Klaas Hagemann <[EMAIL PROTECTED]> writes:

> Hi,
>
> after doing kinit the kerberos client creates a krb5 ticket cache file
> like /tmp/krb5cc_506.
>
> Another user having root privileges on this client can obtain this
> ticket cache file and have the network wide rights of the owner of
> this ticket.
>
> Is there any chance that the ticket is stored in memory rather than on
> the local disk? Can I configure it in any way?
That wouldn't stop someone with full root privileges -- it would just slow them down a little bit, if at all. (Unless your system is really crippled such that even root is severely limited in what it can do.) The root user could "su" to you, and use your local access to get at the shared memory segment or wherever the credentials are stored. Usually root has access to such things anyways, just because it's root. The root user could attach one of your processes with a debugger and pull out the credentials from the process memory. The root user could replace the programs you're planning to run with ones that will grab the credentials and stuff a copy in a file somewhere. Et cetera....

That said, there may be some benefit to using shared memory segments after all. A user with limited ability to read things as root -- say, through some bug in a setuid program or daemon such that the user can supply a filename and get a few bytes back -- might not be able to get at the shared memory segment. And someone unplugging and walking off with the machine might get the file system contents but not the memory.

There is some old code in the krb4 library for storing some information in shared memory, but I don't think anyone has used it in a while, and I've no idea how well it worked, what the effect might've been of never deleting the shared memory segment (if it's not created and deleted by 'login' and friends), etc. And I don't think we have the support in krb5 at all.

However, there is the CCAPI interface used on Mac and Windows, usually implemented through some IPC mechanism, which could be used to communicate with a process that keeps the credentials in its memory, or manages a shared memory segment. We aren't supporting that on general UNIX platforms at the moment, but if you wanted to work on it....

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
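A permission audit for the on-disk cache file the question mentions (e.g. /tmp/krb5cc_506), added here as an example and not code from the thread or from MIT Kerberos. It assumes a POSIX system and uses a constructed placeholder file; as the reply explains, a check like this covers only the non-root side of the risk, since root can read the file regardless of its mode.

```python
import os
import stat
import tempfile

# Added example: audit a krb5 ticket cache file for the on-disk exposure
# discussed in the thread. It checks that the cache is a regular file owned
# by the expected uid and that group/other have no access bits at all.
# Root bypasses every one of these checks; this only catches loose modes.

def audit_ccache(path, expected_uid):
    """Return a list of problems found; an empty list means the cache looks sane."""
    problems = []
    try:
        st = os.lstat(path)          # lstat so a symlink in /tmp is noticed
    except FileNotFoundError:
        return ["missing: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink: %s" % path)
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file: %s" % path)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d != expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    return problems

def demo():
    """Constructed demo: a 0644 cache is flagged, the same file at 0600 is clean."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "krb5cc_506")   # name mirrors the question
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real ccache")
        os.chmod(path, 0o644)
        loose = audit_ccache(path, os.getuid())
        os.chmod(path, 0o600)
        tight = audit_ccache(path, os.getuid())
        return loose, tight

if __name__ == "__main__":
    print(demo())
```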
