hurd-l4/doc hurd-on-l4.tex ipc.tex posix.tex th...

[Marcus Brinkmann]

CVSROOT:        /cvsroot/hurd
Module name:    hurd-l4
Branch:         
Changes by:     Marcus Brinkmann <address@hidden>       03/09/07 18:24:07

Modified files:
        doc            : hurd-on-l4.tex ipc.tex posix.tex 
                         threads-tasks.tex 
Removed files:
        doc            : authentication.tex 

Log message:
        Move authentication into POSIX part.
        
        Downgrade subsubsections to paragraphs again.

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/hurd/hurd-l4/doc/hurd-on-l4.tex.diff?tr1=1.19&tr2=1.20&r1=text&r2=text
http://savannah.gnu.org/cgi-bin/viewcvs/hurd/hurd-l4/doc/ipc.tex.diff?tr1=1.1&tr2=1.2&r1=text&r2=text
http://savannah.gnu.org/cgi-bin/viewcvs/hurd/hurd-l4/doc/posix.tex.diff?tr1=1.1&tr2=1.2&r1=text&r2=text
http://savannah.gnu.org/cgi-bin/viewcvs/hurd/hurd-l4/doc/threads-tasks.tex.diff?tr1=1.1&tr2=1.2&r1=text&r2=text

Patches:
Index: hurd-l4/doc/hurd-on-l4.tex
diff -u hurd-l4/doc/hurd-on-l4.tex:1.19 hurd-l4/doc/hurd-on-l4.tex:1.20
--- hurd-l4/doc/hurd-on-l4.tex:1.19     Sun Sep  7 17:49:29 2003
+++ hurd-l4/doc/hurd-on-l4.tex  Sun Sep  7 18:24:06 2003
@@ -20,7 +20,6 @@
 \include{ipc}
 \include{threads-tasks}
 \include{vmm}
-\include{authentication}
 \include{posix}
 \include{debugging}
 \include{device-drivers}
Index: hurd-l4/doc/ipc.tex
diff -u hurd-l4/doc/ipc.tex:1.1 hurd-l4/doc/ipc.tex:1.2
--- hurd-l4/doc/ipc.tex:1.1     Sun Sep  7 17:49:29 2003
+++ hurd-l4/doc/ipc.tex Sun Sep  7 18:24:06 2003
@@ -236,7 +236,7 @@
 the other participants task ID, so they can be sure that from there on
 they will always talk to the same task as they talked to before.
 
-\subsubsection{Preconditions}
+\paragraph{Preconditions}
 The client knows the thread ID of the server thread that receives and
 processes the bootstrap messages.  Some other task might hold a task
 info capability to the server the client wants to connect to.
@@ -373,7 +373,7 @@
   \end{comment}
 \end{enumerate}
 
-\subsubsection{Result}
+\paragraph{Result}
 The client has a task info capability for the server and an
 authenticated capability.  The server has a task info capability for
 the client and seen some sort of authentication for the capability it
@@ -419,7 +419,7 @@
 or any of the untrusted participants is malicious, the others should
 not be harmed.
 
-\subsubsection{Preconditions}
+\paragraph{Preconditions}
 The client $C$ has a capability from server $S$ (this implies that $C$
 has a task info cap for $S$ and $S$ has a task info cap for $C$).  It
 wants to copy the capability to the destination task $D$.  For this,
@@ -615,7 +615,7 @@
 
 \end{enumerate}
 
-\subsubsection{Result}
+\paragraph{Result}
 For the client $C$, nothing has changed.  The destination task $D$
 either did not accept the capability, and nothing has changed for it,
 and also not for the server $S$.  Or $D$ accepted the capability, and
@@ -671,7 +671,7 @@
   important information about how, and more importantly, why it works.
 \end{comment}
 
-\subsubsection{The server $S$ dies}
+\paragraph{The server $S$ dies}
 What happens if the server $S$ dies unexpectedly sometime throughout
 the protocol?
 
@@ -700,7 +700,7 @@
 Eventually, $C$ (and $D$ if it already got the task info cap for $S$)
 will process the task death notification and clean up their state.
 
-\subsubsection{The client $C$ dies}
+\paragraph{The client $C$ dies}
 The server $S$ and the destination task $D$ hold a task info cap for
 $C$, so no imposter can get its task ID.  $S$ and $D$ will get errors
 when trying to send messages to $C$.  Depending on when $C$ dies, the
@@ -720,7 +720,7 @@
   suggests that.
 \end{comment}
 
-\subsubsection{The destination task $D$ dies}
+\paragraph{The destination task $D$ dies}
 
 The client $C$ holds a task info cap for $D$ over the whole operation,
 so no imposter can get its task ID.  Depending on when $D$ dies, it
@@ -728,7 +728,7 @@
 destroying the reference container, or it has, and then $S$ will clean
 up its state when it processes the task death notification for $D$.
 
-\subsubsection{The client $C$ and the destination task $D$ die}
+\paragraph{The client $C$ and the destination task $D$ die}
 
 This scenario is the reason why the server acquires its own task info
 cap for $D$ so early, and why it must do that under the constraint
@@ -761,7 +761,7 @@
 Of course, if the capability was already copied at the time $C$ and
 $D$ die, the server will just do the normal cleanup.
 
