getpeercred() on the Hurd

>
> Hello list (I'm not subscribed so please keep me in Cc).
>
> I'm the maintainer of nss-ldapd. I saw that the package was recently
> built for GNU Hurd. I haven't tested the package on Hurd but there is
> one (not very critical) thing that shows up while compiling.
>
> What is the best way on the Hurd to get information about
> clients that connect through a named socket?
>
> I currently use this code:
> http://arthurenhella.demon.nl/viewcvs/nss-ldapd/nss-ldapd/compat/getpeercred.c?view=markup
> which works on a number of platforms but uses the fallthrough code at
> the end on the Hurd.
> http://buildd.debian-ports.org/fetch.php?pkg=nss-ldapd&arch=hurd-i386&ver=0.6.3&stamp=1213622648&file=log&as=raw

> > One question you should consider is: why do you need this information?
> [...]
>
> I agree with your point in general and think there are better ways to
> do access control.
>
> nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS
> module does not do the lookup itself (this causes a lot of headaches) but
> offloads it to a deamon (nslcd). Most NSS calls should be no problem but
> shadow calls pose an exception to that. The server (nslcd) will only
> return shadow information if it can determine that the caller runs as
> root.
>
> So I would like to keep one socket for all requests and not mess with
> permissions of sockets.

>
> At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> Arthur de Jong wrote:
> > > One question you should consider is: why do you need this information?
> > [...]
> >
> > I agree with your point in general and think there are better ways to
> > do access control.
> >
> > nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS
> > module does not do the lookup itself (this causes a lot of headaches) but
> > offloads it to a deamon (nslcd). Most NSS calls should be no problem but
> > shadow calls pose an exception to that. The server (nslcd) will only
> > return shadow information if it can determine that the caller runs as
> > root.
> >
> > So I would like to keep one socket for all requests and not mess with
> > permissions of sockets.
>
> Sounds broken.  Good luck.

> At Wed, 18 Jun 2008 12:41:48 +0200,
> Neal H. Walfield wrote:
> >
> > At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> > Arthur de Jong wrote:
> > > > One question you should consider is: why do you need this information?
> > > [...]
> > >
> > > I agree with your point in general and think there are better ways to
> > > do access control.
> > >
> > > nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS
> > > module does not do the lookup itself (this causes a lot of headaches) but
> > > offloads it to a deamon (nslcd). Most NSS calls should be no problem but
> > > shadow calls pose an exception to that. The server (nslcd) will only
> > > return shadow information if it can determine that the caller runs as
> > > root.
> > >
> > > So I would like to keep one socket for all requests and not mess with
> > > permissions of sockets.
> >
> > Sounds broken.  Good luck.
>
> That wasn't very helpful.  If you are dead set on using IBAC, you
> could use the auth protocol to establish the identify of the client.
> The interface is described in auth/auth.defs .

> Neal H. Walfield, le Wed 18 Jun 2008 13:43:41 +0200, a écrit :
> > At Wed, 18 Jun 2008 12:41:48 +0200,
> > Neal H. Walfield wrote:
> > >
> > > At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> > > Arthur de Jong wrote:
> > > > > One question you should consider is: why do you need this information?
> > > > [...]
> > > >
> > > > I agree with your point in general and think there are better ways to
> > > > do access control.
> > > >
> > > > nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS
> > > > module does not do the lookup itself (this causes a lot of headaches) but
> > > > offloads it to a deamon (nslcd). Most NSS calls should be no problem but
> > > > shadow calls pose an exception to that. The server (nslcd) will only
> > > > return shadow information if it can determine that the caller runs as
> > > > root.
> > > >
> > > > So I would like to keep one socket for all requests and not mess with
> > > > permissions of sockets.
> > >
> > > Sounds broken.  Good luck.
> >
> > That wasn't very helpful.  If you are dead set on using IBAC, you
> > could use the auth protocol to establish the identify of the client.
> > The interface is described in auth/auth.defs .
>
> Well, I guess he doesn't have a running Hurd system.
>
> Actually I guess we could easily add SO_PASSCRED to pflocal sockets, by
> using auth_user_authenticate/auth_server_authenticate indeed.