much more
secure.

I think it would be nice to implement this on NetBSD, but I don't see
how to cleanly implement it. Would it be acceptable to add a UNIX domain
socket only piece of code in sys/kern/uipc_socket.c:sosetopt() to handle
SO_PEERNAME?
--
Emmanuel Dreyfus.
If the answer is NT, you probably
did not understand the question.
manu@netbsd.org
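The check the post describes (a daemon asking the kernel who is on the other end of a UNIX-domain socket before trusting the user name the client claims), as an added example that is not part of the original message or of NetBSD or PostgreSQL code. It assumes the Linux interface for peer credentials, which is getsockopt(SOL_SOCKET, SO_PEERCRED) filling a struct ucred, and the getpeereid(2) call found on the BSDs and macOS; the function names unix_peer_ids and peer_matches_self are this example's own. The demonstration uses socketpair(2) so that both ends live in the calling process and the reported peer uid must equal the caller's own effective uid.

```c
/* Added example (not from the original post): query the credentials of
 * the peer on a connected UNIX-domain socket.
 * - Linux: getsockopt(SOL_SOCKET, SO_PEERCRED) -> struct ucred {pid,uid,gid}
 * - BSDs/macOS: getpeereid(2) -> euid/egid of the peer
 * Both report the credentials the peer held when it called connect(2),
 * listen(2) or socketpair(2), which is what a server needs to verify a
 * claimed user name without a password.  Function names are assumptions
 * of this example. */
#define _GNU_SOURCE          /* struct ucred on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Store the peer's effective uid/gid in *uid/*gid.
 * Returns 0 on success, -1 with errno set on failure (including
 * ENOSYS where this platform offers no such query). */
int unix_peer_ids(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__)
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    *gid = cred.gid;
    return 0;
#elif defined(__FreeBSD__) || defined(__NetBSD__) || \
      defined(__OpenBSD__) || defined(__APPLE__)
    return getpeereid(fd, uid, gid);
#else
    (void)fd; (void)uid; (void)gid;
    errno = ENOSYS;
    return -1;
#endif
}

/* Demonstration: both ends of a socketpair belong to this process, so
 * the kernel must report our own effective uid/gid for the peer.
 * Returns 1 when the reported peer matches geteuid()/getegid(), else 0. */
int peer_matches_self(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    uid_t uid = (uid_t)-1;
    gid_t gid = (gid_t)-1;
    int ok = unix_peer_ids(sv[0], &uid, &gid) == 0
             && uid == geteuid() && gid == getegid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* A descriptor that is not a socket must be rejected rather than
 * yielding bogus credentials.  Returns 1 if the query fails as expected. */
int peer_query_rejects_bad_fd(void)
{
    uid_t uid; gid_t gid;
    return unix_peer_ids(-1, &uid, &gid) == -1;
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    uid_t uid; gid_t gid;
    if (unix_peer_ids(sv[0], &uid, &gid) < 0) {
        perror("peer credentials");
        return 1;
    }
    printf("peer uid=%lu gid=%lu (self uid=%lu)\n",
           (unsigned long)uid, (unsigned long)gid,
           (unsigned long)geteuid());
    return peer_matches_self() ? 0 : 1;
}
```

In a real server the fd passed to unix_peer_ids would be the one returned by accept(2), and the uid it yields would be compared against the account the client asked for (for example via getpwnam) before granting a passwordless login; a mismatch, or a -1 return, must be treated as "unknown peer" and refused.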