From: Andy Lutomirski <luto@myrealbox.com>
To: David Howells <dhowells@redhat.com>
Cc: Andy Lutomirski <luto@myrealbox.com>, linux-kernel@vger.kernel.org
Subject: Re: Where's the key management patchset at?
Date: Fri, 10 Sep 2004 21:58:07 -0700 [thread overview]
Message-ID: <414285DF.5040608@myrealbox.com> (raw)
In-Reply-To: <13082.1094581810@redhat.com>
David Howells wrote:
>>Second, is there a way for a process/user to have "use but not read"
>>access so it could pass the key to a different _userspace_ process
>>(probably a daemon running as root) that wants to read it? This would
>>be nice for all kinds of things (like ssh agents and such).
>
>
> That depends on what you mean by "use but not read" access.
>
> Keys now have five permissions (View, Link, Write, Read, Search) and these can
> be applied to user, group or other.
>
> An in-kernel service just requires Search (Use) permission to be able to use a
> key. It calls request_key() to come up with a key from the process's keyrings
> or from userspace.
>
> I'll probably have to do it by passing a new type of SCM message over
AF_UNIX
> sockets - one that attaches a key and can drop it into the process's
thread
> keyring.
>
I mean that a process would have be permitted to "use" a key (whatever
that means) but have no right to read the contents, delegating the
reading to a second process. This way a process could delegate the act
of seeing the key contents (computing a signature, for example) to a
trusted process, limiting the damage if the key-holding program is
compromised. This also might allow smart-cards to fit into the model
(where "use" makes sense but "read" is meant to be physically impossible).
Maybe one way to do this is to have a second UID attached to the key
(with its corresponding permission mask), the restriction that Read
without Search is forbidden and the exception that Search is implied by
a key's presence in a keyring. You'd also need to prevent the key owner
from changing the key's permissions if the owner doesn't have Read.
So my hypothetical ssh agent-like program has a key with UID 500: VLS /
GID whatever: - / 2nd UID 100: R and a setuid-100 program that does
public-key ops on it. Then if the user's account is compromised, no one
gets the private key.
I'm out of town now, so I haven't actually tried any of this. I'll take
a look at the code next week.
--Andy
next prev parent reply other threads:[~2004-09-11 4:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20040907031856.58f33b99.akpm@osdl.org>
[not found] ` <20040904032913.441631e6.akpm@osdl.org>
[not found] ` <20040904022656.31447b51.akpm@osdl.org>
[not found] ` <20040903224513.0154c1d3.akpm@osdl.org>
[not found] ` <24752.1094234169@redhat.com>
[not found] ` <12766.1094289316@redhat.com>
[not found] ` <14279.1094293508@redhat.com>
[not found] ` <13781.1094551789@redhat.com>
[not found] ` <14622.1094552807@redhat.com>
[not found] ` <20040907033255.78128ebd.akpm@osdl.org>
2004-09-07 13:21 ` Where's the key management patchset at? David Howells
[not found] ` <413DED11.5030700@myrealbox.com>
2004-09-07 18:30 ` David Howells
2004-09-11 4:58 ` Andy Lutomirski [this message]
2004-09-07 20:56 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=414285DF.5040608@myrealbox.com \
--to=luto@myrealbox.com \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.