"Stealing" the credential cache
simo at redhat.com
Wed Aug 13 10:07:24 EDT 2008
On Wed, 2008-08-13 at 09:47 -0400, Ken Raeburn wrote:
> On Aug 13, 2008, at 07:55, E. Braun wrote:
> > Is this the expected behaviour, that the root user of a client (the
> > user has
> > no interactive access to the Kerberos and AFS servers) can use a
> > copy of the
> > credentials cache for getting an afs token?
> Yes. Finding a place where the superuser cannot access a user's
> credentials (either directly or by changing uid to the user, or in an
> extreme case, attach a user's process via ptrace or whatever, as if
> under a debugger, and extract the authentication info from the user's
> process) is a system-specific problem and not always possible; it
> requires that the OS enforce restrictions on a superuser account.
You should be able to use SELinux to achieve this goal, not sure how
hard would it be to build the policy though.
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos