[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MEMORY credential cache interop between Heimdal and MIT?

On Wed, Aug 15, 2007 at 09:26:45PM -0400, Ken Raeburn wrote:

> As for the OS providing secure storage available only to the right 
> processes (for some definition of "right processes"), there is the Linux 
> in-kernel keychain support, for example.  But even using in-memory 
> credentials won't protect you from one compromised worker process attaching 
> another process under ptrace and extracting credentials (or forcing it to 
> make some OS call to retrieve credentials).

IMHO in Linux it would not be too hard to write a security module that
simply disallows ptrace()/kill()/etc. for anyone but root (so some form
of debugging is still possible). Maybe SELinux can do the job if you
make the policy strict enough.


     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences