6 files changed, 124 insertions, 4 deletions

diff --git a/src/include/gnunet_connection_lib.h b/src/include/gnunet_connection_lib.h
index 33afb0386..8d2dbb611 100644
--- a/src/include/gnunet_connection_lib.h
+++ b/src/include/gnunet_connection_lib.h
@@ -53,15 +53,34 @@ struct GNUNET_CONNECTION_Handle;
 
 
 /**
+ * Credentials for UNIX domain sockets.
+ */
+struct GNUNET_CONNECTION_Credentials
+{
+  /**
+   * UID of the other end of the connection.
+   */
+  uid_t uid;
+
+  /**
+   * GID of the other end of the connection.
+   */
+  gid_t gid;
+};
+
+
+/**
  * Function to call for access control checks.
  *
  * @param cls closure
+ * @param ucred credentials, if available, otherwise NULL
  * @param addr address
  * @param addrlen length of address
  * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR
  *   for unknown address family (will be denied).
  */
 typedef int (*GNUNET_CONNECTION_AccessCheck) (void *cls,
+                                              const struct GNUNET_CONNECTION_Credentials *ucred,
                                            const struct sockaddr * addr,
                                            socklen_t addrlen);
 
diff --git a/src/include/gnunet_network_lib.h b/src/include/gnunet_network_lib.h
index 73303689a..34cb7bc32 100644
--- a/src/include/gnunet_network_lib.h
+++ b/src/include/gnunet_network_lib.h
@@ -309,6 +309,7 @@ void GNUNET_NETWORK_fdset_add (struct GNUNET_NETWORK_FDSet *dst,
 void GNUNET_NETWORK_fdset_copy (struct GNUNET_NETWORK_FDSet *to,
                                 const struct GNUNET_NETWORK_FDSet *from);
 
+
 /**
  * Return file descriptor for this network handle
  *
diff --git a/src/include/platform.h b/src/include/platform.h
index cc2aa03ae..230031307 100644
--- a/src/include/platform.h
+++ b/src/include/platform.h
@@ -156,6 +156,9 @@
 #include <sys/loadavg.h>
 #include <semaphore.h>
 #endif
+#if HAVE_UCRED_H
+#include <ucred.h>
+#endif
 #ifdef CYGWIN
 #include <windows.h>
 #include <cygwin/if.h>
diff --git a/src/util/connection.c b/src/util/connection.c
index aa5db91bf..12969b3ba 100644
--- a/src/util/connection.c
+++ b/src/util/connection.c
@@ -346,6 +346,12 @@ GNUNET_CONNECTION_create_from_accept (GNUNET_CONNECTION_AccessCheck access,
   struct sockaddr_in6 *v6;
   struct sockaddr *sa;
   void *uaddr;
+  struct GNUNET_CONNECTION_Credentials *gcp;  
+  struct GNUNET_CONNECTION_Credentials gc;  
+#ifdef SO_PEERCRED
+  struct ucred uc;
+  socklen_t olen;
+#endif
 
   addrlen = sizeof (addr);
   sock =
@@ -384,9 +390,50 @@ GNUNET_CONNECTION_create_from_accept (GNUNET_CONNECTION_AccessCheck access,
       uaddr = GNUNET_malloc (addrlen);
       memcpy (uaddr, addr, addrlen);
     }
+  gcp = NULL;
+  gc.uid = 0;
+  gc.gid = 0;
+  if (sa->sa_family == AF_UNIX)
+    {
+#if HAVE_GETPEEREID
+      /* most BSDs */
+      if (0 == getpeereid (GNUNET_NETWORK_get_fd (sock), 
+                           &gc.uid,
+                           &gc.gid))
+        gcp = &gc;
+#else
+#ifdef SO_PEERCRED
+      /* largely traditional GNU/Linux */
+      olen = sizeof (uc);
+      if ( (0 ==
+            getsockopt (GNUNET_NETWORK_get_fd (sock), 
+                        SOL_SOCKET, SO_PEERCRED, &uc, &olen)) &&
+           (olen == sizeof (uc)) )
+        {
+          gc.uid = uc.uid;
+          gc.gid = uc.gid;
+          gcp = &gc;    
+        }
+#else
+#if HAVE_GETPEERUCRED
+      /* this is for Solaris 10 */
+      ucred_t *uc;
+
+      uc = NULL;
+      if (0 == getpeerucred (GNUNET_NETWORK_get_fd (sock), &uc))
+        {
+          gc.uid = ucred_geteuid (uc);
+          gc.gid = ucred_getegid (uc);
+          gcp = &gc;
+        }
+      ucred_free (uc);
+#endif
+#endif
+#endif
+    }
 
