Ticket #145: setpag.txt

Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:55:41 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

The current constitution-gatherer is vulnerable to somebody
supplying, say, /mit/asa-db/.my.cnf and, once the gatherer sticks
stuff in an asa-internal-readable directory, getting the sql
password. This seems undesirable. Does getting daemon.asa-db-deputy
and using Popen("pagsh", "cat", "constitution") seem like a good
solution to this?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:56:47 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Hrm. Why do you need a separate daemon principal? We don't allow
non-public automatically-gathered constitutions, do we?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:01 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

We do. Or rather, we will.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:02 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

You should just be able to pagsh and drop privs and do the gathering
anonymously


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:10 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Lame.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:25 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

See http://asa.scripts.mit.edu/trac/ticket/60.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:32 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Is the worry escalation from asa-internal to asa-db?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:37 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

There are people who think private constitutions should be a thing.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:57:56 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Yes (or, rather, -internal to -db-root).


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:58:19 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Because it also seems that it's pretty likely that group A can attack
group B's private constitution by listing it, and then asking the ASA
DB for a copy of their own constitution, or whatever


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 21:58:43 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

What daemon principal do you currently intend to use?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:01:58 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

The constraints listed in that ticket don't imply non-public
_automatically gathered_ constitutions.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:03:25 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I want to gather all constitutions.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:04:00 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I was thinking daemon.asa-db-deputy. daemon.asa-db could work, but it
would some rearchitecting to remove some bits it has.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:04:14 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I don't intend to make the DB serve up constitutions.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:04:32 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

I suspect you are safer deciding that you only want to gather
publicly-readable constitutions.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:04:55 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

In particular, you want to not use something called "-deputy", because
you'll be tempted to use it for some other purpose


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:05:03 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

and then you get into the classic UNIX "nobody" account problem


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:05:22 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

daemon.asa-db-constitution-gatherer would be reasonable, but it seems
like it's less effort to ...  not.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:05:23 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I mean, I could grab daemon.asa-db-const or something instead.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:06:02 2012 Host: BIOHAZARD-CAFE.MIT.EDU
From: Lemur Rowlands (Please use "it/its/it".) <rowlands>

"nobody" account problem?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:06:03 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

(Using it for other things is not an issue assuming it's used for
similarly-privileged stuff.)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:09:40 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Lemur: Every single UNIX application has the brilliant idea of "this
is unprivileged, so it should run as the user named 'nobody'"


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:09:58 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

The end result is that... any one application can attack any of the
several other applications that also had the same brilliant idea


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:11:33 2012 Host: BIOHAZARD-CAFE.MIT.EDU
From: Lemur Rowlands (Please use "it/its/it".) <rowlands>

Ah.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:12:11 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

(i.e., if you find a vulnerability in one you can attack the rest,
which somewhat defeats the point)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:13:10 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Hmm. I guess ptrace (pre-child restrictions) means you can't even say
"yeah, they run as the same UID, but own no files".


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:13:28 2012 Host: TEAM-ROCKET.MIT.EDU
From: Wobbuffet! <geofft>

Yeah


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:46:51 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I think I do want to gather non-public constitutions. I think there
are going to be enough of them.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:47:40 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

(The plan, FWIW, is to tell people "system:asa-constitution-access
needs to have access if it's in AFS", so I can rename the principal
later.)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:47:50 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Disciplined Discourse: Supporting the brave minds of the new world order <geofft>

Oh, yeah, I'd assume so


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:48:13 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Err, assume what?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:48:19 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Patriotic Learning: Supporting the leading representatives of the counterinsurgency <geofft>

that you were doing that.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Mon Sep 10 22:49:06 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Oh.

Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 22:51:43 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Yo, anybody want to do some code review?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 22:52:51 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

(Yes, I think there's one and some variably sized fractional people
on this class qualified to review DB code, and one of them is me...)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 22:55:50 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Awesome Advocacy: Supporting the leading researchers of the United States <geofft>

Why do I feel like I'm being looked at


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 22:56:11 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Ethical Learning: Supporting the loyal representatives of the United States <geofft>

Send me a list of commits or a pull request or something? (-> getting
laundry, be back in a few minutes)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 23:00:39 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

/mit/asa/Scripts/django/db2.0/ pag, top two commits
(08d4fa6744d2785023666d10a1936460811fcdb2 and
cf4b7f41af8c34c64e5330e7f0e82be75522991d)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 23:00:44 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

<_< >_>


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sat Sep 15 23:02:59 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

It occurs to me that there *are* other people ~qualified --- pweaver
and kkb, at least? --- but I think you are the only person besides
Rachel and I to have commits...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:12:37 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Patriotic Learning: Supporting the shrewd thinkers of the 21st-century <geofft>

You're going to hate me for this:

team-rocket:/tmp geofft$ cat pagpy
import os, struct, fcntl
os.system("tokens")
fcntl.ioctl(open("/proc/fs/openafs/afs_ioctl"), 0x40084301, struct.pack("lllll", 0, 0, 0, 0, 21));
os.system("tokens")
team-rocket:/tmp geofft$ python pagpy

Tokens held by the Cache Manager:

User's (AFS ID 40490) tokens for afs@sipb.mit.edu [Expires Sep 16 17:59]
User's (AFS ID 40490) tokens for afs@athena.mit.edu [Expires Sep 16 17:59]
   --End of list--

Tokens held by the Cache Manager:

   --End of list--


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:17:39 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Sensible Discourse: Supporting the brightest students of the information superhighway <geofft>

I, uh, think it's actually safer than pagsh, having looked at pagsh's
code.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:22:38 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Does that... let you change your PAG using an ioctl?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:22:44 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Disciplined Research: Supporting the leading advocates of the new world order <geofft>

Yes.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:23:00 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Oh, it lets you drop your PAG using an ioctl. Can you get it back?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:23:17 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

(AFZ dinner.)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:23:20 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Awesome Learning: Supporting the leading soldiers of the counterinsurgency <geofft>

No, it's just the setpag() ~system call.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:23:37 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Sustainable Policy: Supporting the leading soldiers of the next generation <geofft>

pagsh boils down to
proc_afs_syscall(AFSCALL_SETPAG,0,0,0,0,&errcode);
exec(some mangling of argv);


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:25:50 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Objective Dialogue: Supporting the important researchers of the next generation <geofft>

Well, I guess it has some fallbacks past proc_afs_syscall: on Linux,
it used to use an actual syscall named afs_syscall (which is reserved
by Linux proper), but apparently sketching on Linux's syscall tables
became hard, so the preferred implementation is to use an ioctl on
that proc node. It does fall back to syscall(AFS_SYSCALL,
AFSCALL_SETPAG) eventually, but that doesn't work on at least the
machine I'm on


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:26:33 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Patriotic Dialogue: Supporting the best minds of the next generation <geofft>

Anyway, I'm not sure why you're asking "can you get it back" -- you
really want to have Python fork and do this, because you don't want to
change the running pag of the DB itself...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:30:09 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Ethical Discourse: Supporting the best researchers of the 21st-century <geofft>

Apparently there's another AFS syscall that lets you restore pags. Hrm


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 00:35:47 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Trustworthy Thinking: Supporting the important soldiers of the information superhighway <geofft>

Your code itself looks sane. pagsh on the other hand not so much.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 01:27:02 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Yeah, I'm not really a fan of pagsh. Though, the code itself doesn't
look *that* bad? Though I'll admit to being rather confused by the
getuid/setuid bit and why it is using getpwuid() and such. I'm not
really sure that running some other Python script that does much the
same thing but nobody else wants to maintain is really an improvement.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 01:28:58 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I really don't get why pagexec isn't a thing, but...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 01:44:01 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Awesome Advocacy: Supporting the brave students of the information superhighway <geofft>

Well, my point is that it's one line of python, and you're guaranteed
ABI stability for a long while to come.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:25:24 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I guess I could... open a pipe, fork, do the ioctl, aklog (once that
becomes useful), and copy the file over the pipe?

