porting CCAPI to UNIX

Douglas E. Engert deengert at anl.gov
Tue May 8 20:07:42 EDT 2007


Does any other application, system lib, SSHD, PAM module, whatever,
use this same trick? Why should CCAPI be allowed to use this? If it
does work, how would CCAPI tell its socket from the others?


Nicolas Williams wrote:
> On Wed, May 02, 2007 at 06:25:09PM -0400, Ken Hornstein wrote:
>> I can only tell you what I did.  At login time our credential cache
>> code creates a Unix domain socket (using socketpair()), uses dup2()
>> to make the descriptor the maximum value possible (you look at the
>> maximum number of descriptors available via getrlimit()) and use
>> setrlimit to make the maximum descriptor one below that.  E.g, say
>> the maximum descriptor value is 1023; you use dup2() to make your
>> communication descriptor 1023, and use setrlimit() to make the
>> maximum descriptor value 1022.  This doesn't _prevent_ processes
>> from closing the descriptor, but in my experience they all stop
>> closing descriptors at the maximum descriptor limit.  So all processes
>> that are children of login get this descriptor in their environment
>> and they use it to communicate with a credential cache server that
>> is forked off as part of the login process (it's more complicated
>> than that, but that's the key bit of magic).  This provides
>> per-login-session semantics that seems to be pretty secure (of
>> course it is not perfect).
>>
>> I've been using this in production for ... oh, almost three years
>> now, on a wide variety of Unixes (off the top of my head: tons of
>> different Linuxes, Solaris, AIX, HP/UX, Irix; it works fine on MacOS
>> X but we prefer the CCAPI on that platform), and I am continually
>> surprised how well it works.  We haven't had any problems with it.
>>
>> I admit that it's gross ... but if you can tell me of a portable
>> solution that has the same semantics, I would love to hear about
>> it.
> 
> Watch out:  closefrom(3C) on Solaris uses fdwalk(3C), which readdirs
> /proc/self/fd/ to find open file descriptors.  I.e., lowering the fildes
> limits does not protect file descriptors > the fildes limit against
> closefrom(3C).
> 
> http://src.opensolaris.org/source/xref/onnv/aside/usr/src/lib/libc/port/gen/closefrom.c#54
> 
> Also, how do you track which fildes is the magic fildes?  Do you just
> add 1 to the fildes limit?
> 
> Nico

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
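
An added example, not part of this thread and not Ken's actual credential-cache code, of the descriptor trick described above (socketpair, dup2 to the top slot, setrlimit one below it), together with the two points raised in the replies: a /proc/self/fd walk of the kind closefrom(3C)/fdwalk(3C) does still finds the hidden descriptor, and one possible way for a client to locate the "magic" descriptor afterwards. Function names are mine; it assumes Linux (for /proc/self/fd) and that the top descriptor slot is currently free.

```c
/* Added example (not from the thread): hide one socketpair end above the
 * soft RLIMIT_NOFILE, then check what a naive close loop and a /proc walk
 * each see. Function names are hypothetical; Linux assumed for /proc. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Park one end of a socketpair at the highest descriptor the soft limit
 * allows, then lower the soft limit by one so "close everything up to the
 * limit" loops never reach it. Returns the hidden fd, stores the other
 * end in *peer, or returns -1 on error. */
int hide_fd_above_limit(int *peer)
{
    struct rlimit rl;
    int sv[2], magic;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY
        || rl.rlim_cur < 8)
        return -1;
    magic = (int)rl.rlim_cur - 1;          /* e.g. 1023 when the limit is 1024 */
    if (fcntl(magic, F_GETFD) != -1 || errno != EBADF)
        return -1;                         /* slot in use: dup2 would clobber it */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (dup2(sv[0], magic) != magic) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    close(sv[0]);
    rl.rlim_cur = (rlim_t)magic;           /* new ceiling sits just below the hidden fd */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
        close(magic); close(sv[1]);
        return -1;
    }
    *peer = sv[1];
    return magic;
}

/* What a typical daemon cleanup loop does: iterate from some low fd up to
 * the current soft limit. Returns 1 if such a loop would visit fd. */
int naive_loop_sees(int fd)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return (rlim_t)fd < rl.rlim_cur;
}

/* What closefrom(3C)/fdwalk(3C) does on Solaris: enumerate /proc/self/fd.
 * Returns 1 if fd is listed, 0 if not, -1 if /proc is unavailable. */
int proc_walk_sees(int fd)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int found = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long n = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0') continue;   /* skip "." and ".." */
        if ((int)n == fd) { found = 1; break; }
    }
    closedir(d);
    return found;
}

/* One answer to "which fd is the magic one?": after the trick it sits
 * exactly at the soft limit. Accept it only if it really is a socket. */
int locate_hidden_fd(void)
{
    struct rlimit rl;
    struct stat st;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return -1;
    int fd = (int)rl.rlim_cur;
    if (fstat(fd, &st) != 0 || !S_ISSOCK(st.st_mode))
        return -1;
    return fd;
}

/* Confirm the hidden end still works after the limit was lowered. */
int roundtrip(int hidden, int peer)
{
    char buf[8] = {0};
    if (write(peer, "ping", 4) != 4) return 0;
    if (read(hidden, buf, sizeof buf - 1) != 4) return 0;
    return strcmp(buf, "ping") == 0;
}

int main(void)
{
    int peer, magic = hide_fd_above_limit(&peer);
    if (magic < 0) { perror("hide_fd_above_limit"); return 1; }
    printf("hidden fd %d, peer fd %d\n", magic, peer);
    printf("naive close loop visits it: %d\n", naive_loop_sees(magic));
    printf("/proc/self/fd walk finds it: %d\n", proc_walk_sees(magic));
    printf("locate_hidden_fd():          %d\n", locate_hidden_fd());
    printf("round trip ok:               %d\n", roundtrip(magic, peer));
    return 0;
}
```

The lowered soft limit is inherited across fork and exec, so every descendant of the login process sees the same ceiling and the same descriptor just above it; any descendant that enumerates /proc/self/fd (or uses a closefrom() built on it) will still find and close the socket, which is exactly the caveat raised in the reply.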


