NOTES These are the release notes for the kernel token distribution, 0.2. Please read the license in license/ktokens.license. Contents -------- 0. New Features since 0.1 1. Limitations 2. Building ktokens 3. Test Programs 4. Good Things to Try 5. Files and Directories 6. Contact Information 0. New Features since 0.1 ------------------------- - Mod unload garbage collection now works - Bug fixes - Rudimentary TOKEND behavior implemented - KerberosIV patches to use Tokens/PAGs - Setuidtoken implemented as sample syscall access control behavior - More extensive user test utilities - Makefiles improved -- make install added 1. Limitations -------------- Many: proc hooks: There is current no extended authentication hook in the kernel proc structure. To work around this, the ktoken kernel module uses a hash table to map use processes to PAG structures. The real solution is just to add a new pointer in the proc structure (see kernel/p_authext.diff). As this is not yet available in the main FreeBSD tree, this is not used. The hash table implementation is a hack, and does not behave well on a collision. The code works perfectly until at least 2048 processes have joined a PAG. At that point, collisions result in a failure of new processes to join a PAG in a fork. This is not fatal, and will not result in any crashes or corruption of data. However, this is not correct behavior for PAGs. vmstat: Because kernel MALLOC does not allow the unregistering of malloc_type records, make unload results in an unreadable vmstat -m. Maybe I should fix MALLOC? Or maybe I should not use specific malloc_types. It is useful for monitoring memory though. (This is not an issue under 2.2 as malloc types are not used in the 2.2 build of the module) no transfer: Loadable kernel modules cannot currently hook the socket-based transfer of rights/kernel structures. For this to be implemented, hooks must be added to the FreeBSD kernel. Patches to allow this will be added shortly. setdebug: Due to syslogd using fsync() on log files when messages come from the kernel, setting any reasonable debug level results in the disk churning. Workaround: don't use high debug levels, or disable syslog on kernel messages. 2. Building ktokens ------------------- This software was developed under FreeBSD 3.0-CURRENT, but should also work in 2.2-STABLE. It builds with one warning under -STABLE due to a prototype change for syscalls. This should not affect functionality. However, tokens have not been tested under 2.2, and were not developed there, so no guarantees are made (not that they were for 3.0 either). To build: % cd impl % make To install binaries, libraries, and includes (if desirable): # make install To load the module: # cd module # make load To unload the module: # cd module # make unload To run test programs: % cd userland % ./program [args] 3. Test Programs ---------------- tokcontrol [command] [commandargs] Interface to the token module. Sample uses: # tokcontrol debug 100 Sets debug level to 100. (root only) # tokcontrol createtokend Creates a TOKEND localpriv token to allow the creation of privileged tokens. (root only) newpag [command] Execs 'command' in a new PAG. This is achieved by calling t_newpag(), fork(), and exec(). A useful invocation is "newpag csh". If a parent PAG exists, then any tokens in it marked with the INHERIT right will exist also in the new PAG. % ./newpag tcsh listtokens Lists all tokens in the current PAG using the t_printpretty() function. This is implemented via repeated calls to t_findtoken() and t_readtoken() until no more tokens are found. % ./listtokens Listing tokens in PAG 7 TokenID: 36 Name: setuid1.@local Rights: RMDIet Type: localpriv (1,2,0) Pub length: 0 Priv length: 0 Createtime: 899609951 Expiretime: 0 Creator: process (2) createtoken Creates a token for the sake of experimentation. % ./createtoken deletetoken [tokenid|-a] Deletes the specified token from the current PAG. With the -a argument, all tokens in the current PAG are deleted. This is implemented via the t_deletetoken() call. For all tokens, repeated calls to t_findtoken() are made to discover tokens to delete. % ./deletetoken 1 reflecttoken [tokenid] Generate a reflection of the specified token. This is implemented via t_reflecttoken(). % ./reflecttoken 2 4. Good Things to Try --------------------- Here are some things to try: % ./newpag csh % ./listtokens % ./createtoken % ./listtokens % ./reflecttoken 1 % ./listtokens % ./newpag csh % ./listtokens % exit % ./listtokens % ./deletetoken -a % ./listtokens % exit An interesting example of kernel authorization tokens: % indicates a normal user prompt # indicates a root prompt % newpag tcsh % id uid=1000(test) gid=1000(test) groups=0(wheel), 1000(test) % su Password: # createtokend createtokend: preparing to generate a token createtokend: ok # listtokens Listing tokens in PAG 2 TokenID: 2 Name: tokend.