porting CCAPI to UNIX

Ken Raeburn raeburn at MIT.EDU
Wed May 9 17:00:23 EDT 2007

On May 9, 2007, at 15:44, Ken Hornstein wrote:
>> Unless someone's going to implement cross-session ptrace restrictions
>> and the like, there's little point in trying to do enforced
>> isolation.
> I understand that line of reasoning ... but exactly how far do you  
> want
> to take that logic?

Perhaps I misspoke: I don't think it's worthwhile to invest  
significant effort or runtime cost or complexity in making it hard  
for one process to access the credentials of another process under  
the same uid, if ptrace and /proc are still going to get around the  
restrictions easily.

If someone is going to invest serious effort in isolation of sessions  
from one another, then yes, ccache access should be done too.

> What attack vectors are you trying to protect against?  Same userid?
> Root?  Are you concerned about loadable kernel modules?  If you worry
> about ALL of that stuff, you will come to the conclusion that on a
> multiuser Unix system you are basically screwed and you might as well
> just broadcast your Kerberos password to your local cracker IRC  
> channel.


I'd rather assume that those three are *not* attacks to worry about  
at present (in this context), and thus hard isolation of sessions  
isn't a high priority.

> I don't think anyone advocates that, but my point is that at least  
> when
> it comes to untrusted host security there are a whole bunch of shades
> of grey when it comes to protecting credentials.
> Here's something to think about: this wacky credential cache, when it
> was implemented, resulted in an unquestionable and measurable  
> improvement
> in security.  Can it be broken?  Hell yes.  But it is harder to do so,
> and there is no question in my mind that the increase in difficulty  
> has
> value.



More information about the krbdev mailing list