UNIX credential passing

Kris Kennaway kris at FreeBSD.org
Fri May 30 19:04:50 EDT 2008


Sebastian 'lunar' Wiesner wrote:
> [ Kris Kennaway <kris at FreeBSD.org> ]
> 
>> I want to make use of UNIX credential passing on a local domain socket
>> to verify the identity of a user connecting to a privileged service.
>> However it looks like the socket module doesn't implement
>> sendmsg/recvmsg wrappers, and I can't find another module that does this
>> either.  Is there something I have missed?
> 
> http://pyside.blogspot.com/2007/07/unix-socket-credentials-with-python.html
> 
> Illustrates how to use socket credentials without sendmsg/recvmsg and so
> without any need for patching.
> 
> 

Thanks to both you and Paul for your suggestions.  For the record, the
URL above is Linux-specific, but it put me on the right track.  Here is
an equivalent FreeBSD implementation:

import struct

def getpeereid(sock):
    """ Get peer credentials on a UNIX domain socket.

        Returns a nested tuple: (uid, (gids)) """

    LOCAL_PEERCRED = 0x001
    NGROUPS = 16

    # struct xucred {
    #         u_int   cr_version;             /* structure layout version */
    #         uid_t   cr_uid;                 /* effective user id */
    #         short   cr_ngroups;             /* number of groups */
    #         gid_t   cr_groups[NGROUPS];     /* groups */
    #         void    *_cr_unused1;           /* compatibility with old ucred */
    # };

    # uid_t and gid_t are unsigned, so unpack them as 'I' rather than 'i'
    xucred_fmt = '2Ih%dIP' % NGROUPS
    res = struct.unpack(xucred_fmt, sock.getsockopt(
        0, LOCAL_PEERCRED, struct.calcsize(xucred_fmt)))

    # Check this is the above version of the structure
    if res[0] != 0:
        raise OSError("unexpected xucred version %d" % res[0])

    return (res[1], res[3:3+res[2]])


Kris
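
Added example (not part of Kris's post or of the linked article): a default-deny authorization gate for the privileged service the thread describes, with stricter validation of the xucred buffer and a Linux SO_PEERCRED branch alongside the FreeBSD one. The names parse_xucred, peer_credentials, is_authorized and SAMPLE_XUCRED are assumptions of this example, and SAMPLE_XUCRED is constructed data.

```python
import socket
import struct
import sys

XUCRED_FMT = "2Ih16IP"   # FreeBSD struct xucred, native alignment
UCRED_FMT = "i2I"        # Linux struct ucred: pid, uid, gid
LOCAL_PEERCRED = 0x001   # FreeBSD socket option, level 0
# Constructed sample buffer: version 0, uid 1001, 2 groups (1001, 0)
SAMPLE_XUCRED = struct.pack(XUCRED_FMT, 0, 1001, 2, 1001, 0, *([0] * 15))


def parse_xucred(buf):
    """Validate and decode a raw xucred buffer into (uid, gids)."""
    if len(buf) != struct.calcsize(XUCRED_FMT):
        raise ValueError("unexpected xucred length %d" % len(buf))
    fields = struct.unpack(XUCRED_FMT, buf)
    version, uid, ngroups = fields[:3]
    if version != 0:
        raise ValueError("unknown xucred version %d" % version)
    # An out-of-range count would otherwise slice the wrong fields
    if not 0 <= ngroups <= 16:
        raise ValueError("cr_ngroups out of range: %d" % ngroups)
    return uid, fields[3:3 + ngroups]


def peer_credentials(sock):
    """Return (uid, gids) of the peer on a connected AF_UNIX socket."""
    if sys.platform.startswith("freebsd"):
        size = struct.calcsize(XUCRED_FMT)
        return parse_xucred(sock.getsockopt(0, LOCAL_PEERCRED, size))
    if sys.platform.startswith("linux"):
        raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize(UCRED_FMT))
        _pid, uid, gid = struct.unpack(UCRED_FMT, raw)
        return uid, (gid,)
    raise NotImplementedError("no peer credential lookup for " + sys.platform)


def is_authorized(creds, allowed_uids=frozenset({0}), allowed_gids=frozenset()):
    """Default-deny: admit only listed uids or members of listed gids."""
    uid, gids = creds
    return uid in allowed_uids or any(g in allowed_gids for g in gids)
```

Both kernels report the credentials the peer held when it called connect(2), so the service sees the connect-time identity even if the client changes privileges afterwards.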


