On 3/9/2018 11:06 AM, Dirk Heinrichs wrote:
> On 08.03.2018 at 18:54, Jeffrey Altman wrote:
>>>  2. let AFS use the per-user keyring instead of the per-session one
>>>     (suggested in the systemd bug discussion)
>>>
>>> Does the second one sound reasonable?
>> Switching to the user keyring is unreasonable.  The impact of such a
>> change is that all user sessions on a system share the same tokens and
>> an effective uid change permits access to those same tokens.
>>
>> Process Authentication Groups (PAGs) exist explicitly to establish a
>> security barrier to prevent such credential leakage.
> 
> I understand. However, why not let the user (or better: admin) decide? I
> assume this is coded in the cache manager, so the module could be
> enhanced with a parameter that allows choosing between the two variants
> at module load time. The current behaviour of using the session keyring
> could still be the default.

It is already up to the administrator.  The choice of whether or not to use
PAGs is a decision made by the tooling that acquires tokens.  If PAGs
are not used, the tokens are bound to the uid.  Making the choice to not
use PAGs means that there is a serious security vulnerability.

Jeffrey Altman
