Re: BSD Auth

To: David Holland <dholland-security%netbsd.org@localhost>
Subject: Re: BSD Auth
From: "Greg A. Woods; Planix, Inc." <woods%planix.ca@localhost>
Date: Wed, 20 Aug 2008 12:44:32 -0400


On 19-Aug-08, at 9:07 PM, David Holland wrote:

Nonsense. The application process needs to be able to communicate with
the bsdauth process anyway; there's nothing inherent that prevents
such communication from including Kerberos tickets.

Indeed -- however the action of setting the credentials for theprocess (i.e. in the process context) is, by necessity, a privilegedoperation. The naive "one big ball of wax or whatever" solution is tostart the process as root, authenticate the user, set the credentialsin the process context, then call setuid() to give up superuserprivileges and authorize the authenticated user to run.

Whether bsdauth as it currently exists is actually capable of doing
this properly is another question; but it's also not entirely clear
that PAM as it exists can do this properly either.

Not quite -- as I outlined in 2003 I think another system call, orpair of system calls, is the most elegant solution. These would allowa privileged child process to set the credentials of the parentprocess. I haven't done a formal analysis of this model, though Ihave done a lot of critical thinking about it, and so far as I can seeit can be made secure and robust.


--
                                        Greg A. Woods; Planix, Inc.
                                        <woods%planix.ca@localhost>

References:
- Re: BSD Auth
  - From: Greg A. Woods; Planix, Inc.
- Re: BSD Auth
  - From: SODA Noriyuki
- Re: BSD Auth
  - From: Greg A. Woods; Planix, Inc.
- Re: BSD Auth
  - From: SODA Noriyuki
- Re: BSD Auth
  - From: David Holland

Prev by Date: Re: BSD Auth
Next by Date: NetBSD Security Advisory 2008-010: Malicious PPPoE discovery packet can overrun a kernel buffer
Previous by Thread: Re: BSD Auth
Next by Thread: Re: BSD Auth
Indexes:

Home | Main Index | Thread Index | Old Index