Subject: Re: xdm, PAM and krb5 broken
To: Steven M. Bellovin <>
From: Elad Efrat <>
List: current-users
Date: 10/21/2006 16:18:09
Steven M. Bellovin wrote:
> On Thu, 19 Oct 2006 11:14:04 +0200, Jukka Salmi <>
> wrote:
>> Christian Biere --> current-users (2006-10-19 03:32:51 +0200):
>>> Jukka Salmi wrote:
>>>> on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
>>>> (both are using pam(8), default /etc/pam.d files). After successfully
>>>> logging in, xdm seems to remove the credentials cache file:
>>>> [...]
>>>>   3508      1 xdm      CALL  __lstat30(0x806cca0,0xbfbfe094)
>>>>   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"
>>> Might be off-topic but I find it odd that this thing creates a file in the
>>> world-writable directory /tmp with a non-random filename that contains the
>>> user ID.
>> The file is created with mode 0600 and is owned by the user whose uid
>> is contained in the file name.
> What happens if someone creates a symlink of that name, pointing
> elsewhere?  Yes, I see the lstat, but that looks like a classic TOCTTOU
> race condition attack.

Looks like other parts of the code were adapted to use mkstemp(),
perhaps this bit should, too...


Elad Efrat