
Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?



Hi,

I happen to have an opinion,
based on years with AFS, DCE/DFS and Coda, fwiw.

On Wed, Aug 29, 2007 at 02:08:48PM -0700, Henry B. Hotz wrote:
> (Process Authentication Group) problem the same way we solve the  
> secure credential cache problem.  PAGs have better semantics than any  
> extant Kerberos ccache implementation.

This is a questionable statement.

PAGs are supposed to be handy, but they contradict the basic *nix design,
which is built around uid as the main credential.
So they are controversial by nature.

They create lots of confusion, are not as isolating as one might believe,
and eventually reduce security as they break the borders
of security domains (switching uids while inheriting rights, or vice versa).

> From a user's perspective, a PAG is like a terminal login session  
> with two exceptions.  First it's "secure";  you can't break into and  
> access anything from another session (even with the same UID).   

That's not true: processes with the same uid are in most cases _not_ isolated
from each other; they can possibly trace each other or have rights
on common resources like dotfiles or an X11 display.
They share too much to be able to say a PAG is "secured" from processes
of the same uid. It can be inconvenient or hard to subvert a PAG,
but it is far from what could be called "secure".

There is a fundamental reason why PAGs are so hard to do "right":
they try to work around essential characteristics of *nix design.
In other words, there is hardly any "right" solution.

I wouldn't suggest any similar approach for Kerberos.

Best regards,
Rune
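An added example, not part of the thread or of OpenAFS: the claim above that same-uid processes are not isolated from each other can be checked directly on Linux with ptrace(2). The program forks a child that stores a constructed stand-in "token" in a global, then the parent attaches to the child and reads that value out of the child's memory. Nothing here touches AFS, PAGs or pioctl; it only shows where the kernel draws the boundary (the uid) and where a PAG does not. The names cred_slot, CHILD_SECRET and same_uid_peek() are this example's own. One caveat worth knowing when you run it: distributions that enable the Yama LSM (kernel.yama.ptrace_scope) restrict PTRACE_ATTACH even between same-uid processes, so the example also reports that case rather than treating it as an error.

```c
/* Added example (not from the mailing-list thread or OpenAFS). Linux only.
 * Demonstrates that a process can read another same-uid process's memory via
 * ptrace(2), unless kernel policy (e.g. Yama ptrace_scope) forbids it.
 * The "token" stored in the child is a constructed stand-in, not a real credential. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

enum peek_result {
    PEEK_READ_OK = 0,   /* attached to the child and read its copy of the slot */
    PEEK_DENIED  = 1,   /* PTRACE_ATTACH refused: kernel policy, not the uid, stopped us */
    PEEK_ERROR   = -1   /* unexpected failure (pipe, fork, wait) */
};

#define PARENT_VALUE 0x0C0FFEEL
#define CHILD_SECRET 0x05EC12E7L   /* constructed stand-in for a cached credential */

/* Same virtual address in parent and child: fork() duplicates the address space,
 * so the parent knows exactly where to look in the child. */
static volatile long cred_slot = PARENT_VALUE;

/* Fork a same-uid child, let it overwrite its private copy of cred_slot, then
 * attach with ptrace and read that copy back. Returns a peek_result; on
 * PEEK_READ_OK, *out holds the value read from the child's memory. */
enum peek_result same_uid_peek(long *out)
{
    int ready[2];
    if (pipe(ready) != 0)
        return PEEK_ERROR;

    pid_t child = fork();
    if (child < 0)
        return PEEK_ERROR;

    if (child == 0) {
        /* Child: store the "token", tell the parent we are ready, then idle. */
        close(ready[0]);
        cred_slot = CHILD_SECRET;
        (void)write(ready[1], "x", 1);
        close(ready[1]);
        for (;;)
            pause();
    }

    close(ready[1]);
    char b;
    if (read(ready[0], &b, 1) != 1) {   /* wait until the child has stored its value */
        close(ready[0]);
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
        return PEEK_ERROR;
    }
    close(ready[0]);

    enum peek_result res = PEEK_ERROR;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) {
        /* EPERM here means the kernel's ptrace policy refused a same-uid attach. */
        res = (errno == EPERM) ? PEEK_DENIED : PEEK_ERROR;
    } else {
        int status;
        /* PTRACE_ATTACH sends SIGSTOP; wait for the child to enter the stopped state. */
        if (waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
            errno = 0;   /* PEEKDATA returns the word itself, so errno disambiguates -1 */
            long v = ptrace(PTRACE_PEEKDATA, child, (void *)&cred_slot, NULL);
            if (!(v == -1 && errno != 0)) {
                *out = v;
                res = PEEK_READ_OK;
            }
        }
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    }

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return res;
}

int main(void)
{
    long v = 0;
    switch (same_uid_peek(&v)) {
    case PEEK_READ_OK:
        printf("parent slot=%#lx, child slot read via ptrace=%#lx (same uid, no PAG involved)\n",
               (unsigned long)cred_slot, (unsigned long)v);
        break;
    case PEEK_DENIED:
        printf("PTRACE_ATTACH denied: kernel ptrace policy (e.g. Yama ptrace_scope) blocked it\n");
        break;
    default:
        printf("setup error\n");
    }
    return 0;
}
```

On a stock kernel without Yama restrictions the parent reads CHILD_SECRET out of the child while its own cred_slot still holds PARENT_VALUE; with kernel.yama.ptrace_scope set to 2 or 3 the attach is refused. Either way the decision is made by the kernel on the basis of uid and ptrace policy, which is the point of the mail: anything a process in a PAG holds in memory is reachable by any other process the kernel considers the same principal.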