@localpriv Rights: rmDiet Type: localpriv (1,1,0) Pub length: 0 Priv length: 0 Createtime: 0 Expiretime: 0 Creator: kernel (1) # exit % listtokens Listing tokens in PAG 2 TokenID: 2 Name: tokend.@localpriv Rights: rmDiet Type: localpriv (1,1,0) Pub length: 0 Priv length: 0 Createtime: 0 Expiretime: 0 Creator: kernel (1) % createuidtoken 1001 createuidtoken: preparing to generate a token for 1001 createtoken: received tokenid 3 % listtokens TokenID: 2 Name: tokend.@localpriv Rights: rmDiet Type: localpriv (1,1,0) Pub length: 0 Priv length: 0 Createtime: 0 Expiretime: 0 Creator: kernel (1) TokenID: 3 Name: setuid1.@localpriv Rights: rmDIet Type: localpriv (1,2,1001) Pub length: 0 Priv length: 0 Createtime: 900296539 Expiretime: 0 Creator: tokend (3) % setuid 3 id uid=1001(test2) gid=1000(test) groups=0(wheel), 1000(test) The user creates a normal PAG. They then su to root, and create a tokend token via the debugging interface. On returning to their previous shell in the same PAG, they still have the tokend token. Using that token, they may create local authorization tokens that the kernel will observe. The createuidtoken command creates a setuid token with uid 1001, and with the tokend creator. The setuid command makes use of this token to run the id command as uid 1001, which the kernel knows the user is authorized to make use of. This could be extended to arbitrary kernel privileges using a token manager possessing the tokend token, and the ability to transfer tokens to other PAGs. Users permitted to switch UIDs would be able to acquire setuid tokens as needed for those IDs. 5. Files and Directories ------------------------ Directory structure: docs/ Documentation impl/ Implementation common/ Code common to the kernel and userland (syscall arguments, structures, constants, etc) module/ Kernel-only code, structures,etc userland/ User-land only code, structures (library, testprograms) kerberosIV/ KTH KerberosIV modifications to use tokens (under-tested) kernel/ Kernel patches to improve kernel interaction (not yet used) Source files: common/ktoken_const.h Common constants (rights, etc) common/ktoken_structs.h Common structs (utoken structure) common/ktoken_types.h Common types (tokenid_t, etc) common/ktoken_syscall.h Syscall argument structures kerberosIV/kdestroy.c Token-based kdestroy kerberosIV/tf_util_token.c Token-based krb4 support code (requires rebuilding krb4 libraries + programs) kernel/p_authext.diff Kernel (3.0) diffs to add pag refs in proc (not used) module/ktokenloader.c Module loading/unloading code module/ktoken_kconst.h Constants specific to the kernel module/ktoken.c Syscall code, at_* hooks module/ktoken.h Supporting prototypes, macros module/ktoken_support.c Token/PAG manipulation routines module/ktoken_support.h Supporting prototypes, macros module/ktoken_kstructs.h Kernel-specific structures (PAGS, etc) module/procmap.c Cheapo-hash from pid to PAGs module/procmap.h Supporting prototypes, structs userland/libktoken.h Supporting code prototypes userland/libktoken.c Supporting code (library) userland/createtoken.c Creates new token userland/createuidtoken.c Create a uid-localpriv token userland/deletetoken.c Deletes a token userland/listtokens.c Lists current pag token userland/newpag.c Creates new pag userland/reflecttoken.c Reflects a token userland/setuid.c Using an appropriate uid-localpriv token, su userland/tokcontrol.c Debugging control and TOKEND creation 6. Contact Information ---------------------- FreeBSD Tokens Page: http://www.watson.org/fbsd-hardening/tokens/ FreeBSD related questions: robert+freebsd@cyrus.watson.org General ktokens questions: robert+sec.ktokens@cyrus.watson.org Personal email: robert@fledge.watson.org $Id: NOTES,v 1.8 1998/07/13 18:13:11 robert Exp $