[3640] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #1056]krb4 tickets cannot be read as root
daemon@ATHENA.MIT.EDU (daniel@ncsu.edu via RT)
Tue Nov 12 09:35:35 2002
Message-Id: <rt-1056-3682.18.0576106671192@krbdev.mit.edu>
In-Reply-To: <rt-1056@krbdev.mit.edu>
From: "daniel@ncsu.edu via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Tue, 12 Nov 2002 09:34:26 -0500 (EST)
Aha! Didn't think through it that way. Thanks much for the info!
I'll be glad when we can disable krb4 altogether anyway... =) Currently
AFS, Zephyrs, and Poppers are holding us back. Weee! (perhaps I had too
much caffeine this morning...)
Daniel
> Your PAM module and login programs should not be doing Kerberos
> credentials cache operations as root. Instead, you should get tickets
> as root into a memory cache, verify them against the host keytab, then
> later in the setcred or open_session phase, seteuid to the user, write
> out the credentials, and write out krb4 tickets. You can setpag and
> get AFS tokens at this point or do it in a later PAM module, but you
> should do so while setuid to the user.
>
> Using seteuid instead of chown is very important because it will
> continue to work even if we move towards Unix sockets or shared memory
> for cache representations.
--
Daniel Henninger                          http://www.vorpalcloud.org/
North Carolina State University - Systems Programmer
Information Technology <IT>
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs