[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: getpeercred() on the Hurd

Neal H. Walfield, le Wed 18 Jun 2008 13:43:41 +0200, a écrit :
> At Wed, 18 Jun 2008 12:41:48 +0200,
> Neal H. Walfield wrote:
> > 
> > At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> > Arthur de Jong wrote:
> > > > One question you should consider is: why do you need this information?
> > > [...]
> > > 
> > > I agree with your point in general and think there are better ways to 
> > > do access control.
> > > 
> > > nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS 
> > > module does not do the lookup itself (this causes a lot of headaches) but 
> > > offloads it to a deamon (nslcd). Most NSS calls should be no problem but 
> > > shadow calls pose an exception to that. The server (nslcd) will only 
> > > return shadow information if it can determine that the caller runs as 
> > > root.
> > > 
> > > So I would like to keep one socket for all requests and not mess with 
> > > permissions of sockets.
> > 
> > Sounds broken.  Good luck.
> 
> That wasn't very helpful.  If you are dead set on using IBAC, you
> could use the auth protocol to establish the identify of the client.
> The interface is described in auth/auth.defs .

Well, I guess he doesn't have a running Hurd system.

Actually I guess we could easily add SO_PASSCRED to pflocal sockets, by
using auth_user_authenticate/auth_server_authenticate indeed.

Samuel
Reply to: