[1209] in Kerberos_V5_Development

initialization of stdio caches

daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat May 18 15:03:15 1996

Date: Sat, 18 May 1996 15:03:06 -0400
From: Sam Hartman <hartmans@MIT.EDU>
To: krbdev@MIT.EDU


	Currently, we use fopen to open stdio caches.  This is bad
because it does not allow us to do an exclusive open of the cache.  As
indicated in comments in the code, there is no way to do an exclusive
open with a stdio call.

	There is a serious symlink race created by this situation.  If
I create /tmpkrb5cc_your_uid as a symlink to one of your files, I can
force you to overwrite this file next time you run kinit.  (I need to
win a race against unlinking this symlink, but that isn't impossible,
and the consequences could be fairly serious).

	I would like to know if there are any good reasons in terms of
known portability problems that would be created by fdopen.  If it
will work, I think that the security improvement justifies the
abstraction violation.  Otherwise, I strongly advise against using
stdio caches by default on Unix systems, as we currently do.

--Sam
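
The difference described in the message above, as an added example that is not part of the original post or of the Kerberos source: opening a file with `fopen` follows a symlink that is already at the path, while `open` with `O_CREAT | O_EXCL` followed by `fdopen` refuses to. The helper names, the temporary directory and the file contents are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a cache file that must not already exist.
 * With O_CREAT|O_EXCL, open() fails with EEXIST if anything is at `path`,
 * including a symlink (even a dangling one); the link is never followed. */
FILE *open_cache_excl(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w+");      /* wrap the descriptor for stdio use */
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario: a symlink named like a cache file points at a
 * "victim" file. Opens the cache path with fopen (use_excl == 0) or with
 * open_cache_excl (use_excl == 1) and returns the victim's size afterwards. */
long victim_size_after_open(int use_excl)
{
    char dir[] = "/tmp/ccdemoXXXXXX", victim[64], cache[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cache, sizeof cache, "%s/krb5cc_demo", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL)
        return -1;
    fputs("important data\n", v);     /* 15 bytes */
    fclose(v);
    if (symlink(victim, cache) != 0)
        return -1;
    FILE *fp = use_excl ? open_cache_excl(cache) : fopen(cache, "w");
    if (fp != NULL)
        fclose(fp);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(cache); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("fopen:          victim size %ld\n", victim_size_after_open(0));
    printf("O_EXCL+fdopen:  victim size %ld\n", victim_size_after_open(1));
    return 0;
}
```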