-\subsubsection{The client $C$ and the server $S$ die}
+\paragraph{The client $C$ and the server $S$ die}
 
 This scenario does not cause any problems, because on the one hand,
 the destination task $D$ holds a task info cap for $C$, and it
@@ -774,14 +774,14 @@
 from $D$ because $D$ uses $C$ as its constraint in acquireing the task
 info cap for $S$.
 
-\subsubsection{The destination task $D$ and the server $S$ die}
+\paragraph{The destination task $D$ and the server $S$ die}
 
 As $C$ holds task info caps for $S$ and $D$, there is nothing that can
 go wrong here.  Eventually, the task death notifications are
 processed, but the task info caps are not released until the protocol
 is completed or aborted because of errors.
 
-\subsubsection{The client $C$, the destination task $D$ and the server $S$ die}
+\paragraph{The client $C$, the destination task $D$ and the server $S$ die}
 
 Before the last one of these dies, you are in one of the scenarios
 which already have been covered.  After the last one dies, there is
@@ -812,7 +812,7 @@
   server $S$.
 \end{comment}
 
-\subsubsection{The client $C$ is malicious}
+\paragraph{The client $C$ is malicious}
 
 If the client $C$ wants to break the protocol, it has numerous
 possibilities to do so.  The first thing it can do is to provide a
@@ -908,7 +908,7 @@
 it could just follow the protocol with the imposter as the destination
 task.
 
-\subsubsection{The destination task $D$ is malicious}
+\paragraph{The destination task $D$ is malicious}
 
 The destination task has not as many possibilities as $C$ to attack
 the protocol.  This is because it is trusted by $C$.  So the only
@@ -937,7 +937,7 @@
   The destination task $D$ is welcome to shoot itself in its foot.
 \end{comment}
 
-\subsubsection{The client $C$ and the destination task $D$ are malicious}
+\paragraph{The client $C$ and the destination task $D$ are malicious}
 
 The final question we want to raise is what can happen if the client
 $C$ and the destination task $D$ are malicious.  Can $C$ and $D$
Index: hurd-l4/doc/posix.tex
diff -u hurd-l4/doc/posix.tex:1.1 hurd-l4/doc/posix.tex:1.2
--- hurd-l4/doc/posix.tex:1.1   Sun Sep  7 17:49:29 2003
+++ hurd-l4/doc/posix.tex       Sun Sep  7 18:24:06 2003
@@ -5,6 +5,164 @@
 the Hurd servers.  Several system servers support the C library.
 
