Hey, I'm not seeing much activity on this so here's my $0.02

> Unix socket automatically translates pid attached to SCM_CREDENTIALS.
> This requires CAP_SYS_ADMIN for sending arbitrary pids and entering
> into pid namespace, this exposes processes and could be insecure.

Perhaps it would be a good idea to add a sysctl switch that prevents credential spoofing over AF_UNIX \by default\ if that is the main concern, or is there another concern and I have read this wrong?

I'm having trouble thinking of a legitimate use of SCM_CREDENTIALS spoofing that isn't in a debugging or troubleshooting context and would be more comfortable if it were not possible at all... Anyone know of a program that relies on this spoofing functionality?

If you look at socket(7) under SO_PEERCRED there is a way to get credentials at time of connect() for an AF_UNIX SOCK_STREAM, or at time of socketpair() for a SOCK_DGRAM. I would like to think these credentials are reliable, but it will probably require some extra daemon to proxy a dgram syslog socket.

-- 
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
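The two mechanisms the message compares, a sender-supplied SCM_CREDENTIALS record versus the SO_PEERCRED credentials the kernel records at connect()/socketpair() time, exercised over one AF_UNIX socketpair. This is an added example and not code from the post or the thread: the function names (run_creds_demo and friends) are mine, the spoofed pid 1 is an arbitrary choice, and whether the spoof attempt is rejected with EPERM or accepted depends on whether the running process holds CAP_SYS_ADMIN in the user namespace that owns its pid namespace, so the demo reports both possibilities rather than assuming one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Credentials the kernel recorded for the peer at socketpair()/connect() time.
   The sender cannot influence these. Returns 0 or -errno. */
int peer_creds(int fd, struct ucred *out)
{
    socklen_t len = sizeof *out;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) < 0 ? -errno : 0;
}

/* Send one byte with an explicit SCM_CREDENTIALS record. The kernel only
   accepts a pid other than the caller's with CAP_SYS_ADMIN (uid/gid need
   CAP_SETUID/CAP_SETGID); otherwise sendmsg() fails with EPERM. */
int send_with_creds(int fd, pid_t pid, uid_t uid, gid_t gid)
{
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof(struct ucred));
    struct ucred cr = { .pid = pid, .uid = uid, .gid = gid };
    memcpy(CMSG_DATA(c), &cr, sizeof cr);
    return sendmsg(fd, &msg, 0) < 0 ? -errno : 0;
}

/* Receive one byte and pull out the SCM_CREDENTIALS record the kernel attached
   (the receiving socket must have SO_PASSCRED set). 0, -ENOMSG or -errno. */
int recv_creds(int fd, struct ucred *out)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(fd, &msg, 0) < 0)
        return -errno;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    return -ENOMSG;
}

struct creds_demo {
    int rc;                   /* 0, or -errno if socket setup failed */
    int peercred_pid_is_self; /* SO_PEERCRED on the pair names this process */
    int honest_pid_is_self;   /* SCM_CREDENTIALS with our own pid arrives intact */
    int spoof_rc;             /* 0 if pid 1 was accepted, -EPERM if rejected */
    pid_t spoof_seen_pid;     /* pid the receiver saw when the spoof went through */
};

/* Run both checks in one process over a SOCK_STREAM socketpair. */
struct creds_demo run_creds_demo(void)
{
    struct creds_demo d = { 0 };
    struct ucred cr;
    int sv[2], on = 1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { d.rc = -errno; return d; }
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0) {
        d.rc = -errno; close(sv[0]); close(sv[1]); return d;
    }
    if (peer_creds(sv[1], &cr) == 0 && cr.pid == getpid())
        d.peercred_pid_is_self = 1;
    if (send_with_creds(sv[0], getpid(), getuid(), getgid()) == 0 &&
        recv_creds(sv[1], &cr) == 0 && cr.pid == getpid())
        d.honest_pid_is_self = 1;

    /* Claim to be pid 1 (an arbitrary choice): EPERM without CAP_SYS_ADMIN. */
    d.spoof_rc = send_with_creds(sv[0], 1, getuid(), getgid());
    if (d.spoof_rc == 0 && recv_creds(sv[1], &cr) == 0)
        d.spoof_seen_pid = cr.pid;

    close(sv[0]); close(sv[1]);
    return d;
}

int main(void)
{
    struct creds_demo d = run_creds_demo();
    if (d.rc) { fprintf(stderr, "setup: %s\n", strerror(-d.rc)); return 1; }
    printf("SO_PEERCRED pid == getpid(): %d\n", d.peercred_pid_is_self);
    printf("honest SCM_CREDENTIALS pid == getpid(): %d\n", d.honest_pid_is_self);
    printf("spoofed pid 1: %s\n", d.spoof_rc == 0 ? "accepted (caller has CAP_SYS_ADMIN)"
                                                  : strerror(-d.spoof_rc));
    return 0;
}
```

Run as an unprivileged user the spoof is refused, so a receiver that trusts SCM_CREDENTIALS is only trusting whatever CAP_SYS_ADMIN holders choose to claim; SO_PEERCRED has no such knob, which is the property the message is after, at the cost of needing a connected stream (or a socketpair) rather than a shared datagram socket.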