[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bad interraction between krb5_context and krb5_ccache

To: Brian May <bam@snoopy.apana.org.au>
Subject: Re: Bad interraction between krb5_context and krb5_ccache
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
Date: Fri, 17 Nov 2000 09:31:16 -0500
Cc: heimdal-discuss@sics.se
In-Reply-To: <84k8a2apaj.fsf@snoopy.apana.org.au>; from bam@snoopy.apana.org.au on Fri, Nov 17, 2000 at 09:03:32PM +1100
Mail-Followup-To: Brian May <bam@snoopy.apana.org.au>,heimdal-discuss@sics.se
References: <20001115162431.A1402@ola.fr.eu.org> <xofpujx8bzh.fsf@blubb.pdc.kth.se> <20001115114650.G13223@sm2p1386swk.wdr.com> <84k8a2apaj.fsf@snoopy.apana.org.au>
Sender: owner-heimdal-discuss@sics.se

On Fri, Nov 17, 2000 at 09:03:32PM +1100, Brian May wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> 
>     Nicolas> Sortof. The MIT Kerberos apps (e.g., telnetd) create a
>     Nicolas> ccache as root with a name based on the PID, then
> 
> I have to wonder: what security holes does this create?

Well, yes, it's a problem; open() nowadays mode options that allow one
to avoid the symlink issue. But I doubt it's taken advantage of in MIT
code, or that it's even available on most platforms.

> Brian May <bam@snoopy.apana.org.au>

Nico
--

References:
- Bad interraction between krb5_context and krb5_ccache
  - From: Joel Kociolek <joko@logidee.com>
- Re: Bad interraction between krb5_context and krb5_ccache
  - From: joda@pdc.kth.se (Johan Danielsson)
- Re: Bad interraction between krb5_context and krb5_ccache
  - From: Nicolas Williams <Nicolas.Williams@ubsw.com>
- Re: Bad interraction between krb5_context and krb5_ccache
  - From: Brian May <bam@snoopy.apana.org.au>

Prev by Date: Re: Linux PAM kerberos module
Next by Date: Re: LDAP+Kerberos
Prev by thread: Re: Bad interraction between krb5_context and krb5_ccache
Next by thread: Linux PAM kerberos module
Index(es):
- Date
- Thread