Subject: Re: CVS commit: src/sys
To: Bill Stouder-Studenmund <wrstuden@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: tech-security
Date: 06/24/2007 19:36:01
On Sun, Jun 24, 2007 at 11:30:10AM -0700, Bill Stouder-Studenmund wrote:
> Setting groups:
> 
> 3) We pass out the memory array, let the caller scribble on it, then 
> process it. This seems like a bad idea. I think what we should do is pass 
> in an array and have kauth set the group list to that. I think changing 
> the group set should be atomic. Either it happens or it doesn't. Other 
> users (other threads in the same process for instance) should either see 
> the old group set or the new group set. Nothing else.
> 
> The current code, however, isn't atomic. We set the number of groups in
> the kauth_cred_setngroups() call. We then let the caller do things. We 
> then kauth_authorize_process() the operation, and if it fails, we error 
> out.

Actually the intent is that this code runs immediately after kauth_cred_alloc()
so the cred structure has no contents prior to the call.

> What's really unclear to me is how we are supposed to go back to the 
> original group set at this point. The caller has directly modified the 
> group set, and I see no way to restore the old contents.

You don't the only user is the code trying to initialise the structure.
on error it is freed.
 
> 4) Since we change the # groups before we finish changing the groups, we 
> can expose concurrent access to group IDs that aren't set yet. Say we 
> raise the count. Before we finish updating the array, other threads can 
> see garbage gids. That's bad.

No only owner is the calling function.
 
> 6) In kauth_proc_setgroups(), there are two calls to proc_crmod_leave() 
> that have "ncred" and "cred" passed as different arguements. Is that 
> correct?

Correct.

	David

-- 
David Laight: david@l8s.co.uk