Kerberos opening /etc/krb5.conf for writing?

Kerry Thompson kerry at crypt.gen.nz
Mon Jul 14 17:51:27 EDT 2003


I've been doing some testing of MIT Kerberos ( 1.2.8 ) under SELinux and
I'm seeing some strange behaviour from most applications which use krb5
authentication. For some reason, something in the library seems to always
open /etc/krb5.conf for both reading and writing.

I think it comes from profile_open_file() in profile_file.c, which calls
rw_access_file() in prof_file.c, which in turn does something like
fopen(&filespec, "r+")

I'm not sure if this poses any security risks, and I haven't worked out a
patch yet. I suspect a fix might need to involve passing the filemode down
from profile_open_file().
Alternatively, I can fix the SELinux policy to disallow the write access,
which is an easy fix for now.

Kerry
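The fix the post suggests, passing the caller's intended file mode down so the library only asks for write access when it plans to write, can be illustrated as follows. This is an added example written for this page, not code from MIT Kerberos: the `profile_mode` enum, the `profile_open()` / `profile_count_sections()` helpers and the constructed sample configuration are all hypothetical, and the only thing taken from the post is the unconditional `"r+"` pattern that it contrasts with.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical intent flag, assumed to be handed down from the top-level
 * open routine (the post proposes passing a filemode down from
 * profile_open_file()). Not an MIT Kerberos type. */
typedef enum { PROFILE_READ_ONLY = 0, PROFILE_READ_WRITE = 1 } profile_mode;

/* Choose the stdio mode string from the caller's intent. The pattern the
 * post describes always used "r+", which requests write access on every
 * open and is what a mandatory-access-control policy will deny; with an
 * explicit mode, a reader only ever asks for "r". */
const char *profile_mode_string(profile_mode mode)
{
    return (mode == PROFILE_READ_WRITE) ? "r+" : "r";
}

/* Open a profile file with the least access the caller needs.
 * Returns NULL (errno set) if the open is refused. */
FILE *profile_open(const char *path, profile_mode mode)
{
    return fopen(path, profile_mode_string(mode));
}

/* Read-only consumer: count "[section]" headers in a krb5.conf-style file.
 * Returns -1 if the file cannot be opened for reading. */
int profile_count_sections(const char *path)
{
    FILE *f = profile_open(path, PROFILE_READ_ONLY);
    if (f == NULL)
        return -1;

    char line[256];
    int count = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        const char *p = line;
        while (*p == ' ' || *p == '\t')   /* skip leading whitespace */
            p++;
        if (*p == '[')
            count++;
    }
    fclose(f);
    return count;
}

/* Write a small constructed sample (not a real krb5.conf) so the example
 * runs offline. Returns 0 on success, -1 on failure. */
int write_sample_config(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("[libdefaults]\n"
          "\tdefault_realm = EXAMPLE.COM\n"
          "\n"
          "[realms]\n"
          "\tEXAMPLE.COM = {\n"
          "\t\tkdc = kdc.example.com\n"
          "\t}\n", f);
    fclose(f);
    return 0;
}

int main(void)
{
    const char *path = "sample_krb5.conf";   /* constructed test file */
    if (write_sample_config(path) != 0) {
        perror("write_sample_config");
        return EXIT_FAILURE;
    }
    printf("read-only open uses mode \"%s\", writer uses \"%s\"\n",
           profile_mode_string(PROFILE_READ_ONLY),
           profile_mode_string(PROFILE_READ_WRITE));
    printf("%s: %d section(s) found via a read-only open\n",
           path, profile_count_sections(path));
    return EXIT_SUCCESS;
}
```

On a system where the config file is read-only for the process (file permissions or an SELinux policy like the one the post mentions), the `"r+"` variant fails at `fopen()` even though nothing was going to be written; the read-only variant succeeds, and the policy denial log stays clean for ordinary authentication traffic.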
