
I'm working on a little side project on Linux (Ubuntu) where I require one to be authenticated to access a service. My idea is that this authentication should be stored with the process and its children, and not with the Linux user itself.

This authentication should be done by calling, for example, "myapplogin" with a username, password and a script/application (any application) to run with these credentials. I want it to be possible to retain these credentials in any children made by this process, and any grandchildren and so on.

I have looked at a few options for this capability.

  1. Store a login id or something in the environment variables. This is, as far as I know, passed on to any children. However, environment variables can be written to by the process, thus allowing it to possibly gain access it should not have.

  2. When logging in, store the process id of the process that logged in, and then on every operation to this service, check if it has the stored pid, or if anywhere in its ancestry the stored pid exists. This will possibly become too slow if this ancestry grows large, and if the service is accessed often. An option then is to cache any pid that is in the ancestry, but that can have security implications with pid reuse in the OS.

  3. Using process groups and linking that with a login, but that can also be changed by the process itself, allowing it to possibly join an existing group without actually logging in.

Is there any way to do this? Preferably it should be something stored with the process, that any new children inherit, not possible for the process to overwrite, and readable externally from a kernel module.

Maybe I'm just overlooking something obvious? I would be grateful for any input on this =)

Wildex999

1 Answer


I can provide two methods, depending on what kind of "services" you mean:

1. If the services you mean are things like network management, disk mounting/unmounting, etc., do the following:

The Linux kernel implements a CAPABILITY mechanism. The kernel has defined various capabilities. These capabilities can be assigned to different users. And the basic rule of capabilities is: assign the minimum set of privileges to one user to accomplish its mission.

So you can use the CAPABILITY idea; what you need to do is:

(1) List all services to which you need to limit the access.

(2) Define new capabilities or use the existing capabilities for the listed services.

(3) Change the kernel source code to check the capabilities of a process when it accesses the services you listed. Usually, these checks are located in the system call entries.

(4) Make changes to the init/login processes' source code: when a user logs in to the system, assign the necessary capabilities to different users according to your access control rules.

2. If the services you mean are things like executing some kind of system commands:

(1) Create a file such as watch_dog or similar under the /etc/ directory; in this file you can define a format that lists which specific users can execute which specific commands. Of course, the file format can be really fancy; for example, regular expressions can be used. To parse the file, Bison or Lex/Yacc can be used.

(2) During Linux Kernel initialization, the file /etc/watch_dog can be parsed.

(3) During fork(), store the /etc/watch_dog rules in the task_struct of the related process.

(4) In the exec() entry, apply the /etc/watch_dog rules to check whether the process is allowed to execute the program or not.

tian_yufeng
  • Thank you for taking the time to write this, but it's unfortunately not exactly what I'm after =/ However, you set me on the path to a solution I think will work perfectly =) – Wildex999 Jul 26 '13 at 15:31
  • The solution I think I'll go with is setgroups. It allows me to tag a process by setting it to a supplementary group. Setting a group on a process requires the capability SETGID (or root), so I can stop a process from changing/adding groups after I have given it one. These groups are inherited by children, but lost when using sudo. The group doesn't belong to a user, but a process, which is what I want. Now I just need to find a way to retrieve the groups of a process from a kernel module when I know the PID, but that should be possible, right? =) – Wildex999 Jul 26 '13 at 15:35
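The supplementary-group tagging the asker settles on in the comments, written out as an added example (not code from the question, the answer, or the asker). It assumes a reserved tag GID of 4242 and an unprivileged uid of 65534 (both placeholder values), and uses /proc/<pid>/status as the user-space stand-in for what a kernel module would read from the task's credentials. Run as root it tags itself, drops root so CAP_SETGID is gone, forks a child, shows the child can no longer alter its group list, and checks the child's tag from the parent by pid; the `status_has_gid` parser runs unprivileged on a constructed status snippet.

```c
/* Added example: tag a process tree with a supplementary GID via setgroups(),
 * then verify the tag externally by pid through /proc/<pid>/status. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define TAG_GID  4242   /* assumption: GID reserved for "logged in via myapplogin" */
#define DROP_UID 65534  /* assumption: nobody; any uid without CAP_SETGID will do */

/* Declared explicitly in case a strict ISO C mode hides it in <grp.h>. */
int setgroups(size_t n, const gid_t *groups);

/* Constructed sample of the relevant /proc/<pid>/status lines (not captured
 * from a real system), used to exercise the parser offline. */
static const char SAMPLE_STATUS[] =
    "Name:\tmyapp\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t1000 27 4242 \n"
    "NStgid:\t12345\n";
static const char SAMPLE_STATUS_NOGROUPS[] =
    "Name:\tmyapp\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t\n"
    "NStgid:\t12345\n";

/* Return 1 if gid appears on the "Groups:" line of a status buffer, else 0.
 * Only the Groups line is examined, so the primary GID on "Gid:" does not
 * count as a tag; the tag must be an explicit supplementary group. */
int status_has_gid(const char *status, gid_t gid)
{
    const char *p = strstr(status, "Groups:");
    if (!p) return 0;
    p += strlen("Groups:");
    const char *eol = strchr(p, '\n');
    if (!eol) eol = p + strlen(p);
    while (p < eol) {
        if (*p == ' ' || *p == '\t') { p++; continue; }
        char *end;
        unsigned long g = strtoul(p, &end, 10);
        if (end == p) return 0;          /* unexpected token: treat as untagged */
        if (g == (unsigned long)gid) return 1;
        p = end;
    }
    return 0;
}

/* External check by pid: read /proc/<pid>/status and look for the tag.
 * Returns 1 tagged, 0 untagged, -1 if the process cannot be read. */
int process_has_tag_gid(pid_t pid, gid_t gid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_gid(buf, gid);
}

/* Append the tag to the current supplementary groups. Needs CAP_SETGID, so
 * a privileged "myapplogin" would call this before dropping privileges. */
int attach_tag(gid_t tag)
{
    gid_t groups[256];
    int n = getgroups(255, groups);
    if (n < 0) return -1;
    groups[n++] = tag;
    return setgroups((size_t)n, groups);
}

int main(void)
{
    if (geteuid() != 0) {
        fprintf(stderr, "run as root to see tagging; the parser needs no privilege\n");
        return 0;
    }
    if (attach_tag(TAG_GID) != 0) { perror("setgroups"); return 1; }
    /* Drop root: without CAP_SETGID the tagged process can no longer forge
     * or shed the tag from inside. (A setuid helper such as sudo would still
     * reset the group list, as the comment above notes.) */
    if (setuid(DROP_UID) != 0) { perror("setuid"); return 1; }

    int fd[2];
    if (pipe(fd) != 0) { perror("pipe"); return 1; }
    pid_t child = fork();
    if (child == 0) {
        close(fd[1]);
        gid_t none = 0;
        int rc = setgroups(1, &none);    /* expected: -1 with EPERM */
        int err = errno;
        printf("child %d: setgroups() -> %d (%s)\n", (int)getpid(), rc,
               rc ? strerror(err) : "ok");
        char c; ssize_t r = read(fd[0], &c, 1); (void)r;  /* wait for parent's check */
        _exit(0);
    }
    close(fd[0]);
    /* Inspect the child by pid from outside, as a kernel module would. */
    printf("parent: child %d tagged = %d\n", (int)child,
           process_has_tag_gid(child, TAG_GID));
    ssize_t w = write(fd[1], "x", 1); (void)w;
    close(fd[1]);
    waitpid(child, NULL, 0);
    return 0;
}
```

The tag inherits across fork() and execve() because supplementary groups live in the process credentials, which is exactly the property the question asks for; the only thing a tagged process can do to lose it is exec a setuid program that rebuilds its groups, which is the sudo caveat from the comment.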