[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Tomas Olsson tol@stacken.kth.se
15 Jul 2004 15:21:50 +0200


David Howells <dhowells@redhat.com> writes:
> > As long as this inheritance works for _anything_ (except newpag()) that a
> > process might do, this might work for us. From earlier in this thread:
> 
> Well, newpag() would be done by replacing your session keyring with a new
> one, and then using the key ID of the new keyring as the new PAG number.
>
Or, in case there are other users of session rings, replacing an individual
key.

> > Is this a reasonable request?
> 
> Yes. The problem is how do you distinguish between a SUID binary that needs
> your keys, and one that shouldn't be given them?
> 
As far as we are concerned, the answer is that if you execute a binary with
our keys held, the binary can use them. Always. For now, I don't believe
that any other policy will work for us. Feel free to convince me :)

In the current, jail-ish PAG world, you just get a new, empty PAG for any
untrusted apps, and you're home safe (ignoring the krb5cc in userland).

Maybe other types of keys should be dropped on s*id, that's fine with
me. As long as my PAG id (or equivalent) is inherited.

> Unlink will be controlled by the ownership of the keyring, and the new
> session keyring will be owned by the new identity. However, if you want
> to call setuid(), you might need to change the ownership of your session
> keyring first - otherwise you won't be able to modify it.
>
copy-on-write for modifications by uid != owner perhaps?

> > Is it still possible to override individual uid ring keys in the session
> > ring?
> 
> Yes. You can find a keyring by name and subscribe it to your keyring -
> that doesn't mean you'll be able to search it though.
>
If I get this right: suppose I have a uid ring U with keys { a, b, c }. My
session ring would then look like S = { &U }. If I search for 'a', I'll
find the key from U. Now, if I want some other 'a' key for this session,
while keeping 'b' and 'c', am I supposed to remove &U from S, add a copy of
U, and set S(a) to some new value? IIRC, in Kyle's proposal each ring is
searched in some arbitrary order, so just adding a new 'a' to S would yield
undefined results? 

/Tomas
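A small model, added here and not part of this thread, Kyle's proposal or any kernel code, of one answer to the search-order question above: if a ring's own keys are consulted before the rings it subscribes to, adding a new 'a' to S overrides U's 'a' while 'b' and 'c' still resolve through &U, and the copy-U-then-override route gives the same result. The ring names, the local-first ordering and the sample key values are assumptions for illustration.

```python
# Toy model of nested keyrings for the search-order question in the mail above.
# Added example: not Kyle's proposal and not kernel code. The local-first search
# order is an assumption chosen to make results deterministic.
from __future__ import annotations
from typing import Optional


class KeyRing:
    """A keyring holds named keys and may subscribe (link) other keyrings."""

    def __init__(self, name: str, keys: Optional[dict[str, str]] = None):
        self.name = name
        self.keys: dict[str, str] = dict(keys or {})
        self.linked: list[KeyRing] = []   # subscribed keyrings, in link order

    def subscribe(self, ring: KeyRing) -> None:
        self.linked.append(ring)

    def unsubscribe(self, ring: KeyRing) -> None:
        self.linked.remove(ring)

    def search(self, key_name: str, seen: Optional[set[int]] = None) -> Optional[str]:
        """Deterministic search: a ring's own keys shadow anything it links to,
        then linked rings are tried in link order. Cycles are skipped."""
        seen = seen if seen is not None else set()
        if id(self) in seen:
            return None
        seen.add(id(self))
        if key_name in self.keys:
            return self.keys[key_name]
        for ring in self.linked:
            found = ring.search(key_name, seen)
            if found is not None:
                return found
        return None


def override_in_session(session: KeyRing, key_name: str, value: str) -> None:
    """Override one key for this session only; the uid ring is left untouched."""
    session.keys[key_name] = value


def build_example() -> tuple[KeyRing, KeyRing]:
    # Constructed sample: uid ring U = {a, b, c}; session ring S = {&U}.
    uid_ring = KeyRing("U", {"a": "a-from-U", "b": "b-from-U", "c": "c-from-U"})
    session = KeyRing("S")
    session.subscribe(uid_ring)
    return session, uid_ring
```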