1. Model A:
In this model, parent process is the client process. Client process "fork" one child process, acting as the server, processing the request and pass back to client process(parent).
1) The server can be a set-user-ID program, giving it special privileges.
2) The server can determine the real identity of the client by looking at the real user id
3) With the client identity we can do additional permission checking on server side, to determine whether server should give the file back to client based on its user id
4) Problem: child can pass back the file content back to parent, this works for regular file, but not working for device files. Also, child process can not pass the file descriptor back to the parent.
2. Model B:
In this model, parent has one well-know FIFO, which receives requests from clients. And for each client, there is one specific FIFO to receive the reply from server.
3. Model C:
Same as above, just replace FIFOs with message queues.
In that case, client send their requests through well known message queue, also, each client create their own message queue with key "IPC_PRIVATE". Message sent to server must contain the client specific message queue id. In the future(server already know the message queue id of specific clients), all requests and replies can go though client specific message queues.
Problems with message queues:
1) each client specific message usually just have one message on it: a request from client or a response from the server. And OS has upper limit of how many IPC structures can exist system wide
2) If server need to read from multiple message queues, there is no I/O multiplexing like select/poll working with message queues. But if using FIFO(the file in file system), we can use select/poll to read from multiple FIFOs.
4. Model D:
Message Queues:
1) A single queue can be used between the server and all the clients, using the type field of each message to indicate the message recipient. If the type is 1, we can assume the message is for server, if the type is child process id, we can let child process to pick up their own messages.
For Model B, C, D:
When using the message queue, it is very difficult for server to identify the client(know the client's effective user id). Based on msg_lspid of queue, server can know the client process's process id, but there is no way for server to identify the effective user id of client to do the permission checking.
When using FIFOs, the server calls either stat or fstat on the client-specific FIFO, to get the owner id of the FIFO file. Here we assume the client's effective user id is the owner id of the FIFO file.
When using other IPC Structure(message queue, semaphore, shared memory), we can let client create their own IPC structure, then server use ipc_perm structure associated with each IPC structure to identify the creator(cuid and cgid fields)
No comments:
Post a Comment