Subject: Re: xdm, PAM and krb5 broken
To: Jukka Salmi <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 10/19/2006 08:06:52
On Thu, 19 Oct 2006 11:14:04 +0200, Jukka Salmi <email@example.com>
> Christian Biere --> current-users (2006-10-19 03:32:51 +0200):
> > Jukka Salmi wrote:
> > > on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
> > > (both are using pam(8), default /etc/pam.d files). After successfully
> > > logging in, xdm seems to remove the credentials cache file:
> > > [...]
> > > 3508 1 xdm CALL __lstat30(0x806cca0,0xbfbfe094)
> > > 3508 1 xdm NAMI "/tmp/krb5cc_1000"
> > Might be off-topic but I find it odd that this thing creates a file in the
> > world-writable directory /tmp with a non-random filename that contains the
> > user ID.
> The file is created with mode 0600 and is owned by the user whose uid
> is contained in the file name.
What happens if someone creates a symlink of that name, pointing
elsewhere? Yes, I see the lstat, but that looks like a classic TOCTTOU
race condition attack.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb