porting CCAPI to UNIX
Ken Raeburn
raeburn at MIT.EDU
Wed May 9 17:00:23 EDT 2007
On May 9, 2007, at 15:44, Ken Hornstein wrote:
>> Unless someone's going to implement cross-session ptrace restrictions
>> and the like, there's little point in trying to do enforced
>> isolation.
>
> I understand that line of reasoning ... but exactly how far do you want
> to take that logic?
Perhaps I misspoke: I don't think it's worthwhile to invest
significant effort or runtime cost or complexity in making it hard
for one process to access the credentials of another process under
the same uid, if ptrace and /proc are still going to get around the
restrictions easily.
If someone is going to invest serious effort in isolation of sessions
from one another, then yes, ccache access should be done too.
> What attack vectors are you trying to protect against? Same userid?
> Root? Are you concerned about loadable kernel modules? If you worry
> about ALL of that stuff, you will come to the conclusion that on a
> multiuser Unix system you are basically screwed and you might as well
> just broadcast your Kerberos password to your local cracker IRC
> channel.
:-)
I'd rather assume that those three are *not* attacks to worry about
at present (in this context), and thus hard isolation of sessions
isn't a high priority.
> I don't think anyone advocates that, but my point is that at least when
> it comes to untrusted host security there are a whole bunch of shades
> of grey when it comes to protecting credentials.
>
> Here's something to think about: this wacky credential cache, when it
> was implemented, resulted in an unquestionable and measurable improvement
> in security. Can it be broken? Hell yes. But it is harder to do so,
> and there is no question in my mind that the increase in difficulty has
> value.
Agreed.
Ken