Date: Thu, 25 May 2000 19:43:01 -0400 From: Garance A Drosihn <drosih@rpi.edu> To: nsayer@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: Needed: suid library calls [or pkey's?] Message-ID: <v04210100b55361e29d10@[128.113.24.47]> In-Reply-To: <392C60F1.91EDC30D@sftw.com> References: <sheldonh@uunet.co.za> <20000524090528.ECF641CE1@overcee.netplex.com.au> <20000524022840.C79861@freebsd.org> <200005241446.KAA60257@khavrinen.lcs.mit.edu> <20000524075921.A53829@freebsd.org> <200005241709.NAA60822@khavrinen.lcs.mit.edu> <20000524105558.A3407@freebsd.org> <200005241853.OAA61188@khavrinen.lcs.mit.edu> <392C3E40.E0D8974D@vangelderen.org> <392C60F1.91EDC30D@sftw.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On May 24/2000, Nick Sayer scared people when he wrote: >What we _really_ need is some mechanism to recognize the >difference between a user program and a system library, >with an eye towards granting privileges to trusted libraries >without letting those privileges leak past the library in >question. > >I don't claim that this is an _easy_ thing to do, nor that >it is a particularly standard thing to do. > > [...] > >User authentication is only one example. There are many >things that only root can do where letting non-root do >the job is not dangerous, but granting non-root permission >in a general way is. As long as the floor is open to non-standard ideas, let me reminisce about a feature from a different operating system which started with an "M"... It was called program keys, or 'pkey's. When a program was running, there was this pkey attribute (in addition to uid and gid). The pkey was a 16-character value (if I remember right). Each executable had a pkey associated with it, and that value became the current pkey when the program started to execute. Users could change the pkey value of any executable they had access to, but they could only pick values that started with their userid. "System" pkeys were values that started with an '*', and most of those values could only be set by a privileged userid. The default pkey for all executables was '*exec'. There was a system call which allowed a program to change the value of the active pkey. Any program at any time could change the program key to '*exec'. The system call had a table of what which active pkey's were allowed to switch to some other pkey (with a specific list of acceptable values it could switch to). You could permit files to a pkey. So, you could: permit /etc/passwd read pkey=*pw chflag /usr/bin/login pkey *login and then have the 'pushpkey' system routine allow pkey=*login to change the active pkey to *pw. When login starts to execute, the system would change the active pkey to '*login'. While login was running, it could call the pushpkey routine to switch the pkey to *pw, read from /etc/passwd, and then pop the pkey back to *login (or change it to *exec, if it didn't think it needed *login for anything anymore). I'm skipping a lot of details, of course, and it certainly would not be a "standard thing" to do, but it was a very very useful capability. You could have some password-reading routine in a library, and that would be fine because that routine could only PUSH the needed pkey if the calling program had a pkey which allowed that *pw to be set. This is also how things like games were able to keep system-wide score-files. Any user program could use this facility (they were only limited to the values of pkeys they were allowed to 'chflag' to). So, userid 'drosehn' could: permit ~/scorefile write pkey=drosehn:mygame chflag ~/mygame pkey drosehn:mygame and anyone playing the game could write to that file, but only thru the game. And the game, while active, would only have access to files permitted to that specific pkey, instead of all files owned by that userid. I am not sure how one would map this into a distributed computing environment, with NFS, AFS, and other networked file systems shared by many different machines (with different userid spaces). I think it'd be a cool project if it could be done, though. Anyone interested in extra credit points is invited to try and guess which operating system THIS idea is from... --- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or drosih@rpi.edu Rensselaer Polytechnic Institute To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04210100b55361e29d10>