proposed PAG handling changes for Arla

Neulinger, Nathan R. nneul at umr.edu
Tue Jul 20 18:09:18 CEST 1999


In fact, we make use of this behavior in AFS to clean the tokens out of
the kernel when users are gone and have no processes, even though their
token hasn't expired.

If we don't, things get really slow because the token/PAG structures get
enormous.

Besides, anyone with root is going to be able to attach to any user's
processes with any number of different tools, and if you're using Kerberos,
they are going to be able to just access the credentials cache directly.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz at cmu.edu]
> Sent: Tuesday, July 20, 1999 10:43 AM
> To: Chris Wing
> Cc: arla-drinkers at stacken.kth.se
> Subject: Re: proposed PAG handling changes for Arla
> 
> 
> On Mon, 19 Jul 1999, Chris Wing wrote:
> 
> > 2. We should prevent setgroups() from being used to store a fake PAG of
> > the user's choosing. (i.e. "attaching" to someone else's PAG) True, in
> > most cases a user with the ability to setgroups() is all-powerful to begin
> > with, but the present behavior makes it just too easy for someone with
> > root access to use setgroups() and then setuid() to get access to another
> > user's AFS tokens. This is especially important in a capabilities system
> > like Linux, because in theory a process may have the ability to use
> > setgroups(), but no other special privileges.
> 
> Note that this would be inconsistent with the behaviour of AFS, which
> allows anyone who can call setgroups() to set or change his PAG.
> 
> -- Jeff
> 
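The thread talks about PAGs living in a process's supplementary group list and about the kernel reaping tokens whose PAG no longer has any live process. The following is an added example, not code from this thread or from Arla: it decodes the PAG marker from a process's groups and reports which token-holding PAGs have no process left (the reaping case Nathan describes). The two-group encoding (gids offset from 0x3f00, 'A' in the top byte) is the OpenAFS convention and is stated here as an assumption about how the PAG is stored; the /proc-style "Groups:" lines, pids and PAG values are constructed sample data.

```python
"""Audit AFS-style PAG membership from /proc-like status text (added example)."""

NOPAG = 0xFFFFFFFF
PAG_BASE = 0x3F00  # gid offset of the two PAG marker groups (OpenAFS convention, assumed)


def groups_from_pag(pag):
    """Encode a 32-bit PAG as the two supplementary gids that mark it."""
    pag &= 0x7FFFFFFF
    g0 = 0x3FFF & (pag >> 14)
    g1 = 0x3FFF & pag
    g0 |= ((pag >> 28) // 3) << 14   # top nibble is spread over both gids
    g1 |= ((pag >> 28) % 3) << 14
    return g0 + PAG_BASE, g1 + PAG_BASE


def pag_from_groups(g0, g1):
    """Inverse of groups_from_pag; returns NOPAG unless the pair is a valid PAG."""
    g0 = (g0 - PAG_BASE) & 0xFFFFFFFF   # underflow for ordinary gids makes the check below fail
    g1 = (g1 - PAG_BASE) & 0xFFFFFFFF
    if g0 < 0xC000 and g1 < 0xC000:
        low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
        high = g0 >> 14
        high = (g1 >> 14) + high + high + high
        pag = (high << 28) | low
        if ((pag >> 24) & 0xFF) == ord("A"):   # PAGs carry an 'A' tag byte
            return pag
    return NOPAG


def parse_groups(status_text):
    """Return the supplementary gids from a /proc/<pid>/status-style 'Groups:' line."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return [int(tok) for tok in line.split()[1:]]
    return []


def pag_of_groups(groups):
    """Find the PAG encoded in a group list, or NOPAG if there is none.

    Assumption: the two marker gids are adjacent; the first valid pair wins,
    so it does not matter whether the kernel puts them first or last.
    """
    for g0, g1 in zip(groups, groups[1:]):
        pag = pag_from_groups(g0, g1)
        if pag != NOPAG:
            return pag
    return NOPAG


def pags_in_use(proc_table):
    """Map each PAG to the set of pids currently inside it."""
    in_use = {}
    for pid, status in proc_table.items():
        pag = pag_of_groups(parse_groups(status))
        if pag != NOPAG:
            in_use.setdefault(pag, set()).add(pid)
    return in_use


def reapable_pags(token_pags, proc_table):
    """PAGs that still hold tokens but have no live process: the ones a
    reaper would discard even though the token itself has not expired."""
    return set(token_pags) - set(pags_in_use(proc_table))


# Constructed sample data: two PAGs hold tokens, only PAG_A has processes.
PAG_A = 0x41000001
PAG_B = 0x41ABCDEF
_gA = groups_from_pag(PAG_A)
SAMPLE_PROC = {
    1234: f"Name:\tpagsh\nUid:\t1001\t1001\t1001\t1001\nGroups:\t100 {_gA[0]} {_gA[1]} \n",
    1250: f"Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGroups:\t100 {_gA[0]} {_gA[1]} \n",
    2001: "Name:\tsshd\nUid:\t0\t0\t0\t0\nGroups:\t0 \n",
}
TOKEN_PAGS = {PAG_A, PAG_B}

if __name__ == "__main__":
    for pag, pids in sorted(pags_in_use(SAMPLE_PROC).items()):
        print(f"PAG {pag:#x}: pids {sorted(pids)}")
    for pag in sorted(reapable_pags(TOKEN_PAGS, SAMPLE_PROC)):
        print(f"PAG {pag:#x}: tokens but no processes, reapable")
```

Run against real data you would read each `/proc/<pid>/status` into `proc_table` and take `token_pags` from whatever the cache manager exposes; the decode rejects ordinary gids, so a process with no PAG markers simply maps to no PAG.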
