I'm not sure why you would want to create files to check UID. Since you have
control of the server and client code, why not just use 'getuid' or
'geteuid' unix system calls? If you don't know what they are, run "man
getuid" for more information. This would be the simplest and most direct way
of getting UID information.
If you're wanting an "authentication" protocol, I think it is quite easy to
use TLS/SSL and require server/client certificates for authentication. You
would of course, require a basic CA setup. A lot of this code is already
available via the OpenSSL libraries so it shouldn't be hard to integrate
into whatever you're writing. Even if you write your own authentication
mechanism, you might want to check out the facilities available to you in
the OpenSSL libraries as any type of "secret" passing authentication should
not be done in cleartext. Your UID checking being an example of that. (sniff
the wire, pickup proper UID, spoof the server, serve up the UID)
Hope that helps...
-Bond Masuda
Security Consultant
-----------------------------------
JL Bond Consulting / www.JLBond.com
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> rainmailbox2001-ola (at) yahoo (dot) ca [email concealed]
> Sent: Friday, November 24, 2006 10:12 AM
> To: focus-linux (at) securityfocus (dot) com [email concealed]
> Subject: How to check UID of process on the other side of
> local TCP/UDP connection
>
> Hello.
>
> I have the following situation:
> - Client communicates with server via TCP or UDP.
> - Both client and server are on the same local host.
> - Server runs with root privilege.
>
> Now, client connects to server. Server has to check uid of
> the client. How it can be done?
> I need a solution that can be ported to all modern Unix and
> Linux systems.
>
> The most simple solution I came with is as follows:
> 1. Client connects to server.
> 2. Server asks client to create file with random name, for
> example /tmp/check.6723 3. Client generates the file.
> 4. Server checks the owner of the file.
>
> The owner of the file is the UID under which client is running.
>
> But
> the problem is that it requires some additional communication
> between server and client. My programs can communicate
> hundreds times a second so creating, checking and removing
> the file is a big performance issue.
>
> Do you have any ideas how this local authentication can be
> achieved in some different way?
>
> I
> was also thinking about using Unix sockets for communication,
> but it seems that they also lack any mechanism for
> authenticating the client.
> Anyways, I would prefer to stick with TCP/UDP, because this
> is what my programs use already, and I don't really want to
> change everything to Unix sockets (unless of course Unix
> sockets are the only good way to resolve my problems).
>
> Thanks,
> Ola
>
>
>
>
>
control of the server and client code, why not just use 'getuid' or
'geteuid' unix system calls? If you don't know what they are, run "man
getuid" for more information. This would be the simplest and most direct way
of getting UID information.
If you're wanting an "authentication" protocol, I think it is quite easy to
use TLS/SSL and require server/client certificates for authentication. You
would of course, require a basic CA setup. A lot of this code is already
available via the OpenSSL libraries so it shouldn't be hard to integrate
into whatever you're writing. Even if you write your own authentication
mechanism, you might want to check out the facilities available to you in
the OpenSSL libraries as any type of "secret" passing authentication should
not be done in cleartext. Your UID checking being an example of that. (sniff
the wire, pickup proper UID, spoof the server, serve up the UID)
Hope that helps...
-Bond Masuda
Security Consultant
-----------------------------------
JL Bond Consulting / www.JLBond.com
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> rainmailbox2001-ola (at) yahoo (dot) ca [email concealed]
> Sent: Friday, November 24, 2006 10:12 AM
> To: focus-linux (at) securityfocus (dot) com [email concealed]
> Subject: How to check UID of process on the other side of
> local TCP/UDP connection
>
> Hello.
>
> I have the following situation:
> - Client communicates with server via TCP or UDP.
> - Both client and server are on the same local host.
> - Server runs with root privilege.
>
> Now, client connects to server. Server has to check uid of
> the client. How it can be done?
> I need a solution that can be ported to all modern Unix and
> Linux systems.
>
> The most simple solution I came with is as follows:
> 1. Client connects to server.
> 2. Server asks client to create file with random name, for
> example /tmp/check.6723 3. Client generates the file.
> 4. Server checks the owner of the file.
>
> The owner of the file is the UID under which client is running.
>
> But
> the problem is that it requires some additional communication
> between server and client. My programs can communicate
> hundreds times a second so creating, checking and removing
> the file is a big performance issue.
>
> Do you have any ideas how this local authentication can be
> achieved in some different way?
>
> I
> was also thinking about using Unix sockets for communication,
> but it seems that they also lack any mechanism for
> authenticating the client.
> Anyways, I would prefer to stick with TCP/UDP, because this
> is what my programs use already, and I don't really want to
> change everything to Unix sockets (unless of course Unix
> sockets are the only good way to resolve my problems).
>
> Thanks,
> Ola
>
>
>
>
>
[ reply ]