[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PIPE ccache implementation for Heimdal
>Unfortunately I've only tested kinit, klist and kdestroy because I don't
>have access to the necessary kerberized services like rcp and such. I
>was just curious as to how this worked in general and I won't be using
>it in the near future (it still doesn't solve my web server scenario
>since a mischievous user can easily find the said descriptor and access
Um, that is not correct (that was the whole point of the PIPE cache).
How could a mischievous user get access to that descriptor if they are
not one of the descendants of the original process? While the PIPE
descriptor does appear in /proc for the processes on some operating
systems, when I looked at that you couldn't actually use descriptors
created by socketpair() for anything.
Now if your concern is processes WITHIN the ancestry hierarchy of the
master process, well, I can't imagine a credential cache that could
possibly solve that problem.