Hello, I would like to enquire about the possibility of adding an IP_PEERCRED socket option to ip(4) which would be similar to LOCAL_PEERCRED for unix(4).
Such an option, when requested via getsockopt(2) on a not-connectionless IP (v4 or v6) socket, would either:
- return the credentials of the remote side (as an xucred structure) in the case of a loopback (non-cross-jail) socket;
- fail (with EINVAL?).

The intended use-case of such a functionality would be for processes to provide services only to a given user, instead of the local host, while using IP sockets. For instance, an SSH client could use this feature to provide port forwards for a given user, instead of providing them to all users.

While bapt@ thought at first glance that it might be a good idea, neither of us knows whether it would be reasonable to implement. Any thoughts on this?

Best,
Nicolas

PS: Credit for this idea should go to David Madore (in CC), who blogged about it (in French): http://www.madore.org/~david/weblog/d.2014-10-16.2234.html
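As an added example (not part of the mail above, nor FreeBSD code), here is the existing unix(4) mechanism the proposal wants to mirror: querying a connected AF_UNIX socket's peer credentials and using them to serve only one uid. On FreeBSD this is getsockopt(2) with SOL_LOCAL/LOCAL_PEERCRED and struct xucred; the Linux branch uses the equivalent SO_PEERCRED/struct ucred so the example also runs there. The function names (peer_credentials, peer_is_allowed, the demo_ helpers) are this example's own, and the socketpair(2) stands in for a client that connected over a unix socket. It also shows the caveat the proposal's "fail with EINVAL" branch is about: on a socket with no peer credentials the query must be treated as a failure (Linux reports uid -1 rather than an error), and a service should deny in that case.

```c
/* Added example (not from the original mail): peer credentials on a connected
 * AF_UNIX stream socket, the LOCAL_PEERCRED mechanism that IP_PEERCRED would
 * mirror for loopback IP sockets. FreeBSD: LOCAL_PEERCRED + struct xucred.
 * Linux: SO_PEERCRED + struct ucred. Function names are this example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#if defined(__FreeBSD__)
#include <sys/ucred.h>   /* struct xucred, XUCRED_VERSION, LOCAL_PEERCRED */
#endif

/* Fill *uid/*gid with the effective credentials of the peer of fd.
 * Returns 0 on success, -1 with errno set when no peer credential exists
 * (not a connected AF_UNIX socket), which is the EINVAL failure mode the
 * proposal suggests for non-loopback IP sockets. */
int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__FreeBSD__)
    struct xucred xc;
    socklen_t len = sizeof(xc);
    if (getsockopt(fd, SOL_LOCAL, LOCAL_PEERCRED, &xc, &len) != 0)
        return -1;
    /* Length and version checks guard against a reply that is not an xucred. */
    if (len != sizeof(xc) || xc.cr_version != XUCRED_VERSION) {
        errno = EINVAL;
        return -1;
    }
    *uid = xc.cr_uid;
    *gid = xc.cr_groups[0];   /* cr_groups[0] is the effective gid */
    return 0;
#elif defined(__linux__)
    struct ucred uc;
    socklen_t len = sizeof(uc);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) != 0)
        return -1;
    /* Linux answers on any socket; without a peer it reports uid/gid -1. */
    if (len != sizeof(uc) || uc.uid == (uid_t)-1) {
        errno = EINVAL;
        return -1;
    }
    *uid = uc.uid;
    *gid = uc.gid;
    return 0;
#else
    (void)fd; (void)uid; (void)gid;
    errno = ENOSYS;
    return -1;
#endif
}

/* Policy check: serve the connection only if the peer runs as allowed_uid.
 * Returns 1 to allow, 0 to deny, -1 if credentials could not be obtained
 * (a service must treat -1 as deny, never as allow). */
int peer_is_allowed(int fd, uid_t allowed_uid)
{
    uid_t uid;
    gid_t gid;
    if (peer_credentials(fd, &uid, &gid) != 0)
        return -1;
    return uid == allowed_uid ? 1 : 0;
}

/* Demonstration: a socketpair() stands in for a client that connected over a
 * unix(4) socket; both ends belong to this process, so the peer uid equals
 * getuid() and any other uid must be denied. Returns 1 on the expected outcome. */
int demo_socketpair_check(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int same  = peer_is_allowed(sv[0], getuid());
    int other = peer_is_allowed(sv[0], getuid() + 1);   /* some other uid */
    close(sv[0]);
    close(sv[1]);
    return (same == 1 && other == 0) ? 1 : 0;
}

/* Demonstration of the failure mode: an unconnected TCP socket has no peer
 * credential, so the query must report failure. Returns 1 if it did,
 * 0 if it wrongly succeeded, -1 if the socket could not be created. */
int demo_tcp_socket_fails(void)
{
    uid_t uid;
    gid_t gid;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = peer_credentials(fd, &uid, &gid);
    close(fd);
    return rc == -1 ? 1 : 0;
}

int main(void)
{
    printf("socketpair peer check: %s\n", demo_socketpair_check() == 1 ? "ok" : "FAILED");
    printf("tcp socket has no peer cred: %s\n", demo_tcp_socket_fails() == 1 ? "ok" : "FAILED");
    return 0;
}
```

The point of the two demos together is the one the mail raises: with unix sockets the kernel can answer the "who is the peer" question, and a service restricted to one user needs both the positive answer (uid matches) and a hard deny whenever no credential is available.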