Default ACLs for FILE: ccaches on Windows

Henry B. Hotz hotz at jpl.nasa.gov
Mon Jul 24 14:40:54 EDT 2006 

On Jul 23, 2006, at 9:01 AM, krbdev-request at mit.edu wrote:

> Message: 1
> Date: Sun, 23 Jul 2006 11:22:52 -0400
> From: Jeffrey Altman <jaltman at MIT.EDU>
> Subject: Default ACLs for FILE: ccaches on Windows
> To: "'krbdev at mit.edu'" <krbdev at MIT.EDU>
> Message-ID: <44C3944C.5040303 at mit.edu>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Currently, src/lib/krb5/ccache/cc_file.c does not have any Windows
> specific functionality for manipulating files.  The module relies
> on the C runtime functions which do not have the ability to set
> ACLs at file creation.  The ccache files are therefore created with
> the default ACLs as inherited from the parent directory.  This is a
> security concern as the inherited privileges frequently default to
> allowing all members of the "Administrators" and "Power Users" groups
> to manipulate files.   While it is possible for the application that
> creates the ccache to set a more restrictive set of ACLs after file
> creation, I am not aware of applications that do so and even if they
> do, there is a window of opportunity that can be exploited when the
> ACLs on the file are wide open.
>
> krb5_fcc_initialize() has the property that it deletes the existing  
> file
> with unlink() and then creates a new file for the empty ccache.  The
> unwanted side effect is that any ACLs which have been set on the file
> are lost.

Are POSIX semantics insufficient?  Not all platforms support ACL's.

> I believe that platform specific functionality must be added to:
>
> (1) set the most restrictive ACLs possible on newly created ccache
>     files.  I propose that the default ACL should permit only the
>     current thread's user to have full privileges and the current
>     process user to have delete privileges.
>
> (2) copy the ACLs from the old ccache file before file deletion
>     and use them for the creation of the replacement file.
>
> I believe it should be the responsibility of the application to
> assign more permissive ACLs and the library's responsibility to
> preserve them.

One could argue that an initialize function should initialize  
permissions to a standard (restrictive) value.  Perhaps you are  
reinitializing because you want to remove excess permissions.

> Instead of using open() to create new files, on Windows I believe this
> should be performed using CreateFile() with a non-default
> SECURITY_ATTRIBUTES value.
>
> Another thought is that when deleting ccache files that the file
> contents should first be overwritten.

Yes.

> Jeffrey Altman

------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list