Keyring mysteries
From: Andy Lutomirski
Date: Tue Apr 22 2014 - 19:45:40 EST
Here are some keyring mysteries.
If my uid is *not* 1001, and uid 1001 is not currently logged in but
uid 1001 will log in soon, this does terrible things:
$ keyctl newring _uid.1001 @us
In general, I do not understand how it is possible to use
find_keyring_by_name safely. (This may need a CVE number assigned if
it's as bad as I think it may be. I see no a priori reason that it
can't be used to trivially steal Kerberos credentials.)
What does it mean to revoke an entire keyring? keyctl revoke @u seems
to do something odd.
Are you supposed to be able to recover from keyctl setperm @u 0?
What is a possessed key? If I have KEY_LINK, does that mean I can
possess a key and possibly elevate my permissions?
What's up with key_fsuid_changed? It looks like it's a giant security
hole in any case where it has any effect at all and setfsuid is being
used. But maybe I don't understand the point.
Why doesn't key_change_session_keyring use prepare_creds?
Why do keyrings live in struct cred? Especially, why is
thread_keyring in there? I'd really like to get rid of that.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/