[zeromq-dev] IPC filtering -> ZAP authentication

Brandon Carpenter brandon.carpenter at pnnl.gov
Sat Jan 4 00:35:41 CET 2014


Pieter,

I am relatively new to zeromq (and I think it's great). We have been 
using version 3.x on a project for about 8 months. I added the IPC 
filtering code before I read about ZAP, which I discovered while looking 
into curvemq. I then wrote the ZAP IPC authentication code. I originally 
required setting the ZMQ_ZAP_IPC_CREDS option to avoid breaking any apps 
that might rely on the current implementation, but I see that you 
removed that with commit 5bf96f64.  No problems there... I just didn't 
want to break anything.  Had I known about ZAP earlier, I would have 
never implemented the IPC filter.  I think it should die a quick death 
as ZAP provides a more flexible mechanism for authentication.

The protocol prefixes are exactly what I wanted too, but I didn't 
implement it in my patch because, again, I didn't want to break existing 
code.  Perhaps I should be less conservative in the future. ;-)

I'm also not sure the way the credentials are currently formatted is 
optimal.  I included the UID, GID, and PID in the address field so they 
are available when using the PLAIN and CURVE mechanisms as well as 
NULL.  But now I'm thinking they should be sent in the credentials field 
and only for the NULL mechanism.  The other mechanisms already provide a 
method for authentication.  Any thoughts?

There is a difference in the Linux and OS X/BSD implementation for 
fetching the peer credentials.  On Linux, the UID, GID, and PID of the 
peer process are provided.  On OS X, no PID is provided and a list of 
supplemental groups is provided along with the effective GID (which as 
far as I know is first in the list).  It would be nice to send that list 
through ZAP to avoid any duplicate system calls. Perhaps on systems 
where peer creds are available, the IPC credentials could include the 
following:

  * PID, which SHALL be an integer (pid_t) or empty frame (if unavailable)
  * effective UID, which SHALL be an integer (uid_t)
  * effective GID, which SHALL be an integer (gid_t)
  * supplemental groups, which SHALL be zero or more integers (gid_t)

Platforms which do not support peer creds would not send any.  What do 
you think?

Brandon


On 01/01/2014 Pieter Hintjens wrote:
> Hi,
>
> There's new code in libzmq to do IPC filtering on UID/GID/PID.
>
> I'd like to remove those options and filtering logic, and do this via
> ZAP instead. That would be more consistent with e.g. filtering on TCP
> address. It would require a change to the ZAP protocol to add the
> transport into the address field, so a TCP address would be prefixed
> by "tcp://" and an IPC address by "ipc://".
>
> Comments?
>
> -Pieter
