[krbdev.mit.edu #4048] SVN Commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Mon Jul 24 22:32:14 EDT 2006


pull up r18379 from trunk

 r18379 at cathode-dark-space:  jaltman | 2006-07-24 02:58:23 -0400
 ticket: new
 subject: Windows Integrated Login Fixes for KFW 3.1
 tags: pullup
 component: windows
 
     KFW integrated login was failing when the user is 
     not a power user or administrator.  This was occurring 
     because the temporary file ccache was being created in
     a directory the user could not read.  While fixing this
     it was noticed that the ACLs on the ccache were too broad.
     Instead of applying a fix to the FILE: krb5_ccache 
     implementation it was decided that simply applying a new
     set of ACLs (SYSTEM and "user" with no inheritance) to 
     the file immediately after the krb5_cc_initialize() call
     would close the broadest security issues.  
 
     The file is initially created in the SYSTEM %TEMP% directory
     with "SYSTEM" ACL only.  Then it is moved to the user's %TEMP%
     directory with "SYSTEM" and "user" ACLs.  Finally, after
     copying the credentials to the API: ccache, the file is deleted.
     
 


Commit By: tlyu



Revision: 18386
Changed Files:
_U  branches/krb5-1-5/
U   branches/krb5-1-5/src/windows/kfwlogon/Makefile.in
U   branches/krb5-1-5/src/windows/kfwlogon/kfwcommon.c
U   branches/krb5-1-5/src/windows/kfwlogon/kfwcpcc.c
U   branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.c
U   branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.h




More information about the krb5-bugs mailing list