Bug 52499 - kinit fails if eviluser makes /tmp/krb5cc_$VICTIM_UID
kinit fails if eviluser makes /tmp/krb5cc_$VICTIM_UID
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: krb5 (Show other bugs)
7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-08-24 08:48 EDT by David Woodhouse
Modified: 2007-04-18 12:36 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-08-24 11:52:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Woodhouse 2001-08-24 08:48:19 EDT
Description of Problem:
krb5 appears to keep tickets in a known file in /tmp, and fails if that
file cannot be created. This situation can easily be produced by an evil
user with permission to create files in /tmp.

Version-Release number of selected component (if applicable):
krb5-workstation-1.2.2-12

How Reproducible:
100%

Steps to Reproduce:
1. su eviluser -c "touch /tmp/krb5cc_`id -u`"
2. kinit

Actual Results:
kinit(v5): Internal file credentials cache error when initializing cache 

Expected Results:
Dunno. Something slightly more useful though.
Comment 1 David Woodhouse 2001-08-24 09:09:38 EDT
Also reproduced on Roswell 2 with krb5-workstation-1.2.2-13
Comment 2 Glen Foster 2001-08-24 11:52:00 EDT
We (Red Hat) really need to fix this before next release.
Comment 3 Nalin Dahyabhai 2001-08-27 14:02:54 EDT
A workaround exists: set KRB5CCNAME to a filename you can write to.  The file
name "/tmp/krb5cc_<UID>" is only used when KRB5CCNAME is not set.

Something akin to "export KRB5CCNAME=`mktemp /tmp/krb5cc_XXXXXX`" prior to
running kinit should be sufficient.

Note You need to log in before you can comment on or make changes to this bug.