arla-0.38

Jack Neely jjneely at pams.ncsu.edu
Fri Dec 31 16:20:33 CET 2004


Thanks for the information.  I read the below line somehow as "we
implement PAGs in a better way than with groups."

Correct me if I'm wrong, but this looks very close to the PAG behavior I
get with OpenAFS on a 2.6 kernel.  Which is very usable for the most
part, I believe, as anything that calls setgroups() nowadays usually goes
through PAM for proper authentication.

I'll do some testing...

Thanks!
Jack Neely

On Wed, Dec 29, 2004 at 02:20:50PM +0100, Alexander Boström wrote:
> Tue 2004-12-28 at 12:38 -0500, Jack Neely wrote:
> > On Sun, Dec 26, 2004 at 02:32:00AM +0100, Love wrote:
> > > 
> > > * Enables PAGs without setgroups() override on Linux 2.6
> > > 
> > 
> > Whoa...how does this work?
> 
> It is exactly that, group-based PAGs as usual, but without the
> setgroups() override.
> 
> First of all, remember that any PAG that is used by a process is
> available to any other process with the same uid, if the code explicitly
> uses ptrace() to "borrow" it. This is true even with the override in
> place, of course.
> 
> However, without the override, a process that calls setgroups() will
> accidentally end up with the wrong PAG (a default PAG). Although I'm not
> aware of any such case (except su), to be safe you should not put tokens
> in the default PAG of root or any other user if there *might* be some
> setuid root binary that calls setgroups() and switches to the uid of
> that user.
> 
> But you shouldn't put tokens in the default PAGs of such special users
> even with the override in place, because changing uid is still enough to
> switch PAG if a process doesn't have a PAG group. So disabling the
> override really doesn't change anything in that respect, unless all
> untrusted processes always have a PAG group attached to them.
> 
> su should be safe, since it does proper authentication. Regarding PAGs,
> su will behave as if you were using the default PAG. (Always use the
> default PAG of the target user or whatever PAG was allocated by a PAM
> module.) Different, perhaps confusing, but not really a problem.
> 
> So, in short: If users always get a PAG allocated for them when they log
> in, and the sysadmin kinits in the default PAG of root, then this might
> be a problem. If users sometimes run without a PAG group, and the
> sysadmin kinits in the default PAG of root, then the potential problem
> already existed, even with the override in place.
> 
> /abo
> 
> 

-- 
Jack Neely <slack at quackmaster.net>
Realm Linux Administration and Development
PAMS Computer Operations at NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
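
The four cases from the "in short" paragraph of the quoted reply, worked through in a toy model. This is an added example, not part of the thread and not Arla or OpenAFS code; the `pag:` group marker, the uids and the `setuid_helper` binary are constructed assumptions.

```python
"""Toy model of group-based PAG selection (constructed; not Arla code)."""
from dataclasses import dataclass, replace

PAG_MARK = "pag:"  # constructed marker for a PAG group; real encodings differ


@dataclass(frozen=True)
class Proc:
    uid: int
    groups: frozenset


def effective_pag(p):
    """A PAG group wins if present; otherwise the default PAG of the uid."""
    for g in sorted(p.groups):
        if g.startswith(PAG_MARK):
            return g
    return f"default:{p.uid}"


def setgroups(p, new_groups, override):
    """With the override the PAG group survives; without it, it is dropped."""
    kept = {g for g in p.groups if g.startswith(PAG_MARK)} if override else set()
    return replace(p, groups=frozenset(new_groups) | kept)


def setuid_helper(p, target_uid, override):
    """Hypothetical setuid-root binary: setgroups(), then switch uid."""
    return replace(setgroups(p, {"users"}, override), uid=target_uid)


def reaches_default_pag(has_pag_group, override, target_uid=0):
    """True if an unprivileged caller ends up in the target's default PAG."""
    groups = {"users"} | ({PAG_MARK + "1001"} if has_pag_group else set())
    caller = Proc(uid=1000, groups=frozenset(groups))
    after = setuid_helper(caller, target_uid, override)
    return effective_pag(after) == f"default:{target_uid}"


def exposure_matrix():
    """Map (caller has PAG group, override enabled) -> default PAG reached."""
    return {(has_pag, override): reaches_default_pag(has_pag, override)
            for has_pag in (True, False) for override in (True, False)}


if __name__ == "__main__":
    for (has_pag, override), exposed in sorted(exposure_matrix().items()):
        print(f"pag_group={has_pag!s:5} override={override!s:5} "
              f"reaches default PAG of target: {exposed}")
```

Only the case where the caller has a PAG group and the override is enabled keeps the process out of the target's default PAG, which is why tokens stored there are the common factor in every exposed case.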




