[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 23 Jul 2004 08:53:14 -0400


On Thursday, July 22, 2004 01:11:35 -0700 Matthew Andrews 
<matt@slackers.net> wrote:

>
>>
>> Not really.  The user must get a file-descriptor for the key, by opening
>> the file in keyfs (Requires access under keyfs permissions), or by
>> receiving one from a process that sends it one.  Such a key can be
>> completely revoked by the sending process at any time, and can be
>> set to only provide whatever permissions are needed.
>>
>>> So, the "label" we use to mark connections, cached rights data, etc
>>> cannot simply be the value of the key blob.  It needs to be something
>>> the user cannot simply set to whatever he wants.
>>
>>
>> The user can set it to whatever he wants, so long as he already has it. If
>> the user is never given a handle to the key, and keyfs is never mounted
>> or has too-strict permissions, then he can't assign himself somebody
>> else's keys.
>
>
> Sure he can, if he can "guess" the value of a currently in use "pagnum"
> he can join it by allocating a new key and assigning it the "guessed"
> value. I guess the thing here is that "what pag the process is in" needs
> to be secret with this implementation, and yet in certain cases (arlad)
> one or more "privileged" processes must know the "pagnum" value for
> every process on the system (so that it can issue network requests on
> that process's behalf).

It doesn't need to be secret; it just needs to be impossible for the user 
to forge it.  That's done by using an immutable _attribute_ of the key, 
rather than its user-defined value.
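The distinction above, illustrated as an added example (not code from OpenAFS, keyfs or either poster): a toy key registry hands out a kernel-assigned serial that the user cannot choose, alongside a user-chosen payload. A rights cache labelled by the payload can be joined by anyone who allocates a key with the same guessed value; the same cache labelled by the serial cannot, even though the serial is readable by everyone. The class and function names are hypothetical.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    serial: int     # assigned by the "kernel" below; immutable, not secret
    payload: bytes  # user-chosen value, e.g. a "pagnum" the user picked
    owner: str


class KeyRegistry:
    """Stand-in for an in-kernel key store: serials come from a counter the
    registry owns, so a user can neither pick nor change one."""

    def __init__(self):
        self._serials = itertools.count(1)
        self.keys = {}

    def create(self, owner, payload):
        key = Key(next(self._serials), payload, owner)
        self.keys[key.serial] = key
        return key

    def serial_of(self, key):
        # Any (privileged) process may read this; exposure does not help a forger.
        return key.serial


class RightsCache:
    """Cached rights, labelled either by the forgeable payload or by the serial."""

    def __init__(self, label_by):
        assert label_by in ("payload", "serial")
        self.label_by = label_by
        self._rights = {}

    def _label(self, key):
        return key.payload if self.label_by == "payload" else key.serial

    def store(self, key, rights):
        self._rights[self._label(key)] = rights

    def lookup(self, key):
        return self._rights.get(self._label(key))


def lookup_with_guessed_value(label_by):
    """Constructed scenario: alice's key gets rights cached; mallory then allocates
    a new key whose payload equals alice's. Returns what mallory's key resolves to."""
    registry = KeyRegistry()
    cache = RightsCache(label_by)
    alice_key = registry.create("alice", b"pag:1001")
    cache.store(alice_key, {"volume": "rw"})
    mallory_key = registry.create("mallory", b"pag:1001")  # same guessed value
    return cache.lookup(mallory_key)
```

With `label_by="payload"` the guessed value resolves to alice's rights; with `label_by="serial"` it resolves to nothing, which is the property the reply asks for.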