Re: Change to root uid
- Subject: Re: Change to root uid
- From: Matthew Jaffa <email@hidden>
- Date: Tue, 15 Feb 2005 12:26:33 -0700
Carl,
in the structure you are defining set this:
AFctl_reg.ctl_flags = 0;
That will allow any application to communicate through this
system socket without it being a privileged application.
Matt
On Feb 15, 2005, at 8:23 AM, Carl Smith wrote:
Thanks for the reply Peter. Yes I guess I was too general in my description.

What I am trying to accomplish is to have my NKE sending packet statistics to a userland/client application. Seeing as how I want this userland application to be accessible by whoever signs on to the Mac, I do not want to limit the ability of my userland application to talk to my NKE.

I register my NKE as follows:
"
#include <sys/kern_control.h>

struct kern_ctl_reg AFctl_reg;
bzero(&AFctl_reg, sizeof(AFctl_reg));

AFctl_reg.ctl_id = AFMAC_KERN_ID;
AFctl_reg.ctl_unit = 0;
AFctl_reg.ctl_flags = CTL_FLAG_PRIVILEGED; /* only privileged (root) processes may connect */
AFctl_reg.ctl_sendsize = 0;
AFctl_reg.ctl_recvsize = 0;
AFctl_reg.ctl_connect = AFKernConnect;
AFctl_reg.ctl_disconnect = AFKernDisconnect;
AFctl_reg.ctl_write = AFClientKernXWrite;
AFctl_reg.ctl_set = NULL;
AFctl_reg.ctl_get = AFKernGet;

static kern_ctl_ref ctlref = 0; /* Reference of the kernel controller */
int nReturn;
nReturn = ctl_register(&AFctl_reg, 0, &ctlref);
"

Then in user land I make the connection to the NKE as follows:

"
#include <sys/socket.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <strings.h>
#include <errno.h>

u_int32_t unit = 0;
int fd;
int result = 1;
struct sockaddr_ctl addr;
bzero(&addr, sizeof(addr));
addr.sc_len = sizeof(addr);
addr.sc_family = AF_SYSTEM;
addr.ss_sysaddr = AF_SYS_CONTROL;
addr.sc_id = AFMAC_KERN_ID; // unique registered creator ID
addr.sc_unit = unit;

fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);

if (fd >= 0) /* socket() returns -1 on failure, so test the sign rather than truthiness */
{
    result = connect(fd, (struct sockaddr*)&addr, sizeof(struct sockaddr_ctl));

... and so on
}"

My socket routine works fine but I am failing on the connect with errno = 1 or EPERM.

My understanding is that with the unit value set in both the NKE and the client this is setting the ownership to root.

You said there are various mechanisms for the client to communicate with the NKE; maybe I am not using the correct mechanism or I am setting some value incorrectly. Do you see anything in error?

I was basically following the example in the "About Network Kernel Extensions" material.

Thanks
Carl


-----Original Message-----
From: Peter
Sent: Monday, February 14, 2005 7:17 PM
To: Carl
Cc: email@hidden
Subject: Re: Change to root uid


On Feb 14, 2005, at 6:35 PM, Carl Smith wrote:

> I have a NKE and a client that I want to talk to each other. If the client
> app is run at some user’s, that might not be root, I still want my
> client/NKE to talk with each other, but it is my understanding that
> NKE’s need to be set with root user options only. In this case I need
> to set the uid to root within my client application.
>
> Is this possible and if so could you point me in the right direction
> as to what api’s I need to be using?

The ownership/permissions of the nke need to be root/0755 for security
reasons but that doesn't mean that it "runs" as root. It runs in the
kernel and any user can talk to it, using various mechanisms. It's up
to you to make sure that the uid and/or application which talk to your
nke are suitable and appropriate for what you want to do.

Your client application does not need to be suid root, nor should you
(for usual activity) restrict your nke to a connection which can only
be made by someone logged in as root.

You haven't given us enough information to provide much more help than
this. The best thing would be to describe a bit more of what you're
trying to do.

Regards.....Peter

p.s. remember also that nke interfaces are subject to change, and Apple
presently discourages some of this development precisely because of the
version-to-version compatibility issues
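As an added example (not code from this thread or from XNU), a small C model of the admission check the thread turns on: the kernel refuses connect() with EPERM when the control was registered with CTL_FLAG_PRIVILEGED and the caller is not root, and with ctl_flags = 0 that check disappears, so the NKE's own ctl_connect callback becomes the only gate, which is Peter's point about making sure the callers are appropriate. The struct layouts, the max_units field, nke_connect_policy, connect_as and the non-EPERM errno values are the model's own assumptions.

```c
#include <errno.h>
#include <stdint.h>

/* From <sys/kern_control.h>: the flag that makes the kernel reject
 * connect() from any process whose effective uid is not 0. */
#define CTL_FLAG_PRIVILEGED 0x1

/* Hypothetical model of the kern_ctl_reg fields the thread sets. */
struct ctl_model {
    uint32_t ctl_id;     /* AFMAC_KERN_ID in the thread */
    uint32_t ctl_flags;  /* CTL_FLAG_PRIVILEGED or 0 */
    uint32_t max_units;  /* hypothetical: units the NKE serves */
};

/* Hypothetical model of the client's sockaddr_ctl plus its euid. */
struct client_model {
    uint32_t euid;
    uint32_t sc_id;
    uint32_t sc_unit;
};

/* Hypothetical NKE-side ctl_connect policy. Once the control is no longer
 * privileged this is the only place the NKE can refuse a caller; here it
 * rejects units it does not serve, and a real stats-only NKE would also
 * refuse or ignore writes from unprivileged clients. */
static int nke_connect_policy(const struct ctl_model *ctl,
                              const struct client_model *cl)
{
    if (cl->sc_unit >= ctl->max_units)
        return EINVAL;
    return 0;
}

/* Model of the check applied before the NKE's ctl_connect runs.
 * Returns 0 on success, otherwise the errno the client's connect() sees. */
int model_ctl_connect(const struct ctl_model *ctl, const struct client_model *cl)
{
    if (cl->sc_id != ctl->ctl_id)
        return ENOENT;   /* model's choice: no control registered under that id */
    if ((ctl->ctl_flags & CTL_FLAG_PRIVILEGED) && cl->euid != 0)
        return EPERM;    /* Carl's symptom: errno 1 for a non-root client */
    return nke_connect_policy(ctl, cl);
}

/* Convenience wrapper: register with the given flags, then connect as euid. */
int connect_as(uint32_t ctl_flags, uint32_t euid, uint32_t unit)
{
    struct ctl_model ctl = { 0xAF000001u /* constructed id */, ctl_flags, 1 };
    struct client_model cl = { euid, 0xAF000001u, unit };
    return model_ctl_connect(&ctl, &cl);
}
```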
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden