[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Matthew Andrews matt@slackers.net
Thu, 15 Jul 2004 16:34:50 -0700


Tomas Olsson wrote:

>Alexander Boström <abo@e.kth.se> writes:
>
>>>If default PAGs are by uid, it might be possible to use root's PAG after
>>>saying "default, please" and calling smth setuid.
>>>
>>Our users don't get a PAG when they telnet to one of our hosts, so we've
>>never had any real PAG "jail" to begin with. I doubt we really need one.
>>
>Good point.  Of course, any app accessing the wrong files in root's name is
>seriously broken regardless of PAG behaviour.
>
>Thanks.
>
>/Tomas
>_______________________________________________
>OpenAFS-devel mailing list
>OpenAFS-devel@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-devel
>
Besides, in the case of processes running as root, you don't really have
a jail with the current implementation, since you can peek through /proc
till you see a process with the credentials you want, look at its group
memberships, and set yours to match. If you're expecting the current
implementation to protect you from stealing someone's tokens, you've
already lost. I suppose that because of the trapped setgroups syscall,
you can't actually directly join the default PAG, but you can almost
certainly convince another currently PAG-less process to spawn a child for
you. Think attaching to another root process with a debugger, and
inserting code to fork, and then exec whatever you want.


Hmm, now that I think of it, what prevents someone from using this trick
as a normal user? I.e., if you have 2 processes that run as the same user,
but with different PAGs, couldn't one of them use the debugging facility
to write code to fork and exec an arbitrary program into a chunk of
memory, and then jump there?

-Matt Andrews