Subject: Re: BSD Authentication
To: Charles Blundell <cb@kittenz.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 09/02/2003 10:47:08

On Fri, 29 Aug 2003, Charles Blundell wrote:

> on Fri, Aug 29, 2003 at 11:14:50AM +0100, Dr R.S. Brooks wrote:
> > environments that is not acceptable.  If the AFS credential is held as
> > part of a process's kernel state (and is only available to the pid which
> > originally obtained the credential and its descendants), then it's rather more
> > difficult for root to impersonate another user (you have to frob kernel
> > data structures rather than just su'ing to the user).
>
> You could probably just use ptrace(2) to impersonate another user
> with the AFS credentials in the kernel, I think?

You can use ptrace(2) to commit just about any evil. If we actually add a
form of kernel cache, we may add a way for the kernel to require some sort
of credential to let you do a ptrace(2). Another option would be to
disable ptrace(2) via sysctl. I'm not sure if we can do this now.

Take care,

Bill