porting CCAPI to UNIX

Chaskiel M Grundman cg2v at andrew.cmu.edu
Wed May 9 16:43:37 EDT 2007


--On Wednesday, May 09, 2007 03:33:56 PM -0400 Ken Raeburn 
<raeburn at mit.edu> wrote:

> On May 9, 2007, at 15:31, Russ Allbery wrote:
>> AFS PAGs provide cross-session process isolation (well, not from
>> root, but that's a different matter).  I was actually under the
>> impression that keyrings did as well.
>
> Not when I tried running some keyring tests.

Modulo a race condition, it should be possible, but it requires setting 
non-default permissions on the keyring and the key.

Keys have four sets of permission bits: In addition to the usual owner, 
group, and other, there are bits granted to 'possessors' of a key, that is, 
processes which have this key in (or as) one of their keyrings.

If the owner bits (but not the possessor bits) of a session keyring are 
cleared, then other processes with that uid will not be able to join the 
keyring. If the owner bits (but not the possessor bits) of the key are 
cleared, then other processes with that uid will not be able to access the 
key. The race comes from the fact that you cannot set the permission bits 
of a keyring when you create it, so an evil process can join the keyring 
before the owner access bits are cleared.
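
The permission change described in the message above, as an added example that is not part of the original post: it joins a session keyring and then restricts it to possessor-only access through the raw Linux keyctl(2) syscall. The keyring name "ccapi-demo" is a hypothetical placeholder, and the constants are copied from <linux/keyctl.h> so the block builds without libkeyutils.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values as defined in the Linux UAPI header <linux/keyctl.h>. */
#define KEY_POS_ALL 0x3f000000u /* possessor: view/read/write/search/link/setattr */
#define KEY_USR_ALL 0x003f0000u /* owner: any process with the same uid */
#define KEYCTL_JOIN_SESSION_KEYRING 1
#define KEYCTL_SETPERM              5
#define KEYCTL_DESCRIBE             6

/* Keep only the possessor bits; owner, group and other lose all access. */
static uint32_t possessor_only(uint32_t perm) {
    return perm & KEY_POS_ALL;
}

/* Nonzero if a same-uid process that does not possess the key has access. */
static int owner_can_access(uint32_t perm) {
    return (perm & KEY_USR_ALL) != 0;
}

/* Join (or create) the named session keyring, then clear every
 * non-possessor bit. The two syscalls are not atomic: between them the
 * keyring still carries its creation-time permissions, which is the race
 * window the message describes. Returns the keyring serial, or -1. */
static long isolate_session_keyring(const char *name) {
    long ring = syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, name);
    if (ring < 0)
        return -1;
    unsigned long perm = possessor_only(0xffffffffu);
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, ring, perm) < 0)
        return -1;
    return ring;
}

int main(void) {
    char desc[256];
    long ring = isolate_session_keyring("ccapi-demo"); /* hypothetical name */
    if (ring < 0) { perror("keyctl"); return 1; }
    /* KEYCTL_DESCRIBE returns "type;uid;gid;perm;description", perm in hex. */
    if (syscall(SYS_keyctl, KEYCTL_DESCRIBE, ring, desc, sizeof desc) < 0) {
        perror("keyctl describe");
        return 1;
    }
    printf("keyring %ld: %s\n", ring, desc);
    return 0;
}
```

The same KEYCTL_SETPERM call applies to an individual key's serial number for the second case the message covers.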


