caps behaviour

Matthew Dillon dillon at apollo.backplane.com
Wed Feb 1 11:59:14 PST 2006 

:I've started playing with caps a little and have some questions about
:how a few things behave. I've taken a look at the kernel-side source but
:not too in-depth yet.
:
:First, it seems like I can open several service ports with the same
:name. Is that correct? For example, in the case of a password lookup
:daemon, one could do:
:
:ucid = caps_sys_service(SERVICE_NAME, getuid(), getgid(), 0, CAPF_GROUP|CAPF_WORLD);
:rcid = caps_sys_service(SERVICE_NAME, getuid(), getgid(), 0, CAPF_USER);
:
:Then, you could have a thread waiting for messages on each port,
:responding with the crypted passwords on root's port but not doing
:the shadow lookups on the user port.
:
:Also, big thanks to Csaba Henk for the OpenGrok site, the code is much
:easier to chew in small bites, especially for folks not used to
:something as huge as the internals of the BSD source.

    For the caps_sys_service() system call uniqueness is determined by
    the combination of the name, uid, and gid.  CAPF_GROUP and CAPF_WORLD
    only applies to the caps_sys_client() system call.  Those flags do
    not apply to caps_sys_service().

    Duplicate registrations are allowed unless CAPF_EXCL is specified.  The
    idea here is two fold:

    * To be able to register a new daemon for a service before killing the
      old daemon.  There would be a short period of time where both demons
      would be able to accept requests (the kernel will route a new request
      to one of them), thus providing 'seemless operation' in the face
      of a switchover.

      Presumably the client(s) would also help implement this idea of 
      seemless operation by reconnecting when it gets an appropriate error
      code.

    * To be able to create localized services or backup services.  For
      example, the system standard service might run as root, but you
      could also run a version under your own user id which overrides
      the system standard service for programs run under your user id.

    Using your password lookup idea as an example, it wasn't really the
    intent to use the uid/gid distinction to separate crypted functionality
    from non-crypted functionality, though that can certainly be done and
    might even be beneficial from a security standpoint.

    Instead the idea is for e.g. the root server to support both crypted
    and non-crypted functionality by observing the creds that are passed
    to it along with a message.

    Local per-user services, distincted by the user id they are registered
    under, are primarily intended to allow a user to override system 
    standard services with his own local version, and also intended to
    allow IPC between cooperating users.

    The system calls do not handle automatica reconnection or automatic
    backoff (i.e. trying to connect to root if the user is not available).
    The idea is to have a library, e.g. libcaps, which provides API functions
    which do all that for the program.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>

More information about the Kernel mailing list