Re: [PATCH 2/2] KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches

[David Howells <dhowells@redhat.com>]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> > The uid is -1 or the user's own UID for the user's own cache or the uid of
> > some other user's cache (requires CAP_SETUID).  This permits rpc.gssd or
> > whatever to mess with the cache.
> 
> Is the goal here eventually to be able to avoid the upcall to rpc.gssd
> entirely?  It seems a little bit roundabout to have the kernel call up
> into userspace for the credentials, only to talk to a process which then
> calls back into the kernel for something that the kernel has already
> well-defined internally.

I would like to see use of request_key() eventually so that the kernel can
fish a key directly out of the keyring if it needs one.  My kAFS filesystem
could pretty much use that immediately.

However, I don't really want to put all the Kerberos communications into the
kernel.  The keys obtained by request_key() on behalf of a filesystem might be
kerberos tickets or they might be something else.

> It seems like a non-privileged user could use this to store arbitrary data
> in this keyring as a way of hiding what would otherwise be filesystem
> activity or using it for some sort of odd/sneaky IPC mechanism.  Is this an
> intentional side effect?

It is true that a non-privileged user can store arbitrary keys in their
keyring and they could use it as an IPC mechanism if they really wanted to -
but if they could do that, they could use socketpairs, pipes or shm instead so
I'm not sure they can do anything that they couldn't do by some other
mechanism anyway.

Note that key accesses are regulated by the active LSM and I think can appear
in the audit log.

David