Kerberos as non-root
David E. Cross
crossd at cs.rpi.edu
Mon Sep 30 19:08:01 EDT 2002
I am considering making a very *very* simple change to the KDC/kadmind as
follows: start as root, bind any resources (files, network ports, etc).
The motivation for this is as follows:
A compromise of the KDC, as root, gives the attackers the ability to cover
their footprints relatively easily (unless the KDC admin goes through the
additional effort to setup remote logging, etc: even then there is some
information stored localy, like wtmp/utmp that is prone to tinkering)
Also by having the kdc/kadmin running as "not root" you can still have the
important files only readable by root. An attacker then would not have
easy access to the database. They would need to do all database accesses
through the compromised KDC, which isn't as easy as just downloading the
entire DB.
Comments, suggestions?
--
David Cross | email: crossd at cs.rpi.edu
Lab Director | Rm: 308 Lally Hall
Rensselaer Polytechnic Institute, | Ph: 518.276.2860
Department of Computer Science | Fax: 518.276.4033
I speak only for myself. | WinNT:Linux::Linux:FreeBSD
More information about the krbdev
mailing list