From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2enterprise i686; en-US; rv:0.9) Gecko/20010507

Description of problem:
A problem I have noted as Red Hat releases progress is an increasing dependency nightmare, which requires me to have far more packages installed than I need. This in turn means that I potentially have more of a security liability, not so much in that I'm running exploitable services (because hopefully I'm smart enough to disable services that aren't used) but in that I now have libraries that may be susceptible to buffer overflows and similar attacks. And, as a result of the dependencies, I now have applications which I do use which contain code compiled in that I won't use but that may significantly increase my security exposure.

An example should help clarify this gripe: Many of the RPM spec files require the krb5-devel RPM to be installed. We do not run kerberos so I normally would not install anything from the krb5-* packages. However, we do run an infrastructure based on LDAP for authentication so I need openldap installed. As your RPMs stand, openldap depends on cyrus-sasl and both of these depend on kerberos. Also, as your RPMs stand, all the kerberos code is compiled into openldap. So now I'm in a position where I've got kerberos RPMS installed and I've got other libraries with kerberos-related code enabled. Two things have happened: 1) there's unnecessary bloat and 2) I unnecessarily open myself up to any kerberos library or kerberos-related routine exploit (which definitely exist). There are a number of programs that are like this including ftp, cvs, imap, openldap, php, samba, and LPRng. Now granted, some or maybe even most of these do have spec files that allow for a build without kerberos, but as the binaries are shipped, they do include the kerberos code.

Perhaps I'm in the minority in that I don't use kerberos, but I would view it better, both in terms of bloat and of security, to ship the spec files with kerberos disabled by default and with the binaries built the same way. I would have been very pleased to have _NOT_ spent the past day recompiling SRPMS while removing all references to kerberos from them - let the folks who want "extra" features recompile and keep the base binaries slim and standard. Of course, it may be hypocritical, but the only extra thing that I do like having compiled in is openssl. Don't even get me started on why I have to install graphic libraries (glib) on a CLI {file, web, dns, anything else} server so I can use PAM stuff....

How reproducible:
Always

Steps to Reproduce:
1. N/A
2.
3.

Actual Results: N/A

Expected Results: N/A

Additional info: N/A
In order to be available, the code has to be compiled in, and there are no plans to remove it from the distribution. In the case of OpenLDAP, removing the cyrus-sasl-gssapi package will prevent it from being able to call any Kerberos functions (it is built with Kerberos IV binding support disabled, and so will only use the library during SASL authentication, and then only if the server has a key in its keytab and the gssapi SASL module is available).
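As an added check (not code from the bug report or from Red Hat), the following POSIX shell script reports which installed binaries and shared libraries are dynamically linked against the MIT Kerberos libraries, so an administrator can see for a given package whether the Kerberos code paths the reporter objects to are actually present. The `ldd` sample inside it is constructed, and the library-name pattern and the directories scanned are assumptions.

```shell
#!/bin/sh
# Added example: list installed ELF objects that pull in Kerberos libraries.
# Library names below are an assumption about the MIT Kerberos build layout.
KRB_PATTERN='libkrb5|libgssapi_krb5|libk5crypto|libkrb4|libdes425'

# krb_libs_from_ldd: read `ldd` output on stdin and print the Kerberos
# libraries it references, one per line, sorted. Returns 1 if none found.
krb_libs_from_ldd() {
    found=$(grep -E "$KRB_PATTERN" | awk '{print $1}' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# audit_dirs: run ldd over every regular file under the given directories and
# report those linked to a Kerberos library. Files that are not dynamic ELF
# objects make ldd fail; those are skipped silently.
audit_dirs() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while read -r f; do
            libs=$(ldd "$f" 2>/dev/null | krb_libs_from_ldd) || continue
            printf '%s: %s\n' "$f" "$(printf '%s' "$libs" | tr '\n' ' ')"
        done
    done
}

# Constructed sample of ldd output for a slapd-like binary (not captured from
# a real system); used to demonstrate the parser without touching the host.
SAMPLE_LDD='    libsasl2.so.7 => /usr/lib/libsasl2.so.7 (0x40012000)
    libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40020000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40030000)
    libc.so.6 => /lib/libc.so.6 (0x40040000)'

# With directory arguments, audit the host; otherwise parse the sample only.
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | krb_libs_from_ldd
fi
```

Typical invocation on a server would be `sh audit_krb.sh /usr/sbin /usr/lib /usr/lib/sasl` to cover daemons, libraries and the SASL plugin directory; pairing this with `rpm -q cyrus-sasl-gssapi` shows whether the GSSAPI plugin the reply mentions is installed at all.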