Bug 40709 - Many RPMS have an over-dependence on kerberos
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: krb5
Version: 7.1
Platform: i686 Linux
Priority: medium  Severity: medium
Assigned To: Nalin Dahyabhai
Brian Brock
FutureFeature
Reported: 2001-05-15 10:30 EDT by kevin_myer
Modified: 2007-04-18 12:33 EDT
Doc Type: Enhancement
Last Closed: 2001-05-15 10:30:11 EDT
Description kevin_myer 2001-05-15 10:30:06 EDT

Description of problem:
A problem I have noted as Red Hat releases progress is an increasing
dependency nightmare, which requires me to have far more packages installed
than I need.  This in turn means that I potentially have more of a security
liability, not so much in that I'm running exploitable services (because
hopefully I'm smart enough to disable services that aren't used) but in that
I now have libraries that may be susceptible to buffer overflows and
similar attacks.  And, as a result of the dependencies, I now have
applications which I do use which contain code compiled in that I won't use
but that may significantly increase my security exposure.  An example
should help clarify this gripe:

Many of the RPM spec files require the krb5-devel RPM to be installed.  We
do not run kerberos so I normally would not install anything from the
krb5-* packages.  However, we do run an infrastructure based on LDAP for
authentication so I need openldap installed.  As your RPMs stand, openldap
depends on cyrus-sasl and both of these depend on kerberos.  Also, as your
RPMs stand, all the kerberos code is compiled into openldap.  So now I'm in
a position where I've got kerberos RPMS installed and I've got other
libraries with kerberos-related code enabled.  Two things have happened:
1) there's unnecessary bloat and 2) I unnecessarily open myself up to any
kerberos library or kerberos-related routine exploit (which definitely exist).

There are a number of programs that are like this, including ftp, cvs, imap,
openldap, php, samba, and LPRng.  Now granted, some or maybe even most of
these do have spec files that allow for a build without kerberos, but as the
binaries are shipped, they do include the kerberos code.  Perhaps I'm in
the minority in that I don't use kerberos, but I would view it better, both
in terms of bloat and of security, to ship the spec files with kerberos
disabled by default and with the binaries built the same way.  I would have
been very pleased to have _NOT_ spent the past day recompiling SRPMS while
removing all references to kerberos from them - let the folks who want
"extra" features recompile and keep the base binaries slim and standard.
Of course, it may be hypocritical, but the only extra thing that I do like
having compiled in is openssl.

Don't even get me started on why I have to install graphic libraries (glib)
on a CLI {file, web, dns, anything else} server so I can use PAM stuff....

How reproducible:
Always

Steps to Reproduce:
1. N/A

Actual Results:  N/A

Expected Results:  N/A

Additional info:  N/A
Comment 1 Nalin Dahyabhai 2001-06-27 00:23:53 EDT
In order to be available, the code has to be compiled in, and there are no plans
to remove it from the distribution.

In the case of OpenLDAP, removing the cyrus-sasl-gssapi package will prevent it
from being able to call any Kerberos functions (it is built with Kerberos IV
binding support disabled, and so will only use the library during SASL
authentication, and then only if the server has a key in its keytab and the
gssapi SASL module is available).
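As an added example that is not part of this bug report, the following POSIX shell script audits the kind of dependency chain the reporter describes (openldap needs cyrus-sasl, both need the Kerberos libraries, php needs openldap): it computes every package that transitively requires a given capability, so an administrator can see up front which installed software is tied to a Kerberos package before removing one, as the maintainer suggests for cyrus-sasl-gssapi. The "package requirement" pairs are a constructed sample in the shape of `rpm -qa --qf '[%{NAME} %{REQUIRENAME}\n]'` output; on a real host that command output would be piped in instead (`rpm -q --whatrequires krb5-libs` gives only the direct dependents). The package names and edges in the sample, and the function names, are assumptions made for this example, not data from the report.

```shell
#!/bin/sh
# Added example: find every package that transitively depends on one capability.
# Input is "package requirement" pairs, one per line, as produced on a real
# host by:  rpm -qa --qf '[%{NAME} %{REQUIRENAME}\n]'
# The sample below is constructed for this example (package names and edges
# are assumptions, not data taken from the bug report).
SAMPLE_DEPS='openldap cyrus-sasl
openldap krb5-libs
cyrus-sasl krb5-libs
cyrus-sasl-gssapi cyrus-sasl
cyrus-sasl-gssapi krb5-libs
php openldap
samba krb5-libs
bash glibc
openssl glibc
krb5-libs glibc'

# who_pulls_in CAPABILITY
# Reads "pkg req" pairs on stdin and prints, sorted, every package that
# requires CAPABILITY directly or through other packages (breadth-first walk
# over the reverse dependency edges). Prints nothing if no package needs it.
who_pulls_in() {
  awk -v target="$1" '
    NF == 2 { rev[$2] = rev[$2] " " $1 }   # reverse edge: requirement -> requiring package
    END {
      queue = target; seen[target] = 1
      while (queue != "") {
        n = split(queue, q, " "); queue = ""
        for (i = 1; i <= n; i++) {
          m = split(rev[q[i]], pkgs, " ")
          for (j = 1; j <= m; j++)
            if (!(pkgs[j] in seen)) { seen[pkgs[j]] = 1; print pkgs[j]; queue = queue " " pkgs[j] }
        }
      }
    }' | LC_ALL=C sort
}

# count_dependents CAPABILITY: size of the closure over the sample, for summaries.
count_dependents() {
  printf '%s\n' "$SAMPLE_DEPS" | who_pulls_in "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample: krb5-libs drags in the whole LDAP stack and samba.
printf '%s\n' "$SAMPLE_DEPS" | who_pulls_in krb5-libs
```

The walk only follows declared RPM requirements; it does not tell you whether a package links the Kerberos library directly or merely loads it through a plugin such as the gssapi SASL module, which is the distinction the maintainer's comment relies on. Checking `ldd` on the shipped binaries answers that second question.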
