[illumos-Developer] Integrating identd

Andrew Gabriel illumos at cucumber.demon.co.uk
Mon Apr 4 09:25:22 PDT 2011


River Tarnell wrote:
> Andrew Gabriel:
>> River Tarnell wrote:
>>> For zones, I think when running in a local zone it should only
>>> return connections associated with that zone (and return ESRCH for
>>> other connections).  In the global zone, perhaps a flag could be
>>> used to select whether to return only connection from the global
>>> zone (which identd would use), or connections from any zone (which
>>> might be useful for other processes).
>  
>> The protocol does not include any provision for asking about other
>> IP addresses AFAICS, so I can't see any way in which it could ask
>> about connections in another zone (global, or non-global).
>  
>> Your proposed syscall is not so constrained though, and you are
>> maybe worrying about limiting access to a feature you didn't need to
>> add in the first place?
> 
> I'm not sure I understand...
> 
> If you mean that there's no need for a way to query addresses from other 
> zones, you're right, identd doesn't need that;

Yes.

> but perhaps something 
> else that calls this interface would find it useful.  Other bits of the 
> system have similar zone-aware interfaces (SO_ALLZONES being a similar 
> example).

Well, you're adding an API for which there are no consumers or use
cases and there are some extra security concerns. This part sounds
rather questionable.

I have no objections to adding identd, together with the syscall API
it actually needs to operate. (I don't subscribe to the view that just
because telnetd, rshd, identd, etc may not be the most secure things
in the world, no binaries for them should exist in a general purpose
OS.)

-- 
Andrew
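As an added illustration of the point made in this thread (not code from the thread, identd, or illumos): an RFC 1413 request carries only the server/client port pair, so an ident responder has nothing to key a cross-zone lookup on, and a connection owned by another zone can be answered with a plain NO-USER error. The connection table, the zone names and the mapping of the proposed ESRCH result onto NO-USER are assumptions made for the example.

```python
import re

# Constructed stand-in for the kernel connection lookup discussed above:
# (server_port, client_port) -> (owning zone, user). Hypothetical data.
CONNECTIONS = {
    (22, 51000): ("global", "alice"),
    (80, 51001): ("webzone", "www"),
}

# RFC 1413 request line: "<port-on-server> , <port-on-client>" and nothing else.
_REQ = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line: str):
    """Parse an ident request; return (server_port, client_port) or None.

    There is no field for an IP address, so a request cannot ask about
    connections terminating on another address (or another zone).
    """
    m = _REQ.match(line.rstrip("\r\n"))
    if not m:
        return None
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def respond(line: str, zone: str) -> str:
    """Build the ident response for a request handled inside `zone`.

    A malformed request gets INVALID-PORT. A connection that exists but
    belongs to a different zone is treated exactly like a nonexistent one
    (the ESRCH case proposed in the thread) and reported as NO-USER, so
    the responder never reveals users from other zones.
    """
    ports = parse_request(line)
    if ports is None:
        return f"{line.strip()} : ERROR : INVALID-PORT"
    sport, cport = ports
    entry = CONNECTIONS.get(ports)
    if entry is None or entry[0] != zone:
        return f"{sport} , {cport} : ERROR : NO-USER"
    return f"{sport} , {cport} : USERID : UNIX : {entry[1]}"
```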
