Displaying 10 results from an estimated 10 matches for "nbdkit_peer_gid".
2020 Oct 05
3
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> used on Linux (only) to read the peer PID, UID and GID from clients
> connected over a Unix domain socket. This can be used in the
> preconnect phase to add additional filtering.
>
> One use for this is to add an extra layer of authentication for local
> connectio...
2020 Oct 03
0
[PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
used on Linux (only) to read the peer PID, UID and GID from clients
connected over a Unix domain socket. This can be used in the
preconnect phase to add additional filtering.
One use for this is to add an extra layer of authentication for local
connections. A subsequent commit will...
2020 Oct 03
7
[PATCH nbdkit v2 0/3] ip: Add filtering by process ID, user ID and group ID.
This is just a simple update to:
https://www.redhat.com/archives/libguestfs/2020-October/msg00015.html
rebased on top of current nbdkit master because I pushed a few simple
refactorings.
Rich.
2020 Oct 05
4
[PATCH nbdkit v3 0/4] ip: Add filtering by process ID, user ID and group ID.
v2 was here:
https://www.redhat.com/archives/libguestfs/2020-October/msg00019.html
v3:
* defence -> defense
* Use int64_t instead of int. This compiles on Windows.
* Add GC wrappers to OCaml bindings.
* New FreeBSD patch.
* Removed "pid:" example from the ip filter manual, and added a warning
beside the pid documentation.
Rich.
2020 Oct 03
0
[PATCH nbdkit v2 3/3] ocaml: Add bindings for nbdkit_peer_{pid, uid, gid}.
...t -> unit
(** Print a debug message when nbdkit is in verbose mode. *)
val debug : ('a, unit, string, unit) format4 -> 'a
+
+(** Binding for [nbdkit_peer_pid]. *)
+val peer_pid : unit -> int
+(** Binding for [nbdkit_peer_uid]. *)
+val peer_uid : unit -> int
+(** Binding for [nbdkit_peer_gid]. *)
+val peer_gid : unit -> int
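Review bot: The doc comments on peer_pid, peer_uid and peer_gid say only "Binding for [nbdkit_peer_*]" and do not say how failure is reported, so an OCaml plugin author has to read the C documentation to learn what comes back when the peer credentials cannot be read. Since the declared type is unit -> int, either document the error value next to each val or raise an exception on failure. It is also worth noting in the comment that OCaml's int is 31 bits wide on 32-bit platforms, so the full range of a 32-bit uid or gid does not fit there.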
diff --git a/plugins/ocaml/NBDKit.ml b/plugins/ocaml/NBDKit.ml
index 739210fa..76fa3a77 100644
--- a/plugins/ocaml/NBDKit.ml
+++ b/plugins/ocaml/NBDKit.ml
@@ -257,3 +257,7 @@ external _debug : string -> unit = "ocaml_nbdkit_debug" "noalloc"...
2020 Oct 03
2
[PATCH nbdkit 0/2] ip: Add filtering by process ID, user ID and group ID.
These two commits add new APIs and enhance nbdkit-ip-filter to allow
filtering of Unix domain sockets by the client's PID, UID or GID. eg:
nbdkit -U sock --filter=ip ... allow=uid:`id -u` deny=all
Rich.
2020 Oct 05
0
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > used on Linux (only) to read the peer PID, UID and GID from clients
> > connected over a Unix domain socket. This can be used in the
> > preconnect phase to add additional filtering.
> >
> > One use for this is to add an extra layer of authentication...
2020 Oct 05
1
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 02:38:37PM +0100, Daniel P. Berrangé wrote:
> On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> > On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > > used on Linux (only) to read the peer PID, UID and GID from clients
> > > connected over a Unix domain socket. This can be used in the
> > > preconnect phase to add additional filtering.
> > >
> > > One use for this is to add an extr...
2020 Oct 05
2
Re: [PATCH nbdkit v2 3/3] ocaml: Add bindings for nbdkit_peer_{pid, uid, gid}.
...essage when nbdkit is in verbose mode. *)
> val debug : ('a, unit, string, unit) format4 -> 'a
> +
> +(** Binding for [nbdkit_peer_pid]. *)
> +val peer_pid : unit -> int
> +(** Binding for [nbdkit_peer_uid]. *)
> +val peer_uid : unit -> int
> +(** Binding for [nbdkit_peer_gid]. *)
> +val peer_gid : unit -> int
Is int sufficient on 32-bit platforms, or do you need int32? But on
64-bit platforms, I don't see a system ever having enough valid
uid_t/gid_t/pid_t to overflow int to the point that int64 would have
been better.
Otherwise looks fine.
--
Eric Blake...
2020 Oct 03
0
[PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.
...eer_* call fails. */
+ case PID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_pid () == rule->u.id;
+
+ case UID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_uid () == rule->u.id;
+
+ case GID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_gid () == rule->u.id;
+
case BAD:
default:
abort ();
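Review bot: In the PID, UID and GID cases the result of nbdkit_peer_pid (), nbdkit_peer_uid () and nbdkit_peer_gid () is compared with rule->u.id directly, with no separate test for failure, so the match is only safe if the rule parser can never store the calls' error value in u.id. Consider checking the return value first and returning false on error, or keep the comparison and enforce that invariant where the rule is parsed. The three cases are identical apart from the call, so a small helper taking the fetched ID would remove the repeated family != AF_UNIX test.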
@@ -430,8 +485,10 @@ check_if_allowed (const struct sockaddr *addr)
{
int family = ((struct sockaddr_in *)addr)->sin_family;
- /* There's an implicit allow all for non-IP sockets, see the manual. */
- if (family != AF_INE...