"Stealing" the credential cache

Russ Allbery rra at stanford.edu
Wed Aug 13 14:21:18 EDT 2008


Ken Raeburn <raeburn at MIT.EDU> writes:

> I'm not familiar with whether the keyring code in Linux (optionally  
> used in recent MIT Kerberos releases) enforces such restrictions.

You would probably need to also run something like SELinux to limit the
capabilities of root, if my understanding of how the authorization model
in the kernel works is correct.

> If we could hook into AFS process authentication groups, that might help
> raise the bar as well, to prevent casual copying but not the ptrace
> attack, but only on systems where AFS is installed (specifically
> implementations with PAGs).  Ken Hornstein has patches around to use an
> extra, high-numbered file descriptor inherited across processes, with
> the process fd limit lowered to just below that fd, which restricts
> access to a login session (aside from the ptrace attack), but requires
> modifications to the login process to set up this file descriptor, and
> requires that no process close all the high-numbered file descriptors
> (which I gather is actually fairly uncommon to do above the lowered file
> descriptor limit).

This too only protects against casual attacks, since root can still get
access to this ticket cache by trying hard enough.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list