Kerberos Security Question

Tomas Maly tomas_maly at yahoo.com
Tue Feb 26 20:30:47 EST 2002


Hi,

Here's a question. Let's say that we have a UNIX
computer that is in a Kerberos realm, and an untrusted
user has "root" access. If some other user happens to
log in to that computer, then the root user can
symbolically link their ticket cache file to that of
any user that has logged in. Thus, when root does a
'klist', it shows the credentials of that other user.
This seems like a huge bug (though it's due to how
UNIX was architected), because then root has
realm-wide access as this user without requiring a
password! Since tickets last in the range of hours,
this doesn't seem good. It almost seems like enough
reason to not use Kerberos at all. Yes, without
Kerberos and a Kerberized network filesystem (such as
AFS/Coda), root can switch to any other user and view
their files on the network. That's not good either.
But what I mentioned seems to not even secure this
feature either. 

Anyway, I was wondering if anyone has thought about how to
secure this hole. Would it be possible to make a
ticket cache file valid only for a particular process
group, perhaps? Are there any current ways to tighten
security? I would like to not force removing root
access from these untrusted users (such as for their
Linux PCs).

Also, I've noticed that the login.krb5 program creates
a pseudo-random filename for the cache (such as
/tmp/krb5cc_XYZPDQ). Why is this?

I'm particularly interested in the Linux platform (2.4
kernel series), if someone thinks there are answers
that apply to it. Perhaps Capabilities can be used?

Thanks.

Tomas Maly


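To make concrete what a root user gets by opening another user's /tmp/krb5cc_<uid> (directly, or through the symlink trick described in the post), here is an added example that reads the MIT Kerberos FILE: credential-cache format, version 4. It is not code from the poster or from the Kerberos distribution. Because no real cache exists offline, the block first builds one in memory from made-up values (the principal alice@EXAMPLE.ORG, the fixed timestamp ISSUED, the key and ticket bytes are all constructed), then parses it back. The point it shows is that the file holds not just ticket names and lifetimes but the session key for each ticket, so whoever can read the bytes can use the tickets from any host until they expire.

```python
"""Minimal reader for the MIT Kerberos FILE: credential-cache format (version 4).

Constructed example: a ccache is built in memory from fixed values and then
parsed, to show exactly what a reader of /tmp/krb5cc_<uid> obtains: every
ticket, its validity window, and the session key needed to use it.
All principal names, times and key/ticket bytes below are made up."""
import struct

def _counted(buf, off):
    """Read a 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _enc_counted(data):
    return struct.pack(">I", len(data)) + data

def _principal(buf, off):
    """name_type, component count, realm, then each component (v3/v4 layout)."""
    _name_type, ncomp = struct.unpack_from(">II", buf, off)
    off += 8
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off

def _enc_principal(name, name_type=1):
    local, realm = name.rsplit("@", 1)
    comps = local.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _enc_counted(realm.encode())
    return out + b"".join(_enc_counted(c.encode()) for c in comps)

def build_ccache(default_principal, creds):
    """Serialize a version-4 ccache: magic, empty header, default principal, creds."""
    out = b"\x05\x04" + struct.pack(">H", 0) + _enc_principal(default_principal)
    for c in creds:
        out += _enc_principal(c["client"]) + _enc_principal(c["server"])
        out += struct.pack(">H", c["enctype"]) + _enc_counted(c["key"])   # session key
        out += struct.pack(">IIII", c["authtime"], c["starttime"], c["endtime"], c["renew_till"])
        out += b"\x00"                      # is_skey
        out += struct.pack(">I", c["flags"])
        out += struct.pack(">I", 0)         # no addresses
        out += struct.pack(">I", 0)         # no authdata
        out += _enc_counted(c["ticket"]) + _enc_counted(b"")   # ticket, second_ticket
    return out

def parse_ccache(buf):
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    (hlen,) = struct.unpack_from(">H", buf, 2)
    off = 4 + hlen                          # skip header tags (e.g. KDC time offset)
    default_principal, off = _principal(buf, off)
    creds = []
    while off < len(buf):
        client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        (enctype,) = struct.unpack_from(">H", buf, off); off += 2
        key, off = _counted(buf, off)
        authtime, starttime, endtime, renew_till = struct.unpack_from(">IIII", buf, off); off += 16
        off += 1                            # is_skey
        (flags,) = struct.unpack_from(">I", buf, off); off += 4
        for _ in range(2):                  # address list, then authdata list
            (n,) = struct.unpack_from(">I", buf, off); off += 4
            for _ in range(n):
                off += 2                    # addrtype / adtype
                _, off = _counted(buf, off)
        ticket, off = _counted(buf, off)
        _second_ticket, off = _counted(buf, off)
        creds.append(dict(client=client, server=server, enctype=enctype, key=key,
                          authtime=authtime, starttime=starttime, endtime=endtime,
                          renew_till=renew_till, flags=flags, ticket=ticket))
    return default_principal, creds

def exposed_secrets(buf, now):
    """What a reader of the file holds at time `now`: (service, session key hex, seconds left)."""
    _, creds = parse_ccache(buf)
    return [(c["server"], c["key"].hex(), max(0, c["endtime"] - now))
            for c in creds if not c["server"].endswith("@X-CACHECONF:")]   # skip MIT config entries

# Constructed sample: alice's cache as a login program might leave it, with a
# 10-hour TGT and a service ticket for an NFS server (hypothetical names).
ISSUED = 1_014_764_400          # 2002-02-26 23:00:00 UTC, a fixed reference time
SAMPLE_CREDS = [
    dict(client="alice@EXAMPLE.ORG", server="krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
         enctype=16, key=bytes(range(24)), authtime=ISSUED, starttime=ISSUED,
         endtime=ISSUED + 36000, renew_till=0, flags=0x40e00000, ticket=b"\x61\x82" + b"\xaa" * 16),
    dict(client="alice@EXAMPLE.ORG", server="nfs/fileserver.example.org@EXAMPLE.ORG",
         enctype=16, key=bytes(range(24, 48)), authtime=ISSUED, starttime=ISSUED + 60,
         endtime=ISSUED + 36000, renew_till=0, flags=0x40a00000, ticket=b"\x61\x82" + b"\xbb" * 16),
]
SAMPLE_CCACHE = build_ccache("alice@EXAMPLE.ORG", SAMPLE_CREDS)

if __name__ == "__main__":
    # Reading the bytes is all it takes; file ownership is the only barrier.
    for service, key_hex, left in exposed_secrets(SAMPLE_CCACHE, ISSUED + 3600):
        print(f"{service}: session key {key_hex}, usable for {left // 3600}h more")
```

Run against a real cache (`parse_ccache(open("/tmp/krb5cc_500", "rb").read())`) the same function lists the same fields, which is why the question of who may read the file matters more than the pseudo-random suffix in its name: the name only avoids collisions and pre-created symlinks in /tmp, it is not a secret.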


