tincctl patches

Guus Sliepen guus at tinc-vpn.org
Thu Nov 8 18:07:14 CET 2007 

On Thu, Nov 08, 2007 at 08:11:41AM -0800, Scott Lamb wrote:

> >> How would you feel about making the subdirectory by default and possibly
> >> even having tincd and/or tincctl refuse to start if the permissions are
> >> too open?
> > 
> > Hm. Maybe. Or we can use the uid in struct xucred, and check whether
> > it is 0 or the same as tincctl's.
> 
> Hmm. A bit more research shows:
> 
> * Linux's situation is quite good - peer credentials, connect() EPERM,
[...]
> * BSD's not quite as good - peer credentials (no pids), connect() EPERM
[...]
> * Solaris (according to the bind source; I don't have a Solaris machine
[...]

Hm. It seems we're being spoiled with Linux.

> I played with two different options:
> 
> * have fairly clean code that's fully secure only on Linux and *BSD.
> (control-socket-credentials-where-available.patch)
> 
> * a more complex mkdir()+chdir()+stat(".") permission
> check+bind()+fchdir(oldcwd_fd) scheme that I think is fairly good
> everywhere. (control-socket-dir.patch) The chdir() is to avoid a race in
> permission checking the directory. I could have also ensured only
> root/wheel can write to the directories all the way up to the root, but
> unfortunately that would have complained about a default OS X
> installation like my laptop:
> 
> $ ls -laFd / /var /private /private/var /private/var/run
> drwxrwxr-t  40 root  admin   1428 Oct 27 16:37 //
> drwxr-xr-x@  7 root  wheel    238 Oct 25 14:39 /private/
> drwxr-xr-x@ 28 root  wheel    952 Oct 27 16:01 /private/var/
> drwxrwxr-x  43 root  daemon  1462 Nov  7 22:58 /private/var/run/
> lrwxr-xr-x@  1 root  admin     11 Oct 27 16:01 /var@ -> private/var
> 
> Opinion? Messy as it is, I'm likely to polish control-socket-dir.patch a
> bit and commit it.

Ok, that seems the better of the two options. A third option is to do
an authentication handshake over the control socket. This does not have
to be full-blown TLS, but something simple like sending the hash of the
combination of a random string and a secret string from a file that has
been properly chmod/chowned. It would work like this:

Client sends: random1 random2
Servers sends: random3 random4
Client sends: hash("client" + random1 + random4 + secret)
Server sends: hash("server" + random3 + random2 + secret)

A fourth option is to replace the unix socket with an IPv4 socket which
is bound to localhost and a port below 1024, because only root is
allowed to bind sockets to low ports. At least, on Linux :)

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20071108/6d210c8d/attachment.pgp

More information about the tinc-devel mailing list