Subject: kern/10798: getpeereid system call
To: None <gnats-bugs@gnats.netbsd.org>
From: None <web-netbsd@superscript.com>
List: netbsd-bugs
Date: 08/09/2000 12:21:30
>Number: 10798
>Category: kern
>Synopsis: getpeereid system call
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Aug 09 12:22:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: William E. Baxter
>Release: NetBSD 1.4.2, NetBSD-current 10 August 2000<NetBSD-current source date>
>Organization:
SuperScript
>Environment:
System: NetBSD kronos.superscript.com 1.4.2 NetBSD 1.4.2 (GENERIC) #7: Mon Aug 7 10:52:41 PDT 2000 root@kronos.superscript.com:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
A patch implementing a getpeereid() syscall in NetBSD
is available at
http://www.superscript.com/patches/netbsd-1-4-PATCH002.getpeereid
This patch was originally generated and tested
against netbsd-1.4.2, but evidently applies equally
well to -current as of today.
A local-domain server uses getpeereid() to obtain
credentials from clients. Credentials are passed
when the client calls connect() and do not require
that the client send any data.
Based on getpeereid() I implemented ucspi-ipc, a framework
for creating local-domain client/server programs. This
system allows a privileged server to act on behalf of
nonprivileged clients without setuid programs. Access
to services is easily configurable based on information
obtained via getpeereid. Clients pass credentials at
connect(), and therefore cannot consume connections
anonymously.
Links to background information, patches, and applications
appear on the ucspi-ipc home page at
http://www.superscript.com/ucspi-ipc/intro.html
I would like to see getpeereid() or sufficient basis for
it incorporated into future NetBSD releases so that we
can all use ucspi-ipc without the need for a kernel patch.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: