Re: Extended SCM_RIGHTS for AF_UNIX sockets

Eric W. Biederman (
24 Jul 1996 18:00:32 -0500 (Malcolm Beattie) writes:

> We can now pass file descriptors down Unix domain sockets with
> an SCM_RIGHTS control messages in sendmsg() but can't easily
> tell for *certain* who sent them to us. [Guesses made via
> getpeername and stat are subject to minor attacks.]

First I don't have a clue what these minor attacks are.
But I would like to know what is wrong with using unix domain stream
sockets as capabilities? If simple solutions like getpeername don't
Authentication might be a little more difficult to write, but it would
be more portable. Working both on BSD, and probably SysV as well.
And with a little work on systems like mach :)

Unless you really want to be uptime about exactly which process you
are communicating with ( as authenticating file descriptors can be
passed on ). I suspect a capabilities based approach would be
cleaner. Of course if you want to start sending signals to the other
process this could be difficult.

The only reason I can imagine a need for a nicer set of operations is
if we start implementing STREAMS over sockets.

Just some random thoughts,