Thor Lancelot Simon wrote:
> On Fri, Dec 22, 2006 at 12:47:12AM +0100, Christian Biere wrote:
> > You could use socketpair() with AF_LOCAL instead which would allow checking
> > credentials.
> Yes, you could, but why?
> This would be a very valuable thing to do for a long-running daemon with
> a well-known AF_LOCAL address: it could check the credentials of other
> programs that messaged it with password-check requests, and service them
> only if the uid were right. But for a program that's directly executed
> by the client, the ruid is already available, and the pipe cannot be
> hijacked by any other program; so why check socket credentials?
It limits how the helper can be (ab)used. In case of a configuration/permission
error, it might otherwise be possible to retrieve the account of another account.
Consider sudo or the like.

Albeit I'd like to restrict this even more. Isn't it possible to verify
which executable invoked the helper?
--
Christian
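The check both posters are discussing, as an added example that is not code from either of them or from any project: a helper holds one end of an AF_LOCAL socketpair(), asks the kernel for the peer's credentials (SO_PEERCRED on Linux, getpeereid() on the BSDs and macOS), and services the request only if the peer's uid is the one it was told to serve. The demo runs both ends in one process, so the peer uid is simply the caller's own uid; the "CHECK user1" request and the helper names are constructed for the example.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on glibc */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Fetch the uid/gid of the process on the other end of an AF_LOCAL socket.
 * Linux exposes them via SO_PEERCRED; BSDs and macOS via getpeereid().
 * Returns 0 on success, -1 (errno set) on failure. */
static int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#ifdef SO_PEERCRED
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#else
    return getpeereid(fd, uid, gid);
#endif
}

/* Helper-side policy: serve the request only if the peer runs as the uid
 * this helper is allowed to answer for.  Returns 1 = allowed, 0 = refused.
 * A lookup failure is treated as a refusal (fail closed). */
int peer_is_allowed(int fd, uid_t allowed_uid)
{
    uid_t uid;
    gid_t gid;
    if (peer_credentials(fd, &uid, &gid) < 0) {
        fprintf(stderr, "peer credential lookup failed: %s\n", strerror(errno));
        return 0;
    }
    return uid == allowed_uid;
}

/* Demonstration: client end and helper end of one socketpair() in the same
 * process.  The helper accepts a request from the matching uid and refuses
 * one when told to serve a different uid.  Returns 1 if both hold. */
int demo_socketpair_check(void)
{
    int sv[2];
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 0;
    }
    int client = sv[0], helper = sv[1];
    uid_t me = getuid();

    /* constructed request: the client asks for a password check */
    const char req[] = "CHECK user1";
    if (write(client, req, sizeof req) != (ssize_t)sizeof req) {
        close(client);
        close(helper);
        return 0;
    }
    char buf[64];
    ssize_t n = read(helper, buf, sizeof buf);

    int accepted = n > 0 && peer_is_allowed(helper, me);
    int refused  = !peer_is_allowed(helper, me + 1);   /* some other uid */

    close(client);
    close(helper);
    return accepted && refused;
}

int main(void)
{
    printf("socketpair credential check: %s\n",
           demo_socketpair_check() ? "ok" : "FAILED");
    return 0;
}
```

On Linux the SO_PEERCRED values are the peer's credentials as of socketpair()/connect(), so a uid check is stable. The same structure also carries the peer's pid, which is what one would need to answer the question about the invoking executable (e.g. via /proc/<pid>/exe), but a pid can be reused or the peer can exec() after connecting, so an executable check built on it is racy; the uid comparison above is the part that can be relied on.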