pthread_setugid_np
Robert Watson
rwatson at FreeBSD.org
Fri May 29 08:48:35 UTC 2009
On Wed, 27 May 2009, Zachary Loafman wrote:
> Isilon has need of per-thread impersonation. We're looking at implementing
> something like the pthread_setugid_np mechanism found on OS X, loosely
> documented in the code:
>
> http://fxr.watson.org/fxr/source/bsd/kern/kern_prot.c?v=xnu-1228 (see settid
> and setgroups1)
>
> and some here:
> http://lists.apple.com/archives/perfoptimization-dev/2008/Jan/msg00043.html
>
> Does anyone have strong objections to Apple's APIs here? There's obviously
> no portable itnerface to handle it, and it seems a little saner to just
> adopt someone else's API/semantics rather than reinvent.
I'm not opposed to adding APIs along these lines, as long as it is done Very
Carefully(tm). Some experience here suggests these sorts of things are very
easy to do wrong, anyway. :-)
Having spent some time investigating and using the APIs on Mac OS X in the
last year, I can report that their usage is at times inconsistent.
Applications frequently fail to properly update their full thread credentials,
assuming that updating only the euid or egid is sufficient, perhaps neglecting
other IDs or additional groups. While this is definitely an application bug,
it is also relevant to the base OS because we do provide a set of
credential-management library functions (especially setlogincontext(3)) that
will not be aware of thread credentials.
Per-thread credentials also require semantics that effectively preclude M:N
threading with usersapce context switching being used in the future (or, at
least, requires user threads with different credentials to use different
kernel-visible threads, or the addition of explicit ucred descriptors to allow
credential context to be saved and restored), which while not currently a huge
concern, is worth thinking about.
There are also potential concerns about other credential elements, such as MAC
labels provided by policies that assume timely update of the label across all
threads (i.e., on next entry to the kernel) as part of their semantics, and
might not respond well to individual threads having other labels. This might
be addressed by MAC policies having the opportunity to force an update to the
per-thread credential even when running in per-thread mode in order to
propagate their own changes, but we'd have to think a bit about the specific
requirements.
Finally: one of the things Apple found with lots of use of daemons that either
switched credentials a lot in order to impersonate many users out of a singlle
process, is that they ended up with a lot more different credentials in use at
a time, as the fleeting credentials get referenced for the long-term by file
descriptors opened when the credential was active. Our reference counting
model is intended to save memory in the case where lots of credentials are the
same but changes are infrequent, and so you can see kernel memory use balloon.
The per-thread case is a bit better behaved than the simple per-process case
frequently switching, but it's worth watching out for this. Apple addressed
the problem by doing a coalesce stage after creating and initializing a new
credential, in which potential existing credentials with identical contents
are searched for and then used instead, discarding the new one, which comes
with some overhead.
Robert N M Watson
Computer Laboratory
University of Cambridge
More information about the freebsd-arch
mailing list