I'm not sure why you would want to create files to check UID. Since you have
control of the server and client code, why not just use 'getuid' or
'geteuid' unix system calls? If you don't know what they are, run "man
getuid" for more information. This would be the simplest and most direct way
of getting UID information.
If you're wanting an "authentication" protocol, I think it is quite easy to
use TLS/SSL and require server/client certificates for authentication. You
would of course, require a basic CA setup. A lot of this code is already
available via the OpenSSL libraries so it shouldn't be hard to integrate
into whatever you're writing. Even if you write your own authentication
mechanism, you might want to check out the facilities available to you in
the OpenSSL libraries as any type of "secret" passing authentication should
not be done in cleartext. Your UID checking being an example of that. (sniff
the wire, pickup proper UID, spoof the server, serve up the UID)
Hope that helps...
-Bond Masuda
Security Consultant
-----------------------------------
JL Bond Consulting / www.JLBond.com
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of
rainmailbox2001-ola@yahoo.ca
Sent: Friday, November 24, 2006 10:12 AM
To: focus-linux@securityfocus.com
Subject: How to check UID of process on the other side of
local TCP/UDP connection
Hello.
I have the following situation:
- Client communicates with server via TCP or UDP.
- Both client and server are on the same local host.
- Server runs with root privilege.
Now, client connects to server. Server has to check uid of
the client. How it can be done?
I need a solution that can be ported to all modern Unix and
Linux systems.
The most simple solution I came with is as follows:
1. Client connects to server.
2. Server asks client to create file with random name, for
example /tmp/check.6723 3. Client generates the file.
4. Server checks the owner of the file.
The owner of the file is the UID under which client is running.
But
the problem is that it requires some additional communication
between server and client. My programs can communicate
hundreds times a second so creating, checking and removing
the file is a big performance issue.
Do you have any ideas how this local authentication can be
achieved in some different way?
I
was also thinking about using Unix sockets for communication,
but it seems that they also lack any mechanism for
authenticating the client.
Anyways, I would prefer to stick with TCP/UDP, because this
is what my programs use already, and I don't really want to
change everything to Unix sockets (unless of course Unix
sockets are the only good way to resolve my problems).
Thanks,
Ola
