User-manageable sub-ids proposals

From: Romano Giannetti (romano@dea.icai.upco.es)
Date: Thu Dec 13 2001 - 05:36:16 EST

Next message: Russell King: "Re: USB not processing APM suspend event properly?"
Previous message: Petr Vandrovec: "Re: Repost: could ia32 mmap() allocations grow downward?"
In reply to: Hans Reiser: "Re: reiser4 (was Re: [PATCH] Revised extended attributes interface)"
Next in thread: Ragnar Kjørstad: "Re: User-manageable sub-ids proposals"
Reply: Ragnar Kjørstad: "Re: User-manageable sub-ids proposals"
Maybe reply: Jacques Gelinas: "re: User-manageable sub-ids proposals"
Reply: David Wagner: "Re: User-manageable sub-ids proposals"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Good morning to everyone.

I was thinking about the idea of sub-ids to enable users to run "untrusted"
binary or "dangerous" one without risk for their files/privacy.

I had an idea to a low-profile, almost no invasive way to implement it that
should be almost transparent to user-space application (almost all). Let me
explain with an example.

Let's add to task_struct another array like groups[NGROUPS], calling it
slave_uids[NSLAVES]. Add a (privileged) syscall, addslave(uid_t, uid_t),
that can fill that arrays.

Now, the user space configuration is the following:

I am romano, uid 300.
There is(/are) another(s) user, for example r-slave, uid 3001, no login
shell, with home dir in ~romano/r-slave.

When I login as romano, the login binary call a addslave(300, 3001), looking
at a /etc/slaves that has a line that says romano:r-slave

Now change the kernel so that:

1) user romano can do a setuid() call to become anyone of its slaves, with
no way back possible.

2) user romano can chown() files owned by him and by any of its slaves to
any of the romano or slaves uids.

And that's all. All the other strange file management that user romano would
want to do on the slave-id environment, he can do by doing a kind-of-su(*)
to one of its slaves (with setuid) and then play in the restricted
enviroment. If you add ACL to this(**), you could easily fine-control what the
untrusted binary can see of your environment; add the per-vfsmount ro-flag
and it gives to you a lot of flexibility.

This should be a change simple enough for the kernel, and for the userspace
too: just change login to add addslave call, and the tools that need to
spawn untrusted binaries can do a setuid() to a slave before the exec().

Is there something that I am missing here?

Romano

(*) probably to be called giu... (sorry, Italian-speaking only joke: /su/
means 'up' in Italian, and /giu/ means 'down').

(**) and without ACL, if you makes a parallel thing for gid, you can
probably fine-tune access in the old-style ways, provided that the system
set-up is the "every user in its own group" style.

-- 
Romano Giannetti             -  Univ. Pontificia Comillas (Madrid, Spain)
Electronic Engineer - phone +34 915 422 800 ext 2416  fax +34 915 411 132
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Russell King: "Re: USB not processing APM suspend event properly?"
Previous message: Petr Vandrovec: "Re: Repost: could ia32 mmap() allocations grow downward?"
In reply to: Hans Reiser: "Re: reiser4 (was Re: [PATCH] Revised extended attributes interface)"
Next in thread: Ragnar Kjørstad: "Re: User-manageable sub-ids proposals"
Reply: Ragnar Kjørstad: "Re: User-manageable sub-ids proposals"
Maybe reply: Jacques Gelinas: "re: User-manageable sub-ids proposals"
Reply: David Wagner: "Re: User-manageable sub-ids proposals"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Dec 15 2001 - 21:00:25 EST