krb5 ticket cache

Ken Raeburn raeburn at MIT.EDU
Thu Feb 6 09:42:22 EST 2003


Klaas Hagemann <kerberos at northsailor.de> writes:

> Hi,
>
> after doing kinit the kerberos client creates a krb5 ticket cache file
> like /tmp/krb5cc_506.
>
> Another user having root privileges on this client can obtain this
> ticket cache file and have the network-wide rights of the owner of
> this ticket.
>
> Is there any chance that the ticket is stored in memory rather than on
> the local disk? Can I configure it in any way?

That wouldn't stop someone with full root privileges -- it would just
slow them down a little bit, if at all.  (Unless your system is really
crippled such that even root is severely limited in what it can do.)

The root user could "su" to you, and use your local access to get at
the shared memory segment or wherever the credentials are stored.
Usually root has access to such things anyway, just because it's
root.

The root user could attach one of your processes with a debugger and
pull out the credentials from the process memory.

The root user could replace the programs you're planning to run with
ones that will grab the credentials and stuff a copy in a file
somewhere.

Et cetera....

That said, there may be some benefit to using shared memory segments
after all.  A user with limited ability to read things as root -- say,
through some bug in a setuid program or daemon such that the user can
supply a filename and get a few bytes back -- might not be able to get
at the shared memory segment.  And someone unplugging and walking off
with the machine might get the file system contents but not the
memory.

There is some old code in the krb4 library for storing some
information in shared memory, but I don't think anyone has used it in
a while, and I've no idea how well it worked, what the effect might've
been of never deleting the shared memory segment (if it's not created
and deleted by 'login' and friends), etc.  And I don't think we have
the support in krb5 at all.

However, there is the CCAPI interface used on Mac and Windows, usually
implemented through some IPC mechanism, which could be used to
communicate with a process that keeps the credentials in its memory,
or manages a shared memory segment.  We aren't supporting that on
general UNIX platforms at the moment, but if you wanted to work on
it....
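As an added defensive check, not part of the original post or of MIT Kerberos: a small Python audit that walks a cache directory such as /tmp and flags krb5cc_<uid> files that other users can read or write, that are owned by a different uid than their name claims, or that are not regular files. The name pattern, the helper names and the sample directory it builds are constructed assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Default file caches are named krb5cc_<uid>, e.g. /tmp/krb5cc_506; some
# builds append a random suffix, so only the numeric prefix is matched.
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)")


def audit_ccache_dir(directory):
    """Return [(path, problem), ...] for ticket cache files under `directory`.
    Flags caches that anyone but the owner can read or write, caches whose
    owner does not match the uid in the name, and names that are not regular
    files (a symlink planted in /tmp, for instance).
    """
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        m = CCACHE_NAME.match(entry.name)
        if not m:
            continue
        st = entry.lstat()                      # do not follow symlinks
        named_uid = int(m.group(1))
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            findings.append((str(entry), "not a regular file"))
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((str(entry), "accessible by group/other (mode %04o)" % mode))
        if st.st_uid != named_uid:
            findings.append((str(entry), "owned by uid %d but named for uid %d" % (st.st_uid, named_uid)))
    return findings


def make_sample_dir():
    """Constructed sample: one sound cache, one that is world-readable, and
    one whose name claims a different uid than the file's actual owner."""
    d = tempfile.mkdtemp(prefix="ccache-audit-")
    me = os.getuid()
    for name, mode in (("krb5cc_%d" % me, 0o600),
                       ("krb5cc_%d_world" % me, 0o644),
                       ("krb5cc_%d" % (me + 1), 0o600)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for path, problem in audit_ccache_dir(make_sample_dir()):
        print("%s: %s" % (path, problem))
```

As the reply above says, this does nothing against someone who already has full root; it catches the sloppier failure modes (a bad umask, a mis-owned cache) that would expose tickets to ordinary users.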

