krb5 ticket cache

Klaas Hagemann kerberos at
Thu Feb 6 09:57:30 EST 2003


ok, this makes sense...



Ken Raeburn schrieb:
> Klaas Hagemann <kerberos at> writes:
>>after doing kinit the kerberos client creates a krb5 ticket cache file
>>like /tmp/krb5cc_506.
>>Another user having root privileges on this client can optain these
>>ticket cache file and have the network wide rights of the owner of
>>this ticket.
>>Is there any chance that the ticket is stored in memory rather than on
>>the local disk? can i configure it in any way?
> That wouldn't stop someone with full root privileges -- it would just
> slow them down a little bit, if at all.  (Unless your system is really
> crippled such that even root is severely limited in what it can do.)
> The root user could "su" to you, and use your local access to get at
> the shared memory segment or whereever the credentials are stored.
> Usually root has access to such things anyways, just because it's
> root.
> The root user could attach one of your processes with a debugger and
> pull out the credentials from the process memory.
> The root user could replace the programs you're planning to run with
> ones that will grab the credentials and stuff a copy in a file
> somewhere.
> Et cetera....
> That said, there may be some benefit to using shared memory segments
> after all.  A user with limited ability to read things as root -- say,
> through some bug in a setuid program or daemon such that the user can
> supply a filename and get a few bytes back -- might not be able to get
> at the shared memory segment.  And someone unplugging and walking off
> with the machine might get the file system contents but not the
> memory.
> There is some old code in the krb4 library for storing some
> information in shared memory, but I don't think anyone has used it in
> a while, and I've no idea how well it worked, what the effect might've
> been of never deleting the shared memory segment (if it's not created
> and deleted by 'login' and friends), etc.  And I don't think we have
> the support in krb5 at all.
> However, there is the CCAPI interface used on Mac and Windows, usually
> implemented through some IPC mechanism, which could be used to
> communicate with a process that keeps the credentials in its memory,
> or manages a shared memory segment.  We aren't supporting that on
> general UNIX platforms at the moment, but if you wanted to work on
> it....
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list