[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

David Howells dhowells@redhat.com
Thu, 15 Jul 2004 13:37:21 +0100


> >  (2) Add a flag to either a keyring or the link to it from the session
> >  keyring such that they can be marked for linking through into a SUID
> >  binary's new session keyring.
> >
> As long as this inheritance works for _anything_ (except newpag()) that a
> process might do, this might work for us. From earlier in this thread:

Well, newpag() would be done by replacing your session keyring with a new one,
and then using the key ID of the new keyring as the new PAG number.

>   lpr, sendmail, or other apps that are setuid for local storage but
>   need access to your credentials to talk to a network server
> 
> Is this a reasonable request?

Yes. The problem is how do you distinguish between a SUID binary that needs
your keys, and one that shouldn't be given them?

> I would probably make it a key flag (rings behave like keys too, right?).

Keyrings are keys.

> So who is allowed to unlink it?

Unlink will be controlled by the ownership of the keyring, and the new session
keyring will be owned by the new identity. However, if you want to call
setuid(), you might need to change the ownership of your session keyring first
- otherwise you won't be able to modify it.

> Is it still possible to override individual uid ring keys in the session
> ring?

Yes. You can find a keyring by name and subscribe it to your keyring - that
doesn't mean you'll be able to search it though. I may need to add more access
controls, perhaps not letting you subscribe to a keyring that you don't have
execute permission on.

The permission model I'm envisioning is:

    Keys would have a UID, GID, and umask much like a UNIX file does.

    On ordinary keys, this would work like this:

	+r	Key payload can be viewed.
	+w	Key can be updated or revoked.
	+x	Key can be found and used.

    On a keyring, it would work thus:

	+r	Keyring subscriptions can be viewed.
	+w	Keyring subscriptions can be added, removed or cleared.
	+x	Keyring can be found and can be walked through on key search.

    Basically, a keyring's subscription list works just like the payload in an
    ordinary key.

David
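A model of the permission scheme sketched above (keys with UID/GID/mode, keyrings whose subscription list plays the role of a payload, and +x gating both the walk through a keyring and the finding of a key), added here as an illustration; it is not the kernel's code, and the class and function names are assumptions.

```python
# Added example: a model of the key/keyring permission scheme proposed above.
# Class and function names are assumptions for illustration, not the kernel's API.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # bits of one rwx triad, as in a UNIX file mode

@dataclass
class Key:
    description: str
    uid: int
    gid: int
    mode: int                 # e.g. 0o750: owner rwx, group r-x, other ---
    payload: bytes = b""
    revoked: bool = False

@dataclass
class Keyring(Key):
    # A keyring's subscription list plays the role of an ordinary key's payload.
    subscriptions: list = field(default_factory=list)

def allowed(key, bit, uid, gids):
    """Select the owner/group/other triad that applies to the caller, test one bit."""
    if uid == key.uid:
        triad = key.mode >> 6
    elif key.gid in gids:
        triad = key.mode >> 3
    else:
        triad = key.mode
    return bool(triad & bit)

def search(ring, description, uid, gids, seen=None):
    """Find a key by description: +x gates both walking a keyring and finding a key."""
    seen = set() if seen is None else seen
    if id(ring) in seen or not allowed(ring, X, uid, gids):
        return None           # not walkable, or already visited (rings may form cycles)
    seen.add(id(ring))
    for sub in ring.subscriptions:
        if isinstance(sub, Keyring):
            found = search(sub, description, uid, gids, seen)
            if found is not None:
                return found
        elif (sub.description == description and not sub.revoked
              and allowed(sub, X, uid, gids)):
            return sub
    return None

def revoke(key, uid, gids):
    if not allowed(key, W, uid, gids):   # +w: key can be updated or revoked
        raise PermissionError("key not writable by this caller")
    key.revoked = True
```

Subscribing a keyring you lack +x on links it but does not let you search through it, which is the behaviour the reply above describes.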