Page MenuHomeFreeBSD
Files F147286827

D9298.id24530.diff
No OneTemporary
Actions

D9298.id24530.diff
View Options

Index: lib/libc/sys/recv.2
===================================================================
--- lib/libc/sys/recv.2
+++ lib/libc/sys/recv.2
@@ -266,57 +266,10 @@
.Fn accept
system call.
.Pp
-Open file descriptors are now passed as ancillary data for
+With
.Dv AF_UNIX
-domain sockets, with
-.Fa cmsg_level
-set to
-.Dv SOL_SOCKET
-and
-.Fa cmsg_type
-set to
-.Dv SCM_RIGHTS .
-The close-on-exec flag on received descriptors is set according to the
-.Dv MSG_CMSG_CLOEXEC
-flag passed to
-.Fn recvmsg .
-.Pp
-Process credentials can also be passed as ancillary data for
-.Dv AF_UNIX
-domain sockets using a
-.Fa cmsg_type
-of
-.Dv SCM_CREDS .
-In this case,
-.Fa cmsg_data
-should be a structure of type
-.Fa cmsgcred ,
-which is defined in
-.In sys/socket.h
-as follows:
-.Bd -literal
-struct cmsgcred {
- pid_t cmcred_pid; /* PID of sending process */
- uid_t cmcred_uid; /* real UID of sending process */
- uid_t cmcred_euid; /* effective UID of sending process */
- gid_t cmcred_gid; /* real GID of sending process */
- short cmcred_ngroups; /* number or groups */
- gid_t cmcred_groups[CMGROUP_MAX]; /* groups */
-};
-.Ed
-.Pp
-If a sender supplies ancillary data with enough space for the above struct
-tagged as
-.Dv SCM_CREDS
-control message type to the
-.Fn sendmsg
-system call, then kernel will fill in the credential information of the
-sending process and deliver it to the receiver.
-Since receiver usually has no control over a sender, this method of retrieving
-credential information isn't reliable.
-For reliable retrieval of remote side credentials it is advised to use the
-.Dv LOCAL_CREDS
-socket option on the receiving socket.
+domain sockets, ancillary data can be used to pass file descriptors and
+process credentials.
See
.Xr unix 4
for details.
Index: share/man/man4/unix.4
===================================================================
--- share/man/man4/unix.4
+++ share/man/man4/unix.4
@@ -119,12 +119,12 @@
or
.Xr sendto 2
must be writable.
-.Sh PASSING FILE DESCRIPTORS
+.Sh CONTROL MESSAGES
The
.Ux Ns -domain
sockets support the communication of
.Ux
-file descriptors through the use of the
+file descriptors and process credentials through the use of the
.Va msg_control
field in the
.Fa msg
@@ -132,13 +132,12 @@
.Xr sendmsg 2
and
.Xr recvmsg 2 .
-.Pp
-Any valid descriptor may be sent in a message.
-The file descriptor(s) to be passed are described using a
+The items to be passed are described using a
.Vt "struct cmsghdr"
that is defined in the include file
.In sys/socket.h .
-The type of the message is
+.Pp
+To send file descriptors, the type of the message is
.Dv SCM_RIGHTS ,
and the data portion of the messages is an array of integers
representing the file descriptors to be passed.
@@ -161,6 +160,39 @@
Descriptors that are awaiting delivery, or that are
purposely not received, are automatically closed by the system
when the destination socket is closed.
+.Pp
+Credentials of the sending process can be transmitted explicitly using a
+control message of type
+.Dv SCM_CREDS
+with a data portion of type
+.Vt "struct cmsgcred" ,
+defined in
+.In sys/socket.h
+as follows:
+.Bd -literal
+struct cmsgcred {
+ pid_t cmcred_pid; /* PID of sending process */
+ uid_t cmcred_uid; /* real UID of sending process */
+ uid_t cmcred_euid; /* effective UID of sending process */
+ gid_t cmcred_gid; /* real GID of sending process */
+ short cmcred_ngroups; /* number of groups */
+ gid_t cmcred_groups[CMGROUP_MAX]; /* groups */
+};
+.Ed
+.Pp
+The sender should pass a zeroed buffer which will be filled in by the system.
+.Pp
+The group list is truncated to at most
+.Dv CMGROUP_MAX
+GIDs.
+.Pp
+The process ID
+.Fa cmcred_pid
+should not be looked up (such as via the
+.Dv KERN_PROC_PID
+sysctl) for making security decisions.
+The sending process could have exited and its process ID already been
+reused for a new process.
.Sh SOCKET OPTIONS
.Tn UNIX
domain sockets support a number of socket options which can be set with
@@ -176,7 +208,13 @@
.Dv SOCK_STREAM
socket.
This option provides a mechanism for the receiver to
-receive the credentials of the process as a
+receive the credentials of the process calling
+.Xr write 2 ,
+.Xr send 2 ,
+.Xr sendto 2
+or
+.Xr sendmsg 2
+as a
.Xr recvmsg 2
control message.
The
@@ -201,6 +239,10 @@
};
.Ed
.Pp
+The current implementation truncates the group list to at most
+.Dv CMGROUP_MAX
+groups.
+.Pp
The
.Fn SOCKCREDSIZE
macro computes the size of the
@@ -221,7 +263,28 @@
and
.Dv SOCK_SEQPACKET
sockets credentials are passed only on the first read from a socket,
-then system clears the option on socket.
+then the system clears the option on the socket.
+.Pp
+This option and the above explicit
+.Vt "struct cmsgcred"
+both use the same value
+.Dv SCM_CREDS
+but incompatible control messages.
+If this option is enabled and the sender attached a
+.Dv SCM_CREDS
+control message with a
+.Vt "struct cmsgcred" ,
+it will be discarded and a
+.Vt "struct sockcred"
+will be included.
+.Pp
+Many setuid programs will
+.Xr write 2
+data at least partially controlled by the invoker,
+such as error messages.
+Therefore, a message accompanied by a particular
+.Fa sc_euid
+value should not be trusted as being from that user.
.It Dv LOCAL_CONNWAIT
Used with
.Dv SOCK_STREAM

File Metadata

Mime Type
text/plain
Expires
Tue, Mar 10, 5:08 PM (16 h, 54 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
29452265
Default Alt Text
D9298.id24530.diff (5 KB)

Event Timeline