Plan 9 Authentication in Linux

In Linux, applications like su and login currently run as root in order to access authentication information and set or alter the identity of the process. In such cases, if the application is compromised while running as a privileged user, the entire system can become vulnerable. An alternative approach is taken by the Plan 9 operating system from Bell Labs, which runs such applications as a non-privileged user and relies on a kernel-based capability device working in coordination with an authentication server to provide the same services. This avoids the risk of an application vulnerability becoming a system vulnerability.

This paper discusses the extension of Linux authentication mechanisms to allow the use of the Plan 9 approach with existing Linux applications in order to reduce the security risks mentioned earlier. It describes the port of the Plan 9 capability device as a character device driver for the Linux kernel. It also describes the port of the Plan 9 authentication server and the implementation of a PAM module which allows the use of these new facilities. It is now possible to free processes like login and su from the uncontrolled setuid bit and run them on behalf of an unprivileged user in Linux.