[989] in arla-drinkers


RE: proposed PAG handling changes for Arla

daemon@ATHENA.MIT.EDU (Neulinger, Nathan R.)
Tue Jul 20 12:14:00 1999

Message-ID: <9DA8D24B915BD1118911006094516EAF029EEB00@umr-mail02>
From: "Neulinger, Nathan R." <nneul@umr.edu>
To: "'Jeffrey Hutzelman'" <jhutz@cmu.edu>, Chris Wing <wingc@engin.umich.edu>
Cc: arla-drinkers@stacken.kth.se
Subject: RE: proposed PAG handling changes for Arla
Date: Tue, 20 Jul 1999 11:08:55 -0500

In fact, we make use of this behavior in AFS to clean out the tokens out of
the kernel when users are gone and have no processes, even though their
token hasn't expired.

If we don't, things get really slow cause the token/pag structures get
enormous.

Besides, anyone with root is going to be able to attach to any user's
processes with any number of different tools, and if you're using Kerberos,
they are going to be able to just access the credentials cache directly.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu]
> Sent: Tuesday, July 20, 1999 10:43 AM
> To: Chris Wing
> Cc: arla-drinkers@stacken.kth.se
> Subject: Re: proposed PAG handling changes for Arla
> 
> 
> On Mon, 19 Jul 1999, Chris Wing wrote:
> 
> > 2. We should prevent setgroups() from being used to store a fake PAG of
> > the user's choosing. (i.e. "attaching" to someone else's PAG) True, in
> > most cases a user with the ability to setgroups() is all-powerful to begin
> > with, but the present behavior makes it just too easy for someone with
> > root access to use setgroups() and then setuid() to get access to another
> > user's AFS tokens. This is especially important in a capabilities system
> > like Linux, because in theory a process may have the ability to use
> > setgroups(), but no other special privileges.
> 
> Note that this would be inconsistent with the behaviour of AFS, which
> allows anyone who can call setgroups() to set or change his PAG.
> 
> -- Jeff
> 