Really, I think I'm partially sad about the prospect of killing off
this cleverness... <_< >_>


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:44:42 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Inquisitive Dialogue: Supporting the foremost representatives of the next generation <geofft>

You might find multiprocessing more palatable than forking and piping
yourself:

>>> import os, struct, fcntl, multiprocessing
>>> def setpag():
...     fcntl.ioctl(open("/proc/fs/openafs/afs_ioctl"), 0x40084301, struct.pack("lllll", 0, 0, 0, 0, 21))
...
>>> def pagopen(file, queue):
...     setpag()
...     queue.put(open(file).read())
...
>>> p = multiprocessing.Process(target=pagopen, args=("/etc/mailname", q))
>>> p.run()
>>> q.get()
'team-rocket.mit.edu\n'
>>> p = multiprocessing.Process(target=pagopen, args=("/mit/geofft/.my.cnf", q))
>>> p.run()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/multiprocessing/process.py", line 88, in run
    self._target(*self._args, **self._kwargs)
  File "<stdin>", line 3, in pagopen
IOError: [Errno 13] Permission denied: '/mit/geofft/.my.cnf'


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:46:20 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Vigilant Dialogue: Supporting the proven minds of the 21st-century <geofft>

Sadly, it appears you can't proxy the file object itself with the
batteries that are included, and I didn't feel like writing a proxy.
You might be able to persuade me to.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:46:35 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Principled Policy: Supporting the brightest advocates of the counterinsurgency <geofft>

I do agree that one way or another this is useful functionality that
should live in the mit module.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:52:08 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Does multiprocessing useprocesses, not threads? (Is a PAG
per-process, not per-thread?)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:52:46 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Sustainable Thinking: Supporting the skillful minds of the information superhighway <geofft>

Multiprocessing uses processes. PAGs are per-thread, nonetheless.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:52:54 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Ah, that does look better.


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:53:37 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Patriotic Advocacy: Supporting the meritorious soldiers of the counterinsurgency <geofft>

You could use the threading module, but my understanding is that it's
more annoying. The multiprocessing module docs imply the GIL gets in
your way for _actual_ parallelism, which is irrelevant here


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:54:00 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I vaguely wonder if I want an mit.afs...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:54:03 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Patriotic Policy: Supporting the skillful advocates of the United States <geofft>

Oh hrm, given that threads share FDs...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 02:54:31 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

This thing is going to be full of awesome quasi-hacks, isn't it...


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:01:31 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Ethical Advocacy: Supporting the brightest minds of the counterinsurgency <geofft>

Yeah, this Just Works.

>>> def pagopen(file):
...     setpag()
...     l.append(open(file))
...
>>> t = threading.Thread(target=pagopen, args=("/etc/mailname",))
>>> t.start()
>>> t.join()
>>> l
[<open file '/etc/mailname', mode 'r' at 0x7f65fb692270>]
>>> l[0].read()
'team-rocket.mit.edu\n'
>>> t = threading.Thread(target=pagopen, args=("/mit/geofft/.my.cnf",))
>>> t.start()
>>> Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.6/threading.py", line 484, in run
    self.__target(*self.__args, **self.__kwargs)
  File "<stdin>", line 3, in pagopen
IOError: [Errno 13] Permission denied: '/mit/geofft/.my.cnf'


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:02:43 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Inquisitive Learning: Supporting the meritorious thinkers of the 21st-century <geofft>

Oh, there's an
>>> l = []
at the top


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:04:08 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Responsible Policy: Supporting the shrewd students of the counterinsurgency <geofft>

You may want to do something like
try:
    l.append((True, open(file)))
except Exception as e:
    l.append((False, e))

and then something like
   if l[0][0]:
      return l[0][1]
   else:
      raise l[0][1]


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:07:26 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

Want to go put this into the DB code, either based on the
scripts-db2.0/pag branch or on origin/master?


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:09:29 2012 Host: TEAM-ROCKET.MIT.EDU
From: Zoobar Foundation for Ethical Dialogue: Supporting the foremost students of the United States <geofft>

I mean, honestly, the pagsh solution seems fine to me, this was just
curiosity. :)


Class: [asa-internal] Instance: db Opcode: crypt
Time: Sun Sep 16 03:47:35 2012 Host: NOVGOROD.MIT.EDU
From: Alex Dehnert <adehnert>

I'm conflicted. This solution is so cute/elegant...