[2211] in Kerberos-V5-bugs
Re: security hole in v4 and v5 login?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Sep 9 17:26:39 1996
To: schemers@stanford.edu
Cc: krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 09 Sep 1996 17:26:25 -0400
In-Reply-To: schemers@stanford.edu's message of Mon, 9 Sep 1996 12:17:18 -0700 (PDT)
>>>>> "schemers" == schemers <schemers@stanford.edu> writes:
schemers> some changes to our locally hacked up login program, and
schemers> stumbled across a possible race condition that exists in
schemers> the v4 and v5 login programs.
schemers> The v5 login program has a "chown" call after the
schemers> krb5_get_in_tkt_with_password call. Before the chown,
schemers> someone could unlink the ticket cache, and create a
schemers> symlink to /etc/passwd. After which, the chown would
schemers> change the owner of the password file, correct? It isn't
schemers> that hard to guess what the name of the cache file will
schemers> be, and probably isn't that hard to slow down the system
schemers> enough to do the unlink/symlink create.
I tend to agree with you that the particular section of code
you quote could use some re-writing, but I disagree that there is a
race condition if the sticky bit is set on /tmp. If the sticky bit is
set, only root can unlink the cache. If you're already root, we don't
care if you mangle /etc/passwd.
If you run Kerberos inan environment where your cache
directory doesn't have a sticky bit set, you are likely to run into
more significant problems.
--Sam
