[OpenAFS] uw-imap & tokens

David Howells dhowells@redhat.com
Thu, 05 Apr 2007 11:43:21 +0100


chas williams - CONTRACTOR <chas@cmf.nrl.navy.mil> wrote:

> > That's what appeared to be shown in Miles's "keyctl show" output:
> >
> >	Session Keyring
> >	       -3 --alswrv      0     0  keyring: _uid_ses.0
> >		2 --alswrv      0     0   \_ keyring: _uid.0
> >	 29391168 ----s--v      0     0   \_ afs_pag: _pag
> >
> > That would seem to be odd, given that the AFS code appears to forcibly
> > replace the session keyring when setpag() is invoked.
> 
> the keyring being owned by uid 0 means that setpag() was called by
> someone running as uid 0.

What I'm pointing out in the above key ring dump is the fact that the _pag key
is attached to the _uid_ses.0 keyring (the root user default session keyring).

Looking at the setpag() function in the AFS code I was pointed at, this keyring
should have been replaced by one called "_ses.<TGID>" before the _pag key was
added, but it hasn't been in the above dump...

> the afs pag is always uid = 0 so that users cant modify the key and discern
> its contents.

Can you achieve that by just not providing read and update ops for the key?

> not owning the keyring used to be a problem with earlier version of
> the keyring code as i recall.  this explains the 'extra' permission
> bits.

Yeah...  It made a lot of sense to grant extra permissions to anyone who
possessed a link to a key over and above permissions granted by UID, GID and
other.  That solves the problem of SUID programs like su.

If someone does, say, "su -" then the PAM script for that operation will
replace the session keyring.  Note that programs like su that have two modes of
operation now have two PAM scripts.  su, for example has:

	/etc/pam.d/su		Script for "su"
	/etc/pam.d/su-l		Script for "su -l" (aka "su -")

> i dont know what created the _uid.0 keyring.

The _uid.<UID> and _uid_ses.<UID> keyrings are created by the kernel when a
process changes to a UID for which it doesn't currently have a user_struct
record.  Those keyrings are destroyed when the user_struct is destroyed.

If a process doesn't have a session keyring, then it will use the _uid_ses
keyring for its UID as its session keyring.  The _uid keyring is not used
directly by a process, but is instead accessed by a link from the session
keyring.

David