[976] in Kerberos


Re: Questions about vulnerability of ticket cache file

daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Mon Jun 4 15:03:10 1990

From: smb@ulysses.att.com
To: hinman@samsung.com
Cc: kerberos@ATHENA.MIT.EDU
Date: Mon, 04 Jun 90 13:43:48 EDT

	 Hello,

	 It seems to me that if my workstation allows more than one
	 login, someone with the root password can read my ticket cache
	 file and hence impersonate me.

	 1) Is this a problem in practice, or have I misunderstood
	 something?

Yes, it's a problem *if* someone is able to log in remotely.  That
is usually not the case at Project Athena.

	 2) If it is a problem, will the next release of Kerberos be
	 providing some facility to deal with it?

There is no defense against root on standard UNIX systems.

	 3) It seems like one solution would be a new device driver,
	 providing ticket cache files that are readable only by the
	 owner and not by root.  Is this a reasonable approach?

No, because root could just read /dev/kmem.  It's a bit harder, but
by no means difficult.  Using a device bound to a login session -- to
/dev/tty, for example -- eliminates the problem of tickets not being
destroyed at logout time, but does nothing to protect against root.
