Sorry Carl, that last message didn't go through. In order for any application, root or non-root, to talk with your system socket, replace this line:

    AFctl_reg.ctl_flags = CTL_FLAG_PRIVILEGED;

with this line:

    AFctl_reg.ctl_flags = 0;

That should work.

Matt

From: "Carl Smith" <CSmith@fortresstech.com>
To: <darwin-kernel@lists.apple.com>
Subject: Change to root uid
Date: Tue, 15 Feb 2005 10:23:14 -0500

Thanks for the reply Peter. Yes, I guess I was too general in my description. What I am trying to accomplish is to have my NKE sending packet statistics to a userland/client application. Seeing as how I want this userland application to be accessible by whoever signs on to the Mac, I do not want to limit the ability of my userland application to talk to my NKE.

I register my NKE as follows:

"
    #include <sys/kern_control.h>

    struct kern_ctl_reg AFctl_reg;
    bzero(&AFctl_reg, sizeof(AFctl_reg));
    AFctl_reg.ctl_id = AFMAC_KERN_ID;
    AFctl_reg.ctl_unit = 0;
    AFctl_reg.ctl_flags = CTL_FLAG_PRIVILEGED;
    AFctl_reg.ctl_sendsize = 0;
    AFctl_reg.ctl_recvsize = 0;
    AFctl_reg.ctl_connect = AFKernConnect;
    AFctl_reg.ctl_disconnect = AFKernDisconnect;
    AFctl_reg.ctl_write = AFClientKernXWrite;
    AFctl_reg.ctl_set = NULL;
    AFctl_reg.ctl_get = AFKernGet;
    static kern_ctl_ref ctlref = 0; /* Reference of the kernel controller */
    nReturn = ctl_register(&AFctl_reg, 0, &ctlref);
"

Then in user land I make the connection to the NKE as follows:

"
    #include <sys/socket.h>
    #include <sys/kern_control.h>
    #include <sys/sys_domain.h>
    #include <strings.h>

    u_int32_t unit = 0;
    int fd;
    int result = 1;
    struct sockaddr_ctl addr;

    fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);

    bzero(&addr, sizeof(addr));
    addr.sc_len = sizeof(addr);
    addr.sc_family = AF_SYSTEM;
    addr.ss_sysaddr = AF_SYS_CONTROL;
    addr.sc_id = AFMAC_KERN_ID;   /* unique registered creator ID */
    addr.sc_unit = unit;

    if (fd >= 0) {                /* socket() returns -1 on failure, not 0 */
        result = connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_ctl));
        ... and so on
    }
"

My socket routine works fine but I am failing on the connect with errno = 1 or EPERM. My understanding is that with the unit value set in both the NKE and the client, this is setting the ownership to root.

You said there are various mechanisms for the client to communicate with the NKE; maybe I am not using the correct mechanism or I am setting some value incorrectly. Do you see anything in error? I was basically following the example in the "About Network Kernel Extensions" material.

Thanks
Carl

-----Original Message-----
From: Peter
Sent: Monday, February 14, 2005 7:17 PM
To: Carl
Cc: darwin-kernel@lists.apple.com
Subject: Re: Change to root uid

On Feb 14, 2005, at 6:35 PM, Carl Smith wrote:

> I have an NKE and a client that I want to talk to each other. If the client app is run as some user that might not be root, I still want my client/NKE to talk with each other, but it is my understanding that NKEs need to be set with root user options only. In this case I need to set the uid to root within my client application.
>
> Is this possible, and if so could you point me in the right direction as to what APIs I need to be using?

The ownership/permissions of the nke need to be root/0755 for security reasons, but that doesn't mean that it "runs" as root. It runs in the kernel and any user can talk to it, using various mechanisms. It's up to you to make sure that the uid and/or application which talk to your nke are suitable and appropriate for what you want to do. Your client application does not need to be suid root, nor should you (for usual activity) restrict your nke to a connection which can only be made by someone logged in as root.

You haven't given us enough information to provide much more help than this. The best thing would be to describe a bit more of what you're trying to do.

Regards.....Peter

p.s. remember also that nke interfaces are subject to change, and Apple presently discourages some of this development precisely because of the version-to-version compatibility issues

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/mtjaffa%40msn.com
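Added example, not code from Carl, Matt, Peter or Apple: a userland client for a kernel control socket that builds the sockaddr_ctl with the field names spelled correctly, checks socket() for -1 rather than 0, and classifies a failing connect(). EPERM is what a non-root caller gets when the control was registered with CTL_FLAG_PRIVILEGED; registering with ctl_flags = 0, as Matt suggests, lets any local user connect, so the NKE's ctl_connect and ctl_write handlers then have to treat every client as untrusted (for exporting read-only packet statistics that is a reasonable trade). AFMAC_KERN_ID below is a hypothetical control id; the EADDRNOTAVAIL and EBUSY mappings come from my reading of xnu's ctl_connect, not from the thread; on non-Apple platforms the macOS constants and struct layout are reproduced locally (assumed to match the real headers) so the address-building and errno logic compiles and runs anywhere.

```c
/* Added example (not from the thread or Apple). Userland client for a kernel
 * control: build the sockaddr_ctl, connect, and explain a failed connect().
 * The #else branch copies the macOS definitions (assumption: matches the real
 * headers) so this also builds on other platforms for testing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifdef __APPLE__
#include <sys/kern_control.h>
#include <sys/sys_domain.h>
#else
#define AF_SYSTEM        32        /* assumption: macOS value */
#define PF_SYSTEM        AF_SYSTEM
#define AF_SYS_CONTROL   2
#define SYSPROTO_CONTROL 2
struct sockaddr_ctl {              /* assumption: same layout as macOS */
    uint8_t  sc_len;
    uint8_t  sc_family;
    uint16_t ss_sysaddr;
    uint32_t sc_id;
    uint32_t sc_unit;
    uint32_t sc_reserved[5];
};
#endif

#define AFMAC_KERN_ID 0x4146  /* hypothetical control id; a real NKE registers its own */

enum ctl_connect_outcome {
    CTL_CONNECTED,      /* connect() succeeded */
    CTL_PRIVILEGED,     /* EPERM: control has CTL_FLAG_PRIVILEGED and caller is not root */
    CTL_NOT_REGISTERED, /* EADDRNOTAVAIL: no control with this id/unit (my reading of xnu) */
    CTL_UNIT_BUSY,      /* EBUSY: another client already holds this unit (my reading of xnu) */
    CTL_OTHER_ERROR
};

/* Fill a control-socket address. Returns 0, or -1 for a NULL/invalid argument. */
int build_ctl_addr(struct sockaddr_ctl *addr, uint32_t id, uint32_t unit)
{
    if (addr == NULL || id == 0)    /* id 0 is never a registered control */
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sc_len     = sizeof(*addr);
    addr->sc_family  = AF_SYSTEM;   /* field is sc_family, not sc_Family */
    addr->ss_sysaddr = AF_SYS_CONTROL;
    addr->sc_id      = id;
    addr->sc_unit    = unit;
    return 0;
}

/* Map connect() errno to what it means for a kernel control. */
enum ctl_connect_outcome classify_connect_errno(int err)
{
    switch (err) {
    case 0:             return CTL_CONNECTED;
    case EPERM:         return CTL_PRIVILEGED;
    case EADDRNOTAVAIL: return CTL_NOT_REGISTERED;
    case EBUSY:         return CTL_UNIT_BUSY;
    default:            return CTL_OTHER_ERROR;
    }
}

/* Returns 1 when a built address carries exactly the expected fields. */
int ctl_addr_selfcheck(uint32_t id, uint32_t unit)
{
    struct sockaddr_ctl a;
    if (build_ctl_addr(&a, id, unit) != 0)
        return 0;
    return a.sc_len == sizeof(a) && a.sc_family == AF_SYSTEM &&
           a.ss_sysaddr == AF_SYS_CONTROL && a.sc_id == id && a.sc_unit == unit;
}

/* Open and connect a control socket; returns the fd, or -1 with *outcome set. */
int connect_ctl(uint32_t id, uint32_t unit, enum ctl_connect_outcome *outcome)
{
    struct sockaddr_ctl addr;
    int fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
    if (fd < 0) {                    /* socket() signals failure with -1, not 0 */
        *outcome = CTL_OTHER_ERROR;
        return -1;
    }
    if (build_ctl_addr(&addr, id, unit) != 0) {
        *outcome = CTL_OTHER_ERROR;
        close(fd);
        return -1;
    }
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        *outcome = classify_connect_errno(errno);
        close(fd);
        return -1;
    }
    *outcome = CTL_CONNECTED;
    return fd;
}

int main(void)
{
    enum ctl_connect_outcome outcome;
    int fd = connect_ctl(AFMAC_KERN_ID, 0, &outcome);
    if (fd >= 0) {
        printf("connected to control 0x%x unit 0\n", AFMAC_KERN_ID);
        close(fd);
        return 0;
    }
    if (outcome == CTL_PRIVILEGED)
        puts("EPERM: control is CTL_FLAG_PRIVILEGED; run as root or register it with ctl_flags = 0");
    else if (outcome == CTL_NOT_REGISTERED)
        puts("no control with that id/unit is registered (is the NKE loaded?)");
    else if (outcome == CTL_UNIT_BUSY)
        puts("unit already in use by another client");
    else
        puts("socket()/connect() failed for another reason");
    return 1;
}
```

On a Mac with the NKE loaded, running this as a non-root user prints the EPERM line while the control is still registered with CTL_FLAG_PRIVILEGED, and connects once it is registered with ctl_flags = 0; the address and errno helpers are the parts worth reusing, and they are what the checks below exercise.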
participants (1)
-
Matthew Jaffa