[zeromq-dev] IPC filtering -> ZAP authentication
Brandon Carpenter
brandon.carpenter at pnnl.gov
Sat Jan 4 00:35:41 CET 2014
Pieter,
I am relatively new to zeromq (and I think it's great). We have been
using version 3.x on a project for about 8 months. I added the IPC
filtering code before I read about ZAP, which I discovered while looking
into curvemq. I then wrote the ZAP IPC authentication code. I originally
required setting the ZMQ_ZAP_IPC_CREDS option to avoid breaking any apps
that might rely on the current implementation, but I see that you
removed that with commit 5bf96f64. No problems there... I just didn't
want to break anything. Had I know about ZAP earlier, I would have
never implemented the IPC filter. I think it should die a quick death
as ZAP provides a more flexible mechanism for authentication.
The protocol prefixes are exactly what I wanted too, but I didn't
implement it in my patch because, again, I didn't want to break existing
code. Perhaps I should be less conservative in the future. ;-)
I'm also not sure the way the credentials are currently formatted is
optimal. I included the UID, GID, and PID in the address field so they
are available when using the PLAIN and CURVE mechanisms as well as
NULL. But now I'm thinking they should be sent in the credentials field
and only for the NULL mechanism. The other mechanisms already provide a
method for authentication. Any thoughts?
There is a difference in the Linux and OS X/BSD implementation for
fetching the peer credentials. On Linux, the UID, GID, and PID of the
peer process are provided. On OS X, no PID is provided and a list of
supplemental groups are provided along with the effective GID (which as
far as I know is first in the list). It would be nice to send that list
through ZAP to avoid any duplicate system calls. Perhaps on systems
where peer creds are available, the IPC credentials could include the
following:
* PID, which SHALL be an integer (pid_t) or empty frame (if unavailable)
* effective UID, which SHALL be an integer (uid_t)
* effective GID, which SHALL be an integer (gid_t)
* supplemental groups, which SHALL be zero or more integers (gid_t)
Platforms which do not support peer creds would not send any. What do
you think?
Brandon
On 01/01/2014 Pieter Hintjens wrote:
> Hi,
>
> There's new code in libzmq to do IPC filtering on UID/GID/PID.
>
> I'd like to remove those options and filtering logic, and do this via
> ZAP instead.l That would be more consistent with e.g. filtering on TCP
> address. It would require a change to the ZAP protocol to add the
> transport into the address field, so a TCP address would be prefixed
> by "tcp://" <tcp://%22> and an IPC address by "ipc://". <ipc://%22.>
>
> Comments?
>
> -Pieter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20140103/8d7a38fa/attachment.htm>
More information about the zeromq-dev
mailing list