[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)
David Howells
dhowells@redhat.com
Thu, 15 Jul 2004 11:30:24 +0100
I've been talking to various people here about my keyring stuff. How's about
this for an idea:
Currently, my patch introduces five keyrings:

    Thread  -- replaced on any clone/fork call and on exec
    Process -- replaced on fork or clone without CLONE_THREAD
    Session -- replaced on request or by SUID exec
    UID
    GID

And then the search algorithm does a depth-first search on each ring in the
order listed.
This, however, means that a key in a UID or GID keyring can't be evaded; it
can only be overridden by installing an alternative key in a higher-priority
keyring.
What I'm thinking of is:

 (1) Each UID has two keyrings:

     (a) the UID specific keys
     (b) the default session ring for that UID

 (2) Add a flag to either a keyring or the link to it from the session keyring
     such that they can be marked for linking through into a SUID binary's
     new session keyring.

 (3) Instead of searching the UID and GID rings directly, when a new session
     ring is created the appropriate UID and GID rings are linked into it
     automatically. They can be later unlinked if that is desirable.

 (4) Rather than requesting a new session keyring for a process and getting
     one that's completely empty, you may:

     (a) ask to join one by name - it's created if it doesn't already exist
         and preloaded as (3).
     (b) clone the current session keyring under a new name.

 (5) On SUID exec, I'm tempted to link the old session keyring to the
     process's new session keyring, marking it for unlinking on further exec.

The problem really is that we need to be able to say which SUID binaries we
trust sufficiently to give access to our keyrings.
David
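The two lookup schemes the message contrasts, modelled as an added Python example (this is not code from the keyring patch or the kernel): a depth-first search over rings in priority order, run first with the UID ring searched directly (where a UID key can only be overridden) and then with the UID ring reachable only as a link from a freshly created session ring (where it can be unlinked). The key description "afs:cell" and the token payloads are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Keyring:
    name: str
    keys: dict = field(default_factory=dict)    # description -> key payload
    links: list = field(default_factory=list)   # linked keyrings, searched depth-first

def search(rings, description, seen=None):
    """Depth-first search of the rings in priority order; first match wins."""
    seen = set() if seen is None else seen
    for ring in rings:
        if id(ring) in seen:          # rings may link to each other; visit once
            continue
        seen.add(id(ring))
        if description in ring.keys:
            return ring.keys[description]
        hit = search(ring.links, description, seen)
        if hit is not None:
            return hit
    return None

def lookup_current(thread, process, session, uid, gid, description):
    """Current patch: all five rings are searched directly, UID and GID last."""
    return search([thread, process, session, uid, gid], description)

def new_session_ring(name, uid, gid):
    """Proposal (3): a new session ring is preloaded with links to the
    caller's UID and GID rings instead of those rings being searched directly."""
    return Keyring(name, links=[uid, gid])

def lookup_proposed(thread, process, session, description):
    """Proposal: only thread, process and session rings are searched; UID and
    GID keys are reachable solely through links held by the session ring."""
    return search([thread, process, session], description)

def demo():
    uid = Keyring("uid", keys={"afs:cell": "uid-token"})   # constructed sample key
    gid = Keyring("gid")
    thread, process = Keyring("thread"), Keyring("process")
    # Current scheme: an empty session ring cannot evade the UID key ...
    session = Keyring("session")
    unevadable = lookup_current(thread, process, session, uid, gid, "afs:cell")
    # ... it can only be overridden from a higher-priority ring.
    session.keys["afs:cell"] = "session-token"
    overridden = lookup_current(thread, process, session, uid, gid, "afs:cell")
    # Proposed scheme: the UID ring is merely a link in the session ring, so
    # unlinking it makes the key simply not found.
    session2 = new_session_ring("session", uid, gid)
    linked = lookup_proposed(thread, process, session2, "afs:cell")
    session2.links.remove(uid)
    evaded = lookup_proposed(thread, process, session2, "afs:cell")
    return unevadable, overridden, linked, evaded
```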