CIFS client updates for auto-reconnect [PSARC/2009/366 FastTrack timeout 06/24/2009]
Gordon Ross
Gordon.Ross at sun.com
Mon Jun 22 11:09:13 PDT 2009
Darren Moffat wrote:
> >> IMO door servers need to be as robust as possible - particularly if
> >> they are running with any privilege but even if they are running as a
> >> "normal" user. Not only should they check who the peer caller is but
> >> they also need to be very very careful about how they parse the input
> >> coming over the door. See the (unfortunately closed) source for kcfd
> >> as an example.
There's not much in the way of parsing. The door server accepts just
one fixed-size structure containing stuff like the server IP address,
user name, NTLM hash, some flags, etc.
> In this case given the daemon is running as a normal user (but I assume
> it originally started with privilege so has SNOCD set right?) the door
It's started via fork/exec from a program also running as a
normal user, so it should not have any extra privileges.
> server should check that its euid matches that of the caller, or the
> caller's euid == 0 and has all privs (or the kernel will use a cred_t
> with euid == the user's). Additional protection that we are really
> being called by who we expect it to be called by - which BTW isn't
> actually clear from the case materials.
In the case materials, I described the door permissions and ownership.
While I still think that should be entirely sufficient, I don't mind
adding another check if someone will point me to an example of what
the check should look like.
Thanks,
Gordon
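
One shape the peer-credential check discussed above could take, as an added example that is not part of the original message or of the CIFS client source. door_req_t, caller_allowed and req_door_proc are hypothetical names, and the structure layout is an assumed stand-in for the fixed-size request described in the message; the Solaris-only calls sit under #ifdef __sun so the decision function compiles on any platform.

```c
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical stand-in for the fixed-size request the message describes. */
typedef struct door_req {
	char		server_addr[16];
	char		user[64];
	unsigned char	ntlm_hash[16];
	unsigned int	flags;
} door_req_t;

/*
 * Policy from the thread: accept a call only if the argument is exactly
 * one request structure and the caller's euid equals ours, or the caller
 * is euid 0 with a full effective privilege set.
 */
int
caller_allowed(uid_t caller_euid, uid_t my_euid, int caller_full_privs,
    size_t arg_size)
{
	if (arg_size != sizeof (door_req_t))
		return (0);
	if (caller_euid == my_euid)
		return (1);
	return (caller_euid == 0 && caller_full_privs);
}

#ifdef __sun	/* door_ucred(3C) and ucred_get(3C) are Solaris-specific */
#include <door.h>
#include <ucred.h>
#include <priv.h>
#include <unistd.h>
/* Hypothetical door server procedure applying the check to each call. */
void
req_door_proc(void *cookie, char *argp, size_t arg_size,
    door_desc_t *dp, uint_t n_desc)
{
	ucred_t *uc = NULL;	/* NULL asks door_ucred() to allocate */
	int ok = 0;
	if (argp != NULL && door_ucred(&uc) == 0) {
		const priv_set_t *eff = ucred_getprivset(uc, PRIV_EFFECTIVE);
		ok = caller_allowed(ucred_geteuid(uc), geteuid(),
		    eff != NULL && priv_isfullset(eff), arg_size);
		ucred_free(uc);
	}
	/* Request handling belongs here and runs only when ok != 0. */
	(void) door_return((char *)&ok, sizeof (ok), NULL, 0);
}
#endif
```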