From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS24940 94.130.0.0/16 X-Spam-Status: No, score=-3.2 required=3.0 tests=AWL,BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_HI, SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=no autolearn_force=no version=3.4.6 Received: from nue.mailmanlists.eu (nue.mailmanlists.eu [94.130.110.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 392791F5A0 for ; Mon, 13 Feb 2023 00:45:05 +0000 (UTC) Authentication-Results: dcvr.yhbt.net; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=ml.ruby-lang.org header.i=@ml.ruby-lang.org header.a=rsa-sha256 header.s=mail header.b=EuyrbPCw; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ruby-lang.org header.i=@ruby-lang.org header.a=rsa-sha256 header.s=s1 header.b=GW73nbZl; dkim-atps=neutral Received: from nue.mailmanlists.eu (localhost [127.0.0.1]) by nue.mailmanlists.eu (Postfix) with ESMTP id 10E437E8CB; Mon, 13 Feb 2023 00:44:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ml.ruby-lang.org; s=mail; t=1676249095; bh=dJr4C0k3bpNmlaegEcm58w9rURd0NIiwfBwvgTaait8=; h=Date:References:To:Reply-To:Subject:List-Id:List-Archive: List-Help:List-Owner:List-Post:List-Subscribe:List-Unsubscribe: From:Cc:From; b=EuyrbPCwbLre6SuU1VYEv7awQ4I6ioFAzAkAsf4EB7mxZBQuMq60k5AKeOaELiTTZ k6yY2a7WVnNPHn0DSSv9NFDpzG8EFgKiVka8hj/7l7V+fEWgqB4BEAaJASVtVDe0r9 AUCptLWC1+jfLjscQ7LiaGGg2o9QjBOZjcjVxuKE= Received: from xtrwkhkc.outbound-mail.sendgrid.net (xtrwkhkc.outbound-mail.sendgrid.net [167.89.16.28]) by nue.mailmanlists.eu (Postfix) with ESMTPS id 6E2F17E674 for ; Mon, 13 Feb 2023 00:44:49 +0000 (UTC) Authentication-Results: nue.mailmanlists.eu; dkim=pass (2048-bit key; unprotected) header.d=ruby-lang.org header.i=@ruby-lang.org header.a=rsa-sha256 header.s=s1 header.b=GW73nbZl; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ruby-lang.org; h=from:references:subject:mime-version:content-type: content-transfer-encoding:list-id:to:cc:content-type:from:subject:to; s=s1; bh=IpILTg5YeQNk+j1SI6vmk/nG02QQgRQr48jK1ya+5R0=; b=GW73nbZlEnwPZDtREIeyo02dIJ6we3A1o7ineH03Dqa/7XQeY0gK/Fv3IRiQMn0YZZcr krvZQbrOYyGyFVpCZY/2uvdF4gGshFX7hV9UIndyZBdFG4TzqeO2QhB3HJPlco8HkUsKNT gzAB19HNNq/q3yOepxTom10VzYrEiaQdlH6MsNf3CQ+GFn3Eeq9E2ddOTc814bbW0CQ+gj +xfw0xzUOG5VmWmjx5y5YfSIl/SI4GCyJZk1Cs7TQ9G/AuLNIguh48FQc2ETp3NJ6qqAoD ExaGTOfe0LZvDUO0hR9kTphUWqrYjybBKzuvDF7GD3xoAVPFPEuFHOvHhndc3SiA== Received: by filterdrecv-695cbfbb87-bl6ww with SMTP id filterdrecv-695cbfbb87-bl6ww-1-63E987FF-7 2023-02-13 00:44:47.617350834 +0000 UTC m=+193555.381257517 Received: from herokuapp.com (unknown) by geopod-ismtpd-1-2 (SG) with ESMTP id dSNpWn3GTy-I5Y-UGbKOow for ; Mon, 13 Feb 2023 00:44:47.542 +0000 (UTC) Date: Mon, 13 Feb 2023 00:44:47 +0000 (UTC) Message-ID: References: Mime-Version: 1.0 X-Redmine-Project: ruby-master X-Redmine-Issue-Tracker: Feature X-Redmine-Issue-Id: 19179 X-Redmine-Issue-Author: kjtsanaktsidis X-Redmine-Sender: kjtsanaktsidis X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-Redmine-MailingListIntegration-Message-Ids: 88776 X-SG-EID: =?us-ascii?Q?bpuAnwiv5wR3AMKfH76hNK7PI5khDDZ1kji5+D8yFrgaUvTZzAkIlQXnVriLYY?= =?us-ascii?Q?wZntoXP0DUH6R9LNgqzTU1esCZ4KY8M9zX8WDhO?= =?us-ascii?Q?VCp0C5Jri1SBvGifLsZYLQ7TBgBmXXDrnoZc8O+?= =?us-ascii?Q?kugDUkAbiQlCITVBDqPNk=2FdIC6sh2YHmAIi8B3B?= =?us-ascii?Q?3iwfNBiWKv4AnuXdYriyye=2FJEC4hUGKQBmSxgx7?= =?us-ascii?Q?BFs=2FkCZb74yCxB145IvamVAWMIiXv4eWSkSMnc8?= =?us-ascii?Q?0B1HX6Tw7S6vMQaNX6Oj+L4iXlZsCx8cYibFlhz?= =?us-ascii?Q?8X4=3D?= To: ruby-core@ml.ruby-lang.org X-Entity-ID: b/2+PoftWZ6GuOu3b0IycA== Message-ID-Hash: 476TWS63AC6GC2TVHV3OLX7UMHPGRSNZ X-Message-ID-Hash: 476TWS63AC6GC2TVHV3OLX7UMHPGRSNZ X-MailFrom: bounces+313651-b711-ruby-core=ml.ruby-lang.org@em5188.ruby-lang.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.3 Precedence: list Reply-To: Ruby developers Subject: [ruby-core:112389] [Ruby master Feature#19179] Support parsing SCM_CRED(ENTIALS) messages from ancillary messages List-Id: Ruby developers Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core" Cc: "kjtsanaktsidis (KJ Tsanaktsidis)" Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Issue #19179 has been updated by kjtsanaktsidis (KJ Tsanaktsidis). It's true, the API currently exposed in that PR is a bit rough and un-ruby-like. Here's my idea for how the API should actually look: * Expose a new struct `Socket::Credentials`. * It has the following fields: `pid`, `uid`, `gid`, `euid`, `egid`, and `groups`. * My PR currently has an extra field `source`, the name of the struct the credentials came from originally. This is done so that it can be printed in the `#inspect` output of `Socket::AncillaryData` and `Socket::Option`, so that the current output remains the same. I would remove `source` from the struct definition and instead keep it in a hidden ivar inaccessible from Ruby - it's not a field that Ruby code needs to know anything about. * It would have the following methods: * `::new` & `#initialize` - normal struct initialization routines (although I would add `keyword_init: true` to the struct definition, it's not currently in the PR). * `::for_current_process` - initializes a new `Socket::Credentials` structure with values obtained from `Process.pid` etc. This is currently called `::for_process` in my PR, but to me that name kind of implies you could pass a PID and get values for a different process. * `#inspect` - prints similar output to what `Socket::AncillaryData` and `Socket::Option` do today. * `#to_ancillary_data` - Constructs a `Socket::AncillaryData` of type `SCM_CREDENTIALS` (or `SCM_CREDS`) based on these credential * Add some new methods to existing objects: * `Socket::AncillaryData#credentials` and `Socket::Option#credentials`. These would return a new `Socket::Credentials` struct containing the data from the ancdata/option. They would raise `ArgumentError` (or perhaps `TypeError` is more appropriate?) if the ancillary data or socket option is not of the correct type. I would get rid of the `Socket::Credentials::from_*` class methods currently in my PR as well. Does this sound like an improvement? ---------------------------------------- Feature #19179: Support parsing SCM_CRED(ENTIALS) messages from ancillary messages https://bugs.ruby-lang.org/issues/19179#change-101831 * Author: kjtsanaktsidis (KJ Tsanaktsidis) * Status: Open * Priority: Normal ---------------------------------------- ## Background Linux and FreeBSD support processes at either end of a unix socket identifying themselves to the other party by passing an ancillary message of type `SCM_CREDENTIALS` (Linux) or `SCM_CREDS` (FreeBSD). The socket library contains code to parse these ancillary messages, but the only way this is exposed into Ruby code is by the `Socket::AncillaryData#inspect` method - e.g. ``` # On Linux irb(main):002:0> s1, s2 = UNIXSocket.pair => [#, #] irb(main):004:0> s2.setsockopt Socket::SOL_SOCKET, Socket::SO_PASSCRED, 1 => 0 # struct ucred on Linux is (32-bit signed) pid_t, followed by (32-bit unsigned) uid_t, followed by # (32-bit unsigned) gid_t irb(main):008:0> ancdata = [Process.pid, Process.uid, Process.gid].pack("lLL") => "\x1ET\x05\x00\xE8\x03\x00\x00\xE8\x03\x00\x00" # Socket::AncillaryData knows how to unmarshal the data into struct ucred irb(main):010:0> ancmsg = Socket::AncillaryData.new(Socket::AF_UNIX, Socket::SOL_SOCKET, Socket::SCM_CRE DENTIALS, ancdata) => # irb(main):011:0> s1.sendmsg "hi", 0, nil, ancmsg => 2 # ancillary message can be passed through irb(main):012:0> _, _, _, recvanc = s2.recvmsg; recvanc => # ``` On Linux, at least, a suitably privileged process can send any value through for the pid, uid, or gid, but the