Subject: Re: xdm, PAM and krb5 broken
To: Jukka Salmi <j+nbsd@2006.salmi.ch>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: current-users
Date: 10/19/2006 08:06:52
On Thu, 19 Oct 2006 11:14:04 +0200, Jukka Salmi <j+nbsd@2006.salmi.ch>
wrote:

> Christian Biere --> current-users (2006-10-19 03:32:51 +0200):
> > Jukka Salmi wrote:
> > > on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
> > > (both are using pam(8), default /etc/pam.d files). After successfully
> > > logging in, xdm seems to remove the credentials cache file:
> >  
> > > [...]
> > >   3508      1 xdm      CALL  __lstat30(0x806cca0,0xbfbfe094)
> > >   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"
> > 
> > Might be off-topic but I find it odd that this thing creates a file in the
> > world-writable directory /tmp with a non-random filename that contains the
> > user ID.
> 
> The file is created with mode 0600 and is owned by the user whose uid
> is contained in the file name.
> 
What happens if someone creates a symlink of that name, pointing
elsewhere?  Yes, I see the lstat, but that looks like a classic TOCTTOU
race condition attack.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
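As an added illustration of the point raised above (this is example code written for this page, not code from xdm, the Kerberos libraries, or NetBSD, and the file names and temporary directory it uses are constructed for the demo): the race exists because lstat() examines the path and a later open() looks the path up a second time, so the object checked and the object used can differ. The defensive form below removes the window instead of narrowing it: the file is created with O_CREAT|O_EXCL|O_NOFOLLOW, which fails if anything (a symlink included) already has that name and never follows a link, and the ownership/type/mode check is done with fstat() on the open descriptor, which cannot be swapped out from under the process. The self-check function plants a symlink under the expected name, confirms it is refused and its target left empty, then confirms a fresh private file is created once the link is gone.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if the open descriptor refers to a regular file owned by the caller,
 * with a single link and no group/other permission bits. Checking the
 * descriptor (fstat) rather than the path (lstat) means the object examined
 * is the one that will be used: a path can change between two lookups, an
 * open descriptor cannot. */
int is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() &&
           st.st_nlink == 1 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create a per-user secret file (e.g. a credentials cache) in one step.
 * O_CREAT|O_EXCL makes creation atomic: it fails with EEXIST if anything,
 * a symlink included, already has that name. O_NOFOLLOW additionally refuses
 * to traverse a symlink. There is no separate check-then-open window.
 * Returns the descriptor, or -1 with errno set. */
int open_secret_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (!is_private_regular(fd)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a private temporary directory (all paths constructed here
 * for the demo). A symlink planted under the expected name must be refused
 * and its target left untouched; once the link is gone, a fresh file must be
 * created. Returns 0 on success or a negative step number for the failed
 * check. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/ccdemo.XXXXXX";
    char decoy[64], lnk[64];
    struct stat st;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(lnk, sizeof lnk, "%s/krb5cc_demo", dir);

    /* an existing file that must not be written to through the link */
    fd = open(decoy, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { rc = -2; goto out; }
    close(fd);

    if (symlink("decoy", lnk) < 0) { rc = -3; goto out; }

    /* the hardened open must refuse the symlink ... */
    fd = open_secret_file(lnk);
    if (fd >= 0) { close(fd); rc = -4; goto out; }
    if (errno != EEXIST && errno != ELOOP) { rc = -5; goto out; }

    /* ... and the decoy must still be empty: nothing went through the link */
    if (stat(decoy, &st) < 0 || st.st_size != 0) { rc = -6; goto out; }

    /* with the link removed, a fresh private file is created and usable */
    unlink(lnk);
    fd = open_secret_file(lnk);
    if (fd < 0) { rc = -7; goto out; }
    if (write(fd, "ticket", 6) != 6 || !is_private_regular(fd))
        rc = -8;
    close(fd);

out:
    unlink(lnk);
    unlink(decoy);
    rmdir(dir);
    return rc;
}
```

The fstat() checks after O_EXCL creation are belt and braces (the kernel already guarantees the file is new), but they cost nothing and also cover the case where the same helper is later reused to reopen an existing cache, where ownership, link count and mode are exactly what should be verified before trusting the file.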