No subject


Tue Dec 13 04:47:59 EST 2011


rstchown=0" into file /etc/system. This setup switches the restriction
"_POSIX_CHOWN_RESTRICTED" in the OS to "false". (It is something a bit
like a MAC - Mandatory Access Control.)
With this setup everything is right. From the point of view of security,
I think this setup is not good.

I would recommend not changing the group ownership in the chown() function
call in pam_krb5_auth.c.
It is possible to use, for example: chown(&cache_name[5], pw->pw_uid, -1).
I have tried it. It works well.
There is only one potential disadvantage of this solution: a user cannot
change the group of the "credential" file, so she/he cannot share it with
somebody. But I think this usage is nonsense. (Maybe.)

> Steve Langasek
> postmodern programmer


Cheers
Josef Kelbler
VUMS Computers



