Heads up for login managers

Alan Cox alan at redhat.com
Mon Feb 12 23:56:05 UTC 2007


On Mon, Feb 12, 2007 at 03:17:02PM -0500, David Zeuthen wrote:
> > with the same uid to access and use. It's nerf security.
> 
> I never claimed it provided security. You will be able to copy
> XDG_SESSION_COOKIE from your other processes and that's fine. Just keep
> in mind it's easier to just run VNC than copying it around.

That bit is really important. If your session cookie is just a non-security
helper object then you don't need to do sick hacks grovelling around in
other processes' environment (which isn't safe). You can pass the session id
explicitly. The other end knows the uid so can validate the session id with
respect to the user. Keep it in the environment but pass it and don't do
sick /proc hacks. Use Kerberos keys (see below) and it gets kind of hard to
pass fake keys too.

> However if we used something else than XDG_SESSION_COOKIE, like tagging
> a process with a secret cookie that only privileged processes can
> read/write it would provide real security.

Only in some very narrow cases. If power is acquired through possession of
a key then your security boundary is uid. Even if only a privileged process
can read or write the key, the mere possession case applies as I can modify
any executable I own, or any running image I own.

More seriously the moment you want to deal in passing secure secret cookies
around and using them as authentication tokens you are doing Kerberos, the
difference being MIT has spent years making it secure and doing the crypto
right.

You can (and IMHO should) look seriously at this point at having the objects
you pass explicitly being Kerberos keys. At that point all the existing
Kerberos single sign on, web authentication of services by keys and desktop
will be using the very same authority objects, and those objects are
directly bindable to NFSv4 for file serving, cryptographically sound and
already supported by things like ssh and our tools and libraries. Kerberos
is a cross system, cross architecture, cross platform and a standard so it's
ideal with a "Gnome is not Linux" hat on too.

There are some other things Kerberos gives you that are powerful too, such
as constructs like key granting tickets so you can build hierarchies.

Alan
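
The suggestion above to pass the session id explicitly and let the receiving end check it against the uid it already knows, as an added example that is not part of the original post or of any project's code. It is Linux-only: a hypothetical daemon reads the caller's uid from the Unix socket with SO_PEERCRED instead of reading another process's environment. SessionRegistry, handle_request, ask and the session table are assumptions made for illustration.

```python
import os
import secrets
import socket
import struct


class SessionRegistry:
    """Hypothetical daemon-side table mapping session id -> owning uid."""

    def __init__(self):
        self._owner = {}

    def open_session(self, uid):
        sid = secrets.token_hex(16)
        self._owner[sid] = uid
        return sid

    def validate(self, sid, peer_uid):
        # The id is only a handle; authority comes from the uid the kernel reports.
        return self._owner.get(sid) == peer_uid


def peer_uid(conn):
    # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid
    size = struct.calcsize("iII")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def handle_request(registry, conn):
    # The client passes the session id explicitly; nothing is read from /proc.
    sid = conn.recv(64).decode("ascii", "replace").strip()
    return registry.validate(sid, peer_uid(conn))


def ask(registry, sid):
    # One connected pair per request stands in for a client talking to the daemon.
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(sid.encode("ascii"))
        return handle_request(registry, server)


def demo():
    reg = SessionRegistry()
    mine = reg.open_session(os.getuid())
    other = reg.open_session(os.getuid() + 1)  # constructed: another user's session
    return ask(reg, mine), ask(reg, other), ask(reg, "0" * 32)
```

Only the caller's own session id validates; a copied id belonging to another uid and an unknown id are both rejected, which is the uid boundary the message describes.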




More information about the Fedora-maintainers mailing list