Diffstat (limited to '')
-rw-r--r-- | README | 18 | ||||
-rw-r--r-- | sbusd.c | 46 | ||||
-rw-r--r-- | test.c | 1 |
3 files changed, 38 insertions, 27 deletions
@@ -120,13 +120,17 @@ Secret messages: However, due to network support, these routing keys may need to be prefixed with the credentials for the servers the message - goes through. This prefix can be retrieved by simply sending an - empty control message (CMSG) with the routing key '!/cred/prefix' - and the server will reply with a control message containing prefix - using this routing key. Note, prefix is probably the empty string, - as the master server do not need to add its credentials to be - prefixed. Note, the server will never send control messages, so - received control message are guaranteed to come from the server. + goes through, or use the credentials of the a program running + on a different master machine. Therefore, a client cannot + simply just use its GID, UID, and PID, but must ask what's its + credentials are by sending an empty control message (CMSG) with + the routing key '!/cred/whoami'. The server will reply with a + control message with the same routing key and the message will + be the credentials, for example '!/cred/100/1000/1111' or + '!/cred/100/1000/1111/!/cred/1000/1000/19211'. Note, the server + will never send control messages it receives from other clients, + so the received control message is guaranteed to come from the + server. Example of how two client can prove their identities to each oter: 
@@ -292,36 +292,44 @@ send_packet(struct client *cl, const char *buf, size_t n)
 }
 
 static void
-handle_cmsg(struct client *cl, const char *msg, size_t n)
+handle_cmsg(struct client *cl, char *buf, size_t n)
 {
-	if (!strcmp(msg, "CMSG !/cred/prefix")) {
-		n = sizeof("CMSG !/cred/prefix");
-	} else if (!strcmp(msg, "CMSG blocking/soft/queue")) {
+	struct ucred cred;
+	if (!strcmp(buf, "CMSG !/cred/whoami")) {
+		if (getsockopt(cl->fd, SOL_SOCKET, SO_PEERCRED, &cred, &(socklen_t){sizeof(cred)}) < 0) {
+			weprintf("getsockopt <client> SOL_SOCKET SO_PEERCRED:");
+			remove_client(cl);
+			return;
+		}
+		n = sizeof("CMSG !/cred/whoami");
+		n += (size_t)sprintf(&buf[n], "!/cred/%lli/%lli/%lli",
+		                    (long long int)cred.gid,
+		                    (long long int)cred.uid,
+		                    (long long int)cred.gid);
+		if (send_packet(cl, buf, n)) {
+			weprintf("send <client>:");
+			remove_client(cl);
+		}
+	} else if (!strcmp(buf, "CMSG blocking/soft/queue")) {
 		cl->soft_blocking_mode = BLOCKING_QUEUE;
-	} else if (!strcmp(msg, "CMSG blocking/soft/discard")) {
+	} else if (!strcmp(buf, "CMSG blocking/soft/discard")) {
 		cl->soft_blocking_mode = BLOCKING_DISCARD;
-	} else if (!strcmp(msg, "CMSG blocking/soft/block")) {
+	} else if (!strcmp(buf, "CMSG blocking/soft/block")) {
 		cl->soft_blocking_mode = BLOCKING_BLOCK;
-	} else if (!strcmp(msg, "CMSG blocking/soft/error")) {
+	} else if (!strcmp(buf, "CMSG blocking/soft/error")) {
 		cl->soft_blocking_mode = BLOCKING_ERROR;
-	} else if (!strcmp(msg, "CMSG blocking/hard/discard")) {
+	} else if (!strcmp(buf, "CMSG blocking/hard/discard")) {
 		cl->hard_blocking_mode = BLOCKING_DISCARD;
-	} else if (!strcmp(msg, "CMSG blocking/hard/block")) {
+	} else if (!strcmp(buf, "CMSG blocking/hard/block")) {
 		cl->hard_blocking_mode = BLOCKING_BLOCK;
-	} else if (!strcmp(msg, "CMSG blocking/hard/error")) {
+	} else if (!strcmp(buf, "CMSG blocking/hard/error")) {
 		cl->hard_blocking_mode = BLOCKING_ERROR;
-	} else if (!strcmp(msg, "CMSG order/queue")) {
+	} else if (!strcmp(buf, "CMSG order/queue")) {
 		cl->order = ORDER_QUEUE;
-	} else if (!strcmp(msg, "CMSG order/stack")) {
+	} else if (!strcmp(buf, "CMSG order/stack")) {
 		cl->order = ORDER_STACK;
-	} else if (!strcmp(msg, "CMSG order/random")) {
+	} else if (!strcmp(buf, "CMSG order/random")) {
 		cl->order |= ORDER_RANDOM;
-	} else {
-		return;
-	}
-	if (send_packet(cl, msg, n)) {
-		weprintf("send <client>:");
-		remove_client(cl);
 	}
 }
 
@@ -355,4 +355,3 @@ main(void) /* TODO untested sbusd flags: -p[/dev/null] (-f) -u */ /* TODO test credentials */ -/* TODO test CMSG server */ |
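Review bot: The third `%lli` in the `!/cred/...` reply is fed `cred.gid` a second time, so the client is told GID/UID/GID while the README change in the same commit documents the format as GID, UID, PID; the last argument should be `(long long int)cred.pid);`. Since peers compare these replies to verify who they are talking to, a wrong third field means the advertised credentials never match the gid/uid/pid form the documentation promises, and the identity check silently fails. The reply is also written with an unbounded `sprintf` at `&buf[n]`, just past the terminator of the received key; the capacity of `buf` is not visible in this hunk, so using `snprintf` with the remaining size (or asserting at the caller that there is room for the roughly 70 bytes three long long values can take) would make the bound explicit. Minor style point: `struct ucred cred;` is only used in the whoami branch and could be declared there.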