[19570] in Kerberos


Kerberos opening /etc/krb5.conf for writing?

daemon@ATHENA.MIT.EDU (Kerry Thompson)
Mon Jul 14 18:00:01 2003

Message-ID: <1400.202.27.185.71.1058219487.squirrel@www.crypt.gen.nz>
Date: Tue, 15 Jul 2003 09:51:27 +1200 (NZST)
From: "Kerry Thompson" <kerry@crypt.gen.nz>
To: <kerberos@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu


I've been doing some testing of MIT Kerberos (1.2.8) under SELinux and
I'm seeing some strange behaviour from most applications which use krb5
authentication. For some reason, something in the library seems to always
open /etc/krb5.conf for both reading and writing.

I think it comes from profile_open_file() in profile_file.c, which calls
rw_access_file() in prof_file.c, which in turn does something like
fopen(&filespec, "r+").

I'm not sure if this poses any security risks, and I haven't worked out a
patch yet. I suspect a fix might need to involve passing the filemode down
from profile_open_file().
Alternatively I can fix the SELinux policy to disallow the write access,
which is an easy fix for now.

Kerry



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
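
The message above describes a config file being opened "r+" by code that only reads it. As an added example (not part of the original message and not MIT krb5 source), this C program shows that the access mode is fixed when the file is opened, which is why a policy such as SELinux sees a write request even if nothing is ever written. The helper names and the temp-file config are hypothetical and constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Access mode the kernel recorded for the stream's descriptor, or -1. */
static int stream_access_mode(FILE *fp)
{
    int flags = fcntl(fileno(fp), F_GETFL);
    return flags == -1 ? -1 : (flags & O_ACCMODE);
}

/* Hypothetical helper: open with the mode the caller asks for and report
 * what was requested from the kernel. want_write = 1 mirrors the "r+"
 * open described in the message; 0 is the read-only alternative. */
static int open_mode_for(const char *path, int want_write)
{
    FILE *fp = fopen(path, want_write ? "r+" : "r");
    if (fp == NULL)
        return -1;
    int mode = stream_access_mode(fp);
    fclose(fp);
    return mode;
}

/* Write a constructed sample config to a fresh temp file. */
static int make_sample_conf(char *path_template)
{
    static const char sample[] =
        "[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n";
    int fd = mkstemp(path_template);
    if (fd == -1)
        return -1;
    ssize_t n = write(fd, sample, sizeof sample - 1);
    close(fd);
    return n == (ssize_t)(sizeof sample - 1) ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/krb5conf-demo-XXXXXX";
    if (make_sample_conf(path) != 0)
        return 1;
    printf("\"r+\" open is O_RDWR:  %d\n", open_mode_for(path, 1) == O_RDWR);
    printf("\"r\" open is O_RDONLY: %d\n", open_mode_for(path, 0) == O_RDONLY);
    unlink(path);
    return 0;
}
```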
