From mboxrd@z Thu Jan  1 00:00:00 1970
From: sbaugh@catern.com
Subject: Re: Providing an alternative to setuid in GuixSD
Date: Wed, 26 Oct 2016 14:34:49 -0400
Message-ID: <87vawfdkmu.fsf@catern.com>
References: <87funnhz7h.fsf@catern.com> <878ttbti19.fsf@gnu.org>
	<87zilr6lr4.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50593)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <gcggd-guix-devel@m.gmane.org>) id 1bzT3E-0000qn-VD
	for guix-devel@gnu.org; Wed, 26 Oct 2016 14:35:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <gcggd-guix-devel@m.gmane.org>) id 1bzT3A-000177-Vl
	for guix-devel@gnu.org; Wed, 26 Oct 2016 14:35:48 -0400
Received: from [195.159.176.226] (port=40297 helo=blaine.gmane.org)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <gcggd-guix-devel@m.gmane.org>)
	id 1bzT3A-00015l-P2
	for guix-devel@gnu.org; Wed, 26 Oct 2016 14:35:44 -0400
Received: from list by blaine.gmane.org with local (Exim 4.84_2)
	(envelope-from <gcggd-guix-devel@m.gmane.org>) id 1bzT2m-0007Lr-RG
	for guix-devel@gnu.org; Wed, 26 Oct 2016 20:35:20 +0200
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

Christopher Allan Webber <cwebber@dustycloud.org> writes:
> So, you're running psudo, and this thing maybe accepts connections over
> something more secure, *maybe* unix domain sockets... so restrict group
> access to the socket to users in the "psudo" group.
>
> From there, maybe it could require PAM authentication while entering the
> root password, or something.
>
> It feels hard to know how psudo could "know" what user is accessing the
> socket... I don't think that information is made available, right?
> Maybe I'm wrong!  I guess postgres and etc do similar things?

On Linux, there is SCM_CREDENTIALS (and similar stuff on BSDs). From
Linux unix(7):

SCM_CREDENTIALS
Send or receive UNIX credentials.  This can be used for authentication.
The credentials are passed as a struct ucred ancillary message.  Thus
structure is defined in <sys/socket.h> as follows:

           struct ucred {
               pid_t pid;    /* process ID of the sending process */
               uid_t uid;    /* user ID of the sending process */
               gid_t gid;    /* group ID of the sending process */
           };

Moreover there is the Polkit (ne PolicyKit) framework for this kind of
stuff, which could provide a more high-level interface if we chose to
use it. (GNOME uses it as does systemd)

(Note that there is already pkexec (bundled with Polkit) which provides
a sudo replacement with authentiation and policy through Polkit. But
it's setuid for some reason. I haven't investigated why...)