tincctl patches

Scott Lamb slamb at slamb.org
Tue Jul 24 04:09:24 CEST 2007


Guus Sliepen wrote:
> If you use signal events, apparently libevent sets and resets signal
> masks around every select/poll/epoll call on Linux. So even if you don't
> trigger the signals, it incurs a lot of overhead when you're sending or
> receiving a lot of data.

Oh, I fixed that. :) Upgrade to libevent 1.3b.

>> Hmm, I guess the default location is /var/run, which is 755 by default.
>> So a malicious user couldn't create a socket there, but if tinc has
>> already created one then died, they could rebind to it. (I believe UNIX
>> domain sockets don't support permissions on most platforms.) Yeah,
>> you're right, this patch is no good (at least by itself).
>>
>> What about putting the control socket in a dedicated subdirectory with
>> locked-down permissions (700)? I believe this is the approach taken by
>> several other daemon/client pairs, including saslauthd/libsasl2. The
>> malicious user then couldn't bind to the socket at all, which seems
>> preferable to just not being able to lie about their pid.
> 
> That sounds OK. Well, if the administrator does that, and if tincctl uses
> getpeercred() or other working alternatives if the OS supports it, and
> falls back to the PID provided by the tincd for those OSes that don't
> support it, I think that's the best we can do.

I think "those OSs that don't support it" is "everything but Linux". I
do want to make sure Mac OS X in particular works well, as that's what
my laptop runs.

How would you feel about making the subdirectory by default and possibly
even having tincd and/or tincctl refuse to start if the permissions are
too open?

Best regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
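The scheme discussed above (a control socket inside a 0700 subdirectory, a daemon that refuses to proceed if that directory is too open, and kernel-supplied peer credentials where the OS offers them) as an added example. This is illustrative code, not tinc's or tincctl's own; the directory and socket names, the function names and the `demo()` walkthrough are assumptions. SO_PEERCRED is the Linux mechanism and getpeereid() the macOS/BSD one; elsewhere `peer_uid()` reports that it is unsupported so a caller can fall back to a weaker scheme such as the daemon-reported PID.

```c
/* Added example, not tinc's own code: a control socket kept in a 0700
 * directory, a check that refuses to proceed when the directory is too
 * open, and peer-credential lookup where the OS supports it. Paths and
 * names below are illustrative assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* A directory is acceptable only if it exists, is a real directory (not a
 * symlink planted in its place), is owned by us, and has no group/other bits. */
int control_dir_is_safe(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create the directory as 0700 regardless of umask, then re-check it:
 * an existing directory with wrong ownership or mode is still rejected. */
int ensure_control_dir(const char *dir)
{
    mode_t old = umask(077);
    int rc = mkdir(dir, S_IRWXU);
    umask(old);
    if (rc != 0 && errno != EEXIST)
        return 0;
    return control_dir_is_safe(dir);
}

/* Bind and listen on dir/name. Removing a stale socket left by a crashed
 * daemon is only safe because nobody else can create files in dir.
 * Returns the listening fd or -1. */
int bind_control_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa;
    int fd;
    if (!control_dir_is_safe(dir))
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name)
            >= (int)sizeof sa.sun_path)
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    unlink(sa.sun_path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 4) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Kernel-supplied peer identity: SO_PEERCRED on Linux, getpeereid() on
 * macOS/BSD. Returns -1 where neither exists so the caller can fall back. */
int peer_uid(int fd, uid_t *uid)
{
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    return 0;
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    gid_t gid;
    return getpeereid(fd, uid, &gid);
#else
    (void)fd; (void)uid;
    return -1;
#endif
}

/* Walk through the whole scheme in a constructed scratch directory.
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo(void)
{
    char dir[] = "/tmp/tincctl-demo-XXXXXX";   /* constructed scratch path */
    char path[sizeof dir + 16];
    int sv[2], fd = -1, step = 0;
    uid_t uid = (uid_t)-1;
    if (!mkdtemp(dir))
        return 1;
    if (!ensure_control_dir(dir)) step = 2;
    /* widen to 0755: the check must now reject the directory */
    if (!step && chmod(dir, 0755) == 0 && control_dir_is_safe(dir)) step = 3;
    if (!step && (chmod(dir, 0700) != 0 || !control_dir_is_safe(dir))) step = 4;
    if (!step) { fd = bind_control_socket(dir, "control"); if (fd < 0) step = 5; else close(fd); }
    /* a socketpair stands in for a connected client here */
    if (!step && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (peer_uid(sv[0], &uid) == 0 && uid != geteuid()) step = 6;
        close(sv[0]); close(sv[1]);
    }
    snprintf(path, sizeof path, "%s/control", dir);  /* best-effort cleanup */
    unlink(path);
    rmdir(dir);
    return step;
}

int main(void)
{
    printf("demo result (0 = all steps passed): %d\n", demo());
    return 0;
}
```

`control_dir_is_safe()` uses lstat rather than stat so that a symlink left at the path is rejected instead of followed, and it checks ownership as well as mode, since a 0700 directory owned by someone else gives that user, not the daemon, control of the socket. The same check is what a client such as tincctl would run before connecting, so that both ends refuse a directory an administrator has left too open.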


More information about the tinc-devel mailing list