[OpenAFS-devel] Alternative to PAGs
David Howells
dhowells@redhat.com
Thu, 15 May 2003 15:15:49 +0100
Hi Linus,
Okay, starting with a clean slate and writing PAGs off as a bad idea, how
about trying to work out what is required first? As I see it:
THE REQUIREMENTS
================
(1) Credentials/tokens/keys/whatever are held in a "keyring".
(2) A keyring is destroyed when the last reference goes away (kernel
resources are precious, though it may be possible to store credentials
in swapspace somehow).
(3) Every user has to have a default keyring that is created the first time
they log in [Linus demands this].
(4) A user has to be able to override the default keyring, such that they
can, for instance, perform operations on a remote filesystem with a
different credential.
(5) A user has to be able to run a program with a reduced set of
credentials.
(6) A process must be able to pass a subset of its credentials to a second,
already running process so that the second process can perform some
service on its behalf.
This gets tricky if the service process is performing services for a
number of processes simultaneously, each of which has its own set of
credentials.
(7) A process should be able to discard any credential it has access to,
particularly in conjunction with (6).
(8) It must be possible to withdraw a credential.
(9) The credentials governing access to a file must be associated with a
struct file, not with the process context currently accessing a file.
(10) A struct file will gain its credentials at the time it is opened.
POSSIBLE EXTENSIONS
===================
(11) Threads should perhaps share a common set of credentials, but be able to
adjust them on a per-thread basis (see (6)).
(12) A SUID process should add the credentials it gains from its new user ID
to those it inherited from its original context.
(13) There's one place Win32 has an advantage, I think: calls for setting up
handles (files, mutexes, etc) take security context parameters.
I think "groups" specific keyrings and arbitrary joinable keyrings are
superfluous (that's what ACLs are for) and a systems maintenance nightmare, so
I haven't included them.
SUGGESTED IMPLEMENTATION
========================
As far as implementation goes, perhaps each task_struct and each file should
point to a stack of keyrings:
+------+
| |
+--------------------->| USER |
| | |
| +------+
|
+------+ +------+ +------+ +------+
| | | | | | | |
| TASK |----->| SUID |---->| PRIV |---->| USER |
| | | | | | | |
+------+ +------+ +------+ +------+
^ ^
+------+ | |
| | | |
| FILE |---------+ |
| | |
+------+ |
|
+------+ |
| | |
| FILE |----------------------+
| | ^
+------+ |
|
+------+ +------+ +------+
| | | | | |
| TASK |----->| FILE |----------------->| USER |
| | | | | |
+------+ +------+ +------+
The keyrings in the stack would then be refcounted, and the next pointers
would be immutable.
struct keyring {
struct keyring *next;
struct keyring *conjunction;
struct list_head keys;
atomic_t usage;
int type;
#define KEYRING_USER 0
#define KEYRING_PRIVATE 1
#define KEYRING_SUID 2
#define KEYRING_FD 3
};
struct key {
struct list_head link;
atomic_t usage;
int type;
#define KEY_POSITIVE 0
#define KEY_NEGATIVE 1
void *credential;
};
And then add the following syscalls:
(*) auth_clear_stack(int completely)
Totally clear a process's stack (either completely or of everything but
the user credentials).
(*) auth_add_cred(const char *fs, const char *domain, void *data);
Add a new credential to the TOS keyring. The key would be negative if
data is NULL.
(*) auth_push_empty()
Push an empty keyring onto this process's stack.
(*) auth_push_fdcreds(int fd)
Push the credentials associated with fd onto the stack as a preferred
alternative.
(*) auth_pop()
Pop the top credential off of the stack.
David