Journal: Operating systems review

Plan 9 Authentication in Linux


Abstract

In Linux, applications like su and login currently run as root in order to access authentication information and set or alter the identity of the process. In such cases, if the application is compromised while running as a privileged user, the entire system can become vulnerable. An alternative approach is taken by the Plan 9 operating system from Bell Labs, which runs such applications as a non-privileged user and relies on a kernel-based capability device working in coordination with an authentication server to provide the same services. This avoids the risk of an application vulnerability becoming a system vulnerability.

This paper discusses the extension of Linux authentication mechanisms to allow the use of the Plan 9 approach with existing Linux applications in order to reduce the security risks mentioned earlier. It describes the port of the Plan 9 capability device as a character device driver for the Linux kernel. It also describes the port of the Plan 9 authentication server and the implementation of a PAM module which allows the use of these new facilities. It is now possible to restrain processes like login and su from the uncontrolled setuid bit and make them run on behalf of an unprivileged user in Linux.