Re: [PATCH 3/3] p9auth: add p9auth driver

From: Kyle Moffett
Date: Thu Apr 22 2010 - 00:57:47 EST

Next message: David Miller: "Re: [PATCH] net: change recvform to return same address length asgetsockname on unnamed unix sockets"
Previous message: Joe Perches: "Re: [PATCH] Staging: Comedi: Drivers: Fix coding style issues indt2801.c"
In reply to: Serge E. Hallyn: "Re: [PATCH 3/3] p9auth: add p9auth driver"
Next in thread: Serge E. Hallyn: "Re: [PATCH 3/3] p9auth: add p9auth driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 21, 2010 at 15:15, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> "Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
>
>> Ignoring namespaces for a moment, I guess we could do something like
>>
>> struct credentials_pass {
>> Â Â Â pid_t global_pid;
>> Â Â Â unsigned long unique_id;
>> Â Â Â uid_t new_uid;
>> Â Â Â gid_t new_gid;
>> Â Â Â int num_aux_gids;
>> Â Â Â gid_t aux_gids[];
>> }
>
> This looks surprising like what I am doing in passing uids and pids
> through unix domain sockets.
>
> So if this looks like a direction we want to go it shouldn't be too
> difficult.

Hmm... for an alternative idea:

We have this nice "kernel keyring" infrastructure that lets us stuff
arbitrary things into "keys" and grant/revoke them between processes.
What if we created a relatively generic way for processes to package
up privileges (of whatever form) into a "key" that could be granted to
another process (via UNIX-domain socket)? Then the other process
would use a setuid()-ish syscall which would instead apply a specific
key as your credentials, possibly including the audit context and/or
namespaces it came from.

By using the keyring system, such tokens could be kept around across
multiple processes easily (as opposed to FDs), in the same style as a
"sudo" ticket file, for example (even with an expiration time).

Types of credentials you could pass around:
* Capabilities
* Filesystem UID/GID in a particular UID namespace (for FS operations)
* Process UID/GID in a particular UID namespace (for kill(), etc)
* Audit contexts
* SELinux/etc security labels

All of the above could be optionally limited to effectively require a
bprm-secure-style exec() with specific args. So for example, instead
of making "/usr/sbin/passwd" a setuid program, you could make it be an
unprivileged helper. It would connect to a privileged daemon and ask
for a password-change cookie for that particular user. The daemon
would create what is essentially a "delayed exec" key which grants a
specific UID and capabilities when that process performs an execkey().

So as an example, you could rewrite "sudo" as a partially-privileged
daemon and an unprivileged helper. The unpriv helper would send
across a request (optionally including the command and environment)
which would be checked by the daemon. It would then issue a key to
allow the unpriv helper to perform a limited exec.

Another option would be to rewrite network login programs (eg OpenSSH)
to use this for privilege separation. The listening process would get
a non-expiring key to allow it to exec a partially-privileged
password-checking program. If the password-checking program likes the
password it generates a single-use key to pass back to the forked
network process that allows it to exec a program as that user.

Cheers,
Kyle Moffett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Miller: "Re: [PATCH] net: change recvform to return same address length asgetsockname on unnamed unix sockets"
Previous message: Joe Perches: "Re: [PATCH] Staging: Comedi: Drivers: Fix coding style issues indt2801.c"
In reply to: Serge E. Hallyn: "Re: [PATCH 3/3] p9auth: add p9auth driver"
Next in thread: Serge E. Hallyn: "Re: [PATCH 3/3] p9auth: add p9auth driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]