Added support for getpeereid

configure.ac

@@ -143,7 +143,7 @@ AC_CHECK_MEMBER([struct sockaddr.sa_len],
 
 AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h], [], [], [])
 
-AC_CHECK_FUNCS([setproctitle clock_gettime isatty pselect])
+AC_CHECK_FUNCS([setproctitle clock_gettime isatty pselect getpeereid])
 
 if [ test -z "$LIBWRAP" ];then
 	libwrap_enabled="no"

src/sec-mod.c

@@ -298,9 +298,10 @@ socklen_t cr_len;
 		}
 
 #if defined(SO_PEERCRED) && defined(HAVE_STRUCT_UCRED)
-		/* This check is superfluous and mostly for debugging
+		/* This check is superfluous in Linux and mostly for debugging
 		 * purposes. The socket permissions set with umask should
-		 * be sufficient already for access control. */
+		 * be sufficient already for access control, but not all
+		 * UNIXes support that. */
 		cr_len = sizeof(cr);
 		ret = getsockopt(cfd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len);
 		if (ret == -1) {
@@ -314,6 +315,26 @@ socklen_t cr_len;
 		 	syslog(LOG_ERR, "sec-mod received unauthorized request from pid %u and uid %u", (unsigned)cr.pid, (unsigned)cr.uid);
 		 	goto cont;
 		}
+#elif defined(HAVE_GETPEEREID)
+		{
+			pid_t euid;
+			gid_t egid;
+			ret = getpeereid(cfd, &euid, &egid);
+
+			if (ret == -1) {
+			 	e = errno;
+			 	syslog(LOG_ERR, "sec-mod getpeereid error: %s", strerror(e));
+			 	goto cont;
+			}
+
+		 	syslog(LOG_DEBUG, "sec-mod received request from a processes with uid %u", (unsigned)euid);
+			if (euid != config->uid || egid != config->gid) {
+			 	syslog(LOG_ERR, "sec-mod received unauthorized request from a process with uid %u", (unsigned)euid);
+			 	goto cont;
+			}
+		}
+#else
+# error "Unsupported UNIX variant"
 #endif
 		/* read request */
 		ret = recv(cfd, buffer, buffer_size, 0);