[illumos-Developer] Integrating identd
River Tarnell
r.tarnell at IEEE.ORG
Sun Apr 3 17:50:15 PDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Garrett D'Amore:
> On Sun, 2011-04-03 at 17:28 -0400, Richard Lowe wrote:
> > On Sun, Apr 3, 2011 at 17:26, Garrett D'Amore <garrett at nexenta.com> wrote:
> > > You can't use getpeerucred() to do this work for you? What am I missing
> > > that you can't get from getpeerucred()?
> > You can only look at your own sockets with getpeerucred(), an identd
> > needs to see who owns the sockets of another process.
> So we'd have to adequately secure the permissions of this hypothetical
> new ucred_get_conn() system call, and make sure it was zone aware and
> zone safe. (With RBAC controls I guess.) It doesn't seem like a bad
> idea.
I don't have a strong opinion on how the security of this syscall should
work; perhaps it could be tied to net_observability (which allows
sniffing network traffic) or sys_ip_config.
For zones, I think when running in a local zone it should only return
connections associated with that zone (and return ESRCH for other
connections). In the global zone, perhaps a flag could be used to
> select whether to return only connections from the global zone (which
identd would use), or connections from any zone (which might be useful
for other processes).
- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iEYEARECAAYFAk2ZFccACgkQIXd7fCuc5vLwggCgg0YHrHQ/d6sUCVcQQX0x+Wv7
xEIAoKIZCslTxXmjGUXNiiVw9bCZRWpn
=wJLu
-----END PGP SIGNATURE-----
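The zone-scoping rule River sketches above (a local zone only sees its own connections and gets ESRCH for anything else; the global zone sees only its own connections unless a flag widens the view) can be made concrete as a small user-space model. The following is an added example, not code from the thread or from illumos: the connection table, the `ucred_get_conn_model()` function, the `CONN_ANYZONE` flag name, the `conn_query`/`conn_cred` structs and the modelling of the privilege check as a plain boolean (standing in for something like net_observability) are all assumptions made for illustration. The lookup key is the same four-tuple an identd has to resolve when it answers a query.

```c
/* Added example: a user-space model of the zone-scoping and privilege rules
 * proposed for the hypothetical ucred_get_conn() call.  Nothing here is
 * illumos code; the table, flag name and privilege check are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define GLOBAL_ZONEID 0      /* the illumos global zone has zone id 0 */
#define CONN_ANYZONE  0x1    /* hypothetical flag: let the global zone see all zones */

/* Constructed view of one established TCP connection as a kernel might hold it. */
struct conn_entry {
    const char *laddr; uint16_t lport;
    const char *raddr; uint16_t rport;
    int   zoneid;            /* zone that owns the socket */
    uid_t uid;               /* effective uid of the owning process */
    pid_t pid;
};

/* Constructed sample table: one global-zone connection, one in zone 3. */
static const struct conn_entry conn_table[] = {
    { "192.0.2.10", 22000, "198.51.100.5", 113, GLOBAL_ZONEID, 100,  4242 },
    { "192.0.2.11", 33000, "198.51.100.6", 443, 3,             1001, 9001 },
};

struct conn_query { const char *laddr; uint16_t lport; const char *raddr; uint16_t rport; };
struct conn_cred  { int zoneid; uid_t uid; pid_t pid; };

/* Model of the proposed call.  caller_zone is the zone of the calling process;
 * has_priv stands in for a privilege such as net_observability (an assumption).
 * Returns 0 on success, otherwise an errno value (EPERM or ESRCH). */
int ucred_get_conn_model(int caller_zone, int has_priv, int flags,
                         const struct conn_query *q, struct conn_cred *out)
{
    if (!has_priv)
        return EPERM;        /* inspecting other processes' sockets needs privilege */

    for (size_t i = 0; i < sizeof conn_table / sizeof conn_table[0]; i++) {
        const struct conn_entry *c = &conn_table[i];
        if (strcmp(c->laddr, q->laddr) != 0 || c->lport != q->lport ||
            strcmp(c->raddr, q->raddr) != 0 || c->rport != q->rport)
            continue;

        /* Zone scoping: a local zone only ever sees its own connections; the
         * global zone sees only its own unless CONN_ANYZONE was passed.
         * A foreign connection is reported as ESRCH, indistinguishable from
         * "no such connection", so the caller learns nothing about other zones. */
        if (c->zoneid != caller_zone &&
            !(caller_zone == GLOBAL_ZONEID && (flags & CONN_ANYZONE)))
            return ESRCH;

        out->zoneid = c->zoneid;
        out->uid    = c->uid;
        out->pid    = c->pid;
        return 0;
    }
    return ESRCH;            /* no matching connection at all */
}

int main(void)
{
    /* The four-tuple an identd would be asked about, taken from the table above. */
    struct conn_query q = { "192.0.2.11", 33000, "198.51.100.6", 443 };
    struct conn_cred  cred;

    int rc = ucred_get_conn_model(GLOBAL_ZONEID, 1, 0, &q, &cred);
    printf("global zone, no flag: rc=%d (%s)\n", rc, rc == ESRCH ? "ESRCH" : "ok");

    rc = ucred_get_conn_model(GLOBAL_ZONEID, 1, CONN_ANYZONE, &q, &cred);
    printf("global zone, CONN_ANYZONE: rc=%d uid=%ld pid=%ld zone=%d\n",
           rc, (long)cred.uid, (long)cred.pid, cred.zoneid);
    return 0;
}
```

The point of returning ESRCH rather than a distinct "wrong zone" error is that a local zone cannot use the call to probe whether a given four-tuple exists elsewhere on the host; only the global zone, and only with the explicit flag, gets the wider view.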