Bug 52499 - kinit fails if eviluser makes /tmp/krb5cc_$VICTIM_UID
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: krb5
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
 
Reported: 2001-08-24 12:48 UTC by David Woodhouse
Modified: 2007-04-18 16:36 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-08-24 15:52:04 UTC
Embargoed:



Description David Woodhouse 2001-08-24 12:48:19 UTC
Description of Problem:
krb5 appears to keep tickets in a known file in /tmp, and fails if that
file cannot be created. This situation can easily be produced by an evil
user with permission to create files in /tmp.

Version-Release number of selected component (if applicable):
krb5-workstation-1.2.2-12

How Reproducible:
100%

Steps to Reproduce:
1. su eviluser -c "touch /tmp/krb5cc_`id -u`"
2. kinit

Actual Results:
kinit(v5): Internal file credentials cache error when initializing cache 

Expected Results:
Dunno. Something slightly more useful though.

Comment 1 David Woodhouse 2001-08-24 13:09:38 UTC
Also reproduced on Roswell 2 with krb5-workstation-1.2.2-13

Comment 2 Glen Foster 2001-08-24 15:52:00 UTC
We (Red Hat) really need to fix this before next release.

Comment 3 Nalin Dahyabhai 2001-08-27 18:02:54 UTC
A workaround exists: set KRB5CCNAME to a filename you can write to.  The file
name "/tmp/krb5cc_<UID>" is only used when KRB5CCNAME is not set.

Something akin to "export KRB5CCNAME=`mktemp /tmp/krb5cc_XXXXXX`" prior to
running kinit should be sufficient.
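
The workaround from comment 3, written out as an added example (not part of the original bug report and not krb5's own code): it checks whether the default cache path is usable and otherwise falls back to a private `mktemp` file. The function names `ccache_usable` and `pick_ccache` and the `TMPDIR` fallback are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of krb5.

# ccache_usable PATH
# Succeeds if PATH does not exist yet, or is a regular file (not a
# symlink) owned by the current user. Anything else in a shared
# directory such as /tmp was put there by someone else.
ccache_usable() {
    path=$1
    # Nothing there, not even a dangling symlink: kinit can create it.
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        return 0
    fi
    [ ! -L "$path" ] && [ -f "$path" ] && [ -O "$path" ]
}

# pick_ccache [DEFAULT_PATH]
# Prints the credentials cache file to use. DEFAULT_PATH defaults to
# the name from the bug report, /tmp/krb5cc_<UID>.
pick_ccache() {
    default=${1:-/tmp/krb5cc_$(id -u)}
    if ccache_usable "$default"; then
        printf '%s\n' "$default"
    else
        # Say why the default is being skipped, then create a fresh
        # file with an unpredictable name. mktemp creates it
        # atomically with mode 0600.
        printf 'ccache %s is not a regular file owned by uid %s; using a private file\n' \
            "$default" "$(id -u)" >&2
        mktemp "${TMPDIR:-/tmp}/krb5cc_XXXXXX"
    fi
}

# Usage before kinit:
#   KRB5CCNAME=$(pick_ccache) && export KRB5CCNAME && kinit
```

The check only explains and sidesteps a file that is already in place; the name can still be claimed between the check and kinit, so always exporting a `mktemp` path, as comment 3 suggests, avoids the predictable name altogether.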

