porting CCAPI to UNIX

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed May 2 18:25:09 EDT 2007


>I've been looking at porting the CCAPI code that's used on the Mac  
>for managing credentials caches over to UNIX.
>[...]

You've hit the nail on the head about the real problem: restricting
access to the "right" set of processes.  Everything else is relatively
straightforward.

I can only tell you what I did.  At login time our credential cache
code creates a Unix domain socket (using socketpair()), uses dup2()
to make the descriptor the maximum value possible (you look at the
maximum number of descriptors available via getrlimit()) and uses
setrlimit() to make the maximum descriptor one below that.  E.g., say
the maximum descriptor value is 1023; you use dup2() to make your
communication descriptor 1023, and use setrlimit() to make the
maximum descriptor value 1022.  This doesn't _prevent_ processes
from closing the descriptor, but in my experience they all stop
closing descriptors at the maximum descriptor limit.  So all processes
that are children of login get this descriptor in their environment
and they use it to communicate with a credential cache server that
is forked off as part of the login process (it's more complicated
than that, but that's the key bit of magic).  This provides
per-login-session semantics that seem to be pretty secure (of
course it is not perfect).

I've been using this in production for ... oh, almost three years
now, on a wide variety of Unixes (off the top of my head: tons of
different Linuxes, Solaris, AIX, HP/UX, Irix; it works fine on MacOS
X but we prefer the CCAPI on that platform), and I am continually
surprised how well it works.  We haven't had any problems with it.

I admit that it's gross ... but if you can tell me of a portable
solution that has the same semantics, I would love to hear about
it.

--Ken
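
[Added illustration of the descriptor trick described above; this is
example code, not Ken's credential cache implementation.  It parks one
end of a socketpair() at the highest descriptor number, lowers the soft
RLIMIT_NOFILE by one, then checks that the parked descriptor still
works, that new descriptors land below it, and that an explicit
close() still succeeds.  The names park_fd_above_limit and demo are
assumed, not from any real code.]

```c
#include <fcntl.h>
#include <limits.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Park `fd` at the highest descriptor number the process may use, then
 * lower the soft RLIMIT_NOFILE by one.  Loops that close "every fd up to
 * getrlimit()" now stop just short of it.  Returns the new fd, or -1. */
int park_fd_above_limit(int fd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur < 4 ||
        rl.rlim_cur > (rlim_t)INT_MAX) return -1;
    int top = (int)rl.rlim_cur - 1;      /* e.g. limit 1024 -> fd 1023 */
    if (dup2(fd, top) != top) return -1;
    if (fd != top) close(fd);            /* keep only the parked copy */
    rl.rlim_cur = (rlim_t)top;           /* new limit 1023: max fd is 1022 */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return top;
}

/* Exercise the trick on a socketpair constructed here for the demo.
 * Returns the parked descriptor number, or -1 if any property fails. */
int demo(void) {
    int sv[2];
    char buf[4];
    struct rlimit rl;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int parked = park_fd_above_limit(sv[1]);
    if (parked < 0) return -1;
    /* the parked fd is still open and still a working socket */
    if (fcntl(parked, F_GETFD) == -1) return -1;
    if (write(sv[0], "ok", 2) != 2 || read(parked, buf, sizeof buf) != 2)
        return -1;
    /* the soft limit now equals the parked number, so a close-all loop
     * bounded by getrlimit() never reaches it ... */
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || (int)rl.rlim_cur != parked)
        return -1;
    /* ... and any descriptor opened from now on lands below it */
    int extra = open("/dev/null", O_RDONLY);
    if (extra < 0 || extra >= parked) return -1;
    /* the caveat from the post: nothing stops an explicit close() */
    int rc = close(parked);
    close(extra);
    close(sv[0]);
    return rc == 0 ? parked : -1;
}
```

Note that lowering the soft limit is inherited across fork()/exec(), which is what gives the children of login the same view.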