authenticating users for the control socket
martin f krafft
madduck at debian.org
Tue Jun 12 08:29:13 UTC 2007
also sprach Jeremie Koenig <jk at jk.fr.eu.org> [2007.06.12.0326 +0100]:
> Hello,
Good day!
> I just had a quick look at the unix(7) manpage. I may be
> misunderstanding something (I've never had an occasion to use Unix
> sockets), but I am under the impression that you could use the
> SO_PASSCRED/SCM_CREDENTIALS stuff to authenticate the client.
> I don't know how hard it is to do that from Python code.
I will read up on this.
I also had a thought yesterday: for AF_INET sockets, you can get the
peer's IP address from the socket object once a client connected, so
I thought the same should work for AF_UNIX sockets: getpeername()
should return the PID of the connecting process. Unfortunately, it
does not, but an empty string. What a shame.
> Incidentally, if I understand correctly, relying on file permission to
> control access to the socket is not safe across operating systems.
> I guess using Linux-only stuff and making the compilation fail on other
> kernels would be a feature rather than a bug in this case :-)
I don't want to be Linux-specific, so I'll take down this note.
Thanks.
Any other ideas?
--
.''`. martin f. krafft <madduck at debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
someday we'll find it
the rainbow connection
the lovers, the dreamers,
and me!
-- kermit
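
The SO_PASSCRED/SCM_CREDENTIALS mechanism from unix(7) raised in this thread, as an added Python example (not code from the thread or from netconf). It is Linux-only, and the helper names `enable_passcred`, `recv_with_creds` and `handle_command` are hypothetical.

```python
import os
import socket
import struct

# struct ucred from unix(7): pid_t pid; uid_t uid; gid_t gid (Linux layout).
UCRED = struct.Struct("iII")


def enable_passcred(sock):
    """Ask the kernel to attach the sender's credentials to every message
    received on this socket. Must be set before the peer sends."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)


def recv_with_creds(sock, bufsize=4096):
    """Receive one message and return (data, creds), where creds is a
    (pid, uid, gid) tuple filled in by the kernel, or None if absent."""
    data, ancdata, flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    if flags & socket.MSG_CTRUNC:
        return data, None  # control data was truncated: do not trust it
    for level, ctype, cdata in ancdata:
        if (level == socket.SOL_SOCKET
                and ctype == socket.SCM_CREDENTIALS
                and len(cdata) >= UCRED.size):
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def handle_command(sock, allowed_uids):
    """Return the command only if the sender's uid is allowed; fail closed
    when credentials are missing or the uid is not on the list."""
    data, creds = recv_with_creds(sock)
    if creds is None or creds[1] not in allowed_uids:
        return None
    return data


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for the daemon's control socket.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        enable_passcred(server)
        client.sendall(b"status")
        print(handle_command(server, {os.geteuid()}))
```

The credentials come from the kernel rather than from the client's payload, so an unprivileged client cannot claim another user's uid; getpeername() is not needed for this.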