Hey, I'm not seeing much activity on this so here's my $0.02 > Unix socket automatically translates pid attached to SCM_CREDENTIALS. > This requires CAP_SYS_ADMIN for sending arbitrary pids and entering > into pid namespace, this expose process and could be insecure.
Perhaps it would be a good idea to add a sysctl switch that prevents credential spoofing over AF_UNIX \by default\ if that is the main concern, or is there another concern and I have read this wrong? I'm having trouble thinking of a legitimate use of SCM_CREDENTIALS spoofing that isn't in a debugging or troubleshooting context and would be more comfortable if it were not possible at all... Anyone know of a program that relies on this spoofing functionality? If you look at socket(7) under SO_PEERCRED there is a way to get credentials at time of connect() for an AF_UNIX SOCK_STREAM, or at time of socketpair() for a SOCK_DGRAM. I would like to think these credentials are reliable, but will probably require some extra daemon to proxy a dgram syslog socket.
