proposed PAG handling changes for Arla

Jeffrey Hutzelman jhutz at cmu.edu
Tue Jul 20 17:43:10 CEST 1999


On Mon, 19 Jul 1999, Chris Wing wrote:

> 2. We should prevent setgroups() from being used to store a fake PAG of
> the user's choosing. (i.e. "attaching" to someone else's PAG) True, in
> most cases a user with the ability to setgroups() is all-powerful to begin
> with, but the present behavior makes it just too easy for someone with
> root access to use setgroups() and then setuid() to get access to another
> user's AFS tokens. This is especially important in a capabilities system
> like Linux, because in theory a process may have the ability to use
> setgroups(), but no other special privileges.

Note that this would be inconsistent with the behaviour of AFS, which
allows anyone who can call setgroups() to set or change his PAG.

-- Jeff
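Added example, not part of the original thread or of Arla/AFS code: a defender-side audit for the case raised in the quoted text, a Linux process that can call setgroups() (it holds CAP_SETGID) without otherwise being all-powerful. It classifies the contents of `/proc/<pid>/status`; the sample status text and the category names are constructed for illustration.

```python
import os

CAP_SETGID = 6  # bit numbers from <linux/capability.h>
CAP_SETUID = 7

def parse_status(text):
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def setgroups_exposure(status_text):
    """Classify a process by its effective capability set (CapEff)."""
    cap_eff = int(parse_status(status_text).get("CapEff", "0"), 16)
    has_setgid = bool((cap_eff >> CAP_SETGID) & 1)
    has_setuid = bool((cap_eff >> CAP_SETUID) & 1)
    others = cap_eff & ~((1 << CAP_SETGID) | (1 << CAP_SETUID))
    if not has_setgid:
        return "none"              # setgroups() would fail with EPERM
    if others:
        return "broad"             # already holds further capabilities
    if has_setuid:
        return "setgroups+setuid"  # can change groups, then identity
    return "setgroups-only"        # the narrow case from the quoted text

# Constructed samples, trimmed to the fields the classifier reads.
SAMPLE_NARROW = "Name:\thelper\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000040\n"
SAMPLE_BOTH = "Name:\tlogind\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t00000000000000c0\n"
SAMPLE_ROOT = "Name:\tinit\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_USER = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

def scan_proc(root="/proc"):
    """Yield (pid, name, category) for live processes able to call setgroups()."""
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is not readable by us
        category = setgroups_exposure(text)
        if category != "none":
            yield int(pid), parse_status(text).get("Name", "?"), category

if __name__ == "__main__":
    for pid, name, category in scan_proc():
        print(f"{pid:>7}  {name:<20} {category}")
```

Processes reported as `setgroups-only` or `setgroups+setuid` are the ones for which PAG handling based on the supplementary group list matters most, since they are not otherwise fully privileged.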






More information about the Arla-drinkers mailing list