[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The auth interface on L4-Hurd
|
From: |
Marcus Brinkmann |
|
Subject: |
Re: The auth interface on L4-Hurd |
|
Date: |
Thu, 1 Aug 2002 23:07:00 +0200 |
|
User-agent: |
Mutt/1.4i |
On Thu, Aug 01, 2002 at 10:59:20PM +0200, Marcus Brinkmann wrote:
> > But, do we maybe have a race condition here? When the server has made
> > the RPC to the user to move his handle to auth, but before he does the
> > auth_server_authenticate, someone else might make the
> > auth_server_authenticate for him, guessing the correct handle number. How
> > can this be prevented?
>
> You must never simply trust a number you get from somewhere. This is
> obvious. The server must tell the user (which is the server of the
> rendevouz port) that it is moving the right to the auth server. Then later
> on, the auth server must verify that it really got the right handle from the
> server. Something like that, we have not worked out the details. Maybe you
> want to look into this issue more closely?
Now, my reply on this point was completely bogus, and I have to think about
what you said ;)
Marcus
--
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org address@hidden
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
address@hidden
http://www.marcus-brinkmann.de/
Re: The auth interface on L4-Hurd, Marcus Brinkmann, 2002/08/01