search for: so_peercr

.../public.c @@ -47,6 +47,7 @@ #include <limits.h> #include <errno.h> #include <signal.h> +#include <sys/types.h> #ifdef HAVE_TERMIOS_H #include <termios.h> @@ -801,6 +802,113 @@ nbdkit_peer_name (struct sockaddr *addr, socklen_t *addrlen) return 0; } +#ifdef SO_PEERCRED + +static int +get_peercred (int s, int *pid, int *uid, int *gid) +{ + struct ucred ucred; + socklen_t n = sizeof ucred; + + if (getsockopt (s, SOL_SOCKET, SO_PEERCRED, &ucred, &n) == -1) { + nbdkit_error ("getsockopt: SO_PEERCRED: %m"); + return -1; + } + + if (pid &...

On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote: > On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > > used on Linux (only) to read the peer PID, UID and GID from clients > > connected over a Unix domain socket. This can be used in the > > preconnect phase to add additional filtering.

...t;nbdkit_error> is > +called and this call returns C<-1>. > + > =head1 DEBUGGING > > +static int > +get_peercred (int s, int *pid, int *uid, int *gid) > +{ > + struct ucred ucred; > + socklen_t n = sizeof ucred; > + > + if (getsockopt (s, SOL_SOCKET, SO_PEERCRED, &ucred, &n) == -1) { > + nbdkit_error ("getsockopt: SO_PEERCRED: %m"); > + return -1; > + } > + > + if (pid && ucred.pid >= 1) { > + if (ucred.pid <= INT_MAX) > + *pid = ucred.pid; > + else > + nbdkit_error (&quot...

On Mon, Oct 05, 2020 at 02:38:37PM +0100, Daniel P. Berrangé wrote: > On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote: > > On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > > > used on Linux (only) to read the peer PID, UID and GID from clients > > > connected over a Unix domain

http://bugzilla.mindrot.org/show_bug.cgi?id=421 ------- Additional Comments From carl at chage.com 2003-01-10 05:38 ------- I noticed the same problem with a compile error where ucred is undefined in SUSE Linux 6.1. The problem is the test for SO_PEERCRED-- the feature is not available even though the define is present. In my linux/socket.h there is a "#define SCM_CREDENTIALS" next to the ucred definition, so the change from #if defined(SO_PEERCRED) to #if defined(SO_PEERCRED) && defined(SCM_CREDENTIALS) solves the compile pr...

hi, Solaris doesn't have getpeereid() or SO_PEERCRED. However, getpeerucred() is perfectly usable for that; and it's in Solaris 10 and OpenSolaris. So, ssh-agent(1) security there so far depends only on permissions of the socket directory and with this patch it checks peer's credentials, too. I patched following files using a snapshot f...

...-agent.c 2007-08-20 19:56:38.000000000 -0400 @@ -134,6 +134,9 @@ /* Default lifetime (0 == forever) */ static int lifetime = 0; +static int run_inform = 0; +char inform_cmd[MAXPATHLEN]; + static void close_socket(SocketEntry *e) { @@ -247,6 +250,28 @@ MD5_CTX md; Key *key; +#if defined(SO_PEERCRED) + if (AUTH_CONNECTION == e->type) { + struct ucred cred; + socklen_t len = sizeof(cred); + char inform_cmdline[MAXPATHLEN]; + + if (run_inform && getsockopt(e->fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) >= 0) { + int ret; + + snprintf(inform_cmdline, sizeof inform...

https://bugzilla.mindrot.org/show_bug.cgi?id=1775 Summary: RFE: Would like to use 'abstract' unix sockets for ControlPath Product: Portable OpenSSH Version: 5.5p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo:

Hello all, I'm currently writing a C program that uses the libvirt API and I need a way to obtain the pid of a given domain's QEMU process. Specifically, I'm writing an ivshmem server that uses SO_PEERCRED to get the pid of clients that connect to it, and I would like to use that pid to look up the domain in libvirt to determine the proper domain ID to return to the client. As far as I can tell, libvirt doesn't expose this information in an easy to access manner. Of course it is possible t...

