Re: RFC: [PATCH] SCM_CREDS support 1(2)

[Samuel Thibault]

Svante Signell, le Wed 16 Oct 2013 09:50:27 +0200, a écrit :
> 
> On Wed, 2013-10-16 at 09:24 +0200, Samuel Thibault wrote:
> > Svante Signell, le Wed 16 Oct 2013 07:44:11 +0200, a écrit :
> > > What about being paranoid, and do the check on both the transmit _and_
> > > receive side?
> > 
> > There is no need for a check on the transmit side: the sender does know
> > for sure what he is.
> 
> As a motivation for having the check at the receive side, a malicious
> sender will not got through sendmsg then?

Of course. Anybody can emit their RPC by hand, without going through the
glibc code.

Also, you need to check that it works when the sender and the receiver
don't have the same uid/gid/etc., e.g. root sending to a normal user
(which is one of the most used cases).

> So let's be serious, which entries are part of the ancillary data to
> check: pid, auid, agid, euid, egid (not in scm_creds), cmcred_groups[]?

All of them. Everything that is provided in cmsgcred is supposed to have
been checked by the operating system as being correct.

> E.g. where to add the groups data, on the transmit or receive side?

Well, just like other fields: the transmit side should send it, and the
receive side should check them.  I don't see what poses problem.

Samuel