Hi,

Here's a question. Let's say that we have a UNIX computer that is in a Kerberos realm, and an untrusted user has "root" access. If some other user happens to log in to that computer, then the root user can symbolically link their ticket cache file to that of any user that has logged in. Thus, when root does a 'klist', it shows the credentials of that other user.

This seems like a huge bug (though it's due to how UNIX was architected), because then root has realm-wide access as this user without requiring a password! Since tickets last in the range of hours, this doesn't seem good. It almost seems like enough reason to not use Kerberos at all.

Yes, without Kerberos and a Kerberized network filesystem (such as AFS/Coda), root can switch to any other user and view their files on the network. That's not good either. But what I mentioned seems to not even secure this feature either.
Anyway, I was wondering if it was thought of how to secure this hole. Would it be possible to make a ticket cache file valid only for a particular process group, perhaps? Are there any current ways to tighten security? I would like to not force removing root access from these untrusted users (such as for their Linux PCs).

Also, I've noticed that the login.krb5 program creates a pseudo-random filename for the cache (such as /tmp/krb5cc_XYZPDQ). Why is this?

I'm particularly interested in the Linux platform (2.4 kernel series), if someone thinks there are answers that apply to it. Perhaps Capabilities can be used?

Thanks.

Tomas Maly
