On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> used on Linux (only) to read the peer PID, UID and GID from clients
> connected over a Unix domain socket. This can be used in the
> preconnect phase to add additional filtering.
>
> One use for this is to add an extra layer of authentication for local
> connections. A subsequent commit will enhance the now misnamed
> nbdkit-ip-filter to allow filtering on these extra fields.
>
> It appears as if it would be possible to implement this for FreeBSD
> too (see comment in code).
> ---
> docs/nbdkit-plugin.pod | 47 +++++++++++++++--
> include/nbdkit-common.h | 3 ++
> server/nbdkit.syms | 3 ++
> server/public.c | 108 ++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 156 insertions(+), 5 deletions(-)
>
> +=head2 C<nbdkit_peer_pid>
> +
> +(nbdkit E<ge> 1.24)
> +
> + int nbdkit_peer_pid (void);
> +
> +Return the peer process ID. This is only available when the client
> +connected over a Unix domain socket, and only works for Linux.
> +
> +On success this returns the peer process ID. On error,
> +C<nbdkit_error> is called and this call returns C<-1>.
Is int always going to be sufficient? Or are there platforms with
64-bit pid_t? Mingw is an interesting beast; I've seen conflicting
stories on whether 64-bit Windows has 32- or 64-bit pids (the spawn APIs
manage 64-bit handles, but other Windows APIs return 32-bit int), so
64-bit pid_t on mingw does seem to be a real concern.
IIUC, POSIX says pid_t is a signed integer, but doesn't specify the
size. Thus libvirt exposed pid_t as "signed long long" in our APIs
to be future-proof.
> +
> +=head2 C<nbdkit_peer_uid>
> +
> +(nbdkit E<ge> 1.24)
> +
> + int nbdkit_peer_uid (void);
> +
> +Return the peer user ID. This is only available when the client
> +connected over a Unix domain socket, and only works for Linux.
> +
> +On success this returns the user ID. On error, C<nbdkit_error> is
> +called and this call returns C<-1>.
> +
> +=head2 C<nbdkit_peer_gid>
> +
> +(nbdkit E<ge> 1.24)
> +
> + int nbdkit_peer_gid (void);
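Review bot: both C<nbdkit_peer_uid> and C<nbdkit_peer_gid> document C<-1> as the error return while returning C<int>, but uid_t and gid_t are usually unsigned and C<(uid_t)-1> / C<(gid_t)-1> are the conventional "no such id" values, so a plugin cannot tell a genuine error from a peer whose id converts to C<-1>, and ids above C<INT_MAX> cannot be represented at all. Either widen the return type (or return the id through an out-parameter and keep C<int> for the status), or state in both descriptions which id values are representable and what happens when the peer's id is not.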
int for these two is probably fine.
IIUC, gid_t/uid_t don't have their signedness specified by POSIX, nor
their size, but you're required to cast negative values, e.g.

  gid_t foo = (gid_t)-1;

Based on this, libvirt chose to expose them as "unsigned long long" to
maximise future proofing.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|