Santosh, Sounds like a good change to me. I can't imagine anyone relying on the current behavior, because they wouldn't be able to communicate over that socket anyway.
Care to submit a patch on Github?

On Wed, Feb 11, 2015 at 1:19 PM, <santosh_bidara...@dell.com> wrote:
> Hi Pieter and Jim,
>
> I got the trace of the client using the strace command to find out what is
> going on and below is the log. You can observe that connect is actually
> failing with the appropriate error "EACCES", however the ZMQ function continues
> without failure.
> Do you think it is a good idea to catch this error in the ZMQ lib and fail
> zmq_connect()?
>
> [pid 3574] socket(PF_LOCAL, SOCK_STREAM, 0) = 9
> [pid 3574] fcntl64(9, F_SETFD, FD_CLOEXEC) = 0
> [pid 3574] fcntl64(9, F_GETFL) = 0x2 (flags O_RDWR)
> [pid 3574] fcntl64(9, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> [pid 3574] connect(9, {sa_family=AF_LOCAL, sun_path="/var/run/ipcs/broker.ipc"}, 110) = -1 EACCES (Permission denied)
> [pid 3574] close(9) = 0
> [pid 3574] clock_gettime(CLOCK_MONOTONIC, {99606, 898670000}) = 0
> [pid 3574] read(6, "\1\0\0\0\0\0\0\0", 8) = 8
> [pid 3574] poll([{fd=6, events=POLLIN}], 1, 0) = 0 (Timeout)
> [pid 3574] clock_gettime(CLOCK_MONOTONIC, {99606, 903637000}) = 0
> [pid 3574] epoll_wait(7, <unfinished ...>
> [pid 3572] <... write resumed> ) = 8
> [pid 3572] write(8, "\1\0\0\0\0\0\0\0", 8) = 8
> [pid 3572] write(1, "dzmq_sync_ots_rcv_msg: Connected"..., 93dzmq_sync_ots_rcv_msg: Connected successfully to endpoint [ipc:///var/run/ipcs/broker.ipc]
>
> Thanks,
> Santosh
>
> -----Original Message-----
> From: zeromq-dev-boun...@lists.zeromq.org [mailto:zeromq-dev-boun...@lists.zeromq.org] On Behalf Of Pieter Hintjens
> Sent: Tuesday, February 10, 2015 3:06 PM
> To: ZeroMQ development list
> Subject: Re: [zeromq-dev] IPC path permissions
>
> It's been a while since this was discussed, and I'm not sure of the
> current state of master.
>
> You can use the ZMQ_IPC_FILTER_GID socket option. This is marked as
> "deprecated" and afair the GID, UID, and PID are sent via ZAP in case it's
> an IPC connection. However I've not tested that and vaguely recall that it
> never got implemented.
>
> -Pieter
>
> On Tue, Feb 10, 2015 at 9:55 PM, <santosh_bidara...@dell.com> wrote:
> > Pieter,
> >
> > We will be using the ZAP authentication framework for the external clients,
> > however in our case we also have internal clients that run with different
> > Unix based user and group ids. Hence we would like to detect and deny the
> > requests sent by the processes that do not belong to the Broker's group id.
> >
> > Thanks,
> > Santosh
> >
> > -----Original Message-----
> > From: zeromq-dev-boun...@lists.zeromq.org [mailto:zeromq-dev-boun...@lists.zeromq.org] On Behalf Of Pieter Hintjens
> > Sent: Tuesday, February 10, 2015 1:42 PM
> > To: ZeroMQ development list
> > Subject: Re: [zeromq-dev] IPC path permissions
> >
> > You can do real authentication, there is a framework for this, called
> > ZAP, and you can see how it works from ZeroMQ RFC 27,
> > http://rfc.zeromq.org/spec:27 and the various test cases like
> > tests/test_security_null.cpp. You can also see examples of a ZAP handler in
> > CZMQ's zauth class.
> >
> > On Tue, Feb 10, 2015 at 8:31 PM, <santosh_bidara...@dell.com> wrote:
> >> Thanks for the response Pieter. However our requirement is to fail when
> >> an unauthorized user tries to connect with the broker, so we would like to
> >> detect and deny an invalid user trying to connect.
> >>
> >> Thanks,
> >> Santosh
> >>
> >> -----Original Message-----
> >> From: zeromq-dev-boun...@lists.zeromq.org [mailto:zeromq-dev-boun...@lists.zeromq.org] On Behalf Of Pieter Hintjens
> >> Sent: Tuesday, February 10, 2015 12:40 PM
> >> To: ZeroMQ development list
> >> Subject: Re: [zeromq-dev] IPC path permissions
> >>
> >> If you are running on Linux I'd strongly advise using abstract IPC
> >> endpoints, which don't need special permissions. "ipc://@/somename".
> >>
> >> On Tue, Feb 10, 2015 at 7:07 PM, <santosh_bidara...@dell.com> wrote:
> >>> Hi All,
> >>>
> >>> I am trying to create broker based client-server apps by referring
> >>> to the ZMQ guide. I am unable to detect an IPC path permission error when
> >>> an invalid user tries to connect using zmq_connect().
> >>>
> >>> The following steps explain the test scenario in detail:
> >>>
> >>> 1. Create a ZMQ broker that stores its IPC socket in a directory
> >>> “/var/run/ipcs”
> >>>
> >>> a. The ZMQ broker runs with a specific user and group (ex: zuser and
> >>> zgroup respectively)
> >>>
> >>> b. “/var/run/ipcs” has permissions for all the users that belong to
> >>> “zgroup” (permissions = drwxrws---)
> >>>
> >>> c. IPC path example “ipc:///var/run/ipcs/broker.ipc” (permissions =
> >>> drwxrws---)
> >>>
> >>> 2. Create a service provider that listens to requests from the broker
> >>>
> >>> a. The service provider runs as a user “zservice” that belongs to “zgroup”
> >>>
> >>> 3. Create a client that connects to the ZMQ broker’s IPC path
> >>> “ipc:///var/run/ipcs/broker.ipc” and sends the requests
> >>>
> >>> a. If the client runs with a user that belongs to “zgroup”
> >>> everything works fine
> >>>
> >>> b. If the client runs with an invalid user such as “nobody” that does
> >>> not belong to “zgroup”, it does not return any error. In turn
> >>> zmq_connect() and zmq_send() return success and zmq_recv() waits
> >>> forever (ZMQ_REP socket).
> >>>
> >>> Can you please let me know how I can get an appropriate error such as
> >>> “Permission Denied” in case of an invalid user trying to connect to the
> >>> broker’s IPC?
> >>>
> >>> Thanks,
> >>>
> >>> Santosh Bidaralli
> >>>
> >>> _______________________________________________
> >>> zeromq-dev mailing list
> >>> zeromq-dev@lists.zeromq.org
> >>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
_______________________________________________ zeromq-dev mailing list zeromq-dev@lists.zeromq.org http://lists.zeromq.org/mailman/listinfo/zeromq-dev