> On Tue, Dec 26, 2000 at 02:20:46AM +0100, Martin Blapp wrote:
> [snip]
> > Issues with the code:
> > 
> > 1.) NETBSD sets in svc_tcp.c some LOCAL_CREDS which we don't have in our
> > src/sys/kern/uipc_usrreq.c. They have a FLAG which - if set -
> > automatically sends the credentials on AF_UNIX sockets connections
> > if we do a recvmsg(). We have to implement this to have rpcbind properly
> > working. AF_UNIX socket operations are broken at the moment, but
> > with compatibility mode 'rpcbind -Li' rpcbind works.
> 
> We have something analogous ... look for SCM_CREDS.  It's a shame these
> aren't the same on both (Net|Free)BSD.

I'm responsible for implementing this feature. When I sat down to try
and make secure RPC work, I was unaware of the existence of the LOCAL_CREDS
feature that had been implemented in BSD/OS at about the same time. What
I wanted was a way to provide credentials for each *message* rather than
for each socket, since RPC is more or less message-based. I was also
concerned with avoiding problems that might arise if a client process
fork()ed while holding open a socket to which credential info had been
assigned. You obviously don't want the parent and the child process to
return the same credential info. Using the SCM_CREDS 'hack' was
a) expedient, as it only involved a minor change to the kernel and
b) it seemed to agree with the way RPC worked, i.e. each RPC needs
the credential info for authentication.

The reason you need the LOCAL_CREDS/SCM_CREDS stuff at all is that
keyserv needs to know the identity of the user that's talking to it. It
must not allow access to a user's Diffie-Hellman key pair to anyone other
than the user to whom it belongs (and, potentially, the superuser). The
problem is the original sockets API did not provide any way for this
authentication to be done. Many alternatives were discussed and rejected
because they were too complex or just plain didn't work. The notion
of using credentials was new in TI-RPC because STREAMS/TLI offers a
way to do it. In SunOS 4, there was instead a terrible kludge based
on the ugly and bletcherous keyenvoy program. I made keyenvoy work,
but it struck me that it had a potentially serious weakness: it depended
on the "only root can bind to port numbers less than 1024" property
of UNIX TCP/IP networking, and it distinguished local connections from
remote ones by comparing the origin IP address with 127.0.0.1. (Can
you say IP spoofing? I knew you could.)

Anyway, imagine my surprise when, after going to all the trouble of
thinking up the SCM_CREDS hack, making it work, and then patting myself
on the back for being clever, I opened up my brand new copy of _UNIX
Network Programming, 2nd Edition, Vol I_ and found that some fool at
BSDi had come up with the idea first. :) NetBSD uses the BSD/OS approach
rather than the FreeBSD approach. In theory, you could have both. I
still say the per-message credential mechanism works better with RPC,
but I'm just a crotchety old fart anyway.

Relatively speaking.

-Bill
