[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
"Todd M. Lewis" <utoddl@email.unc.edu>
Fri, 31 Aug 2007 15:46:20 -0400
u+openafsdev-sr55@chalmers.se wrote:
> I would argue for connecting each network identity to a different
> local uid, [...] [I]f a person happens to use several network
> identities, the corresponding processes should have different local uids.
This would preclude a single process being authenticated to two or more
cells at the same time.
It also precludes one tree of cooperating processes (think Apache) from
acting on behalf of multiple users via their network identities.
Now, if you substitute your "local uid" above with "local gid", and allow
the OS to instantiate and destroy these groups as needed when presented
with new network identities, and otherwise follow the normal process group
list inheritance rules that have been around forever, you've solved the
two problems above without conflating local uids with network identities.
You've also exactly reimplemented PAGs.
> Data flow between those identities then has to be explicit
> and the level of protection/isolation can correspond to the actual task's needs
> (e.g. using local common file areas with properly chosen modes).
> [the actual uid allocation method is irrelevant as long as uids are not shared
> by different identities. I'm using static allocation, it can be done
> dynamically as well]
Network identities have no business accessing/allocating files in local
file systems. Local processes (which have local ids, and are governed by
the local system policies) may, and they may be acting on behalf of
network identities, but local policies control local processes' access.
Don't conflate the two.
> Given the above I am fine with Kerberos credentials
> in a local file protected by the ancient "owner" and mode bits.
To the extent that Kerberos is being used as the local key master for
local ids, fine. However, local files are the wrong place to keep
arbitrary network credentials for exactly this reason: it exposes them to
access by other uncredentialed local processes running under those uids,
i.e. outside the equivalent of a PAG.
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-445-9302 http://www.unc.edu/~utoddl /
/ "Poor Faulkner. Does he really think big emotions come /
/ from big words?" - Ernest Hemingway (about William Faulkner) /
+--------------------------------------------------------------+
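The argument above (a credential store keyed on an inheritable per-process group rather than on the local uid, versus a mode-0600 file keyed on the uid) can be modelled in a few lines. The following is an added illustration, not code from OpenAFS or from anyone in this thread; the `Process`, `setpag`, the two stores and the PAG gid range `0x41000000..0x42000000` are constructed for the model and are not the real OpenAFS PAG encoding. It shows the three points made in the message: one process can hold tokens for two cells at once, an Apache-style parent can give each forked worker its own network identity under the shared server uid, and a same-uid process without the PAG (a cron job, say) sees nothing in the PAG model but everything in the uid-keyed file model.

```python
# Toy model of PAG-style credential isolation (constructed illustration).
import itertools
from dataclasses import dataclass

# Constructed PAG gid range for the model; not the real OpenAFS encoding.
PAG_BASE = 0x41000000
PAG_LIMIT = 0x42000000
_pag_ids = itertools.count(start=PAG_BASE)


def is_pag_gid(gid):
    return PAG_BASE <= gid < PAG_LIMIT


@dataclass
class Process:
    uid: int
    groups: list  # supplementary group list, copied on fork()

    def fork(self):
        # Children inherit uid and the whole group list, PAG gid included.
        return Process(self.uid, list(self.groups))

    def setpag(self):
        # Drop any previous PAG gid and join a freshly allocated one.
        self.groups = [g for g in self.groups if not is_pag_gid(g)]
        self.groups.append(next(_pag_ids))

    def pag(self):
        return next((g for g in self.groups if is_pag_gid(g)), None)


class PagCredentialStore:
    """Tokens keyed on PAG gid: only processes carrying that gid see them."""

    def __init__(self):
        self._by_pag = {}

    def store(self, proc, cell, token):
        if proc.pag() is None:
            raise PermissionError("process has no PAG")
        self._by_pag.setdefault(proc.pag(), {})[cell] = token

    def lookup(self, proc, cell):
        return self._by_pag.get(proc.pag(), {}).get(cell)


class UidFileStore:
    """Tokens in a mode-0600 file per uid: every process with that uid sees them."""

    def __init__(self):
        self._by_uid = {}

    def store(self, proc, cell, token):
        self._by_uid.setdefault(proc.uid, {})[cell] = token

    def lookup(self, proc, cell):
        return self._by_uid.get(proc.uid, {}).get(cell)


def demo():
    pag_store, file_store = PagCredentialStore(), UidFileStore()

    # A login shell takes a PAG and authenticates to two cells at once.
    shell = Process(uid=1000, groups=[100])
    shell.setpag()
    pag_store.store(shell, "cell-a.example", "token-a")
    pag_store.store(shell, "cell-b.example", "token-b")
    file_store.store(shell, "cell-a.example", "token-a")
    child = shell.fork()  # inherits the PAG via the group list

    # Same uid, never called setpag(): a cron job or any other local process.
    cron = Process(uid=1000, groups=[100])

    # Apache-style parent: one worker per network identity, one uid for all.
    www = Process(uid=33, groups=[33])
    w1, w2 = www.fork(), www.fork()
    w1.setpag(), w2.setpag()
    for worker, token in ((w1, "token-user1"), (w2, "token-user2")):
        pag_store.store(worker, "cell-a.example", token)
        file_store.store(worker, "cell-a.example", token)  # uid-keyed: overwrites

    return {
        "child_sees_both": (pag_store.lookup(child, "cell-a.example"),
                            pag_store.lookup(child, "cell-b.example")),
        "cron_via_pag": pag_store.lookup(cron, "cell-a.example"),
        "cron_via_file": file_store.lookup(cron, "cell-a.example"),
        "workers_via_pag": (pag_store.lookup(w1, "cell-a.example"),
                            pag_store.lookup(w2, "cell-a.example")),
        "worker1_via_file": file_store.lookup(w1, "cell-a.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The uid-keyed store shows both failure modes at once: the cron process reads the shell's token without ever having authenticated, and the second worker's token silently replaces the first's because the file is shared by uid. The PAG-keyed store fails closed in both cases because access follows the inherited group list, not the uid.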