[zeromq-dev] ØMQ and IPC peer validation (especially Windows)

Razvan COJOCARU rcojocaru at bitdefender.com
Fri Sep 13 18:37:18 CEST 2019


There's a very important scenario from a security perspective that
somewhat disqualifies ØMQ for some uses at this point: if we want a
couple of processes to talk to each other via IPC, but not before
validating each other (say, by checking the binary signature), how do we
achieve that? It's relatively easy to compromise certificate-based
security if the processes run on the same machine, and just storing a
common password somewhere is even worse.

The zmq_setsockopt(3) man page teaches us that we can set
ZMQ_IPC_FILTER_PID. zmq_socket_monitor(3) gives us a way to get a
ZMQ_EVENT_CONNECTED notification, with a file descriptor. So if this is
an AF_UNIX socket (with Linux) we can get the PID with SO_PASSCRED /
SO_PEERCRED, or use something like GetTcpTable2() on Windows [1], verify
the peer based on PID, and then set up ZMQ_IPC_FILTER_PID.

Is that the idiomatic / elegant way to do it? Would we get a
ZMQ_EVENT_CONNECTED notification even for ipc:// transports under UNIX?

Also, the documentation states that "this option is deprecated, please
use authentication via the ZAP API and IPC whitelisting / blacklisting".

Where would I find an example of achieving that with ZAP?

And last but not least, (and I know this gets asked from time to time,
in a Groundhog Day manner) - has any more thought been put into adding
proper ipc:// (via named pipes) for Windows? I understand that the
fundamental problem is a design one, IOCP being proactor and the BSD
socket model being reactor, but _is_ there a way of making the former
behave like the latter for ØMQ? What parts of the code should be
modified, and what (if any) recommendations would you have for an
attempt to add such support?
