svn rev #18379: trunk/src/windows/kfwlogon/

jaltman@MIT.EDU jaltman at MIT.EDU
Mon Jul 24 02:58:24 EDT 2006


Commit By: jaltman
Log Message: 
ticket: new
subject: Windows Integrated Login Fixes for KFW 3.1
tags: pullup
component: windows

    KFW integrated login was failing when the user is 
    not a power user or administrator.  This was occurring 
    because the temporary file ccache was being created in
    a directory the user could not read.  While fixing this
    it was noticed that the ACLs on the ccache were too broad.
    Instead of applying a fix to the FILE: krb5_ccache 
    implementation it was decided that simply applying a new
    set of ACLs (SYSTEM and "user" with no inheritance) to 
    the file immediately after the krb5_cc_initialize() call
    would close the broadest security issues.  

    The file is initially created in the SYSTEM %TEMP% directory
    with "SYSTEM" ACL only.  Then it is moved to the user's %TEMP%
    directory with "SYSTEM" and "user" ACLs.  Finally, after
    copying the credentials to the API: ccache, the file is deleted.
    



Changed Files:
U   trunk/src/windows/kfwlogon/Makefile.in
U   trunk/src/windows/kfwlogon/kfwcommon.c
U   trunk/src/windows/kfwlogon/kfwcpcc.c
U   trunk/src/windows/kfwlogon/kfwlogon.c
U   trunk/src/windows/kfwlogon/kfwlogon.h
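
The ACL policy the commit message describes (SYSTEM and the user, no inheritance) can be audited from a file's SDDL string. The following is an added example, not code from the KFW sources; the function name `check_ccache_dacl`, its result codes and the sample SID are hypothetical, and it checks protection and trustees only.

```c
#include <stdio.h>
#include <string.h>

enum { DACL_OK, DACL_MISSING, DACL_NOT_PROTECTED, DACL_MALFORMED,
       DACL_UNEXPECTED_ACE };

/* Policy from the commit message: a protected DACL (no inheritance) holding
 * only allow ACEs for SYSTEM or the logon user. Rights are not checked. */
int check_ccache_dacl(const char *sddl, const char *user_sid)
{
    const char *p = strstr(sddl, "D:");
    if (!p) return DACL_MISSING;
    /* DACL flags precede the first ACE; "P" marks the DACL as protected. */
    size_t nflags = strcspn(p + 2, "(:");
    if (!memchr(p + 2, 'P', nflags)) return DACL_NOT_PROTECTED;
    for (p += 2 + nflags; *p == '('; ) {
        char ace[256], *f[6], *s;
        const char *end = strchr(p, ')');
        size_t len = end ? (size_t)(end - p - 1) : sizeof ace;
        int n = 0;
        if (len >= sizeof ace) return DACL_MALFORMED;
        memcpy(ace, p + 1, len);
        ace[len] = '\0';
        /* Split type;flags;rights;object_guid;inherit_guid;trustee in place. */
        for (s = ace; n < 6; n++) {
            f[n] = s;
            if (!(s = strchr(s, ';'))) { n++; break; }
            *s++ = '\0';
        }
        if (n != 6) return DACL_MALFORMED;
        if (strstr(f[1], "ID") || strcmp(f[0], "A") != 0 ||
            (strcmp(f[5], "SY") != 0 && strcmp(f[5], user_sid) != 0))
            return DACL_UNEXPECTED_ACE;
        p = end + 1;
    }
    return DACL_OK;
}

int main(void)
{
    /* Constructed SID and SDDL strings, not taken from the commit. */
    const char *user = "S-1-5-21-1111111111-2222222222-3333333333-1001";
    const char *samples[] = {
        "D:P(A;;FA;;;SY)(A;;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)",
        "D:P(A;;FA;;;SY)(A;;FR;;;BU)",
        "D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)" };
    for (size_t i = 0; i < 3; i++)
        printf("%d  %s\n", check_ccache_dacl(samples[i], user), samples[i]);
}
```

On Windows the SDDL string for a file can be obtained with `ConvertSecurityDescriptorToStringSecurityDescriptor` or from the `Sddl` property of PowerShell's `Get-Acl` output.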


