• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Getting uid of connected user from daemon (possibly using kernel?)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Getting uid of connected user from daemon (possibly using kernel?)

  • Subject: Re: Getting uid of connected user from daemon (possibly using kernel?)
  • From: Michael Smith <email@hidden>
  • Date: Tue, 20 May 2008 19:12:41 -0700

On May 20, 2008, at 3:55 AM, Platon Fomichev wrote:

I have a rather interesting but imho trivial task to accomplish, yet I can't find the solution. I have a daemon running as root that listens to user's request using Unix domain sockets. That daemon will receive requests from local client application belonging to different users (i.e. multi-user config). It is possible that hacker software will try to emulate the requests so I absolutely can't rely on any protocol - I need a clear answer from the system who's knocking on the daemon door (listening socket). On Windows I use RPC and impersonation and although I am not a Window guy - I might say this works pretty well. On Linux I use credential passing through socket using sendmsg/recvmsg (which is unfortunately not supported by OS X :((( ). So what can I do in OS X - I looked at all possible levels, starting from Kernel and ending with Cocoa and I can't find any suitable mechanism that can help my daemon. A possible but cumbersome solution is System V shared memory as it holds uid of connected user..

Knowing the UID of the process on the other end of a socket does not protect you against "hacker software trying to emulate the requests", as said "hacker software" will probably be running with the same UID as your legitimate clients.

The only reason to want to know the credential of the process at the other end of an RPC is when you are doing work on their behalf, when you want to assume their identity in order to have a third party (e.g. the kernel) make an authorisation decision based on that information.

What you might want is a mediated attestation of the identity of the *software* running at the other end of the pipe. This is not a feature that is currently offered by MacOS X.

 = Mike

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden




  • Follow-Ups:

      

    • Re: Getting uid of connected user from daemon (possibly using	kernel?)

      • From: Platon Fomichev <email@hidden>
      • 

    • Re: Getting uid of connected user from daemon (possibly using	kernel?)

      • From: Michael Smith <email@hidden>
      • 





References: 


 >Getting uid of connected user from daemon (possibly using kernel?) (From: Platon Fomichev <email@hidden>)






    

  • Prev by Date:
Re: Asynchronous sock_sendmbuf

    • 

  • Next by Date:
Re: Asynchronous sock_sendmbuf

    • 

  • Previous by thread:
Getting uid of connected user from daemon (possibly using kernel?)

    • 

  • Next by thread:
Re: Getting uid of connected user from daemon (possibly using	kernel?)

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •