Lorenz Schori wrote:
> Hi all,
>
> *BSDs and OSX do not seem to support SO_PEERCRED. Checking for that is
> needed in src/tincctl.c.

Those systems do support peer credentials, though not the pid field
specifically.

We had a discussion about this a while ago - I would prefer to satisfy
the security constraint without SO_PEERCRED by putting the socket in a
directory of appropriately tight permissions. IIRC, Guus would prefer to
use peer credentials where available even so.

>
> --- src/tincctl.c (revision 1555)
> +++ src/tincctl.c (working copy)
> @@ -399,6 +399,7 @@
> return 1;
> }
>
> +#ifdef SO_PEERCRED
> struct ucred cred;
> socklen_t credlen = sizeof cred;
>
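Review bot: The `#ifdef SO_PEERCRED` placed above `struct ucred cred;` tests only for the socket option name, but the guarded code also needs `struct ucred` and later reads its `pid` member. A platform can define one without the other, so a build-time check for the struct and its pid member would be a more precise guard. A one-line comment saying why the block is conditional would also help the next reader.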
> @@ -411,6 +412,7 @@
> printf("%d\n", cred.pid);
> return 0;
> }
> +#endif
>
> if(!strcasecmp(argv[optind], "stop")) {
> write(fd, "stop\n", 5);
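Review bot: The `#endif` sits right after the block ending in `printf("%d\n", cred.pid); return 0; }` with no `#else`, so a build without SO_PEERCRED drops that block entirely and falls through to the `stop` comparison without telling the user the request is unsupported. Consider an `#else` branch that reports the missing support on stderr and returns non-zero.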
> _______________________________________________
> tinc-devel mailing list
> tinc-devel at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc-devel