Opened 9 years ago

Last modified 9 years ago

#6397 enhancement new

Create an authbind endpoint.

Reported by: Tom Prince
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: Thijs Triemstra
Branch:

Description (last modified by Thijs Triemstra)

authbind supports being used directly by programs, without needing to use the wrapper or LD_PRELOAD magic, just by calling authbind-helper with the appropriate arguments, and the socket to bind as fd 0. It should be fairly easy for Twisted to support this.
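The mechanism outlined in the description, as an added example (not part of the ticket, and not Twisted's or authbind's own code): the process creates an unbound socket, runs the helper with that socket as fd 0, and then listens on it, so the privilege covers one bind of one socket. The helper path and the hex argument encoding are assumptions based on authbind-helper(8) and should be checked against the installed version; `helper_argv` and `authbind_listen` are hypothetical names.

```python
import socket
import struct
import subprocess

# Assumption: Debian's install location of the setuid helper; the ticket
# itself only calls it "authbind-helper".
HELPER = "/usr/lib/authbind/helper"


def helper_argv(host, port, helper=HELPER):
    """Build the helper command line for an IPv4 bind.

    Assumption (verify in authbind-helper(8)): both arguments are unprefixed,
    fixed-width hex (8 and 4 digits) holding the sockaddr_in fields read as
    native integers, so port 80 is "5000" on a little-endian host.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % (port,))
    addr_native = struct.unpack("=I", socket.inet_aton(host))[0]
    port_native = struct.unpack("=H", struct.pack("!H", port))[0]
    return [helper, "%08x" % addr_native, "%04x" % port_native]


def authbind_listen(host, port, backlog=50):
    """Return a listening TCP socket that was bound by the helper."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # The unbound socket becomes the helper's stdin (fd 0). The bind is
        # applied to the shared socket, so our descriptor ends up bound too.
        proc = subprocess.run(helper_argv(host, port), stdin=sock.fileno(),
                              stderr=subprocess.PIPE, close_fds=True)
        if proc.returncode != 0:
            raise PermissionError("authbind helper refused %s:%d: %s" % (
                host, port, proc.stderr.decode(errors="replace").strip()))
        sock.listen(backlog)
        return sock
    except BaseException:
        # Do not leak the descriptor if the helper is missing or refuses.
        sock.close()
        raise
```

In a Twisted program, a socket obtained this way can be handed to the reactor with `reactor.adoptStreamPort(sock.fileno(), socket.AF_INET, factory)` after `sock.setblocking(False)`.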

Change History (4)

comment:1 Changed 9 years ago by Thijs Triemstra

Cc: Thijs Triemstra added
Description: modified (diff)

Add link to authbind for some background info.

comment:2 Changed 9 years ago by Glyph

Thanks for discovering this. It sounds nifty... although it would be good to include some motivation here as to why one would want to do it this way, since it's a bit more effort than just invoking 'authbind twistd'. Is avoiding the LD_PRELOAD wrapper more secure? more performant? etc.

comment:3 Changed 9 years ago by Jean-Paul Calderone

One advantage is that you don't have to remember that the command is actually probably authbind --deep twistd ... or maybe authbind --depth 2 twistd ... (or authbind --depth 3 twistd ...?)

And that actually leads me to another advantage. If you have an existing program that launches a child process that binds a port, then being able to pass an authbind endpoint through to that child is possible and nice, whereas convincing the parent to launch the child with authbind is hard, and launching the parent with authbind --deep may be granting more permissions than you want (although I admit that the likelihood that a scenario exists where this security difference is important seems low).

comment:4 in reply to:  3 Changed 9 years ago by Glyph

Replying to exarkun: (snip)

Thanks for writing that up.
