hinman@schizo.samsung.com (David Hinman) (06/04/90)
Hello,

It seems to me that if my workstation allows more than one login, someone with the root password can read my ticket cache file and hence impersonate me.

1) Is this a problem in practice, or have I misunderstood something?

2) If it is a problem, will the next release of Kerberos be providing some facility to deal with it?

3) It seems like one solution would be a new device driver, providing ticket cache files that are readable only by the owner and not by root. Is this a reasonable approach?

Thanks,

Dave Hinman
Samsung Software America        (508) 685-7200 ext. 124
One Corporate Drive             hinman@samsung.com
Andover, MA 01810               uunet!schizo.samsung.com!hinman

smb@ulysses.att.com (06/05/90)
> Hello, It seems to me that if my workstation allows more than one login, someone with the root password can read my ticket cache file and hence impersonate me.
>
> 1) Is this a problem in practice, or have I misunderstood something?

Yes, it's a problem *if* someone is able to log in remotely. That is usually not the case at Project Athena.

> 2) If it is a problem, will the next release of Kerberos be providing some facility to deal with it?

There is no defense against root on standard UNIX systems.

> 3) It seems like one solution would be a new device driver, providing ticket cache files that are readable only by the owner and not by root. Is this a reasonable approach?

No, because root could just read /dev/kmem. It's a bit harder, but by no means difficult. Using a device bound to a login session -- to /dev/tty, for example -- eliminates the problem of tickets not being destroyed at logout time, but does nothing to protect against root.
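
An added example, not part of the thread: since nothing stops root, what an administrator can still check on a multi-user host is exposure to other ordinary users and tickets left behind after logout. The sketch below audits a directory of ticket cache files for both; the file-name patterns (`tkt<uid>`, `krb5cc_<uid>`), the function names, and the caller-supplied set of logged-in uids are assumptions, and the sample files are constructed.

```python
import os
import re
import stat
import tempfile

# Assumed naming (not stated in the thread): Kerberos 4 "tkt<uid>" and
# MIT krb5 "krb5cc_<uid>" cache files kept in a shared directory such as /tmp.
CACHE_RE = re.compile(r"^(?:tkt|krb5cc_)(\d+)")


def audit_ticket_caches(directory, active_uids):
    """Return (path, problem) findings for ticket caches in `directory`.

    active_uids is the set of uids that currently have a login session;
    the caller supplies it (for example, derived from `who`).
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        m = CACHE_RE.match(name)
        if not m:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a planted symlink
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "readable or writable beyond owner"))
        if int(m.group(1)) not in active_uids:
            findings.append((path, "stale: owner has no login session"))
    return findings


def demo():
    """Constructed sample: three placeholder cache files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("tkt1001", 0o600), ("tkt1002", 0o644),
                           ("krb5cc_1003", 0o600)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"constructed placeholder, not a real ticket")
            os.chmod(p, mode)
        return [(os.path.basename(p), why)
                for p, why in audit_ticket_caches(d, active_uids={1001, 1002})]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```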