[krbdev.mit.edu #1056] krb4 tickets cannot be read as root

Sam Hartman via RT rt-comment at krbdev.mit.edu
Mon Nov 11 14:55:24 EST 2002


Hi.  As you theorized in a ticket you opened this February, it is a
design decision that root cannot read other users' krb4 tickets.

I'm not sure why this design decision was made but we are not
interested in examining that decision at this point in the krb4 life
cycle.


Your PAM module and login programs should not be doing Kerberos
credentials cache operations as root.  Instead, you should get tickets
as root into a memory cache, verify them against the host keytab, then
later in the setcred or open_session phase, seteuid to the user, write
out the credentials, and write out krb4 tickets.  You can setpag and
get AFS tokens at this point or do it in a later PAM module, but you
should do so while setuid to the user.


Using seteuid instead of chown is very important because it will
continue to work even if we move towards Unix sockets or shared memory
for cache representations.
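The pattern the reply recommends for the setcred/open_session phase, shown as an added example that is not part of Sam Hartman's message or of MIT krb5: temporarily assume the user's effective uid and gid, create the cache under that identity, then restore the caller's identity. The libkrb5 calls themselves (obtaining the initial ticket into a memory cache, krb5_verify_init_creds against the host keytab, storing the credentials) are left out so the example builds without libkrb5; the payload and the file path are constructed stand-ins for a krb4 ticket file and the helper names are my own.

```c
/* Added example: create a per-user credential file while running with the
 * user's effective uid/gid, as recommended for the setcred/open_session
 * phase of a PAM module.  The krb5 library calls (initial ticket into a
 * memory cache, krb5_verify_init_creds against the host keytab, storing
 * the credentials) are omitted so this builds without libkrb5; the data
 * written here is a constructed byte string standing in for a ticket file. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write `len` bytes of `data` to `path` with the effective identity uid/gid.
 * Returns 0 on success, -1 on failure (errno is left from the failing call).
 * The caller's original effective ids are restored on every return path. */
int write_cache_as_user(uid_t uid, gid_t gid, const char *path,
                        const void *data, size_t len)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc = -1;

    /* Change the group first: once the effective uid is unprivileged,
     * setegid() to a different group would no longer be permitted. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        int e = errno;
        (void)setegid(saved_gid);
        errno = e;
        return -1;
    }

    /* From here on the kernel applies the user's own permissions to the
     * create, so no chown is needed afterwards, and the same pattern holds
     * if the cache is later backed by a unix socket or shared memory. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        const char *p = data;
        size_t left = len;
        rc = fchmod(fd, 0600);          /* do not depend on the umask */
        while (rc == 0 && left > 0) {
            ssize_t n = write(fd, p, left);
            if (n < 0) {
                if (errno == EINTR)
                    continue;
                rc = -1;
                break;
            }
            p += n;
            left -= (size_t)n;
        }
        if (close(fd) != 0)
            rc = -1;
        if (rc != 0)
            (void)unlink(path);         /* never leave a partial cache behind */
    }

    /* Restore the caller's identity; uid first so the gid change is allowed. */
    int e = errno;
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        rc = -1;
    errno = e;
    return rc;
}

/* Verify that the resulting cache is a regular file owned by `uid`, mode 0600. */
int cache_owned_by(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid
        && (st.st_mode & 0777) == 0600;
}
```

In a real module the first half of the work (acquiring the ticket and verifying it against the host keytab) happens while still root, and only the write-out runs inside the seteuid window; the AFS setpag and token acquisition the reply mentions belong inside that same window or in a later module that also runs as the user.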
