Re: "Stealing" the credential cache
To: kerberos@mit.edu
In-Reply-To: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu> (Ken Raeburn's message of "Wed, 13 Aug 2008 09:47:27 -0400")
From: Russ Allbery <rra@stanford.edu>
Date: Wed, 13 Aug 2008 11:21:18 -0700
Message-ID: <87iqu4u675.fsf@windlord.stanford.edu>
Ken Raeburn <raeburn@MIT.EDU> writes:
> I'm not familiar with whether the keyring code in Linux (optionally
> used in recent MIT Kerberos releases) enforces such restrictions.
You would probably need to also run something like SELinux to limit the
capabilities of root, if my understanding of how the authorization model
in the kernel works is correct.
> If we could hook into AFS process authentication groups, that might help
> raise the bar as well, to prevent casual copying but not the ptrace
> attack, but only on systems where AFS is installed (specifically
> implementations with PAGs). Ken Hornstein has patches around to use an
> extra, high-numbered file descriptor inherited across processes, with
> the process fd limit lowered to just below that fd, which restricts
> access to a login session (aside from the ptrace attack), but requires
> modifications to the login process to set up this file descriptor, and
> requires that no process close all the high-numbered file descriptors
> (which I gather is actually fairly uncommon to do above the lowered file
> descriptor limit).
This too only protects against casual attacks, since root can still get
access to this ticket cache by trying hard enough.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
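The "extra, high-numbered file descriptor with the process fd limit lowered to just below it" idea that Ken describes is easy to misread, so here is a small added demonstration of the mechanism. It is not code from this thread and not Ken Hornstein's patches; it is a sketch that assumes Linux, picks descriptor 900 as the parked slot and 512 as the lowered RLIMIT_NOFILE (both arbitrary), and uses a constructed temporary file in place of a real ticket cache. It shows what the restriction buys: descendants of the session keep reading the inherited descriptor, but no new descriptor can be created at or above the limit, so a process that does not already hold the descriptor cannot re-create one there. It does not change the point Russ makes: root can raise the limit or ptrace the process, so this only raises the bar against casual copying.

```python
import json
import os
import resource
import tempfile

HIGH_FD = 900        # assumed slot for the "extra, high-numbered" descriptor
LOWERED_LIMIT = 512  # assumed new RLIMIT_NOFILE, deliberately below HIGH_FD


def _finite(limit):
    """resource reports RLIM_INFINITY as -1; treat that as unbounded."""
    return float("inf") if limit == resource.RLIM_INFINITY else limit


def login_session(ccache_path):
    """What a patched login process would do before exec'ing the user's shell:
    park the cache on a high descriptor, then lower the fd limit beneath it.
    (Assumption: a sketch of the approach described on the list, not Hornstein's code.)"""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if _finite(hard) <= HIGH_FD:
        raise RuntimeError(f"hard fd limit {hard} too low to place fd {HIGH_FD}")
    if _finite(soft) <= HIGH_FD:             # dup2 targets must be under the soft limit
        new_soft = HIGH_FD + 1 if hard == resource.RLIM_INFINITY else hard
        resource.setrlimit(resource.RLIMIT_NOFILE, (new_soft, hard))
    fd = os.open(ccache_path, os.O_RDONLY)
    os.dup2(fd, HIGH_FD)                     # inheritable across fork/exec by default
    os.close(fd)
    # Lowering both soft and hard is irreversible for an unprivileged process.
    resource.setrlimit(resource.RLIMIT_NOFILE, (LOWERED_LIMIT, LOWERED_LIMIT))


def probe_session():
    """What any descendant of the session can and cannot do afterwards."""
    result = {}
    os.lseek(HIGH_FD, 0, os.SEEK_SET)
    result["inherited_fd_readable"] = os.read(HIGH_FD, 64).decode()
    try:                                     # no new descriptor may land above the limit
        os.dup2(HIGH_FD, HIGH_FD + 1)
        result["dup_above_limit"] = "allowed"
    except OSError as e:
        result["dup_above_limit"] = e.strerror   # EBADF on Linux
    new_fd = os.open("/dev/null", os.O_RDONLY)   # new fds are handed out below the limit
    result["new_fd_below_limit"] = new_fd < LOWERED_LIMIT
    os.close(new_fd)
    return result


def run_demo():
    """Run login_session + probe_session in a forked child so the lowered limit
    never touches the caller; returns the probe dict."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("constructed ccache bytes")  # constructed stand-in for ticket data
        path = f.name
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                             # child: plays the "login session"
        os.close(r)
        try:
            login_session(path)
            out = probe_session()
        except Exception as e:               # report failures instead of hanging the parent
            out = {"error": repr(e)}
        os.write(w, json.dumps(out).encode())
        os._exit(0)
    os.close(w)
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    os.unlink(path)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running it prints the probe dict: the parked descriptor is still readable, the attempt to dup onto fd 901 fails with "Bad file descriptor", and the freshly opened /dev/null lands on a low descriptor. The caveat Ken raises applies here too: anything in the session that closes "all high-numbered descriptors" (a close-from loop that ignores the limit) would discard the cache, and the mechanism assumes every process in the session inherits from the patched login.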