[illumos-Developer] Integrating identd

Garrett D'Amore garrett at nexenta.com
Sun Apr 3 18:22:06 PDT 2011


On Mon, 2011-04-04 at 01:50 +0100, River Tarnell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Garrett D'Amore:
> > On Sun, 2011-04-03 at 17:28 -0400, Richard Lowe wrote:
> > > On Sun, Apr 3, 2011 at 17:26, Garrett D'Amore <garrett at nexenta.com> wrote:
> > > > You can't use getpeerucred() to do this work for you?  What am I missing
> > > > that you can't get from getpeerucred()?
>  
> > > You can only look at your own sockets with getpeerucred(), an identd
> > > needs to see who owns the sockets of another process.
>  
> > So we'd have to adequately secure the permissions of this hypothetical
> > new ucred_get_conn() system call, and make sure it was zone aware and
> > zone safe.  (With RBAC controls I guess.)  It doesn't seem like a bad
> > idea.
> 
> I don't have a strong opinion on how the security of this syscall should 
> work; perhaps it could be tied to net_observability (which allows 
> sniffing network traffic) or sys_ip_config.

Actually, I think it might need its own.  This is actually worse in some
ways than snooping IP traffic, because it allows you to learn about
identities of users accessing network facilities on the system.

> 
> For zones, I think when running in a local zone it should only return 
> connections associated with that zone (and return ESRCH for other 
> connections).  In the global zone, perhaps a flag could be used to 
> select whether to return only connections from the global zone (which 
> identd would use), or connections from any zone (which might be useful 
> for other processes).

Generally agreed.

	- Garrett
> 
> 	- river.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (SunOS)
> 
> iEYEARECAAYFAk2ZFccACgkQIXd7fCuc5vLwggCgg0YHrHQ/d6sUCVcQQX0x+Wv7
> xEIAoKIZCslTxXmjGUXNiiVw9bCZRWpn
> =wJLu
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Developer mailing list
> Developer at lists.illumos.org
> http://lists.illumos.org/m/listinfo/developer
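As an added illustration (not code from the thread or from illumos), the following Python models the two things the exchange above turns on: the RFC 1413 ident request/reply format that an identd must speak, and the zone-scoping rule River proposes for the hypothetical ucred_get_conn() call (a local zone sees only its own connections and gets ESRCH otherwise; the global zone sees only its own unless an "any zone" flag is set). The connection table, the zone ids, and the `lookup_conn()` helper are constructed stand-ins for the kernel lookup; `ident_reply()` maps an ESRCH result to the protocol's `NO-USER` error so that connections outside the caller's zone are neither confirmed nor attributed.

```python
import errno
import re
from dataclasses import dataclass

GLOBAL_ZONE = 0  # constructed: zone id 0 stands in for the global zone


@dataclass(frozen=True)
class Conn:
    """One TCP connection as the kernel would see it (constructed)."""
    local_port: int   # port on this host (the "server" port in RFC 1413 terms)
    remote_port: int  # port on the peer
    uid: int          # owner of the socket
    zoneid: int       # zone the socket belongs to


# Constructed connection table standing in for the kernel's view of TCP
# connections; this is what a ucred_get_conn()-style call would consult.
CONNS = [
    Conn(6667, 54001, 1001, GLOBAL_ZONE),
    Conn(22, 54002, 1002, 7),
    Conn(6667, 54003, 1003, 7),
]


def lookup_conn(local_port, remote_port, caller_zone, any_zone=False):
    """Model of the zone rule from the thread (hypothetical, not a real API).

    Returns the owning uid, or raises OSError(ESRCH) when no matching
    connection is visible to the caller:
      - a local zone only sees its own connections;
      - the global zone sees its own, plus every zone's if any_zone is set.
    """
    for c in CONNS:
        if c.local_port == local_port and c.remote_port == remote_port:
            if c.zoneid == caller_zone:
                return c.uid
            if caller_zone == GLOBAL_ZONE and any_zone:
                return c.uid
            # Connection exists but belongs to another zone: indistinguishable
            # from "no such connection" to the caller.
            raise OSError(errno.ESRCH, "connection not visible from this zone")
    raise OSError(errno.ESRCH, "no such connection")


# RFC 1413 request: "<port-on-server> , <port-on-client>"
REQ = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def ident_reply(line, caller_zone, passwd, any_zone=False):
    """Build the RFC 1413 reply line for one request line.

    passwd maps uid -> user name (a constructed stand-in for getpwuid()).
    """
    m = REQ.match(line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    lp, rp = int(m.group(1)), int(m.group(2))
    if not (1 <= lp <= 65535 and 1 <= rp <= 65535):
        return f"{lp} , {rp} : ERROR : INVALID-PORT"
    try:
        uid = lookup_conn(lp, rp, caller_zone, any_zone)
    except OSError as e:
        if e.errno == errno.ESRCH:
            return f"{lp} , {rp} : ERROR : NO-USER"
        raise
    user = passwd.get(uid)
    if user is None:
        return f"{lp} , {rp} : ERROR : UNKNOWN-ERROR"
    return f"{lp} , {rp} : USERID : UNIX : {user}"


if __name__ == "__main__":
    users = {1001: "alice", 1002: "bob", 1003: "carol"}
    # identd in the global zone: only global-zone connections are answered
    print(ident_reply("6667, 54001", GLOBAL_ZONE, users))
    print(ident_reply("22, 54002", GLOBAL_ZONE, users))
    # a privileged global-zone observer that asked for every zone
    print(ident_reply("22, 54002", GLOBAL_ZONE, users, any_zone=True))
    # identd inside zone 7 sees only zone 7's sockets
    print(ident_reply("22, 54002", 7, users))
    print(ident_reply("6667, 54001", 7, users))
```

The point worth noting is that the zone check lives in the lookup, not in identd: whatever the daemon does with the answer, a connection in another zone simply does not exist from its point of view, which is the property the thread wants the syscall itself to enforce.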