(Final?) krb5.Conf Lexer/Parser Proposal
Alexandra Ellwood
lxs at MIT.EDU
Fri Jan 6 20:11:37 EST 2006
On Jan 6, 2006, at 7:39 PM, Ken Raeburn wrote:
> Some nitpicking...
>
> On Jan 6, 2006, at 17:53, Alexandra Ellwood wrote:
>> Distributing it over the network seems like a bad idea since it runs
>> afoul of all the same problems as exporting domain_realm information
>> over insecure DNS SRV records.
>
> That would be DNS TXT records, for the domain_realm mapping.
> DNS SRV records are for realm->kdc mappings.
My bad. While editing I combined two sentences into one and got the
wrong halves. Whoops. ;-)
>> And you couldn't use it for
>> krb5_init_secure_context() since the information coming from that
>> configuration isn't secure at all.
>
> Actually, krb5_init_secure_context is about making setuid-type
> programs safe (well, safer), by not pulling in certain information
> from the environment, like the value of $KRB5_CONFIG. It has
> nothing to do with whether we pull in data from DNS or other
> network sources. If you don't trust such data when running setuid,
> you shouldn't be trusting it by default for random users either, so
> you'd turn it off via the config file, or whatever....
With the existence of the '*' operator, a user-editable config file
gives the user the same powers that setting $KRB5_CONFIG does because
they can override arbitrary sections of the system configuration. As
a result, on Mac OS X we modify the secure context search paths to
only include the system configuration files, not the user one.
However, you're right that krb5_init_secure_context() isn't terribly
relevant.
--lxs
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
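As an added illustration of the point about the '*' operator (example code written for this page, not MIT krb5's profile library): a simplified Python model of how several krb5.conf files on a search path are merged, with a trailing '*' on a section or tag treated as "final" so that files later in the path cannot add to or override it. It assumes flat sections only, that the user's file is searched before the system file in an ordinary context, and that a secure context reads system files only; the file contents are constructed samples.

```python
import re
# Constructed sample files. The system file turns off DNS KDC lookup; the user's
# file seals [libdefaults] with '*', so when the user file is read first the
# system's dns_lookup_kdc setting is never merged in at all.
SYSTEM_CONF = "[libdefaults]\ndefault_realm = EXAMPLE.COM\ndns_lookup_kdc = false\n[domain_realm]\n.example.com = EXAMPLE.COM\n"
USER_CONF = "[libdefaults]*\ndefault_realm = EXAMPLE.COM\n"
SECTION_RE = re.compile(r"^\[(\w+)\](\*?)$")             # [name] or [name]*
RELATION_RE = re.compile(r"^([\w.]+)(\*?)\s*=\s*(.+)$")  # tag = value or tag* = value

def parse(text):
    # {section: [section_is_final, [(tag, value, tag_is_final), ...]]}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [False, []])
            current[0] = current[0] or m.group(2) == "*"
            continue
        m = RELATION_RE.match(line)
        if m and current is not None:
            current[1].append((m.group(1), m.group(3).strip(), m.group(2) == "*"))
    return sections

def merge(files):
    """Merge files in search-path order: earlier files win, '*' seals a section or tag."""
    merged, sealed = {}, set()
    for text in files:
        for sec, (sec_final, rels) in parse(text).items():
            if sec in sealed:
                continue  # an earlier file declared the whole section final
            for tag, value, final in rels:
                if (sec, tag) in sealed:
                    continue  # an earlier file declared this tag final
                merged.setdefault((sec, tag), []).append(value)
                if final:
                    sealed.add((sec, tag))
            if sec_final:
                sealed.add(sec)
    return merged

def get_string(merged, section, tag):
    """First value in search order (the single-valued lookup), or None."""
    values = merged.get((section, tag))
    return values[0] if values else None

def ordinary_context():  # user file searched before the system file (assumed order)
    return merge([USER_CONF, SYSTEM_CONF])

def secure_context():  # system files only, as the message describes for Mac OS X
    return merge([SYSTEM_CONF])
```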