...s. > > Can I suggest you forget UX if you want a DC and use Linux instead. BTW, I've looked back at the original logs. The issue is this: single_terminate: reason[socket_get_remote_addr() failed] The reason is that we require 'credentials passing' via the getpeereid() call or SO_PEERCRED, a feature not in posix but available one way or the other on multiple unix-like systems, which allows one end of the pipe to know the UID and GID of the other end.   We don't have an implementation of this for HP-UX, so the AD DC won't run. I'm sorry the build doesn't fail earl...

v2 was here: https://www.redhat.com/archives/libguestfs/2020-October/msg00019.html v3: * defence -> defense * Use int64_t instead of int. This compiles on Windows. * Add GC wrappers to OCaml bindings. * New FreeBSD patch. * Removed "pid:" example from the ip filter manual, and added a warning beside the pid documentation. Rich.

Hi, Question: Can a TCP server (running on the same host as the OpenSSH server) know the user id/name of a user forwarding an TCP port ? I.e. if someone on some client machine does ssh -L9999:localhost:9999 someuser at somehost nc localhost 9999 and a service accepts the connection on port localhost:9999 on somehost, can it somehow safely read out the user name "someuser"? Long

...] Error 1 I dealt with this recently on an old Redhat 6.2 Alpha box. Your glibc is out of date. You more than likely have 2.0. Which does not include the correct headers from kernel space (back when /usr/includes/linux/ was linked to /usr/src/linux/include/). The hack is to just do a #undef SO_PEERCRED at the top of the bsd-getpeereid.c file. As for a better solution. I'm not sure. I don't want to include <linux/*> stuff. That I think is the wrong solution. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Hello, we're using the portable OpenSSH (3.8.1p1) with Linux, HP-UX and Solaris. After starting the ssh-agent and adding a private key, I changed the permissions of the socket to 0770, so other users of the same group have access to it. With HP-UX and Solaris this works fine, although with Linux and older OpenSSH versions (3.4p1/SuSE8.1,3.1p1/RedHat7.2). With 3.8.1p1 and Linux

...9 2:31 AM, Shawn Anastasio wrote: > > Hello all, > > > > I'm currently writing a C program that uses the libvirt API and I need a > > way to obtain the pid of a given domain's QEMU process. > > > > Specifically, I'm writing an ivshmem server that uses SO_PEERCRED to get > > the pid of clients that connect to it, and I would like to use that pid > > to look up the domain in libvirt to determine the proper domain ID to > > return to the client. > > > > As far as I can tell, libvirt doesn't expose this information in an easy...

Hi Andrew, I have checked for the reason of below error single_terminate: reason[socket_get_remote_addr() failed] As mentioned by you earlier that it requires "credentials passing via the getpeereid() call or SO_PEERCRED" On investigating it further i found below condition that fails File :- lib/tsocket/tsocket_bsd.c Function int _tsocket_address_bsd_from_sockaddr(TALLOC_CTX *mem_ctx, const struct sockaddr *sa, size_t sa_socklen, struct tsocket_address **_addr, const char *location)...

...l, > > > > > > > > I'm currently writing a C program that uses the libvirt API and I need a > > > > way to obtain the pid of a given domain's QEMU process. > > > > > > > > Specifically, I'm writing an ivshmem server that uses SO_PEERCRED to get > > > > the pid of clients that connect to it, and I would like to use that pid > > > > to look up the domain in libvirt to determine the proper domain ID to > > > > return to the client. > > > > > > > > As far as I can tell, lib...

These two commits add new APIs and enhance nbdkit-ip-filter to allow filtering of Unix domain sockets by the client's PID, UID or GID. eg: nbdkit -U sock --filter=ip ... allow=uid:`id -u` deny=all Rich.

This is just a simple update to: https://www.redhat.com/archives/libguestfs/2020-October/msg00015.html rebased on top of current nbdkit master because I pushed a few simple refactorings. Rich.

...rding -- the first one seems to always be for the client itself (even with public key auth disabled), and then subsequent connections are made 1:1 with remote client connections that are being forwarded. My agent implementation already knows how to look up the PID of the connected process (via SO_PEERCRED, getpeerucred, etc) and find its executable name and basic info (via procfs, kvm_getprocs etc) on the handful of OS that I care about, so this is what I'm thinking of doing: 1. Track connections per process by pid + process start time (so if the PID is re-used, the start time should be...