Subject: Re: suid helper to verify own passwd
To: Christian Biere <christianbiere@gmx.de>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 12/21/2006 20:00:29
On Fri, Dec 22, 2006 at 01:51:04AM +0100, Christian Biere wrote:
> Thor Lancelot Simon wrote:
> > On Fri, Dec 22, 2006 at 12:47:12AM +0100, Christian Biere wrote:
> > > You could use socketpair() with AF_LOCAL instead which would allow checking
> > > credentials.
>  
> > Yes, you could, but why?
>  
> > This would be a very valuable thing to do for a long-running daemon with
> > a well-known AF_LOCAL address: it could check the credentials of other
> > programs that messaged it with password-check requests, and service them
> > only if the uid were right.  But for a program that's directly executed
> > by the client, the ruid is already available, and the pipe cannot be
> > hijacked by any other program; so why check socket credentials?
> 
> It limits how the helper can be (ab)used.
> In case of a configuration/permission error, it might otherwise be
> possible to retrieve the account of another account.
> Consider sudo or the like.

Yes, and it might be possible for monkeys to fly out of my butt, but I
am asking for a specific example, not a vague sense of dread.

Can you actually propose a specific example where checking the ruid of
the helper executable would not help, but checking the socket credentials
would?  Because I have thought about this issue quite a bit, for many
years, and I can't.  Ultimately, both methods obtain the same information:
the effective user ID of the executable which itself forked and execed the
suid helper.  I just do not see why _how_ you check matters.

If you can provide a concrete example it would be very helpful to me in
understanding this better.

Thor
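As an added example (my own code, not from either poster), here are the two checks the thread compares side by side: the real uid of a directly executed set-uid helper, and the kernel-reported peer credential of an AF_LOCAL socketpair. The getsockopt options are the platform ones (SO_PEERCRED on Linux, LOCAL_PEEREID on NetBSD, LOCAL_PEERCRED on FreeBSD and macOS); every function name and the "only your own account" policy are assumptions for illustration.

```c
#define _GNU_SOURCE                 /* struct ucred on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#if defined(LOCAL_PEERCRED)
#include <sys/ucred.h>              /* struct xucred on FreeBSD/macOS */
#endif

/* Method 1 ("check the ruid"): the client fork()/exec()s the set-uid helper
 * directly, so the real uid of the helper is the calling user. */
uid_t caller_uid_from_exec(void) { return getuid(); }

/* Method 2 ("check socket credentials"): ask the kernel who owns the other
 * end of an AF_LOCAL socket. (uid_t)-1 means no usable option or an error. */
uid_t caller_uid_from_socket(int fd)
{
#if defined(SO_PEERCRED)                         /* Linux */
    struct ucred cr; socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return (uid_t)-1;
    return cr.uid;
#elif defined(LOCAL_PEEREID)                     /* NetBSD */
    struct unpcbid id; socklen_t len = sizeof id;
    if (getsockopt(fd, 0, LOCAL_PEEREID, &id, &len) < 0) return (uid_t)-1;
    return id.unp_euid;
#elif defined(LOCAL_PEERCRED)                    /* FreeBSD, macOS */
    struct xucred xc; socklen_t len = sizeof xc;
    if (getsockopt(fd, 0, LOCAL_PEERCRED, &xc, &len) < 0) return (uid_t)-1;
    return xc.cr_uid;
#else
    (void)fd; return (uid_t)-1;
#endif
}

/* Hypothetical helper policy that both methods feed: only verify the
 * password of the account belonging to whoever is asking. */
int request_allowed(uid_t caller, uid_t target) { return caller == target; }
/* Constructed check: build the socketpair a parent would hand to the helper
 * and compare the kernel's answer with the ruid. In-process both ends are
 * ours, so the peer uid is our own. 1 = agree, 0 = differ, -1 = no option. */
int same_uid_both_ways(void)
{
    int sv[2];
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) < 0) return -1;
    uid_t via_socket = caller_uid_from_socket(sv[0]);
    close(sv[0]); close(sv[1]);
    if (via_socket == (uid_t)-1) return -1;
    return via_socket == caller_uid_from_exec();
}
```

In the thread's scenario the parent creates the pair before fork()/exec(), so the peer the kernel reports is the parent, whose effective uid is exactly what becomes the helper's real uid; the demo above runs single-process, so both ends belong to the caller.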