Red Hat Bugzilla – Bug 52499
kinit fails if eviluser makes /tmp/krb5cc_$VICTIM_UID
Last modified: 2007-04-18 12:36:32 EDT
Description of Problem:
krb5 appears to keep tickets in a known file in /tmp, and fails if that
file cannot be created. This situation can easily be produced by an evil
user with permission to create files in /tmp.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. su eviluser -c "touch /tmp/krb5cc_`id -u`"
kinit(v5): Internal file credentials cache error when initializing cache
Dunno. Something slightly more useful though.
Also reproduced on Roswell 2 with krb5-workstation-1.2.2-13
We (Red Hat) really need to fix this before next release.
A workaround exists: set KRB5CCNAME to a filename you can write to. The file
name "/tmp/krb5cc_<UID>" is only used when KRB5CCNAME is not set.
Something akin to "export KRB5CCNAME=`mktemp /tmp/krb5cc_XXXXXX`" prior to
running kinit should be sufficient.
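The workaround from the comment above, as an added example that is not part of the bug report: a small shell helper that checks whether the default /tmp/krb5cc_<UID> path is safe to use (absent, or a regular non-symlink file owned by the caller) and otherwise falls back to a private mktemp file. It assumes a Linux system with coreutils and a shell whose test builtin supports -O (bash, dash, ksh).

```shell
# Added example, not from the bug report. Picks a credential cache path
# that the current user can safely write, working around the default
# /tmp/krb5cc_<UID> name that another local user may have created first.
# Assumes GNU/Linux coreutils (mktemp) and a test builtin supporting -O.

# The path kinit uses when KRB5CCNAME is unset.
krb5_default_ccache() {
    printf '%s\n' "/tmp/krb5cc_$(id -u)"
}

# Returns 0 if the given path is safe to use as a ccache: either nothing
# exists there yet, or it is a regular, non-symlink file owned by us.
# Returns 1 for a symlink, a directory, or a file owned by someone else.
krb5_ccache_is_safe() {
    path=$1
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        return 0
    fi
    if [ -L "$path" ]; then
        return 1
    fi
    [ -f "$path" ] && [ -O "$path" ]
}

# Prints the ccache path to use: the default if it is safe, otherwise a
# fresh private file created by mktemp (mode 0600, owned by the caller).
krb5_choose_ccache() {
    default=$(krb5_default_ccache)
    if krb5_ccache_is_safe "$default"; then
        printf '%s\n' "$default"
    else
        mktemp /tmp/krb5cc_XXXXXX
    fi
}

# Usage before running kinit:
#   export KRB5CCNAME="$(krb5_choose_ccache)"
```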