On Monday, April 03, 2006 11:11:14 AM -0500 Nicolas Williams <[EMAIL PROTECTED]> wrote:
> Let's uplevel a bit. > > To me PAGs provide a useful distinction between processes in some sort > of session, sharing some common characteristics, one that is better than > environment variables in that it is easily (cheaply) observable from the > IPC peers. > > PAGs have, for me, at least these uses: > > - As an Identity Selection Problem tool. Yes. > - As a link from cred_t to user-land that can be used to "extend" > cred_t. Yes. > - As a better point for tracking extant references to network > authentication credentials than UIDs. It's unclear to me what you mean here. > PAGs, like group memberships, do not, IMO, make a good access control on > process tracing, and they are orthogonal to [local] filesystem access > controls. It would be rather surprising if one could not trace/debug > one's processes from different login sessions. It would not be surprising if that's what you were expecting. But let's leave the issue of paranoid people aside for a moment, on concentrate on PAG's as an identity selection mechanism. You're right; that's essentially how they are used in AFS today, though in a roundabout way. Essentially, we use PAG's to separate management and use of credentials between sessions. So a user can have multiple sessions with different PAG's, and they don't interfere with each other. He can create a new PAG and set credentials for a different identity, and processes in the new PAG get the new identity while processes in the old PAG get the old one. Now, the issue is that when you're talking about a caching distributed filesystem, your identity affects not only what credentials are used to establish connections to fileservers on your behalf, but also what you are allowed to do with cached data and connections. For example... The first time I try to read a file from a given server, the AFS client will establish a connection to the fileserver on my behalf, using my credentials. Now, established connections are not expensive, but establishing them is, so the client caches open connections. The next time I try to access a file on that server, it uses my cached connection, even if the access is from a different process. However, if I access a file on that server from a different PAG, a new connection must be established, because the new PAG might have different credentials (or none at all). If the client fails to separate connections by PAG in this fashion, then it becomes impossible to use PAG's for identity selection wrt the filesystem, because you can't be assured that file accesses will actually happen with the credentials you selected. In addition, the cache manager has to cache access rights associated with files, so that it can cache my private files without giving you access to them, but still keep only one copy of files to which we both have access (this is particularly important for consistency if we both have _write_ access). Like cached connections, cached access rights data needs to be indexed by PAG, not by UID; otherwise processes in a new PAG get access to files they shouldn't, or don't get access to files they should, and identity selection breaks. Now, the thing that makes PAG's more than just identity selection is that you can't arbitrarily select a PAG -- you can use the one you have, or ask for a new (empty) one, but you can't pick up one arbitrarily and use it. Now, I know this has no real security value as long as it is trivial to cross PAG boundaries, but the people who are really paranoid will do something about it, perhaps by disabling tracing altogether (along with dtrace, and the ability to load kernel modules or touch kernel memory in any way, etc, etc, etc). Interestinly, while PAG's don't directly provide process group separate, it occurs to me that given the ability for in-kernel code to determine a process's PAG, they could be used to _implement_ stronger session separation. I don't know enough about the internals of Solaris, but I bet I could write a security module for Linux that did exactly this, using AFS PAG's. But again, process group separation isn't really the point. The point, for AFS, is making identity selection work. -- Jeff ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
