Subject: Re: SCM_RIGHTS broken?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 02/02/2005 09:24:27

On Tue, Feb 01, 2005 at 08:03:12PM -0500, der Mouse wrote:
> > and this begs the question whether it is allowable to have a second
> > cmsghdr with something else on the send call, rather than just extra
> > padding
>
> It's permitted per RFC3542 control-message formatting rules, but we
> have never permitted it for SCM_RIGHTS messages.  The AF_LOCAL usrreq
> procedure, case PRU_SEND, starts with
>
>         case PRU_SEND:
>                 /*
>                  * Note: unp_internalize() rejects any control message
>                  * other than SCM_RIGHTS, and only allows one.  This
>                  * has the side-effect of preventing a caller from
>                  * forging SCM_CREDS.
>                  */
>
> While there is a misplaced "only", it's clear that the "just one cmsg"
> semantic is deliberate.  The comment is at least five years old; it's
> present in my 1.4T kernel source, and I fuzzily remember something
> similar in the 4.3 source back when I was working with 4.3.  Note that
> RFC3542 is not concerned with SCM_RIGHTS messages; it's all about IPv6.
> (Its effect on SCM_RIGHTS is purely because they both use the same
> ancillary-control-data socket interface - which has been a moderately
> long-standing annoyance of mine; in 1.4T, SCM_RIGHTS was handled in a
> way compatible with the old API, but soon after that, things silently
> changed, breaking existing code, when the SCM_RIGHTS code was made to
> use the CMSG_* macros.)

The comment dates from 1998, when credential passing was added. This
feature made it into 1.4. Here's the initial comment:

revision 1.30
date: 1998/01/07 22:57:09;  author: thorpej;  state: Exp;  lines: +188 -3
Implement passing credentials as ancillary data on Unix domain sockets,
enabled with the LOCAL_CREDS socket option on the listener.  Semantics are
similar to BSD/OS's:
- Creds are available with first data on SOCK_STREAM, and with every datagram
  on SOCK_DGRAM.
- It is not possible to forge credentials.

Different in that:
- Different credential data structure (ours does not rely on the format
  of internal kernel data structures, and does not pass the login name).
- We can pass creds and file descriptors at the same time (this does not
  work in BSD/OS).

Luke Mewburn <lukem@netbsd.org> gets credit for inspiring me to implement
this.  :-)

Take care,

Bill
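The "just one SCM_RIGHTS cmsg" rule quoted above, modelled in user-space C as an added example (this is not the NetBSD kernel's unp_internalize() and not code from this thread). It assumes NetBSD's numeric value for SCM_CREDS when the host headers lack it, and uses fd 0 and a zeroed credentials payload as constructed stand-ins.

```c
/* Added example, not NetBSD kernel code: a user-space model of the rule in the
 * quoted unp_internalize() comment, written with the CMSG_* macros. */
#include <string.h>
#include <sys/socket.h>

#ifndef SCM_CREDS
#define SCM_CREDS 0x04 /* assumed NetBSD value; lets the example build elsewhere */
#endif

/* Return 1 only if the buffer holds exactly one cmsghdr and it is SOL_SOCKET/
 * SCM_RIGHTS. Any other cmsg (a second SCM_RIGHTS, an SCM_CREDS a caller might
 * try to forge, ...) makes the whole buffer fail, as the kernel rule does. */
int validate_rights_control(void *ctl, socklen_t ctllen)
{
    struct msghdr msg; struct cmsghdr *cm;
    int seen = 0;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = ctl;
    msg.msg_controllen = ctllen;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_len < CMSG_LEN(0)) /* truncated header */
            return 0;
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            return 0;
        seen++;
    }
    return seen == 1;
}

/* Constructed input: n_rights SCM_RIGHTS cmsgs (one fd each, fd 0 as a stand-in),
 * optionally followed by one SCM_CREDS cmsg. Returns the validator's verdict. */
int check_layout(int n_rights, int add_creds)
{
    union { struct cmsghdr hdr; unsigned char bytes[256]; } u; /* aligned */
    char creds[16] = {0}; /* dummy credentials payload */
    socklen_t used = 0;
    int fd = 0, i;
    memset(&u, 0, sizeof u);
    for (i = 0; i < n_rights + add_creds; i++) {
        struct cmsghdr *cm = (struct cmsghdr *)(u.bytes + used);
        int is_creds = i >= n_rights;
        size_t dlen = is_creds ? sizeof creds : sizeof fd;
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = is_creds ? SCM_CREDS : SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(dlen);
        memcpy(CMSG_DATA(cm), is_creds ? (void *)creds : (void *)&fd, dlen);
        used += CMSG_SPACE(dlen);
    }
    return validate_rights_control(u.bytes, used);
}
```

check_layout(1, 0) is the only layout the rule accepts; adding a second cmsg of either type, or sending no cmsg at all, is rejected.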
