tincctl patches

Scott Lamb slamb at slamb.org
Thu Nov 8 17:11:41 CET 2007


Guus Sliepen wrote:
> On Mon, Jul 23, 2007 at 07:09:24PM -0700, Scott Lamb wrote:
> 
>>> If you use signal events, apparently libevent sets and resets signal
>>> masks around every select/poll/epoll call on Linux. So even if you don't
>>> trigger the signals, it incurs a lot of overhead when you're sending or
>>> receiving a lot of data.
>> Oh, I fixed that. :) Upgrade to libevent 1.3b.
> 
> Great!
> 
>>> That sounds OK. Well, if the administrator does that, and if tincctl uses
>>> getpeercred() or other working alternatives if the OS supports it, and
>>> falls back to the PID provided by the tincd for those OSes that don't
>>> support it, I think that's the best we can do.
>> I think "those OSs that don't support it" is "everything but Linux". I
>> do want to make sure Mac OS X in particular works well, as that's what
>> my laptop runs.
>>
>> How would you feel about making the subdirectory by default and possibly
>> even having tincd and/or tincctl refuse to start if the permissions are
>> too open?
> 
> Hm. Maybe. Or we can use the uid in struct xucred, and check whether
> it is 0 or the same as tincctl's.

Hmm. A bit more research shows:

* Linux's situation is quite good - peer credentials, connect() EPERM,
stat(), fstat(), etc. do what you would expect. You can set permissions
with fchmod(), chmod(), or umask() during bind().

* BSD's not quite as good - peer credentials (no pids), connect() EPERM
works yet strangely stat() always shows owner/group root/wheel even
though connect() with perms 0700 works or not depending on the proper
owner...very weird. fstat() and fchmod() yield EINVAL. You can set
permissions with chmod() or umask() during bind().

* Solaris (according to the bind source; I don't have a Solaris machine
handy) is the worst. No credentials support that I see. No permissions
on sockets; you have to restrict traversal into the parent directory to
have any effect on who can connect. Apparently they have other
mechanisms than AF_UNIX to do credential-passing - STREAMS ticotsord and
"doors". I have no desire to use either.

I played with two different options:

* have fairly clean code that's fully secure only on Linux and *BSD.
(control-socket-credentials-where-available.patch)

* a more complex mkdir()+chdir()+stat(".") permission
check+bind()+fchdir(oldcwd_fd) scheme that I think is fairly good
everywhere. (control-socket-dir.patch) The chdir() is to avoid a race in
permission checking the directory. I could have also ensured only
root/wheel can write to the directories all the way up to the root, but
unfortunately that would have complained about a default OS X
installation like my laptop:

$ ls -laFd / /var /private /private/var /private/var/run
drwxrwxr-t  40 root  admin   1428 Oct 27 16:37 //
drwxr-xr-x@  7 root  wheel    238 Oct 25 14:39 /private/
drwxr-xr-x@ 28 root  wheel    952 Oct 27 16:01 /private/var/
drwxrwxr-x  43 root  daemon  1462 Nov  7 22:58 /private/var/run/
lrwxr-xr-x@  1 root  admin     11 Oct 27 16:01 /var@ -> private/var

Opinion? Messy as it is, I'm likely to polish control-socket-dir.patch a
bit and commit it.

Best regards,
Scott
Attachment: control-socket-credentials-where-available.patch
http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20071108/823544c6/attachment.txt
