[cap-talk] Unix FDs as capabilities, preventing socket creation, kerberos etc?

Rob J Meijer rmeijer at xs4all.nl
Sat Nov 26 19:04:39 EST 2005


>> Is it in unix in any way possible to have a process drop
>> its possibility to create new sockets?
>
> The way systrace does it is to run the process in debug mode and trap
> syscalls, allowing only certain syscalls with certain parameters to
> succeed.

That indeed seems like a usable solution; I must go and play with
that soon.

>> 2) When bootstrapping the basic interconnection process and socket
>> infrastructure, initial authentication is essential. With normal
>> networking we have kerberos to take care of that, but over a tcp/ip
>> socket we can not communicate filehandles. Does anyone have any notion
>> on how one could integrate kerberos and the bootstrapping of a unix
>> domain socket based capability system design?
>
> As I understand, capabilities typically remove the need for other access
> control mechanisms. If a capability is passed into an object then it has
> rights to it with no need to double check against a rights list or
> authentication protocol.

Yes, I understand that, but with the objects being processes, and also
processes on multiple hosts, you would need to first pass the (initial)
capabilities to the processes. You would thus only need authentication of
the processes during some bootstrapping process, but the processes would
have to be authenticated when started, before being passed their initial
capabilities by some bootstrap capability broker, I would think.
I hear a lot of mention on the list that process authorization is not
needed when using capabilities, but to me that will hold true only 'after'
some basic conditions are met, which I think are not yet met during
bootstrapping. If there are other methods, using multi-host unix
infrastructures and unix domain socket filehandles as capabilities, to
bootstrap a basic capability based design without initial process
authentication, I would be very interested, as to me a kerberos or similar
process authentication bootstrap would seem like the only viable way to
start the processes up to their initial capabilities.

Rob
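The bootstrap question in the message above (authenticate a process once, then hand it its initial capabilities as Unix domain socket filehandles) is easy to show concretely on a single host. The following is an added example, not code from the thread or from any project discussed in it: a "bootstrap capability broker" authenticates its local peer with the kernel-supplied SO_PEERCRED identity (standing in for the kerberos step in the single-host case) and, if the uid is acceptable, passes a read-only file descriptor over SCM_RIGHTS. From then on, holding that descriptor is the client's whole authority: it can read the file and nothing else, and no further checks are made. The function names (broker_serve, client_bootstrap, run_demo), the sample file contents and the use of a socketpair within one process are the example's own assumptions; SO_PEERCRED is Linux-specific, and where it is missing the broker fails closed. It does not cover the first question (dropping the ability to create sockets), which is a syscall-filtering problem of the systrace kind.

```python
import array
import errno
import os
import socket
import struct
import tempfile

# Constructed example: a single process plays both the bootstrap capability
# broker and the client over a socketpair. In a real deployment the two ends
# live in separate processes (a listening AF_UNIX socket and its peers), but
# the kernel mechanism is identical.


def peer_credentials(sock):
    """Kernel-attested (pid, uid, gid) of the peer on an AF_UNIX socket.

    Uses SO_PEERCRED (Linux). Returns None where the option is unavailable so
    that callers can fail closed instead of trusting an unauthenticated peer.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)  # struct ucred { pid_t pid; uid_t uid; gid_t gid; }


def send_fd(sock, fd, tag=b"cap"):
    """Pass an open descriptor to the peer via SCM_RIGHTS; the kernel dups it."""
    rights = array.array("i", [fd])
    sock.sendmsg([tag], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_fd(sock):
    """Return (tag, fd) for one message; fd is None if no descriptor was attached."""
    fd_size = array.array("i").itemsize
    tag, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_SPACE(fd_size))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds = array.array("i")
            fds.frombytes(data[:fd_size])
            return tag, fds[0]
    return tag, None


def broker_serve(sock, path, allowed_uid):
    """Bootstrap step: authenticate the peer once, then hand it its initial capability.

    The capability is a read-only descriptor. After this point the client is
    never checked again: possession of the descriptor is its authority.
    """
    creds = peer_credentials(sock)
    if creds is None or creds[1] != allowed_uid:  # fail closed on unknown peer
        sock.sendmsg([b"denied"])
        return False
    fd = os.open(path, os.O_RDONLY)
    try:
        send_fd(sock, fd)
    finally:
        os.close(fd)  # broker's copy only; the client now holds its own
    return True


def client_bootstrap(sock):
    """Receive the initial capability and exercise it; report what was possible."""
    _tag, fd = recv_fd(sock)
    if fd is None:
        return {"granted": False, "data": None, "write_denied": None}
    try:
        data = os.read(fd, 4096)
        try:
            os.write(fd, b"x")
            write_denied = False
        except OSError as e:
            write_denied = e.errno == errno.EBADF  # descriptor carries no write right
    finally:
        os.close(fd)
    return {"granted": True, "data": data, "write_denied": write_denied}


def run_demo(allowed_uid=None):
    """Drive broker and client over a socketpair; returns the client's report.

    allowed_uid defaults to the current uid (the peer of a socketpair is this
    process); pass -1 to see the broker refuse an unauthorised peer.
    """
    if allowed_uid is None:
        allowed_uid = os.getuid()
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"secret config\n")  # constructed sample content
        path = f.name
    broker_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        broker_serve(broker_end, path, allowed_uid)
        return client_bootstrap(client_end)
    finally:
        broker_end.close()
        client_end.close()
        os.unlink(path)


if __name__ == "__main__":
    print(run_demo())    # granted: file read, write refused with EBADF
    print(run_demo(-1))  # denied: wrong uid at bootstrap, no descriptor passed
```

The point the example makes is the one Rob raises: the only identity check happens at the broker, before the first descriptor is handed out. Everything the client can do afterwards is bounded by what was passed (here, read but not write), which is why no later "who are you" step is needed. Across hosts the kernel cannot vouch for the peer, so the SO_PEERCRED call is exactly the place where a kerberos-style authentication would have to stand in.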