Adding IP_PEERCRED?
Nicolas Braud-Santoni
nicolas at braud-santoni.eu
Sat Oct 18 00:02:43 UTC 2014
Hello,
I would like to enquire about the possibility of adding an IP_PEERCRED
socket option to ip(4) which would be similar to LOCAL_PEERCRED for
unix(4).
Such an option, when requested via getsockopt(2) on a not-connectionless
IP (v4 or v6) socket, would either
- return credentials of the remote side (as a xucred structure) in the
case of a loopback (non-cross-jail) socket;
- fail (with EINVAL?).
The intended use-case of such a functionality would be for processes
to provide services only to a given user, instead of the local host,
while using IP sockets.
For instance, an SSH client could use this feature to provide port
forwards for a given user, instead of providing it to all users.
While bapt@ thought at first glance that it might be a good idea,
neither of us knows whether it would be reasonable to implement.
Any thoughts on this?
Best,
Nicolas
PS: Credit for this idea should go to David Madore (in CC), who blogged
about it (in French):
http://www.madore.org/~david/weblog/d.2014-10-16.2234.html