Re: The auth interface on L4-Hurd

[Wolfgang Jährling]

Marcus Brinkmann <address@hidden> wrote:
> There is no reason why we couldn't do it exactly like we do it now.

I am not convinced at all.  What prevents me from "flooding" the auth
server with auth_server_authenticate requests, passing a lot of (faked,
i.e. non-existing) handles to it and hoping that a user might soon use
one of those numbers?  In Mach, this is prevented by the fact that we
can only pass a port to someone if we actually hold a reference to that
port.  This is not the case with object handles on L4, as it is up to
the server to ignore requests from unknown persons.

You might say that we could just make a check a) on the user-side after
authentication or b) in the auth server when matching the requests.
Neither of these work, for the same reason.

a) On the user-side, we can't assume that the handle we get from
   auth_user_authenticate refers to an object that is owned by the
   server we have contacted, as it should be possible for him to ask
   someone else to do the auth_server_authenticate and handle future
   requets from the user.

b) The auth server could try to verify that the handle he got from the
   server is something that refers to the user, but as handles can, like
   ports, be passed around, this does not work.

If, however, we force people to not pass around one kind of object
handles involved in this authentication process, it might work.  But is
this a restriction we want to make?  I don't think so.

Cheers,
GNU/Wolfgang

-- 
Wolfgang Jährling  <address@hidden>  \\  http://stdio.cjb.net/
Debian GNU/Hurd user && Debian GNU/Linux user \\  http://www.gnu.org/
The Hurd Hacking Guide: http://www.gnu.org/software/hurd/hacking-guide/
["We're way ahead of you here. The Hurd has always been on the    ]
[ cutting edge of not being good for anything." -- Roland McGrath ]