[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Howard Chu hyc@highlandsun.com
Wed, 29 Aug 2007 09:46:43 -0700


Hi Mike,

Michael B Allen wrote:
> Hi Howard,
> 
> Actually I've changed my mind (somewhat). I think I will pursue the mmap
> descriptor inheritance technique. It seems like it could be elegant,
> portable and it would satisfy my immediate web server problem and the
> implementation interop issue. For some reason I didn't think descriptors
> would be inherited across execv but after trying a few tests I am
> satisfied that the technique could be quite effective.
> 
> However, without a file access point it cannot be used in place of a
> regular ccache file.

I don't understand this statement. All you need is the descriptor to access it. 
(So yes, you need a valid file to begin with, you cannot just use an anonymous 
mmap. But you can create the file with mode 000 and unlink it immediately, to 
prevent anyone else from opening it.)

 > And with it it has the same ownership issue as a
> regular ccache file. Also, access control is limited to what inheritance
> provides.

Could you summarize these ownership concerns again, or point me at an archived 
posting that enumerates these issues? I've missed some context somewhere.

> Therefore, I still think that the kernel is the only place where a
> wide variety of sophisticated access control methods can be implemented
> efficiently. Descendant based access control is only one example of the
> type of protection someone might want.

Besides owner based and descendant, can anyone list some other controls they 
have an immediate use for?

> Locking issues can be handled
> much more effectively (e.g. no orphaned semids). The kernel has
> the best vantage point to protect sensitive data like credentials.

SysV IPC is not a good solution here. (or just about anywhere, for that 
matter...) Use sem_init() and store the semaphore in the mmap'd memory region.

IMO, any kernel extension must still obey standard Unix security semantics. 
I.e., it allows resources to be opened based on mode bits, and allows access to 
any process that already has the open descriptor.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/