From kragen@dnaco.net Wed Sep 30 10:55:16 1998
Date: Wed, 30 Sep 1998 10:55:15 -0400 (EDT)
From: Kragen <kragen@dnaco.net>
To: Just this guy you know <greyfox@greyfox.org>
cc: Olaf Kirch <okir@monad.swb.de>, security-audit@ferret.lmh.ox.ac.uk
Subject: Re: rootd
In-Reply-To: <Pine.LNX.3.96.980930095159.2605B-100000@greyfox.org>
Message-ID: <Pine.SUN.3.96.980930104328.21177A-100000@picard.dnaco.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: O
X-Status: 

On Wed, 30 Sep 1998, Just this guy you know wrote:
> On Wed, 30 Sep 1998, Olaf Kirch wrote:
> > Aah, no. I've toyed with that idea, too, but it's easily defeated.
> I thought about this, too. If you set the capabilities based on the pid,

(etc.)

Well, you know, once you have a single properly authorized socketpair,
you can use that to authorize other socketpairs.

That is, if I run process 'x' which connects to a daemon 'authd' and
somehow establishes credentials and a socketpair, and process 'x' wants
to contact process 'y' (say, rootd), it can ask 'authd' to send 'y' a
message saying 'here is x, it is authorized to be user kragen etc.' and
including an fd to a (new) open connection.

Since 'y' trusts 'authd' to not lie to it, it knows who it's talking to
over any connections established via 'authd'.

Possible ways that 'x' can authenticate might include a login process
with shared-secret authentication or demonstrating filesystem rights --
e.g., demonstrating to 'authd' that it can chown() to who it says it
is.  Or the passcred stuff.

This is capability-based security, like in KeyKOS or EROS, not to be
confused with Unix capabilities.

The biggest problem with this is that it doesn't fit in well with the
usual Unix security model: the kernel knows who the process is, and the
kernel makes most decisions about what to let it do and not do, and
when the process wants to do something different, it can start a setuid
program -- which, again, gets the credentials of the requester from the
kernel.

To be consistent, 'authd' would have to be part of the kernel.  And
that's what the passcred stuff is.

Kragen

-- 
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
A well designed system must take people into account.  . . .  It's hard to
build a system that provides strong authentication on top of systems that
can be penetrated by knowing someone's mother's maiden name.  -- Schneier
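The vouching exchange sketched in the message above (x authenticates to authd, authd hands y a fresh connection to x together with a statement of who x is, and y believes the statement because it can tell the message really came from authd) maps onto two Linux socket primitives: SCM_RIGHTS to pass the connection's fd, and SO_PASSCRED / SCM_CREDENTIALS, the "passcred stuff", which makes the kernel stamp each message with the sender's pid, uid and gid so that y's trust in authd rests on a kernel-supplied fact rather than on a claim in the message body. What follows is an added example, not code from this email, from rootd or from any project discussed in the thread; the function names authd_vouch, y_recv_vouch and demo_vouched_connection and the user name "kragen" are made up for it, and it assumes Linux (SO_PASSCRED and SCM_CREDENTIALS are Linux-specific). To run stand-alone, one process plays all three roles over two socketpairs, so the credentials y sees are simply its own pid and uid.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Same layout as Linux 'struct ucred' (what SCM_CREDENTIALS carries); declared
 * here so the example does not depend on the header's feature-test guards. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value */
#endif

/* authd side (hypothetical name): "here is x, it is authorized to be <who>",
 * with the fd of a new connection to x attached as SCM_RIGHTS. */
static int authd_vouch(int to_y, int conn_fd, const char *who)
{
    struct iovec iov = { .iov_base = (void *)who, .iov_len = strlen(who) + 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *c;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &conn_fd, sizeof(int));
    return sendmsg(to_y, &msg, 0) < 0 ? -1 : 0;
}

/* y side (hypothetical name): receive one vouch. Returns the passed fd, or -1
 * if the fd or the kernel-stamped credentials are missing or the control data
 * was truncated. Needs SO_PASSCRED enabled on from_authd. */
static int y_recv_vouch(int from_authd, char *who, size_t wholen,
                        struct peer_cred *cred)
{
    struct iovec iov = { .iov_base = who, .iov_len = wholen };
    union { struct cmsghdr hdr;
            char buf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct peer_cred))]; } u;
    struct msghdr msg;
    struct cmsghdr *c;
    int fd = -1, have_cred = 0;
    ssize_t n;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    n = recvmsg(from_authd, &msg, 0);
    if (n <= 0)
        return -1;
    if ((size_t)n >= wholen)
        n = (ssize_t)wholen - 1;
    who[n] = '\0';                       /* body is the claimed identity */

    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET)
            continue;
        if (c->cmsg_type == SCM_RIGHTS && c->cmsg_len >= CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(c), sizeof(int));
        else if (c->cmsg_type == SCM_CREDENTIALS && c->cmsg_len >= CMSG_LEN(sizeof *cred)) {
            memcpy(cred, CMSG_DATA(c), sizeof *cred);   /* kernel-supplied, not forgeable */
            have_cred = 1;
        }
    }
    /* A truncated control buffer may have dropped the credentials: refuse. */
    if (fd < 0 || !have_cred || (msg.msg_flags & MSG_CTRUNC)) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

/* Whole exchange in one process: authd<->y over one socketpair, a fresh x<->y
 * connection as a second one. Returns 1 when y reads x's bytes over a
 * connection it accepted because the kernel-stamped credentials on the authd
 * channel matched the identity it trusts as authd (here: this very process). */
int demo_vouched_connection(void)
{
    int ay[2], xy[2], on = 1, fd, ok = 0;
    struct peer_cred cred;
    char who[64], buf[16];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ay) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, xy) < 0)
        return 0;
    /* y asks the kernel to stamp every message arriving from authd. */
    if (setsockopt(ay[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0)
        return 0;
    /* authd: x authenticated as "kragen" (constructed); hand y the far end of
     * x's new connection, then drop authd's own copy of that fd. */
    if (authd_vouch(ay[0], xy[1], "kragen") < 0)
        return 0;
    close(xy[1]);

    fd = y_recv_vouch(ay[1], who, sizeof who, &cred);
    if (fd < 0)
        return 0;
    /* y's trust decision: is the voucher really authd? A deployed y would
     * compare against the uid/pid authd is known to run as. */
    if (cred.uid == getuid() && cred.pid == getpid() && strcmp(who, "kragen") == 0 &&
        write(xy[0], "hi", 2) == 2 &&            /* x speaks on its own end */
        read(fd, buf, sizeof buf) == 2 && memcmp(buf, "hi", 2) == 0)
        ok = 1;
    close(fd); close(xy[0]); close(ay[0]); close(ay[1]);
    return ok;
}
```

Two checks carry the security weight here: y acts on the "who" string only when the kernel-supplied SCM_CREDENTIALS identify the sender as the process it trusts to be authd, since the body alone is just an unverified claim, and it discards any message with MSG_CTRUNC set rather than reasoning about a control buffer that may have lost its credentials. Nothing in this keeps x from lying to authd in the first place; that is the authentication step the message leaves open (shared secret, chown() demonstration, or passcred on x's own channel), and the vouch is only as good as it.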