 
+\section{Authentication}
+\label{auth}
+
+Capabilities are a good way to give access to protected objects and
+services.  They are flexible, lightweight and generic.  However, Unix
+traditionally uses access control lists (ACL) to restrict access to
+objects like files.  Any task running with a certain user ID can
+access all files that are readable for the user with that user ID.
+Although all objects are implemented as capabilities in the Hurd, the
+Hurd also supports the use of user IDs for access control.
+
+The system authentication server \texttt{auth} implements the Unix
+authentication scheme using capabilities.  It provides auth
+capabilities, which are associated with a list of effective and
+available user and group IDs.  The holder of such a capability can use
+it to authenticate itself to other servers, using the protocol below.
+
+Of course, these other servers must use (and trust) the same
+\texttt{auth} server as the user.  Otherwise, the authentication will
+fail.  Once a capability is authenticated in the server, the server
+will know the user IDs of the client, and can use them to validate
+further operations.
+
+The \texttt{auth} server provides two types of capabilities:
+
+\paragraph{Auth capabilities}
+An auth capability is associated with four vectors of IDs: The
+effective user and group IDs, which should be used by other servers to
+authenticate operations that require certain user or group IDs, and
+the available user and group IDs.  Available IDs should not be used
+for authentication purposes, but can be turned into effective IDs by
+the holder of an auth capability at any time.
+
+New auth capabilities can be created from existing auth capabilities,
+but only if the requested IDs are a subsets from the union of the
+(effective and available) IDs in the provided auth capabilities.  If
+an auth capability has an effective or available user ID 0, then
+arbitrary new auth objects can be created from that.
+
+\paragraph{Passport capabilities}
+A passport capability can be created from an auth capability and is
+only valid for the task that created it.  It can be provided to a
+server in an authentication process (see below).  For the client, the
+passport capability does not directly implement any useful operation.
+For the server, it can be used to verify the identity of a user and
+read out the effective user and group IDs.
+
+The auth server should always create new passport objects for
+different tasks, even if the underlying auth object is the same, so
+that a task having the passport capability can not spy on other tasks
+unless they were given the passport capability by that task.
+
+\subsection{Authenticating a client to a server}
+
+A client can authenticate itself to a server with the following
+protocol:
+
+\paragraph{Preconditions}
+The client $C$ has an auth capability implemented by the \texttt{auth}
+server $A$.  It also has a capability implemented by the server $S$.
+It wants to reauthenticate this capability with the auth capability,
+so the server associates the new user and group IDs with it.
+
+The server also has an auth capability implemented by its trusted
+\texttt{auth} server.  For the reauthentication to succeed, the
+\texttt{auth} server of the client and the server must be identical.
+If this is the case, the participating tasks hold task info caps for
+all other participating tasks (because of the capabilities they hold).
+
+\begin{enumerate}
+\item The client $C$ requests the passport capability for itself from
+  the auth capability from $A$.
+
+  \begin{comment}
+    Normally, the client will request the passport capability only
+    once and store it together with the auth capability.
+  \end{comment}
+  
+\item The \texttt{auth} server receives the request and creates a new
+  passport capability for this auth capability and this client.  The
+  passport capability is returned to the user.
+  
+\item The user receives the reply from the \texttt{auth} server.
+  
+  It then sends the reauthentication request to the server $S$, which
+  is invoked on the capability the client wants to reauthenticate.  It
+  provides the passport capability as an argument.
+  
+\item The server $S$ can accept the passport capability, if it
+  verifies that it is really implemented by the \texttt{auth} server
+  it trusts.  If the client does not provide a passport capability to
+  the trusted \texttt{auth} server, the authentication process is
+  aborted with an error.
+  
+  Now the server can send a request to the \texttt{auth} server to
+  validate the passport capability.  The RPC is invoked on the
+  passport capability.
+  
+\item The \texttt{auth} server receives the validation request on the
+  passport capability and returns the task ID of the client $C$ that
+  this passport belongs to, and the effective user and group IDs for
+  the auth cap to which this passport cap belongs.
+
+  \begin{comment}
+    The Hurd on Mach returned the available IDs as well.  This feature
+    is not used anywhere in the Hurd, and as the available IDs should
+    not be used for authentication anyway, this does not seem to be
+    useful.  If it is needed, it can be added in an extended version
+    of the validation RPC.
+  \end{comment}
+  
+\item The server receives the task ID and the effective user and group
+  IDs.  The server now verifies that the task ID is the same as the
+  task ID of the sender of the reauthentication request.  Only then
+  was the reauthentication request made by the owner of the auth cap.
+  It can then return a new capability authenticated with the new user
+  and group IDs.
+
+  \begin{comment}
+    The verification of the client's task ID is necessary.  As the
+    passport cap is copied to other tasks, it can not serve as a proof
+    of identity alone.  It is of course absolutely crucial that the
+    server holds the task info cap for the client task $C$ for the
+    whole time of the protocol.  But the same is actually true for any
+    RPC, as the server needs to be sure that the reply message is sent
+    to the sender thread (and not any imposter).
+  \end{comment}
+  
+\item The client receives the reply with the new, reauthenticated
+  capability.  Usually this capability is associated in the server
+  with the same abstract object, but different user credentials.
+
+  \begin{comment}
+    Of course a new capability must be created.  Otherwise, all other
+    users holding the same capability would be affected as well.
+  \end{comment}
+
+  The client can now deallocate the passport cap.
+
+  \begin{comment}
+    As said before, normally the passport cap is cached by the client
+    for other reauthentications.
+  \end{comment}
+\end{enumerate}
+
+\paragraph{Result}
+The client $C$ has a new capability that is authenticated with the new
+effective user and group IDs.  The server has obtained the effective
+user and group IDs from the \texttt{auth} server it trusts.
+
+\begin{comment}
+  The Hurd on Mach uses a different protocol, which is more complex
+  and is vulnerable to DoS attacks.  The above protocol can not
+  readily be used on Mach, because the sender task of a message can
+  not be easily identified.
+\end{comment}
+
+
 \section{Process Management}
 \label{proc}
 
Index: hurd-l4/doc/threads-tasks.tex
diff -u hurd-l4/doc/threads-tasks.tex:1.1 hurd-l4/doc/threads-tasks.tex:1.2
--- hurd-l4/doc/threads-tasks.tex:1.1   Sun Sep  7 17:49:29 2003
+++ hurd-l4/doc/threads-tasks.tex       Sun Sep  7 18:24:06 2003
@@ -14,7 +14,7 @@
 
 The \texttt{task} server provides three different capability types.
 
-\subsubsection{Task control capabilities}
+\paragraph{Task control capabilities}
 If a new task is created, it is always associated with a task control
 capability.  The task control capability can be used to create and
 destroy threads in the task, and destroy the task itself.  So the task
@@ -31,7 +31,7 @@
   capability reference is released.
 \end{comment}
 
-\subsubsection{Task info capabilities}
+\paragraph{Task info capabilities}
 \label{taskinfocap}
 Any task can create task info capabilities for other tasks.  Such task
 info capabilities are used mainly in the IPC system (see section
@@ -74,7 +74,7 @@
   do not need anymore.
 \end{comment}
 
-\subsubsection{Task manager capability}
+\paragraph{Task manager capability}
 A task is a relatively simple object, compared to a full blown POSIX
 process, for example.  As the \texttt{task} server is enforced system
 code, the Hurd does not impose POSIX process semantics in the task