Wrong GID/UID received #246
Comments
It even happens when I explicitly use a non-root user in docker: https://gitlab.kretschmann.software/kai/commonapisample/-/jobs/7121 The processes see their ID 1000, which is right, but the vsomeip reports funny numbers.
It seems related to GCC in version 11; if I reduce the docker root package to gcc:9.3.0, that error is gone. So there must be some problem in the GCC 11 changes regarding the storage for credential pairs in the routing server.
I'm seeing this with gcc 9.3.0
@kkretsch Did you ever make any progress on this? I've been stepping through the code in a debugger and it seems like the credentials simply don't get set. I'm somewhat convinced that
bound_uid (received through
uid .
But otherwise, vsomeip/implementation/helper/1.55/boost/asio/detail/reactor_op_ext_local.hpp Lines 30 to 31 in 13f9c89
vsomeip/implementation/helper/1.55/boost/asio/detail/reactive_socket_recv_op_ext_local.hpp Line 102 in 13f9c89
I didn't yet have the time to continue on it.
I just checked that again and still have that problem. Worked: Failed:
What version of boost are you using? We're using 1.74. Nothing I did ever got credentials to work unfortunately.
I'm using the Ubuntu given ones 1.74 by installing libboost-all-dev within the container. I also cloned the vsomeip to my server and changed/added some debugging to it. The bound_uid didn't look any better:
That looks rather strange, only sometimes the value 1000 is right.
That's exactly what I saw. This makes me question if anyone has ever truly gotten vsomeip security features to work. I suspect maybe most users use remote connections where the credentials aren't relevant, so haven't even checked it. A couple of academic vsomeip security papers I read appear to just ignore vsomeip security features, and implement some sort of handshake with encryption and message counters - which, to be fair, is a much better approach to credentials for local connections and faith for remote connections.
At least for local communication one should be able to trust those IDs. And if I randomly get a "0" then it looks like being root without having those rights in reality. For me that is a noteworthy security failure. I'll try to dig deeper into that as we are using this feature for some real projects.
Any progress on the wrong uid/gid?
None... But since my interest is mainly with remote clients, it wouldn't offer much security anyways.
@kkretsch could you please confirm if this is occurring with the last release?
I try to run a hello world example using vSomeIP 3.1.20.3 inside a docker gitlab CI container.
Everything works fine, until I enable check_credentials.
All tasks in that docker are started as root UID/GID 0/0, but I receive these lines at service and client startup:
So with audit mode they can communicate, but where does that ID come from? It isn't even defined in the docker local passwd or group file.
The same source runs locally on ubuntu with activated security and my local IDs 1000 without problems.