[Opendnssec-develop] Again: Sharing PIN through POSIX message queues
Rick van Rein
rick at openfortress.nl
Wed Aug 10 18:31:07 UTC 2011
Hello Rickard,
I was pretty accurate with my "two years ago" estimate -- here is the PIN daemon
that I proposed in August 2009. It is based on message queues, the principle
of which is documented in most UNIX manuals, but it is not widely used by
programmers:
http://linux.die.net/man/7/mq_overview
http://www.users.pjwstk.edu.pl/~jms/qnx/help/watcom/clibref/mq_overview.html
Note that the attached code uses the older SysV API, which caught criticism
back then. The POSIX references above are a little different, but capture
the same idea. The SysV API is documented here:
http://linux.die.net/man/2/msgget
http://linux.die.net/man/2/msgctl
http://linux.die.net/man/2/msgsnd
http://linux.die.net/man/2/msgrcv
The driving reasons for preferring this mechanism for security reasons are:
1. The announcement is not as public as a filesystem reference; that is, it is
not only protected by user/access settings like a file, but it actually
is under full control of the PIN serving daemon;
2. The ability to lookup the sender's PID makes it possible to limit service
to very specific processes, such as those whose PID is stored in a certain
file in a certain location.
I've been looking through the POSIX mq_ documentation, and cannot find the
process identifier back. That means that the mileage of this approach may
vary with the platform. (But now that OpenDNSSEC is ported to Windows, I
suppose that is a basic issue underpinning OpenDNSSEC security anyway!)
Let me know if you need more information!
Cheers,
-Rick
-------------- next part --------------
An embedded message was scrubbed...
From: Rick van Rein <rick at openfortress.nl>
Subject: Sharing PIN through POSIX message queues
Date: Wed, 19 Aug 2009 07:25:30 +0000
Size: 4312
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110810/69b58a8e/attachment.eml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msgqueue-pin.tgz
Type: application/x-gtar
Size: 1810 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110810/69b58a8e/attachment.gtar>
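The scheme sketched in the mail (SysV queue owned by the PIN daemon, sender identified through the kernel rather than through the message body), written out as an added illustration that is not the code from the attached tarball: the daemon reads the requester's PID from msg_lspid via msgctl(IPC_STAT) and addresses its reply by that PID, so only that process's msgrcv() selects it. The request/reply message layout, the 32-byte PIN field and the sample PIN "1234" are assumptions made for the example.

```c
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REQ_TYPE 1   /* message type used by every client request */
struct pinmsg { long mtype; char text[32]; };   /* 32-byte PIN field is an assumption */

/* Daemon creates the queue; mode 0600 limits it to the daemon's own uid. */
int pin_queue_create(key_t key) { return msgget(key, IPC_CREAT | 0600); }
/* Client: queue a request; the daemon learns who sent it from the kernel. */
int pin_request_send(int qid) {
    struct pinmsg m = { .mtype = REQ_TYPE, .text = "PIN?" };
    return msgsnd(qid, &m, sizeof m.text, 0) == -1 ? -1 : 0;
}
/* Client: wait for the reply addressed to our own pid (mtype == getpid()). */
int pin_request_recv(int qid, char *out, size_t outlen) {
    struct pinmsg m;
    if (msgrcv(qid, &m, sizeof m.text, (long)getpid(), 0) == -1) return -1;
    snprintf(out, outlen, "%s", m.text);
    return 0;
}
/* Daemon: serve one request; 1 = PIN released, 0 = sender denied, -1 = error. */
int pin_serve_one(int qid, pid_t allowed_pid, const char *pin) {
    struct pinmsg m; struct msqid_ds ds;
    if (msgrcv(qid, &m, sizeof m.text, REQ_TYPE, 0) == -1) return -1;
    /* msg_lspid is the kernel-recorded pid of the last msgsnd(), not a client claim.
     * Caveat: any other msgsnd() before this IPC_STAT replaces "last", so a real
     * daemon must serialise requests before trusting it. */
    if (msgctl(qid, IPC_STAT, &ds) == -1) return -1;
    int ok = ds.msg_lspid == allowed_pid;
    m.mtype = (long)ds.msg_lspid;   /* only that pid's msgrcv() selects this reply */
    snprintf(m.text, sizeof m.text, "%s", ok ? pin : "DENIED");
    return msgsnd(qid, &m, sizeof m.text, 0) == -1 ? -1 : ok;
}
int main(void) {   /* stand-alone demo: the forked child is the allowed client */
    int qid = pin_queue_create(IPC_PRIVATE);
    pid_t child = qid == -1 ? -1 : fork();
    if (child == 0) {
        char buf[32];
        if (pin_request_send(qid) == 0 && pin_request_recv(qid, buf, sizeof buf) == 0)
            printf("client %d received: %s\n", (int)getpid(), buf);
        _exit(0);
    }
    if (child < 0) return 1;
    pin_serve_one(qid, child, "1234");   /* "1234" is a constructed sample PIN */
    wait(NULL); return msgctl(qid, IPC_RMID, NULL);
}
```

The queue mode and the msg_lspid check implement points 1 and 2 of the mail; the comment in pin_serve_one records the one property a deployer must verify, namely that msg_lspid only ever names the most recent sender.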