[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Tomas Olsson tol@stacken.kth.se
14 Jul 2004 11:30:42 +0200


Kyle Moffett <mrmacman_g4@mac.com> writes:

> setuid() et al. require no additional logic because they just modify
> UID/GID.  If there are any key-rings associated with the UID/GID, those
> won't be available any more and the ones of the new UID/GID will, but
> that is only changing one part of the set.  On the other hand, keys
> that are not linked through the UID or GID will remain the same without
> explicit manipulation.  This makes it easy for me to give a setuid
> program the ability to read in a file from my AFS home.
> 
Nice. Sessions only change upon explicit KEYCTL_SET(KEY_SESSION, ...)?

Is there any way to figure out or be notified when a certain key is no
longer referenced? I suppose you do some refcounting.

> > KEYCTL_SHLOCK
> > KEYCTL_EXLOCK
> > KEYCTL_UNLOCK:	A mandatory lock on the key/key-ring
>
Be careful with those :)
Are the locks connected to the open file, and discarded on close? 

Then there is the question about default PAGs and the PAG jail. I'm still
not sure if those are necessary or even desirable. The way the current AFS
implementations seem to work is that if you don't have an allocated PAG
(PAG@localhost session key?), your uid is used as the key under which to
store your tokens. This is handy as you don't need to initialize tokens for
every login if you do several. Also, once you have a real PAG, you can't
touch your default, or any other PAGs. This can be used as a kind of jail,
creating an unauthenticated context where it doesn't matter that I don't
know what I'm doing.

This seems kinda tricky to implement, _if_ it happens to be desirable.
Depends on how elaborate the access control is. The default PAG is easy
enough to keep under a uid key. But one would need to stop processes from
dropping our session key, right? Or else they could remove it and gain
access to the uid key. Might be undesirable if there are any applications
that change uid to root (say), should root have a default PAG with
interesting tokens attached. Or perhaps I'm just confused about which uid
is used when. Or perhaps root just needs to be careful.

Still the PAG jail isn't for real now, as I store my kerberos tickets in an
ordinary file owned by myself...

AFS-folks: help me out here.

Kyle: are you in sync with dhowells on this?

/Tomas
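The lookup rule and the "drop the session key, fall back to the uid key" worry raised above, as an added model in C. This is not code from the thread, from OpenAFS or from the Linux keyring work: it is a small in-memory token table where a process with a PAG looks tokens up under its PAG id and a process without one falls back to its uid (the "default PAG"). The names (`store_token`, `lookup_token`, `drop_pag`, the `jailed` flag, PAG id 4711, uid 1000, the token string) are assumptions made for the example; the `jailed` flag stands in for whatever mechanism would stop a process from dropping its PAG.

```c
/* Model of the token-lookup policy discussed in the mail (added example,
 * not OpenAFS or Linux keyring code). Tokens are stored under either a
 * uid key or a PAG key. A process with a PAG uses the PAG key; one without
 * a PAG uses its uid key, which is the "default PAG". */
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define NO_PAG 0u   /* assumption for the model: 0 means "no PAG allocated" */

enum key_kind { KEY_UID, KEY_PAG };

struct token_entry {
    enum key_kind kind;
    unsigned int id;        /* uid or PAG id, depending on kind */
    char token[32];         /* constructed placeholder for an AFS token */
};

struct token_table {
    struct token_entry e[MAX_TOKENS];
    int n;
};

struct process {
    unsigned int uid;
    unsigned int pag;       /* NO_PAG if the process has none */
    int jailed;             /* set: the process may never drop its PAG */
};

/* Store a token under a uid or PAG key. Returns 0, or -1 if the table is full. */
int store_token(struct token_table *t, enum key_kind kind, unsigned int id, const char *tok)
{
    if (t->n >= MAX_TOKENS)
        return -1;
    t->e[t->n].kind = kind;
    t->e[t->n].id = id;
    strncpy(t->e[t->n].token, tok, sizeof t->e[t->n].token - 1);
    t->e[t->n].token[sizeof t->e[t->n].token - 1] = '\0';
    t->n++;
    return 0;
}

/* Find the token stored under (kind, id), or NULL if there is none. */
const char *find_token(const struct token_table *t, enum key_kind kind, unsigned int id)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].kind == kind && t->e[i].id == id)
            return t->e[i].token;
    return NULL;
}

/* The lookup rule from the mail: PAG key if the process has a PAG,
 * otherwise the uid key (the default PAG). */
const char *lookup_token(const struct token_table *t, const struct process *p)
{
    if (p->pag != NO_PAG)
        return find_token(t, KEY_PAG, p->pag);
    return find_token(t, KEY_UID, p->uid);
}

/* Put the process into a PAG. jail=1 models the PAG jail: an
 * unauthenticated context the process cannot leave again. */
void enter_pag(struct process *p, unsigned int pag, int jail)
{
    p->pag = pag;
    p->jailed = jail;
}

/* Drop the PAG (the "session key" in keyring terms). Returns 0 on success,
 * -1 if refused. Without the jail this is always allowed and the process
 * falls back to the uid key, which is exactly the escape the mail worries about. */
int drop_pag(struct process *p)
{
    if (p->jailed)
        return -1;
    p->pag = NO_PAG;
    return 0;
}

/* Returns 1 if a process placed in an empty PAG can reach the uid's default
 * tokens by dropping the PAG, 0 if it cannot, -1 if the model is inconsistent
 * (a fresh PAG must start out with no tokens). */
int escape_possible(int jailed)
{
    struct token_table t = {0};
    struct process p = { .uid = 1000, .pag = NO_PAG, .jailed = 0 };

    store_token(&t, KEY_UID, 1000, "afs-token-for-uid-1000"); /* constructed default-PAG token */
    enter_pag(&p, 4711, jailed);                               /* constructed PAG id */
    if (lookup_token(&t, &p) != NULL)
        return -1;
    if (drop_pag(&p) != 0)
        return 0;                        /* jailed: stays in the empty PAG */
    return lookup_token(&t, &p) != NULL; /* unjailed: now sees the uid tokens */
}

int main(void)
{
    printf("unjailed process escapes to default PAG: %d\n", escape_possible(0));
    printf("jailed process escapes to default PAG:   %d\n", escape_possible(1));
    return 0;
}
```

The point the model makes concrete: a uid-keyed default PAG is only a jail if dropping the PAG is itself forbidden (or the uid key is made unreachable from inside a PAG); otherwise "leave the PAG" is the escape, and the same applies after a setuid to a uid whose default PAG holds interesting tokens.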