[krbdev.mit.edu #1056]krb4 tickets cannot be read as root
daniel@ncsu.edu via RT
rt-comment at krbdev.mit.edu
Tue Nov 12 09:34:26 EST 2002
Aha! Didn't think through it that way. Thanks much for the info!
I'll be glad when we can disable krb4 altogether anyway... =) Currently
AFS, Zephyrs, and Poppers are holding us back. Weee! (perhaps I had too
much caffeine this morning...)
Daniel
> Your PAM module and login programs should not be doing Kerberos
> credentials cache operations as root. Instead, you should get tickets
> as root into a memory cache, verify them against the host keytab, then
> later in the setcred or open_session phase, seteuid to the user, write
> out the credentials, and write out krb4 tickets. You can setpag and
> get AFS tokens at this point or do it in a later PAM module, but you
> should do so while setuid to the user.
>
>
> Using seteuid instead of chown is very important because it will
> continue to work even if we move towards Unix sockets or shared memory
> for cache representations.
>
--
/\\\----------------------------------------------------------------------///\
\ \\\ Daniel Henninger http://www.vorpalcloud.org/ /// /
\_\\\ North Carolina State University - Systems Programmer ///_/
\\\ Information Technology <IT> ///
"""--------------------------------------------------------------"""