From: Joe Lowe <joe@pismotec.com>
To: cygwin-developers@cygwin.com
Subject: Re: AF_UNIX status report
Date: Thu, 5 Nov 2020 11:54:29 -0800 [thread overview]
Message-ID: <59856c67-d643-b662-bec5-69bbc6a81d19@pismotec.com> (raw)
In-Reply-To: <90fdecee-fb2d-6b24-ef30-356df2dbc3d2@cornell.edu>
On 2020-11-05 11:01, Ken Brown via Cygwin-developers wrote:
> On 11/5/2020 12:21 PM, Corinna Vinschen wrote:
>> On Nov 5 09:23, Ken Brown via Cygwin-developers wrote:
>>> OK, here's how I imagine this working:
>>>
>>> A process wants to send a file descriptor fd, so it creates a msghdr
>>> with an
>>> SCM_RIGHTS cmsghdr and calls sendmsg. The latter creates and sends
>>> an admin
>>> packet A containing the fhandler for fd, and then it sends the original
>>> packet P.
>>>
>>> At the receiving end, recvmsg sees packet A first (recvmsg is always
>>> checking for admin packets anyway whenever it's called). It stores the
>>> fhandler somewhere. When it then reads packet P, it retrieves the
>>> stored
>>> fhandler, fiddles with it (duplicating handles, etc.), and creates
>>> the new
>>> file descriptor.
>>
>> Actually, this needs to be implemented in a source/dest-independent
>> manner. Only the server of the named pipe can impersonate the client.
>> So the server side should do the job of duplicating the handles. If the
>> sever is also the source of SCM_RIGHTS, it should send the fhandler with
>> already duplicated handles.
>
> Ah, OK. I was thinking of it differently. Rather than having the
> server impersonate the client, I was thinking that the sender would send
> its winpid as part of its admin packet, which the receiver could then
> use to get a handle to the sender's process. The receiver could then
> duplicate the handles. But maybe your approach is better. I'll have to
> rethink it.
SCM_RIGHTS on *nix; fd are retained by message buffering in the kernel.
A sending process can close an fd after sendmsg is called, before
recvmsg is called in the receiving process.
SCM_RIGHTS on *nix; fd are not added to a receiving process fd table
until the SCM_RIGHTS message is read. This is a consideration for DOS
attacks.
So I expect it is necessary to create a temp copy of each fd being sent,
so the sender can close the original. And I expect it is necessary to
use handshake/acks between the two processes; so the DuplicateHandle()
call can happen in the correct process and not until the SCM_RIGHTS
message is read.
>>> Does this seem reasonable? The main thing bothering me is the lack of
>>> atomicity. I don't like the gap between the sending of the two
>>> packets A
>>> and P, and similarly for the receiving. I thought about using the
>>> io_lock
>>> to at least make sure that the two packets are adjacent in the pipe,
>>> but I
>>> don't know if we want to tie up the io_lock for that long.
>>>
>>> Also, the sending process might be sending several file descriptors
>>> at once,
>>> so that there would be several admin packets to be sent (unless we
>>> want to
>>> cram it all into one).
>>
>> We can safely assume that pipe packets up to 64K are sent and received
>> atomically.
>>
>> In most cases this shouldn't be much of a problem. Most scenarios using
>> SCM_RIGHTS send no or only a minor payload. Most scenarios share a
>> single or only a handful of descriptors.
>>
>> Apart from that, Linux also defines SCM_MAX_FD, the max. number of
>> descriptors in a single sendmsg call. If the number of descriptors
>> is larger, sendmsg returns EINVAL. SCM_MAX_FD is 253 on Linux, but
>>
>> What that means to us is, we can choose our own SCM_MAX_FD and just
>> return EINVAL if the number of descriptors is uncomfortably high.
>> The max. number of descriptors should be limited so that all descriptors
>> fit into 64K, or even 32K, just to leave space for payload.
>> Assuming a size of about 600 bytes per fhandler, 50 might be a good
>> candidate for SCM_MAX_FD. I'd say even 32 would be sufficent for most
>> scenarios.
>>
>> The idea would be to create the packet on the source side with all
>> fhandlers in the ancilliary data block, followed by the payload.
>> This should typically fit in a 64K package. If not, only the
>> payload needs to be split into multiple packages. Do we really
>> need atomicity there? Not sure, but only then we'd need an io_lock.
Joe L.
next prev parent reply other threads:[~2020-11-05 19:54 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-26 22:04 Ken Brown
2020-10-27 9:43 ` Corinna Vinschen
2020-10-29 20:19 ` Ken Brown
2020-10-29 21:53 ` Joe Lowe
2020-10-30 9:20 ` Corinna Vinschen
2020-11-03 15:43 ` Ken Brown
2020-11-04 12:03 ` Corinna Vinschen
2020-11-05 14:23 ` Ken Brown
2020-11-05 17:21 ` Corinna Vinschen
2020-11-05 19:01 ` Ken Brown
2020-11-05 19:54 ` Joe Lowe [this message]
2020-11-06 4:02 ` Ken Brown
2020-11-05 23:41 ` Ken Brown
2020-11-06 9:12 ` Corinna Vinschen
2020-11-07 22:25 ` Ken Brown
2020-11-08 22:40 ` Ken Brown
2020-11-09 9:08 ` Corinna Vinschen
2020-11-17 19:57 ` Ken Brown
2020-11-18 8:34 ` Corinna Vinschen
2020-11-22 20:44 ` Ken Brown
2020-11-23 8:43 ` Corinna Vinschen
2020-11-26 17:06 ` Ken Brown
2020-12-15 17:33 ` Ken Brown
2020-12-16 9:29 ` Corinna Vinschen
2020-12-16 21:09 ` Ken Brown
2020-12-17 15:54 ` Ken Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59856c67-d643-b662-bec5-69bbc6a81d19@pismotec.com \
--to=joe@pismotec.com \
--cc=cygwin-developers@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).