[OpenAFS-devel] keyring/pag support for linux
   
chas williams - CONTRACTOR
chas@cmf.nrl.navy.mil
Mon, 17 Jul 2006 18:15:21 -0400

In message <8B5E7F53C1266DF298D79BAB@sirius.fac.cs.cmu.edu>, Jeffrey Hutzelman writes:
>This is fine as a proof-of-concept, but for something real the existing 
>setpag() and pioctl() system calls need to continue to work.  There are 
>things that use these interfaces other than our own library, and IMHO it is 

setpag() still works the same, but does require another library to
be linked against it.  yes, this is a drag.

>same ones we've been waiting on for over a year at this point.  The keyring 
>folks promised Derrick they'd export the required interfaces, but 
>apparently never got around to actually doing so. :-(

joining an anonymous keyring is the only thing that is hard to do in
the kernel w/o the bits we need exported.

>I haven't looked at what you did in detail, but it sounds like part of 
>setpag() in your model is setting a key from usermode which contains the 
>PAG ID.  I'm not sure where you get the ID or what restrictions are 
>enforced, but obviously a user process must not be able to set any 
>arbitrary PAG ID it wants.

i didn't run into this, because i built a new login.krb5 which calls
setpag().  so my key is owned by root and i am unable to modify it:

	~ relax.15% keyctl show
	Session Keyring
	       -3 --alswrv      0     0  keyring: _ses.19683
	461211240 --als-rv      0     0   \_ afspag: _pag.1102724497
	~ relax.16% keyctl revoke 461211240
	keyctl_revoke: Permission denied
	~ relax.17% keyctl clear 461211240
	keyctl_clear: Permission denied

so the PagInCred() could trust only keys owned by root.  i imagine the
afspag keytype .instantiate could make all keys owned by root (or at least
unmodifiable) and make sure that a user doesn't attempt to create a key
in order to join a pag other than the "current" pag in the group list.
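
The trust rule proposed in the message above, as an added userspace illustration (not code from the original post or from OpenAFS): it parses `keyctl show` rows and accepts an afspag key only if it is owned by uid 0, has no `w` in its permission column, and names the caller's current PAG. The column layout is assumed from the transcript; `check_line()`, `parse_row()` and the uid-1000 row are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* One row of `keyctl show` output; column layout assumed from the transcript. */
struct key_row {
    long id;
    char perm[16];
    unsigned uid, gid;
    char type[32], desc[64];
};

/* Parse "<id> <perm> <uid> <gid> [\_ ]<type>: <desc>". Returns 0 on success. */
static int parse_row(const char *line, struct key_row *k)
{
    int off = 0;
    if (sscanf(line, " %ld %15s %u %u %n", &k->id, k->perm, &k->uid, &k->gid, &off) != 4 || off == 0)
        return -1;
    const char *p = line + off;
    if (strncmp(p, "\\_ ", 3) == 0)          /* tree marker on linked keys */
        p += 3;
    return sscanf(p, "%31[^:]: %63s", k->type, k->desc) == 2 ? 0 : -1;
}

/* Hypothetical policy check: 1 = trust, 0 = reject, -1 = not a key row. */
static int check_line(const char *line, unsigned long current_pag)
{
    struct key_row k;
    unsigned long pag;
    if (parse_row(line, &k) != 0) return -1;
    if (strcmp(k.type, "afspag") != 0) return 0;   /* wrong key type */
    if (k.uid != 0) return 0;                      /* not owned by root */
    if (strchr(k.perm, 'w')) return 0;             /* write bit present */
    if (sscanf(k.desc, "_pag.%lu", &pag) != 1) return 0;
    return pag == current_pag;                     /* must be the current PAG */
}

int main(void)
{
    const char *rows[] = {
        "\t461211240 --als-rv      0     0   \\_ afspag: _pag.1102724497", /* from the transcript */
        "\t    12345 --alswrv   1000  1000   \\_ afspag: _pag.1102724497", /* constructed: user-owned */
    };
    for (size_t i = 0; i < 2; i++)
        printf("row %zu -> %d\n", i, check_line(rows[i], 1102724497UL));
    return 0;
}
```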