For quite some time now credentials are more complicated than just a bunch of ids and as such are stored in a dedicated structure.
Credentials very rarely change (compared to how often they are read), so an approach which optimizes for reads is definitely in order.
First let's have a look at what happens in FreeBSD.
struct ucred contains a reference counter. In short it's a method of counting other structures which use this one [1]. New creds start with refcount of 1 and are freed when the counter reaches 0. The structure is copy-on-write - once initialised, it's never changed. This means that calls which change credentials (e.g. setuid(2)) always allocate new ones [2].
Processes are represented with struct proc which have one or more struct threads linked in. Both structures contain their own pointer to creds and keep their own reference.
So when credentials are changed, new cred struct is allocated and proc's credential pointer is modified to point to it. Threads check they got current cred pointer as they cross kernel<->userspace boundary. If needed they reference new credentials and drop the reference on old ones.
In effect cred access for the executing thread (the common case) is very cheap -- the kernel can just read them without any kind of locking.
This leaves a window where a thread can enter the kernel, while anoother thread just changed credentials and as a result operate using stale creds until it leaves the kernel, which is fine (I may elaborate in another post). Actions concerning process<->process interaction are authorized against proc credentials.
So, what happens in Linux?
Linux has a dedicated structure (struct cred) which also uses a copy-on-write scheme.
Big differences start with processes. These are represented with task_struct. Threads composing a process are just more task_struct's linked together into a thread group.
When credentials are changed in Linux , the kernel only deals with the calling thread. Other threads are not updated and are "unaware" of the event. That's the first weird part.
So how come a multithreaded process calling setuid ends up with consistent creds across its threads?
And the second: glibc makes all threads call setuid on their own (I did not check other libc implementations available for Linux, I presume they do the same.)
Now, it may be there are valid reasons to support per-thread credentials (serving files over the network?). But I would still expect dedicated syscalls (thread_setuid?) which just deal with a given thread and setuid etc. to deal with the entire process.
[1] strictly speaking not every structure storing a pointer to a refcounted structure must have its own reference. Dependencies between various structs can implicitly keep things stable.
[2] while typically true in practice, strictly speaking one could hack it up to e.g. lookup appropriate credentials and grab a reference on them
No comments:
Post a Comment