Re: Proposal "LUID"

From: allbery@kf8nh.apk.net
Date: Sun Apr 16 2000 - 17:38:14 EST


On 16 Apr, Jamie Lokier wrote:
+-----
| Ok, but what's the point? There is a perfectly functional "real user
| id", and since you have to audit daemons to ensure LUID is properly
| tracked according to your preferred definition of "session", why not
| just ensure that the ruid tracks the same way. I.e., just use ruid and
| call it LUID for CAPP purposes.
+--->8

No. ruid changes over su; it has to, so setuid programs do the right
thing (if you su, you do not want setuid programs to switch between
their set uid and your original real uid). You need a separate uid to
track who you logged in as for security auditing.

Also, CAPP/C2 security auditing/logging doesn't work in terms of
sessions. LUID isn't set by login to enforce some kind of session
mechanism, but solely to indicate that some process which does
something security-auditable was ultimately initiated, directly or
indirectly, by a user who authenticated to the system as the user with
that (l)uid. Cron also sets it for cron jobs, because it's acting as a
proxy to run things for the user that installed the crontab.

| If you're thinking about capabilities to restrict LUID changes to the
+--->8

Capabilities also aren't related to luids. They're quite simple: only
a process with a "null" luid (for some suitable definition of "null";
0 doesn't qualify if root is allowed to log in) can change its luid.
This is part of the official CAPP/C2 definition of luid.

| And there's always the session id, but I never understood what that's
| for, in the midst of all the controlling terminal / process group id /
| process group leader quagmire.
+--->8

No; the session id is useless for this.

-- 
brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.
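
The luid rules described in the message above, as an added example that is not part of the original post or of any kernel patch: a small user-space model in which su changes the ruid, the luid is inherited across fork, and only a process with a null luid may set it. All names (`struct proc`, `set_luid`, `LUID_UNSET`, and so on) and the uid 1000 are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical model, not kernel code. The "null" luid is deliberately
 * not 0, because root may be allowed to log in. */
#define LUID_UNSET ((unsigned)-1)

struct proc { unsigned ruid, euid, luid; };

/* Set-once rule: only a process whose luid is still null may set it,
 * whatever its ruid/euid are. */
static int set_luid(struct proc *p, unsigned uid)
{
    if (p->luid != LUID_UNSET)
        return -EPERM;
    if (uid == LUID_UNSET)
        return -EINVAL;
    p->luid = uid;
    return 0;
}

/* fork(): the child inherits all three ids from its parent. */
static struct proc proc_fork(const struct proc *parent) { return *parent; }

/* What login (or cron, as proxy for the crontab owner) does: stamp the
 * luid first, then drop to the user's ids. */
static int start_session(struct proc *p, unsigned uid)
{
    int rc = set_luid(p, uid);
    if (rc == 0)
        p->ruid = p->euid = uid;
    return rc;
}

/* su: ruid and euid both move to the target user; the luid is untouched. */
static void su_to(struct proc *p, unsigned target) { p->ruid = p->euid = target; }

/* The id an audit record attributes the action to. */
static unsigned audit_subject(const struct proc *p) { return p->luid; }

int main(void)
{
    struct proc init = { 0, 0, LUID_UNSET };   /* system process, null luid */
    struct proc sh = proc_fork(&init);
    start_session(&sh, 1000);                  /* constructed uid 1000 logs in */
    struct proc rootsh = proc_fork(&sh);
    su_to(&rootsh, 0);                         /* user runs su to root */
    printf("ruid=%u euid=%u audit luid=%u\n", rootsh.ruid, rootsh.euid, audit_subject(&rootsh));
    printf("second set_luid as root: %d\n", set_luid(&rootsh, 0));
    return 0;
}
```
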




This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:09 EST