
proposed PAG handling changes for Arla

daemon@ATHENA.MIT.EDU (Chris Wing)
Mon Jul 19 15:51:53 1999

Date: Mon, 19 Jul 1999 15:46:04 -0400 (EDT)
From: Chris Wing <wingc@engin.umich.edu>
To: arla-drinkers@stacken.kth.se
Subject: proposed PAG handling changes for Arla
Message-ID: <Pine.LNX.4.10.9907191527560.1772-100000@shaft.engin.umich.edu>

Hi. I'd like to suggest the following changes to Arla's setgroups() system
call wrapper:

1. setgroups() should always leave room for a PAG, by effectively reducing
NGROUPS by 2 when the xfs module is loaded.

2. We should prevent setgroups() from being used to store a fake PAG of
the user's choosing (i.e. "attaching" to someone else's PAG). True, in
most cases a user with the ability to setgroups() is all-powerful to begin
with, but the present behavior makes it just too easy for someone with
root access to use setgroups() and then setuid() to get access to another
user's AFS tokens. This is especially important in a capabilities system
like Linux, because in theory a process may have the ability to use
setgroups(), but no other special privileges.

There are 2 changes necessary to do this:

a. In Linux, at least, the setgroups() wrapper needs to be aware that if
the actual setgroups() fails, the current process's group list may still
be modified. (This has to do with the implementation of copy_from_user()
in Linux 2.2.)

b. Prevent setgroups() from creating a PAG if the user didn't have one to
begin with.

A patch that implements all of this, at least for Linux, is here:

http://www.engin.umich.edu/caen/systems/Linux/code/patches/arla-0.26-pag.patch

The unpag() function in this patch could also be used as a basis for
AFSCALL_UNSETPAG (i.e. revert a process to the default PAG) if we want to
implement that for some reason.

I was going to try doing the same changes for the other OSes in xfs/*, but
I don't know enough about their internals to make the 'obvious' changes.


Thanks,

Chris Wing
wingc@engin.umich.edu
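As an added illustration (my own userspace model, not code from the patch linked in the mail), here is the check a setgroups() wrapper would apply under points 1, 2 and b above: reserve two group slots for a PAG, and refuse any request carrying a PAG other than the one the caller already holds. It assumes the classic two-gid PAG encoding used by AFS clients and NGROUPS = 32; the restore-on-failure issue of point a is not modeled.

```c
#include <stdint.h>
#include <errno.h>

#define NGROUPS 32           /* assumed per-process group limit */
#define NOPAG   0xffffffffu

/* Classic AFS two-gid PAG encoding (OpenAFS-style; an assumption, not from the mail). */
static uint32_t pag_from_groups(uint32_t g0, uint32_t g1)
{
    uint32_t h, l, ret;
    g0 -= 0x3f00; g1 -= 0x3f00;          /* ordinary gids wrap past the 0xc000 window */
    if (g0 >= 0xc000 || g1 >= 0xc000)
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
    h = (g1 >> 14) + 3 * (g0 >> 14);
    ret = (h << 28) | l;
    return ((ret >> 24) & 0xff) == 'A' ? ret : NOPAG;   /* genuine PAGs are 0x41xxxxxx */
}

static void groups_from_pag(uint32_t pag, uint32_t *g0, uint32_t *g1)
{
    pag &= 0x7fffffff;
    *g0 = (((pag >> 14) & 0x3fff) | (((pag >> 28) / 3) << 14)) + 0x3f00;
    *g1 = ((pag & 0x3fff)         | (((pag >> 28) % 3) << 14)) + 0x3f00;
}

/* PAG a process currently holds: the first adjacent gid pair that decodes, else NOPAG. */
static uint32_t find_pag(const uint32_t *g, int n)
{
    for (int i = 0; i + 1 < n; i++) {
        uint32_t p = pag_from_groups(g[i], g[i + 1]);
        if (p != NOPAG) return p;
    }
    return NOPAG;
}

/* Wrapper policy from the mail: at most NGROUPS-2 ordinary gids (room for a PAG), and any
 * PAG in the request must be the one already held; a caller with no PAG cannot gain one.
 * Returns 0 when the request may be passed to the real setgroups(), -errno otherwise. */
int check_setgroups(const uint32_t *cur, int ncur, const uint32_t *req, int nreq)
{
    uint32_t have = find_pag(cur, ncur);
    int ordinary = nreq;
    for (int i = 0; i + 1 < nreq; i++) {
        uint32_t p = pag_from_groups(req[i], req[i + 1]);
        if (p == NOPAG) continue;
        if (p != have) return -EPERM;    /* foreign, forged, or newly invented PAG */
        ordinary -= 2; i++;              /* skip the second half of the pair */
    }
    return ordinary > NGROUPS - 2 ? -EINVAL : 0;
}
```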

