Default ACLs for FILE: ccaches on Windows

[Jeffrey Altman]

Currently, src/lib/krb5/ccache/cc_file.c does not have any Windows
specific functionality for manipulating files.  The module relies
on the C runtime functions which do not have the ability to set
ACLs at file creation.  The ccache files are therefore created with
the default ACLs as inherited from the parent directory.  This is a
security concern as the inherited privileges frequently default to
allowing all members of the "Administrators" and "Power Users" groups
to manipulate files.   While it is possible for the application that
creates the ccache to set a more restrictive set of ACLs after file
creation, I am not aware of applications that do so and even if they
do, there is a window of opportunity that can be exploited when the
ACLs on the file are wide open.

krb5_fcc_initialize() has the property that it deletes the existing file
with unlink() and then creates a new file for the empty ccache.  The
unwanted side effect is that any ACLs which have been set on the file
are lost.

I believe that platform specific functionality must be added to:

(1) set the most restrictive ACLs possible on newly created ccache
    files.  I propose that the default ACL should permit only the
    current thread's user to have full privileges and the current
    process user to have delete privileges.

(2) copy the ACLs from the old ccache file before file deletion
    and use them for the creation of the replacement file.

I believe it should be the responsibility of the application to
assign more permissive ACLs and the library's responsibility to
preserve them.

Instead of using open() to create new files, on Windows I believe this
should be performed using CreateFile() with a non-default
SECURITY_ATTRIBUTES value.

Another thought is that when deleting ccache files that the file
contents should first be overwritten.

Jeffrey Altman