On Thu, Jan 25, 2024 at 5:38 PM Daniel P. Berrangé <berra...@redhat.com> wrote: > > +static void > > +qio_channel_socket_get_peerpid(QIOChannel *ioc, > > + unsigned int *pid, > > + Error **errp) > > +{ > > +#ifdef CONFIG_LINUX > > + QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc); > > + Error *err = NULL; > > + socklen_t len = sizeof(struct ucred); > > + > > + struct ucred cred; > > + if (getsockopt(sioc->fd, > > + SOL_SOCKET, SO_PEERCRED, > > + &cred, &len) == -1) { > > + error_setg_errno(&err, errno, "Unable to get peer credentials"); > > + error_propagate(errp, err); > > + } > > + *pid = (unsigned int)cred.pid; > > +#else > > + *pid = 0; > > Defaulting 'pid' to 0 is potentially unsafe, because to a caller it > now appears that the remote party is 'root' and thus implied to be > a privileged account.
This is a pid, so 0 cannot be confused; however, I agree that returning an error is better.

Paolo
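Review bot: in the CONFIG_LINUX branch, the getsockopt() failure path sets the error but does not return, so `*pid = (unsigned int)cred.pid;` still runs and reads an uninitialized `struct ucred`, handing the caller an indeterminate pid alongside the error. Return immediately after setting the error, and consider making the function return int (-1 on failure) so a caller that gates access on the peer pid cannot proceed with a stale value. The local `err` plus error_propagate() can collapse into a direct error_setg_errno(errp, ...). The same failure convention would serve the #else branch in place of `*pid = 0`.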