
Question

How do I send a message from a user to a daemon where the daemon is guaranteed that the message came from the user? Assuming the user might be malicious.


Original Problem

I'm on Linux (Arch and Ubuntu). I want to mount encrypted ZFS datasets on login and have them unmounted (and the key dumped) on logoff. I want to mount the dataset with the user's password. The idea is that root doesn't ever see the password and the user doesn't have to enter their password twice.

What I tried

  • Put a line in sudoers: This is my backup plan. I don't want to do this because I want to have a system that has a little more fine grained control.
  • PAM: I can mount on logon with this method, but unmounting on logoff doesn't work, as PAM's concept of a "session" doesn't map to someone actually using a computer.
  • systemd user unit: User units don't have root permission, and you need root to mount or unmount.
  • systemd global unit: This also doesn't have enough permissions.

What I'm trying now

My current thought is to have a daemon that is started by root on startup. The daemon will get signals from the user on logoff to unmount. These signals will be verified somehow so they are guaranteed not to be from some random user trying to unmount somebody else's stuff.

FAQs

  • Wait are you just gonna send some daemon the password anyway? I don't get the point.

    I won't send the daemon the password. I can mount using PAM, so I don't need to go through the daemon for that, and unmount doesn't require the password. Also, I can verify the daemon to a good extent but not an administrator's behavior, so I'm somewhat okay passing the data through a script.

  • Root can still get into the dataset when the user logs in.

    Yeah I know. One problem at a time. I'm thinking of slapping down something that records if root goes into the folder. The accountability of that would likely be enough. There will always be a way when you're root but I just want to make it harder (also so I don't have to maintain as many passwords).

  • This is a programming question; post it on Stack Overflow.

    It is not. I know how to write a program, I don't know how to ensure a signal/message came from a user.

  • This is a duplicate of a question asked on Server Fault.

    Yeah they told me to come here.

  • After reading your predicament, I got this solution that fixes your problem entirely while staying within the bounds of your requirements, but it isn't directly what you asked.

    Heck yeah!!! I'm open to it.

Answer

How do I send a message from a user to a daemon where the daemon is guaranteed that the message came from the user? Assuming the user might be malicious.

Local sockets (AF_UNIX) allow the daemon to retrieve its peer's UID/GID using the SO_PEERCRED option. This is per-connection, though there is also a per-message feature SCM_CREDENTIALS which has a similar purpose.

Many services with '*ctl' commands rely on this feature for fine-grained access control (those which use AF_UNIX directly, as well as those which use the D-Bus IPC system).
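As an added example (not the answerer's code), here is a minimal Python sketch of the daemon side of that check on Linux: the daemon reads the peer's credentials from the kernel with SO_PEERCRED and only grants an unmount request when that UID owns the named dataset. The dataset-to-owner map and the socket path are assumptions; the demo plays both daemon and client in one process, so the peer UID is the current user's.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid (three native 32-bit ints)
UCRED_FMT = "3i"

def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel reports for the other end of an AF_UNIX connection."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)

def authorize_unmount(conn, request, owner_of):
    """Allow the request only if the kernel-supplied peer UID owns the named dataset.
    owner_of maps dataset name -> owning UID (hypothetical; a real daemon would load it
    from its own config). Nothing inside the message itself is trusted for identity."""
    _pid, uid, _gid = peer_credentials(conn)
    dataset = request.decode("utf-8", "replace").strip()
    return owner_of.get(dataset) == uid, uid, dataset

def serve_one(listener, owner_of):
    """Daemon side: accept one connection, decide, reply, and return the decision."""
    conn, _ = listener.accept()
    with conn:
        ok, uid, dataset = authorize_unmount(conn, conn.recv(4096), owner_of)
        conn.sendall(b"OK\n" if ok else b"DENIED\n")  # a real daemon would unmount here
        return ok

def demo(dataset, owner_is_peer):
    """Constructed in-process demo: this process is both daemon and client, so the
    client's UID is os.getuid(). Returns (daemon_decision, reply_bytes)."""
    owner_uid = os.getuid() if owner_is_peer else os.getuid() + 1  # +1: some other user
    decision = []
    with tempfile.TemporaryDirectory() as sock_dir, \
         socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
        path = os.path.join(sock_dir, "unmountd.sock")  # assumed socket location
        listener.bind(path)
        listener.listen(1)
        t = threading.Thread(target=lambda: decision.append(serve_one(listener, {dataset: owner_uid})))
        t.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(path)
            client.sendall(dataset.encode())
            reply = client.recv(16)
        t.join()
    return decision[0], reply
```

A client that writes someone else's dataset name into the message still gets DENIED, because the UID comes from the kernel, not from the message.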
