[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Howard Chu hyc@highlandsun.com
Tue, 28 Aug 2007 19:49:14 -0700


Michael B Allen wrote:
> On Tue, 28 Aug 2007 18:50:05 -0700
> Howard Chu <hyc@highlandsun.com> wrote:
> 
>> Henry B. Hotz wrote:
>>> At this point we're looking for volunteers, not more wishes, but  
>>> here's a wish:
>>>
>>> Instead of always going up the tree visiting all parents, have some  
>>> way to "stop" so you can securely implement PAG semantics.  I don't  
>>> think I'd use it often, but I like the idea of being able to set up  
>>> an "admin" window and a "secure sandbox" window with more/less  
>>> privileges than my default login session.
>>>
>>> I would think the AFS folks would be interested in seeing the  
>>> Kerberos ticket cache scope match the scope of PAG's as well as  
>>> having a PAG implementation that wasn't so dependent on OS-specific  
>>> hackery.  I'm not sure this is easier than what they do now, but if  
>>> it gets AFS and Kerberos on the same page, that's a good thing.
>> You can simply use mmap'd files to accomplish the functionality that Michael 
>> proposed. Unix mode bits on the file will determine which uids can open the 
>> file. Children of a given process can access it through descriptor inheritance 
>> from a process that already has it open/mapped. A process creating a cache 
>> would just have to export an environment variable giving the cache name and 
>> number of the descriptor in use. (Of course, any child process that closes 
>> descriptors or zaps this environment variable would prevent further 
>> propagation.) e.g. KRB5MEMCC="3000,/tmp/hyc1234"
> 
> If Unix mode bits are used, that is no different from using a ccache file
> which has the ownership problem described in the web server scenario.

Your proposal for a kernel driver below would have the same ownership problem. 
Unless you're telling me that your driver would allow any user opening the 
device to specify any arbitrary UID to own a particular cache. That seems a bit 
odd to me but so it goes; HPUX also allows anyone to chown files they own to 
anybody else too by default so somebody out there must think it's a good idea. 
 From a security perspective, it's apalling.

 > If
> descriptor inheritance is used, descriptors are not inherited across
> execv which breaks Henry's "admin window" scenario.

Nonsense. Descriptors are only closed if they are explicitly set to Close-on-Exec.

>>> On Aug 22, 2007, at 10:21 AM, Michael B Allen wrote:
>>>> Hi Ken,
>>>>
>>>> I think that the ccache plugin idea is a worthwhile project. Yes, I
>>>> think it would solve Alf's original issue. But by itself it would not
>>>> solve the shared storage or access control issues (access control  
>>>> being
>>>> what I am really interested in).
>>>>
>>>> The only way to ensure that the ccache is truly protected is with a
>>>> kernel extension. I think I would rather invest time into a solid long
>>>> term solution and I think a secure shared storage kernel extensions
>>>> project would be a step in the right direction.
>>>>
>>>> The extension could be quite simple. The caller could open a file that
>>>> and do an ioctl something roughly like:
>>>>
>>>>   int fd = open("/dev/sss0", flags)
>>>>   ioctl(fd, req, "krb5cc[uid=1234,ppid=5678]")
>>>>   FILE *ccachefp = fdopen(fd, mode)
>>>>
>>>> So the kernel extension could be a simple device file implementation
>>>> (this should handle all of the *nix systems). The ioctl data
>>>> "krb5cc[uid=1234,ppid=5678]" indicates the name of the storage and
>>>> some access control parameters. If the storage is created vs opened
>>>> the access control parameters are set. The uid indicates that the  
>>>> named
>>>> ccache is specific to processes with that uid. The ppid indicates that
>>>> only processes with that pid or a descendant of that pid (i.e. the  
>>>> check
>>>> would simply walk up the parent pids of the current process until it
>>>> matched the supplied ppid) should have access to the storage.
>>>>
>>>> Now if there's some young buck out there looking for an excuse to
>>>> experiment with kernel extensions, here's your chance for glory!
>>>>
>>>> Mike
>>> ------------------------------------------------------------------------
>>> The opinions expressed in this message are mine,
>>> not those of Caltech, JPL, NASA, or the US Government.
>>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>>
>>>
>>
>> -- 
>>    -- Howard Chu
>>    Chief Architect, Symas Corp.  http://www.symas.com
>>    Director, Highland Sun        http://highlandsun.com/hyc/
>>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
>>
> 
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/