Ken Raeburn <[EMAIL PROTECTED]> writes: > I'm not familiar with whether the keyring code in Linux (optionally > used in recent MIT Kerberos releases) enforces such restrictions.
You would probably need to also run something like SELinux to limit the capabilities of root, if my understanding of how the authorization model in the kernel works is correct. > If we could hook into AFS process authentication groups, that might help > raise the bar as well, to prevent casual copying but not the ptrace > attack, but only on systems where AFS is installed (specifically > implementations with PAGs). Ken Hornstein has patches around to use an > extra, high-numbered file descriptor inherited across processes, with > the process fd limit lowered to just below that fd, which restricts > access to a login session (aside from the ptrace attack), but requires > modifications to the login process to set up this file descriptor, and > requires that no process close all the high-numbered file descriptors > (which I gather is actually fairly uncommon to do above the lowered file > descriptor limit). This too only protects against casual attacks, since root can still get access to this ticket cache by trying hard enough. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
