[zeromq-dev] IPC path permissions
Jim Garlick
garlick at llnl.gov
Tue Feb 10 22:05:11 CET 2015
Before calling zmq_connect(), call
if (access (socket_path, W_OK | X_OK) < 0) {
// exit with error
}
Server would be unaware of the attempt but the client will fail reasonably.
Jim
On Tue, Feb 10, 2015 at 02:55:06PM -0600, Santosh_Bidaralli at Dell.com wrote:
> Pieter,
>
> We will be using the ZAP authentication framework for the external clients; however, in our case we also have internal clients that run with different Unix-based user and group ids. Hence we would like to detect and deny the requests sent by the processes that do not belong to the broker's group id.
>
> Thanks,
> Santosh
>
> -----Original Message-----
> From: zeromq-dev-bounces at lists.zeromq.org [mailto:zeromq-dev-bounces at lists.zeromq.org] On Behalf Of Pieter Hintjens
> Sent: Tuesday, February 10, 2015 1:42 PM
> To: ZeroMQ development list
> Subject: Re: [zeromq-dev] IPC path permissions
>
> You can do real authentication, there is a framework for this, called ZAP, and you can see how it works from ZeroMQ RFC 27,
> http://rfc.zeromq.org/spec:27 and the various test cases like tests/test_security_null.cpp. You can also see examples of ZAP handler in CZMQ's zauth class.
>
> On Tue, Feb 10, 2015 at 8:31 PM, <Santosh_Bidaralli at dell.com> wrote:
> > Thanks for the response Pieter. However our requirement is to fail when an unauthorized user tries to connect with broker, so we would like to detect and deny an invalid user trying to connect.
> >
> > Thanks,
> > Santosh
> >
> > -----Original Message-----
> > From: zeromq-dev-bounces at lists.zeromq.org
> > [mailto:zeromq-dev-bounces at lists.zeromq.org] On Behalf Of Pieter
> > Hintjens
> > Sent: Tuesday, February 10, 2015 12:40 PM
> > To: ZeroMQ development list
> > Subject: Re: [zeromq-dev] IPC path permissions
> >
> > If you are running on Linux I'd strongly advise using abstract IPC endpoints, which don't need special permissions. "ipc://@/somename".
> >
> >
> > On Tue, Feb 10, 2015 at 7:07 PM, <Santosh_Bidaralli at dell.com> wrote:
> >> Hi All,
> >>
> >> I am trying to create broker based client-server apps by referring to
> >> ZMQ guide. I am unable to detect IPC path permission error when an
> >> invalid user tries to connect using zmq_connect().
> >>
> >> Following steps explain the test scenario in detail:
> >>
> >> 1. Create a ZMQ broker that stores its IPC socket in a directory
> >> “/var/run/ipcs”
> >>   a. ZMQ broker runs with a specific user and group (ex: zuser and
> >> zgroup respectively)
> >>   b. “/var/run/ipcs” has permissions for all the users that belong to
> >> “zgroup” (permissions = drwxrws---)
> >>   c. IPC path example “ipc:///var/run/ipcs/broker.ipc” (permissions =
> >> drwxrws---)
> >>
> >> 2. Create a service provider that listens to requests from broker
> >>   a. Service provider runs as a user “zservice” that belongs to “zgroup”
> >>
> >> 3. Create a client that connects to ZMQ broker’s IPC path
> >> “ipc:///var/run/ipcs/broker.ipc” and sends the requests
> >>   a. If the client runs with a user that belongs to “zgroup” everything
> >> works fine
> >>   b. If the client runs with an invalid user such as “nobody” that does
> >> not belong to “zgroup”, it does not return any error. In turn
> >> zmq_connect() and zmq_send() return success and zmq_recv() waits
> >> forever (ZMQ_REP socket).
> >>
> >> Can you please let me know how I can get an appropriate error such as
> >> “Permission Denied” in case of an invalid user trying to connect to
> >> broker’s IPC?
> >>
> >> Thanks,
> >> Santosh Bidaralli
> >>
> >> _______________________________________________
> >> zeromq-dev mailing list
> >> zeromq-dev at lists.zeromq.org
> >> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >>