Thor Lancelot Simon wrote:
> On Fri, Dec 22, 2006 at 12:47:12AM +0100, Christian Biere wrote:
> > You could use socketpair() with AF_LOCAL instead which would allow checking
> > credentials.
 
> Yes, you could, but why?
 
> This would be a very valuable thing to do for a long-running daemon with
> a well-known AF_LOCAL address: it could check the credentials of other
> programs that messaged it with password-check requests, and service them
> only if the uid were right.  But for a program that's directly executed
> by the client, the ruid is already available, and the pipe cannot be
> hijacked by any other program; so why check socket credentials?

It limits how the helper can be (ab)used. In case of a configuration/permission
error, it might otherwise be possible to retrieve the account of another account.
Consider sudo or the like.

Albeit I'd like to restrict this even more. Isn't it possible to verify
which executable invoked the helper?

-- 
Christian