At Tue, 17 Jun 2008 22:49:16 +0200, Arthur de Jong wrote:
>
> Hello list (I'm not subscribed so please keep me in Cc).
>
> I'm the maintainer of nss-ldapd. I saw that the package was recently
> built for GNU Hurd. I haven't tested the package on Hurd but there is
> one (not very critical) thing that shows up while compiling.
>
> What is the best way on the Hurd to get information about
> clients that connect through a named socket?
>
> I currently use this code:
> http://arthurenhella.demon.nl/viewcvs/nss-ldapd/nss-ldapd/compat/getpeercred.c?view=markup
> which works on a number of platforms but uses the fallthrough code at
> the end on the Hurd.
> http://buildd.debian-ports.org/fetch.php?pkg=nss-ldapd&arch=hurd-i386&ver=0.6.3&stamp=1213622648&file=log&as=raw
One question you should consider is: why do you need this information?

Identity based access control (IBAC) is quite insecure relative to authorization based access control (ABAC). The idea behind ABAC is that if a subject has the "key" (in this case, if the subject has access to a file descriptor designating the unix domain socket), then it most likely got it through an authorization channel. Perhaps it was delegated as the program using it uses privilege separation. So the actor's identity does not matter and may inhibit such useful structuring.

On all modern Unixes that I know of, opening a unix domain socket respects the access bits on the file. Thus, the file descriptor should be sufficient proof that the caller has the right to use the object.

Neal
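The two options discussed in this thread, side by side, as an added example (not nss-ldapd's getpeercred.c): a peer-credential lookup in the shape of the compat code Arthur links to, including the platform branch that has no such interface and therefore falls through, which is exactly where the file-permission argument in the reply becomes the only check left. The function name `peer_credentials` and the socketpair self-test are assumptions made for the example.

```c
#define _GNU_SOURCE            /* struct ucred on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <errno.h>

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * Returns 0 and fills *uid/*gid where the platform exposes peer credentials.
 * Returns -1 with errno = ENOTSUP where it does not; that is the fall-through
 * branch the mail describes on the Hurd, and there the only authorization the
 * server still has is the one the reply points to: the client was able to
 * open the socket at all, so it passed the kernel's permission check on it. */
int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__)
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    *gid = cred.gid;
    return 0;
#elif defined(__FreeBSD__) || defined(__APPLE__) || defined(__OpenBSD__) || defined(__NetBSD__)
    return getpeereid(fd, uid, gid);
#else
    (void)fd; (void)uid; (void)gid;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Self-test helper (constructed): an AF_UNIX socketpair stands in for a
 * client/server connection, so the "peer" is this very process. Returns the
 * peer uid the kernel reports, or -1 on the platforms that cannot say. */
long demo_peer_uid(void)
{
    int sv[2];
    uid_t uid;
    gid_t gid;
    long result = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (peer_credentials(sv[0], &uid, &gid) == 0)
        result = (long)uid;
    close(sv[0]);
    close(sv[1]);
    return result;
}
```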