Subject: Re: SCM_RIGHTS broken?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 02/02/2005 09:24:27
On Tue, Feb 01, 2005 at 08:03:12PM -0500, der Mouse wrote:
> > and this begs the question whether it is allowable to have a second
> > cmsghdr with something else on the send call, rather than just extra
> > padding
>
> It's permitted per RFC3542 control-message formatting rules, but we
> have never permitted it for SCM_RIGHTS messages. The AF_LOCAL usrreq
> procedure, case PRU_SEND, starts with
>
> case PRU_SEND:
> /*
> * Note: unp_internalize() rejects any control message
> * other than SCM_RIGHTS, and only allows one. This
> * has the side-effect of preventing a caller from
> * forging SCM_CREDS.
> */
>
> While there is a misplaced "only", it's clear that the "just one cmsg"
> semantic is deliberate. The comment is at least five years old; it's
> present in my 1.4T kernel source, and I fuzzily remember something
> similar in the 4.3 source back when I was working with 4.3. Note that
> RFC3542 is not concerned with SCM_RIGHTS messages; it's all about IPv6.
> (Its effect on SCM_RIGHTS is purely because they both use the same
> ancillary-control-data socket interface - which has been a moderately
> long-standing annoyance of mine; in 1.4T, SCM_RIGHTS was handled in a
> way compatible with the old API, but soon after that, things silently
> changed, breaking existing code, when the SCM_RIGHTS code was made to
> use the CMSG_* macros.)
The comment dates from 1998, when credential passing was added. This
feature made it into 1.4. Here's the initial comment:
revision 1.30
date: 1998/01/07 22:57:09; author: thorpej; state: Exp; lines: +188 -3
Implement passing credentials as ancillary data on Unix domain sockets,
enabled with the LOCAL_CREDS socket option on the listener. Semantics are
similar to BSD/OS's:
- Creds are available with first data on SOCK_STREAM, and with every
datagram on SOCK_DGRAM.
- It is not possible to forge credentials.
Different in that:
- Different credential data structure (ours does not rely on the format
of internal kernel data structures, and does not pass the login name).
- We can pass creds and file descriptors at the same time (this does not
work in BSD/OS).
Luke Mewburn <lukem@netbsd.org> gets credit for inspiring me to implement
this. :-)
Take care,
Bill
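As an added example, not code from this thread, from der Mouse, or from the NetBSD kernel: a C program that passes a descriptor over an AF_LOCAL socketpair with a single SCM_RIGHTS control message built with the CMSG_* macros, and then attaches a second SOL_SOCKET control message to the same sendmsg() call to show the rejection that the unp_internalize() comment quoted above describes. That rejection is the mechanism that keeps a sender from supplying its own SCM_CREDS. The socketpair/pipe setup, the function names and the control-message type 0x7ff0 (assumed unused) are assumptions of the example; the EINVAL result was checked on Linux, whose __scm_send() also fails an unknown SOL_SOCKET type with EINVAL.

```c
#define _GNU_SOURCE 1            /* glibc: msghdr/socketpair visible under -std=c99 */
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Send one data byte plus fd in an SCM_RIGHTS cmsg.  If extra_type >= 0, a
 * second SOL_SOCKET cmsg of that type follows it.  Returns 0 or -errno. */
static int send_fd(int sock, int fd, int extra_type)
{
    union { struct cmsghdr hdr; char buf[2 * CMSG_SPACE(sizeof(int))]; } u;
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
        .msg_controllen = (extra_type >= 0 ? 2 : 1) * CMSG_SPACE(sizeof(int)) };
    struct cmsghdr *cm;
    int zero = 0;
    memset(&u, 0, sizeof u);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    if (extra_type >= 0) {
        if ((cm = CMSG_NXTHDR(&msg, cm)) == NULL)
            return -EINVAL;                  /* no room for a second header */
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = extra_type;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &zero, sizeof zero);
    }
    return sendmsg(sock, &msg, 0) < 0 ? -errno : 0;
}

/* Receive the byte and its descriptor; returns the new fd or -errno.  Anything
 * but exactly one SCM_RIGHTS cmsg carrying one int is treated as EPROTO. */
static int recv_fd(int sock)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm;
    int fd;
    memset(&u, 0, sizeof u);
    if (recvmsg(sock, &msg, 0) < 0)
        return -errno;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || (msg.msg_flags & MSG_CTRUNC) ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)) || CMSG_NXTHDR(&msg, cm) != NULL)
        return -EPROTO;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Pass a pipe's read end across a socketpair; 1 if the received fd is usable. */
static int demo_pass_fd(void)
{
    int sv[2], pfd[2], got, ok = 0;
    char c = 0;
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (pipe(pfd) == 0) {
        if (send_fd(sv[0], pfd[0], -1) == 0 && (got = recv_fd(sv[1])) >= 0) {
            ok = write(pfd[1], "Q", 1) == 1 && read(got, &c, 1) == 1 && c == 'Q';
            close(got);
        }
        close(pfd[0]); close(pfd[1]);
    }
    close(sv[0]); close(sv[1]);
    return ok;
}

/* SCM_RIGHTS followed by a second, unrecognised SOL_SOCKET cmsg.  Returns the
 * errno sendmsg() reported, 0 if the kernel accepted it, -1 on setup failure. */
static int demo_extra_cmsg_rejected(void)
{
    int sv[2], pfd[2], rc = -1;
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) == 0) {
        rc = -send_fd(sv[0], pfd[0], 0x7ff0 /* assumed-unused cmsg type */);
        close(pfd[0]); close(pfd[1]);
    }
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    int e = demo_extra_cmsg_rejected();
    printf("fd passing: %s\nsecond cmsg: %s\n", demo_pass_fd() ? "ok" : "FAILED",
           e > 0 ? strerror(e) : "accepted or setup failed");
    return 0;
}
```

Compile with `cc -Wall` and run; the first line should read "ok" and the second "Invalid argument". The second control message deliberately uses a type neither kernel internalizes, so the outcome is the same on both. Where the two differ is a second SCM_RIGHTS message, which NetBSD's one-cmsg rule refuses while Linux merges the descriptor lists, and a credentials message: NetBSD rejects any SCM_CREDS from the sender outright, whereas Linux accepts SCM_CREDENTIALS and checks the supplied pid/uid/gid against the sender's real credentials and capabilities.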