[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MEMORY credential cache interop between Heimdal and MIT?

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: MEMORY credential cache interop between Heimdal and MIT?
From: Michael B Allen <miallen@ioplex.com>
Date: Tue, 28 Aug 2007 22:32:48 -0400
Cc: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>, KenRaeburn <raeburn@MIT.EDU>, Jeffrey Altman <jaltman@secure-endpoints.com>, OpenAFS Devel <openafs-devel@openafs.org>
In-Reply-To: <46D4D0CD.3050003@highlandsun.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <Pine.LNX.4.64.0708151117370.17167@iris02.slac.stanford.edu><540F131A-18D4-4343-AE0F-3B5D760DA215@jpl.nasa.gov><20070815161906.8fcc2ddf.miallen@ioplex.com><46C36271.7050402@secure-endpoints.com><20070815183305.2580e548.miallen@ioplex.com><79896EE9-9AE9-41C5-8F66-B144D0E0B1F8@mit.edu><20070815233444.a1d54835.miallen@ioplex.com><E969A5EB-4AC3-471F-AE36-B3645A1349C3@kth.se><20070816145410.3299c310.miallen@ioplex.com><46C49F7C.6050101@secure-endpoints.com><20070816165138.2e42c6f2.miallen@ioplex.com><1B0367BD-BB1D-46F5-A684-346A93B8954E@MIT.EDU><20070822132121.5270f764.miallen@ioplex.com><A44562DD-4EE8-48E1-B562-BA4D0F74B7D5@jpl.nasa.gov><46D4D0CD.3050003@highlandsun.com>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <miallen@ioplex.com>

On Tue, 28 Aug 2007 18:50:05 -0700
Howard Chu <hyc@highlandsun.com> wrote:

> Henry B. Hotz wrote:
> > At this point we're looking for volunteers, not more wishes, but  
> > here's a wish:
> > 
> > Instead of always going up the tree visiting all parents, have some  
> > way to "stop" so you can securely implement PAG semantics.  I don't  
> > think I'd use it often, but I like the idea of being able to set up  
> > an "admin" window and a "secure sandbox" window with more/less  
> > privileges than my default login session.
> > 
> > I would think the AFS folks would be interested in seeing the  
> > Kerberos ticket cache scope match the scope of PAG's as well as  
> > having a PAG implementation that wasn't so dependent on OS-specific  
> > hackery.  I'm not sure this is easier than what they do now, but if  
> > it gets AFS and Kerberos on the same page, that's a good thing.
> 
> You can simply use mmap'd files to accomplish the functionality that Michael 
> proposed. Unix mode bits on the file will determine which uids can open the 
> file. Children of a given process can access it through descriptor inheritance 
> from a process that already has it open/mapped. A process creating a cache 
> would just have to export an environment variable giving the cache name and 
> number of the descriptor in use. (Of course, any child process that closes 
> descriptors or zaps this environment variable would prevent further 
> propagation.) e.g. KRB5MEMCC="3000,/tmp/hyc1234"

If Unix mode bits are used, that is no different from using a ccache file
which has the ownership problem described in the web server scenario. If
descriptor inheritance is used, descriptors are not inherited across
execv which breaks Henry's "admin window" scenario.

> > On Aug 22, 2007, at 10:21 AM, Michael B Allen wrote:
> >> Hi Ken,
> >>
> >> I think that the ccache plugin idea is a worthwhile project. Yes, I
> >> think it would solve Alf's original issue. But by itself it would not
> >> solve the shared storage or access control issues (access control  
> >> being
> >> what I am really interested in).
> >>
> >> The only way to ensure that the ccache is truly protected is with a
> >> kernel extension. I think I would rather invest time into a solid long
> >> term solution and I think a secure shared storage kernel extensions
> >> project would be a step in the right direction.
> >>
> >> The extension could be quite simple. The caller could open a file that
> >> and do an ioctl something roughly like:
> >>
> >>   int fd = open("/dev/sss0", flags)
> >>   ioctl(fd, req, "krb5cc[uid=1234,ppid=5678]")
> >>   FILE *ccachefp = fdopen(fd, mode)
> >>
> >> So the kernel extension could be a simple device file implementation
> >> (this should handle all of the *nix systems). The ioctl data
> >> "krb5cc[uid=1234,ppid=5678]" indicates the name of the storage and
> >> some access control parameters. If the storage is created vs opened
> >> the access control parameters are set. The uid indicates that the  
> >> named
> >> ccache is specific to processes with that uid. The ppid indicates that
> >> only processes with that pid or a descendant of that pid (i.e. the  
> >> check
> >> would simply walk up the parent pids of the current process until it
> >> matched the supplied ppid) should have access to the storage.
> >>
> >> Now if there's some young buck out there looking for an excuse to
> >> experiment with kernel extensions, here's your chance for glory!
> >>
> >> Mike
> > 
> > ------------------------------------------------------------------------
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> > 
> > 
> 
> 
> -- 
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

Follow-Ups:
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>

References:
- MEMORY credential cache interop between Heimdal and MIT?
  - From: Alf Wachsmann <alfw@slac.stanford.edu>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by Date: Re: MEMORY credential cache interop between Heimdal and MIT?
Prev by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Index(es):
- Date
- Thread