[bind10-dev] [svn] commit: r1223 - in /branches/jinmei-asio: ./ src/bin/auth/ src/bin/loadzone/ src/lib/auth/ src/lib/cc/ src/lib/config/ src/lib/dns/ src/lib/dns/rdata/generic/ src/lib/dns/tests/ src/lib/python/isc/auth/ src/lib/python/isc/cc/ src/lib/python/isc/config/ src/lib/python/isc/config/unittests/

[Danny Mayer]

On 4/19/2010 7:26 AM, Shane Kerr wrote:
> Danny,
> 
> On Sat, 2010-04-17 at 23:24 -0400, Danny Mayer wrote:
>>> Does the ASIO support Unix domain sockets? I understand on Unix we plan 
>>> to be able to use those (so we can use Unix file permissions for 
>>> security).  (I understand that Windows has a different but similar 
>>> functionality to domain sockets.)
>>>
>>
>> A little late, but no Windows doesn't have anything similar to Unix
>> domain sockets. It does have the capability of applying permissions to
>> objects like pipes but it's not clear from this comment what you are
>> trying to do with the socket or what permissions you are trying  to
>> apply to the socket. You can however emulate most api's to accomplish
>> similar functionality as long as they can be fully and clearly defined.
> 
> We were going to be using Unix domain sockets for communication between
> the various components and the msgq process. The main motivation for
> this is that we can use the normal Unix file-based security permissions
> for access control. (It is possible it may be a bit more efficient in
> some circumstances - both in speed and memory - but that is not the main
> motivation.)
> 
> We haven't looked into this for Windows. We may use named pipes for this
> there, since they look like they may have similar properties.

I never responded to this, but yes you can get security with named
pipes. CreateNamedPipe() supports a security structure when it is
created. It depends on what security you want to set up on how best to
implement it so that it doesn't look like a wart on the side of BIND10.
I managed to hide most of the ugliness in BIND9 but it takes time to
design in a consistent way.

Danny