On Fri, 2014-08-01 at 11:32 -0400, Chas Williams (CONTRACTOR) wrote:
> >We can do a userspace upcall on any platform; that's not the hard part...
>
> Yes, but it's mostly useless since it doesn't preserve any existing
> security context. Unless your kinit puts the tickets in a well known
> (and easily read) location, which somewhat defeats the purpose of
> strong authentication, an up call to afsd is mostly useless.

This is what I was getting at with my original comment. As an at least somewhat security aware sysadmin, to the extent that a mechanism like NFSv4's gssd works to track and update arbitrary users' credentials, I find myself wondering if an attacker can exploit the mechanisms that make it possible. And the better it works / more corner cases it handles, the more worrisome this is.

And yes, that it's common for user Kerberos tickets to be all in some common place and potentially readable by a privileged process is a longstanding Kerberos worry. Kernel-controlled keychains and API caches help this, but the latter at least hinder a gssd mechanism and the former either needs careful kernel-side control over permissions or leaves us with the same question about exploitability.

-- 
brandon s allbery kf8nh
sine nomine associates
[email protected]
[email protected]
unix openafs kerberos infrastructure xmonad
http://sinenomine.net
