Subject: Re: CVS commit: src/sys
To: Bill Stouder-Studenmund <wrstuden@netbsd.org>
From: Bill Stouder-Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 06/24/2007 14:05:22
--Qxx1br4bt0+wmkIi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Jun 24, 2007 at 08:43:30PM +0100, David Laight wrote:
> On Sun, Jun 24, 2007 at 11:30:10AM -0700, Bill Stouder-Studenmund wrote:
> >=20
> > Setting groups:
>=20
> How about:
I think this is a good step in the right direction. I like it.
> @@ -131,6 +131,28 @@ kauth_cred_alloc(void)
> return (cred);
> }
>=20
> +kauth_cred_t
> +kauth_cred_alloc1(int ngroups, gid_t **grbuf)
My instinct is to use a different name, but I'll be honest I've started to=
=20
drink the Objective C naming kool-aid. "kauth_cred_alloc_with_ngroups"=20
comes to mind. But with good doco, kauth_cred_alloc1 can work.
> +{ =20
> + kauth_cred_t cred;
> + =20
> + if (ngroups < 0 || ngroups > NGROUPS)
> + return NULL;
> +
> + cred =3D kauth_cred_alloc();
> + cred->cr_ngroups =3D ngroups;
> + if (grbuf !=3D NULL)
> + *grbuf =3D cred->cr_groups;
> + =20
> + return cred;
> +}
Minor nit, check for failure of kauth_cred_alloc().
> +void
> +kauth_cred_alloc_finalise_grouplist(kauth_cred_t cred)
> +{ =20
> + KASSERT(cred->cr_refcnt =3D=3D 1);
> +}
> +
How about kauth_cred_alloc1_finalize() (changing alloc1 if we change the=20
allocation routine's name as above)? The idea is that allocation is a two=
=20
step process, and this finishes the second step.
Another nit, I think it'd be good to pass the gid array in. While our=20
current credential structure doesn't have to do any work here, if we=20
changed how we handle groups (say GUIDS), we could have a lot of work to=20
do here.
Phrased another way, I think that we aren't violating kauth's opacity if=20
the code doesn't depend on the fact group membership is stored as a set of=
=20
gid_t's. That the code happens to work fast if it is is ok as long as the=
=20
external code doesn't need to change if we change the implementation.
As a test, the calling code should work just as well if we change the=20
alloc1()/finalize() implementation to malloc() a buffer and then memcpy()=
=20
it in finalize(). I think things are easiest then if we pass the array=20
back in.
The only other issue I see is I'd like it if we could make it explicit
that you have to call kauth_cred_alloc1()/
kauth_cred_alloc_finalise_grouplist() as a pair. As in something we could=
=20
KASSERT(). I realize I'm now raising the bar some and making more work, so=
=20
I'm not going to press hard at the moment. But we have a partially-set-up=
=20
kauth_cred_t, and I'd like to make sure we can't do anything else with it=
=20
until we are done.=20
I think what I'm thinking of is some sort of "initializing" flag in the=20
kauth_cred_t and KASSERTS to make sure it's not set.
> @@ -567,19 +567,17 @@ sys_setgroups(struct lwp *l, void *v, re
> int error;
> gid_t *grbuf;
>=20
> - ncred =3D kauth_cred_alloc();
> + ncred =3D kauth_cred_alloc1(SCARG(uap, gidsetsize), &grbuf);
> + if (ncred =3D=3D NULL)
> + return EINVAL;
> =20
> - grbuf =3D kauth_cred_setngroups(ncred, SCARG(uap, gidsetsize));
> - if (grbuf =3D=3D NULL)
> - error =3D EINVAL;
> - else {
> - error =3D copyin(SCARG(uap, gidset), grbuf,
> - SCARG(uap, gidsetsize) * sizeof(gid_t));
> - }
> + error =3D copyin(SCARG(uap, gidset), grbuf,
> + SCARG(uap, gidsetsize) * sizeof(gid_t));
> if (error !=3D 0) {
> kauth_cred_free(ncred); =20
> return error;
> }
> + kauth_cred_alloc_finalise_grouplist(ncred);
> =20
> return kauth_proc_setgroups(l, ncred);
> }
Thank you for making these changes!
Take care,
Bill
--Qxx1br4bt0+wmkIi
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)
iD8DBQFGftySWz+3JHUci9cRAli1AKCQWlE+xxeAiN5zrSoRG1IBnLMczgCdHzWm
dQnOVlm/GXPrqaT2hThS+jw=
=XQkY
-----END PGP SIGNATURE-----
--Qxx1br4bt0+wmkIi--