"Stealing" the credential cache

Simo Sorce simo at redhat.com
Wed Aug 13 10:07:24 EDT 2008

On Wed, 2008-08-13 at 09:47 -0400, Ken Raeburn wrote:
> On Aug 13, 2008, at 07:55, E. Braun wrote:
> > Is this the expected behaviour, that the root user of a client (the  
> > user has
> > no interactive access to the Kerberos and AFS servers) can use a  
> > copy of the
> > credentials cache for getting an afs token?
> Yes.  Finding a place where the superuser cannot access a user's  
> credentials (either directly or by changing uid to the user, or in an  
> extreme case, attach a user's process via ptrace or whatever, as if  
> under a debugger, and extract the authentication info from the user's  
> process) is a system-specific problem and not always possible; it  
> requires that the OS enforce restrictions on a superuser account.

You should be able to use SELinux to achieve this goal, not sure how
hard would it be to build the policy though.


Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list