[989] in arla-drinkers
RE: proposed PAG handling changes for Arla
daemon@ATHENA.MIT.EDU (Neulinger, Nathan R.)
Tue Jul 20 12:14:00 1999
From: "Neulinger, Nathan R." <nneul@umr.edu>
To: "'Jeffrey Hutzelman'" <jhutz@cmu.edu>, Chris Wing <wingc@engin.umich.edu>
Cc: arla-drinkers@stacken.kth.se
Subject: RE: proposed PAG handling changes for Arla
Date: Tue, 20 Jul 1999 11:08:55 -0500

In fact, we make use of this behavior in AFS to clean the tokens out of
the kernel when users are gone and have no processes, even though their
token hasn't expired.

If we don't, things get really slow 'cause the token/pag structures get
enormous.

Besides, anyone with root is going to be able to attach to any user's
processes with any number of different tools, and if you're using Kerberos,
they are going to be able to just access the credentials cache directly.

-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu]
> Sent: Tuesday, July 20, 1999 10:43 AM
> To: Chris Wing
> Cc: arla-drinkers@stacken.kth.se
> Subject: Re: proposed PAG handling changes for Arla
>
>
> On Mon, 19 Jul 1999, Chris Wing wrote:
>
> > 2. We should prevent setgroups() from being used to store a fake PAG of
> > the user's choosing. (i.e. "attaching" to someone else's PAG) True, in
> > most cases a user with the ability to setgroups() is all-powerful to begin
> > with, but the present behavior makes it just too easy for someone with
> > root access to use setgroups() and then setuid() to get access to another
> > user's AFS tokens. This is especially important in a capabilities system
> > like Linux, because in theory a process may have the ability to use
> > setgroups(), but no other special privileges.
>
> Note that this would be inconsistent with the behaviour of AFS, which
> allows anyone who can call setgroups() to set or change his PAG.
>
> -- Jeff
>