proposed PAG handling changes for Arla

Chris Wing wingc at engin.umich.edu
Mon Jul 19 21:46:12 CEST 1999


Hi. I'd like to suggest the following changes to Arla's setgroups() system
call wrapper:

1. setgroups() should always leave room for a PAG, by effectively reducing
NGROUPS by 2 when the xfs module is loaded.

2. We should prevent setgroups() from being used to store a fake PAG of
the user's choosing (i.e. "attaching" to someone else's PAG). True, in
most cases a user with the ability to setgroups() is all-powerful to begin
with, but the present behavior makes it just too easy for someone with
root access to use setgroups() and then setuid() to get access to another
user's AFS tokens. This is especially important in a capabilities system
like Linux, because in theory a process may have the ability to use
setgroups(), but no other special privileges.

There are 2 changes necessary to do this:

a. In Linux, at least, the setgroups() wrapper needs to be aware that if
the actual setgroups() fails, the current process's group list may still
be modified (this has to do with the implementation of copy_from_user()
in Linux 2.2).

b. Prevent setgroups() from creating a PAG if the user didn't have one to
begin with.

A patch that implements all of this, at least for Linux, is here:

http://www.engin.umich.edu/caen/systems/Linux/code/patches/arla-0.26-pag.patch

The unpag() function in this patch could also be used as a basis for
AFSCALL_UNSETPAG (i.e. revert a process to the default PAG) if we want to
implement that for some reason.

I was going to try doing the same changes for the other OSes in xfs/*, but
I don't know enough about their internals to make the 'obvious' changes.


Thanks,

Chris Wing
wingc at engin.umich.edu
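
The wrapper behaviour proposed in the message above, modelled in user space as an added example. This is not Arla's code and not the linked patch; it also goes a little beyond the proposal by including the legitimate setpag path and an unpag() revert of the kind suggested for AFSCALL_UNSETPAG. NGROUPS, the gid range reserved for PAG halves, the two-gid PAG encoding, the PAG value 0x0a1b2c3 and the error codes returned are all assumptions made for the model; Arla's real encoding and layout differ.

```c
/* Added example (not Arla's code or the linked patch): a user-space model of the
 * proposed wrapper. NGROUPS, the reserved gid range and the PAG encoding are assumed. */
#include <errno.h>
#include <string.h>

#define NGROUPS    16u      /* assumed kernel group-list size */
#define PAG_SLOTS  2u       /* a PAG occupies two gid entries */
#define PAG_GID_LO 0x3f00   /* assumed gid range reserved for PAG halves */
#define PAG_GID_HI 0x7eff   /* each half carries 14 bits */
#define NOPAG      0xffffffffu

typedef unsigned short mgid_t;   /* 16-bit gids, as in Linux 2.2 */
typedef unsigned int pag_t;
struct cred { unsigned ngroups; mgid_t groups[NGROUPS]; };
static int is_pag_gid(mgid_t g) { return g >= PAG_GID_LO && g <= PAG_GID_HI; }

/* Assumed encoding: a 28-bit PAG split into two 14-bit halves. */
static void pag_to_gids(pag_t pag, mgid_t *g0, mgid_t *g1)
{
    *g0 = (mgid_t)(PAG_GID_LO + ((pag >> 14) & 0x3fff));
    *g1 = (mgid_t)(PAG_GID_LO + (pag & 0x3fff));
}

/* The PAG held in a group list: the first adjacent pair of reserved gids. */
static pag_t find_pag(const mgid_t *g, unsigned n, unsigned *idx)
{
    unsigned i;
    for (i = 0; i + 1 < n; i++)
        if (is_pag_gid(g[i]) && is_pag_gid(g[i + 1])) {
            if (idx) *idx = i;
            return ((pag_t)(g[i] - PAG_GID_LO) << 14) | (pag_t)(g[i + 1] - PAG_GID_LO);
        }
    return NOPAG;
}

/* Revert a process to the default PAG: the basis for an AFSCALL_UNSETPAG. */
static void unpag(struct cred *c)
{
    unsigned i;
    if (find_pag(c->groups, c->ngroups, &i) == NOPAG) return;
    memmove(&c->groups[i], &c->groups[i + PAG_SLOTS], (c->ngroups - i - PAG_SLOTS) * sizeof c->groups[0]);
    c->ngroups -= PAG_SLOTS;
}

/* The legitimate way to obtain a PAG (the AFSCALL_SETPAG path). */
static int xfs_setpag(struct cred *c, pag_t pag)
{
    unpag(c);
    if (c->ngroups + PAG_SLOTS > NGROUPS) return -E2BIG;
    pag_to_gids(pag, &c->groups[c->ngroups], &c->groups[c->ngroups + 1]);
    c->ngroups += PAG_SLOTS;
    return 0;
}

/* The wrapped setgroups(): validate a private copy of the list, then commit. */
static int xfs_setgroups(struct cred *cur, const mgid_t *ugroups, unsigned n)
{
    struct cred tmp = { 0 };
    pag_t have = find_pag(cur->groups, cur->ngroups, NULL), want;
    if (n > NGROUPS - PAG_SLOTS) return -EINVAL;  /* 1: always keep two slots free */
    /* 2a: copy into scratch space, never straight into *cur, so a copy that
     * faults part-way (copy_from_user() on 2.2) cannot touch the live list */
    if (n && ugroups == NULL) return -EFAULT;     /* stands in for the fault */
    if (n) memcpy(tmp.groups, ugroups, n * sizeof tmp.groups[0]);
    tmp.ngroups = n;
    /* 2b: a PAG in the supplied list is accepted only if it is the one the
     * caller already holds; anything else is a forged or borrowed PAG */
    want = find_pag(tmp.groups, tmp.ngroups, NULL);
    if (want != NOPAG && want != have) return -EPERM;
    if (have != NOPAG && want == NOPAG) {         /* keep the caller's own PAG */
        pag_to_gids(have, &tmp.groups[n], &tmp.groups[n + 1]);
        tmp.ngroups += PAG_SLOTS;
    }
    *cur = tmp;                                   /* commit only now */
    return 0;
}

/* root, with no PAG, copies another user's two PAG gids into its own list;
 * returns the wrapper's result, or 0 if root's live list was modified */
static int scenario_forged_attach(void)
{
    struct cred root = { 1, { 0 } };
    mgid_t list[3] = { 0, 0, 0 };
    int rc;
    pag_to_gids(0x0a1b2c3, &list[1], &list[2]);   /* the victim's PAG (assumed value) */
    rc = xfs_setgroups(&root, list, 3);           /* -EPERM */
    return (root.ngroups == 1 && root.groups[0] == 0) ? rc : 0;
}

/* a PAG'd process calls setgroups() with a plain list and keeps its PAG,
 * then unpag() drops it; returns 1 when both hold */
static int scenario_pag_retained(void)
{
    struct cred c = { 1, { 100 } };
    mgid_t list[2] = { 20, 30 };
    xfs_setpag(&c, 0x0a1b2c3);
    if (xfs_setgroups(&c, list, 2) != 0 || c.ngroups != 4) return 0;
    if (find_pag(c.groups, c.ngroups, NULL) != 0x0a1b2c3) return 0;
    unpag(&c);
    return c.ngroups == 2 && find_pag(c.groups, c.ngroups, NULL) == NOPAG;
}
```

The structure is the point rather than the encoding: the new list is checked on a private copy and written to the live credentials only once every check has passed, which is what keeps a copy_from_user() that fails part-way from leaving a half-written group list behind (point a); a PAG in the supplied list is honoured only when it equals the caller's current one, so setgroups() can neither mint a PAG for a process that had none (point b) nor attach to another user's; and the NGROUPS - 2 limit guarantees the two slots needed to re-attach the caller's own PAG.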