   if ((access != NULL) &&
-      (GNUNET_YES != (aret = access (access_cls, uaddr, addrlen))))
+      (GNUNET_YES != (aret = access (access_cls, gcp, uaddr, addrlen))))
     {
       if (aret == GNUNET_NO)
         GNUNET_log (GNUNET_ERROR_TYPE_INFO,
diff --git a/src/util/network.c b/src/util/network.c
index 9e85a3be9..f7c1e53c1 100644
--- a/src/util/network.c
+++ b/src/util/network.c
@@ -451,6 +451,7 @@ GNUNET_NETWORK_socket_recvfrom_amount (const struct GNUNET_NETWORK_Handle
     return GNUNET_NO;
 }
 
+
 /**
  * Read data from a connected socket (always non-blocking).
  * @param desc socket
@@ -774,12 +775,20 @@ GNUNET_NETWORK_fdset_copy (struct GNUNET_NETWORK_FDSet *to,
 #endif
 }
 
+
+/**
+ * Return file descriptor for this network handle
+ *
+ * @param desc wrapper to process
+ * @return POSIX file descriptor
+ */
 int
 GNUNET_NETWORK_get_fd (struct GNUNET_NETWORK_Handle *desc)
 {
   return desc->fd;
 }
 
+
 /**
  * Copy a native fd set
  *
diff --git a/src/util/service.c b/src/util/service.c
index ac90eb93b..0594149d9 100644
--- a/src/util/service.c
+++ b/src/util/service.c
@@ -512,6 +512,18 @@ struct GNUNET_SERVICE_Context
   int require_found;
 
   /**
+   * Do we require a matching UID for UNIX domain socket
+   * connections?
+   */
+  int match_uid;
+
+  /**
+   * Do we require a matching GID for UNIX domain socket
+   * connections?
+   */
+  int match_gid;
+
+  /**
    * Our options.
    */
   enum GNUNET_SERVICE_Options options;
@@ -579,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = {
 
 /**
  * Check if access to the service is allowed from the given address.
+ *
+ * @param cls closure
+ * @param uc credentials, if available, otherwise NULL
+ * @param addr address
+ * @param addrlen length of address
+ * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR
+ *   for unknown address family (will be denied).
  */
 static int
-check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen)
+check_access (void *cls, 
+              const struct GNUNET_CONNECTION_Credentials *uc,
+              const struct sockaddr *addr, socklen_t addrlen)
 {
   struct GNUNET_SERVICE_Context *sctx = cls;
   const struct sockaddr_in *i4;
@@ -609,8 +630,23 @@ check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen)
             (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr)));
       break;
     case AF_UNIX:
-      /* FIXME: support checking UID/GID in the future... */
       ret = GNUNET_OK; /* always OK for now */
+      if ( (sctx->match_uid == GNUNET_YES) ||
+           (sctx->match_gid == GNUNET_YES) )
+        ret = GNUNET_NO;
+      if ( (uc != NULL) &&
+           ( (sctx->match_uid != GNUNET_YES) ||
+             (uc->uid == geteuid()) ||
+             (uc->uid == getuid()) ) &&
+           ( (sctx->match_gid != GNUNET_YES) ||
+             (uc->gid == getegid()) ||
+             (uc->gid == getgid())) )
+        ret = GNUNET_YES;
+      else
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    _("Access denied to UID %d / GID %d\n"), 
+                    (uc == NULL) ? -1 : uc->uid,
+                    (uc == NULL) ? -1 : uc->gid);       
       break;
     default:
       GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -1187,7 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx)
                                              &sctx->addrlens)) )
     return GNUNET_SYSERR;
   sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES;
-
+  sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
+                                                          sctx->serviceName,
+                                                          "UNIX_MATCH_UID");
+  sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
+                                                          sctx->serviceName,
+                                                          "UNIX_MATCH_GID");
   process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM");
   process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM");
   process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6");