kernel will reject attempts by unprivileged processes to forge credentials in this way. So SCM_CREDENTIALS messages can be useful for certain systems programming tasks. A somewhat wider array of operating systems support querying the identity of the other side of a socket using a socket option, variously `SO_PEERCRED` (Linux, OpenBSD) or `LOCAL_PEERCRED` (FreeBSD, MacOS). Again, the socket library is able to unmarshal the socket data into the correct structure on these various systems, but it's only exposed to Ruby code via `#inspect` - e.g. ``` irb(main):002:0> s1, s2 = UNIXSocket.pair => [#, #] irb(main):014:0> s1.getsockopt Socket::SOL_SOCKET, Socket::SO_PEERCRED => # ``` Ruby _does_ however support e.g. `BasicSocket#getpeereid`, which could use `SO_PEERCRED` etc under the hood - so getting the uid/gid data is not totally impossible. I believe getting the pid is though. ``` irb(main):016:0> s1.getpeereid => [1000, 1000] ``` ## My proposal I believe we should implement the following: * `Socket::Credentials` - this would be a struct which can contain all the various platform-specific pieces of credential info that can be transferred over a socket, such as uid, gid, pid, euid, egid, and group list. * `Socket::AncillaryData#credentials` - this would parse an `SCM_CREDS` or `SCM_CREDENTIALS` ancillary data message into the appropriate platform-specific struct, and return a `Socket::Credentials` instance containing that data. This would be analogous to `Socket::AncillaryData#int`; a method for interpreting the ancillary data in a certain form. * `Socket::Option#credentials` - This would parse a `SO_PEERCRED` or `LOCAL_PEERCRED` socket option response into the appropriate platform-specific struct, and return a `Socket::Credentials` instance containing that data. Again, this would be analogous to `Socket::Option#int`. The existing `struct ucred`/`struct xucred`/`struct sockpeercred`/`struct cmsgcred` parsing code (used only for `#inspect` output) would be moved into `Socket::Credentials`, and `Socket::AncillaryData#inspect`/`Socket::Option#inspect` would be implemented in terms of `Socket::Credentials`. This would nicely wrap a lot of parsing work that Ruby is already doing, into an API which allows Ruby code to take advantage of it. ## Use-cases My motivation for designing this feature came about whilst I was experimenting with some ideas for Ruby profilers. I wanted to allow a CLI tool to ask a Ruby process to start profiling itself by sending a message on a unix socket. Alongside the message, it would send a file descriptor which was the result of calling `perf_event_open(2)` in the CLI tool. In order to call `perf_event_open(2)`, the CLI tool would need to be privileged. I also wanted the Ruby process to authenticate the request and make sure it came from the same UID that it was running as. Calling `BasicSocket#getpeereuid` would reveal the remote process to be running as UID 0, (or perhaps even some other UID, with sufficient ambient capabilities to call `perf_event_open`). Instead, I decided to make the CLI tool send a `SCM_CREDENTIALS` message containing the uid of the process to be profiled; that way, the kernel does all the policy checking on whether or not this is actually allowed, and the Ruby process receiving th e message just needs to check if `uid == Process.getuid`. I think, on Linux at least, that this feature will be useful for any kind of communication/authentication scheme between privileged & unprivileged processes over unix sockets. ## My implementation I have an implementation of roughly this in this pull request: https://github.com/ruby/ruby/pull/6822 Thanks! -- https://bugs.ruby-lang.org/ ______________________________________________ ruby-core mailing list -- ruby-core@ml.ruby-lang.org To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/