Subject: Re: xdm, PAM and krb5 broken
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Elad Efrat <elad@NetBSD.org>
List: current-users
Date: 10/21/2006 16:18:09
Steven M. Bellovin wrote:
> On Thu, 19 Oct 2006 11:14:04 +0200, Jukka Salmi <j+nbsd@2006.salmi.ch>
> wrote:
>
>> Christian Biere --> current-users (2006-10-19 03:32:51 +0200):
>>> Jukka Salmi wrote:
>>>> on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
>>>> (both are using pam(8), default /etc/pam.d files). After successfully
>>>> logging in, xdm seems to remove the credentials cache file:
>>>
>>>> [...]
>>>> 3508 1 xdm CALL __lstat30(0x806cca0,0xbfbfe094)
>>>> 3508 1 xdm NAMI "/tmp/krb5cc_1000"
>>> Might be off-topic but I find it odd that this thing creates a file in the
>>> world-writable directory /tmp with a non-random filename that contains the
>>> user ID.
>> The file is created with mode 0600 and is owned by the user whose uid
>> is contained in the file name.
>>
> What happens if someone creates a symlink of that name, pointing
> elsewhere? Yes, I see the lstat, but that looks like a classic TOCTTOU
> race condition attack.
Looks like other parts of the code were adapted to use mkstemp(),
perhaps this bit should, too...
-e.
--
Elad Efrat