On Thu, 2011-05-26 at 14:43 -0400, Simo Sorce wrote:
> On Thu, 2011-05-26 at 14:19 -0400, Dmitri Pal wrote:
> > Cookie can be stored on the home directory of the user and user home
> > directory can be NFS mounted so if we save anything important in the
> > cookie the NFS root would be able to impersonate the user. It assumes
> > that TGTs are not stored on the NFS in this case so replacing the TGT
> > auth with fast session cookie auth would be a security issue.
> > I hope I understand the issue correctly.
> 
> We can store the the cookie in the ccache, so that we have it in the
> same place the TGT is. We shouldn't save it in the home, as it is
> insecure indeed.

I'd like to point out that this is a strong argument for adding the
SSSD/LDB Kerberos credential cache. It's unsafe to store the user's
credential cache in their home directory (because it may be an NFS mount
and therefore vulnerable to root on another machine).

However, the other common location for a credential cache is in /tmp,
which becomes an issue for systems running with pam_namespace or
sandboxing (where different processes have different views of the
contents of /tmp).

To avoid both of these situations, it might be best for us to store the
credential cache in SSSD.

For more information, see https://fedorahosted.org/sssd/ticket/652 and
https://bugzilla.redhat.com/show_bug.cgi?id=618689

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to