[30220] in Kerberos
Re: "Stealing" the credential cache
daemon@ATHENA.MIT.EDU (Simo Sorce)
Wed Aug 13 17:40:02 2008
From: Simo Sorce <simo@redhat.com>
To: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu>
Date: Wed, 13 Aug 2008 10:07:24 -0400
Message-Id: <1218636444.2991.84.camel@localhost.localdomain>
Cc: "E. Braun" <p2h56vc7@minet.uni-jena.de>, kerberos@mit.edu
On Wed, 2008-08-13 at 09:47 -0400, Ken Raeburn wrote:
> On Aug 13, 2008, at 07:55, E. Braun wrote:
> > Is this the expected behaviour, that the root user of a client (the user has
> > no interactive access to the Kerberos and AFS servers) can use a copy of the
> > credentials cache for getting an afs token?
>
> Yes. Finding a place where the superuser cannot access a user's
> credentials (either directly or by changing uid to the user, or in an
> extreme case, attach a user's process via ptrace or whatever, as if
> under a debugger, and extract the authentication info from the user's
> process) is a system-specific problem and not always possible; it
> requires that the OS enforce restrictions on a superuser account.
You should be able to use SELinux to achieve this goal; not sure how
hard it would be to build the policy, though.
Simo.
--
Simo Sorce * Red Hat, Inc * New York