Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-12 Thread Julian Brost
On 12.06.2016 00:09, Russ Allbery wrote: > Maybe I should take a step back and ask what security issue are you trying > to address with this patch? Maybe that would help me understand why you > think a setuid binary is superior. I admit that, these days, I usually > just let Kerberos not validate

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-11 Thread Russ Allbery
Maybe I should take a step back and ask what security issue are you trying to address with this patch? Maybe that would help me understand why you think a setuid binary is superior. I admit that, these days, I usually just let Kerberos not validate the ticket request for authentications as non-da

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-11 Thread Julian Brost
On Fri, 10 Jun 2016 13:11:41 -0700 Russ Allbery wrote: > Simon Ruderich writes: > > > Any objections against using it as setgid instead of setuid? This > > would work fine as well and prevent serious privilege escalation. > > If you compromise the host keytab in most Kerberos environments, you'

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Russ Allbery
Simon Ruderich writes: > Any objections against using it as setgid instead of setuid? This > would work fine as well and prevent serious privilege escalation. If you compromise the host keytab in most Kerberos environments, you've compromised root anyway, since the attacker can then mint arbitra

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Simon Ruderich
>On Fri, Jun 10, 2016 at 09:31:47PM +0200, Simon Ruderich wrote: >> Instead of installing the helper as setuid one could also install >> it as setgid with a specific kerberos group which can read the >> keytab. Then in the worst case the keytab is compromised. The >> existing patch supports this ap

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Russ Allbery
Simon Ruderich writes: > On Fri, Jun 10, 2016 at 10:47:16AM -0700, Russ Allbery wrote: >> I'm too nervous about the many possible attack approaches to setuid >> binaries to be entirely comfortable with this approach. My tentative >> thought about the right way to approach this was to instead add

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Simon Ruderich
On Fri, Jun 10, 2016 at 10:47:16AM -0700, Russ Allbery wrote: > I'm too nervous about the many possible attack approaches to setuid > binaries to be entirely comfortable with this approach. My tentative > thought about the right way to approach this was to instead add a daemon > that listens on a

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Russ Allbery
Simon Ruderich writes: > The attached patch adds a setuid-wrapper to allow verification of > the keytab for non-root PAM programs. > The new verify_creds_setuid_helper function forks our new suid > helper binary against which it does a standard kerberos service > authentication by getting a serv

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Simon Ruderich
Package: src:libpam-krb5 Followup-For: Bug #399002 Hello, Revised patch attached which adds support for Heimdal (the Debian package with our patch builds fine now) and fixes backwards compatibility with verify_ap_req_nofail = false (the old patch always rejected missing KDC validation even if ver

Bug#399002: libpam-krb5: allow TGT verification by non-root processes

2016-06-10 Thread Simon Ruderich
Package: src:libpam-krb5 Followup-For: Bug #399002 Hello, The attached patch adds a setuid-wrapper to allow verification of the keytab for non-root PAM programs. The new verify_creds_setuid_helper function forks our new suid helper binary against which it does a standard kerberos service authent