Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753207AbbD0PuP (ORCPT <rfc822;w@1wt.eu>);
	Mon, 27 Apr 2015 11:50:15 -0400
Received: from mail-qg0-f45.google.com ([209.85.192.45]:36244 "EHLO
	mail-qg0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752321AbbD0PuN (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 27 Apr 2015 11:50:13 -0400
MIME-Version: 1.0
In-Reply-To: <20150427155732.7e2fdbd4@lxorguk.ukuu.org.uk>
References: <CALCETrXXUiYKAhsXsdqH2uZMddDhK5hX6V9+rZcHwa1X5WC+1g@mail.gmail.com>
	<CA+55aFyngC1GN7Nr7bfNtDw4ub_GB59Tz0u0L8PtwKX1Q2zuYw@mail.gmail.com>
	<CALCETrVt_ag4+C9+tg9acs1UPh5TKVmUTt4wBKbczMf+xwaTKw@mail.gmail.com>
	<CANq1E4T8h5p=Ryd0dR8VPqnpDi73qLAJuLhjOTtoP343SMJJ1g@mail.gmail.com>
	<20150427155732.7e2fdbd4@lxorguk.ukuu.org.uk>
Date: Mon, 27 Apr 2015 17:50:12 +0200
Message-ID: <CANq1E4TeGCDfdEdVEOsSwyYo6jU37p7zyu_r_JE4eULyQNMx8g@mail.gmail.com>
Subject: Re: Sharing credentials in general (Re: [GIT PULL] kdbus for 4.1-rc1)
From: David Herrmann <dh.herrmann@gmail.com>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Tom Gundersen <teg@jklm.no>, Jiri Kosina <jkosina@suse.cz>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Daniel Mack <daniel@zonque.org>, Djalal Harouni <tixxdz@opendz.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3392
Lines: 74

Hi

On Mon, Apr 27, 2015 at 4:57 PM, One Thousand Gnomes
<gnomes@lxorguk.ukuu.org.uk> wrote:
>> But this is not how authorization with polkit works (or anything
>> similar to polkit). The authorization-framework is totally separated
>
> Thats a detail which is changeable

It's not a detail, it's a design choice. But see at the end..

>> from the client that accesses a service. The client asks a service
>> provider to perform an action. The service provider then asks the
>> authorization-framework, whether the client is authorized to run the
>> action.
>
> This is not good design IMHO. The client should always be indicating it
> intends to pass on the credentials it has. That stops privileges leaking
> or programs being tricked into things.

If all you pass along is your identity, you cannot "leak a privilege".
If you run a program as someone privileged and you don't want the
program to run as such a user, well, then you better not run it as
such a user..

We don't do setuid or setcap. A caller always has full control who to
run a program as. Choose that wisely, don't make the program protect
itself against the user. On the contrary, if a program is called with
elevated privileges, then this is an explicit decision of the caller
we must respect.

>> The authorization-framework is explicitly separated from
>> credential-passing. It has a separate configuration that is neither
>> controlled by the client nor the service-provider (the default is
>> usually provided by the latter, though). Therefore, credentials that
>> are passed are not associated with an action, but rather with the
>> identity of the client. If a client does not want to run an operation
>> as its current identity, it better does not call it.
>
> You still want such a usage to involve a client sending a message flag
> which says "and this message is an authority to use the following
> credential". [...]

No, I really don't.

>> Without LSM, we don't have such a unique identifier. Therefore, we
>> send the UIDs+GIDs+CAPs+NAMEs combination. Those we pass on to the
>> authorization framework, to decide on whether the peer is privileged.
>> And we believe those should be mandatory, not optional, just like the
>> seclabel we send if an LSM is active.
>
> The mashed up caps and names really ought to be replaced by something
> better. Especially the names. Would it make sense to put some kind of
> security label on the executable and pass that instead ? So instead of
> all the caps and names crap you label the executable itself as having
> "kbus:awesomerebootpower" or whatever so the kernel can see that cleanly
> as a label that's basically a kbus namespace capability ?

(it would be lovely if you did not call my code 'crap')

But this is the essential difference in our design. We don't want code
to be aware of their privileges. We want privileges to be attached
externally to an identity. Thus, a program should always assume it is
privileged to do whatever its purpose is. If its purpose does not fit
you, you better not call it. In all other cases, a "privilege leak"
would just result in the program running as expected.

Thanks
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/