[4920] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Kerberos design limitation in multiuser evnironments?

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Mon Apr 3 19:57:28 1995

To: kerberos@MIT.EDU
Date: Tue, 28 Mar 1995 10:10:08
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

mfagan@panix.com (Michael Fagan) writes:
>Basically, the ticket is stored in /tmp and it assumes that any old
>(or young) hacker can get at it even if you chmod it!

You don't need to chmod it...  A Kerberos ticket file (or credential
cache in V5 terminology) on a UNIX system is created with mode 600 (user
read-write, no group or world access).  So, if the file system were secure,
non-root users would not be able to get at another user's ticket file.
However, on most UNIX systems, that's a pretty big "if"...

Then again, if a non-root user is able to break local filesystem security
on a multiuser system, you (as a user on that system) are already toast
as far as local resources (i.e., your locally-stored files) are concerned,
and you're also going to be toast for any non-Kerberized network services
on that machine as well.  Kerberos isn't going to help or hurt you in a
situation like that.

Moral of the story: a multiuser system (and any Kerberos ticket file on it)
is only as secure as the local OS allows, and in the case of 99% of the
commercial UNIXes out there, that's not very much.  If you don't like it,
complain to your UNIX vendor...  (That's why I prefer my trusty laptop
nowadays for all my network and non-network computing; lowly PC it may be,
but as long as I've got my eye on it I know it's "secure"...)

-Shawn Mamros
E-mail to: mamros@ftp.com
Speaking only for myself, not my employers...


home help back first fref pref prev next nref lref last post