help-hurd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q: Auth server


From: Stefan Karrmann
Subject: Re: Q: Auth server
Date: Fri, 26 Oct 2001 14:56:48 +0200
User-agent: Mutt/1.2i

Marcus Brinkmann schrieb folgendes am Tue, Oct 23, 2001 at 02:29:27PM +0200:
> On Tue, Oct 23, 2001 at 09:03:59AM +0200, Stefan Karrmann wrote:
> > How does the auth server work? I've read the doc (but not the source),
> > but I still have only a vague idea about it.
> > Mainly the translators check who opens (or modifies ?) a node using
> > auth? But how looks the protocol?
> 
> Please look into my talk in the Documentation part of the Hurd web page.
> It is a handshake protocol, the user provides the server with a rendevouz
> port, the user and the server pass the rendevouz port to the auth server,
> which matches them.  As auth knows about the user ids (it is the authority
> for it), it can pass them to the server, while the user will get a special
> server port that was provided to auth by the server.

Right, your presentation clearifies it.

> > What prevents a user to set up a loop-like translator, modify some
> > setuids et. al. on the fs-image to obtain root privileges, for example?
> 
> The user needs a port to the auth server that represents the user ids.  It
> won't get such a port by modifying some bits in a data storage owned by the
> user.
> 
> > Or can only user X translators provide user X setuid? 
> 
> Well, he can do with the filesystem what he wants, so he might make it look
> like the executable is owned by root and suid.  But if the translator
> doesn't run with root privileges itself, it won't be able to make the suid bit
> effective.  Suid root only works among the trusted system servers which run
> as root, or if you have the root id already among your effective user ids (I
> think).

How does the exec work in detail? You have 6 parts:

1. Environment variable EXECSERVERS.
2. The user process which calls exec.
3. The translator which provides the executable.
4. The auth server.
5. The exec server.
6. The global proc server.

In some way the user (or library) has to check if the translator is trustworthy,
otherwise translators may introduce trojan horses.

Thanks,
-- 
Stefan Karrmann



reply via email to

[Prev in Thread] Current Thread [Next